Commit message | Author | Age | Files | Lines
* tests: sigma_dut DPP reconfiguration (HEAD, pending, master) | Jouni Malinen | 6 days | 1 | -0/+112
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Make sure dpp_auth gets cleared with external config processing | Jouni Malinen | 6 days | 1 | -0/+2
  wpa_s->dpp_auth did not get cleared if dpp_config_processing=1 is used. Clear this after having received TX status for Configuration Result to avoid leaving behind the completed provisioning instance.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Do not allow reconfiguration to be started with pending auth | Jouni Malinen | 6 days | 1 | -0/+6
  The pending authentication exchange will make us ignore Reconfig Authentication Request, so do not allow reconfiguration to be started in that state.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Debug print reason for rejecting reconfiguration | Jouni Malinen | 6 days | 1 | -3/+15
  This makes it easier to understand why Reconfig Authentication Request gets ignored.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut SAE-PK AP with additional SAE_PK_KeyPair values | Jouni Malinen | 7 days | 1 | -1/+7
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: SAE-PK password minimum length | Jouni Malinen | 7 days | 1 | -0/+27
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Fix password validation check for Sec | Jouni Malinen | 7 days | 1 | -1/+1
  The 0..3 value decoded from the password was not incremented to the actual 2..5 range for Sec. This resulted in not properly detecting the minimum password length.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Fix SAE-PK password module tests | Jouni Malinen | 7 days | 1 | -3/+0
  Couple of the test values were not actually valid, so remove them.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* dpp-nfc: Fix connection handover renegotiation | Jouni Malinen | 8 days | 1 | -11/+16
  The use of the alternative channel list did not work properly for the case where both ends were trying to initiate the negotiated connection handover. Fix this by always starting a new connection handover client thread for sending the alternative proposal and ignoring peer messages (likely something from the first attempt) during this modified attempt.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FILS: Use FILS auth alg when connecting using PMKSA caching | Vinita S. Maloo | 8 days | 1 | -7/+11
  When a PMKSA cache entry is available and used for connection with FILS key management suite, use FILS authentication algorithm for connection even if ERP keys are not available. This scenario may happen when applications using wpa_supplicant cache persistently only PMKSA but not ERP keys and reconfigure wpa_supplicant with PMKSA cache after restarting wpa_supplicant. The previous implementation correctly handles SME-in-wpa_supplicant cases. However, in SME-in-driver cases, complete FILS authentication without PMKSA caching is performed. Fix SME-in-driver behavior by setting authentication algorithm to WPA_AUTH_ALG_FILS when connecting to a FILS AP using PMKSA caching.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* nl80211: Do not send FILS ERP sequence number without rRK | Vinita S. Maloo | 8 days | 1 | -6/+6
  FILS ERP cannot be used without rRK, so include these attributes only together.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* 6 GHz: Change 6 GHz channels per IEEE P802.11ax/D6.1 | Wu Gao | 8 days | 3 | -17/+34
  The channel numbering/center frequencies were changed in IEEE P802.11ax/D6.1. The center frequencies of the channels were shifted by 10 MHz. Also, a new operating class 136 was defined with a single channel 2. Add required support to change the channelization as per IEEE P802.11ax/D6.1.
  Signed-off-by: Wu Gao <wugao@codeaurora.org>
  Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
* dpp-nfc: Support channel list negotiation | Jouni Malinen | 9 days | 1 | -6/+35
  If the peer's channel list in negotiated handover does not have any common channels and the local end is configured with an alternative channel list, try to initiate another negotiation handover with the alternative channels.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* dpp-nfc: Update debug print for tag-read-only operation | Jouni Malinen | 9 days | 1 | -1/+4
  Be clearer about only a tag read being allowed when dpp-nfc is configured to not allow connection handover.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut sta_scan WaitCompletion,1 | Jouni Malinen | 10 days | 1 | -0/+9
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut DPP Configurator for dot1x | Jouni Malinen | 10 days | 1 | -2/+17
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Fix DPP_CA_SET processing with authentication not having peer BI | Jouni Malinen | 10 days | 1 | -1/+2
  Need to check for auth->peer_bi being set before using it here.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Clear bootstrap entries only after clearing authentication state | Jouni Malinen | 10 days | 1 | -1/+1
  This fixes an issue where the pending authentication might have held a reference to auth->tmp_peer_bi and dpp_auth_deinit() would try to free that bootstrapping entry. This needs to happen before the call to dpp_global_clear() to avoid double-removal of the bootstrapping entry from the list.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: nl80211 control port in AP mode disabled/enabled | Jouni Malinen | 11 days | 1 | -1/+8
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Use control port TX (status) in AP mode if possible | Markus Theil | 11 days | 1 | -1/+14
  Check if nl80211 control port TX status is available in the kernel and enable control port TX if so. With this feature, nl80211 control path is able to provide the same feature set as nl80211 (management) + AF_PACKET socket (control) before. For debugging and testing, this can explicitly be disabled with the driver parameter control_port_ap=0.
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* nl80211: Work around misdelivered control port TX status | Jouni Malinen | 11 days | 3 | -17/+36
  The kernel commit "mac80211: support control port TX status reporting" seems to be delivering the TX status events for EAPOL frames over control port using NL80211_CMD_FRAME_TX_STATUS due to incorrect check on whether the frame is a Management or Data frame. Use the pending cookie value from EAPOL TX operation to detect this incorrect behavior and redirect the event internally to allow it to be used to get full TX control port functionality available for AP mode.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Use ext ack handler for TX control port | Markus Theil | 11 days | 1 | -2/+56
  Allow custom ack handler to be registered and use the ext ack handler for TX control port to fetch the cookie information. If these cookies are not supported by the current kernel, a value of 0 is returned.
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* nl80211: Handle control port TX status events over nl80211 | Markus Theil | 11 days | 4 | -0/+43
  In order to retransmit faster in AP mode, hostapd can handle TX status notifications. When using nl80211, this is currently only possible with socket control messages. Add support for receiving such events directly over nl80211 and detecting, if this feature is supported. This finally allows for a clean separation between management/control path (over nl80211) and in-kernel data path. A follow up commit enables the feature in AP mode. Control port TX status contains the original frame content for matching with the current hostapd code. Furthermore, a cookie is included, which allows for matching against outstanding cookies in the future. This commit only prints the cookie value for debugging purposes on TX status receive.
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* nl80211: Add custom ack handler arguments to send_and_recv() | Markus Theil | 11 days | 4 | -121/+157
  This is a preliminary patch for using extack cookies for TX control port handling. Custom ack handler arguments for send_and_recv() and friends are introduced therefore. This commit does not actually use the provided values, i.e., that will be added in a separate commit.
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* nl80211: Clean up SO_WIFI_STATUS error reporting | Jouni Malinen | 11 days | 1 | -2/+4
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: EAP-TEAP with client certificate in Phase 1 | Jouni Malinen | 12 days | 2 | -0/+28
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP (server): Allow Phase 2 skip based on client certificate | Jouni Malinen | 12 days | 3 | -5/+23
  eap_teap_auth=2 can now be used to configure hostapd to skip Phase 2 if the peer can be authenticated based on client certificate during Phase 1.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used | Jouni Malinen | 12 days | 1 | -0/+9
  The EAP-TEAP server may skip Phase 2 if the client authentication could be completed during Phase 1 based on client certificate. Handle this similarly to the case of PAC use.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Provide access to peer subject and own certificate use | Jouni Malinen | 12 days | 2 | -1/+42
  These are needed for EAP-TEAP server and client side implementation to allow Phase 2 to be skipped based on client certificate use during Phase 1.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Convert int to bool for throughput estimate tables | Jouni Malinen | 13 days | 1 | -7/+7
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add WPA_EVENT_{DO,SKIP}_ROAM events | Matthew Wang | 13 days | 2 | -6/+20
  Add events for within-ESS reassociation. This allows us to monitor roam events, both skipped and allowed, in tests.
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* Refactor wpa_supplicant_need_to_roam() | Matthew Wang | 13 days | 2 | -37/+48
  Pull all the within-ESS roam code out of wpa_supplicant_need_to_roam() and into its own function, wpa_supplicant_need_to_roam_within_ess(). This way, we avoid interleaving several #ifndef's in the original function and wrap the new function in one big #ifndef. This also modularizes the within-ESS roam code and makes it easier to test.
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* Use lookup-table instead of macro for TX rate estimates | Matthew Wang | 13 days | 1 | -48/+76
  Change INTERPOLATE_RATE() macro to a lookup-table instead for the sake of readability.
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* DPP2: Remove forgotten development time debug prints | Jouni Malinen | 13 days | 1 | -4/+0
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Copy subject from CSR to certificate | Jouni Malinen | 13 days | 1 | -2/+1
  Instead of overriding the subject field with something arbitrary, use the value that is included in the CSR now that there is something there.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP over TCP for enterprise provisioning | Jouni Malinen | 13 days | 1 | -0/+84
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Fix dot1x config object parsing without trustedEapServerName | Jouni Malinen | 13 days | 1 | -1/+1
  Need to check that the JSON node was found before using its value.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Add an automatic peer_bi entry for CSR matching if needed | Jouni Malinen | 13 days | 4 | -18/+82
  This allows the DPP_CA_SET command to be targeting a specific DPP-CST event in cases where the Configurator did not receive the bootstrapping information for the peer.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Add Enrollee name into CSR as the commonName | Jouni Malinen | 13 days | 4 | -8/+30
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: GAS comeback response processing for Enrollee over TCP | Jouni Malinen | 13 days | 1 | -3/+7
  This is almost identical to processing of the GAS initial response.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: GAS comeback request processing for Configurator over TCP | Jouni Malinen | 13 days | 1 | -43/+124
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: GAS Comeback Request for the TCP case | Jouni Malinen | 14 days | 1 | -2/+45
  Make the Enrollee handle GAS comeback delay when performing DPP over TCP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Comeback delay response for certificate in over TCP case | Jouni Malinen | 14 days | 1 | -0/+24
  Send out the GAS Initial Response with comeback delay when Configurator is operating over TCP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: CSR wait in Configurator when using TCP | Jouni Malinen | 14 days | 1 | -0/+6
  Make Configurator wait for CSR (i.e., another Config Request) when using DPP over TCP similarly to the over Public Action frame case.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: CSR generation in TCP Client/Enrollee | Jouni Malinen | 14 days | 1 | -0/+28
  This was previously covered for the DPP over Public Action frames, but the DPP over TCP case was missed.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Do not try to proceed with GAS client if CSR building fails | Jouni Malinen | 14 days | 1 | -0/+1
  This error path was supposed to stop instead of continuing to wpas_dpp_start_gas_client().
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Define a new QCA vendor attribute for Optimized Power Management | Alan Chen | 2020-06-17 | 1 | -0/+4
  Define a new attribute configuring Optimized Power Management.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP and enterprise provisioning and CSR getting rejected | Jouni Malinen | 2020-06-17 | 1 | -0/+34
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Allow CSR processing by CA/RA to reject configuration | Jouni Malinen | 2020-06-17 | 1 | -17/+27
  "DPP_CA_SET name=status value=<int>" can now be used to explicitly indicate that CSR was rejected by CA/RA.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Validate CSR on Configurator before forwarding to CA/RA | Jouni Malinen | 2020-06-17 | 3 | -0/+134
  Parse the received CSR, verify that it has been signed correctly, and verify that the challengePassword is present and matches the derived cp.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>