Commit graph

7860 commits

Author SHA1 Message Date
Jouni Malinen
b591810f9b DPP2: Add DPP Status attribute into Reconfig Auth Confirm
Add and process DPP Status at the end of reconfig authentication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-08-07 23:33:59 +03:00
Jouni Malinen
c6d0e5a93d DPP2: Add E-id in Reconfig Announcement
Add an encrypted Enrollee identifier into Reconfig Announcement frames
and decrypt that on the Configurator side. The actual E-id value is
currently not used for anything, but it can be used in the future to
provide better control over reconfiguration.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-08-07 22:54:53 +03:00
Jouni Malinen
e5be6e68c8 DPP2: Add Enrollee netAccessKey group into Reconfig Announcement
This was added to the protocol design to support cases where the
C-sign-key uses a different group than the netAccessKey. The Enrollee
now indicates its netAccessKey group in Reconfig Announcement and the
Configurator builds it own reconfig Connector using that group instead
of the group used for the C-sign-key.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-08-07 15:25:10 +03:00
Jouni Malinen
7ca81190a8 SAE-PK: Allow SAE-PK style wpa_passphrase if SAE-PK is enabled with same
This prevents use of a SAE-PK style password as the WPA-PSK passphrase
only if the same password is not also enabled through sae_password for
use with SAE-PK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-08-06 23:52:07 +03:00
Rajasekaran Kalidoss
844ecc70a3 Additional TWT attributes for response path and resume
Introduce additional attributes for the TWT response parameters from the
host driver. Also, add ATTR_TWT_RESUME_FLOW_ID for TWT Resume request.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-08-06 16:32:33 +03:00
Jouni Malinen
0a9d7b169e SAE-PK: Update design for fingerprint encoding into password
Update the SAE-PK implementation to match the changes in the protocol
design:
- allow only Sec values 3 and 5 and encode this as a single bit field
  with multiple copies
- add a checksum character

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-08-05 22:05:20 +03:00
Veerendranath Jakkam
b28b9dfcbf OCV: OCI channel override support for testing (STA)
Add override parameters to use the specified channel while populating
OCI element in EAPOL-Key group msg 2/2, FT reassoc request, FILS assoc
request and WNM sleep request frames.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-08-03 11:02:13 +03:00
Sunil Dutt
d309dd52b0 Fix the documentation for QCA_WLAN_VENDOR_ATTR_CONFIG_UDP_QOS_UPGRADE
The documentation for the QCA_WLAN_VENDOR_ATTR_CONFIG_UDP_QOS_UPGRADE
attribute had incorrectly specified the value of 0 (corresponding to BE)
to disable the QoS upgrade. BK (1) is a lower priority AC compared to BE
and if BE is used to disable the upgrade, there would be no possibility
for configured UDP AC upgrade to replace BK-from-DSCP with BE. Thus,
correct this by specifying that the value of BK (1) is used to disable
this UDP AC upgrade.

Fixes: ebd5e764f9 ("Vendor attribute to configure QoS/AC upgrade for UDP frames")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-31 20:40:02 +03:00
Jouni Malinen
87971ff059 SAE-PK: Fix SAE confirm writing in some AP cases with transition mode
sae_check_confirm_pk() and sae_write_confirm_pk() were using different
checks for determining whether SAE-PK was used. It was apparently
possible to miss the checks in sae_write_confirm_pk() in some AP cases
where SAE H2E is being used. Fix this by checking sae->pk in the
write-confirm case similarly to the way this was done in check-confirm.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-31 20:32:35 +03:00
Jouni Malinen
240e9af4d1 SAE-PK: Make no-KEK debug prints distinct
Debug logs did not make it clear whether the failure happens when
checking a received SAE confirm or when writing own SAE confirm. Those
cases have different checks on when to go through SAE-PK processing, so
it is useful to make this part clear in the debug log.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-31 19:59:52 +03:00
Jouni Malinen
7c04bab710 tests: AES-CTR encrypt test vectors
Verify AES-CTR encryption implementation against the test vectors in
NIST SP 800-38a. This implementations was already tested against AES SIV
and EAX mode test vectors, but this adds more explicit testing against
published CTR mode test vectors.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-30 13:52:14 +03:00
Jouni Malinen
730fc307b1 Update documentation for vendor attributes to ignore BSSIDs during roaming
Replace some of the "blacklist" term to reduce undesired connotations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-24 12:26:22 +03:00
Jouni Malinen
f4877083ec Rename driver op for temporarily disallowed BSSIDs
Use the "tmp_disallow" name more consistently so that both the core
wpa_supplicant functionality (struct wpa_bss_tmp_disallowed) and the
wpa_driver_ops callback have more similar names.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-24 12:26:09 +03:00
Jouni Malinen
f8c756c5b8 FT: Rename temporary blocking of nonresponsive R0KH
Avoid use of the "blacklist" term here to reduce undesired connotations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-24 12:25:32 +03:00
Sunil Dutt
ebd5e764f9 Vendor attribute to configure QoS/AC upgrade for UDP frames
Introduce a new attribute QCA_WLAN_VENDOR_ATTR_CONFIG_UDP_QOS_UPGRADE
to configure access category override for UDP frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-17 23:26:34 +03:00
Sunil Dutt
d91fb3ce32 Add a vendor command to fetch the currently enabled band(s)
Introduces a vendor command to get the currently enabled band(s)
through QCA_NL80211_VENDOR_SUBCMD_GETBAND.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-17 23:23:03 +03:00
Sunil Dutt
29e47c4165 Vendor command to configure TWT
This commit defines a new vendor interface
QCA_NL80211_VENDOR_SUBCMD_CONFIG_TWT to configure TWT.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-17 22:48:26 +03:00
Sunil Dutt
8f396ad685 Enhance the qca_set_band enum values to be used as a bitmap
Also introduce a new attribute QCA_WLAN_VENDOR_ATTR_SETBAND_MASK to
carry this new bitmask enum. This attribute shall consider the bitmask
combinations to define the respective band combinations and substitutes
QCA_WLAN_VENDOR_ATTR_SETBAND_VALUE. The old attribute use remains same
as before.

In addition, document the previously undocumented, but defined,
QCA_NL80211_VENDOR_SUBCMD_SETBAND.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-07-17 18:43:05 +03:00
Seevalamuthu Mariappan
cc6153a8a4 nl80211: Fix sending proper VLAN ID attr value when using VLAN offload
The NL80211_ATTR_VLAN_ID attribute expects non-zero values, but vlan_id
with value 0 has been set in VLAN offload case. Due to this, station
connection failure is observed if the driver advertises VLAN_OFFLOAD
support:

nl80211: NL80211_ATTR_STA_VLAN (addr=8c:fd:f0:22:19:15 ifname=wlan0
         vlan_id=0) failed: -34 (Result not representable)
wlan0: STA 8c:fd:f0:22:19:15 IEEE 802.11: could not bind the STA
         entry to vlan_id=0

Fix this by setting only non-zero values.

Fixes: 0f903f37dc ("nl80211: VLAN offload support")
Signed-off-by: Seevalamuthu Mariappan <seevalam@codeaurora.org>
2020-07-16 00:25:14 +03:00
Pradeep Kumar Chitrapu
a57f98754e Fix enabling 40/80 MHz bandwidth support in the 6 GHz band
40/80 MHz bandwidth setting was being rejected due to incorrect sanity
check on the channel index. Fix that for the bandwidths larger than 20
MHz.

Fixes: d7c2c5c98c ("AP: Add initial support for 6 GHz band")
Signed-off-by: Pradeep Kumar Chitrapu  <pradeepc@codeaurora.org>
2020-07-16 00:08:58 +03:00
Jouni Malinen
5d8c5f344e SAE-PK: Fix password validation check for Sec
The 0..3 value decoded from the password was not incremented to the
actual 2..5 range for Sec. This resulted in not properly detecting the
minimum password length.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-25 01:39:45 +03:00
Jouni Malinen
0ce6883f64 tests: Fix SAE-PK password module tests
Couple of the test values were not actually valid, so remove them.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-25 01:39:45 +03:00
Vinita S. Maloo
70b80c31f9 nl80211: Do not send FILS ERP sequence number without rRK
FILS ERP cannot be used without rRK, so include these attributes only
together.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-24 00:29:58 +03:00
Wu Gao
52a3257621 6 GHz: Change 6 GHz channels per IEEE P802.11ax/D6.1
The channel numbering/center frequencies was changed in IEEE
P802.11ax/D6.1. The center frequencies of the channels were shifted by
10 MHz. Also, a new operating class 136 was defined with a single
channel 2. Add required support to change the channelization as per IEEE
P802.11ax/D6.1.

Signed-off-by: Wu Gao<wugao@codeaurora.org>
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2020-06-24 00:29:37 +03:00
Markus Theil
67efd19e0a nl80211: Use control port TX (status) in AP mode if possible
Check if nl80211 control port TX status is available in the kernel and
enable control port TX if so. With this feature, nl80211 control path is
able to provide the same feature set as nl80211 (management) + AF_PACKET
socket (control) before.

For debugging and testing, this can explicitly be disabled with
the driver parameter control_port_ap=0.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-06-21 18:07:54 +03:00
Jouni Malinen
569497bf4f nl80211: Work around misdelivered control port TX status
The kernel commit "mac80211: support control port TX status reporting"
seems to be delivering the TX status events for EAPOL frames over
control port using NL80211_CMD_FRAME_TX_STATUS due to incorrect check on
whether the frame is a Management or Data frame. Use the pending cookie
value from EAPOL TX operation to detect this incorrect behavior and
redirect the event internally to allow it to be used to get full TX
control port functionality available for AP mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-21 17:56:04 +03:00
Markus Theil
87065881b1 nl80211: Use ext ack handler for TX control port
Allow custom ack handler to be registered and use the ext ack handler
for TX control port to fetch the cookie information. If these cookies
are not supported by the current kernel, a value of 0 is returned.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-06-21 17:55:28 +03:00
Markus Theil
6f19cc4d78 nl80211: Handle control port TX status events over nl80211
In order to retransmit faster in AP mode, hostapd can handle TX status
notifications. When using nl80211, this is currently only possible with
socket control messages. Add support for receiving such events directly
over nl80211 and detecting, if this feature is supported.

This finally allows for a clean separation between management/control
path (over nl80211) and in-kernel data path.

A follow up commit enables the feature in AP mode.

Control port TX status contains the original frame content for matching
with the current hostapd code. Furthermore, a cookie is included, which
allows for matching against outstanding cookies in the future. This
commit only prints the cookie value for debugging purposes on TX status
receive.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-06-21 17:55:26 +03:00
Markus Theil
f7c657b79f nl80211: Add custom ack handler arguments to send_and_recv()
This is a preliminary patch for using extack cookies for TX control port
handling. Custom ack handler arguments for send_and_recv() and friends
is introduced therefore. This commit does not actually use the provided
values, i.e., that will be added in a separate commit.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-06-21 16:57:45 +03:00
Jouni Malinen
73ea1ad7f2 nl80211: Clean up SO_WIFI_STATUS error reporting
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-21 16:57:45 +03:00
Jouni Malinen
cd99a8c432 EAP-TEAP (server): Allow Phase 2 skip based on client certificate
eap_teap_auth=2 can now be used to configure hostapd to skip Phase 2 if
the peer can be authenticated based on client certificate during Phase
1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-20 18:07:04 +03:00
Jouni Malinen
5196293926 EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used
The EAP-TEAP server may skip Phase 2 if the client authentication could
be completed during Phase 1 based on client certificate. Handle this
similarly to the case of PAC use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-20 18:05:46 +03:00
Jouni Malinen
9593ce6587 OpenSSL: Provide access to peer subject and own certificate use
These are needed for EAP-TEAP server and client side implementation to
allow Phase 2 to be skipped based on client certificate use during Phase
1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-20 18:04:51 +03:00
Matthew Wang
b97aa038b7 Add WPA_EVENT_{DO,SKIP}_ROAM events
Add events for within-ESS reassociation. This allows us to monitor roam
events, both skipped and allowed, in tests.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2020-06-19 18:34:26 +03:00
Jouni Malinen
0bbab64656 DPP2: Fix dot1x config object parsing without trustedEapServerName
Need to check that the JSON node was found before using its value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:48 +03:00
Jouni Malinen
8f88dcf050 DPP2: Add an automatic peer_bi entry for CSR matching if needed
This allows the DPP_CA_SET command to be targeting a specific DPP-CST
event in cases where the Configurator did not receive the bootstrapping
information for the peer.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:48 +03:00
Jouni Malinen
b25ddfe9d3 DPP2: Add Enrollee name into CSR as the commonName
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:48 +03:00
Jouni Malinen
11aa77e00f DPP2: GAS comeback response processing for Enrollee over TCP
This is almost identical to processing of the GAS initial response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:37 +03:00
Jouni Malinen
18e013a93f DPP2: GAS comeback request processing for Configurator over TCP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:37 +03:00
Jouni Malinen
68d9586a46 DPP2: GAS Comeback Request for the TCP case
Make the Enrollee handle GAS comeback delay when performing DPP over
TCP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 13:17:17 +03:00
Jouni Malinen
a352c7230d DPP2: Comeback delay response for certificate in over TCP case
Send out the GAS Initial Response with comeback delay when Configurator
is operating over TCP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 13:03:29 +03:00
Jouni Malinen
0f9463d6ee DPP2: CSR wait in Configurator when using TCP
Make Configurator wait for CSR (i.e., another Config Request) when using
DPP over TCP similarly to the over Public Action frame case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 12:56:51 +03:00
Jouni Malinen
1f86b2c248 DPP2: CSR generation in TCP Client/Enrollee
This was previously covered for the DPP over Public Action frames, but
the DPP over TCP case was missed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 12:10:23 +03:00
Alan Chen
ffc8ae507e Define a new QCA vendor attribute for Optimized Power Management
Define a new attribute configuring Optimized Power Management.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 21:59:47 +03:00
Jouni Malinen
3b60f11741 DPP2: Validate CSR on Configurator before forwarding to CA/RA
Parse the received CSR, verify that it has been signed correctly, and
verify that the challengePassword is present and matches the derived cp.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 20:33:07 +03:00
Jouni Malinen
c98db9f1f8 DPP2: Add challengePassword into CSR
Derive challengePassword from bk and add it into the CSR.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 12:22:08 +03:00
Jouni Malinen
dbbb0d5b82 OpenSSL: Use EVP-based interface for ECDSA sign/verify
The low level ECDSA interface is not available in BoringSSL and has been
deprecetated in OpenSSL 3.0, so move to using a higher layer EVP-based
interface for performing the ECDSA sign/verify operations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:26:09 +03:00
Jouni Malinen
ace3723d98 DPP2: Enterprise provisioning (Enrollee)
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS)
configuration object. This commit is handling only the most basic case
and a number of TODO items remains to handle more complete CSR
generation and config object processing.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:26:06 +03:00
Jouni Malinen
6568e5d203 DPP2: Enterprise provisioning (Configurator)
Add Configurator functionality for provisioning enterprise (EAP-TLS)
configuration object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
4643b2feec DPP2: Enterprise provisioning definitions for dot1x AKM
Add shared AKM definitions for provisioning enterprise (EAP-TLS)
credentials.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00