Clear the possible blacklisting of a WPS AP during WPS PIN iteration if
the AP moves to selected registrar TRUE state or if it adds our MAC
address to the list of authorized MACs.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Maintain state of WPS APs during iteration to find the correct AP for
WPS PIN operation when no specific BSSID is specified. This information
can be used for optimizing the order in which the APs are tried. This
commit is only adding the collection of the information and more
detailed debug information to make debug logs more helpful in figuring
out how the AP selection order could be improved.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If 4-way handshake fails due to likely PSK failure or if EAP
authentication fails, disable the network block temporarily. Use longer
duration if multiple consecutive failures are seen.
Signed-hostap: Jouni Malinen <j@w1.fi>
The WPA_AUTH_WPA and WPA_AUTH_WPA2 cases have already been rejected in
this function when execution comes here. In theory, support for
WPA-Enterprise could be added, but since that has not happened over the
years, there is no good reason to keep this dead code here.
Signed-hostap: Jouni Malinen <j@w1.fi>
dev.config_methods was not updated when wps_update_config was called.
This could lead to mismatching config methods between Probe Request and
M1 packets. Add missing part for it.
P2P group is only going to use a single GO, so we can leave the fixed
BSSID parameter set for the actual data connection in addition to the
initial WPS provisionign step. This can speed up operations with drivers
that select BSS internally by allowing them to skip an extra scan when
the BSSID and frequency of the GO is already known.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
os_random() may not be seeded properly, so use stronger mechanism for
generating the password id for NFC password tokens.
Signed-hostap: Jouni Malinen <j@w1.fi>
The AP PIN on wps_reg command can now be replaced with special value
"nfc-pw" to use device password from a NFC password token from the AP.
Signed-hostap: Jouni Malinen <j@w1.fi>
WPS_ER_NFC_CONFIG_TOKEN command can now be used to build a NFC
configuration token based on AP Settings learnt with WPS_ER_LEARN
or set with WPS_ER_CONFIG.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new wpa_supplicant ctrl_iface command WPS_NFC_TAG_READ can now be
used to process NFC tags read by external programs to initiate
wpa_supplicant to use NFC Configuration Token to create a new network.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of requiring low-level access to an NFC device and synchronous
operations, the new WPS_NFC_TOKEN and WPS_NFC ctrl_iface commands can be
used to build a NFC password token and initiate WPS protocol run using
that token (or pre-configured values) as separate commands. The
WPS_NFC_TOKEN output can be written to a NFC tag using an external
program, i.e., wpa_supplicant does not need to have low-level code for
NFC operations for this.
Signed-hostap: Jouni Malinen <j@w1.fi>
It is possible for wpa_state to be WPA_DISCONNECTED when a new scan is
scheduled to be started in the future. If wpas_wps_cancel() gets called
(e.g., through control interface wps_cancel or a P2P group removal)
while in that state, the WPS operation (scan request and special network
block) were not removed. Fix this by clearing the WPS operations both in
WPA_SCANNING and WPA_DISCONNECTED states.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
If WPS commands are used with a specific BSSID instead of wildcard,
the BSSID that was supposed to be used only for the provisioning step
may end up getting copied to the network block that gets provisioned
based on the WPS credentials. Fix this by clearing ssid->bssid_set
when creating the network block by replacing the block used for WPS
provisioning.
This issue could show up with the provisioned network not getting
selected properly with APs that have multiple radios. Depending on
the driver, this could result in only a single one of the available
BSSes being available or the connection failing completely.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
I think this should fix the following valgrind complaint:
==1972== Source and destination overlap in memcpy(0x5181708, 0x5181708, 16)
==1972== at 0x4A073BA: memcpy (mc_replace_strmem.c:602)
==1972== by 0x45872B: wpas_wps_set_uuid (wps_supplicant.c:1116)
==1972== by 0x4599EC: wpas_wps_update_config (wps_supplicant.c:1747)
==1972== by 0x4C8DB0: wpa_supplicant_update_config (wpa_supplicant.c:3090)
==1972== by 0x4C3E5E: wpa_supplicant_reload_configuration (wpa_supplicant.c:746)
==1972== by 0x4B8B37: wpa_supplicant_ctrl_iface_process (ctrl_iface.c:4082)
==1972== by 0x4BA39C: wpa_supplicant_ctrl_iface_receive (ctrl_iface_unix.c:168)
==1972== by 0x4114D4: eloop_sock_table_dispatch_table (eloop.c:335)
==1972== by 0x411541: eloop_sock_table_dispatch (eloop.c:352)
==1972== by 0x41200D: eloop_run (eloop.c:766)
==1972== by 0x4C8B43: wpa_supplicant_run (wpa_supplicant.c:3010)
==1972== by 0x4D44AD: main (main.c:286)
Signed-hostap: Ben Greear <greearb@candelatech.com>
intended-for: hostap-1
wps_vendor_ext_m1 configuration parameter can now be used to add a
vendor specific attribute into the WPS M1 message, e.g., for
Windows Vertical Pairing.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 3c85f144ce fixed issues with P2P
Action frame TX after disconnection by clearing wpa_s->assoc_freq.
This resulted in a regression to the post-WPS scan optimization that
used wpa_s->assoc_freq to enable fast single-channel scan. Fix this by
copying wpa_s->assoc_freq to a local variable before calling
wpa_supplicant_deauthenticate() that ends up calling
wpa_supplicant_mark_disassoc() which will clear assoc_freq.
Reported-by: Angie Chinchilla <angie.v.chinchilla@intel.com>
intended-for: hostap-1
Signed-hostap: Jouni Malinen <j@w1.fi>
While the exponential increase in the lockout period provides an
efficient mitigation mechanism against brute force attacks, this
additional trigger to enter indefinite lockout period (cleared by
restarting hostapd) will limit attacks even further by giving maximum of
10 attempts (without authorized user action) even in a very long term
attack.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the BSSID of the AP is specified in the WPS command, the target
AP is likely already in the BSS table and its operating channel is
known. Use this information to speed up connection by only scanning
the known channel.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, the WPS scans could have been done in associated state if we
happened to be associated when the request to use WPS was received. This
can slow down scanning and end up in unexpected state if no WPS
association is tried. Avoid these issues by disconnecting when WPS
search is started.
Signed-hostap: Jouni Malinen <j@w1.fi>
When normal scan can speed up operations, use that for the first three
scan runs before starting the sched_scan to allow user space sleep more.
We do this only if the normal scan has functionality that is suitable
for this or if the sched_scan does not have better support for multiple
SSIDs.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The hardware feature data is required in several different places
throughout the code. Previously, the data was acquired and freed on
demand, but with this patch wpa_supplicant will keep a single copy
around at runtime for everyone to use.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Instead of hardcoding the Config Methods attribute value in Probe
Request frames, set this based on the configured parameter
config_methods to allow correct set of methods to be advertised.
Make sure that the WPA and EAPOL state machines do not hold a pointer
to a network configuration that is about to be freed. This can fix
potential issues with references to freed memory.
Signal is triggered if an error occurs during WPS provisioning phase.
Signed-off-by: Jean-Michel.Bachot <jean-michelx.bachot@intel.com>
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Do not emit network objects during P2P group formation since such
network objects can confuse certain apps. Instead, a persistent group
object is created to allow apps to keep track of persistent groups.
Persistent group objects only represent the info needed to recreate the
group.
Also fixes a minor bug in the handling of persistent group objects
during WPS operations.
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Instead of converting back and forth from the string representation,
always use the binary representation internally.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The secondary device type list is an optional attribute in the WSC IE.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Instead of generating a different UUID for each interface, use the
same UUID that was either configured of generated for the first
interface. This avoids potential issues with PBC session overlap
detection should multiple interfaces end up running a PBC scan
at the same time which may happen at least in some P2P use cases.
GO may use M2D to notify that PBC overlap was detected if the GO was
configured to allow only a specific P2P Device to connect using PBC.
We need to report the M2D message on the parent interface if a
separate group interface is used. In addition, we can stop the P2P
operation if PBC overlap was indicated similarly to what we are
already doing in th case the overlap is detected locally.
When the network was provisioned, we need to get the keys to be able to
reconnect without new provisioning. To be able to publish those keys but
not normally configured ones, add a new attribute to struct wpa_ssid
indicating whether or not keys may be exported.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If the EAPOL processing times out (e.g., if the AP stops replying
to messages for some reason) during WPS negotiation, we need to
indicate WPS-FAIL event from eapol_cb since no other WPS failure is
reported for this particular case.
Previously, only the Configuration Error values were indicated in
WPS-FAIL events. Since those values are defined in the specification
it is not feasible to extend them for indicating other errors. Add
a new error indication value that is internal to wpa_supplicant and
hostapd to allow other errors to be indicated.
Use the new mechanism to indicate if negotiation fails because of
WEP or TKIP-only configurations being disallows by WPS 2.0.
The BSS table entries may be in more or less random order and it is
better to show the most likely WPS configuration method in a way that is
somewhat more consistent instead of just showing the method of the first
BSS entry found in the table.
CONFIG_WPS_REG_DISABLE_OPEN=y can be used to configure wpa_supplicant
to disable open networks by default when wps_reg command is used to
learn the current AP settings. When this is enabled, there will be a
WPS-OPEN-NETWORK ctrl_iface event and the user will need to explicitly
enable the network (e.g., with "select_network <id>") to connect to
the open network.
This command can be used to enroll a network based on a local
network configuration block instead of having to (re-)learn the
current AP settings with wps_er_learn.
This is a workaround for incorrect configuration (missing
virtual/physical identifier for config methods) for WPS 2.0 to
allow unmodified configuration from WPS 1.0 to be used while
enforcing compliant WPS 2.0 values.
This makes it easier to figure out what could have failed in the
WPS protocol and potentially provide more information for the
user on how to resolve the issue.
A new ctrl_interface command, WPS_CANCEL, can now be used to cancel
a pending or ongoing WPS operation. For now, this is only available
with wpa_supplicant (either in station or AP mode). Similar
functionality should be added for hostapd, too.
If CONFIG_WPS_STRICT is set, validate WPS IE(s) in management frames and
reject the frames if any of the mandatory attributes is missing or if an
included attribute uses an invalid value. In addition, verify that all
mandatory attributes are included and have valid values in the WSC
messages.
Advertize list of authorized enrollee MAC addresses in Beacon and
Probe Response frames and use these when selecting the AP. In order
to provide the list, the enrollee MAC address should be specified
whenever adding a new PIN. In addition, add UUID-R into
SetSelectedRegistrar action to make it potentially easier for an AP
to figure out which ER sent the action should there be multiple ERs
using the same IP address.
The AP configuration may change after provisioning, so it is better
not to use the current security policy to prioritize results. Instead,
use WPS Selected Registrar attribute as the main sorting key and use
signal strength next without considering security policy or rate sets.
The non-WPS provisioning case remains as-is, i.e., this change applies
only when trying to find an AP for WPS provisioning.
wps_er_config can now be used to configure an AP. It is similar to
wps_er_learn, but instead of only learning the current AP settings,
it continues to send M8 with the new settings for the AP.
wps_er_start command now takes an optional parameter that can be used
to configure a filter to only allow UPnP SSDP messages from the
specified IP address. In practice, this limits the WPS ER operations
to a single AP and filters out all other devices in the network.
Scan only the frequency that was used during provisioning during the
first five scans for the connection. This speeds up connection in the
most likely case where the AP remains on the same channel. If the AP is
not found after these initial scans, all channels will be scanned.
This fits better in wpa_supplicant/scan.c. Couple of remaining
scan_helpers.c functions are currently used in driver wrappers,
but they can likely be removed in the future.
This adds config_methods configuration option for wpa_supplicant
following the design used in hostapd. In addition, the string is
now parsed in common code from src/wps/wps_common.c and the list
of configurable methods include all the defined methods from
WPS 1.0h spec.
Instead of forcefully deinitializing ER immediately, give it some
time to complete unsubscription and call eloop_terminate() only once
ER code has completed its work.
In addition, start ordering header file includes to be in more
consistent order: system header files, src/utils, src/*, same
directory as the *.c file.
This makes it clearer which files are including header from src/common.
Some of these cases should probably be cleaned up in the future not to
do that.
In addition, src/common/nl80211_copy.h and wireless_copy.h were moved
into src/drivers since they are only used by driver wrappers and do not
need to live in src/common.
Use shared functions for converting Primary Device Type between binary
and string formats. In addition, use array of eight octets instead of a
specific structure with multiple fields to reduce code complexity.
This will need some additional code in wps_er_pbc() to handle PBC mode
enabling for a single AP only. For now, this can only be expected to work
when the ER is connected to a single AP.
New PINs can now be added to WPS ER. This results in the ER code
using SetSelectedRegistrar to modify AP state so that Enrollees
will be able to notice the actice registrar more easily.
This is the first step in adding support for using wpa_supplicant as a
WPS External Registrar to manage APs over UPnP. Only the device
discovery part is implemented in this commit.
This provides information about PBC mode result from the WPS Registrar
module. This could be used, e.g., to provide a user notification on the
AP UI on PBC failures.
Crypto library wrappers can now override the internal DH (group 5)
implementation. As a starting point, this is done with OpenSSL. The
new mechanism is currently available only for WPS (i.e., IKEv2 still
depends on the internal DH implementation).
This introduces a new mechanism for collecting notification calls into
a single place (notify.c). As a result of this, most of the
wpa_supplicant code does not need to know about dbus (etc. mechanisms
that could use the notifications). Some empty placeholder functions are
also added in preparation of new dbus code that needs more event
notifications.
wpa_supplicant can now reconfigure the AP by acting as an External
Registrar with the wps_reg command. Previously, this was only used
to fetch the current AP settings, but now the wps_reg command has
optional arguments which can be used to provide the new AP
configuration. When the new parameters are set, the WPS protocol run
is allowed to continue through M8 to reconfigure the AP instead of
stopping at M7.
An SMC router was reported to use 0x22 (WPAPSK + WPA2PSK) in the
authentication type of the provisioned credential and wpa_supplicant
rejected this as invalid. Work around this by replacing WPAPSK + WPA2PSK
with WPA2PSK.
Update credential to only include a single authentication and
encryption type in case the AP configuration includes more than one
option. Without this, the credential would be rejected if the AP was
configured to allow more than one authentication type.
wpa_supplicant can now initialize hostapd data structures when mode=2 is
used to set up an AP. The hostapd configuration is not yet set based on
wpa_supplicant network configuration block. In addition, the glue code
for hostapd driver_ops needs number of functions that will be needed for
AP functionality.
The new file wps_nfc.c and ndef.c implements NFC device independent
operation, wps_nfc_pn531.c implements NFC device dependent operation.
This patch is only for the following use case:
- Enrollee = wpa_supplicant
- Registrar = hostapd internal Registrar
Following NFC methods can be used:
- Enrollee PIN with NFC
- Registrar PIN with NFC
- unencrypted credential with NFC
Encrypted credentials are not supported.
Enrollee side operation:
Registrar side operation:
Example configuration.
CONFIG_WPS=y
CONFIG_WPS_NFC=y
CONFIG_WPS_NFC_PN531=y
I used NFC device "NXP PN531". The NFC device access method is
confidential, so I used outer library. Please download below files from
https://www.saice-wpsnfc.bz/index.php
[WPS NFC Library]
WpsNfcLibrary/WpsNfc.h
WpsNfcLibrary/WpsNfcType.h
WpsNfcLibrary/WpsNfcVersion.h
WpsNfcLibrary/linux/libnfc_mapping_pn53x.dll
WpsNfcLibrary/linux/wpsnfc.dll
[NFC Reader/Writer Kernel Driver]
NFCKernelDriver-1.0.3/linux/kobj/sonyrw.ko
<WiFi test>
The hostapd/wpa_supplicant with this patch passed below tests on
"Wi-Fi WPS Test Plan Version 1.6".
4.2.5 Add device using NFC Method with password token
(I used SONY STA instead of NXP STA.)
4.2.6 Add device using NFC Method with configuration token
5.1.9 Add to AP using NFC Method with password token
through internal registrar
(I used SONY AP instead of NXP AP.)
5.1.10 Add to AP using NFC Method with configuration token
through internal registrar
Many deployed APs do not handle negotiation of security parameters well
when both TKIP and CCMP (or both WPA and WPA2) are enabled. The most
common end result seems to be ending up with the least secure option..
As a workaround, check whether the AP advertises WPA2/CCMP in Beacon
frames and add those options for the credential if needed. This allows
the client to select the most secure configuration regardless of how
broken the AP's WPS implementation is as far as auth/encr type
negotiation is concerned.
The old behavior of generating new DH keys can be maintained for non-OOB
cases and only OOB (in this case, with UFD) will use the pre-configured
DH keys to allow the public key hash to be checked.
It seems that WFA WPS spec says that default key index should be 1 (not
0). I think this meas that WEP key indexes region is not from 0 to 3,
but from 1 to 4 in WPS. At least WRT610N implemented it this way.
If a Registrar tries to configure the AP, but fails to validate the
device password (AP PIN), lock the AP setup after four failures. This
protects the AP PIN against brute force guessing attacks.
Some WPS APs do not set Selected Registrar attribute to 1 properly when
using an external Registrar. Allow such an AP to be selected for PIN
registration after couple of scan runs that do not find APs marked with
Selected Registrar = 1. This allows wpa_supplicant to iterate through
all APs that advertise WPS support without delaying connection with
implementations that set Selected Registrar = 1 properly.
The wps_cred_process option can be used to configure wpa_supplicant to
send received Credential attributes for external processing over
ctrl_iface and dbus. This allows external programs to update their
configuration when WPS is used to provision new networks.
This makes it easier to pass the credential data to external programs
(e.g., Network Manager) for processing. The actual use of this data is
not yet included in hostapd/wpa_supplicant.
The current implementation does not support WPA/WPA2-Enterprise
credentials. Ignore any credential that is using unsupported
authentication type to avoid potential issues with partially configured
network blocks.
Must not set pairwise_cipher/group_cipher for non-WPA/WPA2 networks
since the configuration parser is going to reject such values. In
addition, should not limit group_cipher to just TKIP or TKIP|CCMP just
in case the AP is using WEP as the group cipher. Default group_cipher
value can be used for all cases.
Generate a SHA1 hash -based UUID from the local MAC address if the UUID
was not configured. This makes it easier to prepare for WPS since there
is no need to generate an UUID.
UUID-E is not required to be present in Beacon frame, so we need to
accept scan results that do not have UUID-E as a valid PBC situation as
long as not more than one AP is in active PBC mode.
Change association behavior to match with ap_scan=1 when WPS is used in
ap_scan=2 mode with wildcard SSID matching. In addition, allow hardcoded
BSSID to be used to select AP even if selected registrar attribute is
not present.
This callback is now used to stop wpa_supplicant from trying to continue
using parameters (most likely, device password) that do not work in a
loop. In addition, wpa_gui can now notify user of failed registration.
The event callback will be used for various event messages and the M2D
notification is the first such message. It is used to notify wpa_gui
about Registrar not yet knowing the device password (PIN).
We need to be a bit more careful when removing the WPS configuration
block since wpa_s->current_ssid may still be pointing at it. In
addition, registrar pointer in wps_context will need to be cleared
since the context data is now maintained over multiple EAP-WSC runs.
Without this, certain WPS operations could have used freed memory.
Whenever new scan results include WPS AP(s) and the client is not
associated, send a notification message to control interface monitors.
This makes it easier for GUIs to notify the user about possible WPS
availability without having to go through the scan results.
Fragment WPS IE if needed to fit into the IE length limits in hostapd
and Reassemble WPS IE data from multiple IEs in wpa_supplicant.
In addition, moved WPS code from events.c into wps_supplicant.c to clean
up module interfaces.
New control interface commands WPS_PBC, WPS_PIN, and WPS_REG can be used
to start WPS processing. These add and select the WPS network block into
the configuration temporarily, i.e., there is no need to add the WPS
network block manually anymore.
The wps_context data is now managed at wpa_supplicant, not EAP-WSC. This
makes wpa_supplicant design for WPS match with hostapd one and also
makes it easier configure whatever parameters and callbacks are needed
for WPS.
Previously, wpa_supplicant as Enrollee case was handled using a
different callback function pointer. However, now that the wps_context
structure is allocated for all cases, the same variable can be used in
all cases.
This cleans up the internal interface between different modules and is
the first step in getting wpa_supplicant design closer to hostapd as far
as WPS is concerned.