Split ke derivation into two parts so that the previously used
internal-only PRK gets stored as the bk in the authentication state.
This new key will be needed for deriving additional keys with DPP R2.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This removes unnecessary allocations and simplifies the implementation
by not having to remember to free the cloned reference.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Fix a copy-paste error in parsing the version info.
Fixes: 7dd768c3ca ("DPP2: Version information in bootstrapping info URI")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the local supported version information into the bootstrapping
information (V=2 in the URI) and parse this from received URI.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Report MUD URL and bandSupport from config request if those optional
nodes are included. For now, these are mainly for testing purposes since
there is no mechanism to delay sending of config response.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When DPP v2 implementation is hardcoded to behave as v1 for testing
purposes, leave out the Protocol Version attribute form Authentication
Request instead of including it there with indication for v1.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This simplifies dpp_build_conf_obj_dpp() and makes it easier to share
the signing functionality for other purposes like reconfiguration where
the Configurator needs to sign a dppCon object for itself without
generating the encapsulating config object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"SET dpp_version_override <ver>" can now be used to request
wpa_supplicant and hostapd to support a subset of DPP versions. In
practice, the only valid case for now is to fall back from DPP version 2
support to version 1 in builds that include CONFIG_DPP2=y.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Documentation of the return values for wpa_parse_vendor_specific() and
wpa_parse_generic() were not accurate and the parsing results from these
were not really handled appropriately. There is no point in calling
wpa_parse_vendor_specific() if wpa_parse_generic() recognizes a KDE. Not
that this would break anything in practice, but still, it looks
confusing.
The part about handling wpa_parse_vendor_specific() return value can, at
least in theory, break some cases where an unexpectedly short KDE/vendor
specific element were present and something would need to be recognized
after it. That does not really happen with any standard compliant
implementation and this is unlikely to cause any real harm, but it is
clearer to handle this more appropriately even for any theoretical case,
including misbehavior of a peer device.
Instead of stopping parsing on too short vendor specific element,
continue parsing the following KDEs/IEs. Skip the
wpa_parse_vendor_specific() call when a KDE has been recognized. Also
fix the return value documentation for wpa_parse_generic() and remove
the useless return value from wpa_parse_vendor_specific().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EVP_PKEY_get0_EC_KEY() compatibility wrapper is used only within
CONFIG_DPP2 blocks, so define it with matching condition.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.
Signed-off-by: Disha Das <dishad@codeaurora.org>
Add an attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_FREQUENCY_2
for describing the secondary 80 MHz span of agile spectral scan.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Mark own bootstrap information as having been used in NFC negotiated
connection handover and do not accept non-mutual authentication when
processing Authentication Response from the peer when such bootstrapping
information is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Connector alone is not sufficient for authentication during
reconfiguration, so store the netAccessKey as well.
Fixes: e4eb009d98 ("DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the Enrollee indicates support for DPP R2 or newer, add Connector and
C-sign-key in psk/sae credentials (i.e., cases where DPP AKM is not
enabled) for reconfiguration. Extend processing of such credentials in
wpa_supplicant network profile addition to handle this new case
correctly by not setting key_mgmt=DPP based on Connector being present,
but by looking at the actual akm value in the config object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define a driver interface event for Beacon frame protection failures.
Report such events over the control interface and send a
WNM-Notification Request frame to the AP as well.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EVP_PKEY_get0_EC_KEY() was added in OpenSSL 1.1.0, so add a
compatibility wrapper for it when building with OpenSSL 1.0.2.
Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Fixes: 7d9e320054 ("DPP: Received Configurator backup processing")
Signed-off-by: Jouni Malinen <j@w1.fi>
Add definition for HE bit in neighbor report BSSID Information field
from IEEE P802.11ax/D6.0, 9.4.2.36 Neighbor Report element.
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
This functionality was repeated for multiple different frames. Use a
shared helper function to avoid such duplication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process the received Presence Announcement frames in Controller. If a
matching bootstrapping entry for the peer is found, initiate DPP
authentication to complete provisioning of the Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process the received Presence Announcement frames in AP/Relay. If a
matching bootstrapping entry for the peer is found in a local
Configurator, that Configurator is used. Otherwise, the frame is relayed
to the first configured Controller (if available).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process received Presence Announcement frames and initiate
Authentication exchange if matching information is available on the
Configurator.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new wpa_supplicant control interface command "DPP_CHIRP own=<BI
ID> iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add new identifier definitions for presence announcement,
reconfiguration, and certificate enrollment.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to
set peer specific configurator parameters which will override any global
parameters from dpp_configurator_params.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is a more convenient way of addressing cases where a
Configurator/Controller may store a large number of peer bootstrapping
information instances and may need to manage different configuration
parameters for each peer while operating as the Responder.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Set the global pointer and msg_ctx when allocating struct
dpp_authentication instead of needing to pass these to
dpp_set_configurator().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Check whether the Transition Disable KDE is received from an
authenticated AP and if so, whether it contains valid indication for
disabling a transition mode. If that is the case, update the local
network profile by removing the less secure options.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define the OUI Type and bitmap values for Transition Disable KDE. These
will be shared by both the AP and STA implementations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add QCA_WLAN_VENDOR_CFR_NDPA_NDP_ALL in enum
qca_wlan_vendor_cfr_capture_type. This capture type requests all NDPA
NDP frames to be filtered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The parameters that need to be applied are symmetric to those of VHT,
however the validation code needs to be tweaked to check the HE
capabilities.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Enhanced channel frequency response supports capturing of channel status
information based on RX. Define previous CFR as version 1 and enhanced
CFR as version 2. If target supports both versions, two versions can't
be enabled at same time. Extend attributes for enhanced CFR capture in
enum qca_wlan_vendor_peer_cfr_capture_attr.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add more hang reason codes for the hang reason in the
QCA_NL80211_VENDOR_SUBCMD_HANG events. This also introduces the
attribute QCA_WLAN_VENDOR_ATTR_HANG_REASON_DATA to carry the required
data for the respective hang reason. This data is expected to contain
the required dump to analyze the reason for the hang.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some APs have managed to add two SSID elements into Beacon frames and
that used to result in picking the last one which had incorrect data in
the known examples of this misbehavior. Pick the first one to get the
correct SSID.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.
This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").
Add it again and update check_key_flag() accordingly.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
