Commit message (Collapse)AuthorAgeFilesLines
* Clarify documentation of avoid channels expectationsSunil Dutt2019-01-121-2/+6
| | | | | | | | | | | | | | | The vendor command QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY was defined to carry the list of avoid frequencies that aim to avoid any interference with other coexistencies. This recommendation was followed strictly by trying to prevent WLAN traffic on the impacted channels. This commit refines the expectation of the interface by defining this avoid channel list to allow minimal traffic but not heavier one. For example, P2P may still be able to use avoid list frequencies for P2P discovery and GO negotiation if the actual group can be set up on a not impact channel. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Log new username in eventlog for cert reenrollJouni Malinen2019-01-091-0/+5
| | | | | | | | Make it easier to find the new username (and the new serial number from it) when a user entry is renamed at the conclusion of client certificate re-enrollment sequence. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HE: Add MU EDCA Parameter Set element (AP)Siva Mullati2019-01-087-2/+189
| | | | | | | Add support for configuring parameters for the MU EDCA Parameter Set element per IEEE P802.11ax/D3.0. Signed-off-by: Siva Mullati <siva.mullati@intel.com>
* eapol_test: Start the identifier at an initial random valueMartin Stanislav2019-01-081-1/+2
| | | | | | | | Start the (EAP request) identifier at an initial random value as recommended by RFC 3748 in section 4.1 Request and Response on page 21. Signed-off-by: Martin Stanislav <ms@uakom.sk>
* drivers: Set CONFIG_LIBNL32=y automatically based on pkg-configJouni Malinen2019-01-081-0/+12
| | | | | | | If the libnl version is not specified explicitly with CONFIG_LIBNL*, try to check for the most likely case today with pkg-config. Signed-off-by: Jouni Malinen <j@w1.fi>
* drivers: Move libnl related build flags to separate ifdef blockAndrey Kartashev2019-01-082-63/+39
| | | | | | | | Fix compilation issue if we want to build wpa_supplicant without any wireless connectivity but only with MACSec support via Linux kernel driver. Signed-off-by: Andrey Kartashev <a.s.kartashev@gmail.com>
* mka: New MI should only be generated when peer's key is invalidMike Siedzik2019-01-071-6/+6
| | | | | | | | | | | | | | | | | | | | Two recent changes to MKA create a situation where a new MI is generated every time a SAK Use parameter set is decoded. The first change moved invalid key detection from ieee802_1x_decode_basic_body() to ieee802_1x_kay_decode_mpkdu(): commit db9ca18bbff1 ("mka: Do not ignore MKPDU parameter set decoding failures") The second change forces the KaY to generate a new MI when an invalid key is detected: commit a8aeaf41df95 ("mka: Change MI if key invalid") The fix is to move generation of a new MI from the old invalid key detection location to the new location. Fixes: a8aeaf41df95 ("mka: Change MI if key invalid") Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
* nl80211: Indicate 802.1X 4-way handshake offload in connectArend van Spriel2019-01-072-0/+14
| | | | | | | | Upon issuing a connect request we need to indicate that we want the driver to offload the 802.1X 4-way handshake for us. Indicate it if the driver capability supports the offload. Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
* drivers: Add separate driver flags for 802.1X and PSK 4-way HS offloadsArend van Spriel2019-01-079-23/+29
| | | | | | | | | Allow drivers to indicate support for offloading 4-way handshake for either IEEE 802.1X (WPA2-Enterprise; EAP) and/or WPA/WPA2-PSK (WPA2-Personal) by splitting the WPA_DRIVER_FLAGS_4WAY_HANDSHAKE flag into two separate flags. Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
* tests: DFS CAC interrupted and restartedJouni Malinen2019-01-071-0/+26
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* DFS: Restart pending CAC on interface enableZefir Kurtisi2019-01-071-0/+5
| | | | | | | | | | | When an interface is re-enabled after it was disabled during CAC, it won't ever get active since hostapd is waiting for a CAC_FINISHED while kernel side is waiting for a CMD_RADAR_DETECT to start a CAC. This commit checks for a pending CAC when an interface is enabled and if so restarts its DFS processing. Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
* tests: Supported operating classes with constraintsJouni Malinen2019-01-071-5/+33
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* Use freq_list to constrain supported operating class informationBen Greear2019-01-071-0/+27
| | | | | | | | If a station is configured to allow only a subset of frequencies for an association, the supported operating classes may need to be more limited than what the hardware supports. Signed-off-by: Ben Greear <greearb@candelatech.com>
* Use disable_ht/vht to constrain supported operating class informationBen Greear2019-01-074-7/+43
| | | | | | | If user has disabled HT or VHT, those related operating classes should not be advertised as supported. Signed-off-by: Ben Greear <greearb@candelatech.com>
* RADIUS client: Cease endless retry for message for multiple serversBo Chen2019-01-071-32/+54
| | | | | | | | | | | | | | | | | | In the previous RADIUS client implementation, when there are multiple RADIUS servers, we kept trying the next server when the current message can not be acked. It leads to endless retry when all the RADIUS servers are down. Fix this by keeping a counter for the accumulated retransmit attempts for the message, and guarantee that after all the servers failover RADIUS_CLIENT_MAX_FAILOVER times the message will be dropped. Another issue with the previous code was that the decision regarding whether the server should fail over was made immediately after we send out the message. This patch guarantees we consider whether a server needs failover after pending ack times out. Signed-off-by: Bo Chen<bochen@meraki.com>
* tests: Remove MIB counter check from radius_auth_unreachable2Jouni Malinen2019-01-071-2/+1
| | | | | | | This is in preparation for an implementation change that results in this unreachable server case not incrementing radiusAuthClientAccessRequests. Signed-off-by: Jouni Malinen <j@w1.fi>
* QCA vendor commands to configure HE +HTC capability and OM control TxKiran Kumar Lokere2019-01-071-0/+55
| | | | | | | | Define QCA vendor command attributes to configure HE +HTC support and HE operating mode control transmission. This is used to configure the testbed device. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Avoid forward references to enum types in ieee802_11_common.hJouni Malinen2019-01-073-12/+12
| | | | | | | | | | | | | | These are not allowed in ISO C++ (and well, not really in ISO C either, but that does not result in compiler warning without pedantic compilation). Since ieee802_11_common.h may end up getting pulled into C++ code for some external interfaces, it is more convenient to keep it free of these cases. Pull in ieee802_11_defs.h to get enum phy_type defined and move enum chan_width to common/defs.h (which was already pulled in into src/drivers/driver.h and src/common/ieee802_11_common.h). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Reduce mesh result code duplication with helper functionsJouni Malinen2019-01-061-303/+69
| | | | | | | These checks were repeated in almost every test case, so use helper functions to get rid of duplicated (copy-pasted) code. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Mesh with VHT20 and VHT40Jouni Malinen2019-01-061-2/+108
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Implement use of VHT20 config in mesh modePeter Oh2019-01-061-4/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | Mesh in VHT mode is supposed to be able to use any bandwidth that VHT supports, but there was no way to set VHT20 although there are parameters that are supposed to be used. This commit along then previous commit for VHT_CHANWIDTH_USE_HT makes mesh configuration available to use any bandwidth with combinations of existing parameters like shown below. VHT80: default do not set any parameters VHT40: max_oper_chwidth = 0 VHT20: max_oper_chwidth = 0 disable_ht40 = 1 HT40: disable_vht = 1 HT20: disable_ht40 = 1 disable HT: disable_ht = 1 Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
* mesh: Add VHT_CHANWIDTH_USE_HT to max_oper_chwidthPeter Oh2019-01-065-2/+8
| | | | | | | | | Channel width in VHT mode refers HT capability when the width goes down to below 80 MHz, hence add checking HT channel width to its max operation channel width. So that mesh has capability to select bandwidth below 80 MHz. Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
* tests: WPA2-PSK+FT AP and workaround for incorrect STA behaviorJouni Malinen2019-01-061-0/+25
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Work around an interop connection issue in FT-PSK + WPA-PSKJanusz Dziedzic2019-01-062-6/+28
| | | | | | | | | | | | | | | | | | | While the AP is configured to enable both FT-PSK and WPA-PSK, an HP printer request both AKMs (copied from AP?) in Association Request frame, but don't add MDIE and don't use FT. This results in the connection failing. Next in logs we see: RSN: Trying to use FT, but MDIE not included IE - hexdump(len=26): 30 18 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 02 00 0f ac 04 00 00 This is seen with some HP and Epson printers. Work around this by stripping FT AKM(s) when MDE is not present and there is still a non-FT AKM available. Signed-off-by: Janusz Dziedzic <janusz@plumewifi.com>
* tests: disable_sgi with VHTJouni Malinen2019-01-062-12/+18
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Allow disabling VHT SGI capabilityBen Greear2019-01-061-0/+10
| | | | | | | | This provides similar features to what was already available for HT overrides. Probe Request frames look correct, and VHT capabilities shown in debugfs look as expected. Signed-off-by: Ben Greear <greearb@candelatech.com>
* Use lchown() instead of chown() for self-created filesJouni Malinen2019-01-064-24/+24
| | | | | | | | | | | | | | There is no need to allow symlink dereferencing in these cases where a file (including directories and sockets) are created by the same process, so use the safer lchown() variant to avoid leaving potential windows for something external to replace the file before the chown() call. The particular locations used here should not have write permissions enabled for processes with less privileges, so this may not be needed, but anyway, it is better to make these more restrictive should there be cases where directory permissions are not as expected for a good deployment. Signed-off-by: Jouni Malinen <j@w1.fi>
* Android: Harden wpa_ctrl_open2() against potential race conditionsJouni Malinen2019-01-061-3/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Android-specific chmod and chown operations on the client socket (for communication with wpa_supplicant) did not protect against file replacement between the bind() and chmod()/chown() calls. If the directory in which the client socket is created (depends a bit on the version and platform, but /data/misc/wifi/sockets is commonly used) allows write access to processes that are different (less privileged) compared to the process calling wpa_ctrl_open2(), it might be possible to delete the socket file and replace it with something else (mainly, a symlink) before the chmod/chown operations occur. This could have resulted in the owner or permissions of the target of that symlink being modified. In general, it would be safest to use a directory which has more limited write privileges (/data/misc/wifi/sockets normally has 'wifi' group (AID_WIFI) with write access), but if that cannot be easily changed due to other constraints, it is better to make wpa_ctrl_open2() less likely to enable this type of race condition between the operations. Replace chown() with lchown() (i.e., a version that does not dereference symlinks) and chmod() with fchmod() on the socket before the bind() call which is also not going to dereference a symlink (whereas chmod() would). lchown() is a standard operation, but the fchmod() on the socket is less so (unspecified behavior in some systems). However, it seems to work on Linux and in particular, on Android, where this code is executed. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: More workarounds for cfg80211 regulatory state clearing (ap_open)Jouni Malinen2019-01-061-9/+2
| | | | | | | | Add even more workarounds for cfg80211 regulatory state clearing since these DFS test cases seem to be the most likely ones to fail due to country=98 issues. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: More workarounds for cfg80211 regulatory state clearing (DFS)Jouni Malinen2019-01-062-74/+27
| | | | | | | | Add even more workarounds for cfg80211 regulatory state clearing since these DFS test cases seem to be the most likely ones to fail due to country=98 issues. Signed-off-by: Jouni Malinen <j@w1.fi>
* DFS: Add supported channel bandwidth checkingDmitry Lebed2019-01-061-1/+14
| | | | | | | | | While selecting a new channel as a reaction to radar event we need to take into account supported bandwidth for each channel provided via nl80211. Without this modification hostapd might select an unsupported channel that would fail during AP startup. Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* ACS: Add supported channel bandwidth checkingDmitry Lebed2019-01-061-3/+25
| | | | | | | | | While doing automatic channel selection we need to take into account supported bandwidth for each channel provided via nl80211. Without this modification hostapd might select an unsupported channel which would fail during AP startup. Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* hostapd: Add supported channel bandwidth checking infrastructureDmitry Lebed2019-01-063-35/+105
| | | | | | | | | | | | This adds checks to common code to verify supported bandwidth options for each channel using nl80211-provided info. No support of additional modes is added, just additional checks. Such checks are needed because driver/hardware can declare more strict limitations than declared in the IEEE 802.11 standard. Without this patch hostapd might select unsupported channel and that will fail because Linux kernel does check channel bandwidth limitations. Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* nl80211: Add supported bandwidth parsingDmitry Lebed2019-01-063-0/+38
| | | | | | | | Add NL80211_FREQUENCY_ATTR_NO_* channel attributes parsing. This is needed for correct checking if channel is available in a particular bandwidth. Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* tests: ACS for 160 MHz channelJouni Malinen2019-01-051-1/+49
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* ACS: Add support for 160 MHz bandwidthDmitry Lebed2019-01-051-16/+50
| | | | | | | Add support for 160 MHz BW channels to automatic channel selection algorithm. Only 36 and 100 channels are supported as 160 MHz channels. Signed-off-by: Dmitry Lebed <lebed.dmitry@gmail.com>
* tests: More workarounds for cfg80211 regulatory state clearing (WNM)Jouni Malinen2019-01-053-39/+50
| | | | | | | | Add even more workarounds for cfg80211 regulatory state clearing since these WNM test cases seem to be the most likely ones to fail due to country=98 issues. Signed-off-by: Jouni Malinen <j@w1.fi>
* dbus: Fix build without CONFIG_WNM=yJouni Malinen2019-01-051-0/+4
| | | | | | | | wpa_s->bss_tm_status is within #ifdef CONFIG_WNM, so need to access it through matching condition. Fixes: 80d06d0ca9f3 ("dbus: Export BSS Transition Management status") Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TLS: Update Session-Id derivation with TLS v1.3Jouni Malinen2019-01-052-8/+40
| | | | | | | Move to the version used in draft-ietf-emu-eap-tls13-03.txt, i.e., include the 0x0D prefix and use a different TLS-Exporter() label string. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: OpenSSL systemwide policy and overridesJouni Malinen2019-01-051-1/+89
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Allow systemwide policies to be overriddenJouni Malinen2019-01-056-3/+93
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some distributions (e.g., Debian) have started introducting systemwide OpenSSL policies to disable older protocol versions and ciphers throughout all programs using OpenSSL. This can result in significant number of interoperability issues with deployed EAP implementations. Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server) parameters to be used to request systemwide policies to be overridden if older versions are needed to be able to interoperate with devices that cannot be updated to support the newer protocol versions or keys. The default behavior is not changed here, i.e., the systemwide policies will be followed if no explicit override configuration is used. The overrides should be used only if really needed since they can result in reduced security. In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network profile parameter can be used to explicitly enable TLS versions that are disabled in the systemwide configuration. For example, phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter can be used to override systemwide policy, e.g., with openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1 in Debian to allow shorter keys to be used. In hostapd, tls_flags parameter can be used to configure similar options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1] Signed-off-by: Jouni Malinen <j@w1.fi>
* OSEN: Disable TLS v1.3 by defaultJouni Malinen2019-01-051-2/+4
| | | | | | | | | | | TLS v1.3 was already disabled by default for EAP-FAST, EAP-TTLS, EAP-PEAP, and EAP-TLS, but the unauthenticated client cases of EAP-TLS -like functionality (e.g., the one used in OSEN) were missed. Address those EAP types as well in the same way of disabling TLS v1.3 by default for now to avoid functionality issues with TLS libraries that enable TLS v1.3 by default. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Fix build with OpenSSL 1.0.2Jouni Malinen2019-01-051-0/+10
| | | | | | | | | SSL_use_certificate_chain_file() was added in OpenSSL 1.1.0, so need to maintain the old version using SSL_use_certificate_file() for backwards compatibility. Fixes: 658c39809bf8 ("OpenSSL: Load chain certificates from client_cert file") Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Split mbo_supp_oper_classes into multiple test casesJouni Malinen2019-01-041-43/+99
| | | | | | | | In addition, add even more workarounds for cfg80211 regulatory state clearing since this test case seems to be the most likely one to fail due to country=98 issues. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: WPA2-PSK-FT AP over DS and separate hostapd processJouni Malinen2019-01-042-7/+116
| | | | | | | | This is a regression test case for FT-over-DS that got broken on mac80211-based drivers when the extra key reinstallation checks were added. Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Allow STA entry to be removed/re-added with FT-over-the-DSJouni Malinen2019-01-043-2/+33
| | | | | | | | | | | | | | FT-over-the-DS has a special case where the STA entry (and as such, the TK) has not yet been configured to the driver depending on which driver interface is used. For that case, allow add-STA operation to be used (instead of set-STA). This is needed to allow mac80211-based drivers to accept the STA parameter configuration. Since this is after a new FT-over-DS exchange, a new TK has been derived after the last STA entry was added to the driver, so key reinstallation is not a concern for this case. Fixes: 0e3bd7ac684a ("hostapd: Avoid key reinstallation in FT handshake") Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Do not try to use FT-over-air if reassociation cannot be usedJouni Malinen2019-01-041-1/+1
| | | | | | | | | There is no point in going through FT authentication if the next step would have to use association exchange which will be rejected by the AP for FT, so only allow FT-over-air if previous BSSID is set, i.e., if reassociation can be used. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Split ap_ft_oom into separate test casesJouni Malinen2019-01-042-7/+29
| | | | | | | | | | ap_ft_oom seemed to depend on undesired wpa_supplicant behavior of trying to do FT protocol even without being ready for reassociation. This is going to be fixed in wpa_supplicant which would make this test case fail, so split it into separate test cases for each failure item to be able to avoid incorrect test failures. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Verify that roaming attempts do not get rejectedJouni Malinen2019-01-041-3/+13
| | | | | | | | | The previous roam() and roam_over_ds() checks would have ignored failing association rejection if a consecutive attempt to connect succeeds within the initial time limit. This can miss incorrect behavior, so check explicitly for association rejection. Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: P2PS stale group removalJouni Malinen2019-01-041-0/+105
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>