The new DPP_BOOTSTRAP_GEN command parameter supported_curves can be used
to specify a colon separated list of supported curves. Information from
a parsed URI shows this information with a new supp_curves line in the
DPP_BOOTSTRAP_INFO output.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
git has started rejecting repositories owned by other users and refusing
to run the "git rev-parse HEAD" command in this type of cases. That
resulted in issues with the VM testing model where the VM is practically
running everything as root while the host is a normal development
environment and likely a non-root user owned files.
Fix this by fetching the commitid on the host and pass it to the VM so
that no git operations need to be run within the VM itself.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Do not add the --commit argument if the current git commitid cannot be
determined. This prevents complete failure to run the tests if the git
command cannot be used for some reason (like a recent change that
stopped allowing root user within the VM from running the git operation
for the case where the host system uses non-root account).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to reset eLNA bypass configuration to default behavior.
If value of 2 is configured, the driver can choose either to
disable/enable eLNA bypass control and there is no enforcement
from userspace.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
OpenSSL 3.0 deprecated the low-level DH functions, so use the EVP API
for this. Maintain the DH API variant for older versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 3.0 deprecated the low-level HMAC functions, so use the EVP_MAC
API for this. Maintain the HMAC API variant for older versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
This frees up the allocated resources and makes memory leak detection
more convenient without the known allocations being left behind.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 3.0 deprecated the low-level encryption functions, so use the
EVP API for this. Maintain the previous version for BoringSSL and
LibreSSL since not all versions seem to have the EVP_aes_*_wrap()
functions needed for the EVP API.
Signed-off-by: Jouni Malinen <j@w1.fi>
aes_encrypt_init() used incorrect function to free the EVP_CIPHER_CTX
allocated within this function. Fix that to use the OpenSSL function for
freeing the context.
Signed-off-by: Jouni Malinen <j@w1.fi>
When receiving a beacon report request with the mode set to active,
channels that are marked as NO_IR were not added to the scan request.
However, active mode just mean that active scan is allowed, but not
that it is a must, so these channels should not be omitted.
Include channels that are marked as NO_IR in the scan request even
if the mode is set to active.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
The id and cred_id variables are reset to 0 every time the
wpa_config_read() function is called, which is fine as long as it is
only called once. However, this is not the case when using both the -c
and -I options to specify two config files.
This is a problem because the GUI, since commit eadfeb0e93 ("wpa_gui:
Show entire list of networks"), relies on the network IDs being unique
(and increasing), and might get into an infinite loop otherwise.
This is solved by simply making the variables static.
Signed-off-by: Naïm Favier <n@monade.li>
Add Transmit Power Envelope element for 6 GHz per IEEE Std
802.11ax-2021.
Currently, this uses hard coded EIRP/PSD limits which are applicable to
6 GHz operation in United states, Japan, and Korea. Support to extract
power limits from kernel data will be added after complete regulatory
support is added for the 6 GHz band.
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add new field definitions for the 6 GHz Operation Information field in
the HE Operation element per IEEE Std 802.11ax-2021, 9.4.2.249. These
will be used for TPC operation in the 6 GHz band.
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
IEEE Std 802.11ax-2021 introduces Regulatory Info subfield to specify
the 6 GHz access point type per regulatory. Add a user config option for
specifying this.
When not specified, Indoor AP type is selected for the 6 GHz AP by
default.
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add support for the Country element for the 6 GHz band per IEEE Std
802.11ax-2021, 9.4.2.8 (Country element).
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
force_kdk_derivation is defined within CONFIG_TESTING_OPTIONS, so need
to use matching condition when accessing it.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
On the 6 GHz band the following is not allowed (see IEEE Std
802.11ax-2021, 12.12.2), so do not allow association with an AP using
these configurations:
- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E
In addition, do not allow association if the AP does not advertise a
matching RSNE or does not declare that it is MFP capable.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
So far, this option was only present in the Makefiles. Document it as
being available for configuration since the WFA program has already been
launched.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
The default behavior in wpa_supplicant is to disable use of TLSv1.3 in
EAP-TLS unless explicitly enabled in network configuration. The new
CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to
enable TLSv1.3 by default (if supported by the TLS library).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It could have been possible to get into an endless loop of retried EAP
authentication followed by failing or not completed 4-way handshake if
there was a different interpretation of EAP authentication result
(success on AP, failure on STA). Avoid this by limiting the number of
consecutive EAPOL reauth attempts without completing the following 4-way
handshake.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It would have been possible for the authentication attemps to go into a
loop if the AP/Authenticator/authentication server were to believe EAP
authentication succeeded when the local conclusion in Supplicant was
failure. Avoid this by timing out authentication immediately on the
second consecutive EAP authentication failure.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
While the drafts for RFC 9190 used a separate Commitment Message term,
that term was removed from the published RFC. Update the debug prints to
match that final language.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The previously used references were pointing to an obsoleted RFC and
draft versions. Replace these with current versions.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Change the top level Android.mk's LOCAL_PATH to S_LOCAL_PATH to
avoid potential LOCAL_PATH conflict in subdirectory's LOCAL_PATH.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This reverts commit 1192d5721b. That
commit disabled hostapd and wpa_supplicant build in user build variants.
Furthermore, it used duplicated TARGET_BUILD_VARIANT checks between the
Android.mk files.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
To support the STA testbed role, the STA has to disable transmitting
EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to
disable sending EAPOL-Key group msg 2/2 of Group Key Handshake.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
This is a workaround for mac80211 behavior of retransmitting the
Association Request frames multiple times if the link layer retries
(i.e., seq# remains same) fail. The mac80211 initiated retransmission
will use a different seq# and as such, will go through duplicate
detection. If we were to change our DH key for that attempt, there would
be two different DH shared secrets and the STA would likely select the
wrong one.
Signed-off-by: Jouni Malinen <j@w1.fi>
CONFIG_SAE was added to wpa_supplicant's defconfig but wasn't
added to the hostapd's defconfig file.
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a QCA_WLAN_VENDOR_FEATURE_USE_ADD_DEL_VIRTUAL_INTF_FOR_NDI
flag to indicate that the driver requires add/del virtual interface
path using the generic nl80211 commands for NDP interface create/delete
and to register/unregister of netdev instead of creating/deleting
the NDP interface using vendor commands.
With the latest Linux kernel (5.12 version onward), interface
creation/deletion is not allowed using vendor commands as it leads to a
deadlock while acquiring the RTNL_LOCK during the register/unregister of
netdev. Create and delete NDP interface using NL80211_CMD_NEW_INTERFACE
and NL80211_CMD_DEL_INTERFACE commands respectively if the driver
advertises this capability.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
STA needs to check AP's information after receive reassociation
response. STA uses connected AP's Beacon/Probe Response frame to compare
with Reassociation Response frame of the target AP currently. However,
if one AP supports OCV and the other AP doesn't support OCV, STA will
fail to verify RSN capability, then disconnect. Update current_bss to
the target AP before check, so that STA can compare correct AP's RSN
information in Reassociation Response frame.
Signed-off-by: Xin Deng <quic_deng@quicinc.com>
This makes the debug log clearer for one of the more likely cases of
"invalid group cipher" preventing RSNE parsing.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
