path: root/wpa_supplicant/sme.c
Commit log (each entry: subject; author; date; files changed; lines -removed/+added)
* OCV: Perform an SA Query after a channel switch
  Author: Mathy Vanhoef   Date: 2018-12-17   Files: 1   Lines: -0/+21
  After the network changed to a new channel, perform an SA Query with the AP after a random delay if OCV was negotiated for the association. This is used to confirm that we are still operating on the real operating channel of the network. This commit is adding only the station side functionality for this, i.e., the AP behavior is not changed to disconnect stations with OCV that do not go through SA Query.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Include and verify OCI in SA Query frames
  Author: Mathy Vanhoef   Date: 2018-12-17   Files: 1   Lines: -7/+111
  Include an OCI element in SA Query Request and Response frames if OCV has been negotiated. On Linux, a kernel patch is needed to let clients correctly handle SA Query Requests that contain an OCI element. Without this patch, the kernel will reply to the SA Query Request itself, without verifying the included OCI. Additionally, the SA Query Response sent by the kernel will not include an OCI element.
  The correct operation of the AP does not require a kernel patch. Without the corresponding kernel patch, SA Query Requests sent by the client are still valid, meaning they do include an OCI element. Note that an AP does not require any kernel patches. In other words, SA Query frames sent and received by the AP are properly handled, even without a kernel patch. As a result, the kernel patch is only required to make the client properly process and respond to an SA Query Request from the AP. Without this patch, the client will send an SA Query Response without an OCI element, causing the AP to silently ignore the response and eventually disconnect the client from the network if OCV has been negotiated to be used.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* HS 2.0: As a STA, do not indicate release number greater than the AP
  Author: Jouni Malinen   Date: 2018-12-08   Files: 1   Lines: -1/+2
  Hotspot 2.0 tech spec mandates a mobile device to not indicate a release number that is greater than the release number advertised by the AP. Add this constraint to the HS 2.0 Indication element when adding this into (Re)Association Request frame. The element in the Probe Request frame continues to show the station's latest supported release number.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=y
  Author: Jouni Malinen   Date: 2018-12-03   Files: 1   Lines: -2/+0
  remove_ie() was defined within an ifdef CONFIG_FILS block while it is now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition there.
  Fixes: 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Try another group only on association rejection with status 77
  Author: Ashok Kumar   Date: 2018-12-02   Files: 1   Lines: -1/+5
  Do not change the OWE group if association is rejected for any other reason than WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED to avoid unnecessary latency in cases where the APs reject association, e.g., for load balancing reasons.
  Signed-off-by: Ashok Kumar <aponnaia@codeaurora.org>
* FT: Fix Reassociation Request IEs during FT protocol
  Author: Jouni Malinen   Date: 2018-12-01   Files: 1   Lines: -1/+79
  The previous implementation ended up replacing all pending IEs prepared for Association Request frame with the FT specific IEs (RSNE, MDE, FTE) when going through FT protocol reassociation with the wpa_supplicant SME. This resulted in dropping all other IEs that might have been prepared for the association (e.g., Extended Capabilities, RM Enabled Capabilities, Supported Operating Classes, vendor specific additions). Fix this by replacing only the known FT specific IEs with the appropriate values for FT protocol while maintaining other already prepared elements.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix indentation level
  Author: Jouni Malinen   Date: 2018-11-30   Files: 1   Lines: -1/+1
  This gets rid of smatch warnings about inconsistent indenting.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Fix external authentication on big endian platforms
  Author: Ashok Ponnaiah   Date: 2018-11-30   Files: 1   Lines: -9/+10
  Need to handle the little endian 16-bit fields properly when building and parsing Authentication frames.
  Fixes: 5ff39c1380d9 ("SAE: Support external authentication offload for driver-SME cases")
  Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
* external-auth: Check key_mgmt when selecting SSID
  Author: Cedric Izoard   Date: 2018-11-26   Files: 1   Lines: -1/+2
  When selecting the SSID to start the external authentication procedure, also check the key_mgmt field, as several network configurations may be defined for the same SSID/BSSID pair. The external authentication mechanism is only available for SAE.
  Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
* HS 2.0: Generate AssocReq OSEN IE based on AP advertisement
  Author: Jouni Malinen   Date: 2018-11-09   Files: 1   Lines: -0/+14
  Parse the OSEN IE from the AP to determine values used in the AssocReq instead of using hardcoded cipher suites. This is needed to be able to set the group cipher based on AP advertisement now that two possible options exist for this (GTK_NOT_USED in separate OSEN BSS; CCMP or GTK_NOT_USED in shared BSS case). Furthermore, this is a step towards allowing other ciphers than CCMP to be used with OSEN.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SME: Fix order of WPA IE in association request
  Author: Ilan Peer   Date: 2018-10-20   Files: 1   Lines: -0/+44
  In case that the protocol used for association is WPA, the WPA IE was inserted before other (non vendor specific) IEs. This is not in accordance with the standard, which states that vendor IEs should be placed after all the non vendor IEs are placed. In addition, this would cause the low layers to fail to properly order information elements. To fix this, if the protocol used is WPA, store the WPA IE and reinsert it after all the non vendor specific IEs have been placed.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* OCE: Add OCE capability attribute only when associating to an OCE AP
  Author: Beni Lev   Date: 2018-09-02   Files: 1   Lines: -2/+8
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* FILS: Fix FILS connect failures after ERP key invalidation
  Author: Ankita Bajaj   Date: 2018-08-24   Files: 1   Lines: -0/+22
  If the RADIUS authentication server dropped the cached ERP keys for any reason, FILS authentication attempts with ERP fail and the previous wpa_supplicant implementation ended up trying to use the same keys for all consecutive attempts as well. This did not allow recovery from state mismatch between the ERP server and peer using full EAP authentication.
  Address this by trying to use full (non-FILS) authentication when trying to connect to an AP using the same ERP realm with a FILS-enabled network profile if the previous authentication attempt had failed. This allows new ERP keys to be established and FILS authentication to be used again for the consecutive connections.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Add support for using the optional Password Identifier
  Author: Jouni Malinen   Date: 2018-05-19   Files: 1   Lines: -1/+15
  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Clear SME FT data on disassoc
  Author: Ahmad Masri   Date: 2018-05-04   Files: 1   Lines: -1/+1
  SME ft_used flag is sometimes not cleared on disassoc. For example, after initial FT connection, ft_used is set while ft_ies stays NULL. Later on, upon disassoc, sme_update_ft_ies() is not invoked and ft_used is not cleared. Fix this by invoking sme_update_ft_ies() also in case ft_used is set. This is needed to fix an issue with drivers that use nl80211 Connect API with FT and expect the NL80211_AUTHTYPE_OPEN specified in the Connect command for the initial mobility domain association.
  Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* HS 2.0: Add Roaming Consortium Selection element into AssocReq
  Author: Jouni Malinen   Date: 2018-04-17   Files: 1   Lines: -1/+2
  This makes wpa_supplicant add Hotspot 2.0 Roaming Consortium Selection element into (Re)Association Request frames if the network profile includes roaming_consortium_selection parameter.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Only allow SAE AKMP for PMKSA caching attempts
  Author: Jouni Malinen   Date: 2018-04-09   Files: 1   Lines: -4/+5
  Explicitly check the PMKSA cache entry to have matching SAE AKMP when determining whether to use PMKSA caching instead of new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so the AKMP should be checked as well.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Fix default PMK configuration for PMKSA caching case
  Author: Jouni Malinen   Date: 2018-04-09   Files: 1   Lines: -0/+1
  The RSN supplicant state machine PMK was set based on WPA PSK even for the cases where SAE would be used. If the AP allows PMKSA caching to be used with SAE, but does not indicate the selected PMKID explicitly in EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of SAE PMK. Fix this by not setting the WPA-PSK as default PMK for SAE network profiles and instead, configuring the PMK explicitly from the found PMKSA cache entry.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Support external authentication offload for driver-SME cases
  Author: Sunil Dutt   Date: 2018-02-02   Files: 1   Lines: -20/+227
  Extend the SME functionality to support external authentication. External authentication may be used by the drivers that do not define separate commands for authentication and association (~WPA_DRIVER_FLAGS_SME) but rely on wpa_supplicant's SME for the authentication.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Try all supported DH groups automatically on STA
  Author: Jouni Malinen   Date: 2017-12-27   Files: 1   Lines: -2/+12
  If a specific DH group for OWE is not set with the owe_group parameter, try all supported DH groups (currently 19, 20, 21) one by one if the AP keeps rejecting groups with the status code 77.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow last (Re)Association Request frame to be replayed for testing
  Author: Jouni Malinen   Date: 2017-10-16   Files: 1   Lines: -0/+8
  The new wpa_supplicant RESEND_ASSOC command can be used to request the last (Re)Association Request frame to be sent to the AP to test FT protocol behavior. This functionality is for testing purposes and included only in builds with CONFIG_TESTING_OPTIONS=y.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Allow SAE password to be configured separately (STA)
  Author: Jouni Malinen   Date: 2017-10-11   Files: 1   Lines: -3/+6
  The new sae_password network profile parameter can now be used to set the SAE password instead of the previously used psk parameter. This allows passwords shorter than 8 characters and longer than 63 characters to be used.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Allow DH Parameters element to be overridden for testing purposes
  Author: Jouni Malinen   Date: 2017-10-10   Files: 1   Lines: -0/+6
  This allows CONFIG_TESTING_OPTIONS=y builds of wpa_supplicant to override the OWE DH Parameters element in (Re)Association Request frames with arbitrary data specified with the "VENDOR_ELEM_ADD 13 <IE>" command. This is only for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station
  Author: Jouni Malinen   Date: 2017-10-08   Files: 1   Lines: -1/+4
  This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add group_mgmt network parameter for PMF cipher selection
  Author: Jouni Malinen   Date: 2017-09-26   Files: 1   Lines: -0/+1
  The new wpa_supplicant network parameter group_mgmt can be used to specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not specified, the current behavior is maintained (i.e., follow what the AP advertises). The parameter can list multiple space-separated ciphers.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SAE: Allow commit fields to be overridden for testing purposes (STA)
  Author: Jouni Malinen   Date: 2017-09-04   Files: 1   Lines: -0/+13
  The new "SET sae_commit_override <hexdump>" control interface command can be used to force wpa_supplicant to override SAE commit message fields for testing purposes. This is included only in CONFIG_TESTING_OPTIONS=y builds.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix compiler warning with CONFIG_IEEE80211R no-CONFIG_FILS build
  Author: Jouni Malinen   Date: 2017-05-09   Files: 1   Lines: -0/+2
  Addition of remove_ies() handled the CONFIG_IEEE80211R dependency, but missed the caller being within CONFIG_FILS as well.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Derive FT key hierarchy on supplicant side for FILS+FT
  Author: Jouni Malinen   Date: 2017-05-07   Files: 1   Lines: -0/+43
  Derive PMK-R0 and the relevant key names when using FILS authentication for initial FT mobility domain association. Fill in the FT IEs in (Re)Association Request frame for this.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Add MDE into Authentication frame for FILS+FT
  Author: Jouni Malinen   Date: 2017-04-02   Files: 1   Lines: -4/+9
  When using FILS for FT initial mobility domain association, add MDE to the Authentication frame from the STA to indicate this special case for FILS authentication.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Check FILS Indication element against local network profile
  Author: Jouni Malinen   Date: 2017-03-12   Files: 1   Lines: -0/+32
  Do not try to use FILS authentication unless the AP indicates support for the type the local network profile enforces.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Add FILS SK auth PFS support in STA mode
  Author: Jouni Malinen   Date: 2017-03-12   Files: 1   Lines: -5/+37
  This adds an option to configure wpa_supplicant to use the perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime network profile parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would use FILS SK PFS with a 256-bit random ECP group.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Process Diffie-Hellman Parameter element in STA mode
  Author: Jouni Malinen   Date: 2017-03-12   Files: 1   Lines: -0/+25
  This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Use os_memdup()
  Author: Johannes Berg   Date: 2017-03-07   Files: 1   Lines: -2/+1
  This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively.
  The mechanical conversions all over the code were done with the following spatch:

      @@
      expression SIZE, SRC;
      expression a;
      @@
      -a = os_malloc(SIZE);
      +a = os_memdup(SRC, SIZE);
      <...
      if (!a) {...}
      ...>
      -os_memcpy(a, SRC, SIZE);

  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* FILS: Use FILS Cache Identifier to extend PMKSA applicability
  Author: Jouni Malinen   Date: 2017-02-26   Files: 1   Lines: -4/+12
  This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SME: Clear portValid on starting authentication to fix FILS
  Author: Jouni Malinen   Date: 2017-02-21   Files: 1   Lines: -0/+1
  The ft_completed for FILS authentication case in wpa_supplicant_event_assoc() depends on something having cleared portValid so that setting it TRUE ends up authorizing the port. This clearing part did not happen when using FILS authentication during a reassociation within an ESS. Fix this by clearing portValid in sme_send_authentication() just before the keys are cleared (i.e., the old connection would not be usable anyway).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Fix BSSID in reassociation case
  Author: Jouni Malinen   Date: 2017-02-21   Files: 1   Lines: -2/+2
  The RSN supplicant implementation needs to be updated to use the new BSSID whenever doing FILS authentication. Previously, this was only done when notifying association and that was too late for the case of reassociation. Fix this by providing the new BSSID when calling fils_process_auth(). This makes PTK derivation use the correct BSSID.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FT: Support addition of RIC elements into Reassociation Request frame
  Author: Jouni Malinen   Date: 2017-02-18   Files: 1   Lines: -1/+9
  The new "SET ric_ies <hexdump>" control interface command can now be used to request wpa_supplicant to add the specified RIC elements into Reassociation Request frame when using FT protocol. This is mainly for testing purposes.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SME: Remove null ie param from CTRL-EVENT-AUTH-REJECT
  Author: Jouni Malinen   Date: 2017-02-10   Files: 1   Lines: -2/+3
  Clean up the event message by removing the ie=<value> parameter when the IEs are not available instead of printing out "ie=(null)".
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Allow FILS HLP requests to be added
  Author: Jouni Malinen   Date: 2017-01-29   Files: 1   Lines: -1/+26
  The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used.
  FILS_HLP_REQ_ADD parameters use the following format:
      <destination MAC address> <hexdump of payload starting from ethertype>
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* RRM: Enable beacon report with active/passive scan for all drivers
  Author: Jouni Malinen   Date: 2017-01-03   Files: 1   Lines: -4/+3
  The requested behavior can be approximated for most use cases even if the driver does not support reporting exact TSF values for frames. Enable this capability for all drivers to make beacon report processing more useful for a common use case.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Enable Beacon Report using beacon table for all drivers
  Author: Jouni Malinen   Date: 2017-01-03   Files: 1   Lines: -2/+2
  The special parameters for beacon report scan are not needed for the beacon report when using the beacon table measurement mode. Advertise support for this case regardless of whether the driver supports the scan parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Add support for Beacon Report Radio Measurement
  Author: Avraham Stern   Date: 2017-01-03   Files: 1   Lines: -0/+5
  Beacon Report Radio Measurement is defined in IEEE Std 802.11-2016. Beacon Report is implemented by triggering a scan on the requested channels with the requested parameters.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* Remove MBO dependency from Supported Operating Classes element
  Author: vamsi krishna   Date: 2016-12-11   Files: 1   Lines: -18/+5
  Supported Operating Classes element and its use is defined in the IEEE 802.11 standard and can be sent even when MBO is disabled in the build. As such, move this functionality out from the CONFIG_MBO=y only mbo.c.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add elements to FILS Association Request frame
  Author: Jouni Malinen   Date: 2016-10-25   Files: 1   Lines: -0/+34
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Authentication frame processing (STA)
  Author: Jouni Malinen   Date: 2016-10-22   Files: 1   Lines: -0/+18
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Try to use FILS authentication if PMKSA or ERP entry is available
  Author: Jouni Malinen   Date: 2016-10-22   Files: 1   Lines: -4/+25
  If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SME: Clear possibly used WPA/RSN IE for new connection
  Author: Jouni Malinen   Date: 2016-10-22   Files: 1   Lines: -0/+4
  This was already done in the case where the SME in the driver is used, but the SME code path was resetting the local WPA/RSN IE only for association. While that was fine for existing use cases, FILS needs a new RSN IE to be set for PMKSA caching case in Authentication frames, so clear the local IE before starting new authentication.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Rename sae_data to more generic auth_data
  Author: Jouni Malinen   Date: 2016-10-22   Files: 1   Lines: -2/+2
  This makes it cleaner for the FILS implementation to use the same design for setting Authentication frame elements as was already done with SAE.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SME: Fix SA Query local failure handling
  Author: Jouni Malinen   Date: 2016-07-17   Files: 1   Lines: -1/+4
  If no new sme_sa_query_timer() callback is scheduled, sme_stop_sa_query() needs to be called to allow new SA Query operations to be started after the failure.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Use extended capabilities per interface type
  Author: Kanchanapally, Vidyullatha   Date: 2016-05-31   Files: 1   Lines: -0/+5
  This adds the necessary changes to support extraction and use of the extended capabilities specified per interface type (a recent cfg80211/nl80211 extension). If that information is available, per-interface values will be used to override the global per-radio value.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>