Commit graph

17521 commits

Author SHA1 Message Date
Jouni Malinen
3085e1a671 hs20-osu-client: dNSName values from OSU server certificate for PPS MO
The previous change to allow EST server to use a different host name
ended up overriding the OSU server certificate information and the
incorrect server certificate was used when comparing the SP FQDN from
the PPS MO if the OSU and EST servers where different. Fix this by
keeping the dNSName from the SPP interaction and not storing the values
from the EST interaction.

Fixes: 0ce8d55a2e ("hs20-osu-client: Allow EST server to use different host name")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-14 10:42:11 +02:00
Jouni Malinen
ce86f2446f DFS: Remove unnecessary variable
This was not used for anything else than checking the value returned by
the called function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 21:23:54 +02:00
Lorenzo Bianconi
760a5ae26b DFS: Switch to background radar channel if available
On radar detection on the main chain switch to the channel monitored
by the background chain if we have already performed the CAC there.
If a radar pattern is reported on the background chain, just select a
new random channel according to the regulations for monitoring.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:23:10 +02:00
Lorenzo Bianconi
b63d953feb DFS: Enable CSA for background radar detection
Rely on hostapd_dfs_request_channel_switch() to enable CSA for
background radar detection switching back to the selected channel.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:15:48 +02:00
Lorenzo Bianconi
25663241c5 DFS: Introduce hostapd_dfs_request_channel_switch()
This is a preliminary patch to add Channel Switch Announcement for
background radar detection.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:12:43 +02:00
Lorenzo Bianconi
316a9dc63b DFS: Configure background radar/CAC detection
Introduce the capability to perform radar/CAC detection on an offchannel
radar chain available on some hardware (e.g., mt7915). This feature
allows to avoid CAC downtime switching on a different channel during CAC
detection on the selected radar channel.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:06:51 +02:00
Lorenzo Bianconi
bad12effe8 nl80211: Radar background flag setting
Allow background radar detection flag to be set when specifying a
channel. This is a preliminary change to introduce radar/CAC background
detection support.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 20:48:06 +02:00
Lorenzo Bianconi
effd6111b8 DFS: Rely on channel_type in dfs_downgrade_bandwidth()
Add the capability to specify all 3 channel type possibilities in
dfs_downgrade_bandwidth(). This is a preliminary change to introduce
radar/CAC background detection support.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 18:30:56 +02:00
Jouni Malinen
b37bbcc390 tests: Clear country configuration at the end of wpas_ap_async_fail
This was causing a failure in the following sequence:
wpas_ap_async_fail wpas_ctrl_country

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 18:26:45 +02:00
Jouni Malinen
7f661f942d tests: Make DPP relay tests more robust
Flush scan results to avoid failure caused by incorrect channel
selection based on an old result for the same BSSID. This was found with
the following test sequence:
ap_track_sta_no_auth dpp_network_intro_version_missing_req dpp_controller_relay_pkex

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 18:26:45 +02:00
Jouni Malinen
f9ba3d5c89 OpenSSL 3.0: Set SSL groups using SSL_set1_groups()
The mechanism using SSL_set_tmp_ecdh() has been obsoleted and
SSL_set1_groups() takes care of it instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 11:27:15 +02:00
Jouni Malinen
09c62aaf11 OpenSSL: Determine RSA key size without low-level routines
RSA low-level routines were deprecated in OpenSSL 3.0.
EVP_PKEY_get_bits(), or its older and more backwards compatible name
EVP_PKEY_bits() can be used here instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 11:27:12 +02:00
Jouni Malinen
b700a56e14 OpenSSL 3.0: Determine the prime length for an EC key group using EVP_PKEY
EVP_PKEY_get0_EC_KEY() and EC_KEY_get0_group() were deprecated in
OpenSSL 3.0. Add a version of this by determining the group without
fetching the EC_KEY itself from an EVP_PKEY.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 11:26:55 +02:00
Jouni Malinen
3c61f4db4c OpenSSL: Replace EC_GROUP_get_curve_GFp() calls with EC_GROUP_get_curve()
EC_GROUP_get_curve_GFp() was deprecated in OpenSSL 3.0.
EC_GROUP_get_curve() can be used to do the exact same thing. Add a
backwards compatibility wrapper for older OpenSSL versions to be able to
use this newer function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 11:26:47 +02:00
Jouni Malinen
e2cb0ca1ac OpenSSL 3.0: Implement crypto_ec_key_group() with new API
Get rid of the now deprecated EVP_PKEY_get0_EC_KEY() and
EC_KEY_get0_group() calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 11:26:36 +02:00
Jouni Malinen
7c8fcd6baf tests: Fix sigma_dut_cmd() processing for the return value
The first sock.recv() may return both the status,RUNNING and the
following status line if the sigma_dut process ends up being faster in
writing the result than the test script is in reading the result. This
resulted in unexpected behavior and odd error messages when parsing the
result in the test cases. Fix this by dropping the status,RUNNING line
from the result in case the buffer includes multiple lines.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-12 19:00:36 +02:00
Jouni Malinen
f6a53f64af OpenSSL: Replace EVP_PKEY_cmp() with EVP_PKEY_eq() when available
OpenSSL 3.0 deprecated EVP_PKEY_cmp() and replaced it with EVP_PKEY_eq()
which is not available in older versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-12 10:54:48 +02:00
Lubomir Rintel
5b093570dc D-Bus: Add 'wep_disabled' capability
Since commit 200c7693c9 ('Make WEP functionality an optional build
parameter'), WEP support is optional and, indeed, off by default.

The distributions are now catching up and disabling WEP in their builds.
Unfortunately, there's no indication prior to an attempt to connect to a
WEP network that it's not going to work. Add a capability to communicate
that.

Unlike other capabilities, this one is negative. That is, it indicates
lack of a WEP support as opposed to its presence. This is necessary
because historically there has been no capability to indicate presence
of WEP support and therefore NetworkManager (and probably others) just
assumes it's there.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Davide Caratti <davide.caratti@gmail.com>
2022-03-12 10:40:01 +02:00
Nicolas Escande
56a14cc720 DFS: Don't let cac_time_left_seconds overflow
There can be some discrepancy between the theorical dfs cac end (as
computed with the cac duration and cac start) and the actual cac end as
reported by the driver. During that window, the value of remaining time
outputed by the status command on the socket control interface will
display an overflowed, invalid value.
To mitigate this lets compute the remaining time as signed and display
it only when positive, otherwise defaulting it to 0.

Status command shows something like that when polling every seconds:

state=DFS
cac_time_seconds=60
cac_time_left_seconds=1
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=0
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967294
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967293
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967292
...
state=ENABLED
cac_time_seconds=60
cac_time_left_seconds=N/A

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-03-12 10:39:43 +02:00
Alasdair Mackintosh
ae512c30a1 DPP: Fix uninitialised variable on error path
The current code generates a warning when compiled by Clang, because if
we goto 'fail:', password_len can be uninitialised when we pass it in to
bin_clear_free().

Note that the actual usage is safe, because bin_clear_free() ignores
the second argument if the first argument is NULL, but it still seems
worth cleaning up.

Signed-off-by: Alasdair Mackintosh <alasdair at google.com>
2022-03-12 10:36:03 +02:00
ArisAachen
3a157fe92f dbus: Set CurrentAuthMode to INACTIVE only if network is not selected
CurrentAuthMode should be set as a real auth type when authentication is
in progress. wpa_supplicant has a property "State" which indicates the
authentication stage already. I think setting auth mode as "INACTIVE" in
all auth progress stages is not a good idea, because sometimes we need
to handle this connection according to the auth type even when
authentication is not complete. For example, NetworkManager may recall
ask-password-dialog when auth mode is "wpa-psk" and "sae", try next
access point when auth mode is "EAP-xx" when password is incorrect.
Since "CurrentAuthMode" is set as "INACTIVE" in all not fully completed
situations, we do not know how to handle it.

Signed-off-by: Aris Aachen <chenyunxiong@unionitech.com>
Signed-off-by: ArisAachen <chenyunxiong@uniontech.com>
2022-03-12 10:30:26 +02:00
Jouni Malinen
0ce8d55a2e hs20-osu-client: Allow EST server to use different host name
The EST server does not have to be sharing the same host name with the
OSU server. Use the host name from the EST URL instead of the SPP server
URL when validating the EST server certificate.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-11 19:47:30 +02:00
Jouni Malinen
5eaf596e14 HTTP: Make URL available to the cert_cb
This makes it easier for non-SOAP cases to validate HTTP server name
(from the URL) match against the certificate.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-11 19:46:23 +02:00
Jouni Malinen
abed7978f6 HS 2.0 server: Event log entry on missing configuration for the realm
Make the error reason clearer in the event log for the case where the
requested realm has not been configured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-11 19:44:58 +02:00
Purushottam Kushwaha
1192d5721b Android: Compile hs20-osu-client to /vendor/bin in test builds
hs20-osu-client compilation fails on Android O onwards because of
undefined reference for __android_log_print/__android_log_vprint.

Modify hs20-osu-client's Android.mk to include liblog library and use
tag 'hs20-osu-client' in logcat logs. Additionally, compile
hs20-osu-client to /vendor/bin in non-production builds.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 19:40:08 +02:00
Sumit Agre
1fee1c40c3 Enhance QCA vendor interface to indicate TWT required capability of AP
Add QCA_WLAN_TWT_NOTIFY command type to send event to userspace when AP
changes TWT required bit field in its capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 19:36:37 +02:00
Jhalak Naik
a192305a41 Add QCA vendor attributes for AFC support in external ACS
Add support for new QCA nested attributes to pass the AFC channel
information as part of the external ACS request command,
EXTERNAL_ACS_EVENT_CHAN_INFO.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 19:31:49 +02:00
Jouni Malinen
0c51cf624c tests: sigma_dut DPP Configurator (MUD URL, NAK change)
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 18:29:34 +02:00
Jouni Malinen
e792f38db8 tests: DPP PKEX with netAccessKey curve change
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 01:30:33 +02:00
Jouni Malinen
5ce5ed88a9 tests: Fix dpp_own_config_curve_mismatch to match implementation
This test case was assuming the Configurator would change the
netAccessKey curve every time based on the protocol keys, but that is
not the case anymore, so force that change here for a negative test.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 01:30:33 +02:00
Jouni Malinen
c4a36d050a tests: Fix dpp_intro_mismatch to match implementation
This test case was assuming the Configurator would change the
netAccessKey curve every time based on the protocol keys, but that is
not the case anymore, so force that change here for a negative test.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 01:30:33 +02:00
Jouni Malinen
de5939ef52 DPP: Allow Configurator net_access_key_curve to be changed
This is mainly for testing purposes to allow a Configurator to the curve
between provisioning cases. This would not work for real deployement
cases unless every Enrollee were reconfigured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 01:30:33 +02:00
Jouni Malinen
9638452a62 DPP: Update Configurator to require same netAccessKey curve to be used
DPP network introduction requires all devices to use the same curve for
netAccessKey. Enforce that this happens based on hardcoding the curve
based on the first successful configuration object generation if no
explicit configuration of the curve was used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 23:08:06 +02:00
Jouni Malinen
800ae647df tests: Check DPP3 support in the build for netAccessKey curve changes
These test cases need to be skipped if CONFIG_DPP3=y is not defined in
the build.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 21:26:28 +02:00
Jouni Malinen
2b406eecee DPP: Update Auth-I derivation operations
This is not properly defined in the technical specification and will
need to be clarified there. Change the implementation to use a design
that is more likely to be used in the cleaned up tech spec.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 20:50:56 +02:00
Jouni Malinen
77ae98511d tests: sigma_dut and DPP netAccessKey curve change
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 01:20:49 +02:00
Jouni Malinen
117dc4ea41 tests: DPP curve change for netAccessKey
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 01:07:59 +02:00
Jouni Malinen
de64dfe98e DPP: Curve change for netAccessKey
Allow the Configurator to be configured to use a specific curve for the
netAccessKey so that it can request the Enrollee to generate a new key
during the configuration exchange to allow a compatible Connector to be
generated when the network uses a different curve than the protocol keys
used during the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 01:07:59 +02:00
Jouni Malinen
fd2eb7a41e DPP: Fix a memory leak on error path
The encoded CSR could have been leaked if another memory allocation were
to fail in this function. Use a shared return path to free the allocated
temporary buffers to avoid this.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-08 00:28:10 +02:00
Jouni Malinen
1d4cd24d0b tests: sigma_dut and DPP Reconfig Auth Req error cases
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-08 00:06:00 +02:00
Jouni Malinen
e9551efe05 DPP: Missing/invalid Protocol Version in Reconfig Auth Req
Extend dpp_test testing functionality to allow the Protocol Version
attribute to be removed or modified to invalid value in Reconfig
Authentication Request.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-07 23:40:27 +02:00
Jouni Malinen
fc78c13550 tests: sigma_dut and DPP PKEXv1 responder
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-07 21:38:25 +02:00
Jouni Malinen
eeb72e7c9a DPP: Extend DPP_PKEX_ADD ver=<1/2> to cover Responder role
Allow PKEX v1-only or v2-only behavior to be specific for the Responder
role. This is mainly for testing purposes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-07 21:37:40 +02:00
Jhalak Naik
6c3c431bbd Add QCA vendor attribute to enable Spectral FFT recapture
Add a QCA vendor attribute to enable FFT recapture on user trigger.
Enable FFT recapture only when spectral scan period is greater than 52
us.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-04 22:35:33 +02:00
Jouni Malinen
c34b35b54e tests: WPA3 with SAE password from RADIUS
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-04 12:25:47 +02:00
Mario Hros
fcbdaae8a5 SAE: Add support for RADIUS passphrase as the SAE password
Allow the first Tunnel-Password RADIUS entry to be used for SAE in
addition to the sae_password entries and wpa_passphrase parameters from
the static configuration file.

Signed-off-by: Mario Hros <git@reversity.org>
2022-03-04 12:25:14 +02:00
Baligh Gasmi
3d86fcee07 cleanup: Remove unreachable code
There is no need for unreachable code in these places, so remove it.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2022-03-04 12:07:46 +02:00
Yegor Yefremov
9683195ee5 qca-vendor: Fix typos
Fix typos found with codespell utility.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-03-04 12:04:54 +02:00
Yegor Yefremov
4c9ef9322a brcm_vendor: Fix typos
Fix typos found with codespell utility.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-03-04 12:04:54 +02:00
Yegor Yefremov
d65285ab8f src/drivers: Fix typos
Fix typos found with codespell utility.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-03-04 12:04:51 +02:00