Commit Graph

5937 Commits

Author SHA1 Message Date
Jouni Malinen
a86fb43ca3 DPP: DPP_BOOTSTRAP_INFO for hostapd
This extends the hostapd control interface to support the
DPP_BOOTSTRAP_INFO command that was recently added for wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-04 15:56:38 +03:00
Jouni Malinen
484788b875 DPP: Share bootstrap type to string helper function
This can be used in hostapd as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-04 15:45:03 +03:00
Jouni Malinen
8885023252 Add new key_mgmt values for wpa_supplicant STATUS command
Recently added OWE and DPP were missing from the key_mgmt string list.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 14:33:16 +03:00
Jouni Malinen
3a5954ef98 Add mgmt_group_cipher to wpa_supplicant STATUS command
This can be used to check which management group cipher is used in an
association that uses PMF.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 14:28:24 +03:00
Jouni Malinen
90f837b0bf Update default wpa_group_rekey to once-per-day when using CCMP/GCMP
The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:42:55 +03:00
Jouni Malinen
787615b381 DPP: Set PMKSA expiration based on peer connector
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:29:59 +03:00
Jouni Malinen
6b140f0fa2 DPP: Update hostapd configurator parameters to match wpa_supplicant
This updates the previously copied implementation to be up-to-date with
the more recent wpa_supplicant changes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:15:12 +03:00
Jouni Malinen
2605405aa4 DPP: Configurator in hostapd
This integrates DPP configuration request processing into hostapd GAS
server implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:03:35 +03:00
Jouni Malinen
efeada91a4 DPP: PKEX in hostapd
Allow hostapd to initiate and respond with PKEX bootstrapping similarly
to how this was implemented in wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:03:34 +03:00
Jouni Malinen
6095b47905 DPP: Check JWS protected header alg against C-sign-key curve
These need to be compatible for the JWS protected header signing to be
valid, so add an explicit check to confirm this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:03:34 +03:00
Jouni Malinen
31f03cb009 DPP: Update JWS algorithm strings for Brainpool curves
Instead of trying to share the existing definitions for NIST curves,
start using unique strings for Brainpool curves.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-02 21:13:15 +03:00
Jouni Malinen
e0d3d3fceb DPP: Rename Brainpool curve names for JSON
This removes the "R1" postfix from the names used in JSON.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-02 09:35:00 +03:00
Jouni Malinen
500ed7f006 DPP: PKEX bootstrapping
This implements genric PKEX functionality in src/common/dpp.c and glue
code to use this in wpa_supplicant (i.e, hostapd DPP implementation does
not yet support PKEX).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-02 09:35:00 +03:00
Jouni Malinen
b9d47b4848 DPP: Add helper functions for running hash operations
Use helper functions to cover all three different hash algorithm options
for DPP operations instead of having separate calls to each function at
every location a hash operation based on the curve is needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-02 09:35:00 +03:00
Jouni Malinen
43fbb8db5b DPP: More debug for own connector configuration errors
This makes it easier to notice a reason for failure in cases a connector
string has been truncated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-02 09:35:00 +03:00
Jouni Malinen
f1f4fa7972 DPP: Fix JWK debug prints
This function is used for parsing both the C-sign-key and netAccessKey,
so better not imply that all cases are C-sign-key in the debug prints.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-02 09:35:00 +03:00
Ashwini Patil
b04854ceff nl80211/MBO: Set temporary disallowed BSSID list to driver
Set temporary disallowed BSSID list to the driver so that the driver
doesn't try to connect to any of the blacklisted BSSIDs during
driver-based roaming operation. This commit includes support only for
the nl80211 driver interface using a QCA vendor command for this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-30 17:27:44 +03:00
Vidyullatha Kanchanapally
2a71673e27 ERP: Derive ERP key only after successful EAP authentication
ERP key was previously derived immediately after the availability of
EMSK and Session-Id and the ERP key hierarchy was saved even if the
authentication resulted in failure eventually. Instead, derive the ERP
key only after a successful EAP authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-23 19:37:14 +03:00
Sunil Dutt
528b655788 Add Set Wi-Fi Configuration vendor attribute to configure LRO
This can be used to dynamically enable/disable LRO.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-23 19:25:46 +03:00
Sunil Dutt
944f359e19 Introduce a vendor command to specify the active Type Of Service
This commit introduces QCA_NL80211_VENDOR_SUBCMD_ACTIVE_TOS to specify
the active Type Of Service on the specific interface. This can be used
to modify some of the low level scan parameters (off channel dwell time,
home channel time) in the driver/firmware.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-23 19:23:38 +03:00
Vidyullatha Kanchanapally
b6ea764252 nl80211: Make KCK attribute optional in rekey data
New AKM suites like FILS-SHA256 do not use KCK and hence KCK length can
be zero. Add changes to include KCK attribute in rekey data only if the
length is non-zero.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-23 18:58:24 +03:00
Jouni Malinen
186f204893 JSON: Fix \u escaping
Remove the extra 'x' character from the escaped string.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-22 15:09:57 +03:00
Jouni Malinen
8528994e21 DPP: Automatic network profile creation
wpa_supplicant can now be configured to generate a network profile
automatically based on DPP configuration. The following
dpp_config_processing values can be used to specify the behavior:
0 = report received configuration to an external program for
    processing; do not generate any network profile internally (default)
1 = report received configuration to an external program and generate
    a network profile internally, but do not automatically connect
    to the created (disabled) profile; the network profile id is
    reported to external programs
2 = report received configuration to an external program, generate
    a network profile internally, try to connect to the created
    profile automatically

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-21 18:03:34 +03:00
Jouni Malinen
a0d5c56f8b DPP: Network Introduction protocol for wpa_supplicant
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:59 +03:00
Jouni Malinen
4ff89c2ebd DPP: Network Introduction protocol for hostapd
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:59 +03:00
Jouni Malinen
650a70a72a DPP: Network Introduction protocol
This commit adds generic helper functions for going through Network
Introduction protocol.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:59 +03:00
Jouni Malinen
56c7549587 DPP: AP parameters for DPP AKM
Extend hostapd configuration to include parameters needed for the DPP
AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry,
dpp_csign, dpp_csign_expiry.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
0c52953b0f DPP: Allow PMKSA cache entries to be added through hostapd ctrl_iface
This allows external programs to generate and add PMKSA cache entries
into hostapd. The main use for this is to run external DPP processing
(network introduction) and testing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
567da5bbd0 DPP: Add new AKM
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
9c2b8204e6 DPP: Integration for hostapd
This adds DPP bootstrapping, authentication, and configuration into
hostapd similarly to how the design was integrated in wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
461d39af40 DPP: Configuration exchange
This adds support for DPP Configuration Protocol using GAS. Full
generation and processing of the configuration object is not included in
this commit.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:15 +03:00
Jouni Malinen
30d27b048e DPP: Authentication exchange
Add wpa_supplicant control interface commands for managing DPP
Authentication exchange.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:12:30 +03:00
Jouni Malinen
be27e185b7 DPP: Bootstrap information management
Add wpa_supplicant control interface commands for parsing the bootstrap
info URI from a QR Code (get peer public key) and to generate a new
bootstrap info with private key for local use. The optional
key=<hexdump> argument to the DPP_BOOTSTRAP_GEN command can be used to
specify the bootstrapping private key in OpenSSL ECPrivateKey DER
encoding format. This results in the local bootstrapping information
entry being created with the specified key instead of generating a new
random one.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 12:03:30 +03:00
Jouni Malinen
00b02149ed nl80211: Register to receive DPP Public Action frames
These are needed for DPP exchanges. In addition, register GAS frames for
DPP builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:54 +03:00
Jouni Malinen
4e19eb88a9 tests: Module tests for JSON parser
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:54 +03:00
Jouni Malinen
005be3daa9 Add JavaScript Object Notation (JSON) parser (RFC7159)
This is needed for DPP configuration attributes/objects.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:51 +03:00
Jouni Malinen
5b52e1adc2 tests: Update base64 OOM test cases to match implementation changes
Introduction of the new base64 helper function changed the backtraces
for these OOM test cases and resulted in test failures. Update the test
scripts to work with the new implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:32 +03:00
Jouni Malinen
0ffdc8b196 Add base64url encoding/decoding per RFC 4648
This adds functionality needed for parsing and generating JSON Web Key
data structures in DPP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:32 +03:00
Jouni Malinen
77f273c82c Extend SHA-384 and SHA-512 support to match SHA-256
The additional SHA-384 and SHA-512 functionality is needed to support
DPP with various ECC curves.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:12 +03:00
Vidyullatha Kanchanapally
b5db6e5dc4 eap_proxy: Support multiple SIMs in get_imsi()
This allows the eap_proxy mechanism to be used with multiple SIMs by
following the configured sim_num to index which SIM to use for when
fetching the IMSI through eap_proxy.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-06 03:42:32 +03:00
Vidyullatha Kanchanapally
0020876514 eap_proxy: Build realm from IMSI for proxy based EAP methods
For proxy based EAP methods, the EAP identity is constructed in
eap_proxy layer from IMSI when required. Realm information from identity
is used to do ERP eventually, hence construct the realm for proxy based
methods from IMSI in core wpa_supplicant to enable the ERP use case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-06 03:41:23 +03:00
Jouni Malinen
5e0c20ff3e nl80211: Do not notify interface as re-enabled if initialization fails
wpa_supplicant tries to reinitialize an interface when a previously
removed netdev is restored (e.g., re-insert a USB dongle). If that
initialization fails (e.g., driver ejects ifconfig UP), the previous
implementation resulted in leaving the interface in incomplete state
while still claiming to upper layers that the interface status has
changed back to functional one.

Fix this by skipping the interface status update if reinitialization
fails. In other words, remain in INTERFACE_DISABLED state if the
interface cannot be re-enabled successfully.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-06 03:07:43 +03:00
Vidyullatha Kanchanapally
8696e61702 eap_proxy: Add support for deriving ERP information
This commit adds support for deriving ERP key information in EAP Proxy
based EAP method implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-05 08:04:52 +03:00
Vidyullatha Kanchanapally
115d5e2221 hostapd: Fix handling a 20/40 BSS Coexistence Management frame
hostapd processes a received 20/40 BSS Coexistence management frame, but
if no separate callbacks are registered for handling Public Action
frames it eventually sends a reply with MSB of category code set to 1
thinking that the received frame is an invalid frame. This could happen
based on whether hostapd was built and enabled with functionality using
the callback functions.

Fix this by explicitly returning 1 from the function when the 20/40 BSS
Coexistence Management frame is processed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-05 08:04:44 +03:00
Sunil Dutt
2d18ab4082 Add a config parameter to exclude DFS channels from ACS
The new acs_exclude_dfs=1 parameter can be used to request hostapd to
exclude all DFS channels from ACS consideration. This is mainly of use
for cases where the driver supports DFS channels, but for some reason a
non-DFS channel is desired when using automatic channel selection.
Previously, the chanlist parameter could have been used for this, but
that required listing all the acceptable channels. The new parameter
allows this to be done without such a list.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-27 11:50:21 +03:00
Sunil Dutt
9ddba3a309 Rename vendor attribute DISABLE_OFFCHANNEL to RESTRICT_OFFCHANNEL
This commit renames the vendor attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_DISABLE_OFFCHANNEL to
QCA_WLAN_VENDOR_ATTR_CONFIG_RESTRICT_OFFCHANNEL as intended by the
original commit d506c35efc ('Set Wi-Fi
Configuration attribute to restrict offchannel operations').

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-26 13:18:06 +03:00
Sunil Dutt
d506c35efc Set Wi-Fi Configuration attribute to restrict offchannel operations
This commit defines an attribute to
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION -
QCA_WLAN_VENDOR_ATTR_CONFIG_RESTRICT_OFFCHANNEL which can be used to
restrict offchannel operations on the AP/GO interface.

The goal is to restrict any operations which would cause the AP/GO to
leave its operating channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-23 00:10:01 +03:00
Vidyullatha Kanchanapally
4aa329298d ERP: Do not generate ERP keys when domain name is not specified
This commit adds changes to not generate ERP information if the domain
name is not specified in the EAP identity. keyName-NAI needs the realm
part and as such, it is reasonable to require the main EAP configuration
to provide that realm.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-22 13:51:23 +03:00
Beniamino Galvani
290834df69 nl80211: Fix race condition in detecting MAC change
Commit 3e0272ca00 ('nl80211: Re-read MAC
address on RTM_NEWLINK') added the detection of external changes to MAC
address when the interface is brought up.

If the interface state is changed quickly enough, wpa_supplicant may
receive the netlink message for the !IFF_UP event when the interface
has already been brought up and would ignore the next netlink IFF_UP
message, missing the MAC change.

Fix this by also reloading the MAC address when a !IFF_UP event is
received with the interface up, because this implies that the
interface went down and up again, possibly changing the address.

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-05-13 20:01:44 +03:00
Vasanthakumar Thiagarajan
04f667fcdd DFS: Allow switch to DFS channel after radar detection in ETSI
This is to comply with uniform spreading requirement for ETSI domain
(section 4.7.2.7 in EN 301 893 - V1.8.1). ETSI uniform spreading
requires equal probability for the usable channels. The previous channel
selection logic after a radar detection did not fully comply with the
uniform spreading requirement for the domain by ignoring DFS channels.
Consider DFS channels also during channel selection when the current DFS
domain is ETSI.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-05-13 20:01:44 +03:00