Commit log, path: root/src. Each entry lists the commit message, author, age, number of files changed and lines removed/added.

* SAE-PK: Fix password validation check for Sec
  Jouni Malinen, 7 days ago; 1 file, -1/+1

  The 0..3 value decoded from the password was not incremented to the actual 2..5 range for Sec. This resulted in not properly detecting the minimum password length.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: Fix SAE-PK password module tests
  Jouni Malinen, 7 days ago; 1 file, -3/+0

  A couple of the test values were not actually valid, so remove them.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* nl80211: Do not send FILS ERP sequence number without rRK
  Vinita S. Maloo, 8 days ago; 1 file, -6/+6

  FILS ERP cannot be used without rRK, so include these attributes only together.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* 6 GHz: Change 6 GHz channels per IEEE P802.11ax/D6.1
  Wu Gao, 8 days ago; 1 file, -10/+27

  The channel numbering/center frequencies were changed in IEEE P802.11ax/D6.1. The center frequencies of the channels were shifted by 10 MHz. Also, a new operating class 136 was defined with a single channel 2. Add required support to change the channelization as per IEEE P802.11ax/D6.1.

  Signed-off-by: Wu Gao <wugao@codeaurora.org>
  Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>

* nl80211: Use control port TX (status) in AP mode if possible
  Markus Theil, 11 days ago; 1 file, -1/+14

  Check if nl80211 control port TX status is available in the kernel and enable control port TX if so. With this feature, nl80211 control path is able to provide the same feature set as nl80211 (management) + AF_PACKET socket (control) before.

  For debugging and testing, this can explicitly be disabled with the driver parameter control_port_ap=0.

  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>

* nl80211: Work around misdelivered control port TX status
  Jouni Malinen, 11 days ago; 3 files, -17/+36

  The kernel commit "mac80211: support control port TX status reporting" seems to be delivering the TX status events for EAPOL frames over control port using NL80211_CMD_FRAME_TX_STATUS due to incorrect check on whether the frame is a Management or Data frame. Use the pending cookie value from EAPOL TX operation to detect this incorrect behavior and redirect the event internally to allow it to be used to get full TX control port functionality available for AP mode.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* nl80211: Use ext ack handler for TX control port
  Markus Theil, 11 days ago; 1 file, -2/+56

  Allow custom ack handler to be registered and use the ext ack handler for TX control port to fetch the cookie information. If these cookies are not supported by the current kernel, a value of 0 is returned.

  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>

* nl80211: Handle control port TX status events over nl80211
  Markus Theil, 11 days ago; 4 files, -0/+43

  In order to retransmit faster in AP mode, hostapd can handle TX status notifications. When using nl80211, this is currently only possible with socket control messages. Add support for receiving such events directly over nl80211 and detecting whether this feature is supported. This finally allows for a clean separation between management/control path (over nl80211) and in-kernel data path. A follow up commit enables the feature in AP mode.

  Control port TX status contains the original frame content for matching with the current hostapd code. Furthermore, a cookie is included, which allows for matching against outstanding cookies in the future. This commit only prints the cookie value for debugging purposes on TX status receive.

  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>

* nl80211: Add custom ack handler arguments to send_and_recv()
  Markus Theil, 11 days ago; 4 files, -121/+157

  This is a preliminary patch for using extack cookies for TX control port handling. Custom ack handler arguments for send_and_recv() and friends are therefore introduced. This commit does not actually use the provided values, i.e., that will be added in a separate commit.

  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
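The four control port commits above describe one mechanism: the extended ack of an EAPOL TX request returns a cookie (0 when the kernel has no cookie support), the TX status event echoes that cookie, and a status that the kernel misdelivers as NL80211_CMD_FRAME_TX_STATUS can still be recognised because its cookie matches an outstanding EAPOL TX. The following is an added illustration of that routing logic, written for this page and not taken from hostapd; the event objects and the name CMD_CONTROL_PORT_FRAME_TX_STATUS are a constructed, simplified model rather than the real netlink attribute layout.

```python
"""Cookie-based routing of control port TX status events (added illustration,
not hostapd code). Event shapes are a constructed, simplified model."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed event names. NL80211_CMD_FRAME_TX_STATUS is the one the log
# names as the misdelivery path; the control port name is an assumption.
CMD_FRAME_TX_STATUS = "NL80211_CMD_FRAME_TX_STATUS"
CMD_CONTROL_PORT_FRAME_TX_STATUS = "NL80211_CMD_CONTROL_PORT_FRAME_TX_STATUS"


@dataclass
class TxStatusEvent:
    cmd: str          # which event type the kernel used
    cookie: int       # 0 when the kernel does not support cookies
    frame: bytes      # original frame content echoed back by the kernel
    ack: bool         # whether the frame was acknowledged by the peer


@dataclass
class ControlPortDispatcher:
    # cookie -> destination address of the outstanding EAPOL frame
    pending_eapol: Dict[int, bytes] = field(default_factory=dict)
    eapol_status: List[Tuple[bytes, bool]] = field(default_factory=list)
    mgmt_status: List[Tuple[bytes, bool]] = field(default_factory=list)

    def send_eapol(self, dst: bytes, frame: bytes, cookie_from_ack: int) -> bool:
        """Record the cookie the extended ack returned for an EAPOL TX.

        A cookie of 0 means the kernel did not return one, so there is
        nothing to match later; report that the legacy path applies.
        """
        if cookie_from_ack == 0:
            return False
        self.pending_eapol[cookie_from_ack] = dst
        return True

    def on_tx_status(self, ev: TxStatusEvent) -> str:
        """Route one TX status event and return which handler took it."""
        if ev.cmd == CMD_CONTROL_PORT_FRAME_TX_STATUS:
            return self._handle_eapol_status(ev)
        if ev.cmd == CMD_FRAME_TX_STATUS:
            # Misdelivery check: a "management" TX status whose cookie matches
            # an outstanding EAPOL TX is really a control port status, so
            # redirect it instead of treating it as a Management frame.
            if ev.cookie != 0 and ev.cookie in self.pending_eapol:
                return self._handle_eapol_status(ev)
            self.mgmt_status.append((ev.frame, ev.ack))
            return "mgmt"
        return "ignored"

    def _handle_eapol_status(self, ev: TxStatusEvent) -> str:
        dst = self.pending_eapol.pop(ev.cookie, None)
        if dst is None:
            return "unmatched"  # stale or unknown cookie: drop, never double-count
        self.eapol_status.append((dst, ev.ack))
        return "eapol"


def demo() -> Tuple[str, str, str]:
    """Constructed scenario: one EAPOL TX followed by three status events."""
    d = ControlPortDispatcher()
    sta = bytes.fromhex("02aabbccddee")            # constructed STA MAC address
    eapol = b"\x02\x03\x00\x5f\x02\x00\x8a"          # constructed EAPOL-Key prefix
    d.send_eapol(sta, eapol, cookie_from_ack=0x1234)

    # Kernel with the misdelivery bug: status arrives as a management event.
    r1 = d.on_tx_status(TxStatusEvent(CMD_FRAME_TX_STATUS, 0x1234, eapol, True))
    # A genuine Management frame status with an unrelated cookie.
    r2 = d.on_tx_status(TxStatusEvent(CMD_FRAME_TX_STATUS, 0x9999, b"\xd0\x00", False))
    # The same cookie again is stale now and must not be counted twice.
    r3 = d.on_tx_status(TxStatusEvent(CMD_CONTROL_PORT_FRAME_TX_STATUS, 0x1234, eapol, True))
    return r1, r2, r3
```

The cookie is consumed on first match, so a duplicate or late event cannot trigger a second retransmit decision, and a cookie of 0 is never used as a match key because it is the "unsupported" marker rather than a real identifier.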
* nl80211: Clean up SO_WIFI_STATUS error reporting
  Jouni Malinen, 11 days ago; 1 file, -2/+4

  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP-TEAP (server): Allow Phase 2 skip based on client certificate
  Jouni Malinen, 12 days ago; 1 file, -4/+20

  eap_teap_auth=2 can now be used to configure hostapd to skip Phase 2 if the peer can be authenticated based on client certificate during Phase 1.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used
  Jouni Malinen, 12 days ago; 1 file, -0/+9

  The EAP-TEAP server may skip Phase 2 if the client authentication could be completed during Phase 1 based on client certificate. Handle this similarly to the case of PAC use.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* OpenSSL: Provide access to peer subject and own certificate use
  Jouni Malinen, 12 days ago; 2 files, -1/+42

  These are needed for EAP-TEAP server and client side implementation to allow Phase 2 to be skipped based on client certificate use during Phase 1.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* Add WPA_EVENT_{DO,SKIP}_ROAM events
  Matthew Wang, 13 days ago; 1 file, -0/+4

  Add events for within-ESS reassociation. This allows us to monitor roam events, both skipped and allowed, in tests.

  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>

* DPP2: Fix dot1x config object parsing without trustedEapServerName
  Jouni Malinen, 13 days ago; 1 file, -1/+1

  Need to check that the JSON node was found before using its value.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Add an automatic peer_bi entry for CSR matching if needed
  Jouni Malinen, 13 days ago; 3 files, -6/+54

  This allows the DPP_CA_SET command to be targeting a specific DPP-CST event in cases where the Configurator did not receive the bootstrapping information for the peer.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Add Enrollee name into CSR as the commonName
  Jouni Malinen, 13 days ago; 3 files, -6/+26

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: GAS comeback response processing for Enrollee over TCP
  Jouni Malinen, 13 days ago; 1 file, -3/+7

  This is almost identical to processing of the GAS initial response.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: GAS comeback request processing for Configurator over TCP
  Jouni Malinen, 13 days ago; 1 file, -43/+124

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: GAS Comeback Request for the TCP case
  Jouni Malinen, 14 days ago; 1 file, -2/+45

  Make the Enrollee handle GAS comeback delay when performing DPP over TCP.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Comeback delay response for certificate in over TCP case
  Jouni Malinen, 14 days ago; 1 file, -0/+24

  Send out the GAS Initial Response with comeback delay when Configurator is operating over TCP.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: CSR wait in Configurator when using TCP
  Jouni Malinen, 14 days ago; 1 file, -0/+6

  Make Configurator wait for CSR (i.e., another Config Request) when using DPP over TCP similarly to the over Public Action frame case.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: CSR generation in TCP Client/Enrollee
  Jouni Malinen, 14 days ago; 1 file, -0/+28

  This was previously covered for the DPP over Public Action frames, but the DPP over TCP case was missed.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Define a new QCA vendor attribute for Optimized Power Management
  Alan Chen, 2020-06-17; 1 file, -0/+4

  Define a new attribute configuring Optimized Power Management.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Validate CSR on Configurator before forwarding to CA/RA
  Jouni Malinen, 2020-06-17; 3 files, -0/+134

  Parse the received CSR, verify that it has been signed correctly, and verify that the challengePassword is present and matches the derived cp.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Add challengePassword into CSR
  Jouni Malinen, 2020-06-17; 2 files, -0/+25

  Derive challengePassword from bk and add it into the CSR.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
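The two CSR commits above (Enrollee derives challengePassword from bk; Configurator requires it and compares it against its own derivation before forwarding the CSR to the CA/RA) describe both halves of a session binding: only the two DPP peers hold bk, so a CSR that arrives with the right challengePassword was produced by the party that completed DPP authentication. The following is an added example written for this page, not hostap's code. The concrete derivation it uses, cp = HKDF-Expand(bk, "CSR challengePassword", 64) with SHA-256 and a base64 encoding without line feeds, is this editor's reading of the DPP R2 specification and should be treated as an assumption; the log itself states only that cp is derived from bk. Parsing the CSR and checking its signature, which the Configurator commit also does, needs an X.509 library and is left out here.

```python
"""Derive and verify the DPP CSR challengePassword (added illustration,
not hostap code). HKDF label, output length and hash are assumptions."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

CP_LEN = 64                           # octets of cp before base64 (assumed)
CP_INFO = b"CSR challengePassword"    # HKDF-Expand info label (assumed)


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 HKDF-Expand. No Extract step: bk is already a pseudorandom key."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output too long")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_challenge_password(bk: bytes) -> str:
    """Enrollee side: cp = HKDF-Expand(bk, label, 64), encoded as one base64 line.

    base64.b64encode never inserts line feeds, which is the behaviour the
    base64_encode_no_lf() addition elsewhere in this log gives the C code.
    """
    cp = hkdf_expand(bk, CP_INFO, CP_LEN)
    return base64.b64encode(cp).decode("ascii")


def configurator_accepts_csr(bk: bytes, csr_challenge_password: Optional[str]) -> bool:
    """Configurator side: require the attribute, then compare in constant time."""
    if not csr_challenge_password:
        return False  # attribute missing: reject before contacting the CA/RA
    expected = derive_challenge_password(bk)
    return hmac.compare_digest(expected.encode("ascii"),
                               csr_challenge_password.encode("ascii"))


def demo() -> Tuple[int, bool, bool, bool]:
    """Constructed bk values standing in for the keys both peers derived."""
    bk = secrets.token_bytes(32)         # constructed 256-bit bk (P-256 case)
    other_bk = secrets.token_bytes(32)   # bk of an unrelated DPP session
    cp_b64 = derive_challenge_password(bk)
    return (
        len(cp_b64),                                 # 64 octets -> 88 base64 chars
        configurator_accepts_csr(bk, cp_b64),        # same session: accept
        configurator_accepts_csr(other_bk, cp_b64),  # different session: reject
        configurator_accepts_csr(bk, None),          # attribute missing: reject
    )
```

The comparison uses hmac.compare_digest rather than == so the Configurator does not leak, through timing, how many leading bytes of a guessed challengePassword were correct; the missing-attribute case is rejected explicitly rather than falling through to a comparison against an empty string.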
* OpenSSL: Use EVP-based interface for ECDSA sign/verify
  Jouni Malinen, 2020-06-16; 1 file, -17/+22

  The low level ECDSA interface is not available in BoringSSL and has been deprecated in OpenSSL 3.0, so move to using a higher layer EVP-based interface for performing the ECDSA sign/verify operations.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Enterprise provisioning (Enrollee)
  Jouni Malinen, 2020-06-16; 4 files, -0/+291

  Add initial Enrollee functionality for provisioning enterprise (EAP-TLS) configuration object. This commit is handling only the most basic case and a number of TODO items remain to handle more complete CSR generation and config object processing.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Enterprise provisioning (Configurator)
  Jouni Malinen, 2020-06-16; 3 files, -10/+125

  Add Configurator functionality for provisioning enterprise (EAP-TLS) configuration object.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP2: Enterprise provisioning definitions for dot1x AKM
  Jouni Malinen, 2020-06-16; 2 files, -1/+16

  Add shared AKM definitions for provisioning enterprise (EAP-TLS) credentials.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* OpenSSL: Support EC key from private_key blob
  Jouni Malinen, 2020-06-16; 1 file, -0/+11

  Try to parse the private_key blob as an ECPrivateKey in addition to the previously supported RSA and DSA.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* OpenSSL: Support PEM encoded chain from client_cert blob
  Jouni Malinen, 2020-06-16; 1 file, -0/+23

  Allow a chain of certificates to be configured through a client_cert blob.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* GAS server: Support comeback delay from the request handler
  Jouni Malinen, 2020-06-15; 2 files, -27/+104

  Allow GAS request handler function to request comeback delay before providing the response.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* JSON: Add base64 helper functions
  Jouni Malinen, 2020-06-15; 2 files, -0/+40

  These functions are similar to the base64url helpers but with the base64 (not url) alphabet.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* base64: Add no-LF variant for encoding
  Jouni Malinen, 2020-06-15; 2 files, -6/+19

  base64_encode_no_lf() is otherwise identical to base64_encode(), but it does not add line-feeds to split the output.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Update DFS terminology in attribute value documentation
  Jouni Malinen, 2020-06-11; 1 file, -2/+2

  Use "client device" as the term for the device that operates under the guidance of the device responsible for enforcing DFS rules.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Allow HE-without-VHT to add the Channel Switch Wrapper element
  Muna Sinada, 2020-06-10; 2 files, -3/+10

  Modify the check for VHT to include an option for HE in hostapd_eid_wb_chsw_wrapper() and its callers to allow the Channel Switch Wrapper element with the Wide Bandwidth Channel Switch subelement to be included in Beacon and Probe Response frames when AP is operating in HE mode without VHT.

  Signed-off-by: Muna Sinada <msinada@codeaurora.org>

* Move hostapd_eid_wb_chsw_wrapper() to non-VHT-specific file
  Muna Sinada, 2020-06-10; 2 files, -53/+52

  Move hostapd_eid_wb_chsw_wrapper() from VHT specific ieee802_11_vht.c to ieee802_11.c since this can be used for both HE and VHT. This commit does not change any functionality to enable the HE use case, i.e., the function is just moved as-is.

  Signed-off-by: Muna Sinada <msinada@codeaurora.org>

* AP: Reject association request upon invalid HE capabilities
  Rajkumar Manoharan, 2020-06-10; 3 files, -0/+9

  Operation in the 6 GHz band mandates a valid HE Capabilities element in station negotiation. Reject association request upon receiving invalid or missing HE elements.

  Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>

* AP: Restrict Vendor VHT to 2.4 GHz only
  Rajkumar Manoharan, 2020-06-10; 1 file, -1/+3

  Vendor VHT IE is used only on the 2.4 GHz band. Restrict the use of vendor VHT element to 2.4 GHz. This will ensure that invalid/wrong user configuration will not impact beacon data in other than the 2.4 GHz band.

  Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>

* HE: Use device HE capability instead of HT/VHT for 6 GHz IEs
  Rajkumar Manoharan, 2020-06-10; 2 files, -42/+30

  Previously, 6 GHz Band Capability element was derived from HT and VHT capabilities of the device. Remove such an unnecessary dependency by relying directly on the HE capability. In addition, clean up the struct ieee80211_he_6ghz_band_cap definition to use a 16-bit little endian field instead of two 8-bit fields to match the definition in P802.11ax.

  Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>

* nl80211: Fetch HE 6 GHz capability from the driver
  Rajkumar Manoharan, 2020-06-10; 2 files, -0/+8

  Read mode specific HE 6 GHz capability from phy info. This is needed for further user config validation and IE construction.

  Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>

* Sync with mac80211-next.git include/uapi/linux/nl80211.h
  Jouni Malinen, 2020-06-10; 1 file, -26/+100

  This brings in nl80211 definitions as of 2020-05-31.

  Signed-off-by: Jouni Malinen <j@w1.fi>

* SAE-PK: Advertise RSNXE capability bit in STA mode
  Jouni Malinen, 2020-06-10; 4 files, -2/+12

  Set the SAE-PK capability bit in RSNXE when sending out (Re)Association Request frame for a network profile that allows use of SAE-PK.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* SAE-PK: Update SAE confirm IE design
  Jouni Malinen, 2020-06-10; 4 files, -91/+60

  Move the FILS Public Key element and the FILS Key Confirmation element to be separate IEs instead of being encapsulated within the SAE-PK element. This is also removing the unnecessary length field for the fixed-length EncryptedModifier.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
  Jouni Malinen, 2020-06-10; 4 files, -51/+4

  This was clarified in the draft specification to not be a mandatory requirement for the AP and STA to enforce, i.e., matching security level is a recommendation for AP configuration rather than a protocol requirement.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* WPS UPnP: Support build on OS X
  Jouni Malinen, 2020-06-09; 1 file, -3/+3

  Define MAC address fetching for OS X (by reusing the existing FreeBSD implementation) to allow full compile testing of the WPS implementation on a more BSD-like platform.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* WPS UPnP: Fix FreeBSD build
  Jouni Malinen, 2020-06-09; 1 file, -1/+1

  struct ifreq does not include the ifr_netmask alternative on FreeBSD, so replace that more specific name with ifr_addr that works with both Linux and FreeBSD.

  Fixes: 5b78c8f961f2 ("WPS UPnP: Do not allow event subscriptions with URLs to other networks")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Move local TX queue parameter parser into a common file
  Subrat Dash, 2020-06-08; 3 files, -9/+104

  This allows the same implementation to be used for wpa_supplicant as well.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* WPS UPnP: Handle HTTP initiation failures for events more properly
  Jouni Malinen, 2020-06-08; 1 file, -2/+2

  While it is appropriate to try to retransmit the event to another callback URL on a failure to initiate the HTTP client connection, there is no point in trying the exact same operation multiple times in a row. Replace the event_retry() calls with event_addr_failure() for these cases to avoid busy loops trying to repeat the same failing operation.

  These potential busy loops would go through eloop callbacks, so the process is not completely stuck on handling them, but unnecessary CPU would be used to process the continuous retries that will keep failing for the same reason.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>