path: root/src/eapol_supp/eapol_supp_sm.h
Commit message / Author / Age / Files / Lines
* EAPOL supp: Convert Boolean to C99 bool (Jouni Malinen, 2020-04-24, 1 file, -10/+10)
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround (Alexander Wetzel, 2020-02-23, 1 file, -0/+9)
  Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs.
  To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Pass full struct to peer certificate callbacks (Jouni Malinen, 2019-06-14, 1 file, -8/+5)
  This makes it easier to add new information to the callbacks without having to modify each callback function type in EAPOL and EAP code every time.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Propagate the EAP method error code (Ahmed ElArabawy, 2018-03-31, 1 file, -0/+7)
  In the current implementation, upon an EAP method failure, followed by an EAP failure, the EAP Status is propagated up in wpa_supplicant with a general failure parameter string "failure". This parameter is used for a notification on the dbus.
  This commit reports the EAP method failure error code in a separate callback. The solution in this commit is generic to all EAP methods, and can be used by any method that needs to pass its error code. However, this commit only implements the reporting for EAP-SIM and EAP-AKA methods where the Notification Code (in AT_NOTIFICATION) is used as the method specific error code value.
  Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
* eap_proxy: Support multiple SIMs in get_imsi() (Vidyullatha Kanchanapally, 2017-06-06, 1 file, -1/+2)
  This allows the eap_proxy mechanism to be used with multiple SIMs by following the configured sim_num to index which SIM to use when fetching the IMSI through eap_proxy.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* eap_proxy: Build realm from IMSI for proxy based EAP methods (Vidyullatha Kanchanapally, 2017-06-06, 1 file, -1/+1)
  For proxy based EAP methods, the EAP identity is constructed in eap_proxy layer from IMSI when required. Realm information from identity is used to do ERP eventually, hence construct the realm for proxy based methods from IMSI in core wpa_supplicant to enable the ERP use case.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* ERP: External control of ERP key information (Vidyullatha Kanchanapally, 2017-04-07, 1 file, -0/+20)
  This allows ERP keys to be managed by external entities, e.g., when offloading FILS shared key authentication to a driver.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* eap_proxy: Add support for SIM state change indication from eap_proxy (Purushottam Kushwaha, 2016-12-19, 1 file, -0/+8)
  This registers a new callback to indicate change in SIM state. This helps to do some clean up (more specifically pmksa_flush) based on the state change of the SIM. Without this, the reconnection using the cached PMKSA could happen even though the SIM is changed.
  Currently eap_proxy_sim_state corresponds to only SIM_STATE_ERROR. This can be further extended.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* ERP: Make eap_peer_finish() callable (Jouni Malinen, 2016-10-22, 1 file, -0/+6)
  This is needed for FILS to process EAP-Finish/Re-auth.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* ERP: Make eap_peer_erp_reauth_start() available (Jouni Malinen, 2016-10-22, 1 file, -0/+6)
  This needs to be callable through the EAPOL supplicant wrappers to allow FILS implementation to use ERP.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* eap_proxy: Callback to notify any updates from eap_proxy (Sunil Dutt, 2015-03-02, 1 file, -0/+8)
  This commit introduces a callback to notify any configuration updates from the eap_proxy layer. This is used to trigger re-reading of IMSI and MNC length.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Simplify eapol_sm_notify_pmkid_attempt() (Jouni Malinen, 2015-01-28, 1 file, -2/+4)
  Drop the unneeded 'attempt' argument. This was originally used for indicating an aborted PMKID caching attempt, but a fix in 2006 removed the only such user and since that time, only attempt == 1 has been used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add eap_session_id to wpa_supplicant STATUS output (Jouni Malinen, 2015-01-28, 1 file, -0/+5)
  This makes the current EAP Session-Id available for external programs.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add peer certificate alt subject name information to EAP events (Jouni Malinen, 2015-01-14, 1 file, -0/+3)
  A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used to provide information about server certificate chain alternative subject names for upper layers, e.g., to make it easier to configure constraints on the server certificate.
  For example:
  CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com
  Currently, this includes DNS, EMAIL, and URI components from the certificates.
  Similar information is provided to D-Bus Certification signal in the new altsubject argument which is a string array of these items.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* ERP: Add wpa_supplicant ERP_FLUSH ctrl_iface command (Jouni Malinen, 2014-12-04, 1 file, -0/+4)
  This can be used to flush all the ERP keys.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Extend startWhen to 2 if peer AP supports WPS 2.0 (Justin Shen, 2014-10-13, 1 file, -0/+2)
  Increase EAPOL startWhen to 2 for the case where the AP/GO has advertised it supports WPS 2.0. This is done to make it less likely for the EAPOL-Start frame to be sent out since that is only required for WPS 1.0. Not sending it can remove one unnecessary round trip from the EAP exchange when the AP is going to start with EAP-Request/Identity immediately based on the Association Request frame.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Allow OpenSSL cipherlist string to be configured (Jouni Malinen, 2014-10-12, 1 file, -0/+9)
  The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled for TLS-based EAP methods when OpenSSL is used as the TLS library. This parameter can be used both as a global parameter to set the default for all network blocks and as a network block parameter to override the default for each network profile.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Set EAPOL workarounds dynamically based on association (Jouni Malinen, 2014-09-08, 1 file, -0/+5)
  Previously, the shorter startWhen value was used based on build parameters (i.e., if WPS was enabled). This is not really ideal and the knowledge of WPS use can be provided to the EAPOL state machine to allow this (and similar WPS workarounds) to be done only when the association is for the purpose of WPS.
  Reduce the default startWhen value from 3 to 2 seconds for non-WPS case since WPS builds have likely received most testing for the past years with the 1 second value and there is no strong justification for forcing the longer 3 second wait should a frame be lost or something else require the EAPOL-Start to initiate operation after a connection.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add function to fetch EAP Session-Id from EAPOL supplicant (Hu Wang, 2014-05-09, 1 file, -0/+1)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Skip network disabling on expected EAP failure (Jouni Malinen, 2014-01-08, 1 file, -2/+9)
  Some EAP methods can go through a step that is expected to fail and as such, should not trigger temporary network disabling when processing EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as a special case, but similar behavior is needed for EAP-FAST with unauthenticated provisioning.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* eap_proxy: Confirm eap_proxy initialization before reading SIM info (Naresh Jayaram, 2013-10-23, 1 file, -0/+1)
  Trying to access the SIM card details without checking if the eap_proxy layer has been initialized can result in a crash. Address this by sending the request for the IMSI through eapol_supp_sm.c which can verify that eap_proxy has been initialized.
  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP peer: Add framework for external SIM/USIM processing (Jouni Malinen, 2013-10-20, 1 file, -0/+5)
  The new configuration parameter external_sim=<0/1> can now be used to configure wpa_supplicant to use external SIM/USIM processing (e.g., GSM authentication for EAP-SIM or UMTS authentication for EAP-AKA). The requests and responses for such operations are sent over the ctrl_iface CTRL-REQ-SIM and CTRL-RSP-SIM commands similarly to the existing password query mechanism.
  Changes to the EAP methods to use this new mechanism will be added in separate commits.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA: Store pseudonym identity in configuration (Jouni Malinen, 2012-09-02, 1 file, -0/+8)
  Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity so that this can be maintained between EAP sessions (e.g., after wpa_supplicant restart) even if fast re-authentication data was cleared.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Disable network block temporarily on authentication failures (Jouni Malinen, 2012-08-26, 1 file, -0/+5)
  If 4-way handshake fails due to likely PSK failure or if EAP authentication fails, disable the network block temporarily. Use longer duration if multiple consecutive failures are seen.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* EXT PW: Add support for password parameter from external storage (Jouni Malinen, 2012-08-03, 1 file, -1/+8)
  This allows the password parameter for EAP methods to be fetched from an external storage. The following example can be used for developer testing:

  ext_password_backend=test:pw1=password|pw2=testing

  network={
      key_mgmt=WPA-EAP
      eap=TTLS
      identity="user"
      password=ext:pw1
      ca_cert="ca.pem"
      phase2="auth=PAP"
  }

  Signed-hostap: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Report EAP connection progress to DBus (Paul Stewart, 2012-06-04, 1 file, -0/+9)
  Send an "EAP" signal via the new DBus interface under various conditions during EAP authentication:
  - During method selection (ACK and NAK)
  - During certificate verification
  - While sending and receiving TLS alert messages
  - EAP success and failure messages
  This provides DBus callers a number of new tools:
  - The ability to probe an AP for available EAP methods (given an identity).
  - The ability to identify why the remote certificate was not verified.
  - The ability to identify why the remote peer refused a TLS connection.
  Signed-hostap: Paul Stewart <pstew@chromium.org>
* Remove the GPL notification from files contributed by Jouni Malinen (Jouni Malinen, 2012-02-11, 1 file, -8/+2)
  Remove the GPL notification text from the files that were initially contributed by myself.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Use an enum for EAP SM requests (Dan Williams, 2011-10-30, 1 file, -2/+2)
  Control requests will be extended for non-EAP uses later, so it makes sense to have them be generic. Furthermore, having them defined as an enum is easier for processing internally, and more generic for control interfaces that may not use field names. The public ctrl_req_type / field_name conversion function will be used later by the D-Bus control interface too.
  Signed-off-by: Dan Williams <dcbw@redhat.com>
* eapol_test: Add option for writing server certificate chain to a file (Jouni Malinen, 2011-09-17, 1 file, -0/+5)
  eapol_test command line argument -o<file> can now be used to request the received server certificate chain to be written to the specified file. The certificates will be written in PEM format. [Bug 391]
* Add dbus signal for information about server certification (Michael Chang, 2011-07-05, 1 file, -0/+11)
  In general, this patch attempts to extend commit 00468b4650998144f794762206c695c962c54734 with dbus support. This can be used by dbus client to implement subject match text entry with preset value probed from server. This preset value, if user accepts it, is remembered and passed to subject_match config for any future authentication.
  Signed-off-by: Michael Chang <mchang@novell.com>
* wpa_supplicant: Add wpa_supplicant_get_eap_mode method (Paul Stewart, 2011-03-15, 1 file, -0/+4)
  Signed-off-by: Paul Stewart <pstew@google.com>
* eapol_supp: Request EAP method from EAP state machine (Paul Stewart, 2011-03-15, 1 file, -0/+1)
  Signed-off-by: Paul Stewart <pstew@google.com>
* Remove unnecessary defines (Jouni Malinen, 2009-12-05, 1 file, -2/+0)
  The following defines are not really needed in most places, so remove them to clean up source code and build scripts:
  EAP_TLS_FUNCS
  EAP_TLS_OPENSSL
  EAP_TLS_GNUTLS
  CONFIG_TLS_INTERNAL
* Remove src/common from default header file path (Jouni Malinen, 2009-11-29, 1 file, -1/+1)
  This makes it clearer which files are including headers from src/common. Some of these cases should probably be cleaned up in the future not to do that.
  In addition, src/common/nl80211_copy.h and wireless_copy.h were moved into src/drivers since they are only used by driver wrappers and do not need to live in src/common.
* Add new wpa_supplicant driver op for setting 802.1X port status (Jouni Malinen, 2009-04-22, 1 file, -0/+7)
  This can be used with drivers that implement PAE to control whether normal data frames (non-EAPOL) are allowed.
* WPS: Moved mac_addr and uuid configuration into wps_context (Jouni Malinen, 2008-11-28, 1 file, -13/+0)
  There is no need to complicate EAPOL and EAP interfaces with WPS specific parameters now that wps_context is passed through.
* WPS: Moved wps_context initialization into wps_supplicant.c (Jouni Malinen, 2008-11-28, 1 file, -8/+3)
  The wps_context data is now managed at wpa_supplicant, not EAP-WSC. This makes wpa_supplicant design for WPS match with hostapd one and also makes it easier to configure whatever parameters and callbacks are needed for WPS.
* WPS: Merged two cred_cb variables into the same one (Jouni Malinen, 2008-11-28, 1 file, -1/+1)
  Previously, wpa_supplicant as Enrollee case was handled using a different callback function pointer. However, now that the wps_context structure is allocated for all cases, the same variable can be used in all cases.
* WPS: Moved UUID configuration from phase1 into global config area (Jouni Malinen, 2008-11-26, 1 file, -0/+7)
* Added preliminary Wi-Fi Protected Setup (WPS) implementation (Jouni Malinen, 2008-11-23, 1 file, -0/+18)
  This adds WPS support for both hostapd and wpa_supplicant. Both programs can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN methods are supported. Currently, hostapd has more complete configuration options for WPS parameters and wpa_supplicant configuration style will likely change in the future. External Registrars are not yet supported in hostapd or wpa_supplicant. While wpa_supplicant has initial support for acting as a Registrar to configure an AP, this is still using a number of hardcoded parameters which will need to be made configurable for proper operation.
* Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release (Jouni Malinen, 2008-02-28, 1 file, -0/+335)