Instead of overriding the subject field with something arbitrary, use
the value that is included in the CSR now that there is something there.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows the DPP_CA_SET command to be targeting a specific DPP-CST
event in cases where the Configurator did not receive the bootstrapping
information for the peer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make Configurator wait for CSR (i.e., another Config Request) when using
DPP over TCP similarly to the over Public Action frame case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was previously covered for the DPP over Public Action frames, but
the DPP over TCP case was missed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"DPP_CA_SET name=status value=<int>" can now be used to explicitly
indicate that CSR was rejected by CA/RA.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Parse the received CSR, verify that it has been signed correctly, and
verify that the challengePassword is present and matches the derived cp.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The low level ECDSA interface is not available in BoringSSL and has been
deprecetated in OpenSSL 3.0, so move to using a higher layer EVP-based
interface for performing the ECDSA sign/verify operations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS)
configuration object. This commit is handling only the most basic case
and a number of TODO items remains to handle more complete CSR
generation and config object processing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Try to parse the private_key blob as an ECPrivateKey in addition to the
previously supported RSA and DSA.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
base64_encode_no_lf() is otherwise identical to base64_encode(), but it
does not add line-feeds to split the output.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use "client device" as the term for the device that operates under a
guidance of the device responsible for enforcing DFS rules.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Modify the check for VHT to include an option for HE in
hostapd_eid_wb_chsw_wrapper() and its callers to allow the Channel
Switch Wrapper element with the Wide Bandwidth Channel Switch subelement
to be included in Beacon and Probe Response frames when AP is operating
in HE mode without VHT.
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Move hostapd_eid_wb_chsw_wrapper() from VHT specific ieee802_11_vht.c to
ieee802_11.c since this can be used for both HE and VHT. This commit
does not change any functionality to enable the HE use case, i.e., the
function is just moved as-is.
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Operation in the 6 GHz band mandates valid HE capabilities element in
station negotiation. Reject association request upon receiving invalid
or missing HE elements.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Vendor VHT IE is used only on the 2.4 GHz band. Restrict the use of
vendor VHT element to 2.4 GHz. This will ensure that invalid/wrong user
configuration will not impact beacon data in other than the 2.4 GHz
band.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Previously, 6 GHz Band Capability element was derived from HT and VHT
capabilities of the device. Removes such unnecessary dependency by
relying directly on the HE capability.
In addition, clean up the struct ieee80211_he_6ghz_band_cap definition
to use a 16-bit little endian field instead of two 8-bit fields to match
the definition in P802.11ax.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Read mode specific HE 6 GHz capability from phy info. This is needed
for futher user config validation and IE construction.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
The parsed 'length' field might pointsbeyond the end of the frame, for
some malformed frames. I haven't figured the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Instead of checking if the kernel allows modules (via the presence of
/proc/modules), check if mac80211_hwsim is already there and load it
only if not. This gets rid of some ugly prints from modprobe in case
code isn't even a module and cannot be found, etc.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
With python3 bytes are returned for stdout, so need to use b''
strings instead of normal strings. These are just a few places
I ran into, almost certainly more places need it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If we want the test to actually use 160/80+80 we need to explicitly
advertise that we support it ourselves, since the kernel is going to be
a bit more strict about this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Set the SAE-PK capability bit in RSNXE when sending out (Re)Association
Request frame for a network profile that allows use of SAE-PK.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Move the FILS Public Key element and the FILS Key Confirmation element
to be separate IEs instead of being encapsulated within the SAE-PK
element. This is also removing the unnecessary length field for the
fixed-length EncryptedModifier.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define MAC address fetching for OS X (by reusing the existing FreeBSD
implementation) to allow full compile testing of the WPS implementation
on a more BSD-like platform.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
struct ifreq does not include the ifr_netmask alternative on FreeBSD, so
replace that more specific name with ifr_addr that works with both Linux
and FreeBSD.
Fixes: 5b78c8f961 ("WPS UPnP: Do not allow event subscriptions with URLs to other networks")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, PMF support was enabled in optional mode (ieee80211w=1) for
Hotspot 2.0 network blocks automatically. This did not consider the
global PMF parameter and unconditionally changed that value to optional.
Since the newly added network block had an explicit ieee80211w
parameter, this overrode the global parameter. To make this less
surprising, use the global pmf parameter value to select whether to add
network blocks for Hotspot 2.0 with PMF being optionally enabled (pmf=0
or pmf=1) or required (pmf=2).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>