Add NAN attributes to communicate IPv6 address, port, and protocol
between wifihal and host driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The n argument to this function is number of bits, not bytes, to shift.
As such, need to use mp_rshb() instead of mp_rshd(). This fixes EAP-pwd
with P-521 curve.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, hostapd CHAN_SWITCH command did not effect VHT configuration
for the following:
When VHT is currently disabled (ieee80211ac=0),
1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 \
sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
====> Comes up in HT40
2. hostapd_cli -p /var/run/hostapd chan_switch 10 5765 \
sec_channel_offset=-1 center_freq1=5775 bandwidth=40 vht
====> Comes up in HT40
3. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 \
bandwidth=20 vht
====> Comes up in HT20
When VHT is currently enabled (ieee80211ac=1),
1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 \
sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
====> Comes up in VHT40
2. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 \
bandwidth=20 ht
====> Comes up in VHT20
This is since VHT config from chan_switch is processed only for
bandwidths 80 and above (80P80, 160) and for VHT20, VHT40 cases, only
NLA chan type and chan width are updated.
There is no NL attribute for determining if it is HT or VHT for
bandwidths 20 & 40 and currently they are updated as HT20, HT40 (+ or -
depending on offset). Same is notified back via
NL80211_CMD_CH_SWITCH_NOTIFY.
Instead of adding new NL attribute for tracking HT/VHT enabled config,
we are adding new hostapd VHT config parameter to save the chan_switch
config and use only for chan_switch case of VHT20 and VHT40.
Tested with all combinations of chan_switch (noHT->20->40->80->) HT/VHT
and confirmed to be working.
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
When the channel time is zero the interference factor calculation falls
under divide by zero operation which results in invalid (NaN =
not-a-number) interference factor value. This leads to wrong ideal
channel selection in ACS during the scenario described below.
Scenario:
In VHT80 mode, the channel 36 (first channel) gets the channel time as
zero which causes the interfactor factor to be an invalid number (NaN).
Any operations (like addition, mulitplication, divide, etc.) with NaN
value results in a NaN value, so that average factor for the primary
channel 36 got the invalid value (NaN). Since channel 36 is the first
channel, ideal factor is assigned as NaN in the first iteration. The
following iteration condition check (factor < ideal_factor) with a NaN
value fail for all other primary channels. This results in channel 36
being chosen as the ideal channel in ACS which holds a NaN value.
Logs:
ACS: Survey analysis for channel 36 (5180 MHz)
ACS: 1: min_nf=-103 interference_factor=nan nf=0 time=0 busy=0 rx=0
ACS: 2: min_nf=-103 interference_factor=0.615385 nf=-102 time=13 busy=8 rx=0
ACS: 3: min_nf=-103 interference_factor=2.45455 nf=0 time=22 busy=16 rx=0
ACS: 4: min_nf=-103 interference_factor=0.785714 nf=-103 time=42 busy=33 rx=0
ACS: 5: min_nf=-103 interference_factor=nan nf=0 time=0 busy=0 rx=0
ACS: * interference factor average: nan
...
ACS: * channel 36: total interference = nan
..
ACS: * channel 149: total interference = 5.93174e-21
..
ACS: Ideal channel is 36 (5180 MHz) with total interference factor of nan
Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
Over time a number of style issues have crept into qca-vendor.h,
so fix most of them. There are some identifiers and comments which
exceed 80 columns, but these are left as-is for readability.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to determine which mechanism to use for configuring
country code from trusted sources.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new wifi test config QCA vendor attribute to configure Tx
beamformee in the driver. This is used for testbed configuration.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The first two parameters to readlink() are marked restricted and at
least gcc 8.2 warns about used the same pointer for then, so avoid this
by using separate buffers for the pathname and response buffer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Reword the comments to make gcc 8.1 recognize these as designed cases
and not trigger implicit-fallthrough warnings.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Implement tls_connection_get_eap_fast_key() using cryptographic
primitives as wolfSSL implements different spec.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Depend on proper wolfSSL configuration instead of trying to define these
build configuration values externally.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Use the correct intermediate result from mp_sqrmod() in the following
mp_mulmod() call (t is not initialized here; it is used only after this
step).
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
Provide full uncompressed DER data length to wc_ecc_import_point_der()
even though a compressed form is used here. In addition, use
ECC_POINT_COMP_* defined values to make this more readable.
Signed-off-by: Sean Parkinson <sean@wolfssl.com>
The current EAP peer implementation is not yet ready for the TLS v1.3
changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for
this EAP method for now.
While the current EAP-TLS implementation is more or less complete for
TLS v1.3, there has been no interoperability testing with other
implementations, so disable for by default for now until there has been
chance to confirm that no significant interoperability issues show up
with TLS version update. tls_flags=[ENABLE-TLSv1.3] configuration
parameter can be used to enable TLS v1.3 (assuming the TLS library
supports it; e.g., when using OpenSSL 1.1.1).
Signed-off-by: Jouni Malinen <j@w1.fi>
The current EAP peer implementation is not yet ready for the TLS v1.3
changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for
this EAP method for now.
While the current EAP-TLS implementation is more or less complete for
TLS v1.3, there has been no interoperability testing with other
implementations, so disable for by default for now until there has been
chance to confirm that no significant interoperability issues show up
with TLS version update. phase1="tls_disable_tlsv1_3=0" configuration
parameter can be used to enable TLS v1.3 (assuming the TLS library
supports it; e.g., when using OpenSSL 1.1.1).
Signed-off-by: Jouni Malinen <j@w1.fi>
This may be needed to avoid interoperability issues with the new
protocol version and significant changes for EAP use cases in both key
derivation and handshake termination.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes this more easily available throughout the handshake
processing, if needed, compared to having to pass through the function
argument through the full path from
tls_connection{,_server}_handshake().
Signed-off-by: Jouni Malinen <j@w1.fi>
The EAP session cannot be marked fully completed on sending Client
Finished with TLS v1.3 since the server may still send NewSessionTicket
before EAP-Success.
Signed-off-by: Jouni Malinen <j@w1.fi>
With TLS v1.3, the Finished message from the client can require
fragmentation. Postpone key derivation and marking of the EAP session
fully completed until all the fragments of that last message are sent to
avoid losing all the subsequent fragments.
Signed-off-by: Jouni Malinen <j@w1.fi>
This value is going to be used only with a helper function that takes it
in as a const value, so use the same style here to simplify callers in
upcoming TLS v1.3 changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 1.1.1 added cases where ClientHello generation may fail due to
"no ciphers available". There is no point in sending out the resulting
TLS Alert message to the server since the server does not know what to
do with it before ClientHello. Instead, simply terminate the TLS
handshake locally and report EAP failure to avoid getting stuck waiting
for a timeout.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL started reporting failures from
EC_POINT_set_affine_coordinates_GFp() similarly to BoringSSL, so use the
same workaround to enable this protocol testing case.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new SQLite table pending_tc is used to maintain a list of sessions
that need to accept Terms and Conditions. This information can be used
on an external Terms and Conditions server to map the incoming MAC
address information into user identity.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add commands to allow an AP to configure filtering rules to capture
frames from stations that are active on the operating channel, but
not associated to this AP. Operations include add/delete the filter
and get the statistics information of the unassociated stations.
Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
Allow hostapd RADIUS authentication server with SQLite EAP user DB to be
used for testing Terms and Conditions functionality. This could be used
for the HO AAA part of functionality (merging HO AAA and SP AAA into a
single component to avoid separate RADIUS proxy in testing setup).
A T&C server with HTTPS processing is needed to allow this to be used
for full over-the-air testing. This commit adds sufficient functionality
to allow hwsim test cases to cover the RADIUS server part.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend RADIUS DAS to support CoA-Request packets for the case where the
HS 2.0 Terms And Conditions filtering VSA is used to remove filtering.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Mark a channel as required DFS based on regulatory information received
from the driver/kernel rather than deciding based on hardcoded
boundaries on the frequency. Previously few channels were being marked
as requiring DFS even though they were non-DFS in a particular country.
If the driver does not provide channel list information, fall back to
the previously used frequency-based determination.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend wpa_supplicant WNM-Notification RX handling to parse and process
received Terms and Conditions Acceptance notifications. If PMF is
enabled for the association, this frame results in control interface
indication (HS20-T-C-ACCEPTANCE <URL>) to get upper layers to guide the
user through the required acceptance steps.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd Access-Accept processing to check if the RADIUS
server indicated that Terms and Conditions Acceptance is required. The
new hs20_t_c_server_url parameter is used to specify the server URL
template that the STA is requested to visit.
This commit does not enable any kind of filtering, i.e., only the part
of forwarding a request from Access-Accept to the STA using
WNM-Notification is covered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd with two new configuration parameters
(hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify
that the Terms and Conditions attributes are to be added into all
Access-Request messages for Hotspot 2.0 STAs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows user to get event indication when a new interface is
added/removed for 4addr WDS STA and also WDS STA ifname is informed
through the STA command.
Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
While it is unlikely that FILS would be used without PMF or SAE in the
build, it is possible to generate such a build and as such, it would be
good for the KDF selection to work properly. Add CONFIG_FILS as an
independent condition for the SHA256-based KDF. Previously, this
combination would have resulted in failure to derive keys and terminated
key management exchange.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Naveen Rawat