Commit message | Author | Age | Files | Lines
* DPP: Flush PMKSA if an assoc reject without timeout is received [HEAD, master] | Srinivas Dasari | 6 days | 1 | -0/+10
  Flush the PMKSA upon receiving assoc reject event without timeout in the event data, to avoid trying the subsequent connections with the old PMKID. Do not flush PMKSA if assoc reject is received with timeout as it is generated internally from the driver without reaching the AP. This extends commit d109aa6cacf2c3f643de0c758a30b0daf936a67a ("SAE: Flush PMKSA if an assoc reject without timeout is received") to handle also the DPP AKM.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* QCA vendor command support for TWT test configuration | Varun Reddy Yeturu | 6 days | 1 | -0/+149
  Define new QCA vendor specific test config attributes to configure TWT.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Enable Suite B test cases with OpenSSL 1.1.1 | Jouni Malinen | 7 days | 1 | -1/+1
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Fix test functionality for invalid keys with OpenSSL 1.1.0 | Jouni Malinen | 7 days | 1 | -3/+3
  It looks like at least OpenSSL 1.1.0i includes the extra checks in EC_POINT_set_affine_coordinates_GFp() that break the previously used mechanism for generating invalid keys. Fix this by using the alternative design that was used with OpenSSL 1.1.1 and BoringSSL.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Store device MAC address into database | Jouni Malinen | 9 days | 3 | -21/+93
  This is needed for tracking status of certificate enrollment cases.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut controlled Hotspot 2.0 connection | Jouni Malinen | 9 days | 1 | -0/+61
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut controlled Venue URL fetch | Jouni Malinen | 9 days | 1 | -0/+50
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Venue URL ANQP-element with PMF | Jouni Malinen | 9 days | 1 | -0/+55
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* ANQP: Parse and report Venue URL information | Jouni Malinen | 9 days | 2 | -0/+40
  Parse the Venue URL ANQP-element payload and report it with the new RX-VENUE-URL event messages if the query was done using PMF.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Fix T&C server database check | Jouni Malinen | 11 days | 1 | -2/+4
  It was possible for the wait loop to exit early due to the $row[0] == 1 check returning false if the database value was not yet set. Fix this by updating the $waiting default value only if the database actually has a value for this field.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allow OSU SSID selection to be enforced for testing purposes | Jouni Malinen | 11 days | 2 | -1/+21
  This allows hs20-osu-client to be requested to select a specific OSU SSID with the new command line argument (-o<OSU_SSID>). This is useful for testing single SSID transition mode cases.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Use shared SSID (if available) for OSU by default | Jouni Malinen | 11 days | 1 | -2/+21
  When the AP is detected to have single BSS shared for RSN and OSEN, use that BSS for OSU by default instead of the one based on the OSU_SSID in the OSU Providers list.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Hotspot 2.0 OSU provider and single SSID | Jouni Malinen | 12 days | 1 | -0/+51
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add alternative OSU_SSID into providers info file | Jouni Malinen | 12 days | 1 | -3/+27
  This adds the second SSID (the one used by the shared BSS) for OSU connection when generating osu-providers.txt. External tools can use that to configure multiple network profiles for OSU to cover the cases where transition mode is used.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut controlled AP with OSEN | Jouni Malinen | 12 days | 1 | -0/+23
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS server: Add testing support for authentication result | Jouni Malinen | 13 days | 1 | -3/+54
  CONFIG_RADIUS_TEST builds can now update the user SQLite database based on authentication result from the last attempt. If the database has a last_msk column, that will be set to the hexdump of the MSK whenever authentication succeeds and to "FAIL" whenever authentication fails. This can be used for testing purposes by having an external program track authentication status per user.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 server: Replace deprecated PHP function split() | Jouni Malinen | 13 days | 1 | -1/+1
  Use explode() instead of split() because split() has been removed from PHP 7.0.0 and there is no need for using full regular expression here.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* XML: Do not add empty Value node for nodes with child nodes in TNDS | Jouni Malinen | 14 days | 1 | -1/+3
  This fixes some validation issues against DM_ddf DTD that were caused by the conversion from the internal tree structure to TNDS. Only the leaf nodes are supposed to have the Value node.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Define test config attribute to configure OM control support | Kiran Kumar Lokere | 2018-09-05 | 1 | -0/+7
  Define a new QCA vendor specific test config attribute to configure the support for receiving the MPDU with operating mode control subfield.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCE: Add OCE capability attribute only when associating to an OCE AP | Beni Lev | 2018-09-02 | 4 | -7/+35
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* OCE: Send scan parameters when OCE_STA functionality is enabled | Roee Zamir | 2018-09-02 | 1 | -0/+44
  If the device supports OCE features and OCE is enabled, set the relevant scan parameters and FILS Request Parameters element with Max Channel Time.
  Signed-off-by: Roee Zamir <roee.zamir@intel.com>
* nl80211: Support OCE features (driver capability and scan params) | Roee Zamir | 2018-09-02 | 2 | -0/+28
  Check if the device supports specific mandatory features and set the relevant WPA_DRIVER_FLAGS_OCE_STA flag. Send the relevant scan parameters for OCE scans.
  Signed-off-by: Roee Zamir <roee.zamir@intel.com>
* driver: Add OCE scan parameters | Roee Zamir | 2018-09-02 | 2 | -0/+13
  Add a flag to scan parameters that enables OCE scan features. If this flag is set the device should enable the following features as defined in the Optimized Connectivity Experience Technical Specification v1.0:
  - Overwrite FILS request Max Channel Time with actual value (clause 3.8)
  - Send Probe Request frame in high rate (at least 5.5 Mbps) (clause 3.12)
  - Probe Request frame Transmission Deferral and Suppression (clause 3.5)
  - Accept broadcast Probe Response frame (clause 3.6)
  Signed-off-by: Roee Zamir <roee.zamir@intel.com>
* Sync with mac80211-next.git include/uapi/linux/nl80211.h | Jouni Malinen | 2018-09-02 | 1 | -18/+219
  This brings in nl80211 definitions as of 2018-08-29.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* random: Remove write-only variable random_entropy_file_read | Johannes Berg | 2018-09-02 | 1 | -2/+0
  This variable is never read, so it's not needed. Remove it.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* hostapd: Send an event before throwing a station on re-authentication | Andreas Tobler | 2018-09-02 | 1 | -0/+1
  If you modify the WLAN-STA-AUTHORIZED bit in sta->flags, you have to call the ap_sta_set_authorized() function to make sure the corresponding event is sent over the control interface. Otherwise we leak entries in the event history.
  Signed-off-by: Andreas Tobler <andreas.tobler@cloudguard.ch>
* atheros: Fix atheros_send_mgmt() dependency on CONFIG_FILS | Jouni Malinen | 2018-09-02 | 1 | -3/+3
  This fixes a CONFIG_FILS=y build without CONFIG_IEEE80211W=y.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Fix build error in AP code without CONFIG_IEEE80211W=y | Chaitanya T K | 2018-09-02 | 1 | -2/+2
  When CONFIG_OWE is enabled but none of 11R/11W/FILS are enabled hostapd (and wpa_supplicant with AP mode support) build failed. Fix this by adding OWE to the list of conditions for including the local variables.
  Signed-off-by: Chaitanya T K <chaitanya.mgit@gmail.com>
* Parse sae_password option when CONFIG_SAE is enabled | Hai Shalom | 2018-09-02 | 1 | -1/+1
  Call to parse_sae_password was incorrectly depending on CONFIG_TESTING_OPTIONS and CONFIG_SAE. Should depend only on the latter.
  Fixes: 2377c1caef77 ("SAE: Allow SAE password to be configured separately (AP)")
  Signed-off-by: Hai Shalom <haishalom@google.com>
* nl80211: Do not ignore disconnect event in case of !drv->associated | Hu Wang | 2018-08-31 | 1 | -2/+5
  Commit 3f53c006c7d7362cf715ceaeda92c69d91ea7b63 ('nl80211: Ignore disconnect event in case of locally generated request') made wpa_supplicant ignore the next received disconnect event for cases where wpa_supplicant itself requested a disconnection. This can result in ignoring a disconnection notification in some cases. Considering a P2P Client receiving disconnect event from the kernel after a P2P group is started, drv->ignore_next_local_disconnect is cleared to 0, then wpa_driver_nl80211_disconnect() will be called during the removal of the group, in which drv->ignore_next_local_disconnect is set to 1 by mistake. Do not allow ignore_next_local_{disconnect,deauth} to be set to 1 if the driver is not in associated state (drv->associated is 0) to avoid this type of cases.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP group_id parameter | Jouni Malinen | 2018-08-30 | 1 | -7/+31
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Set group id through DPP_AUTH_INIT or dpp_configurator_params | Purushottam Kushwaha | 2018-08-30 | 4 | -1/+57
  This enhances DPP_AUTH_INIT, DPP_CONFIGURATOR_SIGN, and SET dpp_configurator_params to allow optional setting of the DPP groupId string for a Connector. If the value is not set, the previously wildcard value ("*") is used by default.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add new QCA vendor command and attributes to enhance NAN | Nachiket Kukade | 2018-08-30 | 1 | -0/+56
  The payload used for the existing NAN vendor command, QCA_NL80211_VENDOR_SUBCMD_NAN is a binary blob of data. This command is not extendable to send additional information. Hence define a new vendor command QCA_NL80211_VENDOR_SUBCMD_NAN_EXT, that can carry the binary blob encapsulated within an attribute and can carry additional attributes to enhance the NAN command interface. Define additional 3 new attributes for conveying type of NAN subcmd and channel information.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Correct the documentation of NAN vendor command | Nachiket Kukade | 2018-08-30 | 1 | -2/+8
  Present implementation of NAN vendor command does not use attribute encapsulation for sending the command from userspace to the driver, payload is directly sent as is. Attribute QCA_WLAN_VENDOR_ATTR_NAN is used only for receiving vendor events in the userspace from the driver. Update the doc as per this implementation.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* mka: Fix confidentiality offset issue in macsec_qca driver interface | xiaofeis | 2018-08-24 | 1 | -0/+25
  Confidentiality offset from MKA should be configured to the driver/hardware when creating SA.
  Signed-off-by: xiaofeis <xiaofeis@codeaurora.org>
* mka: Fix sci port mask issue in macsec_qca driver interface | xiaofeis | 2018-08-24 | 1 | -4/+4
  Need to use full 8-bit mask here when swapping byte order.
  Signed-off-by: xiaofeis <xiaofeis@codeaurora.org>
* Change the ADDBA buffer size attribute type to U16 from U8 | Kiran Kumar Lokere | 2018-08-24 | 1 | -2/+2
  The max supported ADDBA buffer size value is 256, so change the buffer size attribute type to U16 to configure the testbed device to use the 256 buffer size in ADDBA negotiation in 11ax testing. This attribute is used only to configure a testbed device and the old definition of this attribute was not used in any deployed implementation hence it is still justifiable to change the definition.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Vendor attribute to get max blacklist BSSIDs capability | Srinivas Dasari | 2018-08-24 | 1 | -0/+8
  Add a QCA vendor attribute QCA_WLAN_VENDOR_ATTR_GSCAN_MAX_BLACKLIST_BSSID to get maximum blacklist BSSIDs capability from the driver for gscan.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* nl80211: Fix sending of WDS STA event to the correct BSS context | Bhagavathi Perumal S | 2018-08-24 | 1 | -2/+2
  The WDS-STA-INTERFACE-ADDED/WDS-STA-INTERFACE-REMOVED events were always sent to the first BSS instead of the specific BSS that the STA was connected to in multi-BSS cases. Fix this by using the BSS specific context pointer.
  Fixes: 1952b626ba57 ("hostapd: Add ctrl iface indications for WDS STA interface")
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
* tests: FILS SK ERP and ERP flush on server, but not on peer | Jouni Malinen | 2018-08-24 | 1 | -0/+81
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FILS: Fix FILS connect failures after ERP key invalidation | Ankita Bajaj | 2018-08-24 | 4 | -2/+68
  If the RADIUS authentication server dropped the cached ERP keys for any reason, FILS authentication attempts with ERP fail and the previous wpa_supplicant implementation ended up trying to use the same keys for all consecutive attempts as well. This did not allow recovery from state mismatch between the ERP server and peer using full EAP authentication. Address this by trying to use full (non-FILS) authentication when trying to connect to an AP using the same ERP realm with FILS-enabled network profile if the previous authentication attempt had failed. This allows new ERP keys to be established and FILS authentication to be used again for the consecutive connections.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* mka: Support GCM-AES-256 | xiaofeis | 2018-08-21 | 3 | -8/+54
  GCM-AES-256 cipher suite is defined in IEEE Std 802.1AEbn-2011. If authenticator configured as GCM-AES-256, the distributed SAK will be 256 bits indicated by the GCM-AES-256 ID in the MKA packet. This patch will make AES Key Unwrap to 32 bytes of SAK when identify the ID.
  Signed-off-by: xiaofeis <xiaofeis@codeaurora.org>
* tests: HT40 disabling | Jouni Malinen | 2018-08-21 | 1 | -0/+35
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: SET ht_capab support for disabling 40 MHz bandwidth | Sathishkumar Muruganandam | 2018-08-21 | 1 | -0/+2
  'hostapd_cli SET ht_capab' only checked for [HT40+] or [HT40-] or both to be present. Based on the offset + or -, secondary_channel is updated but HT20/VHT20 mode can be brought up only from config file and can't be done using the SET command when the current HT mode is HT40+ or HT40-. When managing AP+STA mode from userspace doing hostapd_cli: "disable -> set channel, ht_capab -> enable" sequence, channel switch from HT40/VHT40 to HT20/VHT20 was not possible with this SET ht_capab limitation. Cover this additional case by resetting secondary_channel to 0 for HT20/VHT20 when ht_capab has neither [HT40+] nor [HT40-] present.
  Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
* tests: AP with WEP and external ifconfig down | Jouni Malinen | 2018-08-21 | 1 | -0/+24
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Re-configure WEP keys on hostapd interface re-enable | Hu Wang | 2018-08-21 | 3 | -1/+15
  This allows WEP mode AP to be re-enabled automatically after external ifconfig down + up on netdev used by hostapd.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix QoS Mapping ext capab bit setting | Jouke Witteveen | 2018-08-12 | 1 | -1/+1
  Fix the typo in using WPA_DRIVER_FLAGS_QOS_MAPPING to set the QoS Map bit in Extended Capabilities. The previous implementation ended up adding this bit even if the driver did not actually indicate support for the capability.
  Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
* OpenSSL: Fix compile with OpenSSL 1.1.0 and deprecated APIs | Rosen Penev | 2018-08-12 | 1 | -1/+3
  SSL_session_reused() is the same as the deprecated SSL_cache_hit(). The engine load stuff is now handled by OPENSSL_init().
  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Clarify the TODO comment regarding PMKID KDE in EAPOL-Key msg 1/4 | Jouni Malinen | 2018-08-10 | 1 | -2/+12
  Make it clear that the consideration should be only for the IBSS case and in infrastructure BSS case, PMKID KDE should not be added due to risks involved with exposing this to stations that do not know the passphrase.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: WPA2-PSK/TKIP and MIC=0 in msg 3/4 | Jouni Malinen | 2018-08-08 | 1 | -0/+77
  Verify that unauthenticated EAPOL-Key message does not get decrypted.
  Signed-off-by: Jouni Malinen <j@w1.fi>