Update the documentation with values to be sent for seg0 and seg1 fields
in external ACS result event for 20 MHz, 40 MHz, 80 MHz, 160 MHz, and
80+80 MHz channels. These values match the changes done to definitions
of seg0 and seg1 fields in the IEEE 802.11 standard.
This vendor command had not previously been documented in this level of
detail and had not actually been used for the only case that could have
two different interpretation (160 MHz) based on which version of IEEE
802.11 standard is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the new set_key() parameter "key_flag" to provide more specific
description of what type of a key is being configured. This is needed to
be able to add support for "Extended Key ID for Individually Addressed
Frames" from IEEE Std 802.11-2016. In addition, this may be used to
replace the set_tx boolean eventually once all the driver wrappers have
moved to using the new key_flag.
The following flag are defined:
KEY_FLAG_MODIFY
Set when an already installed key must be updated.
So far the only use-case is changing RX/TX status of installed
keys. Must not be set when deleting a key.
KEY_FLAG_DEFAULT
Set when the key is also a default key. Must not be set when
deleting a key. (This is the replacement for set_tx.)
KEY_FLAG_RX
The key is valid for RX. Must not be set when deleting a key.
KEY_FLAG_TX
The key is valid for TX. Must not be set when deleting a key.
KEY_FLAG_GROUP
The key is a broadcast or group key.
KEY_FLAG_PAIRWISE
The key is a pairwise key.
KEY_FLAG_PMK
The key is a Pairwise Master Key (PMK).
Predefined and needed flag combinations so far are:
KEY_FLAG_GROUP_RX_TX
WEP key not used as default key (yet).
KEY_FLAG_GROUP_RX_TX_DEFAULT
Default WEP or WPA-NONE key.
KEY_FLAG_GROUP_RX
GTK key valid for RX only.
KEY_FLAG_GROUP_TX_DEFAULT
GTK key valid for TX only, immediately taking over TX.
KEY_FLAG_PAIRWISE_RX_TX
Pairwise key immediately becoming the active pairwise key.
KEY_FLAG_PAIRWISE_RX
Pairwise key not yet valid for TX. (Only usable with Extended Key ID
support.)
KEY_FLAG_PAIRWISE_RX_TX_MODIFY
Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX.
KEY_FLAG_RX_TX
Not a valid standalone key type and can only used in combination
with other flags to mark a key for RX/TX.
This commit is not changing any functionality. It just adds the new
key_flag to all hostapd/wpa_supplicant set_key() functions without using
it, yet.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
According to IEEE P802.11ax/D6.0, 11.1.4.3.4 (Criteria for sending a
response), AP should answer Probe Request frames if either SSID or Short
SSID matches. Implement this part of the Short SSID use for the BSS (the
collocated 6 GHz BSS case is not covered in this commit).
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Move this implementation from check_40mhz_2g4() into a new helper
function check_bss_coex_40mhz function() so that it can be used in the
station mode case as well as the previously used AP mode case.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
WPS_EVENT_CANCEL is added to indicate cancellation of a WPS operation
for any reason in hostapd/wpa_supplicant.
WPS_EVENT_PIN_ACTIVE is added to indicate when a PIN operation is
triggered in wpa_supplicant.
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
The case where the old RSNE included one or more PMKIDs and that RSNE
was followed by another IE was handled incorrectly since the
os_memmove() to move the end of the buffer when removing old PMKIDs was
stopping copying at the end of the RSNE, not the end of the IE buffer.
This could result in corrupting the IE that followed the RSNE. In
practice, this broke FT-SAE with H2E by corrupting the RSNXE that is in
the buffer after the RSNE.
Fix this by copying the full end of the buffer (i.e., including the
following RSNXE in the visible error case) when removing the old PMKIDs.
Signed-off-by: Jouni Malinen <j@w1.fi>
Fix a memory leak exposed by the dpp_own_config_sign_fail test.
Fixes: 52d469de11 ("DPP2: Support multiple Config Objects in Enrollee")
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO with
attributes defined in enum qca_wlan_vendor_attr_get_sta to get
information for a BSS in STA mode or for a peer STA in AP mode. This
vendor sub command can be used to get STA information from the driver to
userspace. The attributes defined in enum
qca_wlan_vendor_attr_get_sta_info are used to encapsulate required
information.
Signed-off-by: Min Liu <minliu@codeaurora.org>
Use op_class to derive channel width for the operating channel when
op_class is configured by the user in both fixed channel and ACS cases.
We can avoid using ht_capab field to derive channel width especially in
the 6 GHz band in which only HE is supported.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Only HE mode is allowed in the 6 GHz band hence do not enable HT/VHT
even if they are configured by the user.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support to exclude non-PSC 6 GHz channels from the input frequency
list to ACS. The new acs_exclude_6ghz_non_psc=1 parameter can be used by
6 GHz only APs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Using the channel parameter for validating allowed channel combinations
is not scalable to add 6 GHz support in the future since channel numbers
are duplicated between 2.4 GHz / 5 GHz bands and 6 GHz band. Hence use
frequency field for all channel combination validation steps done before
starting AP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The 5 GHz channels are stored in one hw_features set with mode
HOSTAPD_MODE_IEEE80211A while the 6 GHz channels will need to stored in
a separate hw_features set (but with same mode HOSTAPD_MODE_IEEE80211A)
due to possibility of different HE capabilities being available between
the 5 GHz and 6 GHz bands.
Search through all hw_features sets whose mode is same as the input mode
while finding channel corresponding to the input frequency in
hw_get_channel_freq().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update new channels in Channel Bonding (CB2 ... CB4) in the 60 GHz band
for different regulatory regions according to the latest draft amendment
IEEE P802.11ay/D5.0.
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Add EDMG bandwidth to CHANWIDTH_ defines.
Update API ieee80211_freq_to_channel_ext() to support EDMG bandwidth
for EDMG channels.
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
The netRole enum is more generic and can be extended to include new
roles (e.g., Configurator) more easily.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd and wpa_supplicant DPP implementation to allow the
bootstrapping URI to be generated for and parsed from an NFC Tag with an
NFC URI Record. This is similar to the way the bootstrapping URI is used
with QR Code for unidirectional authentication.
The DPP_BOOTSTRAP_GEN command uses "type=nfc-uri" to request the URI to
be assigned for NFC URI Record. In practice, the URI is generated
identically to the QR Code case, but the internal entry maintains the
NFC-URI type.
A new command "DPP_NFC_URI <uri>" can now be used to parse the URI read
from an NFC Tag with the NFC URI Record. This is similar to the
DPP_QR_CODE command.
Other commands (mainly, DPP_LISTEN and DPP_AUTH_INIT) are used for NFC
URI in the same way as they are used for QR Code.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows Configurator to be configured to use the ssid64 option in
the discovery object for a station Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The discovery object is now allowed to use either the UTF-8 encoded
string ssid or base64url encoded ssid64.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no use case for adding padding into the base64url encoded
strings, so remove the unneeded add_pad argument that was hardcoded to 0
in all callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The UTF-8 encoded ssid string was replaced with base64url encoded ssid64
string, so update the implementation to match.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
To config BT coex chain mode, add a new QCA sub command
QCA_NL80211_VENDOR_SUBCMD_BTC_CHAIN_MODE.
This new command has two attributes:
1. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE: u32 attribute. Indicates the
BT coex chain mode, are 32-bit values from enum qca_btc_chain_mode.
2. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE_RESTART: flag attribute.
If set, vdev should be restarted once BT coex chain mode is updated.
Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
The QCA_NL80211_VENDOR_SUBCMD_OEM_DATA command was previously defined
only to pass data blobs from user space to kernel (application to
firmware) but there was no mechanism to send the data blobs from
firmware to application. Extend this to define use of the same
subcommand and attributes as vendor events.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Remove support for performing full sqrt(), i.e., only support curves
that use prime with p = 3 mod 4. In practice, this drops only group 26
with SAE H2E. This seems acceptable since there does not seem to be any
strong use case for that group taken into account the limits being
placed on acceptable prime lengths.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Protect RSNXE, if present, in FT Reassociation Request/Response frames.
This is needed for SAE H2E with FT.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a single struct definition and a single shared implementation for
parsing EAPOL-Key KDEs and IEs instead of maintaining more or less
identical functionality separately for wpa_supplicant and hostapd.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE with
attributes qca_wlan_vendor_attr_add_sta_node_params to add STA peer
entries in AP mode. This vendor sub command is used in FT roaming
scenario to send STA node information from application/service to
driver/firmware. The attributes defined in enum
qca_wlan_vendor_attr_add_sta_node_params are used to deliver the
parameters.
Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
The OEM data binary blobs from application/service will be routed to the
appropriate device based on this attribute value. This optional
attribute is used to specify whether the device type is virtual or
physical. This attribute can be omitted when the command is for a
virtual device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some chipsets don't have the capability to run agile spectral scan with
160/80+80 MHz modes. Add separate agile spectral scanning capability
flags for 160, 80+80, and non-160 MHz modes to cover such cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When operating on the 6 GHz band, add 6 GHz Operation Information inside
the HE Operation element and don't publish HT/VHT IEs.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
- Replace HOSTAPD_MODE_IEEE80211AX mode checks with is_6ghz_op_class()
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
Add support for new hardware mode for 6 GHz band. 6 GHz operation is
defined in IEEE P802.11ax/D4.3. 6 GHz band adds global operating classes
131-135 that define channels in frequency range from 5940 MHz to 7105
MHz.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
- Remove HOSTAPD_MODE_IEEE80211AX mode
- Replace check for HOSTAPD_MODE_IEEE80211AX with is_6ghz_freq()
- Move center_idx_to_bw_6ghz() to ieee802_11_common.c file
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
These are the defined values/identifiers for SAE hash-to-element
mechanism from IEEE P802.11-REVmd/D3.0.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The logic for displaying the message about no configuration being
available for the Enrollee was reversed when support for multiple Config
Objects was added. This was supposed to be shown only if the first
Config Object fails (i.e., when no configuration is available); not when
second attempt fails (since the first one had already been successful in
that case).
Fixes: 7eb06a3369 ("DPP2: Allow multiple Config Objects to be build on Configurator")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new use_akm_selector=1 value to Configurator parameters can now be
used to request a list of AKM suite selectors to be used in the
Configuration Object if the Enrollee supports version 2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process all received DPP Configuration Object attributes from
Configuration Result in Enrollee STA case. If wpa_supplicant is
configured to add networks automatically, this results in one network
being added for each included Configuration Object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Special @CONF-OBJ-SEP@ string can now be used as a DPP configuration
string value to split the string into two different components to
configure two Config Objects for an Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Go through the received bandSupport JSON array and print its contents in
the debug log. This information might be exposed to upper layer
configuration generation/use somehow in the future.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be
used to set Configurator to request a station Enrollee to report
connection result after a successfully completed provisioning step. If
the peer supports this, the DPP-CONF-SENT event indicates this with a
new argument (wait_conn_status=1) and the Configurator remains waiting
for the connection result for up to 16 seconds.
Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event
is generated with arguments result, ssid, and channel_list indicating
what the Enrollee reported. result=0 means success while non-zero codes
are for various error cases as specified in the DPP tech spec. If no
report is received from the Enrollee, the event with "timeout" argument
is generated locally.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is more consistent with the use of CONFIG_DPP2 since the
Configuration Result message is sent only when using version 2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If only one of the allocations fails, the successful allocation needs to
be freed on the error path.
Fixes: 22f90b32f1 ("DPP2: Configuration Result message generation and processing")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previous support in the 60 GHz band was for channels 1-4.
Add support for channels 5 and 6.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Update the documentation of QCA_ATTR_ROAM_CONTROL_SCAN_FREQ_LIST
to make it a nested attribute to carry frequencies of type u32.
This is to be in sync with the nl80211 attribute
NL80211_ATTR_SCAN_FREQUENCIES.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Set the max value of optional bytes inside the data structure. This
requires us to calculate the actually used size when copying the
HE capabilities and generating the IE.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Track PMK-R0/PMK-R0-Name from the initial mobility domain association
and derive PMK-R1/PTK when the station uses FT protocol. This allows
frames from additional roaming cases to be decrypted.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If FT over-the-DS case is enforced through the "FT_DS <BSSID>" control
interface command, the PMF capability check during BSS selection is not
used and that could have allowed PMF to be disabled in the over-the-DS
case even if the local network profile mandated use of PMF. Check
against this explicitly to avoid unexpected cases if the APs within the
same mobility domain are not configured consistently.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is not used only with FT, so make the comments less confusing and
include the function in all builds to make it available for
non-FT/non-FILS builds.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add vendor command QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY_EXT
and attribute qca_wlan_vendor_attr_avoid_frequency_ext to send structured
avoid frequency data.
This new command is alternative to existing command
QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY since existing command is
using stream of bytes instead of structured data using vendor attributes.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
As a part of P802.11ax amendment, 6 GHz band operation is added.
Since the 6 GHz channel numbers are overlapping with existing 2.4 GHz
and 5 GHz channel numbers, use frequency to identify unique channel
operation instead of channel number. Channel frequency is unique across
bands.
In the existing QCA vendor interface, wherever missing, add frequency
attributes to identify unique channel operation. In addition, add
comments to document some of the previously missed attributes/values.
Note: If both channel and frequency attributes are present in vendor
command/event and
(a) If both the driver and user-space application supports 6 GHz band
then channel related attributes are deprecated and use frequency
attributes.
(b) If either driver or user-space application or both doesn't
support 6 GHz band then use channel attributes.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Add QCA_WLAN_VENDOR_ATTR_SAP_CONFIG_CHANNEL attribute in
enum qca_wlan_vendor_attr_sap_config to use with vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_SAP_CONFIG.
This new attribute is used to restart AP on given channel.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_ACS_POLICY
with attributes enum qca_wlan_vendor_attr_acs_config and
enum qca_acs_dfs_mode to configure ACS policy.
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
This enhances the existing vendor command QCA_NL80211_VENDOR_SUBCMD_ROAM
with the following configurations:
1. Set/get/clear roam control
2. Set/get the channels on which the roaming has to be triggered.
3. Set/get the roam scan period.
4. Configure the triggers for roaming.
5. Configure the candidate selection criteria.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
qca_wlan_vendor_attr_roam_subcmd is an enum associated with the
attribute QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD. It represents different
sub command values and these are not the attributes. Hence, rename the
enum to qca_wlan_vendor_roaming_subcmd. Accordingly, the members of this
enum are also renamed to suite the usage.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
The KCK, PMK, and PMKID derivation fix broke SAE key derivation for all
FFC groups. Fix that by setting sae->tmp->order_len for FFC groups (it
was only set for ECC groups).
Fixes: ac734a342e ("SAE: Fix KCK, PMK, and PMKID derivation for groups 22, 23, 24")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This replaces the separately implemented ECDH operations with a single
helper function to avoid code duplication. In addition, this introduces
a workaround for strange OpenSSL behavior where the first
EVP_PKEY_derive(NULL) call to learn the size of the output shared secret
returns unexpectedly large buffer (72 octets when expected 32 octets for
group 19). It is not known what is causing this, but such behavior seems
to be showing up every now and then at least when running hwsim test
cases under UML and apparently mainly (only?) in the sigma_dut
controller cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.11-2016 is not exactly clear on the encoding of the bit
string that is needed for KCK, PMK, and PMKID derivation, but it seems
to make most sense to encode the (commit-scalar + peer-commit-scalar)
mod r part as a bit string by zero padding it from left to the length of
the order (in full octets).
The previous implementation used the length of the prime (in full
octets). This would work for KCK/PMK, but this results in deriving all
zero PMKIDs for the groups where the size of the order is smaller than
the size of the prime. This is the case for groups 22, 23, and 24.
However, those groups have been marked as being unsuitable for use with
SAE, so this fix should not really have a practical impact anymore.
Anyway, better fix it and document this clearly in the implementation
taken into account the unclarity of the standard in this area.
Signed-off-by: Jouni Malinen <j@w1.fi>
Disable groups that use Brainpool curves for now since they leak more
timing information due to the prime not being close to a power of two.
This removes use of groups 28, 29, and 30 from SAE and EAP-pwd.
Signed-off-by: Jouni Malinen <j@w1.fi>
These SAE, OWE, DPP, and OSEN AKM suite selectors were covered in the
reverse conversion in rsn_key_mgmt_to_bitfield(), but were missing from
wpa_akm_to_suite(). Add them to make AKM suite selector reporting more
accurate in RADIUS Accounting messages (and future users of this
function).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a shared function to determine the k parameter, i.e., the minimum
number of iterations of the PWE derivation loop, for SAE and EAP-pwd.
This makes it easier to fine-tune the parameter based on the negotiated
group, if desired.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add attributes QCA_WLAN_VENDOR_ATTR_CONFIG_ELNA_BYPASS under
the enum qca_wlan_vendor_attr_config to support set and get
the ELNA bypass.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
Add a new vendor attribute QCA_WLAN_VENDOR_ATTR_DISCONNECT_IES
to configure disconnect IEs to the driver. Driver shall fill
these IEs in disassoc/deauth frame.
These IEs are expected to be considered only for the next
immediate disconnection (disassoc/deauth frame) originated by
the DUT, irrespective of the entity (user space/driver/firmware)
triggering the disconnection.
The host drivers are not expected to use the IEs set through
this interface for further disconnections after the first immediate
disconnection initiated post the configuration.
If the IEs are also updated through cfg80211 interface (after the
enhancement to cfg80211_disconnect), host driver is expected to
take the union of IEs from both of these interfaces and send in
further disassoc/deauth frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_OEM_DATA
with attributes qca_wlan_vendor_attr_oem_data_params to support
OEM data. It is used to send OEM data binary blobs from
application/service to firmware. The attributes defined in enum
qca_wlan_vendor_attr_oem_data_params are used to deliver the
parameters.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Signed-off-by: Jouni Malinen <j@w1.fi>
The driver automatically starts beacon reporting if it pauses the beacon
reporting for any reason other than disconnection. In specific cases,
userspace may not want the beacon reporting to be automatically resumed
after a pause. Add interface support for userspace to specify driver not
to start beacon reporting automatically after a pause.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the following vendor attributes under the enum
qca_wlan_vendor_attr_spectral_scan to support the configuration of
Spectral DMA debug.
1. QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_RING_DEBUG
Enable/disable debug of the Spectral DMA ring
2. QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_BUFFER_DEBUG
Enable/disable debug of the Spectral DMA buffers
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a config option to allow setting a custom Basic NSS/MCS set. As a
default we use single stream HE-MCS 0-7.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Process HE information in (Re)Association Request frames and add HE
elements into (Re)Association Response frames when HE is enabled in the
BSS.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The HE Capibilities element has dynamic size due to the variable length
and optional fields at the end. Mask out the channel width capabilities
that are less than the configured. Only add the MCS/NSS sets for the
announced channel widths and also add the PPET elements.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
oper_chwidth is used for both VHT and HE here.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The bandwidth values are shared between VHT and HE mode so remove the
VHT specific prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The bootstrapping URI format for DPP was extended during protocol design
to allow a list of channels without having to repeat the same operating
class information for each channel. That change was not included in the
initial implementation of the parser and a channel-list like
"C:81/1,6,11" would not be understood correctly (i.e., only the longer
"C:81/1,81/6,81/11" form would have been parsed correctly).
Fix this by extending the parser to accept both the shorter and longer
form for a list of channels within a single operating class.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->own_protocol_key to be overridden without having
freed the previously stored key in case a test sequence in
dpp_proto_auth_conf_replaced_by_resp is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->peer_protocol_key to be overridden without having
freed the previously stored key in case two Authentication Response
messages are received.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The result of EC_GROUP_dup() needs to be freed, so do so within the
derivation functions for all error cases and in the callers for success
cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is mostly a theoretical case, but since crypto_bignum_rand() could
fail, need to free the allocated struct crypto_bignum *tmp in such a
case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EC_GROUP_new_by_curve_name() allocates memory for the returned pointer,
so need to free this with EC_GROUP_free() before leaving the calling
functions. This was leaking memory when parsing JWK and when performing
PKEX.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In practice, some APs have interop issues with the DUT. This sub command
is used to transfer the AP info between the driver and user space. This
works both as a command and event. As a command, it configures the
stored list of APs from user space to firmware; as an event, it
indicates the AP info detected by the firmware to user space for
persistent storage. The attributes defined in enum
qca_vendor_attr_interop_issues_ap are used to deliver the parameters.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
Update enum qca_wlan_vendor_attr_get_wifi_info to add support for
attribute QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX. In addition
update the documentation for qca_wlan_vendor_attr_get_wifi_info and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO to fully describe the
operation of the command and the format of the attributes.
Signed-off-by: Jeff Johnson <jjohnson@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING
to implement beacon reporting feature. Different operations required to
implement this feature can be specified in
QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE.
Userspace requests the driver/firmware to periodically report received
Beacon frames whose BSSID matches the current connected BSS's MAC
address. If userspace requests the driver/firmware to send beacon
reports actively, the driver encapsulates the details of the beacon in
an event and sends it to userspace asynchronously. Otherwise, the driver
will only update the beacon in cfg80211 scan cache but will not send any
event to userspace.
If this command is not issued, the current behavior of the
driver/firmware is to update the cfg80211 scan cache only when there is
a scan issued by the host in progress or whenever there is a change in
IEs of the Beacon frames from the current connected BSS.
The userspace requests the driver/firmware to stop reporting beacons
when reporting is not required anymore. If the driver/firmware is not
able to receive Beacon frames because of other Wi-Fi operations such as
off-channel activities, etc., the driver/firmware sends a pause event to
userspace and stops reporting Beacon frames. The driver/firmware
indicates whether the beacon reporting automatically resumes later by
using the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES flag. If
userspace doesn't want the beacon reporting to be resumed automatically,
userspace can send QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP command to
the driver to stop beacon reporting.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no point in checking this pointer against NULL after it has
been dereferenced. Move the check to the beginning of the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
The first four octets of the element were used as a host byte order u32.
That is not correct on bigendian CPUs, so handle byte swapping needs
properly. Mark the he_oper_params field as le32 to explicitly indicate
the byte order and swap the generated params content based on CPU byte
order.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Start sharing common SAE and EAP-pwd functionality by adding a new
source code file that can be included into both. This first step is
bringing in a shared function to check whether a group is suitable.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Move the identical function used by both SAE and EAP-pwd to
src/utils/common.c to avoid duplicated implementation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This reduces timing and memory access pattern differences for an
operation that could depend on the used password.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA
thresholds. For this to work the AP needs to broadcast the element
first.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
According to P802.11ax/D4.0 9.4.2.238 (HE Operation element) the BSS
Color Information field is located after the HE Operation Parameters
field. Fix the ordering of the bit masks/offsets for fields in these 3+1
octets used as a single 32-bit value. With these changes, Wireshark 3.2
is able to properly parse and display Beacon frames.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
This makes it easier to upper layer components to manage operating
channels in cases where the same radio is shared for both station and AP
mode virtual interfaces.
Signed-off-by: Omer Dagan <omer.dagan@tandemg.com>
Logs involving IEEE 802.11 Status Codes output the Status Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each status code using the latter part
of the Status Code #define names.
Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
Logs involving IEEE 802.11 Reason Codes output the Reason Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each Reason Code using the latter part
of the reason code #define names.
Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
Add initial implementation of DPP-over-TCP. This adds the general TCP
encapsulation routines into the shared src/common/dpp.c implementation.
That functionality will be exposed through hostapd and wpa_supplicant in
the following commits.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be helpful for testing DPP2 Controller functionality (get
pkhash from Controller to Relay).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to provide configurable parameter to the global DPP
context. This initial commit introduces the msg_ctx context pointer for
wpa_msg().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
Explicitly verify that own and peer commit scalar/element are available
when trying to check SAE confirm message. It could have been possible to
hit a NULL pointer dereference if the peer element could not have been
parsed. (CVE-2019-9496)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Try to avoid showing externally visible timing or memory access
differences regardless of whether the derived pwd-value is smaller than
the group prime.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is an initial step towards making the FFC case use strictly
constant time operations similarly to the ECC case.
sae_test_pwd_seed_ffc() does not yet have constant time behavior,
though.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These groups have significant probability of coming up with pwd-value
that is equal or greater than the prime and as such, need for going
through the PWE derivation loop multiple times. This can result in
sufficient timing different to allow an external observer to determine
how many rounds are needed and that can leak information about the used
password.
Force at least 40 loop rounds for these MODP groups similarly to the ECC
group design to mask timing. This behavior is not described in IEEE Std
802.11-2016 for SAE, but it does not result in different values (i.e.,
only different timing), so such implementation specific countermeasures
can be done without breaking interoperability with other implementation.
Note: These MODP groups 22, 23, and 24 are not considered sufficiently
strong to be used with SAE (or more or less anything else). As such,
they should never be enabled in runtime configuration for any production
use cases. These changes to introduce additional protection to mask
timing is only for completeness of implementation and not an indication
that these groups should be used.
This is related to CVE-2019-9494.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make the non-failure path in the function proceed without branches based
on r_odd and in constant time to minimize risk of observable differences
in timing or cache use. (CVE-2019-9494)
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The QR test result can provide information about the password to an
attacker, so try to minimize differences in how the
sae_test_pwd_seed_ecc() result is used. (CVE-2019-9494)
Use heap memory for the dummy password to allow the same password length
to be used even with long passwords.
Use constant time selection functions to track the real vs. dummy
variables so that the exact same operations can be performed for both QR
test results.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Inclusion of common/dpp.h into hostapd/main.c brought in an undesired
unconditional dependency on OpenSSL header files even for builds where
DPP is not enabled. Fix this by making the dpp.h contents, and in
particular the inclusion of openssl/x509.h, conditional on CONFIG_DPP.
Fixes: 87d8435cf9 ("DPP: Common configurator/bootstrapping data management")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The rules defining which DH groups are suitable for SAE use were
accepted into IEEE 802.11 REVmd based on this document:
https://mentor.ieee.org/802.11/dcn/19/11-19-0387-02-000m-addressing-some-sae-comments.docx
Enforce those rules in production builds of wpa_supplicant and hostapd.
CONFIG_TESTING_OPTIONS=y builds can still be used to select any o the
implemented groups to maintain testing coverage.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit introduces an attribute
QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_REASON to carry the roam reason code
through QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH event.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Avoid duplicated code in each user of dpp_build_conf_req() by moving the
common encapsulation case into this helper function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Merge the practically copy-pasted implementations in wpa_supplicant and
hostapd into a single shared implementation in dpp.c for managing
configurator and boostrapping information. This avoid unnecessary code
duplication and provides a convenient location for adding new global DPP
data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The offset update for copying KEK2 from the extended PTK was overriding
the offset instead of incrementing it (a likely copy-paste error from
the first offset assignment based on KCK). This resulted in KEK2 being
set to incorrect segment of PTK. Fix this by updating the offset
properly so that KEK2 is copied from the correct place at the end of the
PTK.
Fixes: 2f37387812 ("FILS: Add more complete support for FT-FILS use cases")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use Diffie-Hellman key exchange to derivate additional material for
PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element
(defined in OWE RFC 8110) is used in association frames to exchange the
DH public keys. For backwards compatibility, ignore missing
request/response DH parameter and fall back to no PFS in such cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
DPP allows Diffie-Hellman exchange to be used for PFS in PTK derivation.
This requires an additional Z.x (x coordinate of the DH shared secret)
to be passed to wpa_pmk_to_ptk(). This commit adds that to the function
and updates all the callers to pass NULL,0 for that part in preparation
of the DPP specific changes to start using this.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>