path: root/wpa_supplicant
Commit message | Author | Age | Files | Lines
* OCE: Add RSSI based association rejection support (STA) | Beni Lev | 2019-01-01 | 6 | -17/+69
  An AP might refuse to connect a STA if it has a low RSSI. In such case, the AP informs the STA with the desired RSSI delta and a retry timeout. Any subsequent association attempt with that AP (BSS) should be avoided, unless the RSSI level improved by the desired delta or the timeout has expired. Defined in Wi-Fi Alliance Optimized Connectivity Experience technical specification v1.0, section 3.14 (RSSI-based association rejection information).
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* P2P: Set global->p2p_group_formation in wpas_p2p_join_start() for p2pdev | Aloni, Adiel | 2019-01-01 | 1 | -9/+10
  When a dedicated P2P device interface is used, the global->p2p_group_formation was not set in wpas_p2p_join_start() if no separate group interface is used. This would cause that in case of a failure in group formation, the cleaning of p2p_in_provisioning is done on the wrong interface. Furthermore, P2P_CANCEL command could not be used to stop such a group-join operation. Fix this by setting the global->p2p_group_formation correctly in case that the group interface is reusing wpa_s->parent.
  Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
* Update wpa_supplicant channel list on FLUSH | Jouni Malinen | 2019-01-01 | 3 | -6/+13
  Try to make sure the driver channel list state is synchronized with wpa_supplicant whenever explicitly clearing state (e.g., between hwsim test cases).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_cli: Allow reconnect to global interface | Ben Greear | 2018-12-31 | 1 | -34/+41
  Old code would just re-connect to a particular interface, even if user had started wpa_cli with the '-g' option. Refactor global control interface connection routine to allow it to be used in wpa_cli_reconnect().
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* wpa_supplicant: Fix build with !CONFIG_AP and CONFIG_CTRL_IFACE_DBUS_NEW | Michal Privoznik | 2018-12-31 | 1 | -1/+32
  If the CONFIG_CTRL_IFACE_DBUS_NEW is enabled but CONFIG_AP is disabled the build fails. This is because dbus getters try to access ap_iface member of wpa_supplicant struct which is defined if and only if CONFIG_AP is enabled.
  Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
* mka: MIB information | Jouni Malinen | 2018-12-29 | 1 | -0/+5
  Provide MKA information through the wpa_supplicant control interface MIB command.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Document nl80211 driver in the man page | Asbjørn Sloth Tønnesen | 2018-12-27 | 1 | -3/+23
  Signed-off-by: Asbjørn Sloth Tønnesen <hostap@asbjorn.st>
* mka: Extend CAK/CKN-from-EAP-MSK API to pass in MSK length | Jouni Malinen | 2018-12-26 | 1 | -5/+4
  This can be used to allow 256-bit key hierarchy to be derived from EAP-based authentication. For now, the MSK length is hardcoded to 128 bits, so the previous behavior is maintained.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow 256-bit CAK to be configured for PSK mode | Jouni Malinen | 2018-12-26 | 4 | -11/+18
  This allows 256-bit CAK to be used as the root key in the MKA key hierarchy.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow configuration of MACsec replay protection | Andrey Kartashev | 2018-12-26 | 6 | -1/+51
  Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow user to set up MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level while delay protection is something that KaY can use to manage SecY state.
  Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Fix lowest acceptable Packet Number (LPN) calculation and use | Mike Siedzik | 2018-12-26 | 2 | -0/+15
  The purpose of the Lowest Acceptable PN (lpn) parameters in the MACsec SAK Use parameter set is to enforce delay protection. Per IEEE Std 802.1X-2010, Clause 9, "Each SecY uses MKA to communicate the lowest PN used for transmission with the SAK within the last two seconds, allowing receivers to bound transmission delays." When encoding the SAK Use parameter set the KaY should set llpn and olpn to the lowest PN transmitted by the latest SAK and oldest SAK (if active) within the last two seconds. Because MKPDUs are transmitted every 2 seconds (MKA_HELLO_TIME), the solution implemented here calculates lpn based on the txsc->next_pn read during the previous MKPDU transmit. Upon receiving and decoding a SAK Use parameter set with delay protection enabled, the KaY will update the SecY's lpn if the delay protect lpn is greater than the SecY's current lpn (which is a product of last PN received and replay protection and window size).
  Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
* macsec: Make pre-shared CKN variable length | michael-dev | 2018-12-25 | 3 | -7/+19
  IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for CKN: "MKA places no restriction on the format of the CKN, save that it comprise an integral number of octets, between 1 and 32 (inclusive), and that all potential members of the CA use the same CKN. No further constraints are placed on the CKNs used with PSKs, ..." Hence do not require a 32 octet long CKN but instead allow a shorter CKN to be configured. This fixes interoperability with some Aruba switches, that do not accept a 32 octet long CKN (only support shorter ones).
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* tests: Allow TX/RX data test to use different frame length | Jouni Malinen | 2018-12-24 | 1 | -13/+35
  This is needed for MACsec test cases with a bit shorter MTU.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Check snprintf result to avoid compiler warnings | Jouni Malinen | 2018-12-24 | 3 | -5/+19
  These do not really get truncated in practice, but it looks like some newer compilers warn about the prints, so silence those by checking the result and do something a bit more useful if the output would actually get truncated.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Readme for DPP | Damodaran, Rohit (Contractor) | 2018-12-23 | 1 | -0/+195
  Add a readme file for users for on-boarding devices with Device Provisioning Protocol (DPP).
  Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
* dbus: Expose connected stations on D-Bus | Andrej Shadura | 2018-12-23 | 5 | -0/+609
  Make it possible to list connected stations in AP mode over D-Bus, along with some of their properties: rx/tx packets, bytes, capabilities, etc.
  Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
  Rebased by Julian Andres Klode <juliank@ubuntu.com> and updated to use the new getter API. Further modified by Andrej Shadura to not error out when not in AP mode and to send separate StationAdded/StationRemoved signals instead of changing signatures of existing StaAuthorized/StaDeauthorized signals.
  Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
* dbus: Use dbus_bool_t, not int for boolean function arguments | Andrej Shadura | 2018-12-23 | 1 | -5/+6
  Properties argument specifies whether to add object's properties or not, hence it doesn't need to be int.
  Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
* wpa_supplicant: Allow overriding HT STBC capabilities | Sergey Matyukevich | 2018-12-23 | 6 | -1/+93
  Allow user to override STBC configuration for Rx and Tx spatial streams. Add new configuration options to test for HT capability overrides.
  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* Add SAE to GET_CAPABILITY key_mgmt | Jouni Malinen | 2018-12-21 | 1 | -0/+8
  Provide information about SAE AKM support in "GET_CAPABILITY key_mgmt" for completeness. The "GET_CAPABILITY auth_alg" case is already providing information about SAE support through user space SME.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add self configuration command in hostapd_cli and wpa_cli | Prasad, Jagadeesh (Contractor) | 2018-12-21 | 1 | -0/+10
  The back-end support for DPP self configuration was already present in hostapd and wpa_supplicant. However, the command to invoke DPP self configuration was not available in hostapd_cli and wpa_cli. Add the command "dpp_configurator_sign" in them.
  Signed-off-by: Prasad, Jagadeesh <Jagadeesh_Prasad@comcast.com>
* DPP: Accept DPP_CONFIGURATION_SIGN without double space before parameters | Jouni Malinen | 2018-12-21 | 1 | -1/+1
  Make this command more convenient to use by not requiring two space characters between the command and the first parameter.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Expose Multi-BSS STA capability through wpa_supplicant control interface | Jouni Malinen | 2018-12-20 | 3 | -0/+14
  Indicate whether the driver advertises support for Multi-BSS STA functionality with "GET_CAPABILITY multibss" (returns "MULTIBSS-STA" if supported).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Add Multi-AP backhaul STA support | Venkateswara Naralasetty | 2018-12-20 | 8 | -0/+108
  Advertise vendor specific Multi-AP IE in (Re)Association Request frames and process Multi-AP IE from (Re)Association Response frames if the user enables Multi-AP functionality. If the (Re)Association Response frame does not contain the Multi-AP IE, disassociate. This adds a new configuration parameter 'multi_ap_backhaul_sta' to enable/disable Multi-AP functionality. Enable 4-address mode after association (if the Association Response frame contains the Multi-AP IE). Also enable the bridge in that case. This is necessary because wpa_supplicant only enables the bridge in wpa_drv_if_add(), which only gets called when an interface is added through the control interface, not when it is configured from the command line.
  Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* OCV: Include and verify OCI in WNM-Sleep Exit frames | Mathy Vanhoef | 2018-12-17 | 1 | -4/+78
  Include and verify the OCI element in WNM-Sleep Exit Request and Response frames. In case verification fails, the frame is silently ignored.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Include and verify OCI in the AMPE handshake | Mathy Vanhoef | 2018-12-17 | 1 | -0/+72
  Include and verify the OCI element in AMPE Open and Confirm frames. Note that the OCI element is included even if the other STA didn't advertise support of OCV. The OCI element is only required and verified if both peers support OCV.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Pass ocv parameter to mesh configuration | Mathy Vanhoef | 2018-12-17 | 2 | -2/+8
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Add UNPROT_DEAUTH command for testing OCV | Mathy Vanhoef | 2018-12-17 | 1 | -0/+5
  This new wpa_supplicant control interface command can be used to simplify testing SA Query with OCV.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Perform an SA Query after a channel switch | Mathy Vanhoef | 2018-12-17 | 3 | -0/+29
  After the network changed to a new channel, perform an SA Query with the AP after a random delay if OCV was negotiated for the association. This is used to confirm that we are still operating on the real operating channel of the network. This commit is adding only the station side functionality for this, i.e., the AP behavior is not changed to disconnect stations with OCV that do not go through SA Query.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Include and verify OCI in SA Query frames | Mathy Vanhoef | 2018-12-17 | 1 | -7/+111
  Include an OCI element in SA Query Request and Response frames if OCV has been negotiated. On Linux, a kernel patch is needed to let clients correctly handle SA Query Requests that contain an OCI element. Without this patch, the kernel will reply to the SA Query Request itself, without verifying the included OCI. Additionally, the SA Query Response sent by the kernel will not include an OCI element. The correct operation of the AP does not require a kernel patch. Without the corresponding kernel patch, SA Query Requests sent by the client are still valid, meaning they do include an OCI element. Note that an AP does not require any kernel patches. In other words, SA Query frames sent and received by the AP are properly handled, even without a kernel patch. As a result, the kernel patch is only required to make the client properly process and respond to a SA Query Request from the AP. Without this patch, the client will send a SA Query Response without an OCI element, causing the AP to silently ignore the response and eventually disconnect the client from the network if OCV has been negotiated to be used.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add utility functions to insert OCI elements | Mathy Vanhoef | 2018-12-16 | 2 | -0/+2
  This commit adds utility functions to insert various encoding of the OCI element.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Advertise OCV capability in RSN capabilities (STA) | Mathy Vanhoef | 2018-12-16 | 1 | -0/+3
  Set the OCV bit in RSN capabilities (RSNE) based on station mode configuration.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Advertise OCV capability in RSN capabilities (AP) | Mathy Vanhoef | 2018-12-16 | 1 | -0/+4
  Set the OCV bit in RSN capabilities (RSNE) based on AP mode configuration. Do the same for OSEN since it follows the RSNE field definitions.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add wpa_supplicant config parameter | Mathy Vanhoef | 2018-12-16 | 4 | -0/+67
  Add wpa_supplicant network profile parameter ocv to disable or enable Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add build configuration for channel validation support | Mathy Vanhoef | 2018-12-16 | 4 | -0/+16
  Add compilation flags for Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Store the VHT Operation element of an associated STA | Mathy Vanhoef | 2018-12-16 | 1 | -0/+1
  APs and mesh peers use the VHT Operation element to advertise certain channel properties (e.g., the bandwidth of the channel). Save this information element so we can later access this information.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Make channel_info available to the supplicant state machine | Mathy Vanhoef | 2018-12-16 | 1 | -0/+10
  This adds the necessary functions and callbacks to make the channel_info driver API available to the supplicant state machine that implements the 4-way and group key handshake. This is needed for OCV.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Add driver API to get current channel parameters | Mathy Vanhoef | 2018-12-16 | 1 | -0/+8
  This adds driver API functions to get the current operating channel parameters. This encompasses the center frequency, channel bandwidth, frequency segment 1 index (for 80+80 channels), and so on.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* WMM AC: Fix a typo in a comment | Jouni Malinen | 2018-12-08 | 1 | -1/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WMM AC: Do not write ERROR level log entries when WMM AC is not in use | Jouni Malinen | 2018-12-08 | 1 | -7/+2
  These two wpa_printf() calls with MSG_ERROR level could be reached when connecting without (Re)Association Response frame elements being available. That would be the case for wired connections and IBSS. Those cases are not supposed to use WMM AC in the first place, so do not confuse logs with ERROR messages in them for normal conditions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Fix OWE network profile saving | Jouni Malinen | 2018-12-08 | 1 | -0/+12
  key_mgmt=OWE did not have a config parameter writer and wpa_supplicant was unable to save such a network profile correctly. Fix this by adding the needed parameter writer.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Support DPP key_mgmt saving to wpa_supplicant configuration | Damodaran, Rohit (Contractor) | 2018-12-08 | 1 | -0/+12
  In the existing code, there was no "DPP" string available to the DPP key management type for configuration parser of wpa supplicant. When the configuration is saved, the key management string was left out from the config file. Fix this by adding support for writing key_mgmt=DPP option.
  Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
* HS 2.0: Fix PMF-in-use check for ANQP Venue URL processing | Jouni Malinen | 2018-12-08 | 3 | -2/+3
  The previous implementation did not check that we are associated with the sender of the GAS response before checking for PMF status. This could have accepted Venue URL when not in associated state. Fix this by explicitly checking for association with the responder first. This fixes an issue that was detected, e.g., with these hwsim test case sequences: gas_anqp_venue_url_pmf gas_anqp_venue_url gas_prot_vs_not_prot gas_anqp_venue_url
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Enable PMF automatically for Hotspot 2.0 network profiles | Jouni Malinen | 2018-12-08 | 1 | -0/+1
  Hotspot 2.0 Release 2 requires PMF to be negotiated, so enable this by default in the network profiles created from cred blocks.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allocate enough buffer for HS 2.0 Indication element for scan | Jouni Malinen | 2018-12-08 | 1 | -1/+1
  The HS 2.0 Indication element can be up to 9 octets in length, so add two more octets to the minimum extra_ie buffer size for scanning.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: As a STA, do not indicate release number greater than the AP | Jouni Malinen | 2018-12-08 | 5 | -6/+32
  Hotspot 2.0 tech spec mandates mobile device to not indicate a release number that is greater than the release number advertised by the AP. Add this constraint to the HS 2.0 Indication element when adding this into (Re)Association Request frame. The element in the Probe Request frame continues to show the station's latest supported release number.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=y | Jouni Malinen | 2018-12-03 | 1 | -2/+0
  remove_ie() was defined within an ifdef CONFIG_FILS block while it is now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition there.
  Fixes 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Update version to v2.7 and copyright years to include 2018 [hostap_2_7] | Jouni Malinen | 2018-12-02 | 11 | -11/+81
  Also add the ChangeLog entries for both hostapd and wpa_supplicant to describe main changes between v2.6 and v2.7.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Uncomment CONFIG_LIBNL32=y in defconfig | Jouni Malinen | 2018-12-02 | 1 | -1/+1
  libnl 3.2 release is much more likely to be used nowadays than the versions using the older API, so uncomment this in wpa_supplicant and hostapd defconfig.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Try another group only on association rejection with status 77 | Ashok Kumar | 2018-12-02 | 3 | -2/+11
  Do not change the OWE group if association is rejected for any other reason than WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED to avoid unnecessary latency in cases where the APs reject association, e.g., for load balancing reasons.
  Signed-off-by: Ashok Kumar <aponnaia@codeaurora.org>
* DPP: Remove unused wpas_dpp_remain_on_channel_cb() | Jouni Malinen | 2018-12-02 | 2 | -25/+0
  This function was apparently never used at all.
  Signed-off-by: Jouni Malinen <j@w1.fi>