Commit graph

17877 commits

Author SHA1 Message Date
Purushottam Kushwaha
ef4cd8e33c QoS: Use common classifier_mask for ipv4/ipv6
ipv4_params/ip6_params in type4_params maintains separate classifier
mask while type4_params already has a common classifier_mask. Lets
use the common classifier mask for both ipv4/ipv6 params and remove
the redundant params_mask in ipv4_params/ip6_params.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2022-07-28 12:31:37 +03:00
Xiaoning Ma
93be02592c Add fixed FDD mode to qca_btc_chain_mode QCA vendor attribute
Previously when chains of BT and WLAN 2.4 GHz are separated,
hybrid mode will be used for BTC. Now adding fixed FDD mode
to fulfill different BTC scenarios.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-28 12:24:21 +03:00
Jouni Malinen
e7cbfa1c12 tests: sigma_dut and DPP Enrollee unsupported curves
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-28 11:22:44 +03:00
Jouni Malinen
5565fbee23 DPP: Check Enrollee supported curves when building Config Response
The Enrollee may report its supported curves in the bootstrapping URI.
If it does that, the Configurator may stop generating the Config Object
that would depend on the Enrollee using a curve that it did not indicate
as being supported. Check for this case while proessing the Config
Request and stop Configurator from building a configuration that is
known not to work.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-28 11:19:55 +03:00
Jouni Malinen
ceae05cec2 tests: sigma_dut and DPP MUDURL setting for hostapd
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-27 13:43:58 +03:00
Jouni Malinen
4cfb484e90 DPP: Allow dpp_controller_start without arguments in CLIs
The DPP_CONTROLLER_START control interface command can be used without
any arguments, so do not force at least a single argument to be included
in wpa_cli and hostapd_cli.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-27 12:33:40 +03:00
Jouni Malinen
c97000933c Fix ifdef condition for imsi_privacy_cert
CRYPTO_RSA_OAEP_SHA256 is not sufficient here since ssid->eap does not
exist without IEEE8021X_EAPOL.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 11:12:11 +03:00
Jouni Malinen
2a9a61d6cd tests: SAE with extended key AKM
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 11:12:11 +03:00
Jouni Malinen
e35f6ed1d4 tests: More detailed report on SAE PMKSA caching error case
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
f70db167ab SAE: Derive a variable length PMK with the new AKM suites
Select the PMK length based on the used group (prime length) when using
the new AKM suites for SAE.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
91010e6f67 SAE: Indicate AKM suite selector in commit for new AKM suites
SAE authentication needs to known which AKM suite is being used to be
able to determine the correct PMK length for the new AKM suite selectors
that use variable length keys.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
e81ec0962d SAE: Use H2E unconditionally with the new AKM suites
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
f8eed2e8b8 SAE: Store PMK length and AKM in SAE data
These are needed to be able to support new AKM suites with variable
length PMK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
9dc4e9d136 SAE: EAPOL-Key and key/MIC length information for the new AKM suites
Update the AKM suite specific mapping of various EAPOL-Key key lengths
and algorithms to include the new SAE AKM suites with variable length
keys.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
a32ef3cfb2 SAE: Driver capability flags for the new SAE AKM suites
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
91df8c9c65 SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
5c8a714b18 SAE: Use wpa_key_mgmt_sae() helper
Use the existing helper function instead of maintaining multiple copies
of lists of SAE key management suites.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
5456b0f260 Define new RSN AKM suite selector values
Add the new AKM suite selectors defined in IEEE P802.11-REVme/D1.3.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
def33101c8 DPP: Clear push button announcement state on wpa_supplicant FLUSH
This was already done in hostapd and same is needed for wpa_supplicant
to avoid testing issues due to session overlap detection from previous
test cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
35587fa8f3 tests: DPP Controller/Relay with need to discover Controller
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
d22dfe9187 DPP: Event message for indicating when Relay would need a Controller
The new DPP-RELAY-NEEDS-CONTROLLER control interface event can be used
to trigger mDNS discovery of a Controller to see if such a connection
can be established automatically at the time an Enrollee is trying to
initiate an operation.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
ca7892e98f tests: DPP Relay and adding/removing connection to a Controller
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
bfe3cfc382 DPP: Allow Relay connections to Controllers to be added and removed
The new control interface commands "DPP_RELAY_ADD_CONTROLLER <IP addr>
<PK hash>" and "DPP_RELAY_REMOVE_CONTROLLER <IP addr>" can now be used
to dynamically add and remove connections to Controllers for the cases
where the connection is initialized through a DPP Public Action frame
(i.e., Controller as the Responder).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
808834b18b Add a comparison function for hostapd_ip_addr
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
f7763880bd DPP: Advertise Configurator connectivity on Relay automatically
Instead of requiring explicit configuration through
dpp_configurator_connectivity=1, advertise Configurator connectivity
automatically if a Relay is configured with a Controller that can
operate as a Responder.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
ff7cc1d490 tests: DPP Relay and dynamic Controller addition
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-23 16:58:00 +03:00
Jouni Malinen
ca682f80a9 DPP: Dynamic Controller initiated connection on Relay
Accept an incoming TCP connection from a Controller in a Relay that is
configured with dpp_relay_port even if that Controller is not configured
with a dpp_controller parameter. This allows more dynamic Controller
initiated operations, e.g., when using mDNS to discover a Relay.

This type of a dynamic Controller entry will not be used for exchanges
that are initiated by an Enrollee (i.e., based on a DPP Public Action
frame received by the Relay).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-23 16:57:54 +03:00
Jouni Malinen
d2388bcca5 DPP: Strict validation of PKEX peer bootstrapping key during auth
Verify that the peer does not change its bootstrapping key between the
PKEX exchange and the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:08:08 +03:00
Jouni Malinen
a7b8cef8b7 DPP3: Fix push button boostrapping key passing through PKEX
When PKEX was started through the push button mechanism, the own
bootstrapping key was not bound correctly to the Authentication phase
information and that ended up in incorrectly generating a new
bootstrapping key for the Authentication exchange. Fix this by added the
needed own=<id> parameter into the cached parameters when using push
button.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:06:04 +03:00
Jouni Malinen
69d7c8e6bb DPP: Add peer=id entry for PKEX-over-TCP case
The peer=<id> information about the specific boostrapping key provided
through PKEX was added for Public Action frame cases, but the TCP
variant did not do same. Add the same information there to maintain
knowledge of the specific peer bootstrapping key from PKEX to
Authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:04:08 +03:00
Jouni Malinen
b607d2723e tests: sigma_dut and DPP PB Configurator in wpa_supplicant
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 12:39:58 +03:00
Jouni Malinen
1ff9251a83 DPP3: Push button Configurator in wpa_supplicant
Extend DPP push button support in wpa_supplicant to allow the role of
the Configurator to be used. This provides similar functionality to the
way the DPP_PUSH_BUTTON command in hostapd worked when providing the
configuration parameters with that command (instead of building the
config object based on current AP configuration).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 12:28:18 +03:00
Jouni Malinen
b94e46bc71 tests: PB Configurator in wpa_supplicant
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 12:27:24 +03:00
Jouni Malinen
ca4e82cbfe tests: sigma_dut DPP/PKEX initiator as Configurator over TCP and Wi-Fi
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 20:32:32 +03:00
Jouni Malinen
e9137950fa DPP: Recognize own PKEX Exchange Request if it ends up being received
It is possible for a Controller to receive a copy of its own PKEX
Exchange Request in the case where the Controller is initiating a PKEX
exchange through a Relay. The Configurator role in the device would have
a matching PKEX code in that case and the device might reply as a PKEX
responder which would result in going through the exchange with the
Controller device itself. That is clearly not desired, so recognize this
special case by checking whether the Encrypted Key attribute value
matches a pending locally generated one when processing a received PKEX
Exchange Request.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 20:30:07 +03:00
Jouni Malinen
6929564467 DPP: Note PKEX code/identifier deletion in debug log
This was already done in hostapd, but not in wpa_supplicant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 17:48:54 +03:00
Jouni Malinen
dfa9183b11 tests: DPP reconfig after Controller-initiated operation through Relay
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 13:16:26 +03:00
Jouni Malinen
ae4a3a6f67 DPP: Add DPP-CONF-REQ-RX event for Controller
This gets the Controller (DPP-over-TCP) sequence closer to the one used
with Public Action frames and makes it easier for upper layer components
to share the same design for tracking operation status.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 13:15:22 +03:00
Jouni Malinen
17216b5242 tests: sigma_dut DPP/PKEX initiator as Configurator (TCP) through Relay
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 23:28:33 +03:00
Jouni Malinen
fb2937b858 DPP: Allow Controller to initiate PKEX through Relay
Relay will need to allow the PKEX Exchange Response message to be
handled similarly to the Authentication Response message to allow this
sequence to be completed successfully.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 23:28:33 +03:00
Jouni Malinen
15af83cf18 DPP: Delete PKEX code and identifier on success completion of PKEX
We are not supposed to reuse these without being explicitly requested to
perform PKEX again. There is not a strong use case for being able to
provision an Enrollee multiple times with PKEX, so this should have no
issues on the Enrollee. For a Configurator, there might be some use
cases that would benefit from being able to use the same code with
multiple Enrollee devices, e.g., for guess access with a laptop and a
smart phone. That case will now require a new DPP_PKEX_ADD command on
the Configurator after each completion of the provisioning exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 23:28:33 +03:00
Jouni Malinen
d86ed5b72b tests: Allow DPP_PKEX_REMOVE success in dpp_pkex_hostapd_errors
This is in preparation to allow the implementation in hostapd to be
changed to accept removal of PKEX information without indicating an
error after it have been automatically removed at the successful
completion of PKEX.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 23:28:33 +03:00
Jouni Malinen
0a4f391b1c tests: sigma_dut and DPP Connector Privacy
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
479e412a67 DPP3: Default value for dpp_connector_privacy
The new global configuration parameter
dpp_connector_privacy_default=<0/1> can now be used to set the default
value for the dpp_connector_privacy parameter for all new networks
provisioned using DPP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
7d12871ba0 test: DPP Private Peer Introduction protocol
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
148de3e0dc DPP3: Private Peer Introduction protocol
Add a privacy protecting variant of the peer introduction protocol to
allow the station device to hide its Connector from 3rd parties. The new
wpa_supplicant network profile parameter dpp_connector_privacy=1 can be
used to select this alternative mechanism to the peer introduction
protocol added in the initial release of DPP.

It should be noted that the new variant does not work with older DPP APs
(i.e., requires support for release 3). As such, this new variant is
disabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
786ea402bc HPKE base mode with single-shot API
Add support for HPKE base mode with single-shot API (see RFC 9180) using
OpenSSL. This is needed for DPP private introduction protocol.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-18 16:49:45 +03:00
Jouni Malinen
f0273bc814 OpenSSL: Remove a forgotten debug print
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-17 12:07:22 +03:00
Jouni Malinen
f2bb0839fb test: DPP 3rd party config information
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-16 17:22:23 +03:00
Jouni Malinen
68209ddbe4 DPP: Allow 3rd party information to be added into config object
This allows the DPP Configuration Object from a Configurator to be
extended with 3rd party information. This information can be provided as
a part of the existing configuration specification mechanisms with the
new extra_name=<string> and extra_value=<hexdump encoded JSON>.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-16 17:22:23 +03:00