AT_KDF attributes need to be included in Synchronization-Failure
according to EAP-AKA' specification RFC 5448.
Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sony.com>
pmksa_cache_add_entry() may actually free old_entry if the PMKSA cache
is full. This can result in the PMKSA cache containing entries with
corrupt expiration times.
Signed-off-by: Andrew Elble <aweits@rit.edu>
The "FILS: No pending HLP DHCP exchange with hw_addr" debug message was
missing a space before the following MAC address, so add that there to
make the message more readable.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like these parameters related to FT have never been used, so
remove them from causing confusion. The separate update_ft_ies()
callback is used to provide the FT elements.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new sae_commit_override=<hexdump> parameter can be used to force
hostapd to override SAE commit message fields for testing purposes. This
is included only in CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Allow hostapd to be configured to perform SAE reflection attack for SAE
testing purposes with sae_reflection_attack=1 configuration parameter.
This is included only in CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add PMKID into EAPOL-Key 1/4 when using SAE and fix the PMK-from-PMKSA
selection in some cases where PSK (from passphrase) could have been
used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was previously defined inconsistently (H() vs. SHA256()), but it is
now clarified in the draft tech spec to use SHA256(), so update
implementation to do that.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
NL80211_ATTR_AUTH_TYPE needs to be skipped if multiple auth_alg options
are included. The previous list missed the new FILS auth_alg here and
ended up not doing so if OPEN and FILS were included.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
DPP tech spec changed the contents of these frames by replacing the
public key hash attributes with a Transaction ID attribute that gets
copied from the request to the response to identify the transaction in a
simpler manner.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use the SSL_get_SSL_CTX() helper instead of dereferencing SSL* since
struct ssl_st is not exposed in public header files anymore.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is an event indicating to the user space that the driver has
detected an internal failure. The driver is expected to recover from
such a failure automatically, e.g., by resetting the device. This event
carries the information indicating the reason that triggered this
detection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous implementation was able to parse arrays of objects, but not
arrays of other types of items.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The two channel width bits in the VHT capability field can be decoded in
following values (IEEE Std 802.11ac-2013 8.4.2.160.2 VHT Capabilities
Info field):
* 0: no 160 or 80+80 MHz support
* 1: 160 MHz support
* 2: 160 and 80+80 MHz support
* 3: (reserved)
The check must therefore not be done bitwise but instead it must checked
whether the capabilities announced by the driver are at least the ones
requested by the user.
Fixes: c781eb8428 ("hostapd: Verify VHT capabilities are supported by driver")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Previously, CONFIG_WNM enabled build that supports WNM for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode WNM is required and there is no need for AP mode WNM.
Add support to differentiate between station mode WNM and AP mode
WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be
used when AP mode WNM support is required in addition to station mode
WNM. This allows binary size to be reduced for builds that require
only the station side WNM functionality.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
X509_ALGOR_get0() was modified to use const ** pointer as the first
argument in OpenSSL 1.1.0, so need to use different type here to avoid
compilation issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the pointer to strdup passwd was left in OpenSSL library
default_passwd_cb_userdata and even the default_passwd_cb was left set
on an error path. To avoid unexpected behavior if something were to
manage to use there pointers, clear them explicitly once done with
loading of the private key.
Signed-off-by: Jouni Malinen <j@w1.fi>
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".
This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.
[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add OCE IE in Beacon, Probe Response, and (Re)Association Response
frames if OCE is enabled in the configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Check if device supports OCE STA/STA-CFON/AP specific mandatory
features. This commit includes checking based on the QCA vendor
attributes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This request ID was wrongly referred from the REQUEST_ID in
enum qca_wlan_vendor_attr_gscan_config_params which is mapped to
QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM in PNO Config.
Hence define a different attribute to represent the request ID
for PNO Config.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In case of incorrect HT40 configuration as part of an attempt to create
a 80 MHz AP, iface->conf->vht_oper_centr_freq_seg0_idx and
iface->conf->vht_oper_centr_freq_seg1_idx are zero'ed, but
iface->conf->vht_oper_chwidth remains VHT_CHANWIDTH_80MHZ. This causes
the logic in dfs_get_start_chan_idx to fail.
Fix this by setting iface->conf->vht_oper_chwidth to
VHT_CHANWIDTH_USE_HT when zero'ing the center frequency parameters.
Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
dpp.h file requires openssl in order to compile, which breaks
compilation on systems without it.
Move DPP_OUI_TYPE to ieee802_11_defs.h and don't include dpp.h when
not really needed.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add changes to control interface command get_capability to advertize
FILS capability, FILS AKMs suites, and FILS Authentication algorithms
based on the driver capabilities.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The attribute is QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SAR_ENABLE, not
QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SELECT.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd did not add a new PMKSA cache entry when FILS shared key
authentication was used, i.e., only the initial full authentication
resulted in a PMKSA cache entry being created. Derive the PMKID for the
ERP case as well and add a PMKSA cache entry if the ERP exchange
succeeds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The EAP message included in FILS Wrapped Data from the non-AP STA to the
AP is EAP-Initiate/Re-auth.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The DPP Configurator can use this new command to generate its own signed
connector for the network that it manages.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the hostapd control interface to support the
DPP_BOOTSTRAP_INFO command that was recently added for wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
