Commit message | Author | Age | Files | Lines

* hostapd: Ignore LOW_ACK event for co-operative steering clients (HEAD, pending, master)
  Rajkumar Manoharan | 17 hours | 5 files | -1/+34
  Ignore hostapd_event_sta_low_ack for a station which has agreed to steering by checking the agreed_to_steer flag. This flag will be set whenever a station accepts the BSS transition request from the AP. Without this ignoring of the LOW_ACK event, the steering in-progress might be affected due to disassociation. In this way the AP will allow some time (two seconds) for the station to move away and reset the flag after the timeout.
  Co-Developed-by: Tamizh Chelvam <tamizhr@codeaurora.org>
  Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
  Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>

* Make STA opmode change event available to upper layers
  Tamizh chelvam | 18 hours | 4 files | -0/+93
  Add an event callback for EVENT_STATION_OPMODE_CHANGED to allow the user/application to get a notification whenever there is a change in a station's HT/VHT op mode. The new events:
  STA-OPMODE-MAX-BW-CHANGED <addr> <20(no-HT)|20|40|80|80+80|160>
  STA-OPMODE-SMPS-MODE-CHANGED <addr> <automatic|off|dynamic|static>
  STA-OPMODE-N_SS-CHANGED <addr> <N_SS>
  Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>

* nl80211: Add support for STA opmode change events
  Tamizh chelvam | 18 hours | 3 files | -0/+108
  The nl80211 driver can report the STA_OPMODE notification event as soon as it receives an HT/VHT Action frame about modification of a station's SMPS mode/bandwidth/RX NSS. Add support to parse such events.
  Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>

* hostapd: Add last_ack_rssi into ctrl iface cmd STA
  Bhagavathi Perumal S | 18 hours | 3 files | -2/+15
  This allows an external application to get the last ACK signal strength of the last transmitted frame if the driver makes this information (NL80211_STA_INFO_ACK_SIGNAL) available.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
  Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>

* Add hostapd_cli poll_sta command
  Bhagavathi Perumal S | 18 hours | 1 file | -0/+9
  This uses the already existing POLL_STA control interface to poll an associated station to check connectivity.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
  Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
* OWE: Clean up pointer check in a testing code path
  Ashok Ponnaiah | 19 hours | 2 files | -2/+2
  Check the wpa_auth_write_assoc_resp_owe() return value to keep static analyzers happier. The code path where this could happen is not really reachable due to the separate hapd->conf->own_ie_override check and wpa_auth_write_assoc_resp_owe() returning NULL only in an error case in the override path. Furthermore, clean up the pointer return value to use a proper pointer (NULL vs. 0).
  Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>

* Sync with mac80211-next.git include/uapi/linux/nl80211.h
  Jouni Malinen | 19 hours | 1 file | -0/+3
  This brings in nl80211 definitions as of 2018-02-13.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: DPP Configurator reconfiguration
  Jouni Malinen | 4 days | 1 file | -2/+47
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP: Support retrieving of configurator's private key
  Purushottam Kushwaha | 4 days | 10 files | -0/+83
  To retain configurator information across hostapd/wpa_supplicant restart, the private key needs to be maintained to generate a valid pair of authentication keys (connector, netaccess_key, csign) for new enrollees in the network. Add a DPP_CONFIGURATOR_GET_KEY control interface API through which the private key of an existing configurator can be fetched.
  Command format:
  DPP_CONFIGURATOR_GET_KEY <configurator_id>
  The output from this command can then be used with "DPP_CONFIGURATOR_ADD key=<hexdump>" to create the same key again.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* SAE: Fix EAPOL-Key integrity and key-wrap algorithm selection
  Jouni Malinen | 4 days | 4 files | -76/+82
  The SAE AKM 00-0F-AC:8 is supposed to use EAPOL-Key Key Descriptor Version 0 (AKM-defined) with AES-128-CMAC and NIST AES Key Wrap. However, the previous implementation ended up using Key Descriptor Version 2 (HMAC-SHA-1-128 and NIST AES Key Wrap). Fix this by using the appropriate Key Descriptor Version and integrity algorithm. Use helper functions to keep the selection clearer and more consistent between wpa_supplicant and hostapd uses.
  Note: This change is not backwards compatible. Both the AP and station side implementations will need to be updated at the same time to maintain functionality.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP protocol testing - stop when transmitting Auth Conf
  Jouni Malinen | 8 days | 1 file | -0/+30
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP: Extend dpp_test 89 functionality to transmit side
  Srinivas Dasari | 8 days | 2 files | -0/+22
  This extends dpp_test functionality to allow DPP exchanges to be stopped after authentication is completed on the Initiator, i.e., after sending out the Authentication Confirm message. Previously, dpp_test=89 was used only on the Responder side to stop after receiving the Authentication Confirm message. The main use case for this extended functionality is to be able to stop the protocol exchange on a device that acts as authentication Initiator and Enrollee.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Use correct WPA_ALG_* values to compare for enum wpa_alg
  Purushottam Kushwaha | 8 days | 1 file | -4/+4
  enum wpa_alg was being compared with WPA_CIPHER_* values. That does not work here and strict compilers will report this as an error. Fix the comparison to use proper WPA_ALG_* values. This fixes testing capability for resetting IPN for BIP.
  Fixes: 16579769ff7b ("Add testing functionality for resetting PN/IPN for configured keys")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* mka: Mark ieee802_1x_kay_create_mka() ckn and cak arguments const
  Jouni Malinen | 9 days | 2 files | -3/+5
  These structures are not modified or freed (i.e., only data from them is copied), so mark the arguments const to document this a bit more clearly now that there was a memory leak in one of the callers to this function.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* wpa_supplicant: Fix memory leaks in ieee802_1x_create_preshared_mka()
  Davide Caratti | 9 days | 1 file | -17/+15
  In case MKA is initialized successfully, local copies of CAK and CKN were allocated, but never freed. Ensure that such memory is released also when ieee802_1x_kay_create_mka() returns a valid pointer.
  Fixes: ad51731abf06 ("wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA")
  Signed-off-by: Davide Caratti <davide.caratti@gmail.com>

* mka: Do not print contents of SAK to debug log
  Mike Siedzik | 9 days | 1 file | -2/+3
  Log newly generated SAKs as well as unwrapped SAKs with wpa_hexdump_key() rather than wpa_hexdump(). By default, the wpa_hexdump_key() function will not display sensitive key data.
  Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
* mka: Detect duplicate MAC addresses during key server election
  Mike Siedzik | 9 days | 1 file | -1/+8
  In the unlikely event the local KaY and the elected peer have the same actor priority as well as the same MAC address, log a warning message and do not elect a key server. Resolution is for the network administrator to reconfigure the MAC address.
  Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>

* mka: Loss of live peers to result in connect PENDING not AUTHENTICATED
  Mike Siedzik | 9 days | 1 file | -2/+2
  When the number of live peers becomes 0 the KaY was setting kay->authenticated true and telling the CP to connect AUTHENTICATED. Per IEEE Std 802.1X-2010 Clause 12.2, MKA.authenticated means "the Key Server has proved mutual authentication but has determined that Controlled Port communication should proceed without the use of MACsec", which means port traffic will be passed in the clear. When the number of live peers becomes 0 the KaY must instead set kay->authenticated false and tell the CP to connect PENDING. Per Clause 12.3 connect PENDING will "prevent connectivity by clearing the controlledPortEnabled parameter."
  Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>

* mka: Ignore MACsec SAK Use Old Key parameter if we don't have our old key
  Mike Siedzik | 9 days | 1 file | -2/+2
  Upon receipt of the "MACsec MKPDU SAK Use parameter set" the KaY verifies that both the latest key and the old key are valid. If the local system reboots or is reinitialized, the KaY won't have a copy of its old key. Therefore, if the KaY does not have a copy of its old key it should not reject MKPDUs that contain old key data in the MACsec SAK Use parameter.
  Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>

* mka: When matching CKNs ensure that lengths are identical
  Mike Siedzik | 9 days | 1 file | -6/+33
  KaY looks up participants using the CAK Name (CKN). Per IEEE Std 802.1X-2010 Clause 9.3.1 CAK identification, the CKN is an integral number of octets, between 1 and 32 (inclusive). This fix will ensure that the KaY does not inadvertently match CKNs such as 'myCakNamedFoo' and 'myCakNamedFooBar'.
  Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>

* tests: Add support for wolfSSL cryptographic library
  Sean Parkinson | 2018-03-03 | 2 files | -7/+20
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>

* tests: Check PKCS#12 support in additional test cases
  Sean Parkinson | 2018-03-03 | 1 file | -0/+14
  These test cases use PKCS#12, so skip them if the build does not include support for it.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>

* tests: Verify MSCHAPV2 support in eap_peap_session_resumption
  Sean Parkinson | 2018-03-03 | 1 file | -0/+1
  This test case uses EAP-MSCHAPv2 within the PEAP tunnel, so verify that the build includes support for that before running the test.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* Add support for wolfSSL cryptographic library
  Sean Parkinson | 2018-03-03 | 5 files | -1/+3991
  Allow hostapd/wpa_supplicant to be compiled with the wolfSSL cryptography and TLS library.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>

* Extend ACL check for Probe Request frames
  Tamizh chelvam | 2018-03-02 | 5 files | -7/+51
  Extend the ACL check to deny Probe Request frames for a client which does not pass the ACL check. Skip this check for the case where RADIUS ACL is used to avoid excessive load on the RADIUS authentication server due to Probe Request frames. This patch adds a wpa_msg event for auth and assoc rejection due to ACL reject.
  Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>

* Add new WiFi test config attributes to configure BA params
  Kiran Kumar Lokere | 2018-03-02 | 1 file | -0/+71
  Define new WiFi test configuration attributes in the QCA vendor command to configure BA session parameters, to add or delete a BA session, and to configure the no ack policy. This is used for configuring the testbed device.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Add new WiFi test config attribute to allow WEP/TKIP in HE
  Kiran Kumar Lokere | 2018-03-02 | 1 file | -0/+7
  Define a new WiFi test configuration attribute in the QCA vendor command to allow or not allow WEP/TKIP in HT/VHT/HE mode. This is used for configuring the testbed device.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* FILS: Check kde more consistently to avoid static analyzer warnings
  Jeffin Mammen | 2018-03-02 | 1 file | -1/+1
  For FILS, __wpa_send_eapol() is called only with kde != NULL, but a static analyzer might not understand that. Add an explicit kde != NULL check similarly to the other cases going through the kde parameter to silence such bogus warnings.
  Signed-off-by: Jeffin Mammen <jmammen@codeaurora.org>

* SAE: Debug print group support in the crypto library
  Jouni Malinen | 2018-03-02 | 1 file | -0/+6
  This makes it easier to understand why the "SAE: Failed to select group" debug entry shows up in cases where the selected crypto library does not support a specific group.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* SAE: Fix potential infinite loop in mismatching PMK case on AP
  Jouni Malinen | 2018-03-02 | 1 file | -2/+4
  Commit e61fea6b467bec0702096c795b06195584d32a6c ('SAE: Fix PMKSA caching behavior in AP mode') modified the PSK fetching loop to not override PMK in case of SAE with PMKSA caching. However, that commit missed the error path cases where there is need to break from the loop with the exact negative of the check in the beginning of the loop. This could result in hitting an infinite loop in hostapd if a station derived a different PMK value from otherwise successfully completed SAE authentication or if a STA used a different PMK with a PMKSA caching attempt after a previously completed successful authentication. Fix this by adding the matching break condition on SAE AKM within the loops.
  Fixes: e61fea6b467b ("SAE: Fix PMKSA caching behavior in AP mode")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Reject eap_server_erp hostapd.conf parameter without CONFIG_ERP=y
  Jouni Malinen | 2018-02-28 | 1 file | -0/+2
  This provides an explicit error report if the runtime configuration is not valid and ERP server functionality cannot be used.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* wpadebug: Improve QR Code scanning with zxing
  Jouni Malinen | 2018-02-23 | 1 file | -1/+8
  Set SCAN_MODE to accept only QR Codes and close the scanner more reliably after a successfully scanned QR Code.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* wpadebug: Add activity to select method for QR Code scanning
  Anurag Das | 2018-02-23 | 2 files | -0/+45
  Add QrCodeReadActivity that makes a decision to select between InputUri and QrCodeScannerActivity depending on the availability of the camera in the device.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* wpadebug: Close InputUri activity automatically on DPP URI completion
  Jouni Malinen | 2018-02-22 | 1 file | -0/+24
  Check the entered text and stop automatically at the end of a full DPP URI.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* wpadebug: Add main screen buttons for QR Code operations
  Jouni Malinen | 2018-02-22 | 2 files | -0/+42
  These can be used for manual testing of the DPP QR Code functionality.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* wpadebug: A dialog activity to input the URI from QR Code Scanner
  Anurag Das | 2018-02-22 | 3 files | -0/+115
  This should help to read the URI from QR Code Scanners (USB HID devices instead of USB video devices) that decode the QR Code. This dialog box provides the mechanism to enter the decoded URI from such hardware devices. This dialog can be used with:
  am start -n w1.fi.wpadebug/w1.fi.wpadebug.InputUri
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* wpadebug: Update default project target to android-22
  Jouni Malinen | 2018-02-22 | 1 file | -1/+1
  This matches the current zxing target level and as such, is more likely to be installed on devices that build wpadebug.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Suite B tests with BoringSSL
  Jouni Malinen | 2018-02-19 | 1 file | -7/+10
  Enable appropriate Suite B test cases with BoringSSL. Currently, this means enabling only the 192-bit level ECDSA and ECDHE-RSA since BoringSSL has removed support for DHE and there is no need to support 128-bit level ECDSA anymore.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* BoringSSL: Set appropriate sigalgs for Suite B RSA 3K cases
  Jouni Malinen | 2018-02-19 | 1 file | -4/+14
  This commit takes care of the sigalg configuration using the relatively recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017 to address the functionality that was already there with OpenSSL using SSL_set1_sigalgs_list().
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* BoringSSL: Map OpenSSL SUITEB192 cipher into appropriate sigalgs
  Jouni Malinen | 2018-02-19 | 1 file | -0/+11
  BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so we need to map that to the explicit ciphersuite (ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg (SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with ECDSA to be used. This commit takes care of the sigalg configuration using the relatively recent SSL_CTX_set_verify_algorithm_prefs() addition from April 2017.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* BoringSSL: Map OpenSSL SUITEB192 cipher into appropriate parameters
  Jouni Malinen | 2018-02-19 | 1 file | -3/+26
  BoringSSL removed the special OpenSSL cipher suite value "SUITEB192", so we need to map that to the explicit ciphersuite (ECDHE-ECDSA-AES256-GCM-SHA384), curve (P-384), and sigalg (SSL_SIGN_ECDSA_SECP384R1_SHA384) to allow 192-bit level Suite B with ECDSA to be used. This commit takes care of the ciphersuite and curve configuration. The sigalg change is in a separate commit since it requires a newer BoringSSL API function that may not be available in all builds.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* OpenSSL: Replace SSL_set1_curves_list() with SSL_set1_curves()
  Jouni Malinen | 2018-02-19 | 1 file | -1/+2
  In practice, this does the same thing (i.e., allows only the P-384 curve to be used), but using an older API function that happens to be available in some BoringSSL builds while the newer one is not.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: Processing of truncated RSNE fields
  Jouni Malinen | 2018-02-19 | 1 file | -0/+6
  Verify that a truncated RSN Capabilities field and PMKIDCount field get ignored.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: Fix Permission denied on Fedora
  Masashi Honma | 2018-02-17 | 1 file | -0/+2
  On Fedora 26, start.sh fails with these error messages.
  Failed to connect to wpa_supplicant global interface: /tmp/wpas-wlan0 error: Permission denied
  Failed to connect to wpa_supplicant global interface: /tmp/wpas-wlan0 error: Permission denied
  ...
  This is because Fedora 26 uses the "wheel" group as the administrative group.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* Allow HT40 on 5 GHz channels 165 and 169
  Ben Greear | 2018-02-17 | 1 file | -1/+1
  India supports 5 GHz channels 169 and 173 now. Enable HT40 across channels 165 and 169. Leave channel 173 to remain HT20 only.
  Signed-off-by: Ben Greear <greearb@candelatech.com>

* nl80211: Use the new NL80211_MFP_OPTIONAL option
  Emmanuel Grumbach | 2018-02-17 | 3 files | -4/+19
  Now we can configure the network block so that it allows the MFP setting for the NL80211_CMD_CONNECT command. If the kernel finds an AP that requires MFP, it'll be able to connect to it. Note that since NL80211_MFP_OPTIONAL isn't supported for NL80211_CMD_ASSOCIATE, we need to take the MFP configuration outside nl80211_connect_common(). In addition, check that NL80211_EXT_FEATURE_MFP_OPTIONAL is supported, to be backward compatible with older kernels.
  Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

* wpa_supplicant: Handle port authorized event
  Avraham Stern | 2018-02-17 | 1 file | -5/+16
  When the driver indicates that the connection is authorized (i.e., the 4-way handshake was completed by the driver), cancel the EAP authentication timeout and set the EAP state machine to the success state.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>

* nl80211: Handle port authorized event
  Avraham Stern | 2018-02-17 | 1 file | -0/+29
  Indicate that the connection is authorized when receiving a port authorized event from the driver.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>

* driver: Add port authorized event
  Avraham Stern | 2018-02-17 | 2 files | -0/+10
  Add an event that indicates that the 4-way handshake was completed by the driver. This event is useful for networks that require 802.1X authentication. The driver can use this event to indicate that a new connection is already authorized (e.g., when the driver used PMKSA caching) and 802.1X authentication is not required.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>

* nl80211: Add API to set the PMK to the driver
  Avraham Stern | 2018-02-17 | 1 file | -0/+42
  Add support for setting the PMK to the driver. This is used for drivers that support 4-way handshake offload.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>