Use automatic PKEX version negotiation as the initiator by starting with
PKEXv2 and if no response is received, trying again with PKEXv1. For
now, this is enabled only in wpa_supplicant CONFIG_DPP3=y builds.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The radio work starting may be delayed. If the DPP listen operation is
stopped before the radio work starts, the pending dpp-listen radio work
won't get cleaned up, which might lead to failing to start the next DPP
listen operation.
Issue scenario: DPP start -> dpp-listen radio work added but not started
-> DPP stop, pending radio work not cleaned up -> radio work start ->
trying to start DPP but failing because a dpp-listen work already
exists.
This commit removes the potential pending dpp-listen radio
work when DPP stops.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support for PKEXv2 core protocol. This defines a new PKEX Exchange
Request message type with protocol negotiation and different rules for
key derivation with PKEXv2 or newer is used.
This does not change existing behavior for PKEX, i.e., the PKEXv1
variant will still be used by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the dpp_test parameter to be used to request the Protocol Version
attributed to be omitted from the Peer Discovery Request/Response
message.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Verify that the Protocol Version attribute is used appropriate in Peer
Discovery Request/Response messages in cases where the signed Connector
includes the version information.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Generate Peer Discovery Request/Response messages using the protected
version from the Connector, if present, instead of the currently
supported protocol version which might be higher than the one that got
included into the signed Connector during provisioning earlier.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When the driver provides a list of supported modes, chan6 ended getting
added even if the 2.4 GHz mode was not included. This resulted in
incorrect behavior of trying to transmit on a not supported channel in
case of 5 GHz only radios.
Fix this by adding the channel 6 by default only if the driver does not
provide a list of supported modes. Whenever the supported modes are
available, only add this channel if it is explicitly listed as an
enabled channel.
Fixes: 8e5739c3ac ("DPP2: Check channel 6 validity before adding it to chirp channel list")
Signed-off-by: Kani M <kanisumi@codeaurora.org>
The TX event for the next frame in the sequence might be received before
the TX status for the final GAS response frame is processed. This used
to result in the Config Result getting discarded and the negotiation not
completing successfully on the Configurator side.
Accept the Config Result message as an indication of the final GAS
response frame having went through fine even if the TX status has not
yet been processed to avoid this issue from a potential race condition
on kernel events.
Signed-off-by: Jouni Malinen <j@w1.fi>
The chirp scan could override the scan_res_handler. This could lead to
wpa_supplicant getting stuck in a scanning state while not scanning at
all until forced to, e.g., via an explicit SCAN control command.
The condition for trigerring this problem in my testing was when
(interface_count % 3) == 2. This introduced a two second delay before
actual scan was triggered after starting the wpa_supplicant instance up.
If DPP chirping was requested fast enough, in between the queueing and
triggering, it would punt the scan request, never to be resumed again.
Chirp scan handler wouldn't resume it leaving wpa_supplicant
inadvertently idle.
Signed-off-by: Michal Kazior <michal@plume.com>
hostapd was already exposing this. There's no reason not to expose it in
wpa_supplicant. This allows 3rd party apps interacting with the control
interface to handle DPP events to get configs instead of needing to
dance around with update_config=1 and SAVE_CONFIG.
Signed-off-by: Michal Kazior <michal@plume.com>
hostapd was already exposing this. There's no reason not to expose it in
wpa_supplicant. This allows 3rd party apps interacting with the control
interface to handle DPP events to get configs instead of needing to
dance around with update_config=1 and SAVE_CONFIG.
Signed-off-by: Michal Kazior <michal@plume.com>
The Authentication Request frames triggered by the reception of a
Presence Announcement frame were sent to the broadcast address. This is
not correct behavior since the source MAC address of the Presence
Announcement frame was supposed to override the Responder MAC address.
Fix this by using that source MAC address to avoid unnecessary use of
broadcast frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
After sending DPP Auth Response, the Responder might not receive the
Auth Confirm either due to the Initiator not sending it or the reception
of the frame failing for some reason (e.g., Responder having already
left the negotiation channel). If this happens, following initiation
attempts would fail since the consecutive Auth Request would get
discarded since the previous authentication is still in progress.
Terminate DPP authentication on Responder, if no Auth Confirm is
received within one second of successfully sending Auth Response. This
allows the Responder to accept start of a new exchange.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Replace the implicit boolean checks that used int variables with use of
a more explicit bool variable type.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use ppKey instead of C-sign-key to encrypted E-id to E'-id into Reconfig
Announcement frame on the Enrollee side.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Store the received privacy protection key from Connector into
wpa_supplicant network profile and indicate it through the control
interface similarly to C-sign-key.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Generate a control interface event upon receipt of DPP Presence
Announcement frames. This allows external programs to instrument
wpa_supplicant with bootstrapping information on-demand.
Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
Check if the 2.4 GHz channel 6 is in the list of available channels
advertised by the driver before adding in to the chirping frequency
list. This fixes issues, e.g., with a 5 GHz only interface.
Signed-off-by: Disha Das <dishad@codeaurora.org>
These were not really used anymore since the AP/Relay case did not set
msg_ctx or process_conf_obj in the global DPP context. Get the
appropriate pointers more directly from the more specific data
structures instead and remove these global values.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend hostapd support for DPP Controller to cover the DPP_CONTROLLER_*
cases that were previously implemented only in wpa_supplicant. This
allows hostapd/AP to be provisioned using DPP over TCP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The local network profile parameters for EAP are not available without
IEEE8021X_EAPOL, so do not try to set these in builds that do not
include any EAP support.
Signed-off-by: Jouni Malinen <j@w1.fi>
The offchannel operations (scan, Public Action frame TX/RX) have
significantly more latency when performed while connected, so disconnect
when requested to initiate DPP reconfiguration to avoid this. The old
network profile (i.e., likely the current connection) is going to be
replaced in practice and as such, there is no need to try continue that
association any further.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend DPP authentication session search for the DPP_QR_CODE command to
cover the ongoing exchanges in Controller/Responder.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend the DPP_CONTROLLER_START command to accept the optional qr=mutual
parameter similarly to the DPP_LISTEN case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an optional iter=# parameter to DPP_RECONFIG similarly to the way
this was handled with DPP_CHIRP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an encrypted Enrollee identifier into Reconfig Announcement frames
and decrypt that on the Configurator side. The actual E-id value is
currently not used for anything, but it can be used in the future to
provide better control over reconfiguration.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was added to the protocol design to support cases where the
C-sign-key uses a different group than the netAccessKey. The Enrollee
now indicates its netAccessKey group in Reconfig Announcement and the
Configurator builds it own reconfig Connector using that group instead
of the group used for the C-sign-key.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
remove_on_tx_status needs to be set in this case even if
dpp_config_processing=2 is used since there will be no connection
attempt when receiving a Configurator backup instead of station config
object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_s->dpp_auth did not get cleaner if dpp_config_processing=1 is used.
Clear this after having received TX status for Configuration Result to
avoid leaving behind the completed provisioning instance.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The pending authentication exchange will make us ignore Reconfig
Authentication Request, so do not allow reconfiguration to be started in
that state.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This fixes an issue where the pending authentication might have held a
reference to auth->tmp_peer_bi and dpp_auth_deinit() would try to free
that bootstrapping entry. This needs to happen before the call to
dpp_global_clear() to avoid double-removal of the bootstrapping entry
from the list.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows the DPP_CA_SET command to be targeting a specific DPP-CST
event in cases where the Configurator did not receive the bootstrapping
information for the peer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"DPP_CA_SET name=status value=<int>" can now be used to explicitly
indicate that CSR was rejected by CA/RA.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add initial Enrollee functionality for provisioning enterprise (EAP-TLS)
configuration object. This commit is handling only the most basic case
and a number of TODO items remains to handle more complete CSR
generation and config object processing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use key_mgmt_iftype instead of key_mgmt when the specific interface type
is known by the context of the operation.
Use per interface type AKM capabilities in capa.key_mgmt_iftype array
based on the wpa_supplicant context instead of using capa.key_mgmt to
determine the driver AKM capability.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
This allows DPP_AUTH_INIT to be used with tcp_addr=<dst> argument and
Configurator parameters to perform Configurator initiated DPP
provisioning over TCP. Similarly, DPP_CONTROLLER_START can now be used
to specify Configurator/Enrollee roles and extend Controller to work in
Enrollee role.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend Enrollee functionality to process Reconfig Authentication
Confirm message and start GAS client.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>