Ilan Peer [Mon, 27 Jul 2015 19:24:26 +0000 (22:24 +0300)]
P2P: Disallow GO CS immediately after GO Negotiation or invitation
A newly created GO might move to another channel before the client was
able to connect to it. This creates a situation where the client
searches the GO on the channel agreed upon during GO Negotiation or
invitation signaling, while the GO is on another channel. This in turn
might lead to delayed connection or connection failure and group
removal.
Fix this by disallowing a GO CS as long as there is some activity that
should delay the switch. If a GO move is not allowed, set a timeout to
re-attempt the move.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:25 +0000 (22:24 +0300)]
P2P: Consider channel optimizations for additional cases
Re-factor the code, so channel optimizations would be also triggered
upon the following changes: channel updates from the kernel,
disallow_freq interface, etc.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Arik Nemtsov [Mon, 27 Jul 2015 19:24:24 +0000 (22:24 +0300)]
Refactor channel list update event in wpa_supplicant
Update hardware features for all interfaces inside the loop, don't treat
the calling wpa_s instance specially. Perform the P2P channel list
updates after the hardware features are updated. This will prevent P2P
from relying on stale information.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:23 +0000 (22:24 +0300)]
P2P: Modify wpas_p2p_init_go_params()
Not all paths in wpas_p2p_init_go_params() verified that the candidate
frequency can be used for GO purposes. Fix this, and in addition
re-factor the code to put better emphasis on the frequency selection
priorities.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:22 +0000 (22:24 +0300)]
P2P: Remove GO handling in avoid frequency event
Remove the code that considers removing GOs from their current
channel due to frequency interference, as this is already handled
as part of the P2P channels update.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:21 +0000 (22:24 +0300)]
P2P: Move a GO to a frequency that is also supported by the client
A P2P GO interface that was instantiated after a GO Negotiation or
Invitation holds the intersection of frequencies between the GO and the
client. In case the GO is going to move to another frequency, allow it
to move only to a frequency that is also supported by the client.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:20 +0000 (22:24 +0300)]
P2P: Add a function to compute the group common freqs
Add a function to compute the group common frequencies, and
use it to update the group_common_frequencies as part of the
channel switch flows.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:19 +0000 (22:24 +0300)]
P2P: Move a GO from its operating frequency
Upon any change in the currently used channels evaluate if a GO should
move to a different operating frequency, where the possible scenarios:
1. The frequency that the GO is currently using is no longer valid,
due to regulatory reasons, and thus the GO must be moved to some
other frequency.
2. Due to Multi Concurrent Channel (MCC) policy considerations, it would
be preferable, based on configuration settings, to prefer Same
Channel Mode (SCM) over concurrent operation in multiple channels.
The supported policies:
- prefer SCM: prefer moving the GO to a frequency used by some other
interface.
- prefer SCM if Peer supports: prefer moving the GO to a frequency
used by some other station interface iff the other station
interface is using a frequency that is common between the local and
the peer device (based on the GO Negotiation/Invitation signaling).
- Stay on the current frequency.
Currently, the GO transition to another frequency is handled by a
complete tear down and re-setup of the GO. Still need to add CSA flow to
the considerations.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Mon, 27 Jul 2015 19:24:18 +0000 (22:24 +0300)]
Share freq-to-channel conversion function
Add ieee80211_freq_to_channel_ext() conversion function into
ieee802_11_common.c. This function converts freq to channel and
additionally computes operating class, based on provided HT and VHT
parameters.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Mon, 3 Aug 2015 15:52:10 +0000 (18:52 +0300)]
tests: Make dbus_p2p_group_termination_by_go more robust
Set peer_group_removed only if peer_group_added has already been set.
This fixes an issue where a propertiesChanged event triggered by an
earlier test case was able to get dbus_p2p_group_termination_by_go
terminated too early. This happened, e.g., with sequence
"dbus_p2p_two_groups dbus_p2p_group_termination_by_go".
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 15:35:35 +0000 (18:35 +0300)]
tests: Avoid exception in dbus_p2p_two_groups
Only run peerJoined() steps once to avoid trying to use GetAll() on an
already removed group and double-removal of a group. This did not make
the test case fail, but the exception is printed out in pretty confusing
way to stdout, so better get rid of it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:54:31 +0000 (17:54 +0300)]
tests: hostapd ctrl_iface LOG_LEVEL
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:53:52 +0000 (17:53 +0300)]
tests: Fix hostapd debug level
Remove the duplicated -ddKt command line argument to avoid setting
hostapd debug level to EXCESSIVE.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Srinivas Dasari [Sun, 2 Aug 2015 09:34:21 +0000 (15:04 +0530)]
hostapd: Add support to configure debug log level at runtime
Add support to read/configure log_level using hostapd control interface
LOG_LEVEL command similarly to what was already supported in
wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:44:55 +0000 (17:44 +0300)]
Move debug level string conversion functions to wpa_debug.c
This makes it possible to use these helper functions from hostapd as
well as the current use in wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:37:05 +0000 (17:37 +0300)]
FST: Mark fst_ies buffer const
This buffer is owned by the FST module, so mark it const in the
set_ies() callback to make it clearer which component is responsible for
modifying and freeing this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Anton Nayshtut [Mon, 27 Jul 2015 13:45:36 +0000 (16:45 +0300)]
FST: Fix MB IE clearing on detach
This fixes an issue where freed MB IEs buffer memory could potentially
have been accessed after an interface is detached from FST group.
Without this fix, if an interface is detached from FST group, it can use
MB IEs buffer previously set by fst_iface_set_ies(), although the buffer
was released by fst_iface_delete().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Daichi Ueura [Mon, 13 Jul 2015 15:31:22 +0000 (00:31 +0900)]
Android: Handle STATUS-NO_EVENTS command in wpa_cli
NO_EVENTS parameter was added to STATUS command by commit
a6ab82d7b409cd95c4e64452c2a672d4ce4c3c99 ('Android: Add NO_EVENTS
parameter to status command'). This patch adds handling of the new
parameter in wpa_cli so that "status no_events" can be used to specify
this parameter.
Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
Daichi Ueura [Mon, 13 Jul 2015 15:31:21 +0000 (00:31 +0900)]
Android: Make wpa_cli work on wifi.interface without extra params
Currently wpa_cli connects to global control interface if -i/-p
parameters are not specified. wpa_cli on global control interface
is not useful since the prefix like "IFNAME=wlan0 " needs to be
added to some commands like "IFNAME=wlan0 scan". And, specifying
-i/-p parameters every time is annoying. To improve efficiency of
debugging, this patch enables to make wpa_cli work without extra
parameters.
If you still want to connect to global control interface,
the following command can be used instead:
$ wpa_cli -g@android:wpa_wlan0 (or -gwlan0)
Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
Masashi Honma [Wed, 8 Jul 2015 13:41:36 +0000 (22:41 +0900)]
mesh: Fix mesh SAE auth on low spec devices
The mesh SAE auth often fails with master branch. By bisect I found
commit
eb5fee0bf50444419ac12d3c7f38f27a47523a47 ('SAE: Add side-channel
protection to PWE derivation with ECC') causes this issue. This does not
mean the commit has a bug. This is just a CPU resource issue.
After the commit, sae_derive_pwe_ecc() spends 101(msec) on my PC (Intel
Atom N270 1.6GHz). But dot11RSNASAERetransPeriod is 40(msec). So
auth_sae_retransmit_timer() is always called and it can causes
continuous frame exchanges. Before the commit, it was 23(msec).
On the IEEE 802.11 spec, the default value of dot11RSNASAERetransPeriod
is defined as 40(msec). But it looks short because generally mesh
functionality will be used on low spec devices. Indeed Raspberry Pi B+
(ARM ARM1176JZF-S 700MHz) requires 287(msec) for new
sae_derive_pwe_ecc().
So this patch makes the default to 1000(msec) and makes it configurable.
This issue does not occur on infrastructure SAE because the
dot11RSNASAERetransPeriod is not used on it.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Johannes Berg [Fri, 17 Jul 2015 20:24:58 +0000 (22:24 +0200)]
tests: Work around iw scan getting stuck
On recent kernels, it seems that something changed (scheduler?)
that makes hwsim send the scan done event so quickly that iw isn't
scheduled back in to listen for it, causing iw to get stuck.
Work around this by using the scan trigger command (it'll be quick
enough so that we don't really need to wait) and the scan trigger
and dump commands where the results are required (and use a small
sleep there instead of waiting for the scan results.)
I'll try to fix this separately in iw later.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Sun, 2 Aug 2015 17:48:56 +0000 (20:48 +0300)]
tests: P2P extended listen timing operations
This verifies P2P extended listen timing operations by confirming that a
peer is not discoverable during the provisioning step and that the peer
becomes discoverable after having removed the group during such
provisioning step. The latter case was broken until the 'P2P: Cancel
group formation when deleting a group during group formation' commit.
Signed-off-by: Jouni Malinen <j@w1.fi>
Michael Olbrich [Thu, 30 Jul 2015 10:14:24 +0000 (12:14 +0200)]
P2P: Cancel group formation when deleting a group during group formation
Otherwise P2P remains in provisioning state and continues to skip
extended listening forever.
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Purushottam Kushwaha [Fri, 31 Jul 2015 04:54:04 +0000 (04:54 +0000)]
P2P: Fix update of listen_reg_class and listen_channel
Allow proper update for listen_reg_class and listen_channel with
changed_parameters [CFG_CHANGED_P2P_LISTEN_CHANNEL] configuration for
command received through ctrl_interface. Without this, "set
p2p_listen_channel" and "set p2p_listen_reg_class" do not update the
listen channel. The D-Bus version was already setting these flags.
Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
Jouni Malinen [Sun, 2 Aug 2015 16:28:41 +0000 (19:28 +0300)]
tests: D-Bus PropertiesChanged events on P2P Peer.Groups
Verify that Groups list for a P2P Peer gets updated properly on group
addition and removal (three different paths).
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 16:25:41 +0000 (19:25 +0300)]
P2P: Do not clear wpa_s->go_dev_addr before group removal
This variable is needed to figure out whether a wpa_supplicant interface
is for a P2P group that is (or was) connected to a specific GO. The
previous implementation was able to find such a case only when there was
an association with the GO. However, this may be needed even if there is
a temporary disconnection from the GO. Keep the GO device address
information over such temporary disconnections and only remove it on
group termination. This fixes an issue with D-Bus Peer PropertiesChanged
signals for the Groups property in case a P2P group gets removed due to
group idle timeout instead of explicit group termination command (local
request) or GO notification.
Signed-off-by: Jouni Malinen <j@w1.fi>
Gautam [Fri, 31 Jul 2015 09:04:30 +0000 (14:34 +0530)]
P2P: Fix P2P configuration file name
The P2P configuration file is wrongly set as STA configuration file,
even though a separate configuration file is mentioned with '-m' option.
Add initialization and deallocation of global.params->conf_p2p_dev to
fix this.
Signed-off-by: Gautam <gautams@broadcom.com>
Jouni Malinen [Sun, 2 Aug 2015 14:11:47 +0000 (17:11 +0300)]
tests: Run Suite B test cases with OpenSSL 1.1.0
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 13:16:58 +0000 (16:16 +0300)]
tests: Skip ERP tests with EAP methods that are not supported
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 12:58:08 +0000 (15:58 +0300)]
tests: Skip LEAP tests if not included in the build
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 12:50:23 +0000 (15:50 +0300)]
tests: Skip IEEE 802.1X dynamic WEP tests in FIPS mode
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 20:37:07 +0000 (23:37 +0300)]
Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.
This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 19:54:07 +0000 (22:54 +0300)]
tests: Skip WPA(V1) test cases in FIPS mode
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 19:39:21 +0000 (22:39 +0300)]
OpenSSL: Fix FIPS mode enabling in dynamic interface case
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 18:37:24 +0000 (21:37 +0300)]
tests: Skip ap_wpa2_eap_psk_oom and ap_ft_oom in FIPS mode
omac1_aes_128() implementation within crypto_openssl.c is used in this
case and that cannot fail the memory allocation similarly to the
non-FIPS case and aes-omac1.c.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 18:22:43 +0000 (21:22 +0300)]
tests: Allow FIPS error case for openssl_cipher_suite_config_wpas
OpenSSL rejects the cipher string 'EXPORT' in FIPS mode in a way that
results in the locally generated error showing up before the EAP method
has been accepted.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 18:11:20 +0000 (21:11 +0300)]
tests: Skip EAP-pwd NTHash test in FIPS build
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 18:10:04 +0000 (21:10 +0300)]
tests: Skip EAP-IKEV2 tests if not included in the build
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 18:06:03 +0000 (21:06 +0300)]
OpenSSL: Remove md4_vector() from CONFIG_FIPS=y builds
MD4 is not allowed in such builds, so comment out md4_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD¤ operations at runtime. This makes it easier
to detect and fix accidental cases where MD4 could still be used in some
older protocols.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 18:03:30 +0000 (21:03 +0300)]
EAP-pwd peer: Comment out MS password hash if CONFIG_FIPS=y
The needed hash functions are not available in FIPS mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 18:03:04 +0000 (21:03 +0300)]
tests: Skip ms_funcs module tests in CONFIG_FIPS=y builds
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 15:56:06 +0000 (18:56 +0300)]
tests: Skip EAP-MD5 and EAP-MSCHAPV2 test cases in FIPS mode
These would require MD5 or MD4 which are not allowed in FIPS mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 15:48:49 +0000 (18:48 +0300)]
tests: Skip EAP-TTLS/CHAP, MSCHAP, MSCHAPV2 test cases in FIPS mode
In addition, replace some of the CHAP cases with PAP since that enables
more coverage without breaking the main test focus.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 15:43:12 +0000 (18:43 +0300)]
tests: Use openssl pkcs12 -descert workaround to allow FIPS mode
The PKCS12 file with default openssl options cannot be used with OpenSSL
1.0.1 in FIPS mode. Replace this with -descert version as a workaround.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 15:17:14 +0000 (18:17 +0300)]
Rename tls_connection_get_keys() to tls_connection_get_random()
Commit
94f1fe6f6384a2ef379ef5b8cdc32a2fa01f8d13 ('Remove master key
extraction from tls_connection_get_keys()') left only fetching of
server/client random, but did not rename the function and structure to
minimize code changes. The only name is quite confusing, so rename this
through the repository to match the new purpose.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 15:11:07 +0000 (18:11 +0300)]
Add 'GET_CAPABILITY fips' to enable runtime check for CONFIG_FIPS=y
This can be used to check whether the running wpa_supplicant version was
built with CONFIG_FIPS=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 15:09:41 +0000 (18:09 +0300)]
OpenSSL: Allow server/client random to be fetched in FIPS mode
tls_connection_get_keys() used to return TLS master secret, but that
part was removed in commit
94f1fe6f6384a2ef379ef5b8cdc32a2fa01f8d13
('Remove master key extraction from tls_connection_get_keys()'). Since
then, there is no real need for preventing this function from being used
in FIPS mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 14:40:25 +0000 (17:40 +0300)]
random: Fix random_get_bytes() with CONFIG_FIPS=y
The bytes pointer was not reset back to the beginning of the buffer when
mixing in additional entropy from the crypto module. This resulted in
writing beyond the return buffer and not getting the required mixing of
the extra entropy for the actual return buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 14:03:12 +0000 (17:03 +0300)]
P2P: Silence bogus compiler warnings
It looks like the compiler version used in Android 5.0 warns about
potentially uninitialized oper_freq variable in these debug messages.
That is not really valid since this code path can be reached only if
found != 0 and in such a case, oper_freq is set. Anyway, it seems better
to avoid compiler warnings, so add an unnecessary initialization for
oper_freq for now.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 13:53:55 +0000 (16:53 +0300)]
OpenSSL: Remove md5_vector() from CONFIG_FIPS=y builds
MD5 is not allowed in such builds, so comment out md5_vector() from the
build to force compile time failures for cases that cannot be supported
instead of failing the MD5 operations at runtime. This makes it easier
to detect and fix accidental cases where MD5 could still be used in some
older protocols.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 13:53:16 +0000 (16:53 +0300)]
EAP-TTLS: Disable CHAP, MSCHAP, and MSCHAPV2 in CONFIG_FIPS=y builds
FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 13:50:48 +0000 (16:50 +0300)]
EAP peer: Replace MD5 with SHA1 in duplicate message workaround
MD5 is not available in CONFIG_FIPS=y builds, so use SHA1 for the EAP
peer workaround that tries to detect more robustly whether a duplicate
message was sent.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 13:50:05 +0000 (16:50 +0300)]
tests: Skip MD5 module tests in CONFIG_FIPS=y builds
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 13:39:41 +0000 (16:39 +0300)]
tests: Set FIPSLD_CC=gcc (if not set) to make CONFIG_FIPS=y use easier
This makes it easier to build wpa_supplicant for OpenSSL FIPS mode
testing. wpa_supplicant/.config needs following type of configuration
for this:
CONFIG_FIPS=y
CFLAGS += -I/usr/local/ssl/include
LIBS += -L/usr/local/ssl/lib
CC=/usr/local/ssl/fips-2.0/bin/fipsld
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 13:31:45 +0000 (16:31 +0300)]
OpenSSL: Implement aes_wrap/aes_unwrap through EVP for CONFIG_FIPS=y
The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are
unfortunately not available in FIPS mode. Trying to use them results in
"aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API
call to cipher AES forbidden in FIPS mode!" and process termination.
Work around this by reverting commit
f19c907822ad0dec3480b1435b615ae22c5533a1 ('OpenSSL: Implement aes_wrap()
and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this
ends up using the internal AES key wrap/unwrap implementation through
the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y
is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues
to be used to minimize code size.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 12:52:35 +0000 (15:52 +0300)]
OpenSSL: Comment out openssl_get_keyblock_size() if CONFIG_FIPS=y
This function is not used in CONFIG_FIPS=y builds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 12:51:44 +0000 (15:51 +0300)]
tests: Comment out TLS PRF test from CONFIG_FIPS=y build
This fixes CONFIG_FIPS=y build that may not include tls_prf_sha1_md5().
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 12:49:34 +0000 (15:49 +0300)]
Comment out EAPOL-Key WEP support in CONFIG_FIPS=y build
This avoids a call to hmac_md5() to fix the build. The EAPOL-Key frame
TX code is not applicable for any FIPS mode operation, so the simplest
approach is to remove this from the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 12:45:18 +0000 (15:45 +0300)]
Make ieee802_1x_tx_key() static
This is used only within ieee802_1x.c.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 30 Jul 2015 13:03:12 +0000 (16:03 +0300)]
tests: Support non-social oper channel in persistent_group_per_sta_psk
This allows driver-based preference list to override default operating
channel selection mechanism by using a non-social P2P find if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 30 Jul 2015 12:57:05 +0000 (15:57 +0300)]
tests: Make wifi_display enforce social channel as operating channel
Previously, this was assumed to be the case due to default channel
selection behavior. However, that may not be the case with driver-based
preference list processing. Enforce a social channel to be used as the
operating channel here since dev[2] uses social channel only device
discovery and needs to find the GO.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 08:23:24 +0000 (01:23 -0700)]
P2P: Process preferred frequency list as part of GO Neg Req/Resp
When processing a GO Negotiation Request and Response, if local driver
supports the preferred channel list extension, then:
- Check if peer's preference for operating channel is already included
in our preferred channel list and if so, take the oper_channel as is.
- If peer's preference for operating channel is not in local device's
preferred channel list and peer device has provided its preferred
frequency list in the GO Negotiation Request/Response, then find a
channel that is common for both preferred channel lists and use it
for oper_channel.
- If peer's preference for operating channel is not in local device's
preferred channel list and peer device doesn't use preferred channel
list extension, i.e., no preferred channel list in GO Negotiation
Request/Response, then look for a channel that is common for local
device's preferred channel list and peer's list of supported channels
and use it for oper_channel.
- In case no common channel is found, use the peer's preference for
oper_channel as is.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 08:23:24 +0000 (01:23 -0700)]
P2P: Expose driver preferred frequency list fetch to P2P
This adds a callback function that can be used from the P2P module to
request the current preferred list of operating channels from the
driver.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 08:56:48 +0000 (01:56 -0700)]
P2P: Do not omit known operating channel preference from GO Neg Resp
Add an extra condition to omit operating channel preference when
building GO Negotiation Response. If the local device supports the
preferred frequency list extension, then when sending a GO Negotiation
Response frame, advertise the preferred operating channel unless local
device is assuming the P2P Client role and has an empty preferred
frequency list, in which case local device can omit its preference for
the operating channel.
This change helps make use of the preferred frequency list and the
calculated best channel for both negotiating parties of the P2P
connection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 00:39:45 +0000 (17:39 -0700)]
P2P: Parse preferred frequency list extension
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 00:39:45 +0000 (17:39 -0700)]
P2P: Add preferred frequency list extension to GO Neg Req
When sending a GO Negotiation Request, advertise the preferred frequency
list in a new vendor specific IE. This can be used to extend the
standard P2P behavior where a single preferred channel can be advertised
by allowing a priority list of channels to be indicated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 00:39:45 +0000 (17:39 -0700)]
P2P: Use preferred frequency list from the local driver
If the driver supports the preferred frequency list extension, use this
information from the driver when no explicitly configured preference
list (p2p_pref_chan) is present for P2P operating channel selection.
This commit adds this for GO Negotiation and Invitation use cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 00:39:45 +0000 (17:39 -0700)]
Add parsing of preferred frequency list element
This adds parsing of QCA vendor specific elements and as the first such
element to be parsed, stores pointers to the preferred frequency list
element that can be used to enhance P2P channel negotiation behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 17 Jun 2015 16:24:29 +0000 (19:24 +0300)]
Define new registry for QCA vendor specific elements
The new enum qca_vendor_element_id registry is used to manage
assignments of vendor specific elements using the QCA OUI 00:13:74. The
initial assignment is for the purpose for extending P2P functionality
for cases where the wpa_supplicant implementation is used by both ends
of an exchange.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 30 Jul 2015 19:10:46 +0000 (22:10 +0300)]
Return error from wpa_drv_get_pref_freq_list() if no driver support
Commit
983422088f0066068fd364013623d1e475031e6b ('nl80211: Add means to
query preferred channels') return success if no driver wrapper callback
was provided for fetching the preferred channel list. That is
problematic since the *num argument is not updated and uninitialized
freq_list could end up getting used with arbitrary frequency values. Fix
this by returning error in case the values were not available due to
driver wrapper not implementing the function. This matches the style
used in the driver_nl80211.c implementation for the case where the
driver does not support such fetch operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Thu, 23 Jul 2015 23:32:58 +0000 (16:32 -0700)]
nl80211: Add means to query preferred channels
Extend the QCA vendor specific nl80211 interface to query the preferred
frequency list from driver and add a new wpa_cli command to query this
information.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 00:07:55 +0000 (17:07 -0700)]
P2P: Inform driver of the operating channel following group formation
Upon GO Negotiation completion, if the remote peer becomes GO, send a
hint event over QCA vendor specific interface to inform the driver of
the likely operating channel of the P2P GO.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Fri, 24 Jul 2015 00:01:17 +0000 (17:01 -0700)]
nl80211: Add concurrency capabilities to driver status
Extend the nl80211 interface command "driver status" to retrieve the
concurrency capabilities from the driver using the QCA vendor
extensions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Peng Xu [Sat, 20 Jun 2015 00:19:27 +0000 (17:19 -0700)]
Fix generating offloaded ACS channel list when hw_mode is set to any
When ACS is offloaded to device driver and the hw_mode parameter is set
to any, the current_mode structure is NULL which fails the ACS command.
Fix this by populating the ACS channel list with channels from all bands
when current_mode is NULL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Srinivas Dasari [Mon, 27 Jul 2015 10:14:22 +0000 (15:44 +0530)]
QCA vendor command support to set band to driver
Add vendor command to pass SET setband command to the driver and read
the updated channel list from driver when this notification succeeds.
This allows the driver to update its internal channel lists based on
setband configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 28 Jul 2015 08:53:13 +0000 (11:53 +0300)]
OpenSSL: Remove EAP-FAST TLSv1.0 only workaround for OpenSSL 1.1.0
The issue with the special form of TLS session tickets has been fixed in
the OpenSSL 1.1.0 branch, so disable workaround for it. OpenSSL 1.0.1
and 1.0.2 workaround is still in place until a release with the fix has
been made.
This allows TLSv1.1 and TLSv1.2 to be negotiated for EAP-FAST with the
OpenSSL versions that support this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 28 Jul 2015 13:38:02 +0000 (16:38 +0300)]
tests: Allow local disconnect in openssl_cipher_suite_config_wpas
The openssl_ciphers="EXPORT" case may result in locally generated
disconnection event if the OpenSSL version used in the build rejects
export ciphers in default configuration (which is what OpenSSL 1.1.0
will likely do). Don't report a test case failure in such a case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 28 Jul 2015 13:32:27 +0000 (16:32 +0300)]
EAP-TLS/TTLS/PEAP/FAST peer: Stop connection more quickly on local failure
If there is only zero-length buffer of output data in error case, mark
that as an immediate failure instead of trying to report that
non-existing error report to the server. This allows faster connection
termination in cases where a non-recoverable error occurs in local TLS
processing, e.g., if none of the configured ciphers are available.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 28 Jul 2015 13:30:41 +0000 (16:30 +0300)]
EAP-TTLS/PEAP/FAST peer: Stop immediately on local TLS processing failure
EAP-TLS was already doing this, but the other TLS-based EAP methods did
not mark methodState DONE and decision FAIL on local TLS processing
errors (instead, they left the connection waiting for a longer timeout).
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 28 Jul 2015 08:57:05 +0000 (11:57 +0300)]
OpenSSL: Add CONFIG_TLS_ADD_DL=y build option for hostapd
This behaves similarly to the same option in wpa_supplicant, i.e., adds
-ldl when linking in libcrypto from OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 28 Jul 2015 08:51:55 +0000 (11:51 +0300)]
OpenSSL: Drop security level to 0 if needed for EAP-FAST
OpenSSL 1.1.0 disables the anonymous ciphers by default, so need to
enable these for the special case of anonymous EAP-FAST provisioning.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 28 Jul 2015 08:40:17 +0000 (11:40 +0300)]
OpenSSL: Add SHA256 support in openssl_tls_prf() for TLSv1.2
This is needed when enabling TLSv1.2 support for EAP-FAST since the
SSL_export_keying_material() call does not support the needed parameters
for TLS PRF and the external-to-OpenSSL PRF needs to be used instead.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 28 Jul 2015 07:48:05 +0000 (10:48 +0300)]
OpenSSL: Implement openssl_tls_prf() for OpenSSL 1.1.0
This needs to use the new accessor functions since the SSL session
details are not directly accessible anymore and there is now sufficient
helper functions to get to the needed information.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 27 Jul 2015 22:00:06 +0000 (01:00 +0300)]
OpenSSL: Implement SSL_set_session_secret_cb() callback for OpenSSL 1.1.0
This needs to use the new accessor functions for client/server random
since the previously used direct access won't be available anymore.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 27 Jul 2015 21:58:39 +0000 (00:58 +0300)]
OpenSSL: Implement tls_connection_get_keys() for OpenSSL 1.1.0
This needs to use the new accessor functions since the SSL session
details are not directly accessible anymore.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 27 Jul 2015 21:57:36 +0000 (00:57 +0300)]
OpenSSL: Include openssl/engine.h and openssl/dsa.h explicitly
This seems to be needed for OpenSSL 1.1.0.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 27 Jul 2015 21:54:08 +0000 (00:54 +0300)]
OpenSSL: Remove extra BIO_write() call on TLS client
openssl_handshake() was checking only that in_data is not NULL and not
its length when determining whether to call BIO_write(). Extend that to
check the buffer length as well. In practice, this removes an
unnecessary BIO_write() call at the beginning of a TLS handshake on the
client side. This did not cause issues with OpenSSL versions up to
1.0.2, but that call seems to fail with the current OpenSSL 1.1.0
degvelopment snapshot. There is no need for that zero-length BIO_write()
call, so remove it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 27 Jul 2015 10:54:03 +0000 (13:54 +0300)]
tests: Skip fst_attach_wpas_error if no FST support
This check for FST testing support was forgotten from one of the new FST
test cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:26 +0000 (16:21 +0300)]
tests: Add CPT parameters to p2ps_provision()
Add adv_cpt and seeker_cpt parameters to p2ps_provision() function.
The seeker_cpt is used in P2P_ASP_PROVISION command by a seeker, the
adv_cpt parameter is in P2P_ASP_PROVISION_RESP by an advertiser.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:25 +0000 (16:21 +0300)]
tests: Add CPT parameter to p2ps_advertise()
Add an optional parameter to p2ps_advertise() function allowing to
specify CPT priority values.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:24 +0000 (16:21 +0300)]
tests: Add CPT parameter to WpaSupplicant asp_provision()
Add an optional CPT parameter to asp_provision() method of
WpaSupplicant.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:23 +0000 (16:21 +0300)]
P2PS: Add feature capability to PD events
Report the feature capability on P2PS-PROV-START and P2PS-PROV-DONE
ctrl-iface events. A feature capability value is specified as
'feature_cap=<hex>' event parameter, where <val> is a hexadecimal
string of feature capability bytes in a PD Response frame.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:22 +0000 (16:21 +0300)]
P2PS: Add CPT handling on PD request and response
On PD Request/follow-on PD Request preparation set a feature capability
CPT value of PD context.
On PD Request processing use a request CPT and service advertisement
CPT priority list to select a feature capability CPT of PD Response.
On follow-on PD Request processing use a request CPT and a CPT priority
list in PD context to select a CPT value of follow on PD Response.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:21 +0000 (16:21 +0300)]
P2PS: Add CPT parameter to P2PS_PROVISION and P2PS_PROVISION_RESP
Add a parameter allowing to specify a value of Coordination
Protocol Transport to P2PS_PROVISION and P2PS_PROVISION_RESP commands.
Extend the p2ps_provision structure to contain cpt_priority and
cpt_mask properties and initialize them on a P2PS PD request command.
The format of the parameter:
cpt=<cpt>[:cpt]
where <cpt> is CPT name e.g. UDP or MAC. The CPT names are listed
according to their preferences to be used for a specific P2PS session.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:20 +0000 (16:21 +0300)]
P2PS: Add CPT parameter to P2P_SERVICE_ADD asp command
Add Coordination Transport Protocol parameter to P2P_SERVICE_ADD
asp command.
Extend p2ps_advertisement structure to contain CPT priorities
and a supported CPT bitmask.
The format of the new parameter:
cpt=<cpt>[:<cpt>]
where <cpt> is a name of the Coordination Protocol Transport.
This implementation supports two CPT names: UDP and MAC.
The order of specified CPTs defines their priorities where
the first one has the highest priority.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Max Stepanov [Thu, 2 Jul 2015 13:21:19 +0000 (16:21 +0300)]
utils: Add cstr_token() function
Add an auxiliary cstr_token() function to get a token from a const char
string. The function usage syntax is similar to str_token(), but unlike
str_token() the function doesn't modify the buffer of the string. Change
str_token() function implementation to use cstr_token().
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Mon, 13 Jul 2015 06:49:12 +0000 (09:49 +0300)]
tests: Add p2ps_connect_pd() method
Add p2ps_connect_pd() helper method which strictly validates the PD
results and establishes the connection between peers accordingly.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Mon, 13 Jul 2015 06:49:11 +0000 (09:49 +0300)]
tests: Add p2ps_provision() method
Add generic provision method. This method receives a seeker and an
advertiser devices, advertisement id, method, and a flag which indicates
whether deferred flow is expected. The method returns P2PS-PROV-DONE
events and the pin (if keypad or display method is used).
This method is needed to simplify the P2PS provision flows in the tests.
This method complies to the P2PS specification regarding the expected
order of the show and display PIN events.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Mon, 13 Jul 2015 06:49:10 +0000 (09:49 +0300)]
tests: Add asp_provision method to wpa_supplicant
Add asp_provision method which issues either P2PS PD Request or, if the
status is provided, continues the deferred flow by sending follow on
PD Request.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Jouni Malinen [Sun, 26 Jul 2015 15:23:37 +0000 (18:23 +0300)]
tests: Make discovery_auto more robust
This test case could fail if there were old BSS entries remaining in
cfg80211 scan results. That happened, e.g., when running test cases in
the following sequence: "discovery_social_plus_one discovery_auto".
Signed-off-by: Jouni Malinen <j@w1.fi>