path: root/wpa_supplicant
Commit message (Collapse)AuthorAgeFilesLines
* Add helper functions for parsing RSNXE capabilitiesJouni Malinen6 days3-35/+26
| | | | | | | | Simplify the implementation by using shared functions for parsing the capabilities instead of using various similar but not exactly identical checks throughout the implementation. Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Remove now unused password identifier argument from non-H2E caseJouni Malinen6 days2-2/+0
| | | | | | | | | | | | | IEEE Std 802.11-2020 mandates H2E to be used whenever an SAE password identifier is used. While this was already covered in the implementation, the sae_prepare_commit() function still included an argument for specifying the password identifier since that was used in an old test vector. Now that that test vector has been updated, there is no more need for this argument anymore. Simplify the older non-H2E case to not pass through a pointer to the (not really used) password identifier. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* PASN: Change PASN flows to use SAE H2E onlyIlan Peer6 days1-21/+47
| | | | | | | | Do so for both wpa_supplicant and hostapd. While this was not explicitly required in IEEE P802.11az/D3.0, likely direction for the draft is to start requiring use of H2E for all cases where SAE is used with PASN. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Derive KDK only when requiredIlan Peer6 days2-1/+13
| | | | | | | | | | | When a PTK derivation is done as part of PASN authentication flow, a KDK derivation should be done if and only if the higher layer protocol is supported by both parties. Fix the code accordingly, so KDK would be derived if and only if both sides support Secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* Set last_eapol_matches_bssid=1 on a roam+auth indication from driverSunil Dutt7 days1-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 3ab35a660364 ("Extend EAPOL frames processing workaround for roaming cases") added a work around to address the issue of EAPOL frame reception after reassociation replied to with an incorrect destination address (the BSSID of the old AP). This is due to association events and EAPOL RX events being reordered for the roaming cases with drivers that perform BSS selection internally. This mechanism relies on the fact that the driver always forwards the EAPOL handshake to wpa_supplicant after the roaming (sets last_eapol_matches_bssid during the EAPOL processing and resets on the assoc/reassoc indication). The above approach does not address the case where the driver does the EAPOL handshake on the roam, indicating the authorized status to wpa_supplicant but also forwards the EAPOL handshake to wpa_supplicant for few other roam attempts. This is because the flag last_eapol_matches_bssid is not set with the roam+authorized event from the driver. Thus, the next reorder of roam and EAPOL RX events would miss this workaround. Address this by setting last_eapol_matches_bssid=1 on a roam+authorized event from the driver. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: assoc+auth driver eventJouni Malinen2021-03-281-0/+128
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: IEEE 802.1X and FORCE_UNAUTH stateJouni Malinen2021-03-281-0/+13
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* Flush pending control interface message for an interface to be removedJouni Malinen2021-03-257-20/+66
| | | | | | | | | | | | | | | | | wpa_supplicant_ctrl_iface_deinit() was executed only if the per-interface control interface initialization had been completed. This is not the case if driver initialization fails and that could result in leaving behind references to the freed wpa_s instance in a corner case where control interface messages ended up getting queued. Fix this by calling wpa_supplicant_ctrl_iface_deinit() in all cases to cancel the potential eloop timeout for wpas_ctrl_msg_queue_timeout with the reference to the wpa_s pointer. In addition, flush any pending message from the global queue for this interface since such a message cannot be of use after this and there is no need to leave them in the queue until the global control interface gets deinitialized. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* MSCS: Fix MSCS Response frame Status field parsingJouni Malinen2021-03-221-1/+1
| | | | | | | | This is a 2 octet field, so need to use WPA_GET_LE16() here instead of using only the first octet of the value. Fixes: bbd3178af45b ("MSCS: Add support to process MSCS Response frames") Signed-off-by: Jouni Malinen <j@w1.fi>
* PASN: Use a helper function to free radio work dataJouni Malinen2021-03-211-8/+12
| | | | | | | This is safer in avoiding memory leaks now that there is a dynamically allocated member within the data struct. Signed-off-by: Jouni Malinen <j@w1.fi>
* PASN: Mark pubkey/comeback arguments constant for frame constructionJouni Malinen2021-03-211-1/+1
| | | | | | These parameters are only copied to the frame, so mark them as constant. Signed-off-by: Jouni Malinen <j@w1.fi>
* PASN: Add support for comeback flow to wpa_supplicantIlan Peer2021-03-213-16/+124
| | | | | | | | Process the received comeback cookie and retry automatically if the AP allows this. Otherwise, provide the cookie to upper layers to allow a later attempt with the cookie. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Add support for deauthentication flow in stationIlan Peer2021-03-164-0/+87
| | | | | | | | | The new wpa_supplicant control interface command "PASN_DEAUTH bssid=<BSSID>" can now be used to flush the local PTKSA cache for the specified BSS and to notify the AP to request it to drop its PTKSA as well. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: For testing purposes allow to corrupt MICIlan Peer2021-03-163-0/+12
| | | | | | | For testing purposes, add support for corrupting the MIC in PASN Authentication frames for both wpa_supplicant and hostapd. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Encode the public key properlyIlan Peer2021-03-161-6/+18
| | | | | | | | | | | | When a public key is included in the PASN Parameters element, it should be encoded using the RFC 5480 conventions, and thus the first octet of the Ephemeral Public Key field should indicate whether the public key is compressed and the actual key part starts from the second octet. Fix the implementation to properly adhere to the convention requirements for both wpa_supplicant and hostapd. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* TWT: Allow specifying Control field value in TWT RequestBen Greear2021-03-124-6/+12
| | | | | | | See IEEE P802.11ax/D8.0, Figure 9-687 (Control field format) for details. Signed-off-by: Ben Greear <greearb@candelatech.com>
* wpa_supplicant: Don't process EAPOL frames while disconnectingAndrei Otcheretianski2021-03-121-0/+6
| | | | | | | | | | | | | | | | | | | An EAPOL frame may be pending when wpa_supplicant requests to deauthenticate. At this stage the EAP SM cache is already cleaned by calling eapol_sm_invalidate_cached_session(). Since at this stage the wpa_supplicant's state is still set to associated, the EAPOL frame is processed and results in a crash due to NULL dereference. This wasn't seen previously as nl80211 wouldn't process the NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would set the valid_handler to NULL. This behavior was changed in commit ab89291928fa exposing this race. Fix it by ignoring EAPOL frames while the deauthentication is in progress. Fixes: ab89291928fa ("nl80211: Use process_bss_event() for the nl_connect handler") Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* eapol_test: Add address family for IPv4 in Windows buildStefan Paetow2021-03-121-0/+1
| | | | | | | | | | Add the address family when manually constructing IPv4 addresses in eapol_test on Windows. Otherwise other functions, like hostapd_ip_txt() in src/utils/ip_addr.c, that rely on addr->af being set fail miserably. The non-Windows option uses hostapd_parse_ip_addr() which does this as part of the helper function. Signed-off-by: Stefan Paetow <oss@eons.net>
* TWT: Support sending TWT Setup and Teardown Action framesBen Greear2021-03-076-0/+277
| | | | | | | | | This adds new control interface commands TWT_SETUP and TWT_TEARDOWN. For now, these are only for testing purposes to be able to trigger transmission of the TWT Action frames without configuring any local behavior for TWT in the driver. Signed-off-by: Ben Greear <greearb@candelatech.com>
* Reject authentication start during explicit roam requestsMatthew Wang2021-03-064-0/+28
| | | | | | | | | | | | | | | | | | | The roam D-Bus and ROAM control itnerface commands flip the reassociate bit before calling wpa_supplicant_connect(). wpa_supplicant connect eventually aborts ongoing scans (if any), which causes scan results to be reported. Since the reassociate bit is set, this will trigger a connection attempt based on the aborted scan's scan results and cancel the initial connetion request. This often causes wpa_supplicant to reassociate to the same AP it is currently associated to instead of the explicitly requested roaming target. Add a roam_in_progress flag to indicate that we're currently attempting to roam via an explicitly request to a specific BSS so that we don't initiate another connection attempt based on the possibly received scan results from a scan that was in progress at the time the roam command was received. Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* Fix a memory leak in WPS with ap_scan=2Jouni Malinen2021-02-281-0/+1
| | | | | | | | The wpa_ie buffer is now allocated here and needs to be freed before returning from the function. Fixes: d2ba0d719e2a ("Move assoc param setting into a helper function") Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Simplify code pathsJouni Malinen2021-02-281-5/+3
| | | | | | | Use a shared code path for freeing the wpa_ie buffer to avoid unnecessary complexity with a separate return for the non-FILS case. Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix dynamic EAP library buildingJouni Malinen2021-02-271-63/+100
| | | | | | | | | Build eap_*.so into the wpa_supplicant similarly with the wpa_supplicant binary and include the shared helper functions from additional files into the builds. This got broken at some point with the build system changes. Signed-off-by: Jouni Malinen <j@w1.fi>
* Ignore group-addressed SA Query framesJouni Malinen2021-02-273-3/+9
| | | | | | | | | | | | These frames are used for verifying that a specific SA and protected link is in functional state between two devices. The IEEE 802.11 standard defines only a case that uses individual MAC address as the destination. While there is no explicit rule on the receiver to ignore other cases, it seems safer to make sure group-addressed frames do not end up resulting in undesired behavior. As such, drop such frames instead of interpreting them as valid SA Query Request/Response. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* P2P: Pick a 5 GHz channel from more possible channelsJimmy Chen2021-02-271-2/+24
| | | | | | | | | | | | | | | | | | | For an autonomous P2P group on the 5 GHz band, a channel was picked only from the operating class 115 which is not available in the EU region anymore. As a result, an autonomous group creation would always fail in this generic 5 GHz channel case. There are more possible available channels for the 5 GHz currently. Especially in the EU region, the operating class 115 channels are no longer available, but SRD channels (the operating class 124) are available. Allow them to be used here if they are marked as allowed for P2P GO use. In addition, iterate through all the potential options instead of just checking the first randomly picked channel. Start this iteration from random position to maintain some randomness in this process. Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
* TDLS: Support TDLS operations in HE modeSreeramya Soratkal2021-02-261-0/+4
| | | | | | | | Determine if the TDLS peer is HE capable based on HE Capability element received in the TDLS Setup Response frame. Indicate the peer's HE capabilities to the driver through sta_add(). Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
* Restore permanent MAC address on the FLUSH commandJouni Malinen2021-02-213-11/+22
| | | | | | | Clear previously used random MAC address on the FLUSH command if mac_addr setting has been disabled. Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP2: Accept Config Result before GAS response TX statusJouni Malinen2021-02-211-4/+19
| | | | | | | | | | | | | | The TX event for the next frame in the sequence might be received before the TX status for the final GAS response frame is processed. This used to result in the Config Result getting discarded and the negotiation not completing successfully on the Configurator side. Accept the Config Result message as an indication of the final GAS response frame having went through fine even if the TX status has not yet been processed to avoid this issue from a potential race condition on kernel events. Signed-off-by: Jouni Malinen <j@w1.fi>
* Avoid use of C++ keyword in a header fileJouni Malinen2021-02-213-8/+9
| | | | | | | | Don't use 'protected' as the name of the variable in bss.h since this might be used in control interfaces that use C++. Fixes: 1c77f3d3f9a3 ("Indicate whether additional ANQP elements were protected") Signed-off-by: Jouni Malinen <j@w1.fi>
* PASN: Correctly set RSNXE bits from STAIlan Peer2021-02-191-3/+3
| | | | | | | | | These defines are for the capability bit number, not the binary value from the bit index. As such, need to use BIT() here to set the bitmap appropriately. Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* wpa_supplicant: Fix potential memleak on an error pathAndrei Otcheretianski2021-02-191-0/+1
| | | | | | | extra_buf allocation was missed in one of the error cases. Fixes: 170775232d61 ("ANQP: Add support to specify frequency in ANQP_GET command") Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* Show OCV and beacon protection capabilities in control interfaceVeerendranath Jakkam2021-02-151-0/+25
| | | | | | | Indicate local support for Operating Channel Validation (OCV) and beacon protection. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* STA: Check driver capability to enable OCV when driver SME is usedVeerendranath Jakkam2021-02-152-2/+5
| | | | | | | | | | | | | When the driver SME is used, offloaded RSN handshakes like SA Query, GTK rekeying, FT authentication, etc. would fail if wpa_supplicant enables OCV in initial connection based on configuration but the driver doesn't support OCV. To avoid such failures check the driver's capability for enabling OCV when the driver SME used. This commit also adds a capability flag for indicating OCV support by the driver. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* Clean up RSN parameter setting for PASNJouni Malinen2021-02-151-3/+4
| | | | | | | | Set conf.force_kdk_derivation within the same if block as all the other parameters. This is used only if ssid is not NULL, so no need to have any special handling for this parameter. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Enable beacon protection only when driver indicates supportVeerendranath Jakkam2021-02-152-3/+9
| | | | | | | | | | | Enabling beacon protection will cause STA connection/AP setup failures if the driver doesn't support beacon protection. To avoid this, check the driver capability before enabling beacon protection. This commit also adds a capability flag to indicate beacon protection support in client mode only. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* Update sgml to generate reproducible manpagesHu Keping2021-02-158-0/+32
| | | | | | | | | | | | | | Prior to this patch, we failed to recreate bit-by-bit identical copies of wpa_supplicant because it doesn't generate reproducible manpages. Since the latest version(0.6.14-3 or new) of docbook-utils have already support getting the date from sgml file [1], it is possible to make some progress on the "reproducible builds" effort [2]. [1]: https://sources.debian.org/patches/docbook-utils/0.6.14-3 [2]: https://reproducible-builds.org Signed-off-by: Hu Keping <hukeping@huawei.com>
* ext_password: Implement new file-based backendPatrick Steinhardt2021-02-154-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was not easily possible to separate configuration of an interface and credentials when using the configuration file instead of the control interface or D-Bus interface for setting up the network profiles. This makes it hard to distribute configuration across a set of nodes which use wpa_supplicant without also having to store credentials in the same file. While this can be solved via scripting, having a native way to achieve this would be preferable. Turns out there already is a framework to have external password storages. It only had a single "test" backend though, which is kind of an in-memory store which gets initialized with all passwords up front and is mainly for testing purposes. This isn't really suitable for the above use case: the backend cannot be initialized as part of the central configuration given that it needs the credentials, and we want to avoid scripting. This commit thus extends the infrastructure to implement a new backend, which instead uses a simple configuration file containing key-value pairs. The file follows the format which wpa_supplicant.conf(5) uses: empty lines and comments are ignored, while passwords can be specified with simple `password-name=password-value` assignments. With this new backend, splitting up credentials and configuration becomes trivial: # /etc/wpa_supplicant/wpa_supplicant.conf ext_password_backend=file:/etc/wpa_supplicant/psk.conf network={ ssid="foobar" psk=ext:foobar } # /etc/wpa_supplicant/psk.conf foobar=ecdabff9c80632ec6fcffc4a8875e95d45cf93376d3b99da6881298853dc686b Alternative approaches would be to support including other configuration files in the main configuration, such that common configuration and network declarations including credentials are split up into separate files. But the implementation would probably have been more complex compared to reusing the already-existing framework for external password backends. Signed-off-by: Patrick Steinhardt <ps@pks.im>
* wpa_supplicant: Move wpa_config_get_line() into utilsPatrick Steinhardt2021-02-156-99/+15
| | | | | | | | | | | | The function wpa_config_get_line() is used by the wpa_supplicant config file parser to retrieve the next non-comment non-blank line. We'll need the same kind of functionality to implement the file-based external password backend, so as a preparatory step this commit extracts the function into its own standalone file in the utils package. No functional changes are expected from this commit. Signed-off-by: Patrick Steinhardt <ps@pks.im>
* P2P: Clear unexpected HT40 configuration on 2.4 GHz bandJouni Malinen2021-02-141-0/+10
| | | | | | | | | | | | Number of the P2P+NFC test cases have been failing every now and then and those failures seemed to be because of having somehow managed to select the GO's operating channel as HT40+ on the channel 11 in the 2.4 GHz band, i.e., something that is clearly incorrect. The P2P check for HT40 secondary channel is supported only on the 5 GHz band, so drop HT40 configuration if it shows up unexpectedly on the 2.4 GHz band to avoid issues in GO being able to start. Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Don't exit scanning state on config reloadMichal Kazior2021-02-131-1/+7
| | | | | | | | | | | | | | | | | | There's a chance that prior to config reload being requested a scan work was started. As such forcing wpa_supplicant to WPA_DISCONNECTED was removing any hints that the actual driver is busy with work. That led to wpa_supplicant reporting "Failed to initialize AP scan" over and over again for a few seconds (depending on driver/capabilities) until the untracked scan finished. Cancelling a scan isn't really a solution because there's a bunch of scanning state bits sprinkled across wpa_supplicant structure and they get updated as driver events actually flow in in async manner. As far as I can tell this is only preventing unnecessary warning messages. This doesn't seem like it was crippling any logic per se. Signed-off-by: Michal Kazior <michal@plume.com>
* DPP2: Defer chirp scan if other scan is queued upMichal Kazior2021-02-131-0/+11
| | | | | | | | | | | | | | | | The chirp scan could override the scan_res_handler. This could lead to wpa_supplicant getting stuck in a scanning state while not scanning at all until forced to, e.g., via an explicit SCAN control command. The condition for trigerring this problem in my testing was when (interface_count % 3) == 2. This introduced a two second delay before actual scan was triggered after starting the wpa_supplicant instance up. If DPP chirping was requested fast enough, in between the queueing and triggering, it would punt the scan request, never to be resumed again. Chirp scan handler wouldn't resume it leaving wpa_supplicant inadvertently idle. Signed-off-by: Michal Kazior <michal@plume.com>
* mesh: Assign channel in frequency params in all bandsPradeep Kumar Chitrapu2021-02-091-0/+2
| | | | | | | | Previously, the channel number was set in hostapd_freq_params only with the presence of HT capabilities. Set the channel number before the check for HT mode to accommodate the 6 GHz band cases. Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
* DPP: Expose config object PSK/passphrase in wpa_supplicantMichal Kazior2021-02-091-0/+15
| | | | | | | | | hostapd was already exposing this. There's no reason not to expose it in wpa_supplicant. This allows 3rd party apps interacting with the control interface to handle DPP events to get configs instead of needing to dance around with update_config=1 and SAVE_CONFIG. Signed-off-by: Michal Kazior <michal@plume.com>
* DPP: Expose config object AKM in wpa_supplicant control interfaceMichal Kazior2021-02-091-0/+2
| | | | | | | | | hostapd was already exposing this. There's no reason not to expose it in wpa_supplicant. This allows 3rd party apps interacting with the control interface to handle DPP events to get configs instead of needing to dance around with update_config=1 and SAVE_CONFIG. Signed-off-by: Michal Kazior <michal@plume.com>
* DPP2: Fix Authentication Request destination in the chirping caseJouni Malinen2021-02-091-3/+6
| | | | | | | | | | | The Authentication Request frames triggered by the reception of a Presence Announcement frame were sent to the broadcast address. This is not correct behavior since the source MAC address of the Presence Announcement frame was supposed to override the Responder MAC address. Fix this by using that source MAC address to avoid unnecessary use of broadcast frames. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix compiler warning on CONFIG_AP without CONFIG_P2P buildsJouni Malinen2021-02-071-0/+2
| | | | | | | | | The static function is_chanwidth160_supported() is called only within CONFIG_P2P block so the function itself needs to have matching condition for build. Fixes: ed24bad1d98d ("AP: Check driver support while auto-selecting bandwidth for AP/P2P GO") Signed-off-by: Jouni Malinen <j@w1.fi>
* Update Visual Studio projects to match file renamingJouni Malinen2021-02-073-3/+3
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename blacklist.[ch] to bssid_ignore.[ch]Jouni Malinen2021-02-0711-10/+10
| | | | | | | This completes renaming of this functionality for a list of temporarily ignored BSSIDs. Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename wpa_blacklist to wpa_bssid_ignoreJouni Malinen2021-02-0710-163/+165
| | | | | | | This is more accurate name for this functionality of temporarily ignoring BSSIDs. Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename INTERWORKING_BLACKLISTED defineJouni Malinen2021-02-071-1/+1
| | | | | | | | Use more accurate INTERWORKING_EXCLUDED for this. The actual event prefix is not changed to remains compatible with external components using this control interface event message. Signed-off-by: Jouni Malinen <j@w1.fi>