path: root/wpa_supplicant
Commit message | Author | Age | Files | Lines
* Provide more details of WPA3 modes in wpa_supplicant.conf (Jouni Malinen, 2018-08-01, files: 1, lines: -1/+4)
  Clarify that proto=RSN is used for WPA3 and add the WPA3-Personal name for SAE and include OWE as a possible key_mgmt value.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* P2P: Use more compact debug print of common group frequencies (Jouni Malinen, 2018-06-15, files: 1, lines: -5/+14)
  Print the list of frequencies on a single line instead of one line per frequency.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* P2P: Improve common group channel selection if GO needs to be moved (Jouni Malinen, 2018-06-15, files: 1, lines: -0/+87)
  Prefer channels that support VHT80 (and secondarily, HT40 on the same band) over other common group channels. If no such channel is found, prefer any channel that uses the same band so that CSA can be used.
  This improves the case where a P2P GO needs to move to another channel and there is no other reason (e.g., preferred channel from the driver or an already used channel from a virtual interface sharing the same radio) to pick a specific channel.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* P2P/AP: More detailed debug prints on HT/VHT parameter selection (Jouni Malinen, 2018-06-15, files: 1, lines: -3/+45)
  This makes it easier to debug why wpa_supplicant selects particular HT/VHT parameters for AP/P2P GO mode.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Fix potential NULL pointer dereference in MDE addition (Jouni Malinen, 2018-06-05, files: 1, lines: -1/+1)
  The bss variable in this function might be NULL, so make the FT MDE addition case conditional on a BSS entry being available.
  Fixes: 3dc3afe298f0 ("FT: Add MDE to assoc request IEs in connect params")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Add key management value FT-EAP-SHA384 for wpa_supplicant (Jouni Malinen, 2018-06-05, files: 2, lines: -1/+19)
  This allows wpa_supplicant to be configured to use the SHA384-based FT AKM.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Connection settings for SHA384-based AKM (Jouni Malinen, 2018-06-05, files: 1, lines: -1/+14)
  Extend wpa_supplicant to allow SHA384-based FT AKM to be selected for a connection.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Fix parsing of max_oper_chwidth (Sven Eckelmann, 2018-05-31, files: 1, lines: -1/+1)
  The max_oper_chwidth is parsed in wpa_config_set as INT_RANGE (see ssid_fields). The actual parsing for INT_RANGE is done by wpa_config_parse_int which can only store the result as a full integer. max_oper_chwidth is stored as u8 (a single byte) in wpa_ssid.
  This means that on little endian systems, the least significant byte of the parsed value is really stored in the max_oper_chwidth. But on big endian systems, only the most significant byte is stored as max_oper_chwidth. This means that 0 is always stored because the provided range doesn't allow any other value for systems with multi-byte-wide integers.
  This also means that for common systems with 4-byte-wide integers, the remaining 3 bytes were written after the actual member of the struct. This should not have influenced the behavior of succeeding members because these bytes would have been part of the padding between the members on most systems.
  Increasing its size to a full int fixes the write operations outside of the member and allows the use of the max_oper_chwidth setting on big endian systems.
  Fixes: 0f29bc68d18e ("IBSS/mesh: Add support for VHT80P80 configuration")
  Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
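The size mismatch described in the commit above, reproduced as an added example (this is illustration code, not hostap's own source). The two structs are constructed stand-ins for the relevant corner of struct wpa_ssid, the generic parser mirrors what an offset-based INT_RANGE handler does (store a full int at the member's offset, without knowing the member's size), and the 0..3 value range is an assumption for the demonstration. Running it shows the pre-fix u8 field receiving the low byte on little-endian hosts and 0 on big-endian hosts, with the bytes after the member clobbered in both cases, while the int field behaves correctly.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the pre-fix layout: the member is one byte wide. */
struct ssid_before_fix {
	unsigned char max_oper_chwidth; /* u8, as in the pre-fix struct */
	unsigned char canary[3];        /* the bytes that follow the member */
	int next_member;
};

/* Constructed stand-in for the fixed layout: the member is a full int. */
struct ssid_after_fix {
	int max_oper_chwidth;
	int next_member;
};

/*
 * Generic INT_RANGE handler modelled on an offset-table parser: it knows the
 * member's offset but not its size, so after the range check it always
 * stores sizeof(int) bytes. memcpy() instead of a pointer cast keeps the
 * demonstration free of alignment and strict-aliasing issues.
 */
static int parse_int_range(void *base, size_t offset, const char *value,
			   int min, int max)
{
	char *end;
	long v = strtol(value, &end, 10);
	int iv;

	if (*value == '\0' || *end != '\0' || v < min || v > max)
		return -1;
	iv = (int) v;
	memcpy((unsigned char *) base + offset, &iv, sizeof(iv));
	return 0;
}

/* 1 on little-endian hosts, 0 on big-endian hosts. */
int host_is_little_endian(void)
{
	unsigned int one = 1;
	unsigned char first;

	memcpy(&first, &one, 1);
	return first == 1;
}

/*
 * Parse 'value' into the u8 member and report what it holds afterwards.
 * canary_out receives the three bytes that followed the member (preset to
 * 0xAA) so the caller can observe the out-of-member write. Returns -1 if the
 * range check rejected the value.
 */
int before_fix_stored(const char *value, unsigned char canary_out[3])
{
	struct ssid_before_fix s;

	memset(&s, 0, sizeof(s));
	memset(s.canary, 0xAA, sizeof(s.canary));
	if (parse_int_range(&s, offsetof(struct ssid_before_fix, max_oper_chwidth),
			    value, 0, 3) < 0)
		return -1;
	memcpy(canary_out, s.canary, sizeof(s.canary));
	return s.max_oper_chwidth;
}

/* Same parse against the fixed layout: the int write lands inside the member. */
int after_fix_stored(const char *value)
{
	struct ssid_after_fix s;

	memset(&s, 0, sizeof(s));
	if (parse_int_range(&s, offsetof(struct ssid_after_fix, max_oper_chwidth),
			    value, 0, 3) < 0)
		return -1;
	return s.max_oper_chwidth;
}

int main(void)
{
	unsigned char canary[3];
	int v = before_fix_stored("3", canary);

	printf("host is %s-endian\n", host_is_little_endian() ? "little" : "big");
	printf("before fix: field=%d, following bytes=%02x %02x %02x\n",
	       v, canary[0], canary[1], canary[2]);
	printf("after fix:  field=%d\n", after_fix_stored("3"));
	return 0;
}
```

The canary bytes make the defect visible even on the little-endian machines where the stored value happens to look right; that is the case the commit warns about, since the overwrite only stayed harmless because those bytes were padding.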
* mesh: Fix crash with CONFIG_TAXONOMY enabled (Felix Fietkau, 2018-05-31, files: 1, lines: -1/+1)
  wpa_s->ifmsh needs to be allocated using hostapd_alloc_iface() instead of a direct call to os_zalloc(), otherwise the linked list for station taxonomy items remains uninitialized, leading to a crash on the first attempt to traverse that list.
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* HS 2.0: Allow OSEN connection to be used in an RSN BSS (Jouni Malinen, 2018-05-29, files: 2, lines: -4/+17)
  This allows a single BSS/SSID to be used for both data connection and OSU. In wpa_supplicant configuration, the current proto=OSEN key_mgmt=OSEN combination is now allowing both the old separate OSEN BSS/IE and the new RSN-OSEN to be used.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Disable PMKSA caching with FT (Jouni Malinen, 2018-05-21, files: 1, lines: -0/+7)
  PMKSA caching with FT is not fully functional, so disable the case for now, so that wpa_supplicant does not end up trying to connect with a PMKSA cache entry from another AKM. FT-EAP was already modified a long time ago to not add PMKSA cache entries itself.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Add support for using the optional Password Identifier (Jouni Malinen, 2018-05-19, files: 7, lines: -1/+38)
  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0.
  The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* mesh: Register msg_ctx for hostapd/AP code (Jouni Malinen, 2018-05-19, files: 1, lines: -0/+1)
  The use of hostapd code for a mesh interface did not register hapd->msg_ctx. This needs to be done similarly to the existing cases in wpa_supplicant AP and IBSS mode uses so that wpa_msg() calls from the hostapd/AP code get delivered properly.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Mark connection failed in the unlikely no-bss-entry case (Jouni Malinen, 2018-05-16, files: 1, lines: -1/+4)
  If no BSS entry can be found when processing association rejected event from the driver for the special OWE case of unsupported finite-cyclic-group, process the event as a connection failure instead of just skipping the OWE retry with another DH group.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Move wpa_supplicant_event() EVENT_ASSOC_REJECT handling into a function (Jouni Malinen, 2018-05-16, files: 1, lines: -78/+82)
  This cleans up the implementation a bit by making this functionality easier to understand.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Get the bss from bssid of assoc_reject to try for next group (Srinivas Dasari, 2018-05-15, files: 1, lines: -0/+9)
  On an assoc_reject from the BSS with the status=77, a connection attempt with the next supported group happens. The BSS considered here is from current_bss which may be NULL at this point of time with SME-in-driver case. Address this by getting the BSS from the bssid obtained in association reject indication and skip the step if no BSS entry can be found.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Flush PMKSA if an assoc reject without timeout is received (Srinivas Dasari, 2018-05-15, files: 1, lines: -0/+12)
  Flush the PMKSA upon receiving association reject event without timeout in the event data in SME-in-driver case to avoid trying to use the old PMKSA entry in subsequent connection attempts. Do not flush PMKSA if association reject is received with timeout as it is generated internally from the driver without reaching the AP.
  This is similar to the SME-in-wpa_supplicant case that was already addressed within sme_event_assoc_reject().
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Silence a gcc warning on switch statement fallthrough (Jouni Malinen, 2018-05-15, files: 1, lines: -0/+1)
  Add an explicit comment noting a previously undocumented fallthrough to not trigger an implicit-fallthrough warning.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Silence new gcc warnings on switch statement fallthroughs (Jouni Malinen, 2018-05-15, files: 1, lines: -1/+1)
  Reword the comments to make gcc 8.1 recognize these as designed cases and not trigger implicit-fallthrough warnings.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Clear SME FT data on disassoc (Ahmad Masri, 2018-05-04, files: 1, lines: -1/+1)
  SME ft_used flag is sometimes not cleared on disassoc. For example, after initial FT connection, ft_used is set while ft_ies stays NULL. Later on, upon disassoc, sme_update_ft_ies() is not invoked and ft_used is not cleared. Fix this by invoking sme_update_ft_ies() also in case ft_used is set.
  This is needed to fix an issue with drivers that use nl80211 Connect API with FT and expect NL80211_AUTHTYPE_OPEN to be specified in the Connect command for the initial mobility domain association.
  Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* wpa_supplicant: Make channel switch event available for non-AP builds (Bhagavathi Perumal S, 2018-05-04, files: 1, lines: -0/+4)
  This allows the user to get channel switch indication in station mode even if wpa_supplicant is built without CONFIG_AP=y.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
* wpa_supplicant: Add ieee80211ac information in STATUS (Bhagavathi Perumal S, 2018-05-04, files: 3, lines: -0/+13)
  This allows the user to get the current operating mode of the station.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
* wolfSSL: Fix EAP-FAST key derivation (Sean Parkinson, 2018-05-02, files: 1, lines: -0/+1)
  Implement tls_connection_get_eap_fast_key() using cryptographic primitives as wolfSSL implements a different spec.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled (Jouni Malinen, 2018-05-01, files: 1, lines: -0/+2)
  This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_cli: Indicate HS20-T-C-ACCEPTANCE to action scripts (Jouni Malinen, 2018-04-29, files: 1, lines: -0/+2)
  This can be used to start a web browser to go through Terms and Conditions acknowledgment.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DFS: Mark channels required DFS based on reg-domain info from the driver (mazumdar, 2018-04-23, files: 2, lines: -6/+11)
  Mark a channel as required DFS based on regulatory information received from the driver/kernel rather than deciding based on hardcoded boundaries on the frequency. Previously, a few channels were being marked as requiring DFS even though they were non-DFS in a particular country.
  If the driver does not provide channel list information, fall back to the previously used frequency-based determination.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Process received Terms and Conditions Acceptance notification (Jouni Malinen, 2018-04-23, files: 3, lines: -0/+39)
  Extend wpa_supplicant WNM-Notification RX handling to parse and process received Terms and Conditions Acceptance notifications. If PMF is enabled for the association, this frame results in control interface indication (HS20-T-C-ACCEPTANCE <URL>) to get upper layers to guide the user through the required acceptance steps.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Do not remove CCMP group cipher if any CCMP/GCMP cipher is enabled (Jouni Malinen, 2018-04-23, files: 1, lines: -2/+3)
  CCMP group cipher was removed if CCMP was not allowed as a pairwise cipher when loading a configuration file (but not actually when changing configuration during runtime). This is needed to avoid issues with configurations that use the default group cipher (TKIP CCMP) while modifying pairwise cipher from the default (CCMP TKIP) to TKIP. However, there is not really a need to remove the CCMP group cipher if any GCMP or CCMP cipher is enabled as a pairwise cipher.
  Change the network profile validation routine to not remove CCMP as group cipher if CCMP-256, GCMP, or GCMP-256 is enabled as a pairwise cipher even if CCMP is not.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Handle AP initialization failure in async flow (Tova Mussai, 2018-04-19, files: 1, lines: -0/+7)
  When AP initialization is completed in a callback (e.g., OBSS scan), wpa_supplicant_deinit_ap() is not called in case of failure. Fix this by calling setup_complete_cb in case of failure, too, which in turn calls wpa_supplicant_deinit_ap() if needed.
  Signed-off-by: Tova Mussai <tova.mussai@intel.com>
* FT: Add FT auth algorithm to connect params when roaming (Ahmad Masri, 2018-04-19, files: 1, lines: -1/+11)
  Add WPA FT auth to connect params in case of a re-connection to ESS supporting FT when FT was used in the first connect.
  Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* FT: Add MDE to assoc request IEs in connect params (Ahmad Masri, 2018-04-19, files: 1, lines: -0/+23)
  Add MDE (mobility domain element) to Association Request frame IEs in the driver assoc params. wpa_supplicant will add MDE only if the network profile allows FT, the selected AP supports FT, and the mobility domain ID matches.
  Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* Make CENTER_FRQ1 available independently in SIGNAL_POLL (Bhagavathi Perumal S, 2018-04-19, files: 1, lines: -4/+11)
  This allows the user to get the center frequency and find the secondary channel offset.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
* HS 2.0: Add Roaming Consortium Selection element into AssocReq (Jouni Malinen, 2018-04-17, files: 4, lines: -2/+22)
  This makes wpa_supplicant add Hotspot 2.0 Roaming Consortium Selection element into (Re)Association Request frames if the network profile includes roaming_consortium_selection parameter.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add Roaming Consortium Selection network profile parameter (Jouni Malinen, 2018-04-17, files: 6, lines: -1/+48)
  This adds new roaming_consortium_selection network profile parameter into wpa_supplicant. This is used to store the OI that was used for network selection (INTERWORKING_SELECT) based on matching against the Roaming Consortium OIs advertised by the AP. This can also be used when using an external component to perform selection.
  This commit adds the network profile parameter, but does not yet include it in (Re)Association Request frames.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Use roaming_consortiums list to match OIs for access (Jouni Malinen, 2018-04-17, files: 1, lines: -9/+29)
  This extends Hotspot 2.0 credential matching to consider the roaming_consortiums parameter when determining whether the cred block matches the information advertised by an AP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add a new cred block parameter roaming_consortiums (Jouni Malinen, 2018-04-17, files: 5, lines: -0/+144)
  This new string parameter contains a comma delimited list of OIs (hexdump) in a string. This is used to store Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI.
  This commit includes the configuration changes to parse and write the parameter. The actual values are not yet used in Interworking network selection.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Document credential parameter required_roaming_consortium (Jouni Malinen, 2018-04-17, files: 3, lines: -0/+21)
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add fetching of Operator Icon Metadata ANQP-element (Jouni Malinen, 2018-04-17, files: 4, lines: -0/+15)
  This extends wpa_supplicant Hotspot 2.0 ANQP routines to allow the Operator Icon Metadata ANQP-element to be fetched with "ANQP_GET <bssid> hs20:12". The result is available in the new hs20_operator_icon_metadata entry in the "BSS <bssid>" output.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Increase authentication timeout if CAC is started (Dmitry Lebed, 2018-04-15, files: 3, lines: -10/+108)
  Timeout is increased by dfs_cac_ms from channel data, or by max CAC time (10 minutes) if dfs_cac_ms is not defined. This is needed for some more complex cases, e.g., when STA is acting as an active slave with DFS offload enabled and decided to start CAC after receiving CONNECT command, in such a case the 10 second timeout is too small and wpa_supplicant needs to wait for CAC completion or CAC timeout (up to 10 minutes).
  Without such timeout modification wpa_supplicant will be unable to connect to an AP on DFS channel, since the default authentication timeout (10 s) is smaller than the minimum CAC time (60 s).
  Tested with nl80211 DFS offload implementation.
  Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* wpa_supplicant: Rename wpas_event_*() to wpas_ap_event_*() (Dmitry Lebed, 2018-04-15, files: 3, lines: -25/+26)
  Rename DFS event handling functions, since they are located in ap.c and refer to AP-mode only. Needed to add some STA-mode DFS event handling.
  Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* Fix sae_password documentation in wpa_supplicant to refer correct field (Jouni Malinen, 2018-04-13, files: 1, lines: -3/+3)
  sae_password replaces the psk parameter, not passphrase, in wpa_supplicant.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Properly handle sae_password (Daniel Golle, 2018-04-13, files: 1, lines: -3/+7)
  The recently introduced sae_password parameter was only handled properly in wpa_supplicant/sme.c while wpa_supplicant/mesh.c assumed that ssid->passphrase exclusively holds the secret. Import the logic from sme.c to mesh.c to allow having only sae_password set which otherwise throws this error:
    AP-ENABLED
    mesh: Passphrase for SAE not configured
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* SAE: Only allow SAE AKMP for PMKSA caching attempts (Jouni Malinen, 2018-04-09, files: 4, lines: -8/+9)
  Explicitly check the PMKSA cache entry to have matching SAE AKMP when determining whether to use PMKSA caching instead of new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so the AKMP should be checked as well.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Fix default PMK configuration for PMKSA caching case (Jouni Malinen, 2018-04-09, files: 2, lines: -4/+12)
  The RSN supplicant state machine PMK was set based on WPA PSK even for the cases where SAE would be used. If the AP allows PMKSA caching to be used with SAE, but does not indicate the selected PMKID explicitly in EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of SAE PMK.
  Fix this by not setting the WPA-PSK as default PMK for SAE network profiles and instead, configuring the PMK explicitly from the found PMKSA cache entry.
  Signed-off-by: Jouni Malinen <j@w1.fi>
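The two SAE/PMKSA commits above describe the same hazard from two sides: a profile that allows both WPA-PSK and SAE can end up feeding a PSK-derived PMK into an SAE association unless the cache lookup also matches on the AKM. The following is an added example, not hostap's own PMKSA cache code: a minimal cache with a lookup that filters on BSSID, network context and AKM, plus a constructed scenario (arbitrary BSSID, all-0x11 PSK, stand-in AKM constants) that contrasts the pre-fix network-context-only lookup with the fixed one. Passing akmp == 0 to the lookup reproduces the old behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ALEN 6
#define PMK_LEN 32

/* Stand-ins for the key management identifiers; the values are arbitrary. */
enum akmp {
	AKMP_PSK = 1 << 0, /* WPA2-Personal: the PMK is the PSK itself */
	AKMP_SAE = 1 << 1, /* WPA3-Personal: the PMK comes from the SAE exchange */
};

struct pmksa_entry {
	unsigned char bssid[ETH_ALEN];
	unsigned char pmk[PMK_LEN];
	void *network_ctx; /* which network profile created this entry */
	int akmp;          /* which AKM produced the PMK */
	struct pmksa_entry *next;
};

struct pmksa_cache {
	struct pmksa_entry *head;
};

static int pmksa_add(struct pmksa_cache *c, const unsigned char *bssid,
		     const unsigned char *pmk, void *network_ctx, int akmp)
{
	struct pmksa_entry *e = calloc(1, sizeof(*e));

	if (!e)
		return -1;
	memcpy(e->bssid, bssid, ETH_ALEN);
	memcpy(e->pmk, pmk, PMK_LEN);
	e->network_ctx = network_ctx;
	e->akmp = akmp;
	e->next = c->head;
	c->head = e;
	return 0;
}

/*
 * An entry is reusable only if BSSID, network context and AKM all match.
 * akmp == 0 skips the AKM check and reproduces the pre-fix behaviour.
 */
struct pmksa_entry *pmksa_get(struct pmksa_cache *c, const unsigned char *bssid,
			      void *network_ctx, int akmp)
{
	struct pmksa_entry *e;

	for (e = c->head; e; e = e->next) {
		if (memcmp(e->bssid, bssid, ETH_ALEN) != 0)
			continue;
		if (network_ctx && e->network_ctx != network_ctx)
			continue;
		if (akmp && !(e->akmp & akmp))
			continue;
		return e;
	}
	return NULL;
}

static void pmksa_free(struct pmksa_cache *c)
{
	while (c->head) {
		struct pmksa_entry *e = c->head;
		c->head = e->next;
		free(e);
	}
}

/*
 * Constructed scenario: one profile allows WPA-PSK and SAE, an earlier WPA2-PSK
 * association cached a PMK (= the PSK) for the AP, and the station now wants
 * SAE with the same AP. Returns 1 if the lookup would hand the PSK-derived
 * entry to SAE, 0 if it correctly forces a fresh SAE authentication.
 */
int sae_reuses_psk_entry(int check_akmp)
{
	static const unsigned char bssid[ETH_ALEN] = { 0x02, 0, 0, 0, 0, 0x01 };
	unsigned char psk[PMK_LEN];
	int profile = 0; /* its address serves as the network context */
	struct pmksa_cache cache = { NULL };
	int reused;

	memset(psk, 0x11, sizeof(psk)); /* constructed PSK, not a real key */
	if (pmksa_add(&cache, bssid, psk, &profile, AKMP_PSK) < 0)
		return -1;
	reused = pmksa_get(&cache, bssid, &profile, check_akmp ? AKMP_SAE : 0) != NULL;
	pmksa_free(&cache);
	return reused;
}

int main(void)
{
	printf("pre-fix lookup reuses PSK entry for SAE: %d\n", sae_reuses_psk_entry(0));
	printf("fixed lookup reuses PSK entry for SAE:   %d\n", sae_reuses_psk_entry(1));
	return 0;
}
```

The second commit's point follows from the same structure: once the lookup is AKM-aware, the PMK handed to the supplicant state machine for an SAE profile must come from the matching cache entry, never from the profile's PSK as a default.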
* Add more debug prints for wpa_sm_set_pmk() calls (Jouni Malinen, 2018-04-08, files: 1, lines: -0/+5)
  A couple of these were not preceded by wpa_hexdump_key(PSK) which made it more difficult to interpret the debug log.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211R_AP=y build option from wpa_supplicant (Jouni Malinen, 2018-04-02, files: 4, lines: -24/+0)
  There is no existing mechanism for setting up AP mode functionality with FT enabled, so there is not really much point in having a build option for trying to include the AP-to-AP FT functionality into wpa_supplicant either. Since this build option results in failures to complete the build, simply remove it completely. This can be restored if there is ever desire to enable FT functionality in wpa_supplicant controlled AP mode.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Don't reply to EAPOL if pkt_type is PACKET_OTHERHOST (Davide Caratti, 2018-04-02, files: 1, lines: -0/+5)
  When wpa_supplicant is running on a Linux interface that is configured in promiscuous mode, and it is not a member of a bridge, incoming EAPOL packets are processed regardless of the Destination Address in the frame. As a consequence, there are situations where wpa_supplicant replies to EAPOL packets that are not destined for it. This behavior seems undesired (see IEEE Std 802.1X-2010, 11.4.a), and can be avoided by attaching a BPF filter that lets the kernel discard packets having pkt_type equal to PACKET_OTHERHOST.
  Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
* Clean up setting of iface->p2p_mgmt flag (Vasyl Vavrychuk, 2018-04-02, files: 1, lines: -9/+6)
  Previously we set this flag to one in wpa_supplicant_init_iface() if Wi-Fi controller does not have a dedicated P2P-interface. This setting had effect only in scope of wpa_supplicant_init_iface() and it contradicts with comment to struct wpa_interface::p2p_mgmt field. This comment says that this flag is used only if Wi-Fi controller has dedicated P2P-device interface. Also it contradicts with usage of similar p2p_mgmt field in struct wpa_supplicant. Again struct wpa_supplicant::p2p_mgmt is set only for dedicated P2P-device interface.
  After this change wpa_interface becomes an input argument to wpa_supplicant_init_iface() that we are not modifying.
  Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
* dbus: Redirect signal processing to the management device if present (Vasyl Vavrychuk, 2018-04-02, files: 1, lines: -1/+13)
  This fixes sending of FindStopped, GroupFormationFailure, and InvitationReceived signals in the case of a separate P2P-Device interface. This extends the coverage of the earlier commit 745d62322b37675b4a7eb8f0cd10e25a288168da ("dbus: Redirect P2P request to the managment device if present") to these three functions that were missing the redirection.
  Some wireless controllers might have a separate P2P-Device interface, see as an example the result of 'iw dev':
    phy#0
        Unnamed/non-netdev interface
            ...
            type P2P-device
            ...
        Interface wlp2s0
            type managed
            ...
  In this case there is a separate 'struct wpa_supplicant' created for this p2p-dev-* device as a result of 'wpa_supplicant_add_iface > wpas_p2p_add_p2pdev_interface > wpa_supplicant_add_iface'. This instance of wpa_supplicant is not registered in D-Bus (wpas_dbus_register_*) since for the corresponding P2P device interface the flag 'struct wpa_interface > p2p_mgmt' is set. But this instance is saved in p2p_init_wpa_s and is used for handling P2P related D-Bus commands. Therefore we should look for the D-Bus path in the parent of the p2p_init_wpa_s instance.
  Without this change test dbus_p2p_discovery starts failing if we set support_p2p_device in vm-run.sh.
  Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
* dbus: Add FILS to global capabilities (Masashi Honma, 2018-04-02, files: 4, lines: -23/+44)
  If any of the interfaces supports FILS (and similarly for FILS-SK-PFS), include the "fils" (and "fils_sk_pfs") capability in D-Bus information.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>