path: root/wpa_supplicant
Commit message | Author | Age | Files | Lines
* wpa_supplicant: Handle port authorized event | Avraham Stern | 3 days | 1 | -5/+16
  When the driver indicates that the connection is authorized (i.e., the 4-way handshake was completed by the driver), cancel the EAP authentication timeout and set the EAP state machine to success state.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* wpa_passphrase: Include $(LIBS) for linking | Arkadiusz Drabczyk | 3 days | 1 | -1/+1
  wpa_passphrase requires libcrypto from OpenSSL (or another selected library). User can set an alternative path to OpenSSL libraries by defining LIBS at the top of .config but if $(LIBS) is not actually used wrong libcrypto is used or compilation fails if there is no libcrypto in the default locations cc is looking for it. It's especially bad for cross-compilers that fail with 'cannot find -lcrypto' message.
  Signed-off-by: Arkadiusz Drabczyk <arkadiusz@drabczyk.org>
* DPP: Do not include common/dpp.h without CONFIG_DPP=y | Jouni Malinen | 3 days | 1 | -0/+2
  This header file pulls in an OpenSSL header file and as such, should not be included without CONFIG_DPP=y to avoid bringing in an unnecessary build dependency on OpenSSL header files.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix a typo in disassoc_low_ack documentation | Jouni Malinen | 3 days | 1 | -1/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add ap_isolate configuration option for wpa_supplicant AP mode | Danilo Ravotto | 3 days | 6 | -2/+26
  Allow client isolation to be configured with ap_isolate inside wpa_supplicant configuration file.
  Signed-off-by: Danilo Ravotto <danilo.ravotto@zirak.it>
* DPP: Use wildcard BSSID in GAS query frames | Jouni Malinen | 10 days | 5 | -11/+14
  Force use of the wildcard BSSID address in GAS query frames with DPP regardless of how the gas_address3 configuration parameter is set. DPP specification mandates this and the use of GAS here is really outside the context of a BSS, so using the wildcard BSSID makes sense even for the corner case of Configurator running on a known AP (where IEEE 802.11 standard would allow the BSSID of the AP to be used).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Fix GAS query removal race condition on DPP_STOP_LISTEN | Jouni Malinen | 13 days | 3 | -0/+26
  If a DPP_STOP_LISTEN call happens to be received when there is a pending gas-query radio work that has not yet been started, it was possible for gas_query_stop() to go through gas_query_done() processing with gas->work == NULL and that ended up with the pending GAS query getting freed without removing the pending radio work that holds a reference to the now freed memory. Fix this by removing the pending non-started radio work for the GAS query in this specific corner case.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: PKEX initiation on other bands | Jouni Malinen | 13 days | 1 | -6/+65
  Add support for wpa_supplicant to try to initiate PKEX on 5 GHz and 60 GHz bands in addition to the previously available 2.4 GHz case. If no response from a peer device is seen on the 2.4 GHz band (channel 6) for the five attempts, try the other PKEX channels (5 GHz channels 44 and 149; and 60 GHz channel 2) if they are supported and allowed for initiating radiation.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Require use of PMF for DPP AKM | Jouni Malinen | 14 days | 1 | -2/+2
  Previously, wpa_supplicant set PMF as optional for the DPP AKM since there was no clear statement about this requirement in the tech spec. Now that this requirement has been added, update the implementation to match. In addition, set ssid->ieee80211w using the actual enum mfp_options values instead of magic constants to make this a bit more readable.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Fix parsing errors on additional config file | Jouni Malinen | 2018-02-04 | 2 | -3/+16
  If the -I<config> argument is used and the referenced configuration file cannot be parsed, wpa_config_read() ended up freeing the main configuration data structure and that resulted in use of freed memory in such an error case. Fix this by not freeing the main config data and handling the error case in the caller.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Free config only if it was allocated in same call | Dmitry Shmidt | 2018-02-04 | 1 | -1/+2
  If option -I:config points to a non-existing file, the previously allocated config must not be freed. Avoid use of freed memory in such an error case by skipping the incorrect freeing operation.
  Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* OWE: Fix association IEs for transition mode open AP connection | Jouni Malinen | 2018-02-04 | 1 | -0/+1
  The special case of returning from wpa_supplicant_set_suites() when OWE transition mode profile is used for an open association did not clear the wpa_ie buffer length properly. This resulted in trying to use corrupted IEs in the association request and failed association (cfg80211 rejects the request or if the request were to go out, the AP would likely reject it).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_cli: Enable add/remove/get vendor elements without P2P | Simon Dinkin | 2018-02-03 | 1 | -2/+3
  This functionality can be used regardless of P2P and should not be under the ifdef of CONFIG_P2P.
  Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
  Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* D-Bus: Report error on starting P2P find | Vasyl Vavrychuk | 2018-02-03 | 1 | -2/+5
  Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
* wpa_cli: Fix cred_fields[] declaration | Jouni Malinen | 2018-02-03 | 1 | -1/+1
  This was supposed to be an array of const-pointers to const-char; not something duplicating const for char and resulting in compiler warnings with more recent gcc versions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Support external authentication offload for driver-SME cases | Sunil Dutt | 2018-02-02 | 6 | -20/+276
  Extend the SME functionality to support the external authentication. External authentication may be used by the drivers that do not define separate commands for authentication and association (~WPA_DRIVER_FLAGS_SME) but rely on wpa_supplicant's SME for the authentication.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-SIM/AKA: Separate identity for MK derivation | Jouni Malinen | 2018-01-21 | 3 | -0/+4
  This allows a separate configuration parameter (imsi_identity) to be used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK derivation for the case where the identity is expected to be from the last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was not used). This may be needed to avoid sending out an unprotected permanent identity information over-the-air and if the EAP-SIM/AKA server ends up using a value based on the real IMSI during the internal key derivation operation (that does not expose the data to others).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Allow station in transition mode to connect to an open BSS | Jouni Malinen | 2018-01-21 | 5 | -1/+38
  If the OWE network profile matches an open network which does not advertise OWE BSS, allow open connection. The new owe_only=1 network profile parameter can be used to disable this transition mode and enforce connection only with OWE networks.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Report reception of Config Request to upper layers | Jouni Malinen | 2018-01-11 | 1 | -0/+2
  This is mainly for protocol testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* GnuTLS: Add option to build with libnettle instead of libgcrypt | Jouni Malinen | 2017-12-29 | 2 | -5/+29
  GnuTLS-based builds can now be done using either libnettle or libgcrypt for crypto functionality:

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=nettle

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=gnutls

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement HMAC functions using libgcrypt | Jouni Malinen | 2017-12-27 | 2 | -0/+20
  Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with the ones from libgcrypt and also add the SHA384 and SHA512 versions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt | Jouni Malinen | 2017-12-27 | 2 | -2/+0
  Replace the internal SHA256 implementation with the one from libgcrypt and also add the SHA384 and SHA512 versions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Try all supported DH groups automatically on STA | Jouni Malinen | 2017-12-27 | 5 | -5/+49
  If a specific DH group for OWE is not set with the owe_group parameter, try all supported DH groups (currently 19, 20, 21) one by one if the AP keeps rejecting groups with the status code 77.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* PAE: Remove OpenSSL header dependency | Jouni Malinen | 2017-12-24 | 1 | -2/+2
  Instead of requiring OpenSSL headers to be available just for the SSL3_RANDOM_SIZE definition, replace that macro with a fixed length (32) to simplify dependencies.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Use abstract crypto API | Sean Parkinson | 2017-12-24 | 2 | -0/+2
  This makes it easier to use EAP-pwd with other crypto libraries than OpenSSL.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* wpa_cli: Add completion for get/set cred commands | Mikael Kanstrup | 2017-12-16 | 1 | -4/+82
  Add command completion support for get_cred and set_cred commands.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
* dbus: Add FILS key mgmt values into BSS security properties | Masashi Honma | 2017-12-16 | 1 | -1/+11
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* FILS: Driver configuration to disable/enable FILS features | vamsi krishna | 2017-12-15 | 4 | -1/+20
  The new disable_fils parameter can be used to disable FILS functionality in the driver. This is currently removing the FILS Capability bit in Extended Capabilities and providing a callback to the driver wrappers. driver_nl80211.c implements this using a QCA vendor specific command for now.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Allow DH Parameters element overriding with driver SME | Jouni Malinen | 2017-12-11 | 1 | -0/+5
  Commit 265bda34441da14249cb22ce8a459cebe8015a55 ('OWE: Allow DH Parameters element to be overridden for testing purposes') provided means for using "VENDOR_ELEM_ADD 13 <IE>" in OWE protocol testing, but that commit covered only the sme.c case (i.e., drivers that use wpa_supplicant SME). Extend this to cover drivers that use internal SME (e.g., use the nl80211 Connect command).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Android: Set CONFIG_NO_RANDOM_POOL=y | Jeff Vander Stoep | 2017-12-09 | 1 | -1/+7
  Wpa_supplicant's random pool is not necessary on Android. Randomness is already provided by the entropymixer service which ensures sufficient entropy is maintained across reboots. Commit b410eb1913 'Initialize /dev/urandom earlier in boot' seeds /dev/urandom with that entropy before either wpa_supplicant or hostapd are run.
  Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
* tests: DPP P-256 test vectors | Jouni Malinen | 2017-12-07 | 1 | -0/+10
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allow protocol key to be overridden for testing purposes | Jouni Malinen | 2017-12-05 | 1 | -0/+11
  This can be used for various testing needs.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Add GCMP-256 and CCMP-256 cipher options on Enrollee | Jouni Malinen | 2017-12-02 | 1 | -0/+10
  If a credential with encp type AES is received, add GCMP-256 and CCMP-256 cipher options on station Enrollee based on local capabilities. This is needed to allow connection with an AP using either of these newer ciphers.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Check BSS table against current BSSID if credential does not match | Jouni Malinen | 2017-12-02 | 1 | -0/+3
  The credential MAC address is not necessarily that of the AP, i.e., it is more likely to be that of the Enrollee. Check the scan results against the current BSSID as well if match is not found otherwise when going through the mixed mode workaround.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Change Authentication Response retry time to 1 second | Jouni Malinen | 2017-12-02 | 1 | -1/+1
  The previously used 10 second timer did not really make much sense since the Initiator is not going to be waiting for the response that long. Change this to 1 second based on the DPP tech spec change.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Extend dpp_test with invalid Transaction ID in Peer Disc Req | Jouni Malinen | 2017-11-30 | 1 | -0/+6
  Allow a Transaction ID attribute with invalid length to be sent for protocol testing purposes.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Call wpas_dpp_stop() from wpas_dpp_deinit() | Jouni Malinen | 2017-11-29 | 1 | -3/+1
  This makes the full DPP deinit operation more consistent with stopping of a single operation. In practice, this adds the new GAS client stopping functionality.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Stop pending GAS client operation on DPP_STOP_LISTEN | Jouni Malinen | 2017-11-29 | 4 | -0/+25
  This makes the operation more complete in stopping all ongoing DPP related functionality.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Deinit PKEX instance on DPP_STOP_LISTEN | Jouni Malinen | 2017-11-29 | 1 | -0/+2
  Previously this stopped only the DPP Authentication instance, but it is better to clear both PKEX and Authentication.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Do not process dpp_auth_ok_on_ack multiple times | Jouni Malinen | 2017-11-27 | 1 | -0/+3
  An additional TX status callback could result in processing the DPP authentication completion another time at least with hostapd. Fix this by clearing the dpp_auth_ok_on_ack when processing it.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Fix compilation without CONFIG_TESTING_OPTIONS=y | Ashok Ponnaiah | 2017-11-27 | 1 | -0/+4
  Add CONFIG_TESTING_OPTIONS ifdef protection to a couple of forgotten DPP test parameters in wpa_supplicant ctrl_iface.
  Signed-off-by: Ashok Ponnaiah <aponnaia@qti.qualcomm.com>
* DPP: Ignore GAS server status callback for unknown response | Jouni Malinen | 2017-11-27 | 1 | -0/+8
  It was possible for a timeout from an old GAS server operation to trigger DPP configuration failure during the subsequent DPP operation. Fix this by verifying that the status callback is for the response generated during the same DPP Authentication/Configuration exchange.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add DPP_CONFIGURATOR_SIGN support to hostapd | Jouni Malinen | 2017-11-27 | 1 | -1/+1
  Configurator signing its own Connector was previously supported only in wpa_supplicant. This commit extends that to hostapd to allow an AP acting as a Configurator to self-configure itself.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allow PKEX x/X and y/Y keypairs to be overridden | Jouni Malinen | 2017-11-23 | 1 | -0/+12
  This is for testing purposes to allow a test vector with specific values to be generated.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allow PKEX own/peer MAC addresses to be overridden | Jouni Malinen | 2017-11-23 | 1 | -0/+8
  This is for testing purposes to allow a test vector with specific values to be generated.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Provide peer_mac to PKEX Initiator through function argument | Jouni Malinen | 2017-11-23 | 1 | -2/+1
  Avoid unnecessary direct write to a struct dpp_pkex member from outside dpp.c.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove compiler warnings about signed/unsigned comparisons | Jouni Malinen | 2017-11-23 | 1 | -1/+1
  These timestamp comparisons did not use matching signedness.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Add wpa_msg_ctrl() to report Probe Request frames from STA | bhagavathi perumal s | 2017-11-23 | 1 | -1/+1
  This allows external applications to get event indication for Probe Request frames. Extend ctrl iface cmd "ATTACH" to enable this event on per-request basis. For example, user has to send ctrl iface cmd "ATTACH probe_rx_events=1" to enable the Probe Request frame events.
  Signed-off-by: bhagavathi perumal s <bperumal@qti.qualcomm.com>
* DPP: Fix number of Authentication Request retry cases | Jouni Malinen | 2017-11-23 | 2 | -24/+65
  Previous implementation did not handle number of sequences correctly. Make sure the iteration continues in both unicast and broadcast cases until the five attempts have been made. In addition, improve timing by checking 10 second time from the beginning of each iteration round and not the last channel on which the Auth Req frame has been transmitted.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Take response wait time into account for init retries | Jouni Malinen | 2017-11-22 | 1 | -1/+11
  Previously, the Authentication Request frame was retried after 2+10 = 12 seconds since the wait for the response was not accounted for. Subtract that wait from the 10 second wait time to start the retries more quickly based on the 10 second timer described in the tech spec.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>