Rename driver op for temporarily disallowed BSSIDs
Use the "tmp_disallow" name more consistently so that both the core
wpa_supplicant functionality (struct wpa_bss_tmp_disallowed) and the
wpa_driver_ops callback have more similar names.
DPP2: Fix auth termination after receiving Configurator backup
remove_on_tx_status needs to be set in this case even if
dpp_config_processing=2 is used since there will be no connection
attempt when receiving a Configurator backup instead of station config
object.
dpp-nfc: Do not hardcode netrole for NFC Tag writing cases
Allow netrole to be specified for NFC Tag writing cases. Previously,
this was hardcoded to use netrole=configurator when starting the listen
operation. Now the netrole parameter is not included by default, but any
netrole value can be specified with the new --netrole command line
argument.
In addition, fix the listening frequency for the case where a channel is
picked.
Sunil Dutt [Thu, 18 Jun 2020 08:17:14 +0000 (13:47 +0530)]
Enhance the qca_set_band enum values to be used as a bitmap
Also introduce a new attribute QCA_WLAN_VENDOR_ATTR_SETBAND_MASK to
carry this new bitmask enum. This attribute shall consider the bitmask
combinations to define the respective band combinations and substitutes
QCA_WLAN_VENDOR_ATTR_SETBAND_VALUE. The old attribute use remains the same
as before.
In addition, document the previously undocumented, but defined,
QCA_NL80211_VENDOR_SUBCMD_SETBAND.
nl80211: Fix sending proper VLAN ID attr value when using VLAN offload
The NL80211_ATTR_VLAN_ID attribute expects non-zero values, but vlan_id
with value 0 has been set in VLAN offload case. Due to this, station
connection failure is observed if the driver advertises VLAN_OFFLOAD
support:
nl80211: NL80211_ATTR_STA_VLAN (addr=8c:fd:f0:22:19:15 ifname=wlan0
vlan_id=0) failed: -34 (Result not representable)
wlan0: STA 8c:fd:f0:22:19:15 IEEE 802.11: could not bind the STA
entry to vlan_id=0
Yu Wang [Tue, 7 Jul 2020 18:18:47 +0000 (02:18 +0800)]
mesh: Fix peer link counting when removing a mesh peer
When removing a mesh peer with control interface commands (ACCEPT_ACL
DEL_MAC/DENY_ACL ADD_MAC/MESH_PEER_REMOVE) the plink count was not
decreased from its last connection. This resulted in peer link count
leakage and wpa_supplicant rejecting the connections after reaching
max_peer_links (default: 99).
Fix this by decreasing the plink count when removing a mesh peer which
is in PLINK_ESTAB state.
Jouni Malinen [Fri, 26 Jun 2020 17:50:23 +0000 (20:50 +0300)]
DPP2: Make sure dpp_auth gets cleared with external config processing
wpa_s->dpp_auth did not get cleared if dpp_config_processing=1 is used.
Clear this after having received TX status for Configuration Result to
avoid leaving behind the completed provisioning instance.
Jouni Malinen [Wed, 24 Jun 2020 22:18:30 +0000 (01:18 +0300)]
SAE-PK: Fix password validation check for Sec
The 0..3 value decoded from the password was not incremented to the
actual 2..5 range for Sec. This resulted in not properly detecting the
minimum password length.
Jouni Malinen [Wed, 24 Jun 2020 19:37:52 +0000 (22:37 +0300)]
dpp-nfc: Fix connection handover renegotiation
The use of the alternative channel list did not work properly for the
case where both ends were trying to initiate the negotiated connection
handover. Fix this by always starting a new connection handover client
thread for sending the alternative proposal and ignoring peer messages
(likely something from the first attempt) during this modified attempt.
Vinita S. Maloo [Tue, 19 May 2020 12:13:22 +0000 (17:43 +0530)]
FILS: Use FILS auth alg when connecting using PMKSA caching
When a PMKSA cache entry is available and used for connection with FILS
key management suite, use FILS authentication algorithm for connection
even if ERP keys are not available. This scenario may happen when
applications using wpa_supplicant cache persistently only PMKSA but not
ERP keys and reconfigure wpa_supplicant with PMKSA cache after
restarting wpa_supplicant.
The previous implementation correctly handles SME-in-wpa_supplicant
cases. However, in SME-in-driver cases, complete FILS authentication
without PMKSA caching is performed.
Fix SME-in-driver behavior by setting authentication algorithm to
WPA_AUTH_ALG_FILS when connecting to a FILS AP using PMKSA caching.
Wu Gao [Mon, 8 Jun 2020 06:27:12 +0000 (14:27 +0800)]
6 GHz: Change 6 GHz channels per IEEE P802.11ax/D6.1
The channel numbering/center frequencies were changed in IEEE
P802.11ax/D6.1. The center frequencies of the channels were shifted by
10 MHz. Also, a new operating class 136 was defined with a single
channel 2. Add required support to change the channelization as per IEEE
P802.11ax/D6.1.
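As an added illustration of the channelization change described in this commit (this is example code written for this page, not hostap's own implementation), the following maps 6 GHz channel numbers to center frequencies under the D6.1 numbering, recognizes the new operating class 136 with its single channel 2, and shows the 10 MHz shift relative to the earlier numbering. The assumptions are that global operating class 131 covers the 20 MHz channel set 1, 5, ..., 233 with center frequency 5950 MHz + 5 MHz x channel, that the pre-D6.1 numbering used a 5940 MHz base, and that channel 2 of operating class 136 sits at 5935 MHz; wider-bandwidth channel centers are deliberately not modelled.

```python
# Added example, not hostap code: 6 GHz channelization per IEEE P802.11ax/D6.1.
# Assumed constants (see lead-in): 131 = 20 MHz channel set, 136 = channel 2 only.
D61_BASE_MHZ = 5950       # D6.1: center = 5950 + 5 * channel
PRE_D61_BASE_MHZ = 5940   # earlier numbering: every center 10 MHz lower
CH2_CENTER_MHZ = 5935     # operating class 136, channel 2 (new in D6.1)
LAST_20MHZ_CHAN = 233     # last 20 MHz primary channel in the 6 GHz band


def chan_to_freq_6ghz(chan, op_class=131, draft="D6.1"):
    """Return the center frequency (MHz) of a 6 GHz channel, or None if invalid."""
    if op_class == 136:
        # Operating class 136 exists only from D6.1 on and holds one channel.
        return CH2_CENTER_MHZ if (chan == 2 and draft == "D6.1") else None
    if op_class != 131:
        return None
    if not (1 <= chan <= LAST_20MHZ_CHAN) or chan % 4 != 1:
        return None  # 20 MHz primary channels are 1, 5, 9, ..., 233
    base = D61_BASE_MHZ if draft == "D6.1" else PRE_D61_BASE_MHZ
    return base + 5 * chan


def freq_to_chan_6ghz(freq):
    """Map a D6.1 center frequency back to (channel, operating class), or None."""
    if freq == CH2_CENTER_MHZ:
        return (2, 136)
    if freq <= D61_BASE_MHZ or freq > D61_BASE_MHZ + 5 * LAST_20MHZ_CHAN:
        return None
    offset = freq - D61_BASE_MHZ
    if offset % 5 != 0:
        return None  # not on the 5 MHz raster
    chan = offset // 5
    if chan % 4 != 1:
        return None  # not a 20 MHz primary channel
    return (chan, 131)


def shift_from_pre_d61(freq):
    """Translate a pre-D6.1 channel center to its D6.1 value (the 10 MHz shift)."""
    return freq + (D61_BASE_MHZ - PRE_D61_BASE_MHZ)


if __name__ == "__main__":
    for ch in (1, 5, 233):
        print(ch, chan_to_freq_6ghz(ch, draft="pre-D6.1"), "->", chan_to_freq_6ghz(ch))
    print("5935 MHz ->", freq_to_chan_6ghz(5935))
```

Note that a frequency such as 5945 MHz, which was channel 1 under the old numbering, is rejected by freq_to_chan_6ghz() under D6.1; a station and AP that disagree on the draft revision will therefore simply fail to agree on a channel rather than silently pick neighbouring ones.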
Jouni Malinen [Tue, 23 Jun 2020 10:24:38 +0000 (13:24 +0300)]
dpp-nfc: Support channel list negotiation
If the peer's channel list in negotiated handover does not have any
common channels and the local end is configured with an alternative
channel list, try to initiate another negotiation handover with the
alternative channels.
Jouni Malinen [Mon, 22 Jun 2020 17:00:31 +0000 (20:00 +0300)]
DPP: Clear bootstrap entries only after clearing authentication state
This fixes an issue where the pending authentication might have held a
reference to auth->tmp_peer_bi and dpp_auth_deinit() would try to free
that bootstrapping entry. This needs to happen before the call to
dpp_global_clear() to avoid double-removal of the bootstrapping entry
from the list.
Markus Theil [Wed, 10 Jun 2020 08:32:58 +0000 (10:32 +0200)]
nl80211: Use control port TX (status) in AP mode if possible
Check if nl80211 control port TX status is available in the kernel and
enable control port TX if so. With this feature, nl80211 control path is
able to provide the same feature set as nl80211 (management) + AF_PACKET
socket (control) before.
For debugging and testing, this can explicitly be disabled with
the driver parameter control_port_ap=0.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Jouni Malinen [Sun, 21 Jun 2020 14:32:00 +0000 (17:32 +0300)]
nl80211: Work around misdelivered control port TX status
The kernel commit "mac80211: support control port TX status reporting"
seems to be delivering the TX status events for EAPOL frames over
control port using NL80211_CMD_FRAME_TX_STATUS due to incorrect check on
whether the frame is a Management or Data frame. Use the pending cookie
value from EAPOL TX operation to detect this incorrect behavior and
redirect the event internally to allow it to be used to get full TX
control port functionality available for AP mode.
Markus Theil [Wed, 10 Jun 2020 08:32:59 +0000 (10:32 +0200)]
nl80211: Use ext ack handler for TX control port
Allow custom ack handler to be registered and use the ext ack handler
for TX control port to fetch the cookie information. If these cookies
are not supported by the current kernel, a value of 0 is returned.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Markus Theil [Wed, 10 Jun 2020 08:32:57 +0000 (10:32 +0200)]
nl80211: Handle control port TX status events over nl80211
In order to retransmit faster in AP mode, hostapd can handle TX status
notifications. When using nl80211, this is currently only possible with
socket control messages. Add support for receiving such events directly
over nl80211 and detecting if this feature is supported.
This finally allows for a clean separation between management/control
path (over nl80211) and in-kernel data path.
A follow up commit enables the feature in AP mode.
Control port TX status contains the original frame content for matching
with the current hostapd code. Furthermore, a cookie is included, which
allows for matching against outstanding cookies in the future. This
commit only prints the cookie value for debugging purposes on TX status
receive.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Markus Theil [Wed, 10 Jun 2020 08:32:56 +0000 (10:32 +0200)]
nl80211: Add custom ack handler arguments to send_and_recv()
This is a preliminary patch for using extack cookies for TX control port
handling. Custom ack handler arguments for send_and_recv() and friends
are introduced therefore. This commit does not actually use the provided
values, i.e., that will be added in a separate commit.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Jouni Malinen [Sat, 20 Jun 2020 15:05:46 +0000 (18:05 +0300)]
EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used
The EAP-TEAP server may skip Phase 2 if the client authentication could
be completed during Phase 1 based on client certificate. Handle this
similarly to the case of PAC use.
Matthew Wang [Tue, 2 Jun 2020 00:10:15 +0000 (17:10 -0700)]
Refactor wpa_supplicant_need_to_roam()
Pull all the within-ESS roam code out of wpa_supplicant_need_to_roam()
and into its own function, wpa_supplicant_need_to_roam_within_ess().
This way, we avoid interleaving several #ifndef's in the original
function and wrap the new function in one big #ifndef. This also
modularizes the within-ESS roam code and makes it easier to test.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Jouni Malinen [Thu, 18 Jun 2020 21:08:33 +0000 (00:08 +0300)]
DPP2: Add an automatic peer_bi entry for CSR matching if needed
This allows the DPP_CA_SET command to be targeting a specific DPP-CST
event in cases where the Configurator did not receive the bootstrapping
information for the peer.
Jouni Malinen [Tue, 16 Jun 2020 10:16:39 +0000 (13:16 +0300)]
OpenSSL: Use EVP-based interface for ECDSA sign/verify
The low level ECDSA interface is not available in BoringSSL and has been
deprecated in OpenSSL 3.0, so move to using a higher layer EVP-based
interface for performing the ECDSA sign/verify operations.
Jouni Malinen [Mon, 15 Jun 2020 17:20:50 +0000 (20:20 +0300)]
DPP2: Enterprise provisioning (Enrollee)
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS)
configuration object. This commit is handling only the most basic case
and a number of TODO items remain to handle more complete CSR
generation and config object processing.
Muna Sinada [Mon, 18 May 2020 13:57:16 +0000 (06:57 -0700)]
Allow HE-without-VHT to add the Channel Switch Wrapper element
Modify the check for VHT to include an option for HE in
hostapd_eid_wb_chsw_wrapper() and its callers to allow the Channel
Switch Wrapper element with the Wide Bandwidth Channel Switch subelement
to be included in Beacon and Probe Response frames when AP is operating
in HE mode without VHT.
Muna Sinada [Mon, 18 May 2020 13:57:15 +0000 (06:57 -0700)]
Move hostapd_eid_wb_chsw_wrapper() to non-VHT-specific file
Move hostapd_eid_wb_chsw_wrapper() from VHT specific ieee802_11_vht.c to
ieee802_11.c since this can be used for both HE and VHT. This commit
does not change any functionality to enable the HE use case, i.e., the
function is just moved as-is.
AP: Reject association request upon invalid HE capabilities
Operation in the 6 GHz band mandates valid HE capabilities element in
station negotiation. Reject association request upon receiving invalid
or missing HE elements.
Vendor VHT IE is used only on the 2.4 GHz band. Restrict the use of
vendor VHT element to 2.4 GHz. This will ensure that invalid/wrong user
configuration will not impact beacon data in other than the 2.4 GHz
band.
HE: Use device HE capability instead of HT/VHT for 6 GHz IEs
Previously, 6 GHz Band Capability element was derived from HT and VHT
capabilities of the device. Remove such an unnecessary dependency by
relying directly on the HE capability.
In addition, clean up the struct ieee80211_he_6ghz_band_cap definition
to use a 16-bit little endian field instead of two 8-bit fields to match
the definition in P802.11ax.
Brian Norris [Mon, 8 Jun 2020 23:47:53 +0000 (16:47 -0700)]
tests: Skip malformed SAE authentication frames
The parsed 'length' field might point beyond the end of the frame, for
some malformed frames. I haven't figured out the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Johannes Berg [Sun, 31 May 2020 09:40:32 +0000 (11:40 +0200)]
tests: Check for mac80211_hwsim module before loading it
Instead of checking if the kernel allows modules (via the presence of
/proc/modules), check if mac80211_hwsim is already there and load it
only if not. This gets rid of some ugly prints from modprobe in case
code isn't even a module and cannot be found, etc.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 28 May 2020 17:52:39 +0000 (19:52 +0200)]
tests: Use bytes in a few places
With python3 bytes are returned for stdout, so we need to use b''
strings instead of normal strings. These are just a few places
I ran into, almost certainly more places need it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 28 May 2020 17:52:30 +0000 (19:52 +0200)]
tests: Set VHT160 or VHT160-80PLUS80 capability
If we want the test to actually use 160/80+80 we need to explicitly
advertise that we support it ourselves, since the kernel is going to be
a bit more strict about this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Tue, 9 Jun 2020 21:59:09 +0000 (00:59 +0300)]
SAE-PK: Update SAE confirm IE design
Move the FILS Public Key element and the FILS Key Confirmation element
to be separate IEs instead of being encapsulated within the SAE-PK
element. This is also removing the unnecessary length field for the
fixed-length EncryptedModifier.
Jouni Malinen [Tue, 9 Jun 2020 19:32:38 +0000 (22:32 +0300)]
SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
This was clarified in the draft specification to not be a mandatory
requirement for the AP and STA to enforce, i.e., matching security level
is a recommendation for AP configuration rather than a protocol
requirement.
Jouni Malinen [Tue, 9 Jun 2020 09:48:13 +0000 (12:48 +0300)]
WPS UPnP: Support build on OS X
Define MAC address fetching for OS X (by reusing the existing FreeBSD
implementation) to allow full compile testing of the WPS implementation
on a more BSD-like platform.
Jouni Malinen [Tue, 9 Jun 2020 09:43:53 +0000 (12:43 +0300)]
WPS UPnP: Fix FreeBSD build
struct ifreq does not include the ifr_netmask alternative on FreeBSD, so
replace that more specific name with ifr_addr that works with both Linux
and FreeBSD.
Fixes: 5b78c8f961f2 ("WPS UPnP: Do not allow event subscriptions with URLs to other networks")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>