Avraham Stern [Sun, 11 Jun 2017 12:41:19 +0000 (15:41 +0300)]
RRM: Send reject/refuse response only to unicast measurement request
IEEE Std 802.11-2016, 11.11.6 specifies that a station that is unable to
make a requested measurement or refuses to make a measurement shall
respond only if the measurement request was received within an
individually addressed radio measurement request frame, but shall not
respond if such a request was received in a group addressed frame.
Dmitry Shmidt [Mon, 22 May 2017 21:38:58 +0000 (21:38 +0000)]
wpa_cli: Fix global control interface for STA-FIRST/STA-NEXT
If global control interface is used and wlan doesn't support P2P,
wpa_s->global->p2p == NULL, and log shows:
wpa_supplicant: Failed to create interface p2p-dev-wlan0: -5 (I/O error)
wpa_supplicant: nl80211: Failed to create a P2P Device interface p2p-dev-wlan0
wpa_supplicant: P2P: Failed to enable P2P Device interface
Then STA-FIRST/STA-NEXT is not going to redirect to any interface,
making update_stations(ctrl_conn) is stuck in never-ending loop:
X509_ALGOR_get0() was modified to use const ** pointer as the first
argument in OpenSSL 1.1.0, so need to use different type here to avoid
compilation issues.
Previously, the pointer to strdup passwd was left in OpenSSL library
default_passwd_cb_userdata and even the default_passwd_cb was left set
on an error path. To avoid unexpected behavior if something were to
manage to use there pointers, clear them explicitly once done with
loading of the private key.
OpenSSL: Fix private key password handling with OpenSSL >= 1.1.0f
Since OpenSSL version 1.1.0f, SSL_use_PrivateKey_file() uses the
callback from the SSL object instead of the one from the CTX, so let's
set the callback on both SSL and CTX. Note that
SSL_set_default_passwd_cb*() is available only in 1.1.0.
OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".
This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.
FILS: Fix issuing FILS connect to a non-FILS AP in driver-FILS case
If an AP is not FILS capable and wpa_supplicant has a saved network
block for the network with FILS key management and a saved erp info,
wpa_supplicant might end up issuing a FILS connection to a non-FILS AP.
Fix this by looking for the presence of FILS AKMs in wpa_s->key_mgmt,
i.e., after deciding on the AKM suites to use for the current
connection.
Introduce a vendor attribute to represent the PNO/EPNO Request ID
This request ID was wrongly referred from the REQUEST_ID in
enum qca_wlan_vendor_attr_gscan_config_params which is mapped to
QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM in PNO Config.
Hence define a different attribute to represent the request ID
for PNO Config.
Avraham Stern [Thu, 8 Jun 2017 08:17:56 +0000 (11:17 +0300)]
RRM: Filter scan results by parent TSF only if driver supports it
Scan results with parent TSF older than the scan start TSF are not added
to the beacon report since they are considered as scan results from
previous scans. However, for drivers that report the scan start TSF but
not the parent TSF of each scan result, the parent TSF will be zero so
valid scan results will be dropped.
Fix this by filtering scan results by the parent TSF only if the
driver supports reporting the parent TSF for each scan result.
In case of incorrect HT40 configuration as part of an attempt to create
a 80 MHz AP, iface->conf->vht_oper_centr_freq_seg0_idx and
iface->conf->vht_oper_centr_freq_seg1_idx are zero'ed, but
iface->conf->vht_oper_chwidth remains VHT_CHANWIDTH_80MHZ. This causes
the logic in dfs_get_start_chan_idx to fail.
Fix this by setting iface->conf->vht_oper_chwidth to
VHT_CHANWIDTH_USE_HT when zero'ing the center frequency parameters.
Adiel Aloni [Thu, 22 Jun 2017 07:58:44 +0000 (10:58 +0300)]
tests: Use global control interface in test_p2p_channel.py
Previously p2p_channel_drv_pref_* tests would fail
if dedicated P2P device is used, since the SET commands
were sent to incorrect interface.
Fix this by using a global control interface instead.
Johannes Berg [Tue, 30 May 2017 14:29:56 +0000 (16:29 +0200)]
tests: Print higher debug level on console
We capture the dmesg that contains everything, but if a test
causes a kernel crash we will miss all logging at higher levels
like debug. Change the printk level to catch all of that too.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Tue, 30 May 2017 14:29:50 +0000 (16:29 +0200)]
tests: Catch various lockdep warnings
Lockdep no longer prints "INFO:" but now prints "WARNING:".
Also add the "*** DEADLOCK ***" string it usually prints so
if it changes again we can keep finding that string.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
dpp.h file requires openssl in order to compile, which breaks
compilation on systems without it.
Move DPP_OUI_TYPE to ieee802_11_defs.h and don't include dpp.h when
not really needed.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Sunil Dutt [Tue, 13 Jun 2017 11:52:02 +0000 (17:22 +0530)]
P2P: Allow auto GO on DFS channels if driver supports this
If a DFS forced frequency is provided in 'p2p_group_add' and the driver
supports DFS offload, the frequency was rejected in
wpas_p2p_init_go_params(). However, it was accepted in
wpas_p2p_select_go_freq() and wpas_p2p_group_add(). To make the behavior
consistent, the DFS frequency is now accepted in
wpas_p2p_init_go_params() similar to the way done in
wpas_p2p_select_go_freq().
Redundant check in wpas_p2p_group_add() for DFS forced frequency is
removed.
FILS: Advertize FILS capability based on driver capability
Add changes to control interface command get_capability to advertize
FILS capability, FILS AKMs suites, and FILS Authentication algorithms
based on the driver capabilities.
hostapd did not add a new PMKSA cache entry when FILS shared key
authentication was used, i.e., only the initial full authentication
resulted in a PMKSA cache entry being created. Derive the PMKID for the
ERP case as well and add a PMKSA cache entry if the ERP exchange
succeeds.
tests: Clear ignore_old_scan_res after sigma_dut test cases
sigma_dut can end up setting ignore_old_scan_res=1 and that can result
in some of the consecutive test cases failing. Fix this by explicitly
clearing ignore_old_scan_res after sigma_dut cases that may have ended
up setting the parameter.
Update default wpa_group_rekey to once-per-day when using CCMP/GCMP
The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.
This implements genric PKEX functionality in src/common/dpp.c and glue
code to use this in wpa_supplicant (i.e, hostapd DPP implementation does
not yet support PKEX).
DPP: Add helper functions for running hash operations
Use helper functions to cover all three different hash algorithm options
for DPP operations instead of having separate calls to each function at
every location a hash operation based on the curve is needed.
Ashwini Patil [Wed, 21 Jun 2017 14:46:07 +0000 (20:16 +0530)]
nl80211/MBO: Set temporary disallowed BSSID list to driver
Set temporary disallowed BSSID list to the driver so that the driver
doesn't try to connect to any of the blacklisted BSSIDs during
driver-based roaming operation. This commit includes support only for
the nl80211 driver interface using a QCA vendor command for this.
ERP: Derive ERP key only after successful EAP authentication
ERP key was previously derived immediately after the availability of
EMSK and Session-Id and the ERP key hierarchy was saved even if the
authentication resulted in failure eventually. Instead, derive the ERP
key only after a successful EAP authentication.
Sunil Dutt [Wed, 14 Jun 2017 06:07:37 +0000 (11:37 +0530)]
Introduce a vendor command to specify the active Type Of Service
This commit introduces QCA_NL80211_VENDOR_SUBCMD_ACTIVE_TOS to specify
the active Type Of Service on the specific interface. This can be used
to modify some of the low level scan parameters (off channel dwell time,
home channel time) in the driver/firmware.
nl80211: Make KCK attribute optional in rekey data
New AKM suites like FILS-SHA256 do not use KCK and hence KCK length can
be zero. Add changes to include KCK attribute in rekey data only if the
length is non-zero.
Jouni Malinen [Thu, 22 Jun 2017 11:52:28 +0000 (14:52 +0300)]
DPP: Add an example python script for QR Code operations
This script can be used to process Android logcat information for
scanned QR Codes (e.g., from Barcode Scanner app) and also to display QR
Codes for locally generated bootstrap keys.
Jouni Malinen [Wed, 21 Jun 2017 15:01:51 +0000 (18:01 +0300)]
DPP: Automatic network profile creation
wpa_supplicant can now be configured to generate a network profile
automatically based on DPP configuration. The following
dpp_config_processing values can be used to specify the behavior:
0 = report received configuration to an external program for
processing; do not generate any network profile internally (default)
1 = report received configuration to an external program and generate
a network profile internally, but do not automatically connect
to the created (disabled) profile; the network profile id is
reported to external programs
2 = report received configuration to an external program, generate
a network profile internally, try to connect to the created
profile automatically
Jouni Malinen [Mon, 19 Jun 2017 18:34:10 +0000 (21:34 +0300)]
FILS: Fix EVENT_ASSOC processing checks for driver-SME
Commit 5538fc930988bfc12935579b2b9930d18ffd1be8 ('FILS: Track completion
with FILS shared key authentication offload') added an additional case
for calling wpa_supplicant_event_assoc_auth() from EVENT_ASSOC handling
in case of FILS-completion with driver-based-SME. However, that checked
what placed outside the data != NULL case while data != NULL needs to
apply for this case as well due to wpa_supplicant_event_assoc_auth()
behavior. Move the data != NULL check to apply to both cases to avoid
potentially issues if a driver interface were to return EVENT_ASSOC
without the associate data. (CID 164708)
Jouni Malinen [Mon, 19 Jun 2017 18:28:37 +0000 (21:28 +0300)]
Make wpa_config_read_blob() easier for static analyzers
While encoded == NULL could happen in the case of an empty blob, that
will result in encoded_len == 0 and base64_decode() not derefencing the
src argument. That seems to be too difficult for some static analyzers,
so to avoid false warnings, explicitly reject the encoded == NULL case
without even trying to base64 decode it. (CID 164709)
Jouni Malinen [Sun, 18 Jun 2017 14:29:57 +0000 (17:29 +0300)]
DPP: AP parameters for DPP AKM
Extend hostapd configuration to include parameters needed for the DPP
AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry,
dpp_csign, dpp_csign_expiry.
Jouni Malinen [Sun, 18 Jun 2017 10:48:57 +0000 (13:48 +0300)]
DPP: Network profile parameters for DPP AKM
Extend wpa_supplicant network profile to include parameters needed for
the DPP AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry,
dpp_csign, dpp_csign_expiry.
Jouni Malinen [Sun, 18 Jun 2017 11:14:18 +0000 (14:14 +0300)]
DPP: Allow PMKSA cache entries to be added through hostapd ctrl_iface
This allows external programs to generate and add PMKSA cache entries
into hostapd. The main use for this is to run external DPP processing
(network introduction) and testing.
Jouni Malinen [Sat, 17 Jun 2017 20:48:52 +0000 (23:48 +0300)]
DPP: Add new AKM
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.
projects / thirdparty / hostap.git / log
