path: root/wpa_supplicant/dpp_supplicant.c
Commit message (Collapse)AuthorAgeFilesLines
* DPP: Remove unused wpas_dpp_remain_on_channel_cb()Jouni Malinen2018-12-021-23/+0
| | | | | | This function was apparently never used at all. Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Apply testing configuration option to signing of own configJouni Malinen2018-12-011-0/+1
| | | | | | | Previous implementation had missed this case of setting configurator parameters. Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Reject invalid no-psk/pass legacy configurator parametersJouni Malinen2018-11-301-13/+23
| | | | | | | | | | | Instead of going through the configuration exchange, reject invalid legacy configurator parameters explicitly. Previously, configuring legacy (psk/sae) parameters without psk/pass resulted in a config object that used a zero length passphrase. With this change, that config object is not sent and instead, either the initialization attempts is rejected or the incoming initialization attempt is ignored. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Fix GAS client error case handlingJouni Malinen2018-11-251-1/+2
| | | | | | | | | | | The GAS client processing of the response callback for DPP did not properly check for GAS query success. This could result in trying to check the Advertisement Protocol information in failure cases where that information is not available and that would have resulted in dereferencing a NULL pointer. Fix this by checking the GAS query result before processing with processing of the response. Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Set group id through DPP_AUTH_INIT or dpp_configurator_paramsPurushottam Kushwaha2018-08-301-0/+25
| | | | | | | | | This enhances DPP_AUTH_INIT, DPP_CONFIGURATOR_SIGN, and SET dpp_configurator_params to allow optional setting of the DPP groupId string for a Connector. If the value is not set, the previously wildcard value ("*") is used by default. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Support retrieving of configurator's private keyPurushottam Kushwaha2018-03-161-0/+13
| | | | | | | | | | | | | | | | | | To retain configurator information across hostapd/wpa_supplicant restart, private key need to be maintained to generate a valid pair of authentication keys (connector, netaccess_key, csign) for new enrollees in the network. Add a DPP_CONFIGURATOR_GET_KEY control interface API through which the private key of an existing configurator can be fetched. Command format: DPP_CONFIGURATOR_GET_KEY <configurator_id> The output from this command can then be used with "DPP_CONFIGURATOR_ADD key=<hexdump>" to create the same key again. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Extend dpp_test 89 functionality to transmit sideSrinivas Dasari2018-03-121-0/+11
| | | | | | | | | | | | This extends dpp_test functionality to allow DPP exchanges to be stopped after authentication is completed on the Initiator, i.e., after sending out the Authentication Confirm message. Previously, dpp_test=89 was used only on the Responder side to stop after receiving the Authentication Confirm message. The main use case for this extended functionality is to be able to stop the protocol exchange on a device that acts as authentication Initiator and Enrollee. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Use wildcard BSSID in GAS query framesJouni Malinen2018-02-101-1/+1
| | | | | | | | | | | Force use of the wildcard BSSID address in GAS query frames with DPP regardless of how the gas_address3 configuration parameter is set. DPP specification mandates this and the use of GAS here is really outside the context of a BSS, so using the wildcard BSSID makes sense even for the corner case of Configurator running on a known AP (where IEEE 802.11 standard would allow the BSSID of the AP to be used). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: PKEX initiation on other bandsJouni Malinen2018-02-071-6/+65
| | | | | | | | | | | Add support for wpa_supplicant to try to initiate PKEX on 5 GHz and 60 GHz bands in addition to the previously available 2.4 GHz case. If no response from a peer device is seen on the 2.4 GHz band (channel 6) for the five attempts, try the other PKEX channels (5 GHz channels 44 and 149; and 60 GHz channel 2) if they are supported and allowed for initiating radiation. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Require use of PMF for DPP AKMJouni Malinen2018-02-061-2/+2
| | | | | | | | | | | Previously, wpa_supplicant set PMF as optional for the DPP AKM since there was no clear statement about this requirement in the tech spec. Now that this requirement has been added, update the implementation to match. In addition, set ssid->ieee80211w using the actual enum mfp_options values instead of magic constants to make this a bit more readable. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Report reception of Config Request to upper layersJouni Malinen2018-01-111-0/+2
| | | | | | This is mainly for protocol testing purposes. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Change Authentication Response retry time to 1 secondJouni Malinen2017-12-021-1/+1
| | | | | | | | The previously used 10 second timer did not really make much sense since the Initiator is not going to be waiting for the response that long. Change this to 1 second based on the DPP tech spec change. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Extend dpp_test with invalid Transaction ID in Peer Disc ReqJouni Malinen2017-11-301-0/+6
| | | | | | | Allow a Transaction ID attribute with invalid length to be sent for protocol testing purposes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Call wpas_dpp_stop() from wpas_dpp_deinit()Jouni Malinen2017-11-291-3/+1
| | | | | | | | This makes the full DPP deinit operation more consistent with stopping of a single operation. In practice, this adds the new GAS client stopping functionality. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Stop pending GAS client operation on DPP_STOP_LISTENJouni Malinen2017-11-291-0/+5
| | | | | | | This makes the operation more complete in stopping all ongoing DPP related functionality. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Deinit PKEX instance on DPP_STOP_LISTENJouni Malinen2017-11-291-0/+2
| | | | | | | Previously this stopped only the DPP Authentication instance, but it is better to clear both PKEX and Authentication. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Do not process dpp_auth_ok_on_ack multiple timesJouni Malinen2017-11-271-0/+3
| | | | | | | | An additional TX status callback could result in processing the DPP authentication completion another time at least with hostapd. Fix this by clearing the dpp_auth_ok_on_ack when processing it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Ignore GAS server status callback for unknown responseJouni Malinen2017-11-271-0/+8
| | | | | | | | | It was possible for a timeout from an old GAS server operation to trigger DPP configuration failure during the subsequent DPP operation. Fix this by verifying that the status callback is for the response generated during the same DPP Authentication/Configuration exchange. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add DPP_CONFIGURATOR_SIGN support to hostapdJouni Malinen2017-11-271-1/+1
| | | | | | | | Configurator signing its own Connector was previously supported only in wpa_supplicant. This commit extends that to hostapd to allow an AP acting as a Configurator to self-configure itself. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Provide peer_mac to PKEX Initiator through function argumentJouni Malinen2017-11-231-2/+1
| | | | | | | Avoid unnecessary direct write to a struct dpp_pkex member from outside dpp.c. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove compiler warnings about signed/unsigned comparisonsJouni Malinen2017-11-231-1/+1
| | | | | | These timestamp comparisons did not use matching signedness. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Fix number of Authentication Request retry casesJouni Malinen2017-11-231-24/+63
| | | | | | | | | | Previous implementation did not handle number of sequences correctly. Make sure the iteration continues in both unicast and broadcast cases until the five attempts have been made. In addition, improve timing by checking 10 second time from the beginning of each iteration round and not the last channel on which the Auth Req frame has been transmitted. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Take response wait time into account for init retriesJouni Malinen2017-11-221-1/+11
| | | | | | | | | Previously, the Authentication Request frame was retried after 2+10 = 12 seconds since the wait for the response was not accounted for. Substract that wait from the 10 second wait time to start the retries more quickly based on the 10 second timer described in the tech spec. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Stop Authentication Request attempts if no response after ACKJouni Malinen2017-11-221-6/+25
| | | | | | | | | If unicast Authentication Request frame is used and the peer ACKs such a frame, but does not reply within the two second limit, there is no need to continue trying to retransmit the request frames since the peer was found, but not responsive. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add SAE credential support to ConfiguratorJouni Malinen2017-11-221-6/+20
| | | | | | | The new conf={sta,ap}-{sae,psk-sae} parameter values can now be used to specify that the legacy configuration object is for SAE. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add akm=sae and akm=psk+sae support in Enrollee roleJouni Malinen2017-11-221-1/+7
| | | | | | | | This allows DPP to be used for enrolling credentials for SAE networks in addition to the legacy PSK (WPA-PSK) case. In addition, enable FT-PSK and FT-SAE cases automatically. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Retry PKEX Exchange Request frame up to five timesJouni Malinen2017-11-221-12/+70
| | | | | | | | Retransmit the PKEX Exchange Request frame if no response from a peer is received. This makes the exchange more robust since this frame is sent to a broadcast address and has no link layer retries. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Protocol testing for invalid Peer Discovery Req/Resp valuesJouni Malinen2017-11-191-0/+16
| | | | | | | Extend dpp_test to allow more invalid attribute values to be written into Peer Discovery Request/Response frames. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Protocol testing for invalid Config Attrib Object valueJouni Malinen2017-11-191-0/+6
| | | | | | | Extend dpp_test to cover a case where Config Attrib Object value is invalid in Configuration Request frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Retransmit DPP Authentication Response frame if it is not ACKedJouni Malinen2017-11-131-0/+67
| | | | | | | | This extends wpa_supplicant DPP implementation to retransmit DPP Authentication Response frame every 10 seconds up to 5 times if the peer does not reply with DPP Authentication Confirm frame. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Stop authentication exchange of DPP_STOP_LISTENJouni Malinen2017-11-131-0/+7
| | | | | | | | | | Previously, this command stopped listen operation immediately, but if there was an ongoing authentication exchange, a new listen operation was started. This is not really expected behavior, so stop the authentication exchange first with this command to avoid restarting listen operation. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allowed initiator to indicate either roleJouni Malinen2017-11-131-4/+7
| | | | | | | | The new role=either parameter can now be used with DPP_AUTH_INIT to indicate that the initiator can take either the Configurator or Enrollee role. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Support multiple channels for initiating DPP AuthenticationJouni Malinen2017-11-131-42/+114
| | | | | | | | | | This extends wpa_supplicant to iterate over all available channels from the intersection of what the peer indicates and the local device supports when initiating DPP Authentication. In addition, retry DPP Authentication Request frame up to five times if no response is received. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Share a helper function for PKEX final stepsJouni Malinen2017-11-131-38/+32
| | | | | | | | Generate the PKEX bootstrapping information and release the PKEX session in a helper function that both the initiator and responder can use instead of maintaining this functionality separately in two places. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Protocol testing to allow missing attributes in peer discoveryJouni Malinen2017-11-061-0/+19
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: PKEX counter tJouni Malinen2017-11-031-0/+17
| | | | | | | | | Add limit on number of failed attempts that could have used PKEX code. If the limit (5) is reached, drop the PKEX state (including the code) and report this on the control interface to indicate that a new code needs to be entered due to possible attack. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Terminate PKEX exchange on detection of a mismatching codeJouni Malinen2017-11-031-0/+5
| | | | | | | | | | Clean up the pending PKEX exchange if Commit-Reveal Request processing indicates a mismatch in the PKEX code. Previously, the this case was silently ignored and the session was left in pending state that prevented new PKEX exchanges from getting initated. Now, a new attempt is allowed to be initiated. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: PKEX and STATUS_BAD_GROUPJouni Malinen2017-11-031-0/+13
| | | | | | | | Report mismatching finite cyclic group with PKEX Exchange Response using STATUS_BAD_GROUP and provide more detailed error report over the control interface on the peer device when this happens. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Report possible PKEX code mismatch in control interfaceJouni Malinen2017-11-021-2/+2
| | | | | | | | Indicate to upper layers if PKEX Commit-Reveal Request frame AES-SIV decryption fails. That is a likely sign of the PKEX code mismatch between the devices. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Enable PMF when adding wpa_supplicant network profileJouni Malinen2017-11-011-1/+3
| | | | | | | | | DPP AKM should really require PMF to be used, but since that is not yet explicitly required in the specification, make PMF enabled for now. For legacy PSK cases, configure PMF to be enabled as well to support both APs in no-PMF, optional-PMF, and required-PMF configuration. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Negotiation channel change request from InitiatorJouni Malinen2017-10-291-7/+49
| | | | | | | | | Allow the Initiator to request a different channel to be used for DPP Authentication and DPP Configuration exchanges. This commit adds support for this in wpa_supplicant with the optional neg_freq=<freq in MHz> parameter in DPP_AUTH_INIT. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add DPP Status attribute into Peer Discovery ResponseJouni Malinen2017-10-291-9/+38
| | | | | | | This was added in DPP tech spec v0.2.7 to allow result of network introduction to be reported. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Report invalid messages and failure conditions in control interfaceJouni Malinen2017-10-221-8/+8
| | | | | | | This is useful for protocol testing purposes and UI needs to display more detailed information about DPP exchanges. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Report transmitted messages as control interface eventsJouni Malinen2017-10-221-13/+47
| | | | | | | | This is helpful for testing purposes and also for upper layer components that may want to show more detailed progress through a DPP exchange. Both the DPP-TX and DPP-TX-STATUS events are provided. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Report received messages as control interface eventsJouni Malinen2017-10-221-1/+10
| | | | | | | This is helpful for testing purposes and also for upper layer components that may want to show more detailed progress through a DPP exchange. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove unnecessary Wrapped Data checks from callersJouni Malinen2017-10-221-18/+5
| | | | | | | | Now that dpp_check_attrs() takes care of verifying that no attributes are after the Wrapped Data attribute, the duplicated checks in hostapd and wpa_supplicant side of the implementation can be removed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Update AES-SIV AD for PKEX framesJouni Malinen2017-10-191-6/+9
| | | | | | | The protocol design was updated to protect the six octets in the header before the attributes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Update AES-SIV AD for DPP Authentication framesJouni Malinen2017-10-181-49/+25
| | | | | | | The protocol design was updated to protect the six octets in the header before the attributes. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add the crypto suite field to the framesJouni Malinen2017-10-091-6/+12
| | | | | | | This additional field was added to DPP Public Action frames in DPP tech spec v0.2.3 to support cryptographic agility in the future. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove C-sign-key expiryJouni Malinen2017-10-091-29/+3
| | | | | | This was removed in DPP tech spec v0.2.3. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>