Commit Graph

4388 Commits

Author SHA1 Message Date
Jouni Malinen
9f8d459d4c OWE: Fix association IEs for transition mode open AP connection
The special case of returning from wpa_supplicant_set_suites() when OWE
transition mode profile is used for an open association did not clear
the wpa_ie buffer length properly. This resulted in trying to use
corrupted IEs in the association request and failed association
(cfg80211 rejects the request or if the request were to go out, the AP
would likely reject it).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-04 11:55:01 +02:00
Simon Dinkin
c6096c6eef wpa_cli: Enable add/remove/get vendor elements without P2P
This functionality can be used regardless of P2P and should not be under
the ifdef of CONFIG_P2P.

Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2018-02-03 12:44:20 +02:00
Vasyl Vavrychuk
ebf4043739 D-Bus: Report error on starting P2P find
Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
2018-02-03 12:25:32 +02:00
Jouni Malinen
66b9f3ca8a wpa_cli: Fix cred_fields[] declaration
This was supposed to be an array of const-pointers to const-char; not
something duplicating const for char and resulting in compiler warnings
with more recent gcc versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-03 12:08:09 +02:00
Sunil Dutt
5ff39c1380 SAE: Support external authentication offload for driver-SME cases
Extend the SME functionality to support the external authentication.
External authentication may be used by the drivers that do not define
separate commands for authentication and association
(~WPA_DRIVER_FLAGS_SME) but rely on wpa_supplicant's SME for the
authentication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-02 21:17:55 +02:00
Jouni Malinen
9e834fc648 EAP-SIM/AKA: Separate identity for MK derivation
This allows a separate configuration parameter (imsi_identity) to be
used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK
derivation for the case where the identity is expected to be from the
last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was
not used). This may be needed to avoid sending out an unprotected
permanent identity information over-the-air and if the EAP-SIM/AKA
server ends up using a value based on the real IMSI during the internal
key derivation operation (that does not expose the data to others).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2018-01-21 11:28:53 +02:00
Jouni Malinen
c1790a5ff8 OWE: Allow station in transition mode to connect to an open BSS
If the OWE network profile matches an open network which does not
advertise OWE BSS, allow open connection. The new owe_only=1 network
profile parameter can be used to disable this transition mode and
enforce connection only with OWE networks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-21 11:13:01 +02:00
Jouni Malinen
fd92095491 DPP: Report reception of Config Request to upper layers
This is mainly for protocol testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-12 00:50:45 +02:00
Jouni Malinen
b7ed94834d GnuTLS: Add option to build with libnettle instead of libgcrypt
GnuTLS-based builds can now be done using either libnettle or libgcrypt
for crypto functionality:

CONFIG_TLS=gnutls
CONFIG_CRYPTO=nettle

CONFIG_TLS=gnutls
CONFIG_CRYPTO=gnutls

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-29 17:13:57 +02:00
Jouni Malinen
133f8d09fc GnuTLS: Implement HMAC functions using libgcrypt
Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with
the ones from libgcrypt and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:35:26 +02:00
Jouni Malinen
85c12a62ee GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
Replace the internal SHA256 implementation with the one from libgcrypt
and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:21:37 +02:00
Jouni Malinen
2cb40e9f40 OWE: Try all supported DH groups automatically on STA
If a specific DH group for OWE is not set with the owe_group parameter,
try all supported DH groups (currently 19, 20, 21) one by one if the AP
keeps rejecting groups with the status code 77.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 21:06:02 +02:00
Jouni Malinen
9596a75652 PAE: Remove OpenSSL header dependency
Instead of requiring OpenSSL headers to be available just for the
SSL3_RANDOM_SIZE definition, replace that macro with a fixed length (32)
to simplify dependencies.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-24 21:40:21 +02:00
Sean Parkinson
04b1bcc5f3 EAP-pwd: Use abstract crypto API
This makes it easier to use EAP-pwd with other crypto libraries than
OpenSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 21:40:21 +02:00
Mikael Kanstrup
12bce14b10 wpa_cli: Add completion for get/set cred commands
Add command completion support for get_cred and set_cred commands.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2017-12-16 13:23:52 +02:00
Masashi Honma
6240424a76 dbus: Add FILS key mgmt values into BSS security properties
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-12-16 13:14:37 +02:00
vamsi krishna
d98038bb05 FILS: Driver configuration to disable/enable FILS features
The new disable_fils parameter can be used to disable FILS functionality
in the driver. This is currently removing the FILS Capability bit in
Extended Capabilities and providing a callback to the driver wrappers.
driver_nl80211.c implements this using a QCA vendor specific command for
now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-15 20:52:17 +02:00
Jouni Malinen
5f30b69cde OWE: Allow DH Parameters element overriding with driver SME
Commit 265bda3444 ('OWE: Allow DH
Parameters element to be overridden for testing purposes') provided
means for using "VENDOR_ELEM_ADD 13 <IE>" in OWE protocol testing, but
that commit covered only the sme.c case (i.e., drivers that use
wpa_supplicant SME). Extend this to cover drivers that use internal SME
(e.g., use the nl80211 Connect command).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-11 13:59:55 +02:00
Jeff Vander Stoep
b65353a767 Android: Set CONFIG_NO_RANDOM_POOL=y
Wpa_supplicant's random pool is not necessary on Android. Randomness
is already provided by the entropymixer service which ensures
sufficient entropy is maintained across reboots. Commit b410eb1913
'Initialize /dev/urandom earlier in boot' seeds /dev/urandom with
that entropy before either wpa_supplicant or hostapd are run.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-12-09 17:47:42 +02:00
Jouni Malinen
055cd39788 tests: DPP P-256 test vectors
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-07 13:35:19 +02:00
Jouni Malinen
f55269753c DPP: Allow protocol key to be overridden for testing purposes
This can be used for various testing needs.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-05 23:53:08 +02:00
Jouni Malinen
afd3cf14a0 WPS: Add GCMP-256 and CCMP-256 cipher options on Enrollee
If a credential with encp type AES is received, add GCMP-256 and
CCMP-256 cipher options on station Enrollee based on local capabilities.
This is needed to allow connection with an AP using either of these
newer ciphers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-02 12:14:55 +02:00
Jouni Malinen
5f481b6fdb WPS: Check BSS table against current BSSID if credential does not match
The credential MAC address is not necessarily that of the AP, i.e., it
is more likely to be that of the Enrollee. Check the scan results
against the current BSSID as well if match is not found otherwise when
going through the mixed mode workaround.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-02 12:00:45 +02:00
Jouni Malinen
ed2c493e9e DPP: Change Authentication Response retry time to 1 second
The previously used 10 second timer did not really make much sense since
the Initiator is not going to be waiting for the response that long.
Change this to 1 second based on the DPP tech spec change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-02 12:00:44 +02:00
Jouni Malinen
55c6c85855 DPP: Extend dpp_test with invalid Transaction ID in Peer Disc Req
Allow a Transaction ID attribute with invalid length to be sent for
protocol testing purposes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-30 21:56:19 +02:00
Jouni Malinen
fa5c907495 DPP: Call wpas_dpp_stop() from wpas_dpp_deinit()
This makes the full DPP deinit operation more consistent with stopping
of a single operation. In practice, this adds the new GAS client
stopping functionality.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-30 00:11:22 +02:00
Jouni Malinen
1866dfb52c DPP: Stop pending GAS client operation on DPP_STOP_LISTEN
This makes the operation more complete in stopping all ongoing DPP
related functionality.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-30 00:08:40 +02:00
Jouni Malinen
ed62d40116 DPP: Deinit PKEX instance on DPP_STOP_LISTEN
Previously this stopped only the DPP Authentication instance, but it is
better to clear both PKEX and Authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-29 12:24:01 +02:00
Jouni Malinen
d3cb7ebe1b DPP: Do not process dpp_auth_ok_on_ack multiple times
An additional TX status callback could result in processing the DPP
authentication completion another time at least with hostapd. Fix this
by clearing the dpp_auth_ok_on_ack when processing it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-27 20:20:26 +02:00
Ashok Ponnaiah
dc2f24f1b2 DPP: Fix compilation without CONFIG_TESTING_OPTIONS=y
Add CONFIG_TESTING_OPTIONS ifdef protection to couple of forgotten DPP
test parameters in wpa_supplicant ctrl_iface.

Signed-off-by: Ashok Ponnaiah <aponnaia@qti.qualcomm.com>
2017-11-27 17:30:03 +02:00
Jouni Malinen
82feacced0 DPP: Ignore GAS server status callback for unknown response
It was possible for a timeout from an old GAS server operation to
trigger DPP configuration failure during the subsequent DPP operation.
Fix this by verifying that the status callback is for the response
generated during the same DPP Authentication/Configuration exchange.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-27 13:48:40 +02:00
Jouni Malinen
a2588be82c DPP: Add DPP_CONFIGURATOR_SIGN support to hostapd
Configurator signing its own Connector was previously supported only in
wpa_supplicant. This commit extends that to hostapd to allow an AP
acting as a Configurator to self-configure itself.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-27 13:24:20 +02:00
Jouni Malinen
acc555f9e6 DPP: Allow PKEX x/X and y/Y keypairs to be overridden
This is for testing purposes to allow a test vector with specific values
to be generated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-24 01:41:50 +02:00
Jouni Malinen
2bdc47a945 DPP: Allow PKEX own/peer MAC addresses to be overridden
This is for testing purposes to allow a test vector with specific values
to be generated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-23 23:47:52 +02:00
Jouni Malinen
af4103e5e9 DPP: Provide peer_mac to PKEX Initiator through function argument
Avoid unnecessary direct write to a struct dpp_pkex member from outside
dpp.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-23 23:32:33 +02:00
Jouni Malinen
3ca4be1eaa DPP: Remove compiler warnings about signed/unsigned comparisons
These timestamp comparisons did not use matching signedness.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-23 20:31:12 +02:00
bhagavathi perumal s
cc79e06f00 hostapd: Add wpa_msg_ctrl() to report Probe Request frames from STA
This allows external applications to get event indication for Probe
Request frames. Extend ctrl iface cmd "ATTACH" to enable this event on
per-request basis. For example, user has to send ctrl iface cmd "ATTACH
probe_rx_events=1" to enable the Probe Request frame events.

Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
2017-11-23 20:12:34 +02:00
Jouni Malinen
0db637ca80 DPP: Fix number of Authentication Request retry cases
Previous implementation did not handle number of sequences correctly.
Make sure the iteration continues in both unicast and broadcast cases
until the five attempts have been made. In addition, improve timing by
checking 10 second time from the beginning of each iteration round and
not the last channel on which the Auth Req frame has been transmitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-23 13:08:45 +02:00
Jouni Malinen
921f5acd17 DPP: Take response wait time into account for init retries
Previously, the Authentication Request frame was retried after 2+10 = 12
seconds since the wait for the response was not accounted for. Substract
that wait from the 10 second wait time to start the retries more quickly
based on the 10 second timer described in the tech spec.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-23 00:42:20 +02:00
Jouni Malinen
248264c622 DPP: Stop Authentication Request attempts if no response after ACK
If unicast Authentication Request frame is used and the peer ACKs such a
frame, but does not reply within the two second limit, there is no need
to continue trying to retransmit the request frames since the peer was
found, but not responsive.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-23 00:22:13 +02:00
Jouni Malinen
e3a5882b3e DPP: Add SAE credential support to Configurator
The new conf={sta,ap}-{sae,psk-sae} parameter values can now be used to
specify that the legacy configuration object is for SAE.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-22 21:24:08 +02:00
Jouni Malinen
5dd745b738 DPP: Add akm=sae and akm=psk+sae support in Enrollee role
This allows DPP to be used for enrolling credentials for SAE networks in
addition to the legacy PSK (WPA-PSK) case. In addition, enable FT-PSK
and FT-SAE cases automatically.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-22 21:23:51 +02:00
Jouni Malinen
00d2d13db2 DPP: Retry PKEX Exchange Request frame up to five times
Retransmit the PKEX Exchange Request frame if no response from a peer is
received. This makes the exchange more robust since this frame is sent
to a broadcast address and has no link layer retries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-22 15:54:35 +02:00
Jouni Malinen
4b8de0c929 DPP: Protocol testing for invalid Peer Discovery Req/Resp values
Extend dpp_test to allow more invalid attribute values to be written
into Peer Discovery Request/Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-19 17:15:02 +02:00
Jouni Malinen
f9cf7d03f1 DPP: Protocol testing for invalid Config Attrib Object value
Extend dpp_test to cover a case where Config Attrib Object value is
invalid in Configuration Request frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-19 14:13:20 +02:00
Jouni Malinen
95b0104a34 DPP: Retransmit DPP Authentication Response frame if it is not ACKed
This extends wpa_supplicant DPP implementation to retransmit DPP
Authentication Response frame every 10 seconds up to 5 times if the peer
does not reply with DPP Authentication Confirm frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-13 12:35:26 +02:00
Jouni Malinen
c1d3773967 DPP: Stop authentication exchange of DPP_STOP_LISTEN
Previously, this command stopped listen operation immediately, but if
there was an ongoing authentication exchange, a new listen operation was
started. This is not really expected behavior, so stop the
authentication exchange first with this command to avoid restarting
listen operation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-13 12:35:26 +02:00
Jouni Malinen
d1f082644c DPP: Allowed initiator to indicate either role
The new role=either parameter can now be used with DPP_AUTH_INIT to
indicate that the initiator can take either the Configurator or Enrollee
role.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-13 11:45:05 +02:00
Jouni Malinen
f97ace34cb DPP: Support multiple channels for initiating DPP Authentication
This extends wpa_supplicant to iterate over all available channels from
the intersection of what the peer indicates and the local device
supports when initiating DPP Authentication. In addition, retry DPP
Authentication Request frame up to five times if no response is
received.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-13 11:45:05 +02:00
Jouni Malinen
de02986189 DPP: Share a helper function for PKEX final steps
Generate the PKEX bootstrapping information and release the PKEX session
in a helper function that both the initiator and responder can use
instead of maintaining this functionality separately in two places.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-13 10:30:11 +02:00