path: root/wpa_supplicant
Commit message | Author | Age | Files | Lines
* DPP: Report reception of Config Request to upper layers
  Author: Jouni Malinen  Date: 2018-01-11  Files: 1  Lines: -0/+2

    This is mainly for protocol testing purposes.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* GnuTLS: Add option to build with libnettle instead of libgcrypt
  Author: Jouni Malinen  Date: 2017-12-29  Files: 2  Lines: -5/+29

    GnuTLS-based builds can now be done using either libnettle or libgcrypt
    for crypto functionality:

        CONFIG_TLS=gnutls
        CONFIG_CRYPTO=nettle

        CONFIG_TLS=gnutls
        CONFIG_CRYPTO=gnutls

    Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement HMAC functions using libgcrypt
  Author: Jouni Malinen  Date: 2017-12-27  Files: 2  Lines: -0/+20

    Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with the
    ones from libgcrypt and also add the SHA384 and SHA512 versions.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
  Author: Jouni Malinen  Date: 2017-12-27  Files: 2  Lines: -2/+0

    Replace the internal SHA256 implementation with the one from libgcrypt and
    also add the SHA384 and SHA512 versions.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Try all supported DH groups automatically on STA
  Author: Jouni Malinen  Date: 2017-12-27  Files: 5  Lines: -5/+49

    If a specific DH group for OWE is not set with the owe_group parameter,
    try all supported DH groups (currently 19, 20, 21) one by one if the AP
    keeps rejecting groups with the status code 77.

    Signed-off-by: Jouni Malinen <j@w1.fi>
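The group fallback described in the commit above, written out as an added example. This is not wpa_supplicant code: the AP is a constructed model that accepts exactly one group and answers every other Association Request with status code 77, and the names (owe_next_group, owe_connect, fake_ap, STATUS_UNSUPPORTED_GROUP) are assumptions for illustration. It shows the two behaviours the commit distinguishes: with owe_group unset the station walks 19, 20, 21 in order and stops at the first group the AP accepts, and with owe_group set explicitly the station makes a single attempt and never falls back.

```c
/* Added example, not wpa_supplicant code: the OWE DH group fallback from the
 * commit above, exercised against a constructed AP model. Names and the AP
 * model are assumptions for illustration. */
#include <stdio.h>
#include <stddef.h>

#define STATUS_SUCCESS 0
#define STATUS_UNSUPPORTED_GROUP 77 /* status code 77: group not supported */

/* Groups the commit lists as currently supported, tried in this order. */
static const int owe_groups[] = { 19, 20, 21 };
#define OWE_NUM_GROUPS (sizeof(owe_groups) / sizeof(owe_groups[0]))

struct owe_sta {
	int owe_group;     /* configured owe_group; 0 = not set, try all */
	int current_group; /* group used in the latest attempt; 0 = none yet */
	size_t next_idx;   /* next entry of owe_groups to try */
};

/* Pick the group for the next Association Request; 0 when nothing is left. */
static int owe_next_group(struct owe_sta *sta)
{
	if (sta->owe_group) {
		/* Explicit configuration: use it once, never fall back. */
		if (sta->current_group)
			return 0;
		sta->current_group = sta->owe_group;
		return sta->current_group;
	}
	if (sta->next_idx >= OWE_NUM_GROUPS)
		return 0;
	sta->current_group = owe_groups[sta->next_idx++];
	return sta->current_group;
}

/* Constructed AP: accepts exactly one group, rejects others with status 77. */
struct fake_ap {
	int accepted_group;
};

static int fake_ap_assoc(const struct fake_ap *ap, int group)
{
	return group == ap->accepted_group ? STATUS_SUCCESS :
		STATUS_UNSUPPORTED_GROUP;
}

/* Association loop. Returns the group that succeeded, or 0 on failure;
 * *attempts receives the number of Association Requests sent. */
static int owe_connect(struct owe_sta *sta, const struct fake_ap *ap,
		       int *attempts)
{
	int group;

	*attempts = 0;
	while ((group = owe_next_group(sta)) != 0) {
		int status = fake_ap_assoc(ap, group);

		(*attempts)++;
		if (status == STATUS_SUCCESS)
			return group;
		if (status != STATUS_UNSUPPORTED_GROUP)
			return 0; /* not a group problem; another group won't help */
		/* Status 77: move on to the next group. */
	}
	return 0;
}

/* Scenario helpers: ap_group is what the AP accepts, configured is the
 * station's owe_group (0 = unset). */
static int owe_demo_group(int ap_group, int configured)
{
	struct owe_sta sta = { configured, 0, 0 };
	struct fake_ap ap = { ap_group };
	int attempts;

	return owe_connect(&sta, &ap, &attempts);
}

static int owe_demo_attempts(int ap_group, int configured)
{
	struct owe_sta sta = { configured, 0, 0 };
	struct fake_ap ap = { ap_group };
	int attempts;

	owe_connect(&sta, &ap, &attempts);
	return attempts;
}

int main(void)
{
	printf("AP accepts 21, owe_group unset: group %d after %d attempts\n",
	       owe_demo_group(21, 0), owe_demo_attempts(21, 0));
	printf("AP accepts 19, owe_group=20: group %d after %d attempts\n",
	       owe_demo_group(19, 20), owe_demo_attempts(19, 20));
	return 0;
}
```

The loop only advances on status 77; any other rejection ends the attempt, since a different group cannot fix a failure that was not about the group. An AP that accepts none of the three groups costs three Association Requests before the station gives up.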
* PAE: Remove OpenSSL header dependency
  Author: Jouni Malinen  Date: 2017-12-24  Files: 1  Lines: -2/+2

    Instead of requiring OpenSSL headers to be available just for the
    SSL3_RANDOM_SIZE definition, replace that macro with a fixed length (32)
    to simplify dependencies.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Use abstract crypto API
  Author: Sean Parkinson  Date: 2017-12-24  Files: 2  Lines: -0/+2

    This makes it easier to use EAP-pwd with other crypto libraries than
    OpenSSL.

    Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* wpa_cli: Add completion for get/set cred commands
  Author: Mikael Kanstrup  Date: 2017-12-16  Files: 1  Lines: -4/+82

    Add command completion support for get_cred and set_cred commands.

    Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
* dbus: Add FILS key mgmt values into BSS security properties
  Author: Masashi Honma  Date: 2017-12-16  Files: 1  Lines: -1/+11

    Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* FILS: Driver configuration to disable/enable FILS features
  Author: vamsi krishna  Date: 2017-12-15  Files: 4  Lines: -1/+20

    The new disable_fils parameter can be used to disable FILS functionality
    in the driver. This is currently removing the FILS Capability bit in
    Extended Capabilities and providing a callback to the driver wrappers.
    driver_nl80211.c implements this using a QCA vendor specific command for
    now.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Allow DH Parameters element overriding with driver SME
  Author: Jouni Malinen  Date: 2017-12-11  Files: 1  Lines: -0/+5

    Commit 265bda34441da14249cb22ce8a459cebe8015a55 ('OWE: Allow DH
    Parameters element to be overridden for testing purposes') provided means
    for using "VENDOR_ELEM_ADD 13 <IE>" in OWE protocol testing, but that
    commit covered only the sme.c case (i.e., drivers that use wpa_supplicant
    SME). Extend this to cover drivers that use internal SME (e.g., use the
    nl80211 Connect command).

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Android: Set CONFIG_NO_RANDOM_POOL=y
  Author: Jeff Vander Stoep  Date: 2017-12-09  Files: 1  Lines: -1/+7

    Wpa_supplicant's random pool is not necessary on Android. Randomness is
    already provided by the entropymixer service which ensures sufficient
    entropy is maintained across reboots. Commit b410eb1913 'Initialize
    /dev/urandom earlier in boot' seeds /dev/urandom with that entropy before
    either wpa_supplicant or hostapd are run.

    Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
* tests: DPP P-256 test vectors
  Author: Jouni Malinen  Date: 2017-12-07  Files: 1  Lines: -0/+10

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allow protocol key to be overridden for testing purposes
  Author: Jouni Malinen  Date: 2017-12-05  Files: 1  Lines: -0/+11

    This can be used for various testing needs.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Add GCMP-256 and CCMP-256 cipher options on Enrollee
  Author: Jouni Malinen  Date: 2017-12-02  Files: 1  Lines: -0/+10

    If a credential with encp type AES is received, add GCMP-256 and CCMP-256
    cipher options on station Enrollee based on local capabilities. This is
    needed to allow connection with an AP using either of these newer
    ciphers.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Check BSS table against current BSSID if credential does not match
  Author: Jouni Malinen  Date: 2017-12-02  Files: 1  Lines: -0/+3

    The credential MAC address is not necessarily that of the AP, i.e., it is
    more likely to be that of the Enrollee. Check the scan results against
    the current BSSID as well if match is not found otherwise when going
    through the mixed mode workaround.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Change Authentication Response retry time to 1 second
  Author: Jouni Malinen  Date: 2017-12-02  Files: 1  Lines: -1/+1

    The previously used 10 second timer did not really make much sense since
    the Initiator is not going to be waiting for the response that long.
    Change this to 1 second based on the DPP tech spec change.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Extend dpp_test with invalid Transaction ID in Peer Disc Req
  Author: Jouni Malinen  Date: 2017-11-30  Files: 1  Lines: -0/+6

    Allow a Transaction ID attribute with invalid length to be sent for
    protocol testing purposes.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Call wpas_dpp_stop() from wpas_dpp_deinit()
  Author: Jouni Malinen  Date: 2017-11-29  Files: 1  Lines: -3/+1

    This makes the full DPP deinit operation more consistent with stopping of
    a single operation. In practice, this adds the new GAS client stopping
    functionality.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Stop pending GAS client operation on DPP_STOP_LISTEN
  Author: Jouni Malinen  Date: 2017-11-29  Files: 4  Lines: -0/+25

    This makes the operation more complete in stopping all ongoing DPP
    related functionality.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Deinit PKEX instance on DPP_STOP_LISTEN
  Author: Jouni Malinen  Date: 2017-11-29  Files: 1  Lines: -0/+2

    Previously this stopped only the DPP Authentication instance, but it is
    better to clear both PKEX and Authentication.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Do not process dpp_auth_ok_on_ack multiple times
  Author: Jouni Malinen  Date: 2017-11-27  Files: 1  Lines: -0/+3

    An additional TX status callback could result in processing the DPP
    authentication completion another time at least with hostapd. Fix this by
    clearing the dpp_auth_ok_on_ack when processing it.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Fix compilation without CONFIG_TESTING_OPTIONS=y
  Author: Ashok Ponnaiah  Date: 2017-11-27  Files: 1  Lines: -0/+4

    Add CONFIG_TESTING_OPTIONS ifdef protection to a couple of forgotten DPP
    test parameters in wpa_supplicant ctrl_iface.

    Signed-off-by: Ashok Ponnaiah <aponnaia@qti.qualcomm.com>
* DPP: Ignore GAS server status callback for unknown response
  Author: Jouni Malinen  Date: 2017-11-27  Files: 1  Lines: -0/+8

    It was possible for a timeout from an old GAS server operation to trigger
    DPP configuration failure during the subsequent DPP operation. Fix this by
    verifying that the status callback is for the response generated during
    the same DPP Authentication/Configuration exchange.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add DPP_CONFIGURATOR_SIGN support to hostapd
  Author: Jouni Malinen  Date: 2017-11-27  Files: 1  Lines: -1/+1

    Configurator signing its own Connector was previously supported only in
    wpa_supplicant. This commit extends that to hostapd to allow an AP acting
    as a Configurator to self-configure itself.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allow PKEX x/X and y/Y keypairs to be overridden
  Author: Jouni Malinen  Date: 2017-11-23  Files: 1  Lines: -0/+12

    This is for testing purposes to allow a test vector with specific values
    to be generated.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allow PKEX own/peer MAC addresses to be overridden
  Author: Jouni Malinen  Date: 2017-11-23  Files: 1  Lines: -0/+8

    This is for testing purposes to allow a test vector with specific values
    to be generated.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Provide peer_mac to PKEX Initiator through function argument
  Author: Jouni Malinen  Date: 2017-11-23  Files: 1  Lines: -2/+1

    Avoid unnecessary direct write to a struct dpp_pkex member from outside
    dpp.c.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove compiler warnings about signed/unsigned comparisons
  Author: Jouni Malinen  Date: 2017-11-23  Files: 1  Lines: -1/+1

    These timestamp comparisons did not use matching signedness.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Add wpa_msg_ctrl() to report Probe Request frames from STA
  Author: bhagavathi perumal s  Date: 2017-11-23  Files: 1  Lines: -1/+1

    This allows external applications to get event indication for Probe
    Request frames. Extend ctrl iface cmd "ATTACH" to enable this event on
    per-request basis. For example, user has to send ctrl iface cmd "ATTACH
    probe_rx_events=1" to enable the Probe Request frame events.

    Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
* DPP: Fix number of Authentication Request retry cases
  Author: Jouni Malinen  Date: 2017-11-23  Files: 2  Lines: -24/+65

    Previous implementation did not handle number of sequences correctly.
    Make sure the iteration continues in both unicast and broadcast cases
    until the five attempts have been made. In addition, improve timing by
    checking 10 second time from the beginning of each iteration round and
    not the last channel on which the Auth Req frame has been transmitted.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Take response wait time into account for init retries
  Author: Jouni Malinen  Date: 2017-11-22  Files: 1  Lines: -1/+11

    Previously, the Authentication Request frame was retried after 2+10 = 12
    seconds since the wait for the response was not accounted for. Subtract
    that wait from the 10 second wait time to start the retries more quickly
    based on the 10 second timer described in the tech spec.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Stop Authentication Request attempts if no response after ACK
  Author: Jouni Malinen  Date: 2017-11-22  Files: 1  Lines: -6/+25

    If unicast Authentication Request frame is used and the peer ACKs such a
    frame, but does not reply within the two second limit, there is no need
    to continue trying to retransmit the request frames since the peer was
    found, but not responsive.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add SAE credential support to Configurator
  Author: Jouni Malinen  Date: 2017-11-22  Files: 1  Lines: -6/+20

    The new conf={sta,ap}-{sae,psk-sae} parameter values can now be used to
    specify that the legacy configuration object is for SAE.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add akm=sae and akm=psk+sae support in Enrollee role
  Author: Jouni Malinen  Date: 2017-11-22  Files: 1  Lines: -1/+7

    This allows DPP to be used for enrolling credentials for SAE networks in
    addition to the legacy PSK (WPA-PSK) case. In addition, enable FT-PSK and
    FT-SAE cases automatically.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Retry PKEX Exchange Request frame up to five times
  Author: Jouni Malinen  Date: 2017-11-22  Files: 1  Lines: -12/+70

    Retransmit the PKEX Exchange Request frame if no response from a peer is
    received. This makes the exchange more robust since this frame is sent to
    a broadcast address and has no link layer retries.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Protocol testing for invalid Peer Discovery Req/Resp values
  Author: Jouni Malinen  Date: 2017-11-19  Files: 1  Lines: -0/+16

    Extend dpp_test to allow more invalid attribute values to be written into
    Peer Discovery Request/Response frames.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Protocol testing for invalid Config Attrib Object value
  Author: Jouni Malinen  Date: 2017-11-19  Files: 1  Lines: -0/+6

    Extend dpp_test to cover a case where Config Attrib Object value is
    invalid in Configuration Request frame.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Retransmit DPP Authentication Response frame if it is not ACKed
  Author: Jouni Malinen  Date: 2017-11-13  Files: 3  Lines: -0/+75

    This extends wpa_supplicant DPP implementation to retransmit DPP
    Authentication Response frame every 10 seconds up to 5 times if the peer
    does not reply with DPP Authentication Confirm frame.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Stop authentication exchange on DPP_STOP_LISTEN
  Author: Jouni Malinen  Date: 2017-11-13  Files: 3  Lines: -0/+9

    Previously, this command stopped listen operation immediately, but if
    there was an ongoing authentication exchange, a new listen operation was
    started. This is not really expected behavior, so stop the authentication
    exchange first with this command to avoid restarting listen operation.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allowed initiator to indicate either role
  Author: Jouni Malinen  Date: 2017-11-13  Files: 1  Lines: -4/+7

    The new role=either parameter can now be used with DPP_AUTH_INIT to
    indicate that the initiator can take either the Configurator or Enrollee
    role.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Support multiple channels for initiating DPP Authentication
  Author: Jouni Malinen  Date: 2017-11-13  Files: 3  Lines: -42/+127

    This extends wpa_supplicant to iterate over all available channels from
    the intersection of what the peer indicates and the local device supports
    when initiating DPP Authentication. In addition, retry DPP Authentication
    Request frame up to five times if no response is received.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
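The initiation schedule that this commit and the three retry commits above it describe (channel intersection, five rounds, a 10 second round timer measured from the start of each round rather than from the last channel, a 2 second per-channel response wait, and an early stop when a unicast request is ACKed but never answered) is easier to reason about as a discrete-time simulation. The block below is an added example, not wpa_supplicant code: the peer is a constructed model, the channel lists are constructed sample data, and the constants and names (DPP_AUTH_RESP_WAIT_MS, DPP_AUTH_ROUND_MS, dpp_auth_init_sim, dpp_scenario) are assumptions for illustration.

```c
/* Added example, not wpa_supplicant code: a discrete-time simulation of the
 * DPP Authentication Request initiation schedule from the commits above.
 * Constants, struct names, channel lists and the peer model are assumptions. */
#include <stdio.h>
#include <stddef.h>

#define DPP_AUTH_RESP_WAIT_MS  2000 /* per-channel wait for Authentication Response */
#define DPP_AUTH_ROUND_MS     10000 /* spacing between rounds, from round start */
#define DPP_AUTH_MAX_TRIES        5 /* rounds over the channel list */

/* Constructed sample data: channels (MHz) the peer announced and the ones
 * the local device supports. */
static const int demo_peer_freqs[]  = { 2412, 2437, 5180 };
static const int demo_local_freqs[] = { 2412, 2437, 2462, 5180, 5200 };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Intersect peer-announced and locally supported channels, keeping peer order. */
static size_t channel_intersection(const int *peer, size_t np,
				   const int *local, size_t nl,
				   int *out, size_t max)
{
	size_t i, j, n = 0;

	for (i = 0; i < np && n < max; i++)
		for (j = 0; j < nl; j++)
			if (peer[i] == local[j]) {
				out[n++] = peer[i];
				break;
			}
	return n;
}

struct fake_peer {
	int freq;            /* channel the peer listens on; 0 = not present */
	int acks_but_silent; /* link-layer ACKs the unicast frame, never replies */
};

struct dpp_init_result {
	int rounds;            /* rounds started */
	int frames_sent;       /* Authentication Request frames transmitted */
	int responded;         /* Authentication Response received */
	int stopped_after_ack; /* gave up early: ACKed but no response */
	unsigned long elapsed_ms;
};

static struct dpp_init_result dpp_auth_init_sim(const int *freqs, size_t n,
						const struct fake_peer *peer,
						int unicast)
{
	struct dpp_init_result r = { 0, 0, 0, 0, 0 };
	unsigned long now = 0;
	int round;

	for (round = 0; round < DPP_AUTH_MAX_TRIES; round++) {
		unsigned long round_start = now;
		size_t i;

		r.rounds++;
		for (i = 0; i < n; i++) {
			int acked = 0;

			r.frames_sent++;
			if (peer->freq == freqs[i]) {
				if (!peer->acks_but_silent) {
					r.responded = 1;
					r.elapsed_ms = now;
					return r;
				}
				acked = 1;
			}
			/* Wait for the response on this channel before moving on. */
			now += DPP_AUTH_RESP_WAIT_MS;
			if (unicast && acked) {
				/* Peer found but not responsive: retries are pointless. */
				r.stopped_after_ack = 1;
				r.elapsed_ms = now;
				return r;
			}
		}
		/* The next round starts DPP_AUTH_ROUND_MS after this one began, so
		 * the response waits already spent are not added on top. */
		if (round + 1 < DPP_AUTH_MAX_TRIES &&
		    now < round_start + DPP_AUTH_ROUND_MS)
			now = round_start + DPP_AUTH_ROUND_MS;
	}
	r.elapsed_ms = now;
	return r;
}

/* Scenario helper: run the schedule over the demo channel intersection. */
static struct dpp_init_result dpp_scenario(int peer_freq, int acks_but_silent,
					   int unicast)
{
	int freqs[8];
	size_t n = channel_intersection(demo_peer_freqs, COUNT(demo_peer_freqs),
					demo_local_freqs, COUNT(demo_local_freqs),
					freqs, COUNT(freqs));
	struct fake_peer peer = { peer_freq, acks_but_silent };

	return dpp_auth_init_sim(freqs, n, &peer, unicast);
}

int main(void)
{
	struct dpp_init_result r = dpp_scenario(0, 0, 1);

	printf("peer absent: %d rounds, %d frames, %lu ms\n",
	       r.rounds, r.frames_sent, r.elapsed_ms);
	r = dpp_scenario(2412, 1, 1);
	printf("ACK but silent (unicast): %d frames, stopped=%d\n",
	       r.frames_sent, r.stopped_after_ack);
	return 0;
}
```

With three channels in the intersection, the absent-peer case sends 15 frames over 46 seconds: each round takes 6 seconds of response waits and the next one starts 10 seconds after the previous round began, which is the timing the "response wait time" commit restores (the old behaviour would have spaced rounds by 10 seconds plus the waits). The ACK-but-silent case only ends early when the request was unicast; a broadcast request has no ACK to learn from, so it runs the full five rounds.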
* DPP: Share a helper function for PKEX final steps
  Author: Jouni Malinen  Date: 2017-11-13  Files: 1  Lines: -38/+32

    Generate the PKEX bootstrapping information and release the PKEX session
    in a helper function that both the initiator and responder can use
    instead of maintaining this functionality separately in two places.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Protocol testing to allow missing attributes in peer discovery
  Author: Jouni Malinen  Date: 2017-11-06  Files: 1  Lines: -0/+19

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: ACS offload for the autonomous GO
  Author: Sunil Dutt  Date: 2017-11-03  Files: 4  Lines: -6/+52

    This commit introduces the ACS functionality for the autonomous GO. The
    optional parameter <freq> in p2p_group_add is enhanced to carry a value
    "acs" with the intention to select the channels among any supported band.
    freq = 2 / 5 carry the need to select the channels only in the respective
    bands 2.4 / 5 GHz. This functionality is on top of the host driver's
    capability to offload ACS, which is advertized through
    WPA_DRIVER_FLAGS_ACS_OFFLOAD.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: PKEX counter t
  Author: Jouni Malinen  Date: 2017-11-03  Files: 1  Lines: -0/+17

    Add limit on number of failed attempts that could have used PKEX code. If
    the limit (5) is reached, drop the PKEX state (including the code) and
    report this on the control interface to indicate that a new code needs to
    be entered due to possible attack.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Terminate PKEX exchange on detection of a mismatching code
  Author: Jouni Malinen  Date: 2017-11-03  Files: 1  Lines: -0/+5

    Clean up the pending PKEX exchange if Commit-Reveal Request processing
    indicates a mismatch in the PKEX code. Previously, this case was silently
    ignored and the session was left in pending state that prevented new PKEX
    exchanges from getting initiated. Now, a new attempt is allowed to be
    initiated.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: PKEX and STATUS_BAD_GROUP
  Author: Jouni Malinen  Date: 2017-11-03  Files: 1  Lines: -0/+13

    Report mismatching finite cyclic group with PKEX Exchange Response using
    STATUS_BAD_GROUP and provide more detailed error report over the control
    interface on the peer device when this happens.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Report possible PKEX code mismatch in control interface
  Author: Jouni Malinen  Date: 2017-11-02  Files: 1  Lines: -2/+2

    Indicate to upper layers if PKEX Commit-Reveal Request frame AES-SIV
    decryption fails. That is a likely sign of the PKEX code mismatch between
    the devices.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
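The three PKEX commits above ("PKEX counter t", "Terminate PKEX exchange on detection of a mismatching code" and this one) together describe one piece of defensive state handling: a failed AES-SIV unwrap of the Commit-Reveal Request is reported as a probable code mismatch, the pending exchange is torn down so a fresh one can be initiated, and after five such failures the code itself is discarded because someone may be guessing it. The block below is an added example of that handling, not wpa_supplicant code. The AES-SIV unwrap is stood in for by a string compare against the code the peer is modelled as having used, the control-interface event strings are deliberately not reproduced (the result enum stands in for them), and the names, the script driver and the policy that only entering a new code resets t are assumptions.

```c
/* Added example, not wpa_supplicant code: the PKEX failure counter t, the
 * code-mismatch report and the exchange teardown from the commits above,
 * driven by a constructed peer model. AES-SIV unwrap is stood in for by a
 * string compare; all names and the counter reset policy are assumptions. */
#include <stdio.h>
#include <string.h>

#define PKEX_MAX_FAILURES 5 /* the limit the commit sets for counter t */

enum pkex_result {
	PKEX_OK,            /* request unwrapped; exchange continues */
	PKEX_CODE_MISMATCH, /* unwrap failed: likely code mismatch, exchange dropped */
	PKEX_CODE_DROPPED,  /* t hit the limit: code discarded, new code needed */
	PKEX_NO_CODE        /* no usable code or no exchange pending: frame ignored */
};

struct pkex_session {
	char code[64];       /* shared PKEX code; empty once dropped */
	int exchange_active; /* 1 while a Commit-Reveal Request is expected */
	unsigned int t;      /* failed attempts that could have used this code */
};

/* Entering a new code is the only thing that resets t (assumption). */
static void pkex_set_code(struct pkex_session *s, const char *code)
{
	memset(s, 0, sizeof(*s));
	snprintf(s->code, sizeof(s->code), "%s", code);
}

/* A new exchange may start only when none is pending and a code exists. */
static int pkex_start_exchange(struct pkex_session *s)
{
	if (s->exchange_active || s->code[0] == '\0')
		return 0;
	s->exchange_active = 1;
	return 1;
}

/* Stand-in for AES-SIV unwrap of the Commit-Reveal Request: the real key is
 * derived from the code, so a peer using another code fails authentication.
 * peer_code models the code the peer used. */
static int fake_siv_unwrap(const struct pkex_session *s, const char *peer_code)
{
	return strcmp(s->code, peer_code) == 0;
}

static enum pkex_result pkex_rx_commit_reveal_req(struct pkex_session *s,
						  const char *peer_code)
{
	if (!s->exchange_active || s->code[0] == '\0')
		return PKEX_NO_CODE;
	s->exchange_active = 0; /* this exchange ends here either way */
	if (fake_siv_unwrap(s, peer_code))
		return PKEX_OK;
	/* Decryption failure is the likely sign of a code mismatch. Report it;
	 * the exchange is already cleared so a new attempt can be initiated. */
	if (++s->t >= PKEX_MAX_FAILURES) {
		/* Too many failures with this code: treat it as a possible attack,
		 * wipe the code and tell the upper layer to ask for a new one. */
		memset(s->code, 0, sizeof(s->code));
		s->t = 0;
		return PKEX_CODE_DROPPED;
	}
	return PKEX_CODE_MISMATCH;
}

/* Script driver: 'r' = peer used the right code, 'w' = a wrong one. Each
 * character is one exchange attempt. Returns the outcome of the last frame. */
static const char demo_code[] = "correct-horse"; /* constructed */

static enum pkex_result pkex_run(struct pkex_session *s, const char *script)
{
	enum pkex_result last = PKEX_NO_CODE;

	pkex_set_code(s, demo_code);
	for (; *script; script++) {
		if (!pkex_start_exchange(s)) {
			last = PKEX_NO_CODE;
			continue;
		}
		last = pkex_rx_commit_reveal_req(s, *script == 'r' ?
						 demo_code : "wrong-code");
	}
	return last;
}

static enum pkex_result pkex_run_script(const char *script)
{
	struct pkex_session s;
	return pkex_run(&s, script);
}

/* 1 if the code is still usable after the scripted attempts. */
static int pkex_code_valid_after(const char *script)
{
	struct pkex_session s;
	pkex_run(&s, script);
	return s.code[0] != '\0';
}

int main(void)
{
	printf("one wrong attempt: %d (1 = mismatch reported)\n", pkex_run_script("w"));
	printf("five wrong attempts: %d (2 = code dropped)\n", pkex_run_script("wwwww"));
	printf("code valid after four: %d, after five: %d\n",
	       pkex_code_valid_after("wwww"), pkex_code_valid_after("wwwww"));
	return 0;
}
```

Two points worth noticing in the check: a mismatch clears exchange_active before returning, which is the behaviour the "Terminate PKEX exchange" commit adds (previously the session stayed pending and blocked new exchanges), and once the fifth failure wipes the code every further Commit-Reveal Request is ignored rather than decrypted, so an online guessing attack gets at most five tries per code the user enters.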
* DPP: Enable PMF when adding wpa_supplicant network profile
  Author: Jouni Malinen  Date: 2017-11-01  Files: 1  Lines: -1/+3

    DPP AKM should really require PMF to be used, but since that is not yet
    explicitly required in the specification, make PMF enabled for now. For
    legacy PSK cases, configure PMF to be enabled as well to support both APs
    in no-PMF, optional-PMF, and required-PMF configuration.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>