The P2P configuration file is wrongly set as STA configuration file,
even though a separate configuration file is mentioned with '-m' option.
Add initialization and deallocation of global.params->conf_p2p_dev to
fix this.
Signed-off-by: Gautam <gautams@broadcom.com>
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.
This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
omac1_aes_128() implementation within crypto_openssl.c is used in this
case and that cannot fail the memory allocation similarly to the
non-FIPS case and aes-omac1.c.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL rejects the cipher string 'EXPORT' in FIPS mode in a way that
results in the locally generated error showing up before the EAP method
has been accepted.
Signed-off-by: Jouni Malinen <j@w1.fi>
MD4 is not allowed in such builds, so comment out md4_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD¤ operations at runtime. This makes it easier
to detect and fix accidental cases where MD4 could still be used in some
older protocols.
Signed-off-by: Jouni Malinen <j@w1.fi>
In addition, replace some of the CHAP cases with PAP since that enables
more coverage without breaking the main test focus.
Signed-off-by: Jouni Malinen <j@w1.fi>
The PKCS12 file with default openssl options cannot be used with OpenSSL
1.0.1 in FIPS mode. Replace this with -descert version as a workaround.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 94f1fe6f63 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.
Signed-off-by: Jouni Malinen <j@w1.fi>
tls_connection_get_keys() used to return TLS master secret, but that
part was removed in commit 94f1fe6f63
('Remove master key extraction from tls_connection_get_keys()'). Since
then, there is no real need for preventing this function from being used
in FIPS mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
The bytes pointer was not reset back to the beginning of the buffer when
mixing in additional entropy from the crypto module. This resulted in
writing beyond the return buffer and not getting the required mixing of
the extra entropy for the actual return buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like the compiler version used in Android 5.0 warns about
potentially uninitialized oper_freq variable in these debug messages.
That is not really valid since this code path can be reached only if
found != 0 and in such a case, oper_freq is set. Anyway, it seems better
to avoid compiler warnings, so add an unnecessary initialization for
oper_freq for now.
Signed-off-by: Jouni Malinen <j@w1.fi>
MD5 is not allowed in such builds, so comment out md5_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD5 operations at runtime. This makes it easier
to detect and fix accidental cases where MD5 could still be used in some
older protocols.
Signed-off-by: Jouni Malinen <j@w1.fi>
FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
MD5 is not available in CONFIG_FIPS=y builds, so use SHA1 for the EAP
peer workaround that tries to detect more robustly whether a duplicate
message was sent.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to build wpa_supplicant for OpenSSL FIPS mode
testing. wpa_supplicant/.config needs following type of configuration
for this:
CONFIG_FIPS=y
CFLAGS += -I/usr/local/ssl/include
LIBS += -L/usr/local/ssl/lib
CC=/usr/local/ssl/fips-2.0/bin/fipsld
Signed-off-by: Jouni Malinen <j@w1.fi>
The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are
unfortunately not available in FIPS mode. Trying to use them results in
"aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API
call to cipher AES forbidden in FIPS mode!" and process termination.
Work around this by reverting commit
f19c907822 ('OpenSSL: Implement aes_wrap()
and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this
ends up using the internal AES key wrap/unwrap implementation through
the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y
is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues
to be used to minimize code size.
Signed-off-by: Jouni Malinen <j@w1.fi>
This avoids a call to hmac_md5() to fix the build. The EAPOL-Key frame
TX code is not applicable for any FIPS mode operation, so the simplest
approach is to remove this from the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows driver-based preference list to override default operating
channel selection mechanism by using a non-social P2P find if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, this was assumed to be the case due to default channel
selection behavior. However, that may not be the case with driver-based
preference list processing. Enforce a social channel to be used as the
operating channel here since dev[2] uses social channel only device
discovery and needs to find the GO.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When processing a GO Negotiation Request and Response, if local driver
supports the preferred channel list extension, then:
- Check if peer's preference for operating channel is already included
in our preferred channel list and if so, take the oper_channel as is.
- If peer's preference for operating channel is not in local device's
preferred channel list and peer device has provided its preferred
frequency list in the GO Negotiation Request/Response, then find a
channel that is common for both preferred channel lists and use it
for oper_channel.
- If peer's preference for operating channel is not in local device's
preferred channel list and peer device doesn't use preferred channel
list extension, i.e., no preferred channel list in GO Negotiation
Request/Response, then look for a channel that is common for local
device's preferred channel list and peer's list of supported channels
and use it for oper_channel.
- In case no common channel is found, use the peer's preference for
oper_channel as is.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a callback function that can be used from the P2P module to
request the current preferred list of operating channels from the
driver.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add an extra condition to omit operating channel preference when
building GO Negotiation Response. If the local device supports the
preferred frequency list extension, then when sending a GO Negotiation
Response frame, advertise the preferred operating channel unless local
device is assuming the P2P Client role and has an empty preferred
frequency list, in which case local device can omit its preference for
the operating channel.
This change helps make use of the preferred frequency list and the
calculated best channel for both negotiating parties of the P2P
connection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When sending a GO Negotiation Request, advertise the preferred frequency
list in a new vendor specific IE. This can be used to extend the
standard P2P behavior where a single preferred channel can be advertised
by allowing a priority list of channels to be indicated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the driver supports the preferred frequency list extension, use this
information from the driver when no explicitly configured preference
list (p2p_pref_chan) is present for P2P operating channel selection.
This commit adds this for GO Negotiation and Invitation use cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds parsing of QCA vendor specific elements and as the first such
element to be parsed, stores pointers to the preferred frequency list
element that can be used to enhance P2P channel negotiation behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new enum qca_vendor_element_id registry is used to manage
assignments of vendor specific elements using the QCA OUI 00:13:74. The
initial assignment is for the purpose for extending P2P functionality
for cases where the wpa_supplicant implementation is used by both ends
of an exchange.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 983422088f ('nl80211: Add means to
query preferred channels') return success if no driver wrapper callback
was provided for fetching the preferred channel list. That is
problematic since the *num argument is not updated and uninitialized
freq_list could end up getting used with arbitrary frequency values. Fix
this by returning error in case the values were not available due to
driver wrapper not implementing the function. This matches the style
used in the driver_nl80211.c implementation for the case where the
driver does not support such fetch operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend the QCA vendor specific nl80211 interface to query the preferred
frequency list from driver and add a new wpa_cli command to query this
information.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Upon GO Negotiation completion, if the remote peer becomes GO, send a
hint event over QCA vendor specific interface to inform the driver of
the likely operating channel of the P2P GO.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend the nl80211 interface command "driver status" to retrieve the
concurrency capabilities from the driver using the QCA vendor
extensions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When ACS is offloaded to device driver and the hw_mode parameter is set
to any, the current_mode structure is NULL which fails the ACS command.
Fix this by populating the ACS channel list with channels from all bands
when current_mode is NULL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add vendor command to pass SET setband command to the driver and read
the updated channel list from driver when this notification succeeds.
This allows the driver to update its internal channel lists based on
setband configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The issue with the special form of TLS session tickets has been fixed in
the OpenSSL 1.1.0 branch, so disable workaround for it. OpenSSL 1.0.1
and 1.0.2 workaround is still in place until a release with the fix has
been made.
This allows TLSv1.1 and TLSv1.2 to be negotiated for EAP-FAST with the
OpenSSL versions that support this.
Signed-off-by: Jouni Malinen <j@w1.fi>