path: root/src
Commit message | Author | Age | Files | Lines
* DPP2: Update the default port number for DPP-over-TCP | Jouni Malinen | 12 hours | 1 | -1/+1
  IANA assigned the TCP port 8908 for DPP, so update the implementation to match the formal assignment.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix couple more typos | Jouni Malinen | 36 hours | 1 | -1/+1
  Couple of similar cases that were not included in the previous commit.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Do not accept SAE-PK status code when no PK is configured | Jouni Malinen | 36 hours | 1 | -3/+5
  Make sae_status_success() more explicit by rejecting SAE-PK status code when the AP is not configured with PK.
  Fixes: 20ccf97b3dc1 ("SAE-PK: AP functionality")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Don't use potentially uninitialized keys | Andrei Otcheretianski | 36 hours | 1 | -9/+17
  If SAE_CONFIG_PK is not defined and sae->pk isn't zero (which is possible as it is controlled by the commit message status code), sae_derive_keys() may end up deriving PMK and KCK from an uninitialized array. Fix that.
  Fixes: 6b9e99e571ee ("SAE-PK: Extend SAE functionality for AP validation")
  Fixes: 20ccf97b3dc1 ("SAE-PK: AP functionality")
  Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* OpenSSL: Make openssl_debug_dump_certificate() more robust | Pooventhiran G | 38 hours | 1 | -0/+3
  SSL_CTX_get0_certificate() returns NULL if no certificate is installed. While this should not be the case here due to the loop in openssl_debug_dump_certificate_chains() proceeding only if the SSL_CTX_set_current_cert() returns success, it is safer to make openssl_debug_dump_certificate() explicitly check against NULL before trying to dump details about the certificate.
  Signed-off-by: Pooventhiran G <pooventh@codeaurora.org>
* build: lib.rules: Add common-clean | Johannes Berg | 5 days | 1 | -1/+1
  During the build reshuffling, I missed this, so doing 'make clean' in a certain src/lib folder doesn't clean up everything anymore. Fix that.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* eap_peer: Add .gitignore with *.so | Johannes Berg | 5 days | 1 | -0/+1
  If wpa_supplicant is built with dynamic EAP methods, the *.so files land here. Add them to .gitignore.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* P2P: Stop old listen radio work before go to WAIT_PEER_IDLE state | Hu Wang | 7 days | 1 | -0/+1
  P2P goes to Listen state while waiting for the peer to become ready for GO Negotiation. If old listen radio work has not been completed, P2P fails to go to listen state. This could happen in cases where P2P Action frame transmission reused ongoing p2p-listen radio work.
    p2p0: Add radio work 'p2p-listen'@0x
    P2P-FIND-STOPPED
    p2p0: Starting radio work 'p2p-listen'@0x after 0.010644 second wait
    P2P: Use ongoing radio work for Action frame TX
    P2P: Use ongoing radio work for Action frame TX
    P2P: State CONNECT -> CONNECT
    P2P: State CONNECT -> WAIT_PEER_IDLE
    P2P: State WAIT_PEER_IDLE -> WAIT_PEER_CONNECT
    P2P: Reject start_listen since p2p_listen_work already exists
    P2P: Failed to start listen mode
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add QCA interface for driver to report various connect fail reason codes | Vamsi Krishna | 7 days | 1 | -0/+39
  The connection process fails for several reasons and the status codes defined in IEEE Std 802.11 do not cover the locally generated reason codes. Add an attribute to QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO vendor sub command which can be used by the driver/firmware to report various additional reason codes for connection failures.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* build: Fix libeap_peer.a build | Jouni Malinen | 7 days | 2 | -7/+10
  The install target at the beginning of src/eap_peer/Makefile was confusing make about the build rules for libeap_peer.a and overriding of the install target between src/eap_peer/Makefile and src/lib.rules was breaking installation of dynamic EAP peer *.so files. Fix this by lib.rules defining a default for the install target so that src/*/Makefile can override that and by moving the install target for eap_peer to the end of the Makefile.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DFS: Use helper functions for VHT/HE parameters | Markus Theil | 7 days | 1 | -2/+5
  This is needed to cover the HE-specific conf->he_oper_chwidth value in addition to conf->vht_oper_chwidth.
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* hw_features: Better debug messages for some error cases | Markus Theil | 7 days | 1 | -7/+29
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* HE/VHT: Fix frequency setup with HE enabled | Markus Theil | 7 days | 1 | -4/+4
  Some places in the code base were not using the wrappers like hostapd_set_oper_centr_freq_seg0_idx and friends. This could lead to errors, for example when joining 80 MHz mesh networks. Fix this, by enforcing usage of these wrappers. wpa_supplicant_conf_ap_ht() now checks for HE capability before dealing with VHT in order for these wrappers to work, as they first check HE support in the config. While doing these changes, I've noticed that the extra channel setup code for mesh networks in wpa_supplicant/mesh.c should not be necessary anymore and dropped it. wpa_supplicant_conf_ap_ht() should handle this setup already.
  Acked-by: John Crispin <john@phrozen.org>
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* DPP2: Add privacyProtectionKey into Configurator backup/restore | Jouni Malinen | 8 days | 3 | -9/+84
  This allows the privacyProtectionKey to be transferred to a new Configurator similarly to the way c-sign-key is transferred.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Use ppKey to decrypt E'-id on Configurator | Jouni Malinen | 8 days | 3 | -11/+14
  Use the new privacy protection key to decrypt E'-id from Reconfig Announcement frames.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Use the new privacy protection key to protect E-id on Enrollee | Jouni Malinen | 8 days | 3 | -11/+27
  Use ppKey instead of C-sign-key to encrypt E-id to E'-id into Reconfig Announcement frame on the Enrollee side.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Copy received ppKey into wpa_supplicant network profile | Jouni Malinen | 8 days | 1 | -0/+1
  Store the received privacy protection key from Connector into wpa_supplicant network profile and indicate it through the control interface similarly to C-sign-key.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Parse ppKey from Connector | Jouni Malinen | 8 days | 2 | -3/+37
  This will be used to protect E-id in Reconfig Announcement frames.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Add ppKey into Connector | Jouni Malinen | 8 days | 1 | -0/+10
  This provides the new privacy protection key to the Enrollee so that this can be used to protect E-id in Reconfig Announcement frames.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Generate a privacy protection key for Configurator | Jouni Malinen | 8 days | 2 | -6/+25
  Generate a new key for Configurator. This is either generated automatically for the specified curve or provided from external source with the new ppkey=<val> argument similarly to the way c-sign-key was previously generated.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Make dpp_keygen_configurator() a static function | Jouni Malinen | 8 days | 2 | -4/+1
  This was not used anywhere outside dpp.c.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* build: Make more library things common | Johannes Berg | 9 days | 16 | -122/+22
  We don't really need to duplicate more of this, so just move the lib.rules include to the end and do more of the stuff that's common anyway there.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Make a common library build | Johannes Berg | 9 days | 16 | -60/+8
  Derive the library name from the directory name, and let each library Makefile only declare the objects that are needed. This reduces duplicate code for the ar call. While at it, also pretty-print that call.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Rebuild libs all the time | Johannes Berg | 9 days | 1 | -2/+6
  When files change that go into a static library such as libutils.a, then libutils.a doesn't get rebuilt from, e.g., wlantest because the top-level Makefile just calls the library make if the library doesn't exist yet. Change that by making the library depend on a phony target (cannot make it itself phony due to the pattern) so that the build will always recurse into the library build, and check there if the library needs to be rebuilt. While at it, remove the (actually unnecessary) mkdir so it doesn't get done each and every time you do 'make'.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Fix dependency file inclusion | Johannes Berg | 9 days | 1 | -1/+1
  The objs.mk include changes for archive files broke things completely and none of the dependency files (*.d) ever got included, as the expansion there ended up empty. Clearly, my mistake, I should've tested that better. As we don't need the %.a files in the list there use filter-out to remove them, rather than what I had lazily wanted to do, which was trying to read %.d files for them. The filter-out actually works, and avoids looking up files that can never exist in the first place.
  Fixes: 87098d3324e0 ("build: Put archive files into build/ folder too")
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* macsec_linux: Fix receive-lowest-PN setting | Ze Gan | 10 days | 1 | -0/+3
  Setting of the PN for the receive SA failed because the SCI wasn't provided. Fix this by adding the needed attribute to the command.
  Signed-off-by: Ze Gan <ganze718@gmail.com>
* gitignore: Clean up a bit | Johannes Berg | 10 days | 5 | -6/+0
  Now that we no longer leave build artifacts outside the build folder, we can clean up the gitignore a bit. Also move more things to per-folder files that we mostly had already anyway.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Put archive files into build/ folder too | Johannes Berg | 10 days | 17 | -33/+42
  This is something I hadn't previously done, but there are cases where it's needed, e.g., building 'wlantest' and then one of the tests/fuzzing/*/ projects, they use a different configuration (fuzzing vs. not fuzzing). Perhaps more importantly, this gets rid of the last thing that was dumped into the source directories, apart from the binaries themselves. Note that due to the use of thin archives, this required building with absolute paths.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Use the new build system for fuzz tests | Johannes Berg | 10 days | 1 | -0/+4
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* wolfSSL: Fix wrong types in tls_wolfssl.c | Juliusz Sosinowicz | 10 days | 1 | -20/+27
  wolfSSL_X509_get_ext_d2i() returns STACK_OF(GENERAL_NAME)* for ALT_NAMES_OID therefore wolfSSL_sk_value needs to expect a WOLFSSL_GENERAL_NAME*. In addition, explicitly check for NULL return from wolfSSL_sk_value().
  Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
* nl80211: Unbreak mode processing due to presence of S1G band | Thomas Pedersen | 11 days | 1 | -1/+4
  If kernel advertises a band with channels < 2.4 GHz hostapd/wpa_supplicant gets confused and assumes this is an IEEE 802.11b, corrupting the real IEEE 802.11b band info.
  Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
* build: Allow overriding BUILDDIR from command line | Johannes Berg | 11 days | 1 | -1/+2
  You can now specify BUILDDIR= on the make command line, e.g., in order to put that into a tmpfs or similar.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Add .config file to dependencies | Johannes Berg | 11 days | 1 | -2/+2
  If the .config file changes, basically everything needs to be rebuilt since we don't try to detect which symbols changed or such. Now that the .config file handling is in the common build system, make everything depend on it if there's one.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Put object files into build/ folder | Johannes Berg | 11 days | 17 | -38/+57
  Instead of building in the source tree, put most object files into the build/ folder at the root, and put each thing that's being built into a separate folder. This then allows us to build hostapd and wpa_supplicant (or other combinations) without "make clean" in between. For the tests keep the objects in place for now (and to do that, add the build rule) so that we don't have to rewrite all of that with $(call BUILDOBJS,...) which is just noise there.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Move config file handling into build.rules | Johannes Berg | 11 days | 1 | -1/+22
  This will make it easier to split out the handling in a proper way, and handle common cflags/dependencies.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Add a common-clean target | Johannes Berg | 11 days | 2 | -2/+10
  Clean up in a more common fashion as well, initially for ../src/. Also add $(Q) to the clean target in src/
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Use build.rules in lib.rules | Johannes Berg | 11 days | 16 | -86/+34
  Use the new build.rules in lib.rules and also unify the clean targets to lib.rules.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Disable built-in rules | Johannes Berg | 11 days | 1 | -0/+3
  This makes things faster and easier to debug.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Pull common fragments into a build.rules file | Johannes Berg | 11 days | 1 | -0/+43
  Some things are used by most of the binaries, pull them into a common rule fragment that we can use properly.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* AP: Reflect status code in SAE reflection attack test | Thomas Pedersen | 12 days | 1 | -0/+1
  When testing SAE reflection, the incoming commit may have the H2E status code (126) or SAE-PK (127), but the test code in the AP was always sending back status code 0. The STA would then reject the commit response due to expecting H2E/SAE-PK status code. Just reflect the incoming status code so the commit can be rejected based on the SAE contents regardless of which variant of SAE was used.
  Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
* BSD: don't log SIOCG80211 errors during interface setup | Roy Marples | 12 days | 1 | -1/+9
  Unless debugging. wpa_supplicant will log it failed to initialize the driver for the interface anyway so this just silences some noise for users.
  Signed-off-by: Roy Marples <roy@marples.name>
* Global parser functions to return 1 when property unchanged | Matthew Wang | 12 days | 1 | -0/+15
  Currently, wpa_config_set(), the function that sets wpa_supplicant per-network properties, returns 1 when a property it attempts to set is unchanged. Its global parallel, wpa_config_process_global(), doesn't do this even though much of the code is very similar. Change this, and several of the parser functions, to resemble the per-network parser and setter functions.
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* D-Bus: Allow changing an interface bridge via D-Bus | Beniamino Galvani | 12 days | 1 | -0/+5
  D-Bus clients can call CreateInterface() once and use the resulting Interface object to connect multiple times to different networks. However, if the network interface gets added to a bridge, clients currently have to remove the Interface object and create a new one. Improve this by supporting the change of the BridgeIfname property of an existing Interface object.
  Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
* OCV: Work around for misbehaving STAs that indicate OCVC=1 without OCI | Veerendranath Jakkam | 13 days | 5 | -15/+47
  Some legacy stations copy previously reserved RSN capability bits, including OCVC, in (Re)Association Request frames from the AP's RSNE but do not indicate MFP capability and/or do not send OCI in RSN handshakes. This is causing connection failures with such erroneous STAs. To improve interoperability with such legacy STAs allow a workaround OCV mode to be enabled to ignore OCVC=1 from the STA if it does not follow OCV requirements in the first protected exchange. This covers cases where a STA claims to have OCV capability, but it does not negotiate use of management frame protection or does not include OCI in EAPOL Key msg 2/4, FT Reassociation Request frame, or FILS (Re)Association Request. The previous behavior with ocv=1 is maintained, i.e., misbehaving STAs are not allowed to connect. When the new workaround mode is enabled with ocv=2, the AP considers STA as OCV capable on below criteria
  - STA indicates both OCV and MFP capability
  - STA sends OCI during connection attempt in a protected frame
  Enabling this workaround mode reduced OCV protection to some extent since it allows misbehavior to go through. As such, this should be enabled only if interoperability with misbehaving STAs is needed.
  Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* FT: Modify status code in FT Reassoc frame for invalid OCI channel info | Shaakir Mohamed | 14 days | 1 | -1/+1
  Modify status code in FT Reassociation Response frame from WLAN_STATUS_UNSPECIFIED_FAILURE to WLAN_STATUS_INVALID_FTE when replying to an invalid OCI channel info (subelement of FTE) in FT Reassociation Request frame.
  Signed-off-by: Shaakir Mohamed <smohamed@codeaurora.org>
* DPP2: Presence Announcement notification in AP | Andrew Beltrano | 14 days | 1 | -0/+3
  Generate a control interface event upon receipt of DPP Presence Announcement frames. This allows external programs to instrument hostapd with bootstrapping information on-demand.
  Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
* DPP2: Presence Announcement notification | Andrew Beltrano | 14 days | 3 | -0/+17
  Define a control event with bootstrap id, frame source, frequency, and chirp hash for receipt of Presence Announcement (chirp) frames.
  Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
* DPP2: Fix hostapd crash setting global configurator params on chirp RX | Andrew Beltrano | 14 days | 1 | -2/+2
  When a Presence Announcement frame is received, a check is done to ensure an ongoing auth is not in progress (!hapd->dpp_auth). A new DPP auth is then initialized, however, when setting global configurator params for it, the hapd->dpp_auth pointer is used which was earlier confirmed as NULL, causing a crash in dpp_set_configurator params when the pointer is dereferenced. This only occurs when there are global DPP configurator params to be set and the peer has no overriding configurator params. If no global DPP configurator params exist, the call to dpp_set_configurator exits early and the problem is not observed. Fix by using the newly init'ed DPP auth structure for setting global DPP configurator params.
  Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
* DPP2: Replace OneAsymmetricKey version number (v2 to v1) | Jouni Malinen | 2020-10-06 | 1 | -2/+2
  DPP tech spec was modified to use v1(0) instead of v2(1) for the OneAsymmetricKey in the Configurator backup structure to match the description in RFC 5958 Section 2 which indicates v2 to be used when any items tagged as version 2 are included. No such items are actually included in this case, so v1 should be used instead. Change OneAsymmetricKey generation to use v1(0) instead of v2(1) and parsing to accept either version to be used. This is not backwards compatible with the earlier implementation which requires v2(1) when parsing the received value.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Fix GAS fragmentation for DPP Config Response from hostapd | Disha Das | 2020-10-06 | 1 | -3/+7
  The Query Response Length field was missing from GAS Initial Response and GAS Comeback Response frames in the DPP specific code path from hostapd GAS server. This resulted in invalid frames being used when the DPP Config Response needed fragmentation. Fix this by adding the Query Response Length fields into these frames.
  Signed-off-by: Disha Das <dishad@codeaurora.org>