Commit message | Author | Age | Files | Lines
* tests: OCI validation in the FILS handshake (OCV) | Mathy Vanhoef | 2018-12-17 | 1 | -0/+61
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Include and verify OCI in the FILS handshake | Mathy Vanhoef | 2018-12-17 | 3 | -0/+90
  Include and verify the OCI element in FILS (Re)Association Request and Response frames.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* tests: OCI validation in SA Query frames (OCV) | Mathy Vanhoef | 2018-12-17 | 1 | -1/+66
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Add UNPROT_DEAUTH command for testing OCV | Mathy Vanhoef | 2018-12-17 | 1 | -0/+5
  This new wpa_supplicant control interface command can be used to simplify testing SA Query with OCV.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Perform an SA Query after a channel switch | Mathy Vanhoef | 2018-12-17 | 4 | -0/+31
  After the network changed to a new channel, perform an SA Query with the AP after a random delay if OCV was negotiated for the association. This is used to confirm that we are still operating on the real operating channel of the network. This commit is adding only the station side functionality for this, i.e., the AP behavior is not changed to disconnect stations with OCV that do not go through SA Query.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Include and verify OCI in SA Query frames | Mathy Vanhoef | 2018-12-17 | 7 | -43/+284
  Include an OCI element in SA Query Request and Response frames if OCV has been negotiated.
  On Linux, a kernel patch is needed to let clients correctly handle SA Query Requests that contain an OCI element. Without this patch, the kernel will reply to the SA Query Request itself, without verifying the included OCI. Additionally, the SA Query Response sent by the kernel will not include an OCI element. The correct operation of the AP does not require a kernel patch.
  Without the corresponding kernel patch, SA Query Requests sent by the client are still valid, meaning they do include an OCI element.
  Note that an AP does not require any kernel patches. In other words, SA Query frames sent and received by the AP are properly handled, even without a kernel patch. As a result, the kernel patch is only required to make the client properly process and respond to a SA Query Request from the AP. Without this patch, the client will send a SA Query Response without an OCI element, causing the AP to silently ignore the response and eventually disconnect the client from the network if OCV has been negotiated to be used.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* tests: OCI validation in the FT handshake (OCV) | Mathy Vanhoef | 2018-12-17 | 1 | -1/+46
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Include and verify OCI in the FT handshake | Mathy Vanhoef | 2018-12-17 | 2 | -0/+109
  Include and verify the OCI element in (Re)Association Request and Response frames of the FT handshake. In case verification fails, the handshake message is silently ignored.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* tests: OCI validation in the 4-way and group key handshakes (OCV) | Mathy Vanhoef | 2018-12-17 | 2 | -1/+865
  Perform detailed tests with OCV enabled, for both the 4-way and group key handshakes. These tests include establishing a working connection with OCV enabled, assuring that a STA without OCV enabled can still connect to a STA with OCV enabled (and vice versa), verifying that invalid OCI elements get silently ignored, verifying that missing OCI elements are reported, and so on.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* tests: Enable OCV in the testing builds | Mathy Vanhoef | 2018-12-17 | 2 | -0/+4
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Verify OCI in 4-way and group key handshake | Mathy Vanhoef | 2018-12-17 | 2 | -0/+125
  Verify the received OCI element in the 4-way and group key handshakes. If verification fails, the handshake message is silently dropped.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add function to derive Tx parameters to a specific STA | Mathy Vanhoef | 2018-12-17 | 5 | -0/+118
  Use the information elements that were present in the (Re)Association Request frame to derive the maximum bandwidth the AP will use to transmit frames to a specific STA. By using this approach, we don't need to query the kernel for this information, and avoid having to add a driver API for that.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add function to verify a received OCI element | Mathy Vanhoef | 2018-12-16 | 2 | -0/+80
  ocv_verify_tx_params() verifies that the received OCI element includes field values that are compatible with the local channel configuration.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Parse all types of OCI information elements | Mathy Vanhoef | 2018-12-16 | 8 | -0/+44
  Add functionality to parse all variations of the OCI element.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Insert OCI in 4-way and group key handshake | Mathy Vanhoef | 2018-12-16 | 3 | -6/+139
  If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add utility functions to insert OCI elements | Mathy Vanhoef | 2018-12-16 | 6 | -0/+136
  This commit adds utility functions to insert various encodings of the OCI element.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add wlantest support for indicating OCV | Mathy Vanhoef | 2018-12-16 | 4 | -4/+16
  Add wlantest parsing of the OCV RSN capability flag.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Advertise OCV capability in RSN capabilities (STA) | Mathy Vanhoef | 2018-12-16 | 6 | -1/+15
  Set the OCV bit in RSN capabilities (RSNE) based on station mode configuration.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Track STA OCV capability in AP mode | Mathy Vanhoef | 2018-12-16 | 3 | -0/+33
  Check and store OCV capability indication for each STA.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Advertise OCV capability in RSN capabilities (AP) | Mathy Vanhoef | 2018-12-16 | 5 | -1/+23
  Set the OCV bit in RSN capabilities (RSNE) based on AP mode configuration. Do the same for OSEN since it follows the RSNE field definitions.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add wpa_supplicant config parameter | Mathy Vanhoef | 2018-12-16 | 4 | -0/+67
  Add wpa_supplicant network profile parameter ocv to disable or enable Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add hostapd config parameter | Mathy Vanhoef | 2018-12-16 | 4 | -0/+25
  Add hostapd.conf parameter ocv to disable or enable Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add build configuration for channel validation support | Mathy Vanhoef | 2018-12-16 | 8 | -0/+32
  Add compilation flags for Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Protocol definitions | Mathy Vanhoef | 2018-12-16 | 2 | -1/+5
  Define protocol identifiers for Operating Channel Verification (OCV) based on IEEE P802.11-REVmd/D2.0.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Store the VHT Operation element of an associated STA | Mathy Vanhoef | 2018-12-16 | 6 | -0/+32
  APs and mesh peers use the VHT Operation element to advertise certain channel properties (e.g., the bandwidth of the channel). Save this information element so we can later access this information.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Add functions to convert channel bandwidth to an integer | Mathy Vanhoef | 2018-12-16 | 4 | -0/+43
  This adds two utility functions to convert both operating classes and the chan_width enum to an integer representing the channel bandwidth. This can then be used to compare bandwidth parameters in a uniform manner.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Add utility function to derive operating class and channel | Mathy Vanhoef | 2018-12-16 | 2 | -0/+38
  This function can be used to easily convert the parameters returned by the channel_info driver API, into their corresponding operating class and channel number.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Make channel_info available to authenticator | Mathy Vanhoef | 2018-12-16 | 2 | -0/+10
  This adds the necessary functions and callbacks to make the channel_info driver API available to the authenticator state machine that implements the 4-way and group key handshake. This is needed for OCV.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Make channel_info available to the supplicant state machine | Mathy Vanhoef | 2018-12-16 | 3 | -0/+20
  This adds the necessary functions and callbacks to make the channel_info driver API available to the supplicant state machine that implements the 4-way and group key handshake. This is needed for OCV.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Add driver API to get current channel parameters | Mathy Vanhoef | 2018-12-16 | 4 | -0/+109
  This adds driver API functions to get the current operating channel parameters. This encompasses the center frequency, channel bandwidth, frequency segment 1 index (for 80+80 channels), and so on.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* HS 2.0 server: Allow policy to be set for SIM provisioning | Jouni Malinen | 2018-12-16 | 1 | -24/+69
  A new osu_config field "sim_policy" can now be used to specify the policy template for SIM provisioning.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: SIM provisioning exchange | Jouni Malinen | 2018-12-15 | 5 | -6/+264
  Support SIM provisioning exchange with SPP. This uses the hotspot2dot0-mobile-identifier-hash value from the AAA server to allow subscription registration through subscription remediation exchange.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Hotspot 2.0 AAA server behavior for SIM provisioning | Jouni Malinen | 2018-12-15 | 1 | -0/+92
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: RADIUS server support for SIM provisioning | Jouni Malinen | 2018-12-15 | 8 | -0/+212
  This adds support for hostapd-as-RADIUS-authentication-server to request subscription remediation for SIM-based credentials. The new hostapd.conf parameter hs20_sim_provisioning_url is used to set the URL prefix for the remediation server for SIM provisioning. The random hotspot2dot0-mobile-identifier-hash value will be added to the end of this URL prefix and the same value is stored in a new SQLite database table sim_provisioning for the subscription server implementation to use.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP: Make method and IMSI available from server structures | Jouni Malinen | 2018-12-14 | 5 | -0/+36
  Expose EAP method and IMSI from the completed (or ongoing) EAP authentication session. These are needed for implementing Hotspot 2.0 SIM provisioning.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WMM AC: Fix a typo in a comment | Jouni Malinen | 2018-12-08 | 1 | -1/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WMM AC: Do not write ERROR level log entries when WMM AC is not in use | Jouni Malinen | 2018-12-08 | 1 | -7/+2
  These two wpa_printf() calls with MSG_ERROR level could be reached when connecting without (Re)Association Response frame elements being available. That would be the case for wired connections and IBSS. Those cases are not supposed to use WMM AC in the first place, so do not confuse logs with ERROR messages in them for normal conditions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: wpa_supplicant config file writing and key_mgmt values | Jouni Malinen | 2018-12-08 | 1 | -0/+61
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Fix OWE network profile saving | Jouni Malinen | 2018-12-08 | 1 | -0/+12
  key_mgmt=OWE did not have a config parameter writer and wpa_supplicant was unable to save such a network profile correctly. Fix this by adding the needed parameter writer.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Support DPP key_mgmt saving to wpa_supplicant configuration | Damodaran, Rohit (Contractor) | 2018-12-08 | 1 | -0/+12
  In the existing code, there was no "DPP" string available to the DPP key management type for configuration parser of wpa supplicant. When the configuration is saved, the key management string was left out from the config file. Fix this by adding support for writing key_mgmt=DPP option.
  Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
* tests: Remove parallel-vm.sh | Jouni Malinen | 2018-12-08 | 1 | -38/+0
  parallel-vm.py has obsoleted this a long time ago and there is no need to maintain two scripts for doing more or less the same thing.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Add dfs_etsi to the long_tests list | Jouni Malinen | 2018-12-08 | 1 | -1/+2
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Fix PMF-in-use check for ANQP Venue URL processing | Jouni Malinen | 2018-12-08 | 3 | -2/+3
  The previous implementation did not check that we are associated with the sender of the GAS response before checking for PMF status. This could have accepted Venue URL when not in associated state. Fix this by explicitly checking for association with the responder first.
  This fixes an issue that was detected, e.g., with these hwsim test case sequences:
  gas_anqp_venue_url_pmf gas_anqp_venue_url
  gas_prot_vs_not_prot gas_anqp_venue_url
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Hotspot 2.0 connection attempt without PMF | Jouni Malinen | 2018-12-08 | 1 | -0/+24
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Enable PMF automatically for Hotspot 2.0 network profiles | Jouni Malinen | 2018-12-08 | 1 | -0/+1
  Hotspot 2.0 Release 2 requires PMF to be negotiated, so enable this by default in the network profiles created from cred blocks.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Reject Hotspot 2.0 Rel 2 or newer association without PMF | Jouni Malinen | 2018-12-08 | 1 | -1/+11
  Hotspot 2.0 Rel 2 requires PMF to be enabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Fix ap_hs20_deauth_req_without_pmf | Jouni Malinen | 2018-12-08 | 1 | -1/+7
  Now that hostapd starts mandating PMF for Hotspot 2.0 Release 2 association, this test case needs some more tweaks to work. Hardcode Hotspot 2.0 Release 1 to be used and disable PMF explicitly.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Fix ap_hs20_ft with PMF enabled | Jouni Malinen | 2018-12-08 | 1 | -5/+7
  The Beacon loss event was not reported anymore, so remove that as an unnecessary step in the test case. In addition, check the key_mgmt values explicitly.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Enable PMF in ap_hs20_unexpected configuration | Jouni Malinen | 2018-12-08 | 1 | -0/+2
  This is needed to meet the Hotspot 2.0 Release 2 requirement for the third station that is actually using RSN.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Enable PMF in ap_hs20_external_selection network profile | Jouni Malinen | 2018-12-08 | 1 | -0/+1
  This is required for Hotspot 2.0 Release 2.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>