path: root/wpa_supplicant
Commit message | Author | Age | Files | Lines
* FT: Disable PMKSA caching with FT | Jouni Malinen | 5 days | 1 | -0/+7
  PMKSA caching with FT is not fully functional, so disable the case for now, so that wpa_supplicant does not end up trying to connect with a PMKSA cache entry from another AKM. FT-EAP was already modified long time ago to not add PMKSA cache entries itself.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Add support for using the optional Password Identifier | Jouni Malinen | 7 days | 7 | -1/+38
  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* mesh: Register msg_ctx for hostapd/AP code | Jouni Malinen | 7 days | 1 | -0/+1
  The use of hostapd code for a mesh interface did not register hapd->msg_ctx. This needs to be done similarly to the existing cases in wpa_supplicant AP and IBSS mode uses so that wpa_msg() calls from the hostapd/AP code get delivered properly.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Mark connection failed in the unlikely no-bss-entry case | Jouni Malinen | 10 days | 1 | -1/+4
  If no BSS entry can be found when processing association rejected event from the driver for the special OWE case of unsupported finite-cyclic-group, process the event as a connection failure instead of just skipping the OWE retry with another DH group.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Move wpa_supplicant_event() EVENT_ASSOC_REJECT handling into a function | Jouni Malinen | 10 days | 1 | -78/+82
  This cleans up the implementation a bit by making this functionality easier to understand.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Get the bss from bssid of assoc_reject to try for next group | Srinivas Dasari | 11 days | 1 | -0/+9
  On an assoc_reject from the BSS with the status=77, a connection attempt with the next supported group happens. The BSS considered here is from current_bss which may be NULL at this point of time with SME-in-driver case. Address this by getting the BSS from the bssid obtained in association reject indication and skip the step if no BSS entry can be found.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Flush PMKSA if an assoc reject without timeout is received | Srinivas Dasari | 11 days | 1 | -0/+12
  Flush the PMKSA upon receiving association reject event without timeout in the event data in SME-in-driver case to avoid trying to use the old PMKSA entry in subsequent connection attempts. Do not flush PMKSA if association reject is received with timeout as it is generated internally from the driver without reaching the AP. This is similar to the SME-in-wpa_supplicant case that was already addressed within sme_event_assoc_reject().
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Silence a gcc warning on switch statement fallthrough | Jouni Malinen | 11 days | 1 | -0/+1
  Add an explicit comment noting a previously undocumented fallthrough to not trigger an implicit-fallthrough warning.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Silence new gcc warnings on switch statement fallthroughs | Jouni Malinen | 11 days | 1 | -1/+1
  Reword the comments to make gcc 8.1 recognize these as designed cases and not trigger implicit-fallthrough warnings.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Clear SME FT data on disassoc | Ahmad Masri | 2018-05-04 | 1 | -1/+1
  SME ft_used flag is sometimes not cleared on disassoc. For example, after initial FT connection, ft_used is set while ft_ies stays NULL. Later on, upon disassoc, sme_update_ft_ies() is not invoked and ft_used is not cleared. Fix this by invoking sme_update_ft_ies() also in case ft_used is set. This is needed to fix an issue with drivers that use nl80211 Connect API with FT and expect to the NL80211_AUTHTYPE_OPEN specified in the Connect command for the initial mobility domain association.
  Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* wpa_supplicant: Make channel switch event available for non-AP builds | Bhagavathi Perumal S | 2018-05-04 | 1 | -0/+4
  This allows user to get channel switch indication in station mode even if wpa_supplicant is built without CONFIG_AP=y.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
* wpa_supplicant: Add ieee80211ac information in STATUS | Bhagavathi Perumal S | 2018-05-04 | 3 | -0/+13
  This allows user to get current operating mode of station.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
* wolfSSL: Fix EAP-FAST key derivation | Sean Parkinson | 2018-05-02 | 1 | -0/+1
  Implement tls_connection_get_eap_fast_key() using cryptographic primitives as wolfSSL implements different spec.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled | Jouni Malinen | 2018-05-01 | 1 | -0/+2
  This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_cli: Indicate HS20-T-C-ACCEPTANCE to action scripts | Jouni Malinen | 2018-04-29 | 1 | -0/+2
  This can be used to start a web browser to go through Terms and Conditions acknowledgment.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DFS: Mark channels required DFS based on reg-domain info from the driver | mazumdar | 2018-04-23 | 2 | -6/+11
  Mark a channel as required DFS based on regulatory information received from the driver/kernel rather than deciding based on hardcoded boundaries on the frequency. Previously few channels were being marked as requiring DFS even though they were non-DFS in a particular country. If the driver does not provide channel list information, fall back to the previously used frequency-based determination.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Process received Terms and Conditions Acceptance notification | Jouni Malinen | 2018-04-23 | 3 | -0/+39
  Extend wpa_supplicant WNM-Notification RX handling to parse and process received Terms and Conditions Acceptance notifications. If PMF is enabled for the association, this frame results in control interface indication (HS20-T-C-ACCEPTANCE <URL>) to get upper layers to guide the user through the required acceptance steps.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Do not remove CCMP group cipher if any CCMP/GCMP cipher is enabled | Jouni Malinen | 2018-04-23 | 1 | -2/+3
  CCMP group cipher was removed if CCMP was not allowed as a pairwise cipher when loading a configuration file (but not actually when changing configuration during runtime). This is needed to avoid issues with configurations that use the default group cipher (TKIP CCMP) while modifying pairwise cipher from the default (CCMP TKIP) to TKIP. However, there is not really a need to remove the CCMP group cipher if any GCMP or CCMP cipher is enabled as a pairwise cipher. Change the network profile validation routine to not remove CCMP as group cipher if CCMP-256, GCMP, or GCMP-256 is enabled as a pairwise cipher even if CCMP is not.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Handle AP initialization failure in async flow | Tova Mussai | 2018-04-19 | 1 | -0/+7
  When AP initialization is completed in a callback (e.g., OBSS scan), wpa_supplicant_deinit_ap() is not called in case of failure. Fix this by calling setup_complete_cb in case of failure, too, which in turn calls wpa_supplicant_deinit_ap() if needed.
  Signed-off-by: Tova Mussai <tova.mussai@intel.com>
* FT: Add FT auth algorithm to connect params when roaming | Ahmad Masri | 2018-04-19 | 1 | -1/+11
  Add WPA FT auth to connect params in case of a re-connection to ESS supporting FT when FT was used in the first connect.
  Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* FT: Add MDE to assoc request IEs in connect params | Ahmad Masri | 2018-04-19 | 1 | -0/+23
  Add MDE (mobility domain element) to Association Request frame IEs in the driver assoc params. wpa_supplicant will add MDE only if the network profile allows FT, the selected AP supports FT, and the mobility domain ID matches.
  Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* Make CENTER_FRQ1 available independently in SIGNAL_POLL | Bhagavathi Perumal S | 2018-04-19 | 1 | -4/+11
  This allows user to get center frequency and find secondary channel offset.
  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
* HS 2.0: Add Roaming Consortium Selection element into AssocReq | Jouni Malinen | 2018-04-17 | 4 | -2/+22
  This makes wpa_supplicant add Hotspot 2.0 Roaming Consortium Selection element into (Re)Association Request frames if the network profile includes roaming_consortium_selection parameter.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add Roaming Consortium Selection network profile parameter | Jouni Malinen | 2018-04-17 | 6 | -1/+48
  This adds new roaming_consortium_selection network profile parameter into wpa_supplicant. This is used to store the OI that was used for network selection (INTERWORKING_SELECT) based on matching against the Roaming Consortium OIs advertised by the AP. This can also be used when using an external component to perform selection. This commit adds the network profile parameter, but does not yet include it in (Re)Association Request frames.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Use roaming_consortiums list to match OIs for access | Jouni Malinen | 2018-04-17 | 1 | -9/+29
  This extends Hotspot 2.0 credential matching to consider the roaming_consortiums parameter when determining whether the cred block matches the information advertised by an AP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add a new cred block parameter roaming_consortiums | Jouni Malinen | 2018-04-17 | 5 | -0/+144
  This new string parameter contains a comma delimited list of OIs (hexdump) in a string. This is used to store Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI. This commit includes the configuration changes to parse and write the parameter. The actual values are not yet used in Interworking network selection.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Document credential parameter required_roaming_consortium | Jouni Malinen | 2018-04-17 | 3 | -0/+21
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Add fetching of Operator Icon Metadata ANQP-element | Jouni Malinen | 2018-04-17 | 4 | -0/+15
  This extends wpa_supplicant Hotspot 2.0 ANQP routines to allow the Operator Icon Metadata ANQP-element to be fetched with "ANQP_GET <bssid> hs20:12". The result is available in the new hs20_operator_icon_metadata entry in the "BSS <bssid>" output.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Increase authentication timeout if CAC is started | Dmitry Lebed | 2018-04-15 | 3 | -10/+108
  Timeout is increased by dfs_cac_ms from channel data, or by max CAC time (10 minutes) if dfs_cac_ms is not defined. This is needed for some more complex cases, e.g., when STA is acting as an active slave with DFS offload enabled and decided to start CAC after receiving CONNECT command, in such a case the 10 second timeout is too small and wpa_supplicant needs to wait for CAC completion or CAC timeout (up to 10 minutes). Without such timeout modification wpa_supplicant will be unable to connect to an AP on DFS channel, since the default authentication timeout (10 s) is smaller than the minimum CAC time (60 s). Tested with nl80211 DFS offload implementation.
  Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* wpa_supplicant: Rename wpas_event_*() to wpas_ap_event_*() | Dmitry Lebed | 2018-04-15 | 3 | -25/+26
  Rename DFS event handling functions, since they are located in ap.c and refer to AP-mode only. Needed to add some STA-mode DFS event handling.
  Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
* Fix sae_password documentation in wpa_supplicant to refer correct field | Jouni Malinen | 2018-04-13 | 1 | -3/+3
  sae_password replaces psk, not passphrase, parameter in wpa_supplicant.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Properly handle sae_password | Daniel Golle | 2018-04-13 | 1 | -3/+7
  The recently introduced sae_password parameter was only handled properly in wpa_supplicant/sme.c while wpa_supplicant/mesh.c assumed that ssid->passphrase exclusively holds the secret. Import the logic from sme.c to mesh.c to allow having only sae_password set which otherwise throws this error:
    AP-ENABLED mesh: Passphrase for SAE not configured
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* SAE: Only allow SAE AKMP for PMKSA caching attempts | Jouni Malinen | 2018-04-09 | 4 | -8/+9
  Explicitly check the PMKSA cache entry to have matching SAE AKMP for the case where determining whether to use PMKSA caching instead of new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so should check the AKMP as well.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Fix default PMK configuration for PMKSA caching case | Jouni Malinen | 2018-04-09 | 2 | -4/+12
  The RSN supplicant state machine PMK was set based on WPA PSK even for the cases where SAE would be used. If the AP allows PMKSA caching to be used with SAE, but does not indicate the selected PMKID explicitly in EAPOL-Key msg 1/4, this could result in trying to use the PSK instead of SAE PMK. Fix this by not setting the WPA-PSK as default PMK for SAE network profiles and instead, configuring the PMK explicitly from the found PMKSA cache entry.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add more debug prints for wpa_sm_set_pmk() calls | Jouni Malinen | 2018-04-08 | 1 | -0/+5
  Couple of these were not preceded by wpa_hexdump_key(PSK) which made it more difficult to interpret the debug log.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211R_AP=y build option from wpa_supplicant | Jouni Malinen | 2018-04-02 | 4 | -24/+0
  There is no existing mechanism for setting up AP mode functionality with FT enabled, so there is not really much point in having a build option for trying to include the AP-to-AP FT functionality into wpa_supplicant either. Since this build option results in failures to complete the build, simply remove it completely. This can be restored if there is ever desire to enable FT functionality in wpa_supplicant controlled AP mode.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Don't reply to EAPOL if pkt_type is PACKET_OTHERHOST | Davide Caratti | 2018-04-02 | 1 | -0/+5
  When wpa_supplicant is running on a Linux interface that is configured in promiscuous mode, and it is not a member of a bridge, incoming EAPOL packets are processed regardless of the Destination Address in the frame. As a consequence, there are situations where wpa_supplicant replies to EAPOL packets that are not destined for it. This behavior seems undesired (see IEEE Std 802.1X-2010, 11.4.a), and can be avoided by attaching a BPF filter that lets the kernel discard packets having pkt_type equal to PACKET_OTHERHOST.
  Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
* Clean up setting of iface->p2p_mgmt flag | Vasyl Vavrychuk | 2018-04-02 | 1 | -9/+6
  Previously we set this flag to one in wpa_supplicant_init_iface() if Wi-Fi controller does not have a dedicated P2P-interface. This setting had effect only in scope of wpa_supplicant_init_iface() and it contradicts with comment to struct wpa_interface::p2p_mgmt field. This comment says that this flag is used only if Wi-Fi controller has dedicated P2P-device interface. Also it contradicts with usage of similar p2p_mgmt field in struct wpa_supplicant. Again struct wpa_supplicant::p2p_mgmt is set only for dedicated P2P-device interface. After this change wpa_interface becomes input argument to wpa_supplicant_init_iface() that we are not modifying.
  Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
* dbus: Redirect signal processing to the management device if present | Vasyl Vavrychuk | 2018-04-02 | 1 | -1/+13
  This fixes sending of FindStopped, GroupFormationFailure, and InvitationReceived signals in the case of separate P2P-Device interface. This extends the coverage of the earlier commit 745d62322b37675b4a7eb8f0cd10e25a288168da ("dbus: Redirect P2P request to the managment device if present") to these three functions that were missing the redirection.
  Some wireless controllers might have separate P2P-Device interface, see as example result of 'iw dev':
    phy#0
        Unnamed/non-netdev interface
            ...
            type P2P-device
            ...
        Interface wlp2s0
            type managed
            ...
  In this case there is separate 'struct wpa_supplicant' created for this p2p-dev-* device as result of 'wpa_supplicant_add_iface > wpas_p2p_add_p2pdev_interface > wpa_supplicant_add_iface'. This instance of wpa_supplicant is not registered in D-Bus (wpas_dbus_register_*) since for corresponding P2P device interface flag 'struct wpa_interface > p2p_mgmt' is set. But this instance is saved in p2p_init_wpa_s and is used for handling P2P related D-Bus commands. Therefore we should look for D-Bus path in the parent of p2p_init_wpa_s instance. Without this change test dbus_p2p_discovery starts failing if we set support_p2p_device in vm-run.sh.
  Signed-off-by: Vasyl Vavrychuk <vvavrychuk@gmail.com>
* dbus: Add FILS to global capabilities | Masashi Honma | 2018-04-02 | 4 | -23/+44
  If any of the interfaces supports FILS (and similarly for FILS-SK-PFS), include the "fils" (and "fils_sk_pfs") capability in D-Bus information.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* Add config information related to MACsec | Jaap Keuter | 2018-04-01 | 2 | -14/+34
  Add examples of relevant top level CONFIG clauses for wpa_supplicant MACsec support to defconfig. Extend the example of MACsec related network configuration. Also bring them in line with the format of the other example network configurations.
  Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
* dbus: Add mesh to global capabilities | Saurav Babu | 2018-04-01 | 1 | -1/+4
  Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
* Propagate the EAP method error code | Ahmed ElArabawy | 2018-03-31 | 3 | -0/+16
  In the current implementation, upon an EAP method failure, followed by an EAP failure, the EAP Status is propagated up in wpa_supplicant with a general failure parameter string "failure". This parameter is used for a notification on the dbus. This commit reports the EAP method failure error code in a separate callback. The solution in this commit is generic to all EAP methods, and can be used by any method that needs to pass its error code. However, this commit only implements the reporting for EAP-SIM and EAP-AKA methods where the Notification Code (in AT_NOTIFICATION) is used as the method specific error code value.
  Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
* wpa_supplicant: Fix auth failure when the MAC is updated externally | Beniamino Galvani | 2018-03-30 | 1 | -0/+3
  When connecting to a WPA-EAP network and the MAC address is changed just before the association (for example by NetworkManager, which sets a random MAC during scans), the authentication sometimes fails in the following way ('####' logs added by me):
  wpa_supplicant logs:
    wlan0: WPA: RX message 1 of 4-Way Handshake from 02:00:00:00:01:00 (ver=1)
    RSN: msg 1/4 key data - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
    WPA: PMKID in EAPOL-Key - hexdump(len=22): dd 14 00 0f ac 04 d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
    RSN: PMKID from Authenticator - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
    wlan0: RSN: no matching PMKID found
    EAPOL: Successfully fetched key (len=32)
    WPA: PMK from EAPOL state machines - hexdump(len=32): [REMOVED]
    #### WPA: rsn_pmkid():
    #### WPA: aa - hexdump(len=6): 02 00 00 00 01 00
    #### WPA: spa - hexdump(len=6): 66 20 cf ab 8c dc
    #### WPA: PMK - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7
    #### WPA: computed PMKID - hexdump(len=16): ea 73 67 b1 8e 5f 18 43 58 24 e8 1c 47 23 87 71
    RSN: Replace PMKSA entry for the current AP and any PMKSA cache entry that was based on the old PMK
    nl80211: Delete PMKID for 02:00:00:00:01:00
    wlan0: RSN: PMKSA cache entry free_cb: 02:00:00:00:01:00 reason=1
    RSN: Added PMKSA cache entry for 02:00:00:00:01:00 network_ctx=0x5630bf85a270
    nl80211: Add PMKID for 02:00:00:00:01:00
    wlan0: RSN: PMKID mismatch - authentication server may have derived different MSK?!
  hostapd logs:
    WPA: PMK from EAPOL state machine (MSK len=64 PMK len=32)
    WPA: 02:00:00:00:00:00 WPA_PTK entering state PTKSTART
    wlan1: STA 02:00:00:00:00:00 WPA: sending 1/4 msg of 4-Way Handshake
    #### WPA: rsn_pmkid():
    #### WPA: aa - hexdump(len=6): 02 00 00 00 01 00
    #### WPA: spa - hexdump(len=6): 02 00 00 00 00 00
    #### WPA: PMK - hexdump(len=32): b5 24 76 4f 6f 50 8c f6 a1 2e 24 b8 07 4e 9a 13 1b 94 c4 a8 1f 7e 22 d6 ed fc 7d 43 c7 77 b6 f7
    #### WPA: computed PMKID - hexdump(len=16): d8 21 9d a5 73 98 88 26 ef 03 d2 ce f7 04 7d 23
    WPA: Send EAPOL(version=1 secure=0 mic=0 ack=1 install=0 pairwise=1 kde_len=22 keyidx=0 encr=0)
  That's because wpa_supplicant computed the PMKID using the wrong (old) MAC address used during the scan. wpa_supplicant updates own_addr when the interface goes up, as the MAC can only change while the interface is down. However, drivers don't report all interface state changes: for example the nl80211 driver may ignore a down-up cycle if the down message is processed later, when the interface is already up. In such cases, wpa_supplicant (and in particular, the EAP state machine) would continue to use the old MAC. Add a new driver event that notifies of MAC address changes while the interface is active.
  Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
* OWE: Fix CONFIG_OWE=y build without CONFIG_IEEE80211R=y | Jouni Malinen | 2018-03-26 | 1 | -2/+2
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Make STA opmode change event available to upper layers | Tamizh chelvam | 2018-03-19 | 1 | -0/+12
  Add an event callback for EVENT_STATION_OPMODE_CHANGED to allow user/application to get the notification whenever there is a change in a station's HT/VHT op mode. The new events:
    STA-OPMODE-MAX-BW-CHANGED <addr> <20(no-HT)|20|40|80|80+80|160>
    STA-OPMODE-SMPS-MODE-CHANGED <addr> <automatic|off|dynamic|static>
    STA-OPMODE-N_SS-CHANGED <addr> <N_SS>
  Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
* DPP: Support retrieving of configurator's private key | Purushottam Kushwaha | 2018-03-16 | 4 | -0/+28
  To retain configurator information across hostapd/wpa_supplicant restart, private key needs to be maintained to generate a valid pair of authentication keys (connector, netaccess_key, csign) for new enrollees in the network. Add a DPP_CONFIGURATOR_GET_KEY control interface API through which the private key of an existing configurator can be fetched.
  Command format:
    DPP_CONFIGURATOR_GET_KEY <configurator_id>
  The output from this command can then be used with "DPP_CONFIGURATOR_ADD key=<hexdump>" to create the same key again.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Extend dpp_test 89 functionality to transmit side | Srinivas Dasari | 2018-03-12 | 1 | -0/+11
  This extends dpp_test functionality to allow DPP exchanges to be stopped after authentication is completed on the Initiator, i.e., after sending out the Authentication Confirm message. Previously, dpp_test=89 was used only on the Responder side to stop after receiving the Authentication Confirm message. The main use case for this extended functionality is to be able to stop the protocol exchange on a device that acts as authentication Initiator and Enrollee.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Fix memory leaks in ieee802_1x_create_preshared_mka() | Davide Caratti | 2018-03-11 | 1 | -17/+15
  In case MKA is initialized successfully, local copies of CAK and CKN were allocated, but never freed. Ensure that such memory is released also when ieee802_1x_kay_create_mka() returns a valid pointer.
  Fixes: ad51731abf06 ("wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA")
  Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
* Add support for wolfSSL cryptographic library | Sean Parkinson | 2018-03-03 | 1 | -0/+40
  Allow hostapd/wpa_supplicant to be compiled with the wolfSSL cryptography and TLS library.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>