Commit graph

8281 commits

Author SHA1 Message Date
Min Liu
1a28589b28 QCA vendor attributes for setting channel width
Define QCA vendor attribute in SET(GET)_WIFI_CONFIGURATION to
dynamically configure capabilities for channel width.

Signed-off-by: Min Liu <minliu@codeaurora.org>
2020-06-06 15:18:13 +03:00
Tanmay Garg
63653307df Add support for indicating missing driver AKM capability flags
Add support for missing driver AKM capability flags from the list of
RSN_AUTH_KEY_MGMT_* flags and make these available through the
'GET_CAPABILITY key_mgmt' control interface command.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-06 15:18:13 +03:00
Veerendranath Jakkam
18f3f99ac4 Add vendor attributes to configure testing functionality for FT/OCV/SAE
Add new QCA vendor attributes to configure RSNXE Used (FTE), ignore CSA,
and OCI frequency override with QCA vendor command
QCA_NL80211_VENDOR_SUBCMD_WIFI_TEST_CONFIGURATION for STA testbed role.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-06 15:18:13 +03:00
Min Liu
e53756a64e Fix a typo vendor attribute documentation
Fix a typo in comment of enum qca_wlan_tspec_ack_policy.

Signed-off-by: Min Liu <minliu@codeaurora.org>
2020-06-06 15:18:13 +03:00
Sunil Dutt
960e8e5334 QCA vendor attribute to configure NSS
Defines the attribute in SET(GET)_WIFI_CONFIGURATION to dynamically
configure NSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-06 15:18:13 +03:00
Jouni Malinen
cc22fb1b86 SAE: Move H2E and PK flags to main sae_data
This maintains knowledge of whether H2E or PK was used as part of the
SAE authentication beyond the removal of temporary state needed during
that authentication. This makes it easier to use information about which
kind of SAE authentication was used at higher layer functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-06 15:18:13 +03:00
Jouni Malinen
40240735bd WPS UPnP: Do not update Beacon frames unnecessarily on subscription removal
There is no need to update the WPS IE in Beacon frames when a
subscription is removed if that subscription is not for an actual
selected registrar. For example, this gets rids of unnecessary driver
operations when a subscription request gets rejected when parsing the
callback URLs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-04 23:53:55 +03:00
Jouni Malinen
c85b39ec50 SAE-PK: Increment the minimum password length to 9
While this is not explicitly defined as the limit, lambda=8 (i.e., 9
characters with the added hyphen) is needed with Sec=5 to reach the
minimum required resistance to preimage attacks, so use this as an
implicit definition of the password length constraint.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-04 23:53:55 +03:00
Jouni Malinen
2c7b5a2c5f tests: Skip too short SAE-PK passwords in positive testing
Lambda >= 12 is needed with Sec = 2, so drop the shorter password
lengths in the sae_pk and module_wpa_supplicant test cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-04 23:53:33 +03:00
Jouni Malinen
d777156e1f SAE-PK: Determine hash algorithm from K_AP group instead of SAE group
While the current implementation forces these groups to be same, that is
not strictly speaking necessary and the correct group to use here is
K_AP, not the SAE authentication group.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-03 17:30:36 +03:00
Jouni Malinen
20ccf97b3d SAE-PK: AP functionality
This adds AP side functionality for SAE-PK. The new sae_password
configuration parameters can now be used to enable SAE-PK mode whenever
SAE is enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-02 23:25:22 +03:00
Jouni Malinen
00e4fbdcc5 tests: Module test for SAE-PK
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-02 23:25:22 +03:00
Jouni Malinen
6b9e99e571 SAE-PK: Extend SAE functionality for AP validation
This adds core SAE functionality for a new mode of using SAE with a
specially constructed password that contains a fingerprint for an AP
public key and that public key being used to validate an additional
signature in SAE confirm from the AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-02 23:25:22 +03:00
Jouni Malinen
b6dcbd01a6 SAE-PK: Identifier definitions
Add the assigned identifiers for SAE-PK elements and fields.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-02 17:56:45 +03:00
Jouni Malinen
aed01b82d3 OpenSSL: Additional EC functionality for SAE-PK
These will be needed for implementing SAE-PK ECDSA signing and signature
verification operations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-02 17:56:45 +03:00
Jouni Malinen
8c1f61e820 OCV: Report OCI validation failures with OCV-FAILURE messages (STA)
Convert the previously used text log entries to use the more formal
OCV-FAILURE prefix and always send these as control interface events to
allow upper layers to get information about unexpected operating channel
mismatches.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-30 00:24:15 +03:00
Jouni Malinen
661e661186 OCV: Allow OCI channel to be overridden for testing (AP)
Add hostapd configuration parameters oci_freq_override_* to allow the
OCI channel information to be overridden for various frames for testing
purposes. This can be set in the configuration and also updated during
the runtime of a BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-30 00:04:53 +03:00
Jouni Malinen
d10a57f6e9 DPP2: Derive a separate key for enveloped data
Derive a new key from bk to be used as the password for PBKDF2 instead
of using ke for this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 21:42:33 +03:00
Jouni Malinen
32d3360f33 DPP: Fix a typo in a comment
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 21:35:26 +03:00
Jouni Malinen
5a7bcb7725 OSEN: Do not send the actual BIGTK to OSEN STAs
OSEN STAs are not authenticated, so do not send the actual BIGTK for
them so that they cannot generate forged protected Beacon frames. This
means that OSEN STAs cannot enable beacon protection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 21:25:02 +03:00
Jouni Malinen
2d6cc0e670 FT: Do not expose GTK/IGTK in FT Reassociation Response frame in OSEN
Do not include the actual GTK/IGTK value in FT protocol cases in OSEN or
with DGAF disabled (Hotspot 2.0). This was already the case for the
EAPOL-Key cases of providing GTK/IGTK, but the FT protocol case was
missed. OSEN cannot really use FT, so that part is not impacted, but it
would be possible to enable FT in a Hotspot 2.0 network that has DGAF
disabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 21:25:02 +03:00
Jouni Malinen
a998337895 WNM: Do not expose GTK/IGTK in WNM Sleep Mode Response frame in OSEN
Do not include the actual GTK/IGTK value in WNM Sleep Mode Response
frame if WNM Sleep Mode is used in OSEN or in a network where use of GTK
is disabled. This was already the case for the EAPOL-Key cases of
providing GTK/IGTK, but the WNM Sleep Mode exit case was missed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-29 21:04:40 +03:00
Hu Wang
d578e890eb OWE: Skip beacon update of transition BSS if it is not yet enabled
When a single hostapd process manages both the OWE and open BSS for
transition mode, owe_transition_ifname can be used to clone the
transition mode information (i.e., BSSID/SSID) automatically. When both
BSSs use ACS, the completion of ACS on the 1st BSS sets state to
HAPD_IFACE_ENABLED and the OWE transition mode information is updated
for all the other BSSs. However, the 2nd BSS is still in the ACS phase
and the beacon update messes up the state for AP startup and prevents
proper ACS competion.

If 2nd BSS is not yet enabled (e.g., in ACS), skip beacon update and
defer OWE transition information cloning until the BSS is enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-26 16:23:39 +03:00
Sachin Ahuja
88436baaac Add a vendor attribute to get OEM data
Add an attribute QCA_WLAN_VENDOR_ATTR_OEM_DATA_RESPONSE_EXPECTED
to get the response for the queried data.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 23:40:01 +03:00
Sunil Dutt
3f9a89ca1c Vendor attributes for configuring LDPC, TX STBC, RX STBC
Defines the attributes in SET(GET)_WIFI_CONFIGURATION to dynamically
configure capabilities: LDPC, TX STBC, RX STBC.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 23:34:37 +03:00
Jouni Malinen
8ee0bc622a OCV: Disconnect STAs that do not use SA Query after CSA
Verify that all associated STAs that claim support for OCV initiate an
SA Query after CSA. If no SA Query is seen within 15 seconds,
deauthenticate the STA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 21:57:04 +03:00
Jouni Malinen
01ceb88c77 OCV: Report validation errors for (Re)Association Request frames
Add the OCV-FAILURE control interface event to notify upper layers of
OCV validation issues in FT and FILS (Re)Association Request frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 20:46:32 +03:00
Jouni Malinen
a3556d5813 OCV: Report validation errors for EAPOL-Key messages in AP mode
Add the OCV-FAILURE control interface event to notify upper layers of
OCV validation issues in EAPOL-Key msg 2/4 and group 2/2.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 19:09:12 +03:00
Jouni Malinen
d52067a5b6 OCV: Report validation errors for SA Query Request/Response in AP mode
Add a new OCV-FAILURE control interface event to notify upper layers of
OCV validation issues. This commit adds this for SA Query processing in
AP mode.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 18:42:00 +03:00
Jouni Malinen
52579be860 OCV: Move "OCV failed" prefix to callers
Make reporting of OCV validation failure reasons more flexible by
removing the fixed prefix from ocv_verify_tx_params() output in
ocv_errorstr so that the caller can use whatever prefix or encapsulation
that is most appropriate for each case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 18:34:59 +03:00
Vamsi Krishna
2d118f557a OCV: Add support to override channel info OCI element (STA)
To support the STA testbed role, the STA has to use specified channel
information in OCI element sent to the AP in EAPOL-Key msg 2/4, SA Query
Request, and SA Query Response frames. Add override parameters to use
the specified channel while populating OCI element in all these frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 18:01:44 +03:00
Jouni Malinen
c2080e8657 Clear current PMKSA cache selection on association/roam
It was possible for the RSN state machine to maintain old PMKSA cache
selection (sm->cur_pmksa) when roaming to another BSS based on
driver-based roaming indication. This could result in mismatching state
and unexpected behavior, e.g., with not generating a Suite B PMKSA cache
entry.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-25 16:25:50 +03:00
Jouni Malinen
d9532eb70f Debug print PMK-R0/R1 and PMKR0/R1Name in the helper functions
There is no need to have all callers debug print these separately.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-23 21:45:29 +03:00
Min Liu
5ab8ad4cfe Vendor attributes for ssetting TX A-MSDU and RX A-MSDU parameters
Define QCA vendor attributes for SET(GET)_WIFI_CONFIGURATION to
dynamically configure capabilities for TX A-MSDU and RX A-MSDU.

Signed-off-by: Min Liu <minliu@codeaurora.org>
2020-05-21 00:53:20 +03:00
Min Liu
f7a904a283 QCA vendor command for adding and deleting TSPEC
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_CONFIG_TSPEC
to add and delete TSPEC in STA mode.
The attributes defined in enum qca_wlan_vendor_attr_config_tspec
are used to encapsulate required information.

Signed-off-by: Min Liu <minliu@codeaurora.org>
2020-05-21 00:48:11 +03:00
Kiran Kumar Lokere
82867456e9 Vendor attributes to configure PMF protection and disassoc Tx for testing
Add new QCA vendor attributes to configure misbehavior for PMF
protection for Management frames and to inject Disassociation frames.

These attributes are used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-21 00:35:54 +03:00
Vamsi Krishna
e5e2757455 Add QCA vendor interface support to configure PHY modes
Add an attribute that can be used with
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION vendor command to
configure different PHY modes to the driver/firmware.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-21 00:33:55 +03:00
Sunil Dutt
db0d0b84af nl80211: Control the registration for RRM frame with driver_param
wpa_supplicant registered to process the Radio Measurement Request
frames unconditionally. This would prevent other location based
applications from handling these frames. Enable such a use case by
allowing wpa_supplicant to be configured not to register to process
these frames. This can now be done by adding "no_rrm=1" to the
driver_param configuration parameter.

In addition, wpa_driver_nl80211_init() does not have the provision to
take driver_params. Hence, resubscribe again with cfg80211 when this
driver parameter "no_rrm=1" is set after the initial setup steps.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-21 00:30:54 +03:00
Rajkumar Manoharan
dd2daf0848 HE: Process HE 6 GHz band capab from associating HE STA
Process HE 6 GHz band capabilities in (Re)Association Request frames and
pass the information to the driver.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-05-17 17:22:34 +03:00
Rajkumar Manoharan
db603634a9 HE: Add 6 GHz Band Capabilities element in Beacon and response frames
Construct HE 6 GHz Band Capabilities element (IEEE 802.11ax/D6.0,
9.4.2.261) from HT and VHT capabilities and add it to Beacon, Probe
Response, and (Re)Association Response frames when operating on the 6
GHz band.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-05-17 16:47:18 +03:00
Rajkumar Manoharan
88911a0aa4 HE: Add HE 6 GHz Band Capabilities into ieee802_11_parse_elems()
Handle 6 GHz band capability element parsing for association.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-05-17 16:38:00 +03:00
Rajkumar Manoharan
b2c0b83c66 HE: Remove VHT Operation Information from HE Operation element
The VHT Operation Information subfield is conditonally present, so do
not hardcoded it in struct ieee80211_he_operation. These members of the
struct are not currently used, so these can be removed without impact to
functionality.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-05-17 16:32:49 +03:00
Rajkumar Manoharan
e297a5bfda HE: Define 6 GHz band capability elements
Defines IEEE P802.11ax/D6.0, 9.4.2.261 HE 6 GHz Band Capabilities
element and 6 GHz Operation Information field of HE Operation element
(IEEE P802.11ax/D6.0, Figure 9-787k).

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-05-17 16:24:08 +03:00
neo_jou
025ab330b4 ACS: Channel selection based freqlist
When doing ACS, check freqlist also if it is specified.

Signed-off-by: neojou <neojou@gmail.com>
2020-05-17 01:31:19 +03:00
Jouni Malinen
4ae3f39720 Add a helper function for recognizing BIP enum wpa_alg values
Use a shared wpa_alg_bip() function for this and fix the case in
nl_add_key() to cover all BIP algorithms. That fix does not change any
behavior since the function is not currently used with any BIP
algorithm, but it is better to avoid surprises should it ever be needed
with IGTK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-17 01:31:19 +03:00
Jouni Malinen
d3cab56c04 Rename WPA_ALG_IGTK to use the correct cipher name for BIP
IGTK is the key that is used a BIP cipher. WPA_ALG_IGTK was the
historical name used for this enum value when only the AES-128-CMAC
based BIP algorithm was supported. Rename this to match the style used
with the other BIP options.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-17 01:31:19 +03:00
Johannes Berg
bd1aebbd08 hostapd: Extend RESET_PN for BIGTK
Extend the RESET_PN command to allow resetting the BIGTK PN
for testing.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-05-17 01:31:16 +03:00
Jouni Malinen
df49c53f4a Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 22:12:46 +03:00
Jouni Malinen
eb595b3e3a wolfssl: Fix crypto_bignum_rand() implementation
The previous implementation used mp_rand_prime() to generate a random
value in range 0..m. That is insanely slow way of generating a random
value since mp_rand_prime() is for generating a random _prime_ which is
not what is needed here. Replace that implementation with generationg of
a random value in the requested range without doing any kind of prime
number checks or loops to reject values that are not primes.

This speeds up SAE and EAP-pwd routines by couple of orders of
magnitude..

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:02:17 +03:00
Jouni Malinen
6a28c4dbc1 wolfssl: Fix compiler warnings on size_t printf format use
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:01:51 +03:00
Jouni Malinen
f2dbaa8ace SAE: Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 21:01:32 +03:00
Petr Štetiar
3e1a130107 nl80211: Change AKM suite limit from warning to debug print
Commit dd74ddd0df ("nl80211: Handle AKM suite selectors for AP
configuration") added warning log message "nl80211: Not enough room for
all AKM suites (num_suites=X > NL80211_MAX_NR_AKM_SUITES)" which in some
cases fills logs every 3 seconds, so fix this by increasing the log
message level to debug.

Reported-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Ref: https://patchwork.ozlabs.org/project/openwrt/patch/20200504130757.12736-1-ynezz@true.cz/#2429246
Fixes: dd74ddd0df ("nl80211: Handle AKM suite selectors for AP configuration")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2020-05-16 15:51:11 +03:00
Jouni Malinen
5a04a76aa2 Ignore Management frames while AP interface is not fully enabled
It is possible for drivers to report received Management frames while AP
is going through initial setup (e.g., during ACS or DFS CAC). hostapd
and the driver is not yet ready for actually sending out responses to
such frames at this point and as such, it is better to explicitly ignore
such received frames rather than try to process them and have the
response (e.g., a Probe Response frame) getting dropped by the driver as
an invalid or getting out with some incorrect information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 12:16:34 +03:00
Jouni Malinen
c82535edd6 Move deauthentication at AP start to be after beacon configuration
This allows nl80211-based drivers to get the frame out. The old earlier
location resulted in the driver operation getting rejected before the
kernel was not ready to transmit the frame in the BSS context of the AP
interface that has not yet been started.

While getting this broadcast Deauthentication frame transmitted at the
BSS start is not critical, it is one more chance of getting any
previously associated station notified of their previous association not
being valid anymore had they missed previous notifications in cases
where the AP is stopped and restarted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 11:38:09 +03:00
Jouni Malinen
094c8a6218 Remove unnecessary key clearing at AP start with nl80211
cfg80211 takes care of key removal when link/association is lost, so
there is no need to explicitly clear old keys when starting AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-16 11:28:03 +03:00
Jouni Malinen
04030e8c0d nl80211: Remove AP mode interface from bridge for STA-mode-scan
Linux bridging code does not allow a station mode WLAN interface in a
bridge and this prevents the AP mode scan workaround from working if the
AP interface is in a bridge and scanning can be only done by moving to
STA mode. Extend this workaround to remove the interface from the bridge
temporarily for the duration of the scan, i.e., for the same duration as
the interface needs to be moved into the station.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-15 21:23:50 +03:00
Jouni Malinen
98e4b38403 DPP2: Chirping in hostapd Enrollee
Add a new hostapd control interface command "DPP_CHIRP own=<BI ID>
iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started. This follows the model of similar
wpa_supplicant functionality from commit 562f77144c ("DPP2: Chirping
in wpa_supplicant Enrollee"). The hostapd case requires the AP to be
started without beaconing, i.e., with start_disabled=1 in hostapd
configuration, to allow iteration of channels needed for chirping.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:59:05 +03:00
Jouni Malinen
95471fc3e8 Handle hostapd_for_each_interface() at the process termination
Clean struct hapd_interfaces pointers and interface count during
deinitialization at the end of theh ostapd process termination so that a
call to hostapd_for_each_interface() after this does not end up
dereferencing freed memory. Such cases do not exist before this commit,
but can be added after this, e.g., for DPP needs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:39:01 +03:00
Jouni Malinen
99809c7a44 nl80211: Disable offchannel-ok in AP mode only if beaconing
When hostapd is started without beaconing (start_disabled=1), Public
Action frame transmission command through nl80211 needs to allow
offchannel operations regardless of the operating channel configuration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-13 17:09:52 +03:00
Jouni Malinen
0f58c88fc3 DPP2: Fix CONFIG_DPP2=y build with OpenSSL 1.0.2
This file needs the EVP_PKEY_get0_EC_KEY() compatibility wrapper just
like other DPP source code files using this function.

Fixes: 21c612017b ("DPP: Move configurator backup into a separate source code file")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 21:02:39 +03:00
Veerendranath Jakkam
b67bedf2e3 nl80211: Fetch information on supported AKMs from the driver
The driver can advertise supported AKMs per wiphy and/or per interface.
Populate per interface supported AKMs based on the driver advertisement
in the following order of preference:
1. AKM suites advertised by NL80211_ATTR_IFTYPE_AKM_SUITES
2. AKM suites advertised by NL80211_ATTR_AKM_SUITES
If neither of these is available:
3. AKMs support is assumed as per legacy behavior.

In addition, extend other driver interface wrappers to set the
per-interface values based on the global capability indication.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-05-12 16:57:17 +03:00
Veerendranath Jakkam
6fffb320fc nl80211: Remove QCA vendor specific AKM capability handling
Since this functionality was not used for anything in practice, it is
easier to simply remove this functionality completely to avoid potential
conflicts in using the kernel tree upstream commit ab4dfa20534e
("cfg80211: Allow drivers to advertise supported AKM suites").

This is practically reverting the commit 8ec7c99ee4 ("nl80211: Fetch
supported AKM list from the driver").

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-05-12 16:41:22 +03:00
Jouni Malinen
db59827a3c DPP2: Extend TCP encapsulation case to support Configurator as Initiator
This allows DPP_AUTH_INIT to be used with tcp_addr=<dst> argument and
Configurator parameters to perform Configurator initiated DPP
provisioning over TCP. Similarly, DPP_CONTROLLER_START can now be used
to specify Configurator/Enrollee roles and extend Controller to work in
Enrollee role.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-12 14:48:49 +03:00
Jouni Malinen
890ae336c0 DPP2: Clean up CONFIG_DPP2 use with configurator connectivity IE
Avoid duplicated return statement in CONFIG_DPP2=y builds.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:30:26 +03:00
Jouni Malinen
7f20a3ebda DPP2: Reconfiguration support in Controller
Add handling of Reconfiguration messages in Controller.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
6dcb8aaf13 DPP2: Reconfig Announcement relaying from AP to Controller
Recognize the Reconfig Announcement message type and handle it similarly
to the Presence Announcement in the Relay, i.e., send it to the first
Controller if the local Configurator does not have matching C-sign-key.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
3b4f7dfaa1 DPP2: Fix Presence Announcement processing in Controller
Use the new struct dpp_authentication instance when setting Configurator
parameters for authentication exchange triggered by Presence
Announcement. conn->auth is NULL here and would cause dereferencing of a
NULL pointer if dpp_configurator_params is set.

Fixes: fa5143feb3 ("DPP2: Presence Announcement processing in Controller")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
5e2d877cc4 DPP: Mark internal-to-file functions static
These functions are not used outside dpp_crypto.c anymore.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
3aaf269f67 DPP: Move TCP encapsulation into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
21c612017b DPP: Move configurator backup into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
fdbbb74064 DPP: Move authentication functionality into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
3e48c5d4b4 DPP2: Reconfig Authentication Confirm processing
Extend Enrollee functionality to process Reconfig Authentication
Confirm message and start GAS client.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
24b01c706b DPP2: Reconfig Authentication Response processing and Confirm generation
Extend Configurator functionality to process Reconfig Authentication
Response message, derive the needed keys, and generate Reconfig
Authentication Confirm message.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:09 +03:00
Jouni Malinen
65e94351dc DPP2: Reconfig Authentication Request processing and Response generation
Extend Enrollee functionality to process Reconfig Authentication Request
message, derive the needed keys, and generate Reconfig Authentication
Response message.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
3774b6bd03 DPP2: Reconfig Authentication Request generation and transmission
Extend Configurator functionality to sign a special Connector for
reconfiguration and reply with Reconfig Authentication Request frame
when Reconfig Announcement frame is received with a matching C-sign key
hash value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
66ac616cdb DPP2: Process received Reconfig Announcement frame
Check if there is a matching Configurator and be ready to initiate
Reconfig Authentication (which itself is not included in this commit).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
0c043d9de7 DPP2: Reconfig Announcement transmission
Extend DPP chirping mechanism to allow Reconfig Announcement frames to
be transmitted instead of the Presence Announcement frames. Add a new
wpa_supplicant control interface command "DPP_RECONFIG <network id>" to
initiate reconfiguration for a specific network profile.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
92492dd3ac DPP2: Extend connector matching for reconfiguration
Allow the same helper functions to be used with reconfiguration
connector.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
961435097b DPP2: Move connStatus object building into a helper function
Allow the same helper function to be used for reconfiguration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
94f73f90ef DPP: Move signed connector checking into a helper function
This can be reused for similar need with reconfiguration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
94a28a4940 DPP: Move parsing of own connector into a helper function
This can be used for reconfiguration as well.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
d4ae12355a DPP: Move PKEX functionality into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
87b6572616 DPP: Move crypto routines into a separate source code file
This is an initial step in splitting the overly long dpp.c into smaller
pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 12:09:24 +03:00
Jouni Malinen
16626dff9b DPP2: Derive bk ("base key")
Split ke derivation into two parts so that the previously used
internal-only PRK gets stored as the bk in the authentication state.
This new key will be needed for deriving additional keys with DPP R2.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-10 15:55:30 +03:00
Jouni Malinen
76029c6e11 DPP: Use EVP_PKEY_get0_EC_KEY() when a const reference is sufficient
This removes unnecessary allocations and simplifies the implementation
by not having to remember to free the cloned reference.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-10 15:55:30 +03:00
Jouni Malinen
481fdfc462 DPP2: Fix URI version parser
Fix a copy-paste error in parsing the version info.

Fixes: 7dd768c3ca ("DPP2: Version information in bootstrapping info URI")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-06 11:58:56 +03:00
Jouni Malinen
7dd768c3ca DPP2: Version information in bootstrapping info URI
Add the local supported version information into the bootstrapping
information (V=2 in the URI) and parse this from received URI.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-05 20:48:23 +03:00
Jouni Malinen
5a0718a19c DPP2: Report MUD URL and bandSupport in control interface events
Report MUD URL and bandSupport from config request if those optional
nodes are included. For now, these are mainly for testing purposes since
there is no mechanism to delay sending of config response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 15:33:03 +03:00
Jouni Malinen
769139c490 DPP2: Do not include Protocol Version in Auth Req when testing v1
When DPP v2 implementation is hardcoded to behave as v1 for testing
purposes, leave out the Protocol Version attribute form Authentication
Request instead of including it there with indication for v1.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 13:12:21 +03:00
Jouni Malinen
fad64b4168 DPP: Move dppCon signing to a set of helper functions
This simplifies dpp_build_conf_obj_dpp() and makes it easier to share
the signing functionality for other purposes like reconfiguration where
the Configurator needs to sign a dppCon object for itself without
generating the encapsulating config object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:39:19 +03:00
Jouni Malinen
12c8eacf73 DPP: Allow version number to be overridden for testing purposes
"SET dpp_version_override <ver>" can now be used to request
wpa_supplicant and hostapd to support a subset of DPP versions. In
practice, the only valid case for now is to fall back from DPP version 2
support to version 1 in builds that include CONFIG_DPP2=y.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:45 +03:00
Jouni Malinen
c3c38bc8b9 DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 3/4
Do not allow association to continue if the local configuration enables
PFS and the station indicates it supports PFS, but PFS was not
negotiated for the association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
9561925b4d DPP2: Detect PFS downgrade attack while processing EAPOL-Key msg 2/4
Do not allow association to continue if the local configuration enables
PFS and the station indicates it supports PFS, but PFS was not
negotiated for the association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
68422fedbf DPP2: Parse DPP KDE in EAPOL-Key Key Data field
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
143e3d8bc5 DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
b11a12401a DPP2: Add DPP KDE into EAPOL-Key msg 3/4 when using DPP AKM
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
85d5456997 DPP2: Indicate if PFS was used in control interface STATUS
The new "dpp_pfs=1" entry can be used to determine whether PFS was used
during derivation of PTK when DPP AKM is negotiated for an association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
1f5f000086 DPP2: Try to negotiate PFS only if AP supports version 2 or newer
Check AP's DPP Protocol Version during network introduction and mark the
PMKSA cache as suitable for PFS use with version 2 or newer. This avoids
unnecessary attempt of negotiating PFS with version 1 APs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
42acf1292d DPP2: Add Protocol Version attribute to network introduction messages
This can be used to determine whether to try to negotiate PFS (only
available with version 2 or higher).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-04 00:37:44 +03:00
Jouni Malinen
a7d6098fb4 Add PRINTF_FORMAT for printf wrapper functions
This avoids compiler format-nonliteral warnings ("format string is not a
string literal").

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-05-02 21:04:17 +03:00
Jouni Malinen
a803ba4f9d Use more specific reason codes for 4-way handshake timeouts
IEEE 802.11 defines reason codes for indicating 4-way handshake and
group key handshake timeouts. Use those reason codes instead of the more
generic one for these particular cases in the Authenticator state
machine.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-29 13:00:53 +03:00
Jouni Malinen
ff0b87304c nl80211: Process unprotected Beacon frame RX events
Convert driver indications to internal events to allow invalid Beacon
frames to be reported to the AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:10:09 +03:00
Jouni Malinen
a39e9af908 nl80211: DPP listen mode callback
Update frame processing registration for DPP Public Action frames to
include multicast reception when in DPP listen mode and the driver
indicates support for this type of explicit request.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:07:01 +03:00
Jouni Malinen
e81e2091b3 Remove now unused Boolean/TRUE/FALSE definitions
The previous users were converted to C99 bool.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
71140cd5b1 RADIUS: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
2c55e67aaf airtime_policy: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
f75a0339d5 state_machine: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
0365458eb8 HE: Replace Boolean with C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
5e5eb5a312 MACsec: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
d15e109e29 EAP peer: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
c9d70dd329 RSN supp: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
da8478a1ab EAPOL supp: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
37e3501bf7 FST: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
3dc69721e8 EAPOL auth: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
56024a233a WPA auth: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
4d9c313f2a WPA: Fix wpa_parse_kde_ies() handling with vendor specific elements
Documentation of the return values for wpa_parse_vendor_specific() and
wpa_parse_generic() were not accurate and the parsing results from these
were not really handled appropriately. There is no point in calling
wpa_parse_vendor_specific() if wpa_parse_generic() recognizes a KDE. Not
that this would break anything in practice, but still, it looks
confusing.

The part about handling wpa_parse_vendor_specific() return value can, at
least in theory, break some cases where an unexpectedly short KDE/vendor
specific element were present and something would need to be recognized
after it. That does not really happen with any standard compliant
implementation and this is unlikely to cause any real harm, but it is
clearer to handle this more appropriately even for any theoretical case,
including misbehavior of a peer device.

Instead of stopping parsing on too short vendor specific element,
continue parsing the following KDEs/IEs. Skip the
wpa_parse_vendor_specific() call when a KDE has been recognized. Also
fix the return value documentation for wpa_parse_generic() and remove
the useless return value from wpa_parse_vendor_specific().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Jouni Malinen
1025a9052c Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-24.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-24 17:06:36 +03:00
Jouni Malinen
60a2de5683 EAP server: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-21 17:39:07 +03:00
Jouni Malinen
4d2ec436e3 DPP: Add driver operation for enabling/disabling listen mode
This can be used to configure RX filter to be able to receive broadcast
DPP Public Action frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-20 23:52:04 +03:00
Jouni Malinen
99cf895553 Include stdbool.h to allow C99 bool to be used
We have practically started requiring some C99 features, so might as
well finally go ahead and bring in the C99 bool as well.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-20 20:29:31 +03:00
Jouni Malinen
3e6383f31a DPP2: Silence compiler warning with no-CONFIG_DPP2 and OpenSSL 1.0.2
EVP_PKEY_get0_EC_KEY() compatibility wrapper is used only within
CONFIG_DPP2 blocks, so define it with matching condition.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
0115268743 nl80211: Move nl80211_init_connect_handle() to avoid forward declaration
This has no changes to the function itself, i.e., it is just moved to a
location that is above the first caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
7a880b129d l2_packet: Allow initialization without RX handling
This can be used to minimize resource use when receive path is not
needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
95cbf45090 nl80211: Do not open EAPOL RX socket when using control port for RX (AP)
drv->eapol_sock is used only for receiving EAPOL frames in AP mode, so
it is not needed when using control port for EAPOL frame RX.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 17:42:41 +03:00
Jouni Malinen
c1bc0dd80d nl80211: Disable EAPOL TX over control port in AP mode by default
Since this nl80211 mechanism for sending EAPOL frames does not currently
support TX status notification, disable it by default of AP mode where
the Authenticator state machine uses those notifications to optimize
retransmission. The control port TX can be enabled for AP mode with
driver param control_port_ap=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 16:50:56 +03:00
Markus Theil
12ea7dee31 nl80211: Use nl80211 control port for receiving EAPOL frames
Use and/or set socker owner where necessary to allow EAPOL frames to be
received using the nl80211 control port. This is done when the driver
indicates support for the control port without previous hardcoded
reception of RSN preauth frames.

Use methods which set or use the connection owner nl_sock * where
necessary. Initial operations need to register with the SOCKET_OWNER
attribute set (e.g., connect for STA mode). Final operations need to use
the socket which holds the owner attribute (e.g., disconnect for STA
mode).

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 16:49:03 +03:00
Markus Theil
8609aa5ba3 nl80211: Tie connect handle to bss init/destroy
This commit creates a connect nl_sock * for every bss unconditionally.
It is used in the next commit for nl80211 control port RX.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 15:53:02 +03:00
Markus Theil
b4a70018ee nl80211: Handle control port frame in bss events
In order to work in AP mode, handle control port frame RX as per bss
event.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 15:53:02 +03:00
Markus Theil
6f70fcd986 nl80211: Check ethertype for control port RX
nl80211 control port event handling previously did not differentiate
between EAPOL and RSN preauth ethertypes. Add checking of the ethertype
and report unexpected frames (only EAPOL frames are supposed to be
delivered through this path).

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-04-19 15:53:02 +03:00
Jouni Malinen
932546ac28 nl80211: Add a separate driver capability for control port RX
This is needed since the initial implementation of the control port
mechanism in the kernel mixed in RSN pre-authentication ethertype
unconditionally (and IMHO, incorrectly) into the control port.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 15:53:02 +03:00
Jouni Malinen
bb9e3935dd driver: Add second driver capability flags bitmap
All 64 bits of the capability flags bitmap are used, so add a new
variable to hold future capability bits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-19 15:53:02 +03:00
Disha Das
6b1c590ebb Allow TKIP support to be removed from build
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.

Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-04-17 23:51:58 +03:00
Jouni Malinen
a6c689d354 FT: Testing override for RSNXE Used subfield in FTE (AP)
Allow hostapd to be requested to override the RSNXE Used subfield in FT
reassociation case for testing purposes with "ft_rsnxe_used=<0/1/2>"
where 0 = no override, 1 = override to 1, and 2 = override to 0.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-16 23:39:57 +03:00
Jouni Malinen
9b222b6130 nl80211: Remove unnecessary inclusion of l2_packet.h
The only l2_packet use within this file was removed by commit
d12dab4c6f ("nl80211: Use non-receiving socket for EAPOL TX").

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 19:28:05 +03:00
Jouni Malinen
b2d8dc59f4 FT: Testing override for RSNXE Used subfield in FTE
Allow wpa_supplicant to be requested to override the RSNXE Used subfield
in FT reassociation case for testing purposes with "SET ft_rsnxe_used
<0/1/2>" where 0 = no override, 1 = override to 1, and 2 = override to
0.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 16:37:35 +03:00
Jouni Malinen
5344af7d22 FT: Discard ReassocReq with mismatching RSNXE Used value
Discard the FT Reassociation Request frame instead of rejecting it
(i.e., do not send Reassociation Response frame) if RSNXE Used is
indicated in FTE, but no RSNXE is included even though the AP is
advertising RSNXE.

While there is not really much of a difference between discarding and
rejecting the frame, this discarding behavior is what the standard says
for this type of an error case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 16:37:35 +03:00
Edayilliam Jayadev
af0178c75b Add vendor attributes indicating number of spectral detectors
Add per bandwidth capability attributes which indicate the number of
spectral detectors used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-07 23:05:26 +03:00
Edayilliam Jayadev
7a510a97ba Add an attribute for secondary 80 MHz span of agile spectral scan
Add an attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_FREQUENCY_2
for describing the secondary 80 MHz span of agile spectral scan.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-07 23:03:30 +03:00
Jouni Malinen
24a6bca704 PKCS#1: Debug dump invalid Signature EB
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 20:13:26 +03:00
Jouni Malinen
eac6eb7024 X509: Use unique debug prints for unused bits entries
This makes it easier to understand which X.509 BIT STRING value has the
unused bits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-05 19:59:47 +03:00
Jouni Malinen
153333ef6b FT RRB: Remove confusing debug print about extra data
The "FT: Ignore extra data in end" hexdump is quite confusing since it
shows all the IEs that were actually either processed or forwarded.
There is no code path that could reach this debug print with actual real
extra data. Remove it and the dead increment of pos to avoid warnings
from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 23:42:05 +03:00
Jouni Malinen
d867e11811 FT: Remove and re-add STA entry after FT protocol success with PMF
Allow STA entry to be removed and re-added to the driver with PMF is
used with FT. Previously, this case resulted in cfg80211 rejecting STA
entry update after successful FT protocol use if the association had not
been dropped and it could not be dropped for the PMF case in
handle_auth().

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 21:53:10 +03:00
Jouni Malinen
512b6c02e0 DPP: Mandate mutual auth with NFC negotiated connection handover
Mark own bootstrap information as having been used in NFC negotiated
connection handover and do not accept non-mutual authentication when
processing Authentication Response from the peer when such bootstrapping
information is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-03 16:27:52 +03:00
Jouni Malinen
872299f4b3 DPP2: Store netAccessKey in psk/sae credentials for reconfig
Connector alone is not sufficient for authentication during
reconfiguration, so store the netAccessKey as well.

Fixes: e4eb009d98 ("DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-03 12:43:48 +03:00
Jouni Malinen
bf9f49396b OWE: Remove check for unexpected DH Parameter IE use with other AKMs
While the Diffie-Hellman Parameter element is defined in RFC 8110
explicitly for use witht he OWE AKM, it has now been proposed to be used
with another AKM (DPP). Should any other AKM be extended in similar
manner in the future, the check against unexpected use could result in
additional interoperability issues. Remove that and instead, ignore the
unexpected Diffie-Hellman Parameter element if it is included in
(Re)Association Request frame when any other AKM is negotiated.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-03 12:18:11 +03:00
Jouni Malinen
e4eb009d98 DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig
If the Enrollee indicates support for DPP R2 or newer, add Connector and
C-sign-key in psk/sae credentials (i.e., cases where DPP AKM is not
enabled) for reconfiguration. Extend processing of such credentials in
wpa_supplicant network profile addition to handle this new case
correctly by not setting key_mgmt=DPP based on Connector being present,
but by looking at the actual akm value in the config object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-02 21:34:49 +03:00
Jouni Malinen
a371164f88 Process received WNM Notification Request for beacon protection failures
Report received notifications for beacon protection failures in syslog
and control interface.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-01 16:30:12 +03:00
Jouni Malinen
0e794989e5 Beacon frame protection event for incorrect protection
Define a driver interface event for Beacon frame protection failures.
Report such events over the control interface and send a
WNM-Notification Request frame to the AP as well.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-01 16:22:48 +03:00
P Praneesh
7c8f540ee0 wpa_supplicant: Add HE override support
Add HE override support under the build parameter CONFIG_HE_OVERRIDES=y.
The disable_he=1 network profile parameter can be used to disable HE.
This requires a fallback to VHT on the 5 GHz band and to HT on the 2.4
GHz band.

There is no nl80211 support for configuring the driver to disable HE, so
for now, this applies only to IBSS and mesh cases.

Signed-off-by: P Praneesh <ppranees@codeaurora.org>
2020-03-30 12:55:01 +03:00
Sergey Matyukevich
91498a1225 hostapd: DFS for channel switch in repeater mode
In repeater mode remote AP may request channel switch to a new channel.
Check if DFS is required for the new channel before proceeding with
normal AP operations. Start CAC procedure if radar detection is required
and channel is not yet marked as available.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2020-03-29 21:15:16 +03:00
Sergey Matyukevich
683e7c7559 DFS: Add new hostapd_is_dfs_overlap() helper
Add a new hostapd_is_dfs_overlap() helper function to DFS module. This
function tells whether the selected frequency range overlaps with DFS
channels in the current hostapd configuration. Selected frequency reange
is specified by its center frequency and bandwidth.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2020-03-29 21:15:16 +03:00
Sergey Matyukevich
7988767393 DFS: Rename and export hostapd_config_dfs_chan_available helper
Rename DFS helper hostapd_config_dfs_chan_available() to
hostapd_is_dfs_chan_available(). Enable access to this helper function
from other hostapd components.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2020-03-29 21:15:16 +03:00
Alexander Wetzel
3f88d2ba0d AP: Drop not needed condition to delete PTK ID 1
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-29 21:15:16 +03:00
Jouni Malinen
80914e9eb2 DPP2: Fix build with OpenSSL 1.0.2 (EVP_PKEY_get0_EC_KEY() wrapper)
EVP_PKEY_get0_EC_KEY() was added in OpenSSL 1.1.0, so add a
compatibility wrapper for it when building with OpenSSL 1.0.2.

Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Fixes: 7d9e320054 ("DPP: Received Configurator backup processing")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-29 21:15:16 +03:00
Jouni Malinen
54e2961f80 Add a hostapd testing option for skipping association pruning
The new skip_prune_assoc=1 parameter can be used to configure hostapd
not to prune associations from other BSSs operated by the same process
when a station associates with another BSS. This can be helpful in
testing roaming cases where association and authorization state is
maintained in an AP when the stations returns.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 20:39:19 +02:00
Jouni Malinen
1a18f8df63 nl80211: Allow full AP client state capability to be disabled
The new driver param full_ap_client_state=0 can be used to test
functionality with the driver capability for full AP client state being
forced to be disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 20:38:11 +02:00
Jouni Malinen
7b156a3c5a wpa_auth: Use printf format %zu instead of type casts
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:54:10 +02:00
Jouni Malinen
f83d3491b9 wpa_auth: Do not split strings into multiple lines
Avoid unnecessary splitting of long string constants into multiple
lines.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:48:32 +02:00
Jouni Malinen
9385f03feb wpa_auth: Coding style cleanup for pointer is NULL comparisons
Use !ptr instead of ptr == NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:36:00 +02:00
Jouni Malinen
62e12afcf1 wpa_auth: Clean up pointer dereferences
Use local variables to avoid sm->wpa_auth->conf type of dereferences
where multiple instances within a function can be cleaned up.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 19:29:12 +02:00
Veerendranath Jakkam
bbf94a0958 nl80211: Configure PMKSA lifetime and reauth threshold timer to driver
Drivers that trigger roaming need to know the lifetime and reauth
threshold time of configured PMKSA so that they can trigger full
authentication to avoid unnecessary disconnection. To support this, send
dot11RSNAConfigPMKLifetime and dot11RSNAConfigPMKReauthThreshold values
configured in wpa_supplicant to the driver while configuring a PMKSA.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-03-28 17:27:42 +02:00
Jouni Malinen
1f4e9946bc Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-20.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-28 17:27:42 +02:00
Jouni Malinen
7c021dec3a DPP2: Allow AP to require or reject PFS
The new hostapd configuration parameter dpp_pfs can be used to specify
how PFS is applied to associations. The default behavior (dpp_pfs=0)
remains same as it was previously, i.e., allow the station to decide
whether to use PFS. PFS use can now be required (dpp_pfs=1) or rejected
(dpp_pfs=2).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-28 12:33:48 +02:00
Jouni Malinen
ca57d5f553 Return an enum from wpa_validate_wpa_ie()
This is more specific then returning a generic int and also allows the
compiler to do more checks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-28 12:30:46 +02:00
Sathishkumar Muruganandam
2b4f9ce287 hostapd: Add HE bit in BSSID Information field of own Neighbor Report
Add definition for HE bit in neighbor report BSSID Information field
from IEEE P802.11ax/D6.0, 9.4.2.36 Neighbor Report element.

Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
2020-03-27 23:52:24 +02:00
Jouni Malinen
80d0e50dc5 DPP2: Use a helper function for encapsulating TCP message
This functionality was repeated for multiple different frames. Use a
shared helper function to avoid such duplication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
fa5143feb3 DPP2: Presence Announcement processing in Controller
Process the received Presence Announcement frames in Controller. If a
matching bootstrapping entry for the peer is found, initiate DPP
authentication to complete provisioning of the Enrollee.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
db1ef82538 DPP2: Presence Announcement processing in AP/Relay
Process the received Presence Announcement frames in AP/Relay. If a
matching bootstrapping entry for the peer is found in a local
Configurator, that Configurator is used. Otherwise, the frame is relayed
to the first configured Controller (if available).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
06dd32903d DPP2: Presence Announcement processing at Configurator
Process received Presence Announcement frames and initiate
Authentication exchange if matching information is available on the
Configurator.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
6f5bc15bec DPP2: Configurator Connectivity indication
Add a new hostapd configuration parameter
dpp_configurator_connectivity=1 to request Configurator connectivity to
be advertised for chirping Enrollees.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
562f77144c DPP2: Chirping in wpa_supplicant Enrollee
Add a new wpa_supplicant control interface command "DPP_CHIRP own=<BI
ID> iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 20:05:25 +02:00
Jouni Malinen
1f0226770c DPP2: Add a helper function for building Presence Announcement frame
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
7cba35b0ed DPP2: New identifier definitions
Add new identifier definitions for presence announcement,
reconfiguration, and certificate enrollment.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
547dc7eaa3 DPP: Add DPP_BOOTSTRAP_SET command
"DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to
set peer specific configurator parameters which will override any global
parameters from dpp_configurator_params.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
804fc268af DPP: Allow per-peer configurator parameters to be set
This is a more convenient way of addressing cases where a
Configurator/Controller may store a large number of peer bootstrapping
information instances and may need to manage different configuration
parameters for each peer while operating as the Responder.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
514cc49ba5 DPP: Store global pointers in struct dpp_authentication
Set the global pointer and msg_ctx when allocating struct
dpp_authentication instead of needing to pass these to
dpp_set_configurator().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-27 17:44:06 +02:00
Jouni Malinen
b7275a8142 Update STA flags to the driver immediately on disconnection
hostapd (and wpa_supplicant in AP mode) was internally updating the STA
flags on disconnection cases to remove authorization and association.
However, some cases did not result in immediate update of the driver STA
entry. Update all such cases to send out the update to the driver as
well to reduce risk of race conditions where new frames might be
accepted for TX or RX after the port authorization or association has
been lost and configured keys are removed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 17:51:03 +02:00
Jouni Malinen
9d1857cf35 Process Transition Disable KDE in station mode
Check whether the Transition Disable KDE is received from an
authenticated AP and if so, whether it contains valid indication for
disabling a transition mode. If that is the case, update the local
network profile by removing the less secure options.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:13:14 +02:00
Jouni Malinen
82cc0b0cc2 Allow hostapd AP to advertise Transition Disable KDE
The new hostapd configuration parameter transition_disable can now be
used to configure the AP to advertise that use of a transition mode is
disabled. This allows stations to automatically disable transition mode
by disabling less secure network profile parameters.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:12:41 +02:00
Jouni Malinen
3eb9ddc658 Transition Disable KDE definitions
Define the OUI Type and bitmap values for Transition Disable KDE. These
will be shared by both the AP and STA implementations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:12:39 +02:00
Wu Gao
a72ec4c221 Add addition CFR capture type to filter all NDPA NDP frames
Add QCA_WLAN_VENDOR_CFR_NDPA_NDP_ALL in enum
qca_wlan_vendor_cfr_capture_type. This capture type requests all NDPA
NDP frames to be filtered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-25 12:05:14 +02:00
Wu Gao
a163bfe2bc Change CFR attributes from required to optional
Some CFR attributes are used frequently with conditions, so change them
from required to optional.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-25 12:04:37 +02:00
Noam Shaked
e520de8dbe Add ACS support for 60 GHz channel bonding
hostapd will trigger EDMG auto channel selection by setting
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_ENABLED. The 60 GHz driver will be
called to start an auto channel selection and will return the
primary channel and the EDMG channel.

Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
2020-03-24 22:15:32 +02:00
Noam Shaked
00f6a27628 nl80211: Fix offloaded ACS regression for the 60 GHz band
Addition of chan_2ghz_or_5ghz_to_freq() broke 60 GHz ACS, because it
assumes reported ACS channel is on either 2.4 or 5 GHz band. Fix this
by converting chan_2ghz_or_5ghz_to_freq() to a more generic
chan_to_freq(). The new function uses hw_mode to support 60 GHz.

Fixes: 41cac481a8 ("ACS: Use frequency params in ACS (offload) completed event interface")
Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
2020-03-23 22:29:04 +02:00
John Crispin
1e8ea0833d HE: Add HE support to hostapd_set_freq_params()
The parameters that need to be applied are symmetric to those of VHT,
however the validation code needs to be tweaked to check the HE
capabilities.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2020-03-23 18:08:50 +02:00
Wu Gao
bb08be757f Extend vendor attributes to support enhanced CFR capture
Enhanced channel frequency response supports capturing of channel status
information based on RX. Define previous CFR as version 1 and enhanced
CFR as version 2. If target supports both versions, two versions can't
be enabled at same time. Extend attributes for enhanced CFR capture in
enum qca_wlan_vendor_peer_cfr_capture_attr.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-23 15:39:36 +02:00
Noam Shaked
30ac8ddaf6 Add QCA vendor attributes for ACS over EDMG (IEEE 802.11ay)
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_ENABLED, conduct ACS for EDMG.
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_CHANNEL, return the EDMG channel.

Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
2020-03-23 13:19:51 +02:00
Jouni Malinen
8b63a58166 Use a shared helper function for RSN supplicant capabilities
Avoid practically copy-pasted code for determining local RSN
capabilities.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-23 11:47:31 +02:00
Alexander Wetzel
b17b7a8e53 STA: Support Extended Key ID
Support Extended Key ID in wpa_supplicant according to
IEEE Std 802.11-2016 for infrastructure (AP) associations.

Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing STAs to also connect to APs not supporting it.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-23 11:47:31 +02:00
Alexander Wetzel
862aac1fcd AP: Support Extended Key ID
Support Extended Key ID in hostapd according to IEEE Std 802.11-2016.

Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing an AP to serve STAs with and without Extended Key
ID support in the same BSS.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-23 11:43:10 +02:00
Jouni Malinen
9f9a148af6 Convert int_array to use size_t instead of int as the length
This extends this to allow longer lists with LP32 data model to avoid
limit of 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
749add5c64 Limit freq_range_list_parse() result to UINT_MAX entries
This addresses a theoretical integer overflow with configuration
parameters with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
2f06008564 loop: Use size_t for eloop.count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets/signals/events be registered.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
7858f493f3 eloop: Use size_t for socket table->count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets be registered (which is not really going to happen in practice).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
3f45b8daeb hs20-osu-client: Use size_t for certificate components
This avoids a theoretical integer overflow with 16-bit unsigned int
should a certificate be encoded with more that 65535 friendly names or
icons.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
913220cbb8 eloop: Use size_t for signal_count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int (not that there would ever
be more that 32767 signal handlers getting registered).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
ae7193611f Limit maximum number of pending SA Queries
There is no point in starting a huge number of pending SA Queries, so
limit the number of pending queries to 1000 to have an explicit limit
for how large sa_query_count can grow.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
02b43c557c RADIUS: Use size_t instead of int for message attributes
While RADIUS messages are limited to 4 kB, use size_t to avoid even a
theoretical overflow issue with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Ouden
7546c489a9 nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length
If the kernel rtm_newlink or rtm_dellink send the maximum length of
ifname (IFNAMSIZ), the event handlers in
wpa_driver_nl80211_event_rtm_addlink() and
wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME
value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the
NULL termination, that equals the IFNAMSIZ.

Fix the condition when IFNAME reach maximum size.

Signed-off-by: Ouden <Ouden.Biz@gmail.com>
2020-03-21 17:12:29 +02:00
Sourav Mohapatra
22547c3148 More details to the vendor specific driver internal failure reporting
Add more hang reason codes for the hang reason in the
QCA_NL80211_VENDOR_SUBCMD_HANG events. This also introduces the
attribute QCA_WLAN_VENDOR_ATTR_HANG_REASON_DATA to carry the required
data for the respective hang reason. This data is expected to contain
the required dump to analyze the reason for the hang.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 17:12:29 +02:00
Jouni Malinen
51e8f5d63c Ignore duplicated SSID element when parsing
Some APs have managed to add two SSID elements into Beacon frames and
that used to result in picking the last one which had incorrect data in
the known examples of this misbehavior. Pick the first one to get the
correct SSID.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 17:12:29 +02:00
Veerendranath Jakkam
5a296129fc Set beacon protection config irrespective of macro CONFIG_FILS
This was not supposed to be conditional on CONFIG_FILS.

Fixes: ecbf59e693 ("wpa_supplicant configuration for Beacon protection")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 17:12:29 +02:00
Jouni Malinen
cc79eb725f Check against integer overflow in int_array functions
int_array_concat() and int_array_add_unique() could potentially end up
overflowing the int type variable used to calculate their length. While
this is mostly theoretical for platforms that use 32-bit int, there
might be cases where a 16-bit int overflow could be hit. This could
result in accessing memory outside buffer bounds and potentially a
double free when realloc() ends up freeing the buffer.

All current uses of int_array_add_unique() and most uses of
int_array_concat() are currently limited by the buffer limits for the
local configuration parameter or frame length and as such, cannot hit
this overflow cases. The only case where a long enough int_array could
be generated is the combination of scan_freq values for a scan. The
memory and CPU resource needs for generating an int_array with 2^31
entries would not be realistic to hit in practice, but a device using
LP32 data model with 16-bit int could hit this case.

It is better to have more robust checks even if this could not be
reached in practice, so handle cases where more than INT_MAX entries
would be added to an int_array as memory allocation failures instead of
allowing the overflow case to proceed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 17:12:17 +02:00
Jouni Malinen
a55ecfeabe Allow RSNXE to be removed from Beacon frames for testing purposes
The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to
remove RSNXE from Beacon frames. This can be used to test protection
mechanisms for downgrade attacks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:24:03 +02:00
Jouni Malinen
b7366a942a FT: Omit RSNXE from FT protocol Reassociation Response when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Response frame so
that a STA not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
6140cca819 FT: Omit RSNXE from FT protocol Reassociation Request when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Request frame so
that an AP not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
35936cd2cf FT: Verify that RSNXE is used consistently in Reassociation Response
Verify that the AP included RSNXE in Beacon/Probe Response frames if it
indicated in FTE that RSNXE is used. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
497ae9f004 FT: Verify that RSNXE is used consistently in Reassociation Request
Verify that the STA includes RSNXE if it indicated in FTE that RSNXE is
used and the AP is also using RSNXE. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:33:02 +02:00
Jouni Malinen
51d1924bd8 FT: Set the new RSNXE Used subfield in FT reassociation
This is a workaround needed to keep FT protocol backwards compatible for
the cases where either the AP or the STA uses RSNXE, but the other one
does not. This commit adds setting of the new field to 1 in
Reassociation Request/Response frame during FT protocol when the STA/AP
uses RSNXE in other frames. This mechanism is described in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:23:48 +02:00
Jouni Malinen
796253a65f nl80211: Debug print set_key() command names
This makes it easier to understand the debug log for various set_key()
operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:42:21 +02:00
Alexander Wetzel
ac22241532 nl80211: Extended Key ID support
Add key configuration parameters needed to support Extended Key ID with
pairwise keys. Add a driver capability flag to indicate support forusing
this.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:39:57 +02:00
Jouni Malinen
a1afa2df8a Remove unnecessary and confusing length check from the PMKID KDE case
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.

This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:24:18 +02:00
Alexander Wetzel
094c9cdc7e Add parsing of Key ID KDE for Extended Key ID
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:17:56 +02:00
Alexander Wetzel
f5c0104f3b Add KEY_FLAG_MODIFY for Extended Key ID support
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").

Add it again and update check_key_flag() accordingly.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:00:10 +02:00
Jouni Malinen
9e30180a30 nl80211: Allow scanning in wpa_supplicant AP mode
If the driver supports this, request cfg80211 to allow the explicitly
requested scan to go through in AP mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:21:35 +02:00
Jouni Malinen
037e004c16 nl80211: Remove extraneous space from send_mlme debug print
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:09:27 +02:00
Jouni Malinen
81fa7730d3 nl80211: Add more TX status details in debug log in AP mode
The actual TX status (whether ACK frame was received) was not included
in the debug log in AP mode. Add that for all cases. In addition, add
some more details in the debug log to make the log more helpful in
debugging issues related to frame delivery.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:06:35 +02:00
Jouni Malinen
46e147fcdc Allow RSNE/RSNXE to be replaced in FT protocol Reassocation Response frame
This can be used to test station side behavior for FT protocol
validation steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
1a8e9334c0 FT: Check RSNE/RSNXE match in FT protocol Reassociation Response frame
While 13.7.1 (FT reassociation in an RSN) in P802.11-REVmd/D3.0 did not
explicitly require this to be done, this is implied when describing the
contents of the fourth message in the FT authentication sequence (see
13.8.5). Furthermore, 20/332r2 is proposing an explicit validation step
to be added into 13.7.1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
839bab785b nl80211: Debug print driver capabilities
This can be helpful in understanding driver behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-13 20:03:14 +02:00
Hrishikesh Vidwans
d9a7b71a78 AP: Fix regression in frequency check for a usable EDMG channel
Commit 5f9b4afd ("Use frequency in HT/VHT validation steps done before
starting AP") modified hostapd_is_usable_edmg() to use freq instead of
channel numbers. Unfortunately, it did not convert the frequency
calculation correctly and this broke EDMG functionality.

Fix the frequency calculation so that EDMG channel 9 works again.

Fixes: 5f9b4afdfa ("Use frequency in HT/VHT validation steps done before starting AP")
Signed-off-by: Hrishikesh Vidwans <hvidwans@codeaurora.org>
2020-03-11 17:54:13 +02:00
Jouni Malinen
10223b501b SAE: Expose sae_write_commit() error cases to callers
Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:59:42 +02:00
Jouni Malinen
7f1f69e897 SAE: Check hmac_sha256() result in sae_token_hash()
In theory, hmac_sha256() might fail, so check for that possibility
instead of continuing with undetermined index value that could point to
an arbitrary token entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:51:30 +02:00
Jouni Malinen
b0927e5d06 nl80211: Fix error print for hapd_send_eapol()
The return value from nl80211_send_monitor() is not suitable for use
with strerror(). Furthermore, nl80211_send_monitor() itself is printing
out a more detailed error reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:48:00 +02:00
Jouni Malinen
a17cbcd698 os_unix: Call srandom() only if os_get_random() succeeds
Don't use uninitialized stack memory if /dev/urandom is not available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:43:09 +02:00
Jouni Malinen
17ba51b14d nl80211: Fix tx_control_port error print
send_and_recv_msgs() returns a negative number as the error code and
that needs to be negated for strerror().

Fixes: 8759e9116a ("nl80211: Control port over nl80211 helpers")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:38:57 +02:00
Jouni Malinen
bb2ea8e5e3 DPP: Remove unreachable return statement
This was forgotten from an earlier development version.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:35:45 +02:00
Jouni Malinen
7dcc5f7feb SAE: Check sta pointer more consistently in testing code
send_auth_reply() could be called with sta == NULL in certain error
conditions. While that is not applicable for this special test
functionality for SAE, the inconsistent checks for the sta pointer could
result in warnings from static analyzers. Address this by explicitly
checking the sta pointer here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:32:47 +02:00
Jouni Malinen
15d63c6043 Clean up hostapd_get_he_twt_responder() processing
mode->he_capab is an array and as such, there is no point in checking
whether it is NULL since that cannot be the case. Check for the
he_supported flag instead. In addition, convert the TWT responder
capability bit into a fixed value 1 to avoid any surprising to the
callers. In practice, neither of these changes results in different
behavior in the current implementation, but this is more robust.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:28:03 +02:00
Jouni Malinen
7aa47fe5fc DPP: Fix connectorTemplate addition
There was a copy-paste error in this code that would be adding the
connectorTemplate once that becomes available. In practice, this was not
reachable code, but anyway, this should be ready for potential addition
of connectorTemplate in the future.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:18:22 +02:00
Jouni Malinen
c7d293024b RSN: Stop 4-way handshake if scan results are not available
While there may have initially been cases where the RSNE from
Beacon/Probe Response frames was not available from some drivers, it is
now more valuable to notice if such a case were to be hit with drivers
that are always expected to have such information available. As such,
make it a fatal error if the scan results for the current AP are not
available to check the RSNE/RSNXE in EAPOL-Key msg 3/4.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:16:11 +02:00
Jouni Malinen
785f99b680 FT: Silence debug prints when FT is not actually used
Avoid printing confusing FT debug entries from wpa_sm_set_ft_params()
when FT is not actually used for the connection.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 17:43:27 +02:00
Jouni Malinen
33a28170a3 Recognize OWE Transition Mode element in IE parser
This silences the debug log entry on unknown WFA IE being ignored.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 17:27:32 +02:00
Jouni Malinen
fad0449438 Report RSNXE mismatch in EAPOL-Key msg 3/4 more consistently with RSNE
Use the same reason code to indicate that IE different in 4-way
handshake and also print a hexdump of RSNXE in both Beacon/ProbeResp and
EAPOL-Key msg 3/4 in the log.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 17:05:01 +02:00
Jouni Malinen
4d64fd37b7 Allow RSNE in EAPOL-Key msg 3/4 to be replaced for testing purposes
The new hostapd configuration parameter rsne_override_eapol can now be
used similarly to the previously added rsnxe_override_eapol to override
(replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used
for station protocol testing to verify sufficient checks for RSNE
modification between the Beacon/Probe Response frames and EAPOL-Key msg
3/4.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 16:45:52 +02:00
Jouni Malinen
9128b67269 Extend hostapd rsnxe_override_eapol to allow IE removal
Previous implementation was determining whether the override value was
set based on its length being larger than zero. Replace this with an
explicit indication of whether the parameter is set to allow zero length
replacement, i.e., remove of RSNXE from EAPOL-Key msg 3/4.

In addition, move IE replacement into a more generic helper function to
allow this to be used with other IEs as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 16:39:36 +02:00
Jouni Malinen
43ededa9c7 Do not override WDS VLAN assignment for STA
The 4-address frames WDS design in mac80211 uses VLAN interfaces
similarly to the way VLAN interfaces based on VLAN IDs are used. The EAP
authentication case ended up overriding the WDS specific assignment even
when the RADIUS server did not assign any specific VLAN for the STA.
This broke WDS traffic.

Fix this by skipping VLAN assignment to VLAN ID 0 for STAs that have
been detected to use 4-address frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 13:56:56 +02:00
Jouni Malinen
ca8a51c4bb webkit2: Fix http://localhost:12345/ redirect handling
The resource-load-started cannot be used to replace the older
resource-request-starting signal and as such, the final redirect to the
special http://localhost:12345/ URL did not work. Use the decide-policy
signal for navigation action instead.

Also remove the attempt to modify the request URI from
resource-load-started since that is not going to work either. This is
not really critical for functionality, but could eventually be replaced
with a handler for the WebKitWebPage send-request signal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-07 11:51:23 +02:00
Alexander Wetzel
be15f33d07 Replace WPA_ALG_PMK with KEY_FLAG_PMK
Drop the no longer needed internal alg WPA_ALG_PMK and use KEY_FLAG_PMK
as replacement.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-06 21:44:31 +02:00
Alexander Wetzel
11b1fcd6ca nl80211: Drop outdated TDLS set_key() hack
wpa_tdls_set_key() did set the key_id to -1 to avoid a useless
NL80211_CMD_SET_KEY call that the updated nl80211 driver no longer
carries out. Remove the no longer required workaround.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-06 21:44:31 +02:00
Pravas Kumar Panda
f64b601c47 DFS: Add support for 80+80 MHz when going through channel switch
After a radar signal is detected, the AP should switch to another
channel, but in the case of 80+80 MHz, channel switch failed because
hostapd did not select the secondary channel in the process. Fix this by
selecting a secondary channel in the case of 80+80 MHz.

Signed-off-by: Xin Wang <xwangw@codeaurora.org>
Signed-off-by: Pravas Kumar Panda <kumarpan@codeaurora.org>
2020-03-06 21:44:31 +02:00
Hu Wang
0a76a0b965 OWE: Fix PTK derivation workaround for interoperability
The initial implementation of the PTK derivation workaround for
interoperability with older OWE implementations forced
WPA_KEY_MGMT_PSK_SHA256 to be used for all of PTK derivation. While that
is needed for selecting which hash algorithm to use, this was also
changing the length of the PTK components and by doing so, did not
actually address the backwards compatibility issue.

Fix this by forcing SHA256 as the hash algorithm in PTK derivation
without changing the PTK length calculation for OWE when
owe_ptk_workaround is enabled.

Fixes: 65a44e849a ("OWE: PTK derivation workaround in AP mode")
Fixes: 8b138d2826 ("OWE: PTK derivation workaround in STA mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-06 21:44:31 +02:00
Alexander Wetzel
81621eab7c nl80211: Migrate from set_tx to key_flag API
Migrate nl80211 driver to key_flag API and add additional sanity checks.

I'm still not sure why we install unicast WEP keys also as default
unicast keys. Based on how I understand how mac80211 handles that it
should be pointless. I just stuck to how we do things prior to the patch
for WEP keys to not break anything. After all other drivers may need it.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:52:31 +02:00
Alexander Wetzel
9757f18db4 nl80211: Don't ignore when SET_KEY returns ENOENT
Always report an error when NL80211_CMD_SET_KEY can't set a key to
default.

The old ioctl-based design used a single command to add, set, and delete
a key and had to ignore ENOENT for key deletions. It looks like that
special handling was also ported for NL80211_CMD_NEW_KEY and
NL80211_CMD_SET_KEY instead only for NL80211_CMD_DEL_KEY.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:38:30 +02:00
Alexander Wetzel
98b8275d92 nl80211: Remove not needed netlink key attribute
Calling NL80211_CMD_NEW_KEY with NL80211_KEY_DEFAULT_TYPES attributes is
pointless. The information is not expected and therefore the kernel
never forwards it to the drivers. That attribute is used with
NL80211_CMD_SET_KEY.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:36:00 +02:00
Alexander Wetzel
8563f6f564 nl80211: Fix wrong return code in set_key error path
Allow to abort key installations with different error codes and fix one
misleading return code.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:28:50 +02:00
Alexander Wetzel
adf550ee4b nl80211: Ignore seq number for key deletion
Turns out we are sometime providing a seq when deleting the key. Since
that makes no sense on key deletion let's stop forwarding that to the
driver at least.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:27:48 +02:00
Alexander Wetzel
e9e69221c1 Validity checking function for key_flag API
Add masks for each key type to define which flags can be combined and
add a helper function to validate key_flag values.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:25:47 +02:00
Alexander Wetzel
5eb1632569 nl80211: Add a missing key_flag for WEP shared key authentication
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:24:55 +02:00
Alexander Wetzel
82eaa3e688 Remove the not yet needed KEY_FLAG_MODIFY
I decided to drop KEY_FLAG_MODIFY instead of allowing flag combinations not
yet used in the code and will simply recreate it with the Extended Key
ID patches once we get there. For that reason I also did not renumber
the flags.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:17:23 +02:00
Alexander Wetzel
982b9cf029 Fix a wrong key_flag when deleting 802.1X WEP keys
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:13:20 +02:00
Alexander Wetzel
d37c05e5b5 AP: Don't try to set NULL WEP default key
hostapd_broadcast_wep_set() can be called without a WEP key set.
Don't try to install a default key in that case.

This patch is not critical for the new API. With key_flag we just would
report an (ignored) error and do nothing. With the patch we simply do
nothing.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-05 00:03:56 +02:00
Alexander Wetzel
fa1a6aff22 Fix unicast argument for set_wep_key() from EAPOL supplicant
The unicast parameter in set_wep_key() is only expected to be set to 0
or 1. Without this patch we set unicast to 0x80 instead of 1. Since
unicast is used as boolean that is working fine but violates the
documented API.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-04 23:59:49 +02:00
Jouni Malinen
11dab0f37f WPS: Remove expired PINs on Selected Registrar timeout
This clears the AuthorizedMACs advertisement immediately when the
Selected Registrar timeout is hit and no more active PINs are present.
Previously, the AuthorizedMACs advertisement could remain in place
indefinitely since expired PINs were removed only when actually trying
to find a PIN for a new WPS exchange.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-04 23:26:02 +02:00
Jouni Malinen
8f89e57ab5 DFS: More debug prints on channel selection after radar detection
This makes it easier to understand what is happening when a new channel
needs to be selected based on a radar detection event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-03 18:58:08 +02:00
Seevalamuthu Mariappan
4b37d24285 hostapd: Fix to downgrade bandwidth in radar detection
Upon radar detection we used to search channels with the same bandwidth.
This way we might not find any other channels. If there are no channels
available with that bandwidth the AP service will be stopped. To avoid
this problem, also search a suitable channel by downgrading the
bandwidth. This scenario is applicable during CAC as well.

Signed-off-by: Seevalamuthu Mariappan <seevalam@codeaurora.org>
2020-03-03 18:37:16 +02:00
Seevalamuthu Mariappan
7242087d1c DFS: Do not process radar event while disabling an interface
In the normal case hostapd_disable_iface() and hostapd_enable_iface()
will be done while switching to another DFS channel upon radar
detection. In certain scenarios radar detected event can come while
hostapd_disable_iface() is in progress and iface->current_mode will be
NULL in that scenario. Previously, we did not check for this scenario
and proceeded with the radar detection logic which can trigger a
segmentation fault. To fix this, avoid proceeding the radar detection
event if iface->current_mode is NULL.

Signed-off-by: Seevalamuthu Mariappan <seevalam@codeaurora.org>
2020-03-03 17:10:31 +02:00
Sachin Shelke
21f835e640 SAE: Allow SAE-only network profile with sae_password to be written
The commit a34ca59e (SAE: Allow SAE password to be configured separately
(STA)) added sae_password configuration option. We should also consider
sae_password in the wpa_config_write() function which stores the valid
network block details to an external database.

Fixes: a34ca59e4d ("SAE: Allow SAE password to be configured separately (STA)")
Signed-off-by: Sachin Shelke <sachin.shelke@nxp.com>
Signed-off-by: Cathy Luo <xiaohua.luo@nxp.com>
Signed-off-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
2020-03-02 11:49:19 +02:00
Jouni Malinen
5bad300565 privsep: Mask out control port capability flag
There is no support for using the control port for sending out EAPOL
frames through privsep yet, so mask out this capability to fall back to
the l2_packet based design.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-01 21:31:07 +02:00
Alexander Wetzel
c1a6b1e47e privsep: Add key_flag to set_key()
Pass through the new key_flag to wpa_priv.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-01 21:11:07 +02:00
Ilan Peer
101da59aa2 common: Add support for element defragmentation
Add support for element defragmentation as defined in IEEE
P802.11-REVmd/D3.0, 10.28.12 (Element defragmentation).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:56:15 +02:00
Ilan Peer
e636bc855f WPA: Rename FILS wrapped data
IEEE P802.11az/D2.0 renamed the FILS Wrapped Data element,
removing the FILS prefix. Change the code accordingly.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:30:55 +02:00
Ilan Peer
94773d40fa crypto: Add a function to get the ECDH prime length
crypto_ecdh_prime_len() can now be used to fetch the length (in octets)
of the prime used in ECDH.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:26:26 +02:00
Ilan Peer
e8ae97aebe nl80211: Allow TX status for Authentication frames
To support PASN authentication flow, where Authentication frames are
sent by wpa_supplicant using the send_mlme() callback, modify the logic
to also send EVENT_TX_STATUS for Authentication frames.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:18:28 +02:00
Ilan Peer
c4988e73c0 driver: Extend send_mlme() with wait option
PASN authentication can be performed while a station interface is
connected to an AP. To allow sending PASN frames while connected, extend
the send_mlme() driver callback to also allow a wait option. Update the
relevant drivers and wpa_supplicant accordingly.

hostapd calls for send_mlme() are left unchanged, since the wait option
is not required there.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-02-29 23:03:20 +02:00
Andrei Otcheretianski
d046f2a9f9 nl80211: Register for SAE Authentication frames more strictly
If the driver requires external SAE authentication, it would result in
registration for all Authentication frames, so even non-SAE
Authentication frames might be forwarded to user space instead of being
handled internally. Fix this by using a more strict match pattern,
limiting the registration to the SAE authentication algorithm only.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2020-02-29 22:55:55 +02:00
Jouni Malinen
200c7693c9 Make WEP functionality an optional build parameter
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 17:45:25 +02:00
Jouni Malinen
bca44f4e4e WPS: Remove static-WEP-only workaround
WEP provisioning was removed from WPS v2, so this workaround
functionality has not been applicable. Remove it completely.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 16:56:44 +02:00
Neo Jou
b7f1d4f4d6 ACS: Allow hw_mode=any to be used with internal ACS algorithm
This was already supported in the offload ACS case and this commit
completes support for this with the internal ACS algorithm.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
d07f1ade90 ACS: Determine mode when using hw_mode=any
Set iface->current_mode and iface->conf->hw_mode when completing ACS
based on the selected channel in the hw_mode=any case.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
c60362e6e8 ACS: Extend acs_find_ideal_chan() to support multiple modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
141a8815e7 ACS: Extend acs_request_scan() to support multiple modes
Add suitable channel frequencies from all modes into the scan parameters
when a single mode is not specified for ACS. This is preparation for
being able to support hw_mode=any to select the best channel from any
supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
f3c44a196f ACS: Extend interference factor calculation for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
070522e5b2 ACS: Extend acs_find_chan() for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
4c1ffb45e4 ACS: Extend acs_surveys_are_sufficient() for all modes
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
3d09be41a8 ACS: Clear all modes in acs_cleanup()
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Neo Jou
499c37b729 ACS: Extend hostapd_get_mode_channel() to find from any mode
This is preparation for being able to support hw_mode=any to select the
best channel from any supported mode.

Signed-off-by: Neo Jou <neojou@gmail.com>
2020-02-29 11:23:03 +02:00
Jouni Malinen
a62d761856 ACS: Fix spelling of "interference"
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 11:23:03 +02:00
Jouni Malinen
167205d455 os_unix: Seed random() for os_random()
While the users of os_random() do not really need strong pseudo random
numebrs, there is no significant harm in seeding random() with data from
os_get_random(), i.e., /dev/urandom, to get different sequence of not so
strong pseudo random values from os_random() for each time the process
is started.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-28 22:59:32 +02:00
Jouni Malinen
74db49d74c SAE: Do not use PMKSA entry after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for
caching after the reauthentication threshold has been reached. This
allows the PMK to be updated without having to force a disassociation
when the PMK expires if the station roams between the reauthentication
threshold and expiration timeout.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
bb93ea234e SAE: Do not clone PMKSA entry for OKC after its reauth threshold
Since SAE PMK can be updated only by going through a new SAE
authentication instead of being able to update it during an association
like EAP authentication, do not allow PMKSA entries to be used for OKC
after the reauthentication threshold has been reached. This allows the
PMK to be updated without having to force a disassociation when the PMK
expires if the station roams between the reauthentication threshold and
expiration timeout.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:24 +02:00
Jouni Malinen
114d124186 SAE: Fix PMKID derivation for OKC
SAE authentication derives PMKID differently from the EAP cases. The
value comes from information exchanged during SAE authentication and
does not bind in the MAC addresses of the STAs. As such, the same PMKID
is used with different BSSIDs. Fix both the hostapd and wpa_supplicant
to use the previous PMKID as is for OKC instead of deriving a new PMKID
using an incorrect derivation method when using an SAE AKM.

This fixes use of opportunistic key caching with SAE.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-28 18:41:20 +02:00
Andrej Shadura
3f10f716af common: Provide the BIT() macro locally
wpa_ctrl.h can be installed separately with libwpa_client, so
utils/common.h won't be available to its users.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2020-02-28 11:03:05 +02:00
Krishna Rao
b8f6b0713a Add attribute for dwell time in QCA vendor scan
Add an attribute QCA_WLAN_VENDOR_ATTR_SCAN_DWELL_TIME for specifying
dwell time in the QCA vendor scan command. This is a common value which
applies across all frequencies requested in the scan.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-26 23:47:37 +02:00
Sunil Dutt
ec303e2cb1 Introduce QCA_WLAN_VENDOR_ATTR_CONFIG_ROAM_REASON
This attribute enables/disables the host driver to send roam reason
information in the Reassociation Request frame to the AP in the same
ESS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 20:17:00 +02:00
Sunil Dutt
34640a88d8 Fix enum qca_wlan_vendor_attr_config value prefix
Couple of the attributes were defined with inconsistent prefix in the
name (missing "CONFIG_"). Fix these to use the common prefix for all
enum qca_wlan_vendor_attr_config values. Add defined values for the
incorrect names to avoid issues with existing users.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 20:16:56 +02:00
Jouni Malinen
f1d3856090 nl80211: Beacon protection capability flag and default key type
Add a new capability flag based on the nl80211 feature advertisement and
start using the new default key type for Beacon protection. This enables
AP mode functionality to allow Beacon protection to be enabled. This is
also enabling the previously added ap_pmf_beacon_protection_* hwsim test
cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-24 12:20:38 +02:00
Jouni Malinen
2e34f6a53f Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-24.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-24 12:20:05 +02:00
Alexander Wetzel
8a1660b607 common: Add missing driver flag strings
Add SAFE_PTK0_REKEYS and some other missing strings.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:53:29 +02:00
Janusz Dziedzic
4b04223f24 hostapd: Replace UDP ctrl_iface global cookies with per-instance ones
The cookie values for UDP control interface commands was defined as a
static global array. This did not allow multi-BSS test cases to be
executed with UDP control interface. For example, after
    hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
    hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')

hapd1->ping() did not work.

Move those cookie values to per-instance location in struct
hapd_interfaces and struct hostapd_data to fix this.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:48:34 +02:00
Alexander Wetzel
1f90a49d02 STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.

To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 13:05:19 +02:00
Alexander Wetzel
1a7963e36f AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.

To allow affected users to mitigate the issues, add a new hostapd
configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys
with disconnection. This requires the station to reassociate to get
connected again and as such, can result in connectivity issues as well.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 12:22:49 +02:00
Alexander Wetzel
35da7c20ac nl80211: Add driver capability flag for CAN_REPLACE_PTK0
The CAN_REPLACE_PTK0 flag provided by nl80211 can be used to detect if
the card/driver is explicitly indicating capability to rekey STA PTK
keys using only keyid 0 correctly.

Check if the card/driver supports it and make the status available as a
driver flag.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 12:00:23 +02:00
Jouni Malinen
7b26238d46 Do not skip MBO PMF check with the WPS special case WPA check exception
The MBO PMF check for AP SME in the driver case was added into a
location that is skipped for WPS processing. That was not really the
correct place for this since the skip_wpa_check label was supposed to
remain immediately following the WPA checks. While this does not really
have much of a practical impact, move the check around so that the
skip_wpa_check label remains where it is supposed to be.

Fixes: 4c572281ed ("MBO: Mandate use of PMF for WPA2+MBO association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Ouden
fae7e64aa3 Save RM enabled capability of station with AP SME
Save RM enabled capability element of an associating station when
hostapd use the device AP SME similarly to how this information is saved
with SME-on-hostapd cases. This allows radio measurement operations
(e.g., REQ_BEACON) to be used.

Signed-off-by: Ouden <Ouden.Biz@gmail.com>
2020-02-22 19:20:44 +02:00
Jouni Malinen
1074d42416 Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
8fe7ec6640 Remove Secondary Channel Offset element from Beacon/Probe Response frames
This element is not used in Beacon or Probe Response frames (which is
the reason why the standard does not indicate where exactly it would be
in those frames..); HT Operation element has this information and so
does Extended CSA element.

In practice, this reverts the functionality added in commit 76aab0305c
("Add secondary channel IE for CSA").

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
7f1529d2a5 Fix HE element order in Beacon and Probe Response frames
Spatial Reuse Parameter Set element is before MU EDCA Parameter Set
element.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
f3bcd69603 Remove CONFIG_IEEE80211N build option
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
640d59942b Fix location of MDE and RSNXE in Beacon and Probe Response frames
Split the IEs from WPA authenticator state machine into separately added
IEs so that the exact location between these and other elements can be
controlled. This fixes the location of MDE and RSNXE in Beacon and Probe
Response frames. In addition, this swaps the order of BSS Load and RM
Enabled Capabilities elements in Beacon frames to get them into the
correct order (which was already used for Probe Response frames).
Furthermore, this fixes the buffer end checks for couple of elements to
make the implementation more consistent (though, in practice, there is
no impact from this since the old size limit was smaller than needed,
but still sufficiently large to have room for these).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
2d4c78aef7 Configure received BIGTK on station/supplicant side
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-18 00:18:47 +02:00
Jouni Malinen
ecbf59e693 wpa_supplicant configuration for Beacon protection
Add a new wpa_supplicant network profile configuration parameter
beacon_prot=<0/1> to allow Beacon protection to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-18 00:18:47 +02:00
Jouni Malinen
16889aff40 Add BIGTK KDE and subelement similarly to IGTK
This provides the BIGTK updates to associated stations similarly to
IGTK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
555dcd75ce Generate BIGTK and rekey it with IGTK
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
323d06187a Parsing of BIGTK KDE in EAPOL-Key frames
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
3937378abe Parsing of BIGTK subelement in FTE
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
d2e77310dc driver: Document use of set_key() for BIGTK
Also update the comment to match the current IGTK KeyID range.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
c1df321b6c AP mode indication of Beacon protection being enabled
Add the new Extended Capability bit for indicating Beacon protection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
92d407dbd6 hostapd configuration for Beacon protection
Add a new hostapd configuration parameter beacon_prot=<0/1> to allow
Beacon protection to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
cb86e8bac8 nl80211: Remove an extra closing parenthesis from a debug message
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
46cb046500 nl80211: Check nla_nest_start() result for NL80211_ATTR_HE_OBSS_PD
nla_nest_start() might fail, so need to check its return value similarly
to all the other callers.

Fixes: a84bf44388 ("HE: Send the AP's OBSS PD settings to the kernel")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 19:30:47 +02:00
John Crispin
0b0ee0f15e HE: Propagate BSS color settings to nl80211
Add the code required to send the BSS color settings to the kernel.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-17 19:28:39 +02:00
Jouni Malinen
dd74ddd0df nl80211: Handle AKM suite selectors for AP configuration
Previously only couple of AKM suite selectors were converted into
NL80211_ATTR_AKM_SUITES. Add rest of the AKM suites here. However, since
the current kernel interface has a very small limit
(NL80211_MAX_NR_AKM_SUITES = 2), add the attribute only when no more
than that limit entries are included. cfg80211 would reject the command
with any more entries listed.

This needs to be extended in cfg80211/nl80211 in a backwards compatible
manner, so this seems to be the best that can be done for now in user
space. Many drivers do not use this attribute, so must not reject the
configuration completely when larger number of AKM suites is configured.
Such cases may not work properly with drivers that depend on
NL80211_ATTR_AKM_SUITES value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 17:47:34 +02:00
Jouni Malinen
139f6deaff Remove duplicated wpa_akm_to_suite() entry
This was unreachable code due to the previous WPA_KEY_MGTM_OWE case
returning from the function.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 17:41:51 +02:00
Jouni Malinen
10655d1bc2 nl80211: Add NLA_F_NESTED to nla_nest_start() with older libnl versions
This is needed to work around a missing attribute that would cause
cfg80211 to reject some nl80211 commands (e.g.,
NL80211_ATTR_VENDOR_DATA) with new kernel versions that enforce netlink
attribute policy validation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 17:25:05 +02:00
Jouni Malinen
5db5290ab4 webkit: Clean up USE_WEBKIT2 blocks
Use a single block each for webkit and webkit2 signal handlers. This
cleans up browser.c to have clear sections for each webkit API version.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:21:06 +02:00
Jouni Malinen
26ad26c8cf webkit2: Split decide-policy into a separate function
This cleans up the #ifdef/#else/#endif mess in the function for webkit
vs. webkit2 API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:21:06 +02:00
Jouni Malinen
02ed737eee webkit2: Split resource-load-started handler into a separate function
This cleans up the #ifdef/#else/#endif mess in the function for webkit
vs. webkit2 API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:15:02 +02:00
Jouni Malinen
7de8bd508f webkit: Track gtk_main()/gtk_main_quit() calls
Avoid unnecessary warnings from webkit on calling gtk_main_quit() more
than once for a single gtk_main() call. This is also fixing an issue for
a corner case where the very first URL has special purpose (osu:// or
http://localhost:12345).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:15:02 +02:00
Jouni Malinen
de0a8906f2 webkit2: Remove TODO not for download-started
It does not look like this signal handler would be needed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:15:02 +02:00
Jouni Malinen
ae07bc46ce webkit2: Do not register notify::load-status handler
This did not seem to do anything with webkit2, so do not bother
registering the handler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:15:02 +02:00
Jouni Malinen
9ea9d18de7 webkit2: Replace notfy::progress with notify::estimated-load-progress
The older signal handler for notify::progress did not really work with
webkit2.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:15:02 +02:00
Jouni Malinen
c0c4685d50 webkit2: Implement notify::title handler
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:15:02 +02:00
Jouni Malinen
ffeafc0872 webkit2: Use mouse-target-changed to replace hovering-over-link
The previous implementation of hovering-over-link signal handler did not
really work with webkit2, so replace this with mouse-target-changed
handler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 19:14:59 +02:00
Jouni Malinen
61bf9819c1 hs20_web_browser() to allow TLS server validation to be enabled
hs20_web_browser() was previously hardcoded to not perform strict TLS
server validation. Add an argument to this function to allow that
behavior to be configured. The hs20-osu-client users are still using the
old behavior, i.e., not validating server certificates, to be usable for
testing purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 17:40:52 +02:00
Ben Greear
921ea4962e hs20-osu-client: Ignore TLS errors with webkit2
Hopefully this helps with self-signed certificates. This matches the
older behavior with webkit.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-02-16 17:40:52 +02:00
Ben Greear
b4b1b122e8 hs20-osu-client: Enable webkit2 support
This is my mostly-ignorant attempt to port hs20-osu-client to webkit2
API.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-02-16 17:40:52 +02:00
Jouni Malinen
466e48dcd7 HT: Remove SMPS in AP mode
SM Power Save was described in somewhat unclear manner in IEEE Std
802.11n-2009 as far the use of it locally in an AP to save power. That
was clarified in IEEE Std 802.11-2016 to allow only a non-AP STA to use
SMPS while the AP is required to support an associated STA doing so. The
AP itself cannot use SMPS locally and the HT Capability advertisement
for this is not appropriate.

Remove the parts of SMPS support that involve the AP using it locally.
In practice, this reverts the following commits:
04ee647d58 ("HT: Let the driver advertise its supported SMPS modes for AP mode")
8f461b50cf ("HT: Pass the smps_mode in AP parameters")
da1080d721 ("nl80211: Advertise and configure SMPS modes")

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 13:58:54 +02:00
Mikhail Karpenko
8de0ff0fa1 HE: Add TWT responder extended capabilities field
Set the proper bits inside the extended capabilities field to indicate
support for TWT responder.

Tested-by: John Crispin <john@phrozen.org>
Signed-off-by: Mikhail Karpenko <karpenko@fastmail.com>
2020-02-16 12:41:24 +02:00
John Crispin
ab8c55358e HE: Dynamically turn on TWT responder support
This allows us to dynamically turn on TWT responder support using an
nl80211 attribute.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-16 12:37:47 +02:00
John Crispin
0cb39f4fd5 HE: Extend BSS color support
The HE Operation field for BSS color consists of a disabled, a partial,
and 6 color bits. The original commit adding support for BSS color
considered this to be a u8. This commit changes this to the actual
bits/values.

This adds an explicit config parameter for the partial bit. The disabled
is set to 0 implicitly if a bss_color is defined.

Interoperability testing showed that stations will require a BSS color
to be set even if the feature is disabled. Hence the default color is 1
when none is defined inside the config file.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-16 12:32:17 +02:00
Jouni Malinen
458162a271 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-02-07.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 12:06:04 +02:00
Jouni Malinen
981b96caa9 WPS: Mark added PSK entry with wps=1 tag for per-Enrollee PSK case
Commit 2bab073dfe ("WPS: Add new PSK entries with wps=1 tag") added
this when writing the new entry into a file, but the in-memory update
did not get the tag. Add it there as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 11:54:36 +02:00
Jouni Malinen
2bab073dfe WPS: Add new PSK entries with wps=1 tag
Now that hostapd wpa_psk_file has a new tag for identifying PSKs that
can be used with WPS, add that tag to new entries for PSKs from WPS.
This makes it clearer where the PSK came from and in addition, this
allows the same PSK to be assigned if the same Enrollee goes through WPS
provisioning again.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-15 17:37:27 +02:00
Tomasz Jankowski
fde8e79463 WPS: Make it possible to use PSKs loaded from the PSK file
By default, when configuration file set wpa_psk_file, hostapd generated
a random PSK for each Enrollee provisioned using WPS and appended that
PSK to wpa_psk_file.

Changes that behavior by adding a new step. WPS will first try to use a
PSK from wpa_psk_file. It will only try PSKs with wps=1 tag.
Additionally it'll try to match enrollee's MAC address (if provided). If
it fails to find an appropriate PSK, it falls back to generating a new
PSK.

Signed-off-by: Tomasz Jankowski <tomasz.jankowski@plume.com>
2020-02-15 17:28:00 +02:00
Jouni Malinen
b1977a652d WPS: Use PMK_LEN instead of hardcoded 32
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-15 17:27:52 +02:00
Jouni Malinen
b27ed050db Do not split strings into multiple lines
Convert hostapd_config_read_wpa_psk() to the newer style of not
splitting strings into multiple lines.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-15 17:12:45 +02:00
Jouni Malinen
838180877f Use PMK_LEN macro instead of hardcoded value 64 (= 2 * 32)
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-15 17:11:18 +02:00
Jouni Malinen
f5da5810c9 Check pbkdf2_sha1() result when generating PSK from PSK file
This function can fail in theory, so check the return value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-15 17:10:08 +02:00
Sergey Matyukevich
e7d8842e6b OWE: Rename owe_assoc_req_process() parameter reason to status
In the function owe_assoc_req_process(), values assigned to the reason
argument imply that it should be renamed to status. Rename 'reason' to
'status' and modify the uses of owe_assoc_req_process() accordingly.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2020-02-15 16:46:32 +02:00
Sunil Dutt
877d9a02b0 Additional get_sta_info attrs for Beacon/Probe Response/disconnect reasons
This commit adds new attributes for getting the Probe Response frame
IEs, Beacon frame IEs and the disconnection reason codes through
get_sta_info vendor command.

The host driver shall give this driver specific reason code through
the disconnection reason code attribute
QCA_WLAN_VENDOR_ATTR_GET_STA_DRIVER_DISCONNECT_REASON.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-13 18:47:50 +02:00
Sachin Ahuja
8162d98f2e Introduce QCA_NL80211_VENDOR_SUBCMD_DRIVER_DISCONNECT_REASON
This acts as an event from the host driver to the user space to notify
the driver specific reason for a disconnection. The host driver
initiates the disconnection for various scenarios (beacon miss, Tx
Failures, gateway unreachability, etc.) and the reason codes from
cfg80211_disconnected() do not carry these driver specific reason codes.
Host drivers should trigger this event immediately prior to triggering
cfg80211_disconnected() to allow the user space to correlate the driver
specific reason code with the disconnect indication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-13 18:47:48 +02:00
Sunil Dutt
32551066b8 Introduce QCA_NL80211_VENDOR_SUBCMD_UPDATE_STA_INFO
This acts as a vendor event and is used to update the information
of a station from the driver to userspace.

Add an attribute for the driver to update the channels scanned in
the last connect/roam attempt.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-13 18:46:39 +02:00
Vamsi Krishna
dae85e655c P2P: Increase number of channels per operating class
Some of the operating classes added in the 6 GHz band have a larger
number of channels included in them (e.g., operating class 131 has 59
channels). Increase the maximum number of channels per operating class
so that all channels will get populated.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-12 23:17:24 +02:00
Sunil Dutt
5551317834 Introduce QCA_WLAN_VENDOR_ATTR_BEACON_REPORT_FAIL
This attribute aims to configure the STA to send the Beacon Report
Response with failure reason for the scenarios where the Beacon Report
Request cannot be handled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-12 21:19:37 +02:00
Jouni Malinen
de08fae66a DPP: Do not require dpp_configurator_params to start with a space
This ugly hack for being able to search for optional arguments with
space before them was quite inconvenient and unexpected. Clean this up
by handling this mess internally with a memory allocation and string
duplication if needed so that the users of wpa_supplicant control
interface do not need to care about such details.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-11 06:43:02 +02:00
Vamsi Krishna
490d90db40 Define macro BIT() in qca_vendor.h
As qca_vendor.h alone can be included by other applications, define
macro BIT() in qca_vendor.h itself if not yet defined, e.g., by
including utils/common.h before qca_vendor.h.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-11 04:59:38 +02:00
Jouni Malinen
9a0edf1700 wlantest: Add PTK derivation support with SAE, OWE, DPP
wlantest build did not define build options to determine key management
values for SAE, OWE, and DPP. Add those and the needed SHA512 functions
to be able to decrypt sniffer captures with PMK available from an
external source.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-10 21:58:10 +02:00
Markus Theil
96a2a9a88b Send RM Enabled Capabilities element in (Re)Association Response frame
(Re)Association Response frames should include radio measurement
capabilities in order to let stations know if they can, e.g., use
neighbor requests.

I tested this commit with a Samsung S8, which does not send neighbor
requests without this commit and sends them afterwards.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-02-10 06:51:42 +02:00
Matthew Wang
23dc196fde Check for FT support when selecting FT suites
A driver supports FT if it either supports SME or the
NL80211_CMD_UPDATE_FT_IES command. When selecting AKM suites,
wpa_supplicant currently doesn't take into account whether or not either
of those conditions are met. This can cause association failures, e.g.,
when an AP supports both WPA-EAP and FT-EAP but the driver doesn't
support FT (wpa_supplicant will decide to do FT-EAP since it is unaware
the driver doesn't support it). This change allows an FT suite to be
selected only when the driver also supports FT.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
2020-02-10 06:43:38 +02:00
Dmitry Shmidt
85f3ab758e Replace deprecated readdir_r() with readdir()
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2020-02-10 06:40:50 +02:00
Jouni Malinen
641d79f165 SAE: Special test mode sae_pwe=3 for looping with password identifier
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-10 05:13:13 +02:00
Jouni Malinen
c248ebaf4f DPP: Fix encryptedContent DER encoding
This was not supposed to set the constructed bit in the header. Fix this
to avoid parsing issues with other ASN.1 DER parsers.

Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-08 07:19:53 +02:00
Jouni Malinen
e2b1e7dce7 DPP: Require conf=configurator to allow Configurator provisioning
Make Configurator provisioning require explicit conf parameter enabling
similarly to the previously used conf=ap-* and conf=sta-* cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-08 07:19:53 +02:00
Jouni Malinen
1ba4a10a07 DPP: Initialize conf_resp_status to non-OK
This avoids unexpected behavior if GAS query fails and the Config
Response does not get processed at all. Previously, this could result in
configuration being assumed to be successful instead of failure when
Config Response object was not received at all. That could result in
undesired Config Result frame transmission with DPP Rel 2 and not
clearing the ongoing DPP session.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-08 07:19:53 +02:00
Jouni Malinen
18714af2d8 DPP: Ignore unexpected duplicated Authentication Confirm
Previously, unexpected Authentication Confirm messages were ignored in
cases where no Authentication Confirm message was expected at all, but
if this message was received twice in a state where it was expected, the
duplicated version was also processed. This resulted in unexpected
behavior when authentication result was processed multiple times (e.g.,
two instances of GAS client could have been started).

Fix this by checking auth->waiting_auth_conf before processing
Authetication Confirm. That boolean was already tracked, but it was used
only for other purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-08 07:19:53 +02:00
Jouni Malinen
8f8473cebb SAE: Fix peer-commit-scalar reuse check
Only one peer-commit-scalar value was stored for a specific STA (i.e.,
one per MAC address) and that value got replaced when the next SAE
Authentication exchange was started. This ended up breaking the check
against re-use of peer-commit-scalar from an Accepted instance when
anti-clogging token was requested. The first SAE commit message (the one
without anti-clogging token) ended up overwriting the cached
peer-commit-scalar value while leaving that instance in Accepted state.
The second SAE commit message (with anti-clogging token) added ended up
getting rejected if it used the same value again (and re-use is expected
in this particular case where the value was not used in Accepted
instance).

Fix this by using a separate pointer for storing the peer-commit-scalar
value that was used in an Accepted instance. There is no need to
allocate memory for two values, i.e., it is sufficient to maintain
separate pointers to the value and move the stored value to the special
Accepted state pointer when moving to the Accepted state.

This fixes issues where a peer STA ends up running back-to-back SAE
authentication within couple of seconds, i.e., without hostapd timing
out the STA entry for a case where anti-clogging token is required.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-08 07:19:53 +02:00
Qiwei Cai
c4bab72d96 Use secondary channel provided by ACS for HT40 if valid
Previously, hostapd ignored the secondary channel provided by ACS if
both HT40+ and HT40- are set in hostapd.conf. This change selects such
channel for HT40 if it's valid, which is more reasonable.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-03 02:03:32 +02:00
Ben Greear
16b789eefc Fix wmm compile on fedora-17 (gcc 4.7.2)
I guess this compiler does not like to initialize arrays with brackets?

Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-02-03 02:03:32 +02:00
Felix Fietkau
d240c74b6a nl80211: Fix regulatory limits for WMM cwmin/cwmax values
The internal WMM AC parameters use just the exponent of the CW value,
while nl80211 reports the full CW value. This led to completely bogus
CWmin/CWmax values in the WMM IE when a regulatory limit was present.
Fix this by converting the value to the exponent before passing it on.

Fixes: 636c02c6e9 ("nl80211: Add regulatory wmm_limit to hostapd_channel_data")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-02-03 02:03:32 +02:00
Felix Fietkau
bc1289b076 nl80211: Fix WMM queue mapping for regulatory limit
nl80211 uses a different queue mapping from hostap, so AC indexes need
to be converted.

Fixes: 636c02c6e9 ("nl80211: Add regulatory wmm_limit to hostapd_channel_data")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-02-03 02:03:32 +02:00
Roy Marples
b2b7f8dcfa BSD: Fix the maximum size of a route(4) msg to 2048
The size of a single route(4) message cannot be derived from
either the size of the AF_INET or AF_INET6 routing tables.
Both could be empty or very large.

As such revert back to a buffer size of 2048 which mirrors
other programs which parse the routing socket.

Signed-off-by: Roy Marples <roy@marples.name>
2020-02-02 21:47:03 +02:00
Roy Marples
25c247684f BSD: Remove an outdated comment
With interface matching support, wpa_supplicant can wait for an
interface to appear.

Signed-off-by: Roy Marples <roy@marples.name>
2020-02-02 21:46:57 +02:00
Roy Marples
d807e289db BSD: Don't set or remove IFF_UP
Now that both hostapd and wpa_supplicant react to interface flag
changes, there is no need to set or remove IFF_UP.

It should be an administrative flag only.

Signed-off-by: Roy Marples <roy@marples.name>
2020-02-02 21:46:53 +02:00
Roy Marples
4692e87b25 BSD: Share route(4) processing with hostapd and wpa_supplicant.
There is little point in having both and it brings interface
addition/removal and IFF_UP notifications to hostapd.

Signed-off-by: Roy Marples <roy@marples.name>
2020-02-02 21:44:23 +02:00
Roy Marples
d20b34b439 BSD: Driver does not need to know about both wpa and hostap contexts
It will either be one or the other.
Fold hapd into ctx to match other drivers.

Signed-off-by: Roy Marples <roy@marples.name>
2020-02-02 21:44:23 +02:00
Ouden
aad414e956 nl80211: Fix send_mlme for SAE external auth
When external authentication is used, the station send mlme frame (auth)
to the driver may not be able to get the frequency (bss->freq) after
hostap.git commit b6f8b5a9 ("nl80211: Update freq only when CSA
completes"). Use the assoc_freq to send the MLME frame when SAE external
authentication is used to avoid this issue.

Signed-off-by: Ouden <Ouden.Biz@gmail.com>
2020-02-02 21:38:51 +02:00
Sunil Dutt
1a9d270d41 Additional stats through QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO
This commit introduces additional stats to query through
QCA_NL80211_VENDOR_SUBCMD_UPDATE_STA_INFO.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:46:01 +02:00
Jouni Malinen
c025c2eb59 DPP: DPPEnvelopedData generation for Configurator backup
This adds support for generating an encrypted backup of the local
Configurator information for the purpose of enrolling a new
Configurator. This includes all ASN.1 construction and data encryption,
but the configuration and connector template values in
dpp_build_conf_params() are not yet complete.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:32:34 +02:00
Jouni Malinen
7d9e320054 DPP: Received Configurator backup processing
Add local Configurator instance for each received Configurator backup.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:16:05 +02:00
Jouni Malinen
ea91ddb08a DPP: DPPEnvelopedData parsing for Configurator backup/restore
Process the received DPPEnvelopedData when going through Configurator
provisioning as the Enrollee (the new Configurator). This parses the
message, derives the needed keys, and decrypts the Configurator
parameters. This commit stores the received information in
auth->conf_key_pkg, but the actually use of that information to create a
new Configurator instance will be handled in a separate commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:16:05 +02:00
Jouni Malinen
31b5950d0b ASN.1: Helper functions for building DER encoded data
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:16:05 +02:00
Jouni Malinen
ce1f477397 ASN.1: More OID definitions
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:16:05 +02:00
Jouni Malinen
8006742fa3 ASN.1: Add a helper for parsing AlgorithmIdentifier
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-30 15:23:32 +02:00
Jouni Malinen
f7f2843c45 ASN.1: Add a helper for parsing SEQUENCE
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-30 12:12:26 +02:00
Jouni Malinen
3393d94d02 ASN.1: Add a helper for parsing INTEGER
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-30 12:00:21 +02:00
Jouni Malinen
5e98998ec1 DPP2: Add Protocol Version attr to Auth Resp only if peer is R2 or newer
There is no need for the Protocol Version attribute in Authentication
Response if the peer is a DPP R1 device since such device would not know
how to use this attribute. To reduce risk for interoperability issues,
add this new attribute only if the peer included it in Authentication
Request.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-29 01:00:23 +02:00
Krishna Rao
505797b458 Add a vendor attribute for RTPL instance primary frequency
Add an attribute QCA_WLAN_VENDOR_ATTR_RTPLINST_PRIMARY_FREQUENCY for
primary channel center frequency in the definition for Representative
Tx Power List (RTPL) list entry instance. This is required for 6 GHz
support, since the 6 GHz channel numbers overlap with existing 2.4 GHz
and 5 GHz channel numbers thus requiring frequency values to uniquely
identify channels.

Mark QCA_WLAN_VENDOR_ATTR_RTPLINST_PRIMARY as deprecated if both the
driver and user space application support 6 GHz. For backward
compatibility, QCA_WLAN_VENDOR_ATTR_RTPLINST_PRIMARY is still used if
either the driver or user space application or both do not support the
6 GHz band.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-28 20:48:07 +02:00
Jouni Malinen
76162b1828 TLS: Fix bounds checking in certificate policy parser
The recent addition of the X.509v3 certificatePolicies parser had a
copy-paste issue on the inner SEQUENCE parser that ended up using
incorrect length for the remaining buffer. Fix that to calculate the
remaining length properly to avoid reading beyond the end of the buffer
in case of corrupted input data.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20363
Fixes: d165b32f38 ("TLS: TOD-STRICT and TOD-TOFU certificate policies")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-28 14:21:03 +02:00
Jouni Malinen
566972fd6f DPP: Show selected negotiation channel in DPP_BOOTSTRAP_INFO
Make the selected channel available for upper layer software to use,
e.g., when starting DPP listen operation during NFC negotiated
connection handover.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-27 20:36:09 +02:00
Jouni Malinen
5e287724ee DPP: NFC negotiated connection handover
Add new control interface commands "DPP_NFC_HANDOVER_REQ own=<id>
uri=<URI>" and "DPP_NFC_HANDOVER_SEL own=<id> uri=<URI>" to support NFC
negotiated connection handover. These commands are used to report a DPP
URI received from a peer NFC Device in Handover Request and Handover
Select messages. The commands return peer bootstrapping information ID
or FAIL on failure. The returned ID is used similarly to any other
bootstrapping information to initiate DPP authentication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-27 20:36:09 +02:00
Jouni Malinen
2bbe6ad3aa DPP: Helper function for bootstrapping URI generation
The new dpp_gen_uri() helper function can be used to build the
bootstrapping URI from locally stored information. This can be used to
make it easier to update the URI, e.g., for NFC negotiated connection
handover cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-27 20:36:09 +02:00
Jouni Malinen
12da39b389 crypto: Allow up to 10 fragments for hmac_sha*_vector()
This increases the limit of how many data fragments can be supported
with the internal HMAC implementation. The previous limit was hit with
some FT use cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-26 17:04:54 +02:00
Jouni Malinen
d165b32f38 TLS: TOD-STRICT and TOD-TOFU certificate policies
Add parsing of certificate policies for TOD-STRICT and TOD-TOFU when
using CONFIG_TLS=internal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-26 16:44:49 +02:00
Jouni Malinen
cd66b8295c TLS: Fix a typo in a debug message
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-26 12:50:44 +02:00
Ashish Kumar Dhanotiya
a629409047 Add vendor interface QCA_NL80211_VENDOR_SUBCMD_REQUEST_SAR_LIMITS_EVENT
This commit introduces the vendor event
QCA_NL80211_VENDOR_SUBCMD_REQUEST_SAR_LIMITS_EVENT.
Host drivers can request user space application to set SAR power
limits with this event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-24 20:48:14 +02:00
Vamsi Krishna
0ecf735631 Add new QCA vendor attribute to set thermal level
Add a new QCA vendor attribute to set thermal level to the driver from
userspace. The driver/firmware takes actions requested by userspace to
mitigate high temperature such as throttling TX etc. The driver may
choose the level of throttling and other actions for various thermal
levels set by userspace.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-24 20:45:35 +02:00
Jouni Malinen
8b138d2826 OWE: PTK derivation workaround in STA mode
Initial OWE implementation used SHA256 when deriving the PTK for all OWE
groups. This was supposed to change to SHA384 for group 20 and SHA512
for group 21. The new owe_ptk_workaround=1 network parameter can be used
to enable older behavior mainly for testing purposes. There is no impact
to group 19 behavior, but if enabled, this will make group 20 and 21
cases use SHA256-based PTK derivation which will not work with the
updated OWE implementation on the AP side.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-24 00:47:41 +02:00
Jouni Malinen
65a44e849a OWE: PTK derivation workaround in AP mode
Initial OWE implementation used SHA256 when deriving the PTK for all OWE
groups. This was supposed to change to SHA384 for group 20 and SHA512
for group 21. The new owe_ptk_workaround parameter can be used to enable
workaround for interoperability with stations that use SHA256 with
groups 20 and 21. By default, only the appropriate hash function is
accepted. When workaround is enabled (owe_ptk_workaround=1), the
appropriate hash function is tried first and if that fails, SHA256-based
PTK derivation is attempted. This workaround can result in reduced
security for groups 20 and 21, but is required for interoperability with
older implementations. There is no impact to group 19 behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-24 00:47:41 +02:00
Jouni Malinen
bd50805e40 OWE: Select KDF hash algorithm based on the length of the prime
Previous implementation was hardcoding use of SHA256 PMK-to-PTK
derivation for all groups. Replace that with hash algorithm selection
based on the length of the prime similarly to the way this was done for
other derivation steps in OWE.

This breaks backwards compatibility when using group 20 or 21; group 19
behavior remains same.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-24 00:47:16 +02:00
Jouni Malinen
0d445cd394 Fix a typo in a comment
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-24 00:08:10 +02:00
Vamsi Krishna
1011c79900 Do not enable HT/VHT for 6 GHz band 20 MHz width channels also
The previous commit had a rebasing issue that ended up covering only the
center_segment0 != 0 case. These were supposed to apply for all 6 GHz
band cases.

Fixes: 0bfc04b8d0 ("Do not enable HT/VHT when operating in 6 GHz band")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 16:10:41 +02:00
Jouni Malinen
5e32fb0170 SAE: Use Anti-Clogging Token Container element with H2E
IEEE P802.11-REVmd was modified to use a container IE for anti-clogging
token whenver H2E is used so that parsing of the SAE Authentication
frames can be simplified.

See this document for more details of the approved changes:
https://mentor.ieee.org/802.11/dcn/19/11-19-2154-02-000m-sae-anti-clogging-token.docx

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-21 13:13:56 +02:00
Jouni Malinen
e36a5894d0 SAE: Use H2E whenever Password Identifier is used
IEEE P802.11-REVmd was modified to require H2E to be used whenever
Password Identifier is used with SAE.

See this document for more details of the approved changes:
https://mentor.ieee.org/802.11/dcn/19/11-19-2154-02-000m-sae-anti-clogging-token.docx

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-21 13:13:56 +02:00
Jouni Malinen
c56b7a2fdf SAE: Mark sae_derive_pt_ecc() static
This function is not used outside sae.c.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-21 00:35:16 +02:00
Johannes Berg
4ee5a50358 trace: Handle binutils bfd.h breakage
Some things in bfd.h that we use were renamed, and in the case of
bfd_get_section_vma() a parameter was dropped. Work around this.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-01-20 21:17:21 +02:00
Hai Shalom
d20365db17 EAP-SIM/AKA peer: Add support for EAP Method prefix
Add support for EAP method prefix in the anonymous identity
used during EAP-SIM/AKA/AKA' authentication when encrypted IMSI
is used. The prefix is a single character that indicates which
EAP method is required by the client.

Signed-off-by: Hai Shalom <haishalom@google.com>
2020-01-10 19:16:13 +02:00
Vamsi Krishna
4bf78a79d0 ACS: Populate channel config from external ACS per documented behavior
Based on the now documented seg0/seg1 values from offloaded ACS, there
is a mismatch between the driver interface and internal hostapd use.

The value of segment0 field in ACS results is the index of the channel
center frequency for 20 MHz, 40 MHz, and 80M Hz channels. The value is
the center frequency index of the primary 80 MHz segment for 160 MHz and
80+80 MHz channels.

The value of segment1 field in ACS results is zero for 20 MHz, 40 MHz,
and 80 MHz channels. The value is the index of the channel center
frequency for 160 MHz channels and the center frequency index of the
secondary 80 MHz segment for 80+80 MHz channels.

However, in struct hostapd_config, for 160 MHz channels, the value of
the segment0 field is the index of the channel center frequency of 160
MHz channel and the value of the segment1 field is zero. Map the values
from ACS event into hostapd_config fields accordingly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-09 20:22:12 +02:00
Vamsi Krishna
fe1552d93c ACS: Update documentation of external ACS results event parameters
Update the documentation with values to be sent for seg0 and seg1 fields
in external ACS result event for 20 MHz, 40 MHz, 80 MHz, 160 MHz, and
80+80 MHz channels. These values match the changes done to definitions
of seg0 and seg1 fields in the IEEE 802.11 standard.

This vendor command had not previously been documented in this level of
detail and had not actually been used for the only case that could have
two different interpretation (160 MHz) based on which version of IEEE
802.11 standard is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-09 20:12:14 +02:00
Vamsi Krishna
881177201a 6 GHz: Fix Channel Width value for 80+80 in 6 GHZ Operation Info field
The Channel Width field value is 0 for 20 MHz, 1 for 40 MHz, 2 for 80
MHz, and 3 for both 160 MHz and 80+80 MHz channels. The 80+80 MHz case
was not addressed previously correctly since it cannot be derived from
seg0 only.

The Channel Center Frequency Segment 0 field value is the index of
channel center frequency for 20 MHz, 40 MHz, and 80 MHz channels. The
value is the center frequency index of the primary 80 MHz segment for
160 MHz and 80+80 MHz channels.

The Channel Center Frequency Segment 1 field value is zero for 20 MHz,
40 MHz, and 80 MHz channels. The value is the index of the channel
center frequency for 160 MHz channel and the center frequency index of
the secondary 80 MHz segment for 80+80 MHz channels.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-09 17:43:28 +02:00
Jouni Malinen
b4fe37c4fa Silence compiler warning in no-NEED_AP_MLME builds
Make the dummy hostapd_hw_mode_txt() wrapper return "UNKNOWN" instead of
NULL to avoid a warning from a debug printf using %s with NULL.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-09 12:44:08 +02:00
Alexander Wetzel
a919a26035 Introduce and add key_flag
Add the new set_key() parameter "key_flag" to provide more specific
description of what type of a key is being configured. This is needed to
be able to add support for "Extended Key ID for Individually Addressed
Frames" from IEEE Std 802.11-2016. In addition, this may be used to
replace the set_tx boolean eventually once all the driver wrappers have
moved to using the new key_flag.

The following flag are defined:

  KEY_FLAG_MODIFY
    Set when an already installed key must be updated.
    So far the only use-case is changing RX/TX status of installed
    keys. Must not be set when deleting a key.

  KEY_FLAG_DEFAULT
    Set when the key is also a default key. Must not be set when
    deleting a key. (This is the replacement for set_tx.)

  KEY_FLAG_RX
    The key is valid for RX. Must not be set when deleting a key.

  KEY_FLAG_TX
    The key is valid for TX. Must not be set when deleting a key.

  KEY_FLAG_GROUP
    The key is a broadcast or group key.

  KEY_FLAG_PAIRWISE
    The key is a pairwise key.

  KEY_FLAG_PMK
    The key is a Pairwise Master Key (PMK).

Predefined and needed flag combinations so far are:

  KEY_FLAG_GROUP_RX_TX
    WEP key not used as default key (yet).

  KEY_FLAG_GROUP_RX_TX_DEFAULT
    Default WEP or WPA-NONE key.

  KEY_FLAG_GROUP_RX
    GTK key valid for RX only.

  KEY_FLAG_GROUP_TX_DEFAULT
    GTK key valid for TX only, immediately taking over TX.

  KEY_FLAG_PAIRWISE_RX_TX
    Pairwise key immediately becoming the active pairwise key.

  KEY_FLAG_PAIRWISE_RX
    Pairwise key not yet valid for TX. (Only usable with Extended Key ID
    support.)

  KEY_FLAG_PAIRWISE_RX_TX_MODIFY
    Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX.

  KEY_FLAG_RX_TX
    Not a valid standalone key type and can only used in combination
    with other flags to mark a key for RX/TX.

This commit is not changing any functionality. It just adds the new
key_flag to all hostapd/wpa_supplicant set_key() functions without using
it, yet.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-09 12:38:36 +02:00
Jouni Malinen
3df4c05aec nl80211: Pass set_key() parameter struct to wpa_driver_nl80211_set_key()
This is the function that actually uses the parameters, so pass the full
parameter struct to it instead of hiding the struct from it in the
simple wrapper.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-09 00:48:57 +02:00
Gurumoorthi Gnanasambandhan
99d8c4dca3 hostapd: Support VLAN offload to the driver
If the driver supports VLAN offload mechanism with a single netdev, use
that instead of separate per-VLAN netdevs.

Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
2020-01-09 00:48:57 +02:00
Gurumoorthi Gnanasambandhan
0f903f37dc nl80211: VLAN offload support
Add indication for driver VLAN offload capability and configuration of
the VLAN ID to the driver.

Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
2020-01-09 00:48:57 +02:00
Gurumoorthi Gnanasambandhan
4d3ae54fbd Add vlan_id to driver set_key() operation
This is in preparation for adding support to use a single WLAN netdev
with VLAN operations offloaded to the driver. No functional changes are
included in this commit.

Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
2020-01-09 00:48:57 +02:00
Jouni Malinen
f822546451 driver: Move set_key() parameters into a struct
This makes it more convenient to add, remove, and modify the parameters
without always having to update every single driver_*.c implementation
of this callback function.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-09 00:48:57 +02:00
Jouni Malinen
3912cbd88d SAE: A bit optimized sae_confirm_immediate=2 for testing purposes
sae_confirm_immediate=2 can now be used in CONFIG_TESTING_OPTIONS=y
builds to minimize the latency between SAE Commit and SAE Confirm by
postponing transmission of SAE Commit until the SAE Confirm frame is
generated. This does not have significant impact, but can get the frames
tiny bit closer to each other over the air to increase testing coverage.
The only difference between sae_confirm_immediate 1 and 2 is in the
former deriving KCK, PMK, PMKID, and CN between transmission of the
frames (i.e., a small number of hash operations).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-08 20:57:08 +02:00
Vamsi Krishna
aa663baf45 Fix QCA_WLAN_VENDOR_ATTR_ACS_VHT_SEG1_CENTER_CHANNEL NULL check
Correct the check for presence of
QCA_WLAN_VENDOR_ATTR_ACS_VHT_SEG1_CENTER_CHANNEL attribute before using it
while processing acs_result event.

Fixes: 857d94225a ("Extend offloaded ACS QCA vendor command to support VHT")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-08 16:14:24 +02:00
Markus Theil
f7b2fe99ea tests: Fix undefined behavior in module tests
Test: wpa_supplicant module tests
../src/utils/utils_module_tests.c:933:7: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-08 14:56:55 +02:00
Jouni Malinen
297d69161b OpenSSL: Fix memory leak in TOD policy validation
Returned policies from X509_get_ext_d2i() need to be freed.

Fixes: 21f1a1e66c ("Report TOD policy")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-07 20:40:12 +02:00
Jouni Malinen
c52129bed8 nl80211: Allow control port to be disabled with a driver param
This is mainly for testing purposes to allow wpa_supplicant and hostapd
functionality to be tested both with and without using the nl80211
control port which is by default used whenever supported by the driver.
control_port=0 driver parameter will prevent that from happening.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-05 21:31:33 +02:00
Markus Theil
781c5a0624 nl80211: Use control port TX for AP mode
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-05 21:31:33 +02:00
Markus Theil
d8252a9812 nl80211: Report control port RX events
This allows EAPOL frames to be received over the separate controlled
port once rest of the driver interface is ready for this. By itself,
this commit does not actually change behavior since cfg80211 will not be
delivering these events without them being explicitly requested.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-05 21:30:41 +02:00
Markus Theil
a79ed06871 Add no_encrypt flag for control port TX
In order to correctly encrypt rekeying frames, wpa_supplicant now checks
if a PTK is currently installed and sets the corresponding encrypt
option for tx_control_port().

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-05 20:34:50 +02:00
Brendan Jackman
8759e9116a nl80211: Control port over nl80211 helpers
Linux kernel v4.17 added the ability to request sending controlled port
frames (e.g., IEEE 802.1X controlled port EAPOL frames) via nl80211
instead of a normal network socket. Doing this provides the device
driver with ordering information between the control port frames and the
installation of keys. This empowers it to avoid race conditions between,
for example, PTK replacement and the sending of frame 4 of the 4-way
rekeying handshake in an RSNA. The key difference between the specific
control port and normal socket send is that the device driver will
certainly get any EAPOL frames comprising a 4-way handshake before it
gets the key installation call for the derived key. By flushing its TX
buffers it can then ensure that no pending EAPOL frames are
inadvertently encrypted with a key that the peer will not yet have
installed.

Add a CONTROL_PORT flag to the hostap driver API to report driver
capability for using a separate control port for EAPOL frames. This
operation is exactly like an Ethernet send except for the extra ordering
information it provides for device drivers. The nl80211 driver is
updated to support this operation when the device reports support for
NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211. Also add a driver op
tx_control_port() for request a frame to be sent over the controlled
port.

Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
2020-01-05 19:43:52 +02:00
Jouni Malinen
ccaabeaa03 driver: Remove unused send_ether() driver op
This was used only for FT RRB sending with driver_test.c and
driver_test.c was removed more than five years ago, so there is no point
in continuing to maintain this driver op.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-05 18:32:10 +02:00
Bilal Hatipoglu
3d41dd7c50 WPS: Add application extension data to WPS IE
Application Extension attribute is defined in WSC tech spec v2.07 page
104. Allow hostapd to be configured to add this extension into WPS IE in
Beacon and Probe Response frames. The implementation is very similar to
vendor extension.

A new optional entry called "wps_application_ext" is added to hostapd
config file to configure this. It enodes the payload of the Application
Extension attribute in hexdump format.

Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
2020-01-04 23:39:30 +02:00
Jouni Malinen
9bedf90047 nl80211: Use monitor interface for sending no-encrypt test frames
Since NL80211_CMD_FRAME does not allow encryption to be disabled for the
frame, add a monitor interface temporarily for cases where this type of
no-encrypt frames are to be sent. The temporary monitor interface is
removed immediately after sending the frame.

This is testing functionality (only in CONFIG_TESTING_OPTIONS=y builds)
that is used for PMF testing where the AP can use this to inject an
unprotected Robust Management frame (mainly, Deauthentication or
Disassociation frame) even in cases where PMF has been negotiated for
the association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 20:23:05 +02:00
Jouni Malinen
8d84c75f7c Allow testing override for GTK/IGTK RSC from AP to STA
The new hostapd gtk_rsc_override and igtk_rsc_override configuration
parameters can be used to set an override value for the RSC that the AP
advertises for STAs for GTK/IGTK. The contents of those parameters is a
hexdump of the RSC in little endian byte order.

This functionality is available only in CONFIG_TESTING_OPTIONS=y builds.
This can be used to verify that stations implement initial RSC
configuration correctly for GTK/ and IGTK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 13:05:26 +02:00
Ben Greear
ff77431180 nl80211: Don't set offchan-OK flag if doing on-channel frame in AP mode
I saw a case where the kernel's cfg80211 rejected hostapd's attempt to
send a neighbor report response because nl80211 flagged the frame as
offchannel-OK, but kernel rejects because channel was 100 (DFS) and so
kernel failed thinking it was constrained by DFS/CAC requirements that
do not allow the operating channel to be left (at least in FCC).

Don't set the packet as off-channel OK if we are transmitting on the
current operating channel of an AP to avoid such issues with
transmission of Action frames.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-01-03 16:00:02 +02:00
Jouni Malinen
d5798e43f5 nl80211: Use current command for NL80211_CMD_REGISTER_ACTION
This was renamed to NL80211_CMD_REGISTER_FRAME long time ago.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:26:31 +02:00
Jouni Malinen
81ae8820a6 nl80211: Rename send_action_cookie to send_frame_cookie
This is to match the NL80211_CMD_ACTION renaming to NL80211_CMD_FRAME
that happened long time ago. This command can be used with any IEEE
802.11 frame and it should not be implied to be limited to Action
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:23:49 +02:00
Jouni Malinen
5ad372cc3f nl80211: Clean up nl80211_send_frame_cmd() callers
Replace a separate cookie_out pointer argument with save_cookie boolean
since drv->send_action_cookie is the only longer term storage place for
the cookies. Merge all nl80211_send_frame_cmd() callers within
wpa_driver_nl80211_send_mlme() to use a single shared call to simplify
the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:18:46 +02:00
Jouni Malinen
0dae4354f7 nl80211: Get rid of separate wpa_driver_nl80211_send_frame()
Merge this function into wpa_driver_nl80211_send_mlme() that is now the
only caller for the previously shared helper function. This is a step
towards cleaning up the overly complex code path for sending Management
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:00:15 +02:00
Jouni Malinen
e695927862 driver: Remove unused send_frame() driver op
All the previous users have now been converted to using send_mlme() so
this unused send_frame() callback can be removed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:56:12 +02:00
Jouni Malinen
ce01804872 Convert the only remaining send_frame() users to send_mlme()
Since send_mlme() now has support for the no_encrypt argument it is
possible to get rid of the remaining send_frame() uses.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:53:42 +02:00
Jouni Malinen
27cc06d073 nl80211: Support no_encrypt=1 with send_mlme()
This allows send_mlme() to be used to replace send_frame() for the test
cases where unencrypted Deauthentication/Disassociation frames need to
be sent out even when using PMF for the association. This is currently
supported only when monitor interface is used for AP mode management
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:53:42 +02:00
Jouni Malinen
665a3007fb driver: Add no_encrypt argument to send_mlme()
This is in preparation of being able to remove the separate send_frame()
callback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:53:32 +02:00
Jouni Malinen
3710027463 Make hostapd_drv_send_mlme() more generic
Merge hostapd_drv_send_mlme_csa() functionality into
hostapd_drv_send_mlme() to get a single driver ops handler function for
hostapd. In addition, add a new no_encrypt parameter in preparation for
functionality that is needed to get rid of the separate send_frame()
driver op.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:34:37 +02:00
Jouni Malinen
b3525dc172 P2P Manager: Use send_mlme() instead of send_frame() for Deauthentication
send_frame() is documented to be used for "testing use only" and as
such, it should not have used here for a normal production
functionality. Replace this with use of send_mlme() which is already
used for sending Deauthentication frames in other cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:22:32 +02:00
Jouni Malinen
14cc3d10ca nl80211: Simplify hapd_send_eapol() with monitor interface
Call nl80211_send_monitor() directly instead of going through
wpa_driver_nl80211_send_frame() for the case where monitor interface is
used for AP mode management purposes. drv->use_monitor has to be 1 in
this code path, so wpa_driver_nl80211_send_frame() was calling
nl80211_send_monitor() unconditionally for this code path and that extra
function call can be removed here to simplify the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 12:08:58 +02:00
Jouni Malinen
16a2667203 nl80211: Don't accept interrupted dump responses
Netlink dump message may be interrupted if an internal inconsistency is
detected in the kernel code. This can happen, e.g., if a Beacon frame
from the current AP is received while NL80211_CMD_GET_SCAN is used to
fetch scan results. Previously, such cases would end up not reporting an
error and that could result in processing partial data.

Modify this by detecting this special interruption case and converting
it to an error. For the NL80211_CMD_GET_SCAN, try again up to 10 times
to get the full response. For other commands (which are not yet known to
fail in similar manner frequently), report an error to the caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 23:34:53 +02:00
Roy Marples
a8b00423ea BSD: Use struct ip rather than struct iphdr
As we define __FAVOR_BSD use the BSD IP header.
Compile tested on NetBSD, DragonFlyBSD, and Linux.

Signed-off-by: Roy Marples <roy@marples.name>
2020-01-02 19:17:10 +02:00
Jouni Malinen
3ea58a0548 nl80211: Fix libnl error string fetching
libnl functions return a library specific error value in libnl 2.0 and
newer. errno is not necessarily valid in all error cases and strerror()
for the returned value is not valid either.

Use nl_geterror() to get the correct error string from the returned
error code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 18:05:38 +02:00
Jouni Malinen
139f7ab311 mac80211_linux: Fix libnl error string fetching
libnl functions return a library specific error value. errno is not
necessarily valid in all error cases and strerror() for the returned
value is not valid either.

Use nl_geterror() to get the correct error string from the returned
error code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 18:05:38 +02:00
Jouni Malinen
25ebd538a4 Drop support for libnl 1.1
This simplifies code by not having to maintain and come up with new
backwards compatibility wrappers for a library release from 12 years
ago.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 18:05:38 +02:00
Jouni Malinen
1ace2f7c09 Drop debug print level for informative debug messages
These are certainly not error conditions, but normal cases for starting
up. Drop the message from ERROR to DEBUG.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 18:05:12 +02:00
Jouni Malinen
568950c6e7 RSN: Do not add PMKSA candidates unnecessarily
Add PMKSA candidates from scan results only if they advertise an AKMP
that is used with RSN pre-authentication. Previously, candidates were
added but then ignored later if the AKMP was not suitable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 12:26:24 +02:00
Ethan Everett
22319c7fed RADIUS client: fix extra retry before failover
This commit changes the failover behavior of RADIUS client. Commit
27ebadccfb ("RADIUS client: Cease endless retry for message for
multiple servers") changed the retry logic, causing RADIUS client to
wait RADIUS_CLIENT_NUM_FAILOVER + 1 timeouts before failing over the
first time. Prior to that commit, RADIUS client would wait
RADIUS_CLIENT_NUM_FAILOVER timeouts before each failover. This was
caused by moving the entry->attempts > RADIUS_CLIENT_NUM_FAILOVER
comparison to before the retry attempt, where entry->attempts is
incremented.

The commit in question set entry->attempts in radius_change_server to 1
instead of 0, so RADIUS client would still only wait
RADIUS_CLIENT_NUM_FAILOVER timeouts for subsequent failovers, the same
as the original behavior.

This commit changes the comparison so the initial failover now happens
after waiting RADIUS_CLIENT_NUM_FAILOVER timeouts, as it did originally.
It also changes the RADIUS_CLIENT_MAX_FAILOVER comparison to prevent an
additional attempt to the primary server after the final failover.

Signed-off-by: Ethan Everett <ethan.everett@meraki.net>
2019-12-30 19:13:51 +02:00
Matteo Croce
82ba4f2d1b nl80211: Add a driver ops function to check WoWLAN status
Add function that returns whether WoWLAN has been enabled for the device
or not.

Signed-off-by: Alfonso Sanchez-Beato <alfonso.sanchez-beato@canonical.com>
2019-12-30 18:46:29 +02:00
Jouni Malinen
b0621b083d Call hostapd_allowed_address() directly from handle_probe_req()
ieee802_11_allowed_address() did not really do anything useful for the
call from handle_probe_req(), so replace that with a direct call to
hostapd_allowed_address() and make ieee802_11_allowed_address() a static
function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 23:44:32 +02:00
Michael Braun
963681723f Fix possible memory leak of RADIUS data in handle_auth()
When returning from handle_auth() after ieee802_11_allowed_address()
returned HOSTAPD_ACL_ACCEPT, but before ieee802_11_set_radius_info() has
been called, identity, radius_cui, and psk might not have been consumed.

Fix this by avoiding the need to free these variables at all.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2019-12-29 23:43:55 +02:00
Michael Braun
d4ceaafc24 Make hostapd_copy_psk_list() non-static
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2019-12-29 23:34:01 +02:00
Michael Braun
29024efd18 Move the RADIUS cached attributes into a struct
This makes it easier to pass these around and to add new attributes.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2019-12-29 23:33:57 +02:00
Jouni Malinen
3cd4db231a FT: Do not deliver RRB messages locally without matching FT/SSID
For FT protocol to work, the BSSs need to be operating an FT AKM with
the same SSID and mobility domain. The previous commit covered the
mobility domain, this covers the other prerequisites. This reduces
unnecessary load from having to allocate queued messages for interfaces
that cannot have valid data.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 20:41:41 +02:00
Jinglin Wang
c133c785df FT: Check mobility domain when sending RRB message to local managed BSS
Fast BSS Transition requires related APs operating in the same mobility
domain. Therefore, we can check whether the local managed BSS is
operating the same mobility domain before sending multicast/unicast
messages to it. This reduces unnecessary load from having to allocate
queued messages for interfaces that cannot have valid data.

Signed-off-by: Jinglin Wang <bryanwang@synology.com>
Signed-off-by: MinHong Wang <minhongw@synology.com>
2019-12-29 20:32:07 +02:00
Jouni Malinen
a422d9b4c2 RRB: More debug prints for local delivery
This makes it easier to figure out how frames are delivered directly
between BSSs operated within a single hostapd process.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 20:17:57 +02:00
Jouni Malinen
7b1105afef RRB: Do not reorder locally delivered messages
Add new messages to the end of the l2_oui_queue instead of inserting
them at the beginning so that the dl_list_for_each_safe() iteration in
hostapd_oui_deliver_later() goes through the messages in the same order
they were originally queued.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 20:17:57 +02:00
Jinglin Wang
4834c6869d FT: Fix hostapd_wpa_auth_oui_iter() iteration for multicast packets
When using FT wildcard feature, the inter-AP protocol will send
broadcast messages to discover related APs.

For example,
12/6 16:24:43 FT: Send PMK-R1 pull request to remote R0KH address
    ff:ff:ff:ff:ff:ff
12/6 16:24:43 FT: Send out sequence number request to
    ff:ff:ff:ff:ff:ff

If you have multiple interfaces/BSSs in a single hostapd process,
hostapd_wpa_auth_oui_iter() returned 1 after the first interface was
processed. Iteration in for_each_interface() will be stopped since it
gets a non-zero return value from hostapd_wpa_auth_oui_iter().

Even worse, the packet will not be sent to ethernet because
for_each_interface() returns non-zero value. hostapd_wpa_auth_send_oui()
will then return data_len immediately.

To prevent this, hostapd_wpa_auth_oui_iter() should not return 1 after
any successful transmission to other interfaces, if the dst_addr of
packet is a multicast address.

Signed-off-by: Jinglin Wang <bryanwang@synology.com>
Signed-off-by: MinHong Wang <minhongw@synology.com>
2019-12-29 20:09:52 +02:00
Daniel Kobras
18780c6d67 OpenSSL: Add support for TPM2-wrapped keys
If the header of a PEM-formatted certificate or key in private_key file
indicates that it is wrapped with a TPM2 key, try to autoload the
appropriate OpenSSL engine that can transparently unwrap the key. This
enables systems to use TPM2-wrapped keys as drop-in replacements to
ordinary SSL keys.

This functionality needs
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git
to be installed as an OpenSSL engine.

Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
2019-12-29 11:28:19 +02:00
Jouni Malinen
974f84bb73 Fix ignore_broadcast_ssid behavior with SSID List and Short SSID List
ignore_broadcast_ssid=1 (or 2) were practically ignored if the Probe
Request frame included the SSID List or Short SSID List elements. Fix
this by requiring exact SSID match whenever ignore_broadcast_ssid is in
use regardless how SSID parameters are set in the Probe Request frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 23:19:44 +02:00
Andrei Otcheretianski
1c7f652f9e AP: Support Short SSID List element in Probe Request frames
According to IEEE P802.11ax/D6.0, 11.1.4.3.4 (Criteria for sending a
response), AP should answer Probe Request frames if either SSID or Short
SSID matches. Implement this part of the Short SSID use for the BSS (the
collocated 6 GHz BSS case is not covered in this commit).

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-12-28 23:13:58 +02:00
Andrei Otcheretianski
522450b7b1 AP: Determine Short SSID value for the BSS
This can be used in the future to implement support for RNR and scanning
extensions using a shorter field for the SSID.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-12-28 22:32:14 +02:00
Zefir Kurtisi
ef48f1bfb3 Ensure authenticator session timer is applied with wired driver
We use the wired driver for wired port authentication with a slight
extension to add the port into a bridge upon successful authentication
and to remove it from the bridge when the session terminates.

Our expectation was that the Session-Timeout configuration at the RADIUS
server is respected, i.e. the session is terminated and would need
re-authentication - like it is working for WLAN sessions over the
nl80211 driver. Alas, it turned out the session is not terminated with
the wired driver.

It turned out that when ap_handle_session_timer() is executed, the
sta->flags of the wired port has only the WLAN_STA_AUTHORIZED bit set.
The WLAN_STA_AUTH bit, which is used to check whether the STA needs to
be de-authenticated, is missing.

Extend the check for any of the WLAN_STA_(AUTH | ASSOC | AUTHORIZED)
bits to solve this issue with the wired driver. That should not have any
side-effect for the WLAN cases since WLAN_STA_AUTH is expected to always
be set for those when there is an ongoing session and separate checks
for ASSOC and AUTHORIZED don't change this.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2019-12-28 20:50:05 +02:00
Jouni Malinen
53661e3a9a Allow debug log to be written to both syslog and file
If hostapd or wpa_supplicant is started with both -s and -f command line
arguments, debug log ended up being written only into syslog and the log
file was left empty. Change this so that the log entries will be written
to both places. Either -s or -f (or both) results in debug log to stdout
being disabled which was already the case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 18:28:10 +02:00
Ben Greear
ee48f48ba1 hostapd: Support showing neighbor list through hostapd_cli
This lets one know the current neighbor list, and could be used
to populate the neighbor list of other hostapd processes.

For instance:

$ hostapd_cli -i vap0001 show_neighbor
04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
$ hostapd_cli -i vap0000 set_neighbor 04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
OK
$ hostapd_cli -i vap0000 show_neighbor
04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
04:f0:21:c3:b2:b0 ssid=04f021c3b2b0af190000802809 nr=04f021c3b2b0af1900008028090603022a00

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-12-26 17:59:03 +02:00
Sergey Matyukevich
3af78a4e04 Extract BSS coex 40 MHz check into a separate function
Move this implementation from check_40mhz_2g4() into a new helper
function check_bss_coex_40mhz function() so that it can be used in the
station mode case as well as the previously used AP mode case.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2019-12-26 11:41:01 +02:00
Sergey Matyukevich
a737e40b56 drivers: Support of dynamic VLAN requires Linux ioctls
Support for dynamic VLANs depends on the Linux bridge ioctls.
Add this dependency explicitely to drivers make files.

This fixes build for minimal hostapd configs such as:
CONFIG_DRIVER_WIRED=y
CONFIG_FULL_DYNAMIC_VLAN=y

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2019-12-26 00:00:36 +02:00
Bilal Hatipoglu
b1b62a1364 WPS: Add WPS-PIN-ACTIVE and WPS-CANCEL events
WPS_EVENT_CANCEL is added to indicate cancellation of a WPS operation
for any reason in hostapd/wpa_supplicant.

WPS_EVENT_PIN_ACTIVE is added to indicate when a PIN operation is
triggered in wpa_supplicant.

Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
2019-12-25 20:58:52 +02:00
Michal Kazior
8e111157e7 nl80211: Relax bridge setup
Normally nl80211 driver will attempt to strictly control what bridge
given interface is put in. It'll attempt to remove it from an existing
bridge if it doesn't match the configured one. If it's not in a bridge
it'll try to put it into one. If any of this fails then hostapd will
bail out and not set up the BSS at all.

Arguably that's reasonable since it allows to set the BSS up coherently
with regard to EAPOL handling as well as allows extra interactions with
things like FDB. However, not all hostapd drivers interact with bridge=
the same way. One example is atheros. Therefore it's not clear what the
desired behavior should be if consistency across drivers is considered.

There's a case where one might want to use a non-native Linux bridge,
e.g., openvswitch, in which case regular ioctls won't work to put an
interface into a bridge, or figure out what bridge an interface is in.
The underlying wireless driver can still be an ordinary nl80211 driver.

This change relaxes the bridge setup failure so that hostapd still
starts even if it fails to add an interface into a configured bridge
name. It still sets up all the necessary sockets (including the
configured bridge=) so EAPOL handling should work fine. This then leaves
it to the system integrator to manage wireless interface as bridge ports
and possibly fdb hints too.

Signed-off-by: Michal Kazior <michal@plume.com>
2019-12-24 21:16:23 +02:00
Sergey Matyukevich
3626e72c8d l2_packet: Fix bridge workaround for repeater configuration
In repeater configuration, both AP and STA wireless interfaces may be
included into the same bridge. In this case the following race condition
may occur: wpa_supplicant and hostapd are started, then hostapd clients
are connected before wpa_supplicant connects to remote AP. EAPOL packets
between hostapd and its clients are detected by wpa_supplicant on bridge
interface, prematurely disabling the workaround.

One possible option to fix this issue is to check EAPOL destination MAC
in wpa_supplicant and disable workaround only if EAPOL packet on bridge
interface is indeed intended for wpa_supplicant.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2019-12-24 21:16:23 +02:00
Jouni Malinen
84972999ba FT: More debug prints for RSNE modification for EAPOL-Key msg 2/4
This buffer was getting corrupted, so add more details to make it
clearer what causes the corruption should this type of regression show
up again.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-24 21:16:23 +02:00
Jouni Malinen
4cfa8b92ba Fix wpa_insert_pmkid() when buffer includes extra IEs
The case where the old RSNE included one or more PMKIDs and that RSNE
was followed by another IE was handled incorrectly since the
os_memmove() to move the end of the buffer when removing old PMKIDs was
stopping copying at the end of the RSNE, not the end of the IE buffer.
This could result in corrupting the IE that followed the RSNE. In
practice, this broke FT-SAE with H2E by corrupting the RSNXE that is in
the buffer after the RSNE.

Fix this by copying the full end of the buffer (i.e., including the
following RSNXE in the visible error case) when removing the old PMKIDs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-24 21:16:23 +02:00
Jouni Malinen
07fe134d9c EAP-SIM peer: Do not accept SIM/Challenge without SIM/Start
EAP-SIM full authentication starts with one or more SIM/Start rounds, so
reject an unexpected SIM/Challenge round without any preceeding
SIM/Start rounds to avoid unexpected behavior. In practice, an attempt
to start with SIM/Challenge would have resulted in different MK being
derived and the Challenge message getting rejected due to mismatching
AT_MAC unless the misbehaving server has access to valid Kc, so the end
result is identical, but it is cleaner to reject the unexpected message
explicitly to avoid any risk of trying to proceed without NONCE_MT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-23 23:59:16 +02:00
Jouni Malinen
b2e2a8588d OpenSSL: Extend key_block size determination to support GCM/CCM ciphers
These ciphers do not use a separate MAC algorithm, so digest nid will be
NID_undef. In addition, the fixed_iv_length needs to be set to 4 which
is the implicit part of the IV from PRF. This is needed to fix EAP-FAST
key derivation for cases where GCM/CCM ciphers are used for TLS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-23 20:02:45 +02:00
Jouni Malinen
1730a6a5ef nl80211: Fix couple of typos in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-23 10:24:49 +02:00
Mikael Kanstrup
307cfc3286 Strip trailing zero data in EAPOL-Key msg 1/4 when no PMKID to send
EAPOL-Key message 1/4 without PMKID KDE was sent with 22 bytes of stray
data following a zero length key data field. These 22 bytes happens to
be the exact size of an PMKID KDE. Strip these trailing bytes by
checking whether a PMKID is available and adjust pmkid_len to 0 if not.

This was seen for example in capture files created by hwsim test case
suite_b_192 but code modified to handle also the other cases without
PMKID (Suite B no-KCK, FILS without PMKID available, SAE without PMKID
available).

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2019-12-23 00:26:07 +02:00
Jouni Malinen
2c5ccfa607 nl80211: Initialize full channel info struct even if channel is not known
It was possible for the driver to advertise support for channels that
are not found from wpa_supplicant frequency-to-channel mapping (e.g.,
channel 182 at 5910 MHz) and that resulted in not initializing the
channel number information. Fix this by explicitly clearing the full
struct hostapd_channel_data buffer before parsing the information into
it from the driver.

This avoids some conditional jumps that could have dependent on
uninitialized values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-23 00:01:02 +02:00
Brian Norris
e6d3aca9cf WPS: Add prefixes to public event_* functions
openssl engines may dynamically load external libraries. Our event_*()
functions happen to be named very generically, such that event_add()
collides with the libevent library (https://libevent.org/). This can
have disastrous effects (esp. when using CONFIG_WPA_TRACE, which enables
partial linking) when our SSL engines call into the WPS event_add()
instead of their intended libevent event_add().

Resolve this by providing a more unique prefix to these functions.

Rename performed via:

  sed -i -E \
    's:\<event_(add|delete_all|send_all_later|send_stop_all)\>:wps_upnp_event_\1:g' \
     $(git grep -l event_)

Tested via (among other things) hwsim '-f ap_wps' module.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2019-12-22 11:24:28 +02:00
Davide Caratti
2ba6aa6045 Fix memory leak in case allocation of token fails during JSON parsing
On failure of json_alloc_token(), json_parse() can return without
freeing 'str' previously allocated by json_parse_string(). Fix this
adding proper call to os_free().

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2019-12-21 17:32:19 +02:00
Alexander Wetzel
78d338d1b1 DPP: Fix a memory leak on an error path
Fix a memory leak exposed by the dpp_own_config_sign_fail test.

Fixes: 52d469de11 ("DPP2: Support multiple Config Objects in Enrollee")
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2019-12-21 17:02:00 +02:00
Min Liu
1f1567d2a6 QCA vendor command for getting STA information
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO with
attributes defined in enum qca_wlan_vendor_attr_get_sta to get
information for a BSS in STA mode or for a peer STA in AP mode. This
vendor sub command can be used to get STA information from the driver to
userspace. The attributes defined in enum
qca_wlan_vendor_attr_get_sta_info are used to encapsulate required
information.

Signed-off-by: Min Liu <minliu@codeaurora.org>
2019-12-20 16:25:30 +02:00
Vamsi Krishna
e5620bf025 6 GHz: Select channel width using configured op_class
Use op_class to derive channel width for the operating channel when
op_class is configured by the user in both fixed channel and ACS cases.
We can avoid using ht_capab field to derive channel width especially in
the 6 GHz band in which only HE is supported.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 13:38:05 +02:00
Vamsi Krishna
0bfc04b8d0 Do not enable HT/VHT when operating in 6 GHz band
Only HE mode is allowed in the 6 GHz band hence do not enable HT/VHT
even if they are configured by the user.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 13:25:07 +02:00
Ankita Bajaj
da8570f4c9 Allow non-PCS 6 GHz channels to be excluded from ACS
Add support to exclude non-PSC 6 GHz channels from the input frequency
list to ACS. The new acs_exclude_6ghz_non_psc=1 parameter can be used by
6 GHz only APs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 13:23:13 +02:00
Ankita Bajaj
59bb72642a Allow ACS channel list to be configured as frequencies (in MHz)
The channel numbers are duplicated between 2.4 GHz / 5 GHz bands and 6
GHz band. Hence, add support to configure a list of frequencies to ACS
(freqlist) instead of a list of channel numbers (chanlist). Also, both 5
GHz and 6 GHz channels are referred by HOSTAPD_MODE_IEEE80211A. The 6
GHz channels alone can be configured by using both mode and frequency
list.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 13:19:52 +02:00
Ankita Bajaj
5f9b4afdfa Use frequency in HT/VHT validation steps done before starting AP
Using the channel parameter for validating allowed channel combinations
is not scalable to add 6 GHz support in the future since channel numbers
are duplicated between 2.4 GHz / 5 GHz bands and 6 GHz band. Hence use
frequency field for all channel combination validation steps done before
starting AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 13:05:39 +02:00
Ankita Bajaj
59e33b4a98 ACS: Select current hw_mode based on the selected frequency
After receiving ACS offload results, select the current hw_mode based on
the frequency selected by the ACS algorithm. The current hw_mode will be
further used during other validation steps such as HT capability
validations, DFS validation, etc.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 12:45:03 +02:00
Ankita Bajaj
bb781c763f AP: Populate iface->freq before starting AP
Using channel field while starting AP will cause issues with the new
6GHz band as the channel numbers are duplicated between the different
bands. Populate iface->freq before starting AP so that it can be used
instead of the channel number for all validations that need to be done
while starting AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 12:42:47 +02:00
Ankita Bajaj
41cac481a8 ACS: Use frequency params in ACS (offload) completed event interface
Replace channel fields with frequency fields in ACS completed event
interface from the driver layer. Use
QCA_WLAN_VENDOR_ATTR_ACS_PRIMARY_FREQUENCY and
QCA_WLAN_VENDOR_ATTR_ACS_SECONDARY_FREQUENCY attributes if the driver
includes them in the QCA_NL80211_VENDOR_SUBCMD_DO_ACS event, otherwise
use QCA_WLAN_VENDOR_ATTR_ACS_PRIMARY_CHANNEL and
QCA_WLAN_VENDOR_ATTR_ACS_SECONDARY_CHANNEL attributes to maintain
backwards compatibility with old drivers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 12:31:01 +02:00
Ankita Bajaj
840532aea5 Search through all hw_features sets in hw_get_channel_freq()
The 5 GHz channels are stored in one hw_features set with mode
HOSTAPD_MODE_IEEE80211A while the 6 GHz channels will need to stored in
a separate hw_features set (but with same mode HOSTAPD_MODE_IEEE80211A)
due to possibility of different HE capabilities being available between
the 5 GHz and 6 GHz bands.

Search through all hw_features sets whose mode is same as the input mode
while finding channel corresponding to the input frequency in
hw_get_channel_freq().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 12:21:45 +02:00
Ankita Bajaj
15d3568739 ACS: Add channels from all modes matching with configured hw mode
The 5 GHz channels are stored in one hw_features set with mode
HOSTAPD_MODE_IEEE80211A while the 6 GHz channels will need to stored in
a separate hw_features set (but with same mode HOSTAPD_MODE_IEEE80211A)
due to possibility of different HE capabilities being available between
the 5 GHz and 6 GHz bands.

Iterate through all hw_features sets and populate channels from all
hw_features sets whose hardware mode is matching the configured hardware
mode while preparing the channel list for ACS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 12:21:41 +02:00
Ahmad Masri
996662250d P2P: Add support for EDMG channels
This allows a P2P connection over P802.11ay EDMG channels to achieve the
highest link speed that the standard allows for channel bonding (CB) up
to CB4.

Let each P2P peer add its EDMG channels to the Supported Channels IE
advertised in P2P GO negotiation. Give EDMG channels priority when peers
negotiate for operating channel.

User may add 'edmg' parameter to p2p_connect, p2p_add_group, and
p2p_invite commands to prefer an EDMG channel for the P2P link. User may
also set p2p_go_edmg=1 in wpa_supplicant configuration file to prefer
EDMG.

When EDMG is used, P2P will try to find the highest channel bonding
supported channel that matches the frequency parameter, if the devices
do not support EDMG, the P2P connection will use a legacy (1-6) 60 GHz
channel.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2019-12-20 00:13:08 +02:00
Ahmad Masri
f86e34168e Update operating classes and channels for the 60 GHz band
Update new channels in Channel Bonding (CB2 ... CB4) in the 60 GHz band
for different regulatory regions according to the latest draft amendment
IEEE P802.11ay/D5.0.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2019-12-20 00:00:52 +02:00
Ahmad Masri
a19277a28b Add EDMG bandwidth to channel frequency APIs
Add EDMG bandwidth to CHANWIDTH_ defines.

Update API ieee80211_freq_to_channel_ext() to support EDMG bandwidth
for EDMG channels.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2019-12-19 23:46:28 +02:00
Jouni Malinen
5a563a3d34 Avoid compiler warning on shadowing a local variable
Fixes: 7fde39fb1a ("Add sae_rejected_groups to hostapd STA control interface command")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-18 13:46:59 +02:00
Jouni Malinen
7fde39fb1a Add sae_rejected_groups to hostapd STA control interface command
This is mainly for testing purposes to be able to check which groups
a STA reports as having been rejected when using SAE H2E.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-12 23:52:36 +02:00
Jouni Malinen
5661ebd774 DPP: Configurator netRole for Enrollee
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-12 02:33:00 +02:00
Jouni Malinen
7404574458 DPP: Replace ap boolean with netRole enum in Configurator params
The netRole enum is more generic and can be extended to include new
roles (e.g., Configurator) more easily.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-12 02:33:00 +02:00
Jouni Malinen
f2c4b44b40 SAE H2E: RSNXE override in EAPOL-Key msg 3/4
This new hostapd configuration parameter rsnxe_override_eapol=<hexdump>
can be used to override RSNXE value in EAPOL-Key msg 3/4 for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-07 17:32:17 +02:00
Jouni Malinen
a889e9a70c SAE: Reject invalid rejected group report in SAE commit explicitly (AP)
Previously, this case was ignored silently in AP mode. While that could
be a reasonable approach for an unexpected condition, it would be fine
to reject this case explicitly as well. This makes it somewhat easier to
test unexpected SAE H2E vs. looping behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-07 00:39:46 +02:00
Jouni Malinen
c88e01e1b6 SAE H2E: Fix validation of rejected groups list
check_sae_rejected_groups() returns 1, not -1, in case an enabled group
is rejected. The previous check for < 0 could not have ever triggered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-07 00:28:13 +02:00
Jouni Malinen
918df2227e SAE: Reject unexpected Status Code in SAE commit explicitly (AP)
Previously, this case was ignored silently in AP mode. While that could
be a reasonable approach for an unexpected condition, it would be fine
to reject this case explicitly as well. This makes it somewhat easier to
test unexpected SAE H2E vs. looping behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-06 17:26:57 +02:00
Ankita Bajaj
23acdd9f33 Fix memory leak in ACS offload operation
freq_list is built in allocated heap memory and it needs to be freed
before returning from this function.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-05 18:02:46 +02:00
Ankita Bajaj
e86ba912aa ACS: Remove redundant ch_list parameters from do_acs interface
Clean up do_acs interface to not pass ch_list to drivers as the same
information is available in freq_list. The channel numbers are
duplicated between 2.4 GHz and 5 GHz bands and the 6 GHz band. So, use
the QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST to populate only 2.4 GHz and 5 GHz
channels to ensure backwards compatibility with old drivers which do not
have support to decode the newer QCA_WLAN_VENDOR_ATTR_ACS_FREQ_LIST
attribute.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-05 18:02:34 +02:00
Ankita Bajaj
3cf360b8e2 DFS: Don't handle DFS ops for 6 GHz channels
Skip DFS checks and CAC operation for 6 GHz channels. AFC checks
will be added for 6 GHz channels later.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-05 17:12:27 +02:00
Ankita Bajaj
ee0030e814 6 GHz: Do not check for HT capability on 6 GHz channels
HT capability check is not required when starting AP on 6 GHz band as
only HE operation mode is allowed in the 6 GHz band.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-05 17:12:27 +02:00
Jouni Malinen
e780b4bf20 DPP: Bootstrapping via NFC URI Record
This extends hostapd and wpa_supplicant DPP implementation to allow the
bootstrapping URI to be generated for and parsed from an NFC Tag with an
NFC URI Record. This is similar to the way the bootstrapping URI is used
with QR Code for unidirectional authentication.

The DPP_BOOTSTRAP_GEN command uses "type=nfc-uri" to request the URI to
be assigned for NFC URI Record. In practice, the URI is generated
identically to the QR Code case, but the internal entry maintains the
NFC-URI type.

A new command "DPP_NFC_URI <uri>" can now be used to parse the URI read
from an NFC Tag with the NFC URI Record. This is similar to the
DPP_QR_CODE command.

Other commands (mainly, DPP_LISTEN and DPP_AUTH_INIT) are used for NFC
URI in the same way as they are used for QR Code.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-05 12:37:51 +02:00
Jouni Malinen
3c0d6eb8a9 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2019-11-08.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-05 12:36:09 +02:00
Hu Wang
38203148e9 Extend hostapd to support setband to driver via QCA vendor command
Commit 844dfeb804 ("QCA vendor command support to set band to driver")
added a vendor command to pass 'SET setband' command information to the
driver in wpa_supplicant. Add similar changes to hostapd control
interface.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-02 15:55:43 +02:00
Jouni Malinen
9f50538e13 SAE H2E: Do not use sae_h2e param in AP mode if SAE is disabled
Previously, nonzero sae_h2e parameter values were used to perform SAE
H2E specific operations (deriving PT, adding RSNXE, adding H2E-only BSS
membership selector) in AP mode even if SAE was not enabled for the
network. This could result in unexpected behavior if sae_pwe=1 or
sae_pwe=2 were set in the configuration. Fix this by making the SAE
operations conditional on SAE being actually enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-29 00:07:57 +02:00
Jouni Malinen
181bf93363 DPP2: Report received ssid_charset as DPP-CONFOBJ-SSID-CHARSET event
This provides the SSID character set, if specified, to upper layers on
station Enrollee.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Jouni Malinen
71e2848eab DPP2: ssid64/ssid_charset in Configurator
This allows Configurator to be configured to use the ssid64 option in
the discovery object for a station Enrollee.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Jouni Malinen
57a63b1318 DPP2: Add parsing of ssid64/ssid_charset in Config Object
The discovery object is now allowed to use either the UTF-8 encoded
string ssid or base64url encoded ssid64.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Jouni Malinen
590bc64d65 DPP: Use JSON token builder helpers
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Jouni Malinen
e75ab53222 JSON: Add helper functions for building tokens
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Jouni Malinen
8e5e36a184 Clean up base64_{encode,decode} pointer types
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Jouni Malinen
b22608423b Clean up base64_url_{encode,decode} pointer types
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-27 16:09:35 +02:00
Jouni Malinen
a4255a207b Simplify base64_url_encode() prototype
There is no use case for adding padding into the base64url encoded
strings, so remove the unneeded add_pad argument that was hardcoded to 0
in all callers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-27 15:35:19 +02:00
Jouni Malinen
c54227c26a DPP2: Replace connectionStatus object ssid with ssid64
The UTF-8 encoded ssid string was replaced with base64url encoded ssid64
string, so update the implementation to match.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-27 15:34:38 +02:00
Jouni Malinen
31b6eb417b tests: Update SAE H2E test case to match SSWU parameter z change
Update the test vector based on
11-19-1817-02-000m-hash-to-curve-changes.docx

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-23 17:46:15 +02:00
Jouni Malinen
0432237a4d SAE H2E: Update SSWU curve-specific parameter z values
Update the values based on
11-19-1817-02-000m-hash-to-curve-changes.docx

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-23 17:46:15 +02:00
Jouni Malinen
5b50265e13 WMM: Do not modify input TSPEC buffer during processing
The WMM TSPEC processor used the input buffer for processing the request
and building the response. This was fine for the FT case, but for the
WMM Action frame case, the input buffer is marked const, so it should
not really be modified. This modification could not really cause any
noticeable harm, but it can result in error reports from fuzzing and
potentially even from some static analyzers.

Fix this by marking the input arguments const more consistently (the
parsed IE was able to drop the const) and copy the const input data to a
temporary buffer for processing and modification instead of allowing the
input data to be modified.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19050
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-11-23 17:39:55 +02:00
Hu Wang
f3c077929f P2P: Fix listen state machine getting stuck in send_action() scheduled case
Commit 947b5a1532 ("P2P: Stop listen state if Action frame TX is
needed on another channel") added an optimization for P2P response
transmission in certain concurrent operation cases. However, it did not
take into account possibility of the driver not being in listen
state (p2p->drv_in_listen == 0) and could end up getting stuck with the
P2P state machine in a manner that made the device not listen for
following messages. This showed up in following manner in the debug log:

P2P: Starting short listen state (state=SEARCH)
P2P: Driver ended Listen state (freq=2437)
process received frame and send a response
P2P: Stop listen on 0 MHz to allow a frame to be sent immediately on 2437 MHz
P2P: Clear timeout (state=SEARCH)
--> state machine stuck

Fix this by adding drv_in_listen > 0 condition for the optimization to
stop the listen operation in send_action() resulting in scheduled TX.

Fixes: 947b5a1532 ("P2P: Stop listen state if Action frame TX is needed on another channel")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-13 23:59:37 +02:00
Lei Wang
530b8ee3c8 hostapd: Update DFS status in VHT80+80 mode
Update center frequency and center frequency2's DFS channel status in
VHT80+80 mode. Otherwise it will cause AP failed to start on a DFS
channel.

Tested: qca9984 with firmware ver 10.4-3.10-00047

Signed-off-by: Rick Wu <rwu@codeaurora.org>
Signed-off-by: Lei Wang <leiwa@codeaurora.org>
2019-11-10 22:54:19 +02:00
Jouni Malinen
93ba13bcfd Fix status code in SAE/DPP association PMKID mismatch (driver-AP-SME)
wpa_validate_wpa_ie() was already extended to cover these cases with
WPA_INVALID_PMKID return value, but hostapd_notif_assoc() did not have
code for mapping this into the appropriate status code
(STATUS_INVALID_PMKID) and ended up using the default
(WLAN_STATUS_INVALID_IE) instead. This caused AP SME-in-driver cases
returning incorrect status code when the AP did not have a matching
PMKSA cache entry. This could result in unexpected station behavior
where the station could continue trying to use a PMKSA cache entry that
the AP does not have and not being able to recover this.

Fix this by adding the previously missed mapping of validation errors to
status/reason codes.

Fixes: 567da5bbd0 ("DPP: Add new AKM")
Fixes: 458d8984de ("SAE: Reject request with mismatching PMKID (no PMKSA cache entry)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-09 00:33:58 +02:00
Jouni Malinen
b90d2f7ffe Fix a typo in a comment
Spell NULL correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-06 19:44:50 +02:00
Eric Caruso
bb66d46758 Move ownership of MAC address randomization mask to scan params
This array can be freed either from the scan parameters or from
clearing the MAC address randomization parameters from the
wpa_supplicant struct. To make this ownership more clear, we have
each struct own its own copy of the parameters.

Signed-off-by: Eric Caruso <ejcaruso@chromium.org>
2019-10-27 19:50:22 +02:00
Jouni Malinen
1030dec1fa JSON: Fix escaping of characters that have MSB=1 with signed char
The "\\u%04x" printf string did not really work in the correct way if
char is signed. Fix this by type casting this to unsigned char.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-10-27 19:50:22 +02:00
Mikael Kanstrup
937644aa2c nl80211: Indicate SUITE_B_192 capa only when CCMP-256/GCMP-256 supported
SUITE_B_192 AKM capability was indicated for all devices using the
nl80211 driver (without the QCA vendor specific AKM capability
indication). However, some devices can't handle Suite B 192 due to
insufficient ciphers supported. Add a check for CCMP-256 or GCMP-256
cipher support and only indicate SUITE_B_192 capability when such cipher
is supported. This allows compiling with CONFIG_SUITEB192 and still get
proper response to the 'GET_CAPABILITY key_mgmt' command. Under Android
it can also serve as a dynamic way for HAL to query platform for
WPA3-Enterprise 192-bit support.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2019-10-27 15:22:19 +02:00
Shiva Sankar Gajula
df3b2e22a0 nl80211: Add STA node details in AP through QCA vendor subcommand
Addi STA node details in AP through QCA vendor subcommand
QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE vendor when processing FT
protocol roaming.

Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
2019-10-25 19:29:53 +03:00
Yu Wang
f273b2a5c7 Add QCA vendor cmd for setting BT coex chain mode
To config BT coex chain mode, add a new QCA sub command
QCA_NL80211_VENDOR_SUBCMD_BTC_CHAIN_MODE.

This new command has two attributes:
1. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE: u32 attribute. Indicates the
   BT coex chain mode, are 32-bit values from enum qca_btc_chain_mode.
2. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE_RESTART: flag attribute.
   If set, vdev should be restarted once BT coex chain mode is updated.

Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
2019-10-25 19:29:53 +03:00
Ashish Kumar Dhanotiya
4dc860680c Extend QCA OEM data vendor subcmd to allow use as an event
The QCA_NL80211_VENDOR_SUBCMD_OEM_DATA command was previously defined
only to pass data blobs from user space to kernel (application to
firmware) but there was no mechanism to send the data blobs from
firmware to application. Extend this to define use of the same
subcommand and attributes as vendor events.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
93a1e275a7 SAE: Determine H2E vs. looping when restarting SAE auth in AP mode
If hostapd had existing STA SAE state, e.g., from a previously completed
SAE authentication, a new start of a separate SAE authentication (i.e.,
receiving of a new SAE commit) ended up using some of the previous
state. This is problematic for determining whether to H2E vs. looping
since the STA is allowed (even if not really expected to) to change
between these two alternatives. This could result in trying to use H2E
when STA was using looping to derive PWE and that would result in SAE
confirm failing.

Fix this by determining whether to use H2E or looping for the restarted
authentication based on the Status Code in the new SAE commit message
instead of previously cached state information.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
de580bf6c4 crypto: Remove unused crypto_bignum_sqrtmod()
This wrapper function is not used anymore, so drop it instead of trying
to figure out good way of implementing it in constant time with various
crypto libraries.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
9b292a48f7 SAE: Drop sqrt() alternative from SSWU (H2E)
Remove support for performing full sqrt(), i.e., only support curves
that use prime with p = 3 mod 4. In practice, this drops only group 26
with SAE H2E. This seems acceptable since there does not seem to be any
strong use case for that group taken into account the limits being
placed on acceptable prime lengths.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jesus Fernandez Manzano
00ddc1cc21 common: Fix same expression checked twice in fils_key_auth_sk()
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2019-10-25 19:29:53 +03:00
Pradeep Kumar Chitrapu
327d09aa03 HE: Add 11ax info to ap mode ctrl iface STATUS command
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
d7678a0842 Fix AP Extended Capability length determination
The IE minimum length determination in hostapd_eid_ext_capab() was not
fully up to date with the hostapd_ext_capab_byte() conditions. This
could result in omitting some of the capability octets depending on
configuration. Fix this by adding the missing conditions.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 16:03:37 +03:00
Jimmy Chen
a592f2a9ea P2P: Continue listening next request if no post-PD operations
If there are no post-provision discovery operations, we should continue
in find mode to avoid getting the p2p_find operation stopped (stuck in
SEARCH state) unexpectedly.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2019-10-25 16:03:37 +03:00
Jouni Malinen
f73dd0a692 FT-SAE: Add RSNXE into FT MIC
Protect RSNXE, if present, in FT Reassociation Request/Response frames.
This is needed for SAE H2E with FT.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 16:20:27 +03:00
Jouni Malinen
cb99259775 Add RSNXE into (Re)Association Response frames
Add the new RSNXE into (Re)Association Response frames if any of the
capability bits is nonzero.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 15:49:32 +03:00
Jouni Malinen
865721c695 Merge wpa_supplicant and hostapd EAPOL-Key KDE parsers
Use a single struct definition and a single shared implementation for
parsing EAPOL-Key KDEs and IEs instead of maintaining more or less
identical functionality separately for wpa_supplicant and hostapd.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 13:02:27 +03:00
Jouni Malinen
898b6d58f3 SAE: Verify that STA negotiated H2E if it claims to support it
If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
the AP configuration, require H2E to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 12:48:28 +03:00
Jouni Malinen
74866f5378 RSN: Verify RSNXE match between (Re)AssocReq and EAPOL-Key msg 2/4
If the STA advertises RSN Extension element, it has to be advertised
consistently in the unprotected ((Re)Association Request) and protected
(EAPOL-Key msg 2/4) frames. Verify that this is the case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 00:20:29 +03:00
Jouni Malinen
9981d5bf31 Add RSNXE into AP KDE parser
This is needed for SAE hash-to-element implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 00:20:29 +03:00
Jouni Malinen
d3516cad7a Store a copy of Association Request RSNXE in AP mode for later use
This is needed to be able to compare the received RSNXE to a protected
version in EAPOL-Key msg 2/4.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 00:20:29 +03:00
Jouni Malinen
6d6c887751 SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4
Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg
2/4 when using SAE with hash-to-element mechanism enabled. This allows
the AP to verify that there was no downgrade attack when both PWE
derivation mechanisms are enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 16:54:05 +03:00
Jouni Malinen
8401cdc8d4 Add RSNXE into IE parser
This is needed for SAE hash-to-element implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 16:53:09 +03:00
Jouni Malinen
0b0ed907d1 WPS: Check SHA256 result success
These functions can fail in theory, so verify they succeeded before
comparing the hash values.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:41:13 +03:00
Shiva Sankar Gajula
8dda97c758 QCA vendor command for adding a STA node
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE with
attributes qca_wlan_vendor_attr_add_sta_node_params to add STA peer
entries in AP mode. This vendor sub command is used in FT roaming
scenario to send STA node information from application/service to
driver/firmware. The attributes defined in enum
qca_wlan_vendor_attr_add_sta_node_params are used to deliver the
parameters.

Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
2019-10-15 15:39:22 +03:00
Subrat Dash
b41dc61afa Add a new QCA vendor attribute to carry device info for OEM data
The OEM data binary blobs from application/service will be routed to the
appropriate device based on this attribute value. This optional
attribute is used to specify whether the device type is virtual or
physical. This attribute can be omitted when the command is for a
virtual device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Edayilliam Jayadev
bf185bfd5d QCA vendor attributes to indicate BW-based agile spectral capability
Some chipsets don't have the capability to run agile spectral scan with
160/80+80 MHz modes. Add separate agile spectral scanning capability
flags for 160, 80+80, and non-160 MHz modes to cover such cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Sunil Dutt
1317ea2c0e nl80211: Allow external auth based on SAE/FT-SAE key mgmt
In the SME-in-driver case, wpa_supplicant used only the selected SAE
auth_alg value as the trigger for enabling external authentication
support for SAE. This prevented the driver from falling back to full SAE
authentication if PMKSA caching was attempted (Open auth_alg selected)
and the cached PMKID had been dropped.

Enable external auth based on SAE/FT-SAE key_mgmt, rather than doing
this based on SAE auth_alg, so that the driver can go through full SAE
authentication in cases where PMKSA caching is attempted and it fails.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Dedy Lansky
cdb5774f42 FST: Update FST about MAC address change
Notify FST module upon MAC address change. FST module will update the
Multiband IE accordingly.

Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
2019-10-15 15:39:22 +03:00
Andrei Otcheretianski
49e95ee1ee AP: Publish only HE capabilities and operation IEs on 6 GHz band
When operating on the 6 GHz band, add 6 GHz Operation Information inside
the HE Operation element and don't publish HT/VHT IEs.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

- Replace HOSTAPD_MODE_IEEE80211AX mode checks with is_6ghz_op_class()

Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2019-10-15 15:39:22 +03:00
Andrei Otcheretianski
d7c2c5c98c AP: Add initial support for 6 GHz band
Add support for new hardware mode for 6 GHz band. 6 GHz operation is
defined in IEEE P802.11ax/D4.3. 6 GHz band adds global operating classes
131-135 that define channels in frequency range from 5940 MHz to 7105
MHz.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

- Remove HOSTAPD_MODE_IEEE80211AX mode
- Replace check for HOSTAPD_MODE_IEEE80211AX with is_6ghz_freq()
- Move center_idx_to_bw_6ghz() to ieee802_11_common.c file

Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2019-10-15 15:39:22 +03:00
Liangwei Dong
a5b2faa714 AP: Add op_class config item to specify 6 GHz channels uniquely
Add hostapd config option "op_class" for fixed channel selection along
with existing "channel" option. "op_class" and "channel" config options
together can specify channels across 2.4 GHz, 5 GHz, and 6 GHz bands
uniquely.

Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
032c8264d4 SAE: Check that peer's rejected groups are not enabled in AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00