Commit log (columns: commit message, author, age, files, lines)

* wpa_supplicant: Don't return an error when successfully parsing WMM rules (HEAD, pending, master)
  Author: Sujay Patwardhan | Age: 3 days | Files: 1 | Lines: -0/+1
  The config file parser previously would fall through into an error if CONFIG_AP is defined and it hit a wmm_ac_* rule with a valid value. Add a return to prevent incorrectly printing an error message and returning a non-zero exit code.
  Signed-off-by: Sujay Patwardhan <sujay@eero.com>

* P2P: Use latest BSS entry if multiple P2P Device Addr matches found
  Author: Hu Wang | Age: 3 days | Files: 1 | Lines: -6/+13
  If an AP (P2P GO) has changed its operating channel or SSID recently, the BSS table may have multiple entries for the same BSSID. Commit 702621e6dd35 ('WPS: Use latest updated BSS entry if multiple BSSID matches found') fetches the latest updated BSS entry based on BSSID. Do the same when fetching an entry based on the P2P Device Address.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* wpa_supplicant: Add support for 60 GHz band channels 5 and 6
  Author: Alexei Avshalom Lazar | Age: 3 days | Files: 3 | Lines: -12/+12
  The previous support in the 60 GHz band was for channels 1-4. Add support for channels 5 and 6.
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>

* Remove IAPP functionality from hostapd
  Author: Jouni Malinen | Age: 5 days | Files: 16 | Lines: -633/+1
  IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been maintained, nor is there any expectation of the withdrawn trial-use recommended practice being maintained in the future. Furthermore, the implementation of IAPP in hostapd was not complete, i.e., only parts of the recommended practice were included. The main item of some real use a long time ago was the Layer 2 Update frame to update bridges when a STA roams within an ESS, but that functionality has, in practice, been moved to kernel drivers to provide better integration with the networking stack.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Remove IAPP test case
  Author: Jouni Malinen | Age: 5 days | Files: 1 | Lines: -41/+0
  This is in preparation for removal of the full IAPP functionality from hostapd.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* AP: Silently ignore management frame from unexpected source address
  Author: Jouni Malinen | Age: 5 days | Files: 2 | Lines: -0/+25
  Do not process any received Management frames with unexpected/invalid SA so that we do not add any state for unexpected STA addresses or end up sending out frames to an unexpected destination. This prevents unexpected sequences where an unprotected frame might end up causing the AP to send out a response to another device and that other device processing the unexpected response. In particular, this prevents some potential denial of service cases where the unexpected response frame from the AP might result in a connected station dropping its association.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* HE: Send the AP's OBSS PD settings to the kernel
  Author: John Crispin | Age: 6 days | Files: 3 | Lines: -0/+39
  This allows us to send the OBSS PD settings to the kernel, such that the driver can propagate them to the hardware/firmware.
  Signed-off-by: John Crispin <john@phrozen.org>

* Sync with mac80211-next.git include/uapi/linux/nl80211.h
  Author: Jouni Malinen | Age: 6 days | Files: 1 | Lines: -3/+88
  This brings in nl80211 definitions as of 2019-08-30.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: WPS MAC address change
  Author: Mikael Kanstrup | Age: 7 days | Files: 1 | Lines: -0/+54
  Verify that the MAC address of the WPS M1 message uses the correct address after an address change.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>

* WPS: Update MAC address on address changes
  Author: Mikael Kanstrup | Age: 7 days | Files: 3 | Lines: -0/+16
  The WPS component keeps a copy of the network interface MAC address. When the MAC address was changed, the WPS copy was not updated, so the WPS M1 message contained the old address. Some devices check this field and fail connection attempts. Update the WPS MAC address on interface MAC address changes.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>

* os_sleep: Use nanosleep for POSIX versions 2008 and higher
  Author: Rosen Penev | Age: 7 days | Files: 2 | Lines: -0/+12
  uClibc-ng optionally disabled deprecated POSIX functions like usleep, causing compilation failures. This switches to nanosleep while retaining support for older libcs that do not support nanosleep.
  Signed-off-by: Rosen Penev <rosenp@gmail.com>

* wpa_cli: Do not pick p2p-dev-* interfaces by default
  Author: Jouni Malinen | Age: 7 days | Files: 1 | Lines: -1/+4
  These are the driver-specific interface for the non-netdev P2P Device interface and not something that is useful for most use cases. Skip them to allow the main netdev (e.g., wlan0 over p2p-dev-wlan0) to be selected.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: wpa_supplicant DPP-only build tests
  Author: Jouni Malinen | Age: 8 days | Files: 2 | Lines: -0/+7
  Signed-off-by: Jouni Malinen <j@w1.fi>

* SAE: Return result from confirm CN() operation to the caller
  Author: Jouni Malinen | Age: 8 days | Files: 1 | Lines: -50/+56
  These functions could fail in theory, so report the result to the caller.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* FILS: Update connect params after sending connection notification
  Author: Ankita Bajaj | Age: 8 days | Files: 1 | Lines: -1/+8
  Update connect params will update auth_alg and fils_hlp_req in the wpa_supplicant structure before calling function wpas_notify_state_changed(). This could have resulted in triggering inconsistent state change events and messages in the Android framework.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* Correct the type/usage of QCA_ATTR_ROAM_CONTROL_SCAN_FREQ_LIST
  Author: Srinivas Dasari | Age: 8 days | Files: 1 | Lines: -1/+1
  Update the documentation of QCA_ATTR_ROAM_CONTROL_SCAN_FREQ_LIST to make it a nested attribute to carry frequencies of type u32. This is to be in sync with the nl80211 attribute NL80211_ATTR_SCAN_FREQUENCIES.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* DPP: Fix hostapd build dependencies for DPP-only build
  Author: Jouni Malinen | Age: 8 days | Files: 2 | Lines: -0/+2
  Fix CONFIG_DPP=y build for cases where the needed dependencies were not pulled in by other optional build parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* DPP2: Fix wpa_supplicant build dependencies for CONFIG_AP=y build
  Author: Jouni Malinen | Age: 8 days | Files: 2 | Lines: -0/+8
  Fix CONFIG_DPP2=y with CONFIG_AP=y build for cases where the needed dependencies were not pulled in by other optional build parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* DPP: Fix wpa_supplicant build dependencies for DPP-only build
  Author: Jouni Malinen | Age: 8 days | Files: 2 | Lines: -8/+4
  Fix CONFIG_DPP=y build for cases where the needed dependencies were not pulled in by other optional build parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Remove CONFIG_IEEE80211W build parameter
  Author: Jouni Malinen | Age: 8 days | Files: 76 | Lines: -537/+11
  Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* DFS offload: Fix hostapd state and CAC info in STATUS output
  Author: Hu Wang | Age: 14 days | Files: 1 | Lines: -1/+8
  With DFS offloaded to the driver, hostapd state and CAC info were not updated in the DFS-CAC-START event, so STATUS output showed wrong info. Fix this by updating the CAC related state when processing the driver event.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* EAP-TEAP peer: Clear Phase 2 EAP method on new Identity exchange
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 1 | Lines: -9/+19
  This is needed to allow a clean transition from one inner EAP authentication method to another one if EAP method negotiation is needed within Phase 2.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: EAP-TEAP with inner EAP-MSCHAPv2 user and EAP-TLS machine credentials
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 2 | Lines: -1/+20
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP-TEAP peer: Add support for machine credentials using certificates
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 11 | Lines: -18/+113
  This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is an explicit request for machine credentials. The network profile parameters are otherwise the same as the Phase 1 parameters, but each one uses a "machine_" prefix for the parameter name.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Do not try to include net/ethernet.h in MinGW/Windows builds
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 1 | Lines: -0/+2
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Fix Windows error code definition workaround
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 1 | Lines: -0/+6
  ENOTCONN, EOPNOTSUPP, and ECANCELED are defined in a newer version of MinGW, so make this workaround conditional on what is defined in the header files.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP peer config: Move ocsp param to phase1/phase2
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 6 | Lines: -18/+21
  OCSP configuration is applicable to each instance of TLS-based authentication and as such, the configuration might need to be different for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and add a separate ocsp2 network profile parameter to set this for Phase 2.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Too many EAP roundtrips (server)
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 1 | Lines: -0/+27
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP server: Configurable maximum number of authentication message rounds
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 8 | Lines: -11/+29
  Allow the previously hardcoded maximum numbers of EAP message rounds to be configured in the hostapd EAP server. This can be used, e.g., to increase the default limits if very large X.509 certificates are used for EAP authentication.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP peer: Move certificate configuration params into shared struct
  Author: Jouni Malinen | Age: 2019-09-01 | Files: 10 | Lines: -423/+245
  These parameters for certificate authentication are identical for Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel). Furthermore, yet another copy would be needed to support a separate machine credential in Phase 2. Clean this up by moving the shared parameters into a separate data struct that can then be used for each need without having to define separate struct members for each use.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* mesh: Do not enable HE on 5 GHz without VHT
  Author: Sven Eckelmann | Age: 2019-08-30 | Files: 1 | Lines: -2/+10
  The commit ad9a1bfe788e ("nl80211: Share VHT channel configuration for HE") always enforced that VHT is enabled when HE was enabled. This broke the mesh functionality on 2.4 GHz with HE because ibss_mesh_setup_freq() isn't setting up the VHT parameters for 2.4 GHz. This problem was resolved for 2.4 GHz by commit df4f959988b6 ("nl80211: Don't force VHT channel definition with HE"), but it is still possible to disable VHT during the mesh/IBSS freq setup on 5 GHz, which would result in the same problem as seen on 2.4 GHz. The code enabling HE for IBSS/mesh must now make sure that it doesn't enable HE when VHT could be enforced by the nl80211 driver code but disabled by the user.
  Fixes: 3459c54ac78b ("mesh: Add support for HE mode")
  Signed-off-by: Sven Eckelmann <seckelmann@datto.com>

* HE: Fix HE Capabilities element size
  Author: John Crispin | Age: 2019-08-30 | Files: 2 | Lines: -2/+38
  Set the max value of optional bytes inside the data structure. This requires us to calculate the actually used size when copying the HE capabilities and generating the IE.
  Signed-off-by: John Crispin <john@phrozen.org>
  Signed-off-by: Sven Eckelmann <seckelmann@datto.com>

* Add nl80211 vendor ACS trigger reasons related to interference
  Author: Krishna Rao | Age: 2019-08-30 | Files: 1 | Lines: -0/+38
  Add the following ACS trigger reasons to enum qca_wlan_vendor_acs_select_reason:
  1) QCA_WLAN_VENDOR_ACS_SELECT_REASON_GENERIC_INTERFERENCE: Generic, uncategorized interference found
  2) QCA_WLAN_VENDOR_ACS_SELECT_REASON_80211_INTERFERENCE: Excessive 802.11 interference found
  3) QCA_WLAN_VENDOR_ACS_SELECT_REASON_CW_INTERFERENCE: Continuous Wave (CW) interference found
  4) QCA_WLAN_VENDOR_ACS_SELECT_REASON_MWO_INTERFERENCE: Microwave Oven (MWO) interference found
  5) QCA_WLAN_VENDOR_ACS_SELECT_REASON_FHSS_INTERFERENCE: Frequency-Hopping Spread Spectrum (FHSS) interference found
  6) QCA_WLAN_VENDOR_ACS_SELECT_REASON_NON_80211_FHSS_INTERFERENCE: Non-802.11 Frequency-Hopping Spread Spectrum (FHSS) interference found
  7) QCA_WLAN_VENDOR_ACS_SELECT_REASON_WB_INTERFERENCE: Wideband (WB) interference found
  8) QCA_WLAN_VENDOR_ACS_SELECT_REASON_NON_80211_WB_INTERFERENCE: Non-802.11 Wideband (WB) interference found
  9) QCA_WLAN_VENDOR_ACS_SELECT_REASON_JAMMER_INTERFERENCE: Jammer interference found
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* HS 2.0: Do not add two copies of OSEN element into Beacon/Probe Resp
  Author: Jouni Malinen | Age: 2019-08-30 | Files: 1 | Lines: -6/+8
  The OSEN element was getting added both through the Authenticator IEs (before some non-vendor elements) and separately at the end of the frames with other vendor elements. Fix this by removing the separate addition of the OSEN element and by moving the Authenticator IE addition for OSEN to match the design used with WPA so that the vendor element gets added in the proper place in the sequence of IEs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: Hotspot 2.0 open OSU association
  Author: Jouni Malinen | Age: 2019-08-30 | Files: 1 | Lines: -0/+18
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* HS 2.0 AP: Do not mandate PMF for HS 2.0 Indication in open OSU network
  Author: Jouni Malinen | Age: 2019-08-30 | Files: 1 | Lines: -1/+2
  Even though the station is not supposed to include the Hotspot 2.0 Indication element in the Association Request frame when connecting to the open OSU BSS, some station devices seem to do so. With the strict PMF-required-with-Hotspot-2.0-R2 interpretation, such connection attempts were rejected. Relax this to only perform the PMF check if the local AP configuration has PMF enabled, i.e., for the production BSS.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: Make nfc_wps more robust by avoiding race conditions
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -0/+14
  The hostapd side operations and data connectivity test were executed without explicitly waiting for hostapd to report the connection as having been completed. This could result in trying to transmit data before EAPOL-Key msg 4/4 was processed, especially when using UML time-travel. Make this more robust by waiting for hostapd to be ready before the data test.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Fix ap_ft_reassoc_replay for case where wlantest has the PSK
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -1/+2
  This test case was failing if wlantest was able to decrypt the CCMP protected frames. Fix the tshark filter string to include only the actually encrypted frames for PN comparison.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* IEEE 802.1X authenticator: Coding style cleanup
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -138/+149
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Clean up IEEE 802.1X authentication debug messages for EAP code
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -19/+26
  Merge the separate debug print with the text name of the EAP code into the same debug line with the numerical value to clean up the debug log.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: EAP-TEAP with user and machine credentials
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -0/+98
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP-TEAP peer: Fix protected indication of inner EAP method failure
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -1/+2
  Need to leave EAP-TEAP methodState == MAY_CONT when marking decision = FAIL based on inner EAP method failure since this message will be followed by a protected failure indication.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP-TEAP server: Add support for requiring user and machine credentials
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 3 | Lines: -9/+49
  The new eap_teap_id=5 hostapd configuration parameter value can be used to configure the EAP-TEAP server to request and require user and machine credentials within the tunnel. This can be done either with Basic Password Authentication or with inner EAP authentication methods.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Remove unnecessary "config exists" debug prints from build.sh
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -4/+0
  This is the common case and these prints do not really help and just make the output from build.sh less clear.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Import helper functions directly from utils.py
  Author: Jouni Malinen | Age: 2019-08-24 | Files: 1 | Lines: -3/+3
  These were moved from test_sae.py to utils.py, so import them from the correct location instead of through test_sae.py, which imports them from utils.py.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* wlantest: Derive PMK-R1 and PTK for FT protocol cases
  Author: Jouni Malinen | Age: 2019-08-22 | Files: 5 | Lines: -10/+240
  Track PMK-R0/PMK-R0-Name from the initial mobility domain association and derive PMK-R1/PTK when the station uses the FT protocol. This allows frames from additional roaming cases to be decrypted.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: Configure wlantest for FT+PMF test cases
  Author: Jouni Malinen | Age: 2019-08-22 | Files: 1 | Lines: -0/+5
  It is useful to get the encrypted frames decrypted in the sniffer capture for these test cases.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

* tests: EAP-TEAP with machine username/password credential
  Author: Jouni Malinen | Age: 2019-08-20 | Files: 3 | Lines: -0/+25
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP-TEAP peer: Add support for machine authentication
  Author: Jouni Malinen | Age: 2019-08-20 | Files: 1 | Lines: -6/+24
  This allows a separate machine credential to be used for authentication if the server requests Identity-Type = 2 (machine).
  Signed-off-by: Jouni Malinen <j@w1.fi>

* EAP peer: Add a concept of a separate machine credential
  Author: Jouni Malinen | Age: 2019-08-20 | Files: 5 | Lines: -19/+242
  This is an initial step in adding support for configuring separate user and machine credentials. The new wpa_supplicant network profile parameters machine_identity and machine_password are similar to the existing identity and password, but explicitly assigned for the purpose of machine authentication. This commit alone does not change actual EAP peer method behavior as separate commits are needed to determine when there is an explicit request for machine authentication. Furthermore, this is only addressing the username/password credential type, i.e., additional changes following this design approach will be needed for certificate credentials.
  Signed-off-by: Jouni Malinen <j@w1.fi>
| | | | | | | | | | | | | | | | | This is an initial step in adding support for configuring separate user and machine credentials. The new wpa_supplicant network profile parameters machine_identity and machine_password are similar to the existing identity and password, but explicitly assigned for the purpose of machine authentication. This commit alone does not change actual EAP peer method behavior as separate commits are needed to determine when there is an explicit request for machine authentication. Furthermore, this is only addressing the username/password credential type, i.e., additional changes following this design approach will be needed for certificate credentials. Signed-off-by: Jouni Malinen <j@w1.fi>