Commit log. Each entry lists the commit message, author, age, number of files changed, and lines removed/added.
* Extend NUD Stats to collect the data packet statistics (HEAD, pending, master)
  Author: Sunil Dutt | Age: 5 days | Files: 1 | Lines: -9/+126

  This commit extends the existing QCA vendor specific NUD_STATS_GET/SET interface to also collect the statistics of the data packets. The intention here is to get more comprehensive information to detect the network unreachability.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Add the EC root CA private keys to repository
  Author: Jouni Malinen | Age: 5 days | Files: 2 | Lines: -0/+17

  These were forgotten from the initial commit adding the EC PKI.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Suite B 192-bit RSA validation with 2048-bit client cert
  Author: Jouni Malinen | Age: 5 days | Files: 4 | Lines: -0/+196

  Verify that an unexpected 2048-bit RSA client certificate gets rejected by the RADIUS server if the server is configured to use Suite B at 192-bit level.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Copy WLAN-Reason-Code value from Access-Reject to Deauthentication
  Author: Jouni Malinen | Age: 5 days | Files: 3 | Lines: -2/+14

  This makes hostapd use the WLAN-Reason-Code value from Access-Reject when disconnecting a station due to IEEE 802.1X authentication failure. If the RADIUS server does not include this attribute, the default value 23 (IEEE 802.1X authentication failed) is used. That value was the previously hardcoded reason code.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Add WLAN-Reason-Code attribute to Access-Reject
  Author: Jouni Malinen | Age: 5 days | Files: 3 | Lines: -0/+13

  Make the RADIUS server in hostapd add WLAN-Reason-Code attribute to all Access-Reject messages generated based on EAP-Failure from the EAP server. For now, the reason code value is set to 23 (IEEE 802.1X authentication failed). This can be extended in future commits to cover additional failure reasons.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Suite B 192-bit validation with p256 client cert
  Author: Jouni Malinen | Age: 5 days | Files: 4 | Lines: -0/+120

  Verify that an unexpected p256 client certificate gets rejected if the server is configured to use Suite B at 192-bit level.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Set appropriate permission(s) for cert file/folders on Android
  Author: Purushottam Kushwaha | Age: 6 days | Files: 1 | Lines: -23/+34

  This commit adds additional permission to 'SP' and 'Cert' folders which is needed to copy certificates from Cert to SP. Additionally, this associates the AID_WIFI group id with these folders.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Update ap_wpa2_eap_assoc_rsn to match implementation change
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -1/+1

  This covers the new status code for group management cipher mismatch.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Replace RSNE group key management mismatch status/reason codes
  Author: Jouni Malinen | Age: 6 days | Files: 2 | Lines: -3/+3

  Use "cipher out of policy" value instead of invalid group cipher (which is for the group data frame cipher) and management frame policy violation (which is used for MFPC/MFPR mismatch).

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add QCA vendor command to get the WLAN MAC information
  Author: Sunil Dutt | Age: 6 days | Files: 1 | Lines: -0/+73

  This commit introduces a QCA vendor command that provides the current information of WLAN hardware MAC and its associated WLAN netdev interfaces.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut Suite B tests to not explicitly set PMF
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -3/+3

  PMF is supposed to be enabled automatically in sigma_dut, so remove the explicit argument to do so from the commands.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: WPA2-PSK AP and association request RSN IE with PMKID
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -0/+12

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Report reception of Config Request to upper layers
  Author: Jouni Malinen | Age: 6 days | Files: 3 | Lines: -0/+5

  This is mainly for protocol testing purposes.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Use longer timeout in sigma_dut_dpp_proto_initiator
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -1/+2

  This is needed to be ready for a sigma_dut change to wait for an extra frame RX event.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut sta_scan_bss
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -0/+13

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut with alternative OWE transition mode configuration
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -0/+31

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: sigma_dut and new DPP config index values
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -0/+24

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP QR Code and hostapd as initiator (offchannel)
  Author: Jouni Malinen | Age: 9 days | Files: 1 | Lines: -0/+59

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Authentication exchange retries and channel iteration in hostapd
  Author: Jouni Malinen | Age: 9 days | Files: 3 | Lines: -30/+335

  This extends hostapd with previously implemented wpa_supplicant functionality to retry DPP Authentication Request/Response and to iterate over possible negotiation channels.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Report offchannel RX frame frequency to hostapd
  Author: Jouni Malinen | Age: 10 days | Files: 3 | Lines: -3/+12

  Not all code paths for management frame RX reporting delivered the correct frequency for offchannel RX cases. This is needed mainly for Public Action frame processing in some special cases where the AP is operating, but an exchange is done on a non-operational channel. For example, DPP Initiator role may need to do this.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Enable and require PMF in SAE and OWE test cases with sigma_dut
  Author: Jouni Malinen | Age: 11 days | Files: 1 | Lines: -16/+39

  All SAE and OWE associations are expected to require PMF to be negotiated, so enable or require PMF in AP and STA configurations accordingly to match the new sigma_dut behavior.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* GnuTLS: Add option to build with libnettle instead of libgcrypt
  Author: Jouni Malinen | Age: 2017-12-29 | Files: 5 | Lines: -9/+494

  GnuTLS-based builds can now be done using either libnettle or libgcrypt for crypto functionality:

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=nettle

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=gnutls

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: GnuTLS configuration of intermediate CA certificate
  Author: Jouni Malinen | Age: 2017-12-29 | Files: 3 | Lines: -81/+116

  GnuTLS seems to require the intermediate CA certificate to be included both in the ca_cert and client_cert file for the cases of server and client certificates using different intermediate CA certificates. Use the user_and_ica.pem file with GnuTLS builds and reorder the certificates in that file to make this work with GnuTLS.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Enable Suite B test cases with GnuTLS
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -6/+17

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Speed up suite_b_192_rsa_insufficient_dh in failure case
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -1/+4

  Check for unexpected connection to avoid timeout on TLS alert event if the implementation does not check DH key size at all.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Suite B validation
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -11/+55

  This allows OpenSSL-style configuration of Suite B parameters to be used in the wpa_supplicant network profile. 128-bit and 192-bit level requirements for ECDHE-ECDSA cases are supported. RSA >=3K case is enforced using GnuTLS %PROFILE_HIGH special priority string keyword.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Add support for disabling TLS versions
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -0/+23

  This extends GnuTLS support for tls_disable_v1_{0,1,2}=1 flags in the phase1 network profile parameter in wpa_supplicant.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement tls_get_cipher()
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -2/+29

  Provide OpenSSL-style name for the negotiated cipher suite.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Make debug prints clearer for cert/key parsing
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -2/+21

  Indicate more clearly when the parsing succeeds to avoid ending the debug prints with various internal GnuTLS error messages even when the parsing actually succeeded in the end.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Skip eap_tls_pkcs8_pkcs5_v15 with GnuTLS
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -1/+1

  It looks like this private key format is not supported in GnuTLS (tested with version 3.4.10).

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Fix wpas_config_file with non-mesh and non-SAE builds
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -6/+23

  Check wpa_supplicant capabilities before testing mesh and SAE parameters.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Fix gas_anqp_overrides with non-FILS builds
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -1/+6

  Need to ignore missing RX-ANQP event for the FILS Realm Info if wpa_supplicant build does not include FILS support.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Add TEST_FAIL() to crypto routines for testing purposes
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -0/+12

  This allows a number of hwsim test cases for local error conditions to be executed with GnuTLS-based builds.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement tls_get_version()
  Author: Jouni Malinen | Age: 2017-12-28 | Files: 1 | Lines: -3/+13

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Skip sigma_dut tests for SAE/DPP based on build capabilities
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -0/+10

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement HMAC functions using libgcrypt
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 5 | Lines: -0/+156

  Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with the ones from libgcrypt and also add the SHA384 and SHA512 versions.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 5 | Lines: -5/+19

  Replace the internal SHA256 implementation with the one from libgcrypt and also add the SHA384 and SHA512 versions.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Use a helper function for hash functions
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -30/+13

  Use a shared helper function instead of implementing practically the same sequence separately for each hash function.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Opportunistic Wireless Encryption and group negotiation
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -0/+24

  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Try all supported DH groups automatically on STA
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 5 | Lines: -5/+49

  If a specific DH group for OWE is not set with the owe_group parameter, try all supported DH groups (currently 19, 20, 21) one by one if the AP keeps rejecting groups with the status code 77.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Mixed mode BSS and MFP-enabled AP rejecting TKIP
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -0/+30

  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix MFP-enabled test for disallowed TKIP
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -6/+6

  The test against use of TKIP was done only in MFP-required (ieee80211w=2) configuration. Fix this to check the pairwise cipher for MFP-enabled (ieee80211w=1) case as well.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Mixed SAE and non-SAE network and MFP required with SAE
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -0/+32

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Add option to require MFP for SAE associations
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 6 | Lines: -0/+23

  The new hostapd.conf parameter sae_require_pmf=<0/1> can now be used to enforce negotiation of MFP for all associations that negotiate use of SAE. This is used in cases where SAE-capable devices are known to be MFP-capable and the BSS is configured with optional MFP (ieee80211w=1) for legacy support. The non-SAE stations can connect without MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Set PMK length in eapol-fuzzer
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -1/+5

  Commit b488a12948751f57871f09baa345e59b23959a41 ('Clear PMK length and check for this when deriving PTK') started rejecting PTK derivation based on PMK length. This reduced coverage from the eapol-fuzzer, so set the default length when initializing the state machine in the fuzzer to reach the previously used code paths.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: SAE protocol testing - Confirm replay
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 1 | Lines: -0/+78

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Set special Sc value when moving to Accepted state
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 2 | Lines: -1/+3

  Set Sc to 2^16-1 when moving to Accepted state per IEEE Std 802.11-2016, 12.4.8.6.5 (Protocol instance behavior - Confirmed state). This allows the peer in Accepted state to silently ignore unnecessary retransmissions of the Confirm message.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Add Rc variable and peer send-confirm validation
  Author: Jouni Malinen | Age: 2017-12-27 | Files: 2 | Lines: -3/+28

  This implements the behavior described in IEEE Std 802.11-2016, 12.4.8.6.6 (Protocol instance behavior - Accepted state) to silently discard received Confirm message in the Accepted state if the new message does not use an incremented send-confirm value or if the special 2^16-1 value is used. This avoids unnecessary processing of retransmitted Confirm messages.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Print state changes in debug log
  Author: Jouni Malinen | Age: 2017-12-26 | Files: 3 | Lines: -13/+51

  This makes it easier to follow state changes in SAE protocol instances.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Make dot11RSNASAESync configurable
  Author: Jouni Malinen | Age: 2017-12-26 | Files: 6 | Lines: -10/+16

  The new hostapd.conf parameter sae_sync (default: 5) can now be used to configure the dot11RSNASAESync value to specify the maximum number of synchronization errors that are allowed to happen prior to disassociation of the offending SAE peer.

  Signed-off-by: Jouni Malinen <j@w1.fi>