RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
While the drafts for RFC 9190 used a separate Commitment Message term,
that term was removed from the published RFC. Update the debug prints to
match that final language.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The previously used references were pointing to an obsoleted RFC and
draft versions. Replace these with current versions.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
To support the STA testbed role, the STA has to disable transmitting
EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to
disable sending EAPOL-Key group msg 2/2 of Group Key Handshake.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
This is a workaround for mac80211 behavior of retransmitting the
Association Request frames multiple times if the link layer retries
(i.e., seq# remains same) fail. The mac80211 initiated retransmission
will use a different seq# and as such, will go through duplicate
detection. If we were to change our DH key for that attempt, there would
be two different DH shared secrets and the STA would likely select the
wrong one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a QCA_WLAN_VENDOR_FEATURE_USE_ADD_DEL_VIRTUAL_INTF_FOR_NDI
flag to indicate that the driver requires add/del virtual interface
path using the generic nl80211 commands for NDP interface create/delete
and to register/unregister of netdev instead of creating/deleting
the NDP interface using vendor commands.
With the latest Linux kernel (5.12 version onward), interface
creation/deletion is not allowed using vendor commands as it leads to a
deadlock while acquiring the RTNL_LOCK during the register/unregister of
netdev. Create and delete NDP interface using NL80211_CMD_NEW_INTERFACE
and NL80211_CMD_DEL_INTERFACE commands respectively if the driver
advertises this capability.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This makes the debug log clearer for one of the more likely cases of
"invalid group cipher" preventing RSNE parsing.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Copy channels from only valid operating classes in the source channel
list while preparing a non-6 GHz channel/op-classes list when the 6 GHz
band is not used for P2P GO negotiation.
Earlier, during preparation of P2P channels for GO negotiation, a union
of the GO channels and the P2P Client channels is used. While generating
the union in p2p_channels_union_inplace() as the first list itself has
P2P_MAX_REG_CLASSES number of entries, the operating classes from the
second list which are not in the first list were not getting considered.
Fix this by not setting the dst->reg_classes to too large a value.
Fixes: f7d4f1cbec ("P2P: Add a mechanism for allowing 6 GHz channels in channel lists")
Signed-off-by: Sreeramya Soratkal <quic_ssramya@quicinc.com>
While these do not return error code within the current hostapd
implementation, matching functions in wpa_supplicant AP functionality
will have an error case and using consistent return type will make the
control interface code more consistent.
In addition, export hostapd_set_acl() in preparation for the
wpa_supplicant control interface implementation extension.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
This allows upper layers to learn about associated stations requesting
BSS transition management from the AP.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
Only the SME-in-hostapd case updated sta->ext_capability while the
SME-in-the-driver case updated sta->qos_map_enabled, but not other items
related to the extended capabilities. This resulted in reduced
information being available through the control interface.
Use the shared helper function for both cases to get matching
information available regardless of the SME architecture.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
dpp_configurator_params changes were taken into use in the
non-TCP/Controller case immediately on change, but that was not the case
for the Controller where this was updated only when explicitly starting
it. Change this to update dpp_configurator_params for the Controller as
well even if it is already running.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PKEX Exchange Request handling in Controller used incorrect msg_ctx
pointer and that could result in event messages causing unexpected
behavior. Fix this by registering the correct msg_ctx pointer for these
cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
On radar detection on the main chain switch to the channel monitored
by the background chain if we have already performed the CAC there.
If a radar pattern is reported on the background chain, just select a
new random channel according to the regulations for monitoring.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Rely on hostapd_dfs_request_channel_switch() to enable CSA for
background radar detection switching back to the selected channel.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
This is a preliminary patch to add Channel Switch Announcement for
background radar detection.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Introduce the capability to perform radar/CAC detection on an offchannel
radar chain available on some hardware (e.g., mt7915). This feature
allows to avoid CAC downtime switching on a different channel during CAC
detection on the selected radar channel.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Allow background radar detection flag to be set when specifying a
channel. This is a preliminary change to introduce radar/CAC background
detection support.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Add the capability to specify all 3 channel type possibilities in
dfs_downgrade_bandwidth(). This is a preliminary change to introduce
radar/CAC background detection support.
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
RSA low-level routines were deprecated in OpenSSL 3.0.
EVP_PKEY_get_bits(), or its older and more backwards compatible name
EVP_PKEY_bits() can be used here instead.
Signed-off-by: Jouni Malinen <j@w1.fi>
EVP_PKEY_get0_EC_KEY() and EC_KEY_get0_group() were deprecated in
OpenSSL 3.0. Add a version of this by determining the group without
fetching the EC_KEY itself from an EVP_PKEY.
Signed-off-by: Jouni Malinen <j@w1.fi>
EC_GROUP_get_curve_GFp() was deprecated in OpenSSL 3.0.
EC_GROUP_get_curve() can be used to do the exact same thing. Add a
backwards compatibility wrapper for older OpenSSL versions to be able to
use this newer function.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 3.0 deprecated EVP_PKEY_cmp() and replaced it with EVP_PKEY_eq()
which is not available in older versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
There can be some discrepancy between the theorical dfs cac end (as
computed with the cac duration and cac start) and the actual cac end as
reported by the driver. During that window, the value of remaining time
outputed by the status command on the socket control interface will
display an overflowed, invalid value.
To mitigate this lets compute the remaining time as signed and display
it only when positive, otherwise defaulting it to 0.
Status command shows something like that when polling every seconds:
state=DFS
cac_time_seconds=60
cac_time_left_seconds=1
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=0
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967294
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967293
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967292
...
state=ENABLED
cac_time_seconds=60
cac_time_left_seconds=N/A
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
The current code generates a warning when compiled by Clang, because if
we goto 'fail:', password_len can be uninitialised when we pass it in to
bin_clear_free().
Note that the actual usage is safe, because bin_clear_free() ignores
the second argument if the first argument is NULL, but it still seems
worth cleaning up.
Signed-off-by: Alasdair Mackintosh <alasdair at google.com>
This makes it easier for non-SOAP cases to validate HTTP server name
(from the URL) match against the certificate.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add QCA_WLAN_TWT_NOTIFY command type to send event to userspace when AP
changes TWT required bit field in its capabilities.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support for new QCA nested attributes to pass the AFC channel
information as part of the external ACS request command,
EXTERNAL_ACS_EVENT_CHAN_INFO.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is mainly for testing purposes to allow a Configurator to the curve
between provisioning cases. This would not work for real deployement
cases unless every Enrollee were reconfigured.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
DPP network introduction requires all devices to use the same curve for
netAccessKey. Enforce that this happens based on hardcoding the curve
based on the first successful configuration object generation if no
explicit configuration of the curve was used.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is not properly defined in the technical specification and will
need to be clarified there. Change the implementation to use a design
that is more likely to be used in the cleaned up tech spec.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the Configurator to be configured to use a specific curve for the
netAccessKey so that it can request the Enrollee to generate a new key
during the configuration exchange to allow a compatible Connector to be
generated when the network uses a different curve than the protocol keys
used during the authentication exchange.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The encoded CSR could have been leaked if another memory allocation were
to fail in this function. Use a shared return path to free the allocated
temporary buffers to avoid this.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Extend dpp_test testing functionality to allow the Protocol Version
attribute to be removed or modified to invalid value in Reconfig
Authentication Request.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow PKEX v1-only or v2-only behavior to be specific for the Responder
role. This is mainly for testing purposes.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a QCA vendor attribute to enable FFT recapture on user trigger.
Enable FFT recapture only when spectral scan period is greater than 52
us.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the first Tunnel-Password RADIUS entry to be used for SAE in
addition to the sae_password entries and wpa_passphrase parameters from
the static configuration file.
Signed-off-by: Mario Hros <git@reversity.org>
