Commit graph

16456 commits

Author SHA1 Message Date
Jouni Malinen
cd99a8c432 EAP-TEAP (server): Allow Phase 2 skip based on client certificate
eap_teap_auth=2 can now be used to configure hostapd to skip Phase 2 if
the peer can be authenticated based on client certificate during Phase
1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-20 18:07:04 +03:00
Jouni Malinen
5196293926 EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used
The EAP-TEAP server may skip Phase 2 if the client authentication could
be completed during Phase 1 based on client certificate. Handle this
similarly to the case of PAC use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-20 18:05:46 +03:00
Jouni Malinen
9593ce6587 OpenSSL: Provide access to peer subject and own certificate use
These are needed for EAP-TEAP server and client side implementation to
allow Phase 2 to be skipped based on client certificate use during Phase
1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-20 18:04:51 +03:00
Jouni Malinen
b5dab03a13 Convert int to bool for throughput estimate tables
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-19 18:34:26 +03:00
Matthew Wang
b97aa038b7 Add WPA_EVENT_{DO,SKIP}_ROAM events
Add events for within-ESS reassociation. This allows us to monitor roam
events, both skipped and allowed, in tests.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2020-06-19 18:34:26 +03:00
Matthew Wang
d6b450e890 Refactor wpa_supplicant_need_to_roam()
Pull all the within-ESS roam code out of wpa_supplicant_need_to_roam()
and into its own function, wpa_supplicant_need_to_roam_within_ess().
This way, we avoid interleaving several #ifndef's in the original
function and wrap the new function in one big #ifndef. This also
modularizes the within-ESS roam code and makes it easier to test.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2020-06-19 18:30:08 +03:00
Matthew Wang
2ff5a1fdb1 Use lookup-table instead of macro for TX rate estimates
Change INTERPOLATE_RATE() macro to a lookup-table instead for the sake
of readability.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2020-06-19 16:59:13 +03:00
Jouni Malinen
fa09b85c4e DPP2: Remove forgetten development time debug prints
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:37:40 +03:00
Jouni Malinen
1046145093 tests: Copy subject from CSR to certificate
Instead of overriding the subject field with something arbitrary, use
the value that is included in the CSR now that there is something there.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:36:44 +03:00
Jouni Malinen
a758a66725 tests: DPP over TCP for enterprise provisioning
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:48 +03:00
Jouni Malinen
0bbab64656 DPP2: Fix dot1x config object parsing without trustedEapServerName
Need to check that the JSON node was found before using its value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:48 +03:00
Jouni Malinen
8f88dcf050 DPP2: Add an automatic peer_bi entry for CSR matching if needed
This allows the DPP_CA_SET command to be targeting a specific DPP-CST
event in cases where the Configurator did not receive the bootstrapping
information for the peer.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:48 +03:00
Jouni Malinen
b25ddfe9d3 DPP2: Add Enrollee name into CSR as the commonName
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:48 +03:00
Jouni Malinen
11aa77e00f DPP2: GAS comeback response processing for Enrollee over TCP
This is almost identical to processing of the GAS initial response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:37 +03:00
Jouni Malinen
18e013a93f DPP2: GAS comeback request processing for Configurator over TCP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-19 00:13:37 +03:00
Jouni Malinen
68d9586a46 DPP2: GAS Comeback Request for the TCP case
Make the Enrollee handle GAS comeback delay when performing DPP over
TCP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 13:17:17 +03:00
Jouni Malinen
a352c7230d DPP2: Comeback delay response for certificate in over TCP case
Send out the GAS Initial Response with comeback delay when Configurator
is operating over TCP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 13:03:29 +03:00
Jouni Malinen
0f9463d6ee DPP2: CSR wait in Configurator when using TCP
Make Configurator wait for CSR (i.e., another Config Request) when using
DPP over TCP similarly to the over Public Action frame case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 12:56:51 +03:00
Jouni Malinen
1f86b2c248 DPP2: CSR generation in TCP Client/Enrollee
This was previously covered for the DPP over Public Action frames, but
the DPP over TCP case was missed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 12:10:23 +03:00
Jouni Malinen
697fa0c4bd DPP2: Do not try to proceed with GAS client if CSR building fails
This error path was supposed to stop instead of continuing to
wpas_dpp_start_gas_client().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-18 12:09:00 +03:00
Alan Chen
ffc8ae507e Define a new QCA vendor attribute for Optimized Power Management
Define a new attribute configuring Optimized Power Management.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 21:59:47 +03:00
Jouni Malinen
725d98a513 tests: DPP and enterprise provisioning and CSR getting rejected
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 21:42:35 +03:00
Jouni Malinen
3a3eded0dc DPP2: Allow CSR processing by CA/RA to reject configuration
"DPP_CA_SET name=status value=<int>" can now be used to explicitly
indicate that CSR was rejected by CA/RA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 21:39:47 +03:00
Jouni Malinen
3b60f11741 DPP2: Validate CSR on Configurator before forwarding to CA/RA
Parse the received CSR, verify that it has been signed correctly, and
verify that the challengePassword is present and matches the derived cp.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 20:33:07 +03:00
Jouni Malinen
c98db9f1f8 DPP2: Add challengePassword into CSR
Derive challengePassword from bk and add it into the CSR.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-17 12:22:08 +03:00
Jouni Malinen
dbbb0d5b82 OpenSSL: Use EVP-based interface for ECDSA sign/verify
The low level ECDSA interface is not available in BoringSSL and has been
deprecetated in OpenSSL 3.0, so move to using a higher layer EVP-based
interface for performing the ECDSA sign/verify operations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:26:09 +03:00
Jouni Malinen
5abf8ad9b2 tests: DPP enterprise provisioning
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:26:09 +03:00
Jouni Malinen
ace3723d98 DPP2: Enterprise provisioning (Enrollee)
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS)
configuration object. This commit is handling only the most basic case
and a number of TODO items remains to handle more complete CSR
generation and config object processing.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:26:06 +03:00
Jouni Malinen
6568e5d203 DPP2: Enterprise provisioning (Configurator)
Add Configurator functionality for provisioning enterprise (EAP-TLS)
configuration object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
4643b2feec DPP2: Enterprise provisioning definitions for dot1x AKM
Add shared AKM definitions for provisioning enterprise (EAP-TLS)
credentials.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
812d52ae27 OpenSSL: Support EC key from private_key blob
Try to parse the private_key blob as an ECPrivateKey in addition to the
previously supported RSA and DSA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
4b834df5e0 OpenSSL: Support PEM encoded chain from client_cert blob
Allow a chain of certificates to be configured through a client_cert
blob.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-16 18:24:23 +03:00
Jouni Malinen
68ac45d53c GAS server: Support comeback delay from the request handler
Allow GAS request handler function to request comeback delay before
providing the response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-15 23:56:06 +03:00
Jouni Malinen
608adae5ba JSON: Add base64 helper functions
These functions are similar to the base64url helpers but with the base64
(not url) alphabet.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-15 20:19:19 +03:00
Jouni Malinen
c7e6dbdad8 base64: Add no-LF variant for encoding
base64_encode_no_lf() is otherwise identical to base64_encode(), but it
does not add line-feeds to split the output.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-15 20:18:12 +03:00
Jouni Malinen
6dc2c0118a Update DFS terminology in attribute value documentation
Use "client device" as the term for the device that operates under a
guidance of the device responsible for enforcing DFS rules.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-11 21:53:24 +03:00
Muna Sinada
621745917f Allow HE-without-VHT to add the Channel Switch Wrapper element
Modify the check for VHT to include an option for HE in
hostapd_eid_wb_chsw_wrapper() and its callers to allow the Channel
Switch Wrapper element with the Wide Bandwidth Channel Switch subelement
to be included in Beacon and Probe Response frames when AP is operating
in HE mode without VHT.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
2020-06-11 00:56:45 +03:00
Muna Sinada
d51b1b7a66 Move hostapd_eid_wb_chsw_wrapper() to non-VHT-specific file
Move hostapd_eid_wb_chsw_wrapper() from VHT specific ieee802_11_vht.c to
ieee802_11.c since this can be used for both HE and VHT. This commit
does not change any functionality to enable the HE use case, i.e., the
function is just moved as-is.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
2020-06-11 00:53:26 +03:00
Rajkumar Manoharan
1f72bbbefb AP: Reject association request upon invalid HE capabilities
Operation in the 6 GHz band mandates valid HE capabilities element in
station negotiation. Reject association request upon receiving invalid
or missing HE elements.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:34:38 +03:00
Rajkumar Manoharan
088bef1786 AP: Restrict Vendor VHT to 2.4 GHz only
Vendor VHT IE is used only on the 2.4 GHz band. Restrict the use of
vendor VHT element to 2.4 GHz. This will ensure that invalid/wrong user
configuration will not impact beacon data in other than the 2.4 GHz
band.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:30:50 +03:00
Rajkumar Manoharan
6a34bd3007 HE: Use device HE capability instead of HT/VHT for 6 GHz IEs
Previously, 6 GHz Band Capability element was derived from HT and VHT
capabilities of the device. Removes such unnecessary dependency by
relying directly on the HE capability.

In addition, clean up the struct ieee80211_he_6ghz_band_cap definition
to use a 16-bit little endian field instead of two 8-bit fields to match
the definition in P802.11ax.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:23:24 +03:00
Rajkumar Manoharan
9272ebae83 nl80211: Fetch HE 6 GHz capability from the driver
Read mode specific HE 6 GHz capability from phy info. This is needed
for futher user config validation and IE construction.

Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
2020-06-10 21:14:56 +03:00
Jouni Malinen
f25c51a9f4 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2020-05-31.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-06-10 21:12:44 +03:00
Brian Norris
1ce2a4fbea tests: Add all-blacklist test
Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-06-10 21:12:44 +03:00
Brian Norris
ddd821365a tests: Skip malformed SAE authentication frames
The parsed 'length' field might pointsbeyond the end of the frame, for
some malformed frames. I haven't figured the source of said packets (I'm
using kernel 4.14.177, FWIW), but we can at least be safer about our
handling of them here.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2020-06-10 21:12:44 +03:00
Johannes Berg
2f9e2f9044 tests: Check for mac80211_hwsim module before loading it
Instead of checking if the kernel allows modules (via the presence of
/proc/modules), check if mac80211_hwsim is already there and load it
only if not. This gets rid of some ugly prints from modprobe in case
code isn't even a module and cannot be found, etc.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-06-10 21:12:44 +03:00
Johannes Berg
4dd712bd36 tests: Use bytes in a few places
With python3 bytes are returned for stdout, so need to use b''
strings instead of normal strings. These are just a few places
I ran into, almost certainly more places need it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-06-10 21:12:44 +03:00
Johannes Berg
db294952bb tests: Set VHT160 or VHT160-80PLUS80 capability
If we want the test to actually use 160/80+80 we need to explicitly
advertise that we support it ourselves, since the kernel is going to be
a bit more strict about this.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-06-10 21:12:44 +03:00
Jouni Malinen
518be614f1 SAE-PK: Advertise RSNXE capability bit in STA mode
Set the SAE-PK capability bit in RSNXE when sending out (Re)Association
Request frame for a network profile that allows use of SAE-PK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:47:07 +03:00
Jouni Malinen
de36f6b7b3 tests: SAE-PK with group 21
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:47:07 +03:00