Commit graph

4321 commits

Author SHA1 Message Date
Jouni Malinen
4be5bc98a8 DPP: Update AES-SIV AD for PKEX frames
The protocol design was updated to protect the six octets in the header
before the attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-19 18:32:16 +03:00
Jouni Malinen
dc4d271c6d DPP: Update AES-SIV AD for DPP Authentication frames
The protocol design was updated to protect the six octets in the header
before the attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-18 22:51:30 +03:00
Vidyullatha Kanchanapally
6338c99efa FILS: Send updated connection parameters to drivers if needed
After an initial connection wpa_supplicant derives ERP information which
can be used in doing eventual authentications in the same realm. This
information can be used by drivers with offloaded FILS support to do
driver/firmware initiated roamings. Add support to send this updated
information to such drivers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-18 01:19:42 +03:00
Vidyullatha Kanchanapally
d2ba0d719e Move assoc param setting into a helper function
This is needed to be able to use the same implementation for updating
the connection parameters in the driver during an association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-18 01:19:42 +03:00
Vidyullatha Kanchanapally
b0a21e228d FILS: Update replay counter from roam info
Update the replay counter after a roam for all cases. This restores the
design back to what it was before commit
01ef320f19 ('FILS: Update ERP next
sequence number with driver offload').

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-17 16:26:44 +03:00
Jouni Malinen
daa4096084 Allow last (Re)Association Request frame to be replayed for testing
The new wpa_supplicant RESEND_ASSOC command can be used to request the
last (Re)Association Request frame to be sent to the AP to test FT
protocol behavior.

This functionality is for testing purposes and included only in builds
with CONFIG_TESTING_OPTIONS=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 17:47:24 +03:00
Jouni Malinen
751f5b2933 Allow EAPOL-Key Request to be sent through control interface
The new wpa_supplicant "KEY_REQUEST <error=0/1> <pairwise=0/1>" command
can be used to request an EAPOL-Key Request frame to be sent to the AP.

This functionality is for testing purposes and included only in builds
with CONFIG_TESTING_OPTIONS=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 17:47:24 +03:00
Jouni Malinen
bb06748f45 Make last received ANonce available through control interface
This makes it easier to debug 4-way handshake implementation issues
without having to use a sniffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 17:47:24 +03:00
Jouni Malinen
16579769ff Add testing functionality for resetting PN/IPN for configured keys
This can be used to test replay protection. The "RESET_PN" command in
wpa_supplicant and "RESET_PN <addr>" command in hostapd resets the local
counters to zero for the last configured key. For hostapd, the address
parameter specifies which STA this operation is for or selects GTK
("ff:ff:ff:ff:ff:ff") or IGTK ("ff:ff:ff:ff:ff:ff IGTK").

This functionality is for testing purposes and included only in builds
with CONFIG_TESTING_OPTIONS=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 17:43:10 +03:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
adae51f8b9 WNM: Ignore WNM-Sleep Mode Response without pending request
Commit 03ed0a5239 ('WNM: Ignore WNM-Sleep
Mode Response if WNM-Sleep Mode has not been used') started ignoring the
response when no WNM-Sleep Mode Request had been used during the
association. This can be made tighter by clearing the used flag when
successfully processing a response. This adds an additional layer of
protection against unexpected retransmissions of the response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
a34ca59e4d SAE: Allow SAE password to be configured separately (STA)
The new sae_password network profile parameter can now be used to set
the SAE password instead of the previously used psk parameter. This
allows shorter than 8 characters and longer than 63 characters long
passwords to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 23:24:19 +03:00
Sunil Dutt
c5aeb4343e P2P: Do not mark DFS channel as invalid if DFS is offloaded to driver
While considering the movement of P2P GO from its current operating
channel, do not mark a DFS channel as invalid if DFS is offloaded
to the driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 22:36:48 +03:00
Sunil Dutt
f516090228 P2P: Prefer 5/60 GHz band over 2.4 GHz during GO configuration
Previously, wpas_p2p_select_go_freq_no_pref() ended up selecting a 2.4
GHz band channel first before even considering 5 or 60 GHz channels.
This was likely done more or less by accident rather than by design when
the 5 GHz and 60 GHz band extensions were added. It seems reasonable to
enhance this by reordering the code to start with 5 and 60 GHz operating
classes and move to 2.4 GHz band only if no channel was available in 5
or 60 GHz bands for P2P GO use.

This does have some potential interop issues with 2.4 GHz only peer
devices when starting up an autonomous GO (i.e., without there being
prior knowledge of channels that the peers support). Upper layers are
expected to enforce 2.4 GHz selection if that is needed for some use
cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 17:01:10 +03:00
Jouni Malinen
265bda3444 OWE: Allow DH Parameters element to be overridden for testing purposes
This allows CONFIG_TESTING_OPTIONS=y builds of wpa_supplicant to
override the OWE DH Parameters element in (Re)Association Request frames
with arbitrary data specified with the "VENDOR_ELEM_ADD 13 <IE>"
command. This is only for testing purposes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 18:26:29 +03:00
Jouni Malinen
8c19ea3f21 DPP: Add the crypto suite field to the frames
This additional field was added to DPP Public Action frames in DPP tech
spec v0.2.3 to support cryptographic agility in the future.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 01:30:08 +03:00
Jouni Malinen
c77e2ff096 DPP: Remove C-sign-key expiry
This was removed in DPP tech spec v0.2.3.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 01:17:33 +03:00
Jouni Malinen
109704657d OWE: Support station SME-in-driver case
Previously, only the SME-in-wpa_supplicant case was supported. This
extends that to cover the drivers that implement SME internally (e.g.,
through the cfg80211 Connect command).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 12:35:14 +03:00
Jouni Malinen
5a78c36194 OWE: PMKSA caching in station mode
This extends OWE support in wpa_supplicant to allow PMKSA caching to be
used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 12:12:54 +03:00
Jouni Malinen
ec9f483774 OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station
This extends OWE support in wpa_supplicant to allow DH groups 20 and 21
to be used in addition to the mandatory group 19 (NIST P-256). The group
is configured using the new network profile parameter owe_group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
7a12edd163 OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in AP mode
This extends OWE support in hostapd to allow DH groups 20 and 21 to be
used in addition to the mandatory group 19 (NIST P-256).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
e8b9649012 OWE: Transition mode support on station side
Add support for using the OWE Transition Mode element to determine the
hidden SSID for an OWE BSS that is used in transition mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
675112df1b OWE: Set PMK length properly on supplicant side
sm->pmk_len was not set when deriving the PMK as part of OWE key
generation. This depending on wpa_sm_set_pmk_from_pmksa() call resetting
the value to the default. While this worked for many cases, this is not
correct and can have issues with network profile selection based on
association information. For example, the OWE transition mode cases
would hit an issue here.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Sunil Dutt
63bc0ab0ed P2P: Allow GO to advertise Interworking element
This adds new wpa_supplicant configuration parameters (go_interworking,
go_access_network_type, go_internet, go_venue_group, go_venue_type) to
add a possibility of configuring the P2P GO to advertise Interworking
element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-05 14:42:16 +03:00
vamsi krishna
e37cea308e OCE: Update default scan IEs when OCE is enabled/disabled
Update the default scan IEs when OCE is enabled/disabled to the
driver/firmware, so that the correct IEs will be sent out by the
driver/firmware in Probe Request frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-01 18:47:02 +03:00
Jouni Malinen
61a56c1480 Add group_mgmt network parameter for PMF cipher selection
The new wpa_supplicant network parameter group_mgmt can be used to
specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128,
BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not
specified, the current behavior is maintained (i.e., follow what the AP
advertises). The parameter can list multiple space separate ciphers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-26 17:40:02 +03:00
Jouni Malinen
60ed2f24eb Suite B: Add tls_suiteb=1 parameter for RSA 3k key case
This adds phase1 parameter tls_suiteb=1 into wpa_supplicant
configuration to allow TLS library (only OpenSSL supported for now) to
use Suite B 192-bit level rules with RSA when using >= 3k (3072) keys.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-17 00:09:47 +03:00
Jouni Malinen
5030d7d9fd DPP: Allow raw hex PSK to be used for legacy configuration
The new psk=<hexdump> can be used as an alternative to pass=<passphrase>
when configuring the DPP Configurator with a legacy network parameters.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-15 17:54:31 +03:00
Lior David
3c7863f812 wpa_supplicant: Support dynamic update of wowlan_triggers
Previously, wowlan_triggers were updated in kernel only during startup.
Also update it whenever it is set from the control interface.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-13 22:17:58 +03:00
Lior David
3031133983 mesh: Move writing of mesh_rssi_threshold inside CONFIG_MESH
Previously, the code that writes mesh_rssi_threshold to a network block
always executes, but the code that reads it from network block and the
code that initializes it to a default value in a new network block are
inside #ifdef CONFIG_MESH. As a result when writing a config file it
will write mesh_rssi_threshold (since it has a non-default value) and
later fail to read the network block.

Fix this by moving the write code under #ifdef CONFIG_MESH as well.
Note, network blocks which already have mesh_rssi_threshold because of
the bug will still fail to read after the fix.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2017-09-12 17:17:21 +03:00
Jouni Malinen
2efc672075 Fix RSN pre-authentication regression with pre-connection scan results
The introduction of radio works and a delayed callback to complete
association/connection requests ended up breaking RSN pre-authentication
candidate list generation for the case of pre-connection scan results.
Previously, wpa_supplicant_associate() set the RSN state machine
configuration before returning and the calls to
wpa_supplicant_rsn_preauth_scan_results() immediately after this
function call were working fine. However, with the radio work callback,
the RSN state machine configuration started to happen only in that
callback which would be called soon after this code path has completed.
This resulted in the RSN state machine not knowing the selected SSID and
as such, rejecting all pre-authentication candidates.

Fix this by setting the RSN state machine configuration from
wpa_supplicant_associate() so that the existing callers of
wpa_supplicant_rsn_preauth_scan_results() can be used as-is to add
candidates for pre-authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-12 16:47:02 +03:00
Sabrina Dubroca
7612e65b9b mka: Add error handling for secy_init_macsec() calls
secy_init_macsec() can fail (if ->macsec_init fails), and
ieee802_1x_kay_init() should handle this and not let MKA run any
further, because nothing is going to work anyway.

On failure, ieee802_1x_kay_init() must deinit its kay, which will free
kay->ctx, so ieee802_1x_kay_init callers (only ieee802_1x_alloc_kay_sm)
must not do it. Before this patch there is a double-free of the ctx
argument when ieee802_1x_kay_deinit() was called.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2017-09-10 22:23:25 +03:00
Adiel Aloni
2c66c7d115 wpa_supplicant: Check length when building ext_capability in assoc_cb
When building wpa_ie in wpas_start_assoc_cb() with ext_capab,
make sure that assignment does not exceed max_wpa_ie_len.

Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
2017-09-10 22:16:06 +03:00
Saurav Babu
cdf2501494 dbus: Add new interface property to get mesh group
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-09-10 01:39:37 +03:00
Saurav Babu
190f6f1176 dbus: Add new interface property to get connected mesh peers
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-09-10 01:39:37 +03:00
Saurav Babu
a9de99b1c5 dbus: Add MeshPeerDisconnected signal
This is similar to the control interface event MESH-PEER-DISCONNECTED.

Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-09-10 01:39:37 +03:00
Saurav Babu
9b0701fbf5 dbus: Add MeshPeerConnected signal
This is similar to the control interface event MESH-PEER-CONNECTED.

Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-09-10 01:39:35 +03:00
Saurav Babu
a39b040b4c dbus: Add MeshGroupRemoved signal
This is similar to the control interface event MESH-GROUP-REMOVED.

Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-09-09 14:12:33 +03:00
Saurav Babu
89e9cd25d2 dbus: Add MeshGroupStarted signal
This introduces a new interface for mesh and adds a signal that
is similar to the control interface event MESH-GROUP-STARTED.

Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-09-09 14:01:14 +03:00
Jouni Malinen
a0f19e9c74 SAE: Allow commit fields to be overridden for testing purposes (STA)
The new "SET sae_commit_override <hexdump>" control interface command
can be used to force wpa_supplicant to override SAE commit message
fields for testing purposes. This is included only in
CONFIG_TESTING_OPTIONS=y builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-04 13:32:03 +03:00
Jouni Malinen
a6f238f217 DPP: Add base64 dependency in makefiles
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-04 13:31:21 +03:00
Jouni Malinen
85fd8263a5 DPP: Use Transaction ID in Peer Discovery Request/Response frames
DPP tech spec changed the contents of these frames by replacing the
public key hash attributes with a Transaction ID attribute that gets
copied from the request to the response to identify the transaction in a
simpler manner.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-08-23 12:51:41 +03:00
Jouni Malinen
a4bf007877 DPP: Remove devices object from the connector
This was removed from the draft DPP tech spec, so remove it from the
implementation as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-08-22 23:46:27 +03:00
Avraham Stern
b5bf84ba39 WNM: Differentiate between WNM for station and for AP in build
Previously, CONFIG_WNM enabled build that supports WNM for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode WNM is required and there is no need for AP mode WNM.

Add support to differentiate between station mode WNM and AP mode
WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be
used when AP mode WNM support is required in addition to station mode
WNM. This allows binary size to be reduced for builds that require
only the station side WNM functionality.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-18 13:28:09 +03:00
Avraham Stern
922dcf1b45 RRM: Remove duplicate frequencies from beacon report scan request
When setting the frequencies for beacon report request scan, it is
possible that a frequency is added twice (e.g., when the same channel
appears both in the channel field and in the AP channel report
subelement). This may cause the scan request to fail.
Make sure the frequencies array contains no duplications before
requesting the scan.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-17 18:04:34 +03:00
Avraham Stern
705e2909c6 RRM: Send response when Beacon report request is not supported/refused
Send Radio Measurement response with measurement mode set to reject
in the following cases:
 1. Reporting conditions is not supported.
 2. No valid channels found for the measurement

Sending a response with an incapable indication will stop the AP from
sending other measurement requests of the same type as specified
in IEEE Std 802.11-2016, 11.11.6.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-17 18:00:56 +03:00
Avraham Stern
3756acfd48 RRM: Send Radio Measurement response when beacon report scan fails
When failing to trigger scan for beacon report (e.g., when the
requested duration is not supported by the driver), send a
Radio Measurement response with the mode set to refused and don't
retry the scan.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-17 17:57:41 +03:00
Avraham Stern
b3c148e9f8 RRM: Send reject/refuse response only to unicast measurement request
IEEE Std 802.11-2016, 11.11.6 specifies that a station that is unable to
make a requested measurement or refuses to make a measurement shall
respond only if the measurement request was received within an
individually addressed radio measurement request frame, but shall not
respond if such a request was received in a group addressed frame.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-17 17:43:32 +03:00
Dmitry Shmidt
51143af7e7 wpa_cli: Fix global control interface for STA-FIRST/STA-NEXT
If global control interface is used and wlan doesn't support P2P,
   wpa_s->global->p2p == NULL, and log shows:
wpa_supplicant: Failed to create interface p2p-dev-wlan0: -5 (I/O error)
wpa_supplicant: nl80211: Failed to create a P2P Device interface p2p-dev-wlan0
wpa_supplicant: P2P: Failed to enable P2P Device interface

Then STA-FIRST/STA-NEXT is not going to redirect to any interface,
making update_stations(ctrl_conn) is stuck in never-ending loop:

sendto(3, "STA-FIRST", 9, 0, NULL, 0)   = 9
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995000})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995833})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995000})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2017-07-17 14:54:42 +03:00
Beniamino Galvani
2b9891bd6e OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:55:22 +03:00