Extend the DPP_CONTROLLER_START command to accept the optional qr=mutual
parameter similarly to the DPP_LISTEN case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support to configure the number of TX chains and the number of RX
chains to be used during a connection.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend dpp_control_get_auth() to find the ongoing session for enterprise
credential provisioning in cases where the Controller/Configurator
initiated the exchange. Only the other direction was supported
previously.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an encrypted Enrollee identifier into Reconfig Announcement frames
and decrypt that on the Configurator side. The actual E-id value is
currently not used for anything, but it can be used in the future to
provide better control over reconfiguration.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was added to the protocol design to support cases where the
C-sign-key uses a different group than the netAccessKey. The Enrollee
now indicates its netAccessKey group in Reconfig Announcement and the
Configurator builds it own reconfig Connector using that group instead
of the group used for the C-sign-key.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Introduce additional attributes for the TWT response parameters from the
host driver. Also, add ATTR_TWT_RESUME_FLOW_ID for TWT Resume request.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the SAE-PK implementation to match the changes in the protocol
design:
- allow only Sec values 3 and 5 and encode this as a single bit field
with multiple copies
- add a checksum character
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The documentation for the QCA_WLAN_VENDOR_ATTR_CONFIG_UDP_QOS_UPGRADE
attribute had incorrectly specified the value of 0 (corresponding to BE)
to disable the QoS upgrade. BK (1) is a lower priority AC compared to BE
and if BE is used to disable the upgrade, there would be no possibility
for configured UDP AC upgrade to replace BK-from-DSCP with BE. Thus,
correct this by specifying that the value of BK (1) is used to disable
this UDP AC upgrade.
Fixes: ebd5e764f9 ("Vendor attribute to configure QoS/AC upgrade for UDP frames")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
sae_check_confirm_pk() and sae_write_confirm_pk() were using different
checks for determining whether SAE-PK was used. It was apparently
possible to miss the checks in sae_write_confirm_pk() in some AP cases
where SAE H2E is being used. Fix this by checking sae->pk in the
write-confirm case similarly to the way this was done in check-confirm.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Debug logs did not make it clear whether the failure happens when
checking a received SAE confirm or when writing own SAE confirm. Those
cases have different checks on when to go through SAE-PK processing, so
it is useful to make this part clear in the debug log.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Introduce a new attribute QCA_WLAN_VENDOR_ATTR_CONFIG_UDP_QOS_UPGRADE
to configure access category override for UDP frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Introduces a vendor command to get the currently enabled band(s)
through QCA_NL80211_VENDOR_SUBCMD_GETBAND.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Also introduce a new attribute QCA_WLAN_VENDOR_ATTR_SETBAND_MASK to
carry this new bitmask enum. This attribute shall consider the bitmask
combinations to define the respective band combinations and substitutes
QCA_WLAN_VENDOR_ATTR_SETBAND_VALUE. The old attribute use remains same
as before.
In addition, document the previously undocumented, but defined,
QCA_NL80211_VENDOR_SUBCMD_SETBAND.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
40/80 MHz bandwidth setting was being rejected due to incorrect sanity
check on the channel index. Fix that for the bandwidths larger than 20
MHz.
Fixes: d7c2c5c98c ("AP: Add initial support for 6 GHz band")
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
The 0..3 value decoded from the password was not incremented to the
actual 2..5 range for Sec. This resulted in not properly detecting the
minimum password length.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The channel numbering/center frequencies was changed in IEEE
P802.11ax/D6.1. The center frequencies of the channels were shifted by
10 MHz. Also, a new operating class 136 was defined with a single
channel 2. Add required support to change the channelization as per IEEE
P802.11ax/D6.1.
Signed-off-by: Wu Gao<wugao@codeaurora.org>
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
Add events for within-ESS reassociation. This allows us to monitor roam
events, both skipped and allowed, in tests.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
This allows the DPP_CA_SET command to be targeting a specific DPP-CST
event in cases where the Configurator did not receive the bootstrapping
information for the peer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make Configurator wait for CSR (i.e., another Config Request) when using
DPP over TCP similarly to the over Public Action frame case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was previously covered for the DPP over Public Action frames, but
the DPP over TCP case was missed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Parse the received CSR, verify that it has been signed correctly, and
verify that the challengePassword is present and matches the derived cp.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS)
configuration object. This commit is handling only the most basic case
and a number of TODO items remains to handle more complete CSR
generation and config object processing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use "client device" as the term for the device that operates under a
guidance of the device responsible for enforcing DFS rules.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Operation in the 6 GHz band mandates valid HE capabilities element in
station negotiation. Reject association request upon receiving invalid
or missing HE elements.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Previously, 6 GHz Band Capability element was derived from HT and VHT
capabilities of the device. Removes such unnecessary dependency by
relying directly on the HE capability.
In addition, clean up the struct ieee80211_he_6ghz_band_cap definition
to use a 16-bit little endian field instead of two 8-bit fields to match
the definition in P802.11ax.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Move the FILS Public Key element and the FILS Key Confirmation element
to be separate IEs instead of being encapsulated within the SAE-PK
element. This is also removing the unnecessary length field for the
fixed-length EncryptedModifier.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use value 2 to point to RFC 5480 which describes the explicit
indicatiotion of the public key being in compressed form.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is in preparation of implementation changes to check SAE-PK
password length more accurately based on the Sec value.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new sae_commit_status and sae_pk_omit configuration parameters and
an extra key at the end of sae_password pk argument can be used to
override SAE-PK behavior for testing purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define QCA vendor attribute in SET(GET)_WIFI_CONFIGURATION to
dynamically configure capabilities for dynamic bandwidth adjustment.
Signed-off-by: Min Liu <minliu@codeaurora.org>
Define QCA vendor attribute in SET(GET)_WIFI_CONFIGURATION to
dynamically configure capabilities for channel width.
Signed-off-by: Min Liu <minliu@codeaurora.org>
Add new QCA vendor attributes to configure RSNXE Used (FTE), ignore CSA,
and OCI frequency override with QCA vendor command
QCA_NL80211_VENDOR_SUBCMD_WIFI_TEST_CONFIGURATION for STA testbed role.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This maintains knowledge of whether H2E or PK was used as part of the
SAE authentication beyond the removal of temporary state needed during
that authentication. This makes it easier to use information about which
kind of SAE authentication was used at higher layer functionality.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
While this is not explicitly defined as the limit, lambda=8 (i.e., 9
characters with the added hyphen) is needed with Sec=5 to reach the
minimum required resistance to preimage attacks, so use this as an
implicit definition of the password length constraint.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Lambda >= 12 is needed with Sec = 2, so drop the shorter password
lengths in the sae_pk and module_wpa_supplicant test cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
While the current implementation forces these groups to be same, that is
not strictly speaking necessary and the correct group to use here is
K_AP, not the SAE authentication group.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds core SAE functionality for a new mode of using SAE with a
specially constructed password that contains a fingerprint for an AP
public key and that public key being used to validate an additional
signature in SAE confirm from the AP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an attribute QCA_WLAN_VENDOR_ATTR_OEM_DATA_RESPONSE_EXPECTED
to get the response for the queried data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new OCV-FAILURE control interface event to notify upper layers of
OCV validation issues. This commit adds this for SA Query processing in
AP mode.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make reporting of OCV validation failure reasons more flexible by
removing the fixed prefix from ocv_verify_tx_params() output in
ocv_errorstr so that the caller can use whatever prefix or encapsulation
that is most appropriate for each case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define QCA vendor attributes for SET(GET)_WIFI_CONFIGURATION to
dynamically configure capabilities for TX A-MSDU and RX A-MSDU.
Signed-off-by: Min Liu <minliu@codeaurora.org>
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_CONFIG_TSPEC
to add and delete TSPEC in STA mode.
The attributes defined in enum qca_wlan_vendor_attr_config_tspec
are used to encapsulate required information.
Signed-off-by: Min Liu <minliu@codeaurora.org>
Add new QCA vendor attributes to configure misbehavior for PMF
protection for Management frames and to inject Disassociation frames.
These attributes are used for testing purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an attribute that can be used with
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION vendor command to
configure different PHY modes to the driver/firmware.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The VHT Operation Information subfield is conditonally present, so do
not hardcoded it in struct ieee80211_he_operation. These members of the
struct are not currently used, so these can be removed without impact to
functionality.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Defines IEEE P802.11ax/D6.0, 9.4.2.261 HE 6 GHz Band Capabilities
element and 6 GHz Operation Information field of HE Operation element
(IEEE P802.11ax/D6.0, Figure 9-787k).
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Use a shared wpa_alg_bip() function for this and fix the case in
nl_add_key() to cover all BIP algorithms. That fix does not change any
behavior since the function is not currently used with any BIP
algorithm, but it is better to avoid surprises should it ever be needed
with IGTK.
Signed-off-by: Jouni Malinen <j@w1.fi>
IGTK is the key that is used a BIP cipher. WPA_ALG_IGTK was the
historical name used for this enum value when only the AES-128-CMAC
based BIP algorithm was supported. Rename this to match the style used
with the other BIP options.
Signed-off-by: Jouni Malinen <j@w1.fi>
This file needs the EVP_PKEY_get0_EC_KEY() compatibility wrapper just
like other DPP source code files using this function.
Fixes: 21c612017b ("DPP: Move configurator backup into a separate source code file")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows DPP_AUTH_INIT to be used with tcp_addr=<dst> argument and
Configurator parameters to perform Configurator initiated DPP
provisioning over TCP. Similarly, DPP_CONTROLLER_START can now be used
to specify Configurator/Enrollee roles and extend Controller to work in
Enrollee role.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Recognize the Reconfig Announcement message type and handle it similarly
to the Presence Announcement in the Relay, i.e., send it to the first
Controller if the local Configurator does not have matching C-sign-key.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use the new struct dpp_authentication instance when setting Configurator
parameters for authentication exchange triggered by Presence
Announcement. conn->auth is NULL here and would cause dereferencing of a
NULL pointer if dpp_configurator_params is set.
Fixes: fa5143feb3 ("DPP2: Presence Announcement processing in Controller")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend Enrollee functionality to process Reconfig Authentication
Confirm message and start GAS client.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend Configurator functionality to sign a special Connector for
reconfiguration and reply with Reconfig Authentication Request frame
when Reconfig Announcement frame is received with a matching C-sign key
hash value.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Check if there is a matching Configurator and be ready to initiate
Reconfig Authentication (which itself is not included in this commit).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend DPP chirping mechanism to allow Reconfig Announcement frames to
be transmitted instead of the Presence Announcement frames. Add a new
wpa_supplicant control interface command "DPP_RECONFIG <network id>" to
initiate reconfiguration for a specific network profile.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Split ke derivation into two parts so that the previously used
internal-only PRK gets stored as the bk in the authentication state.
This new key will be needed for deriving additional keys with DPP R2.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This removes unnecessary allocations and simplifies the implementation
by not having to remember to free the cloned reference.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Fix a copy-paste error in parsing the version info.
Fixes: 7dd768c3ca ("DPP2: Version information in bootstrapping info URI")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the local supported version information into the bootstrapping
information (V=2 in the URI) and parse this from received URI.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Report MUD URL and bandSupport from config request if those optional
nodes are included. For now, these are mainly for testing purposes since
there is no mechanism to delay sending of config response.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When DPP v2 implementation is hardcoded to behave as v1 for testing
purposes, leave out the Protocol Version attribute form Authentication
Request instead of including it there with indication for v1.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This simplifies dpp_build_conf_obj_dpp() and makes it easier to share
the signing functionality for other purposes like reconfiguration where
the Configurator needs to sign a dppCon object for itself without
generating the encapsulating config object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"SET dpp_version_override <ver>" can now be used to request
wpa_supplicant and hostapd to support a subset of DPP versions. In
practice, the only valid case for now is to fall back from DPP version 2
support to version 1 in builds that include CONFIG_DPP2=y.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Documentation of the return values for wpa_parse_vendor_specific() and
wpa_parse_generic() were not accurate and the parsing results from these
were not really handled appropriately. There is no point in calling
wpa_parse_vendor_specific() if wpa_parse_generic() recognizes a KDE. Not
that this would break anything in practice, but still, it looks
confusing.
The part about handling wpa_parse_vendor_specific() return value can, at
least in theory, break some cases where an unexpectedly short KDE/vendor
specific element were present and something would need to be recognized
after it. That does not really happen with any standard compliant
implementation and this is unlikely to cause any real harm, but it is
clearer to handle this more appropriately even for any theoretical case,
including misbehavior of a peer device.
Instead of stopping parsing on too short vendor specific element,
continue parsing the following KDEs/IEs. Skip the
wpa_parse_vendor_specific() call when a KDE has been recognized. Also
fix the return value documentation for wpa_parse_generic() and remove
the useless return value from wpa_parse_vendor_specific().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EVP_PKEY_get0_EC_KEY() compatibility wrapper is used only within
CONFIG_DPP2 blocks, so define it with matching condition.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.
Signed-off-by: Disha Das <dishad@codeaurora.org>
Add an attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_FREQUENCY_2
for describing the secondary 80 MHz span of agile spectral scan.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Mark own bootstrap information as having been used in NFC negotiated
connection handover and do not accept non-mutual authentication when
processing Authentication Response from the peer when such bootstrapping
information is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Connector alone is not sufficient for authentication during
reconfiguration, so store the netAccessKey as well.
Fixes: e4eb009d98 ("DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the Enrollee indicates support for DPP R2 or newer, add Connector and
C-sign-key in psk/sae credentials (i.e., cases where DPP AKM is not
enabled) for reconfiguration. Extend processing of such credentials in
wpa_supplicant network profile addition to handle this new case
correctly by not setting key_mgmt=DPP based on Connector being present,
but by looking at the actual akm value in the config object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define a driver interface event for Beacon frame protection failures.
Report such events over the control interface and send a
WNM-Notification Request frame to the AP as well.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EVP_PKEY_get0_EC_KEY() was added in OpenSSL 1.1.0, so add a
compatibility wrapper for it when building with OpenSSL 1.0.2.
Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Fixes: 7d9e320054 ("DPP: Received Configurator backup processing")
Signed-off-by: Jouni Malinen <j@w1.fi>
Add definition for HE bit in neighbor report BSSID Information field
from IEEE P802.11ax/D6.0, 9.4.2.36 Neighbor Report element.
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
This functionality was repeated for multiple different frames. Use a
shared helper function to avoid such duplication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process the received Presence Announcement frames in Controller. If a
matching bootstrapping entry for the peer is found, initiate DPP
authentication to complete provisioning of the Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process the received Presence Announcement frames in AP/Relay. If a
matching bootstrapping entry for the peer is found in a local
Configurator, that Configurator is used. Otherwise, the frame is relayed
to the first configured Controller (if available).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process received Presence Announcement frames and initiate
Authentication exchange if matching information is available on the
Configurator.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new wpa_supplicant control interface command "DPP_CHIRP own=<BI
ID> iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add new identifier definitions for presence announcement,
reconfiguration, and certificate enrollment.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to
set peer specific configurator parameters which will override any global
parameters from dpp_configurator_params.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is a more convenient way of addressing cases where a
Configurator/Controller may store a large number of peer bootstrapping
information instances and may need to manage different configuration
parameters for each peer while operating as the Responder.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Set the global pointer and msg_ctx when allocating struct
dpp_authentication instead of needing to pass these to
dpp_set_configurator().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Check whether the Transition Disable KDE is received from an
authenticated AP and if so, whether it contains valid indication for
disabling a transition mode. If that is the case, update the local
network profile by removing the less secure options.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define the OUI Type and bitmap values for Transition Disable KDE. These
will be shared by both the AP and STA implementations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add QCA_WLAN_VENDOR_CFR_NDPA_NDP_ALL in enum
qca_wlan_vendor_cfr_capture_type. This capture type requests all NDPA
NDP frames to be filtered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The parameters that need to be applied are symmetric to those of VHT,
however the validation code needs to be tweaked to check the HE
capabilities.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Enhanced channel frequency response supports capturing of channel status
information based on RX. Define previous CFR as version 1 and enhanced
CFR as version 2. If target supports both versions, two versions can't
be enabled at same time. Extend attributes for enhanced CFR capture in
enum qca_wlan_vendor_peer_cfr_capture_attr.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add more hang reason codes for the hang reason in the
QCA_NL80211_VENDOR_SUBCMD_HANG events. This also introduces the
attribute QCA_WLAN_VENDOR_ATTR_HANG_REASON_DATA to carry the required
data for the respective hang reason. This data is expected to contain
the required dump to analyze the reason for the hang.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some APs have managed to add two SSID elements into Beacon frames and
that used to result in picking the last one which had incorrect data in
the known examples of this misbehavior. Pick the first one to get the
correct SSID.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.
This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").
Add it again and update check_key_flag() accordingly.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
There was a copy-paste error in this code that would be adding the
connectorTemplate once that becomes available. In practice, this was not
reachable code, but anyway, this should be ready for potential addition
of connectorTemplate in the future.
Signed-off-by: Jouni Malinen <j@w1.fi>
The initial implementation of the PTK derivation workaround for
interoperability with older OWE implementations forced
WPA_KEY_MGMT_PSK_SHA256 to be used for all of PTK derivation. While that
is needed for selecting which hash algorithm to use, this was also
changing the length of the PTK components and by doing so, did not
actually address the backwards compatibility issue.
Fix this by forcing SHA256 as the hash algorithm in PTK derivation
without changing the PTK length calculation for OWE when
owe_ptk_workaround is enabled.
Fixes: 65a44e849a ("OWE: PTK derivation workaround in AP mode")
Fixes: 8b138d2826 ("OWE: PTK derivation workaround in STA mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add masks for each key type to define which flags can be combined and
add a helper function to validate key_flag values.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
I decided to drop KEY_FLAG_MODIFY instead of allowing flag combinations not
yet used in the code and will simply recreate it with the Extended Key
ID patches once we get there. For that reason I also did not renumber
the flags.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
