path: root/wpa_supplicant
Commit log (each entry: commit message, then Author, Age, Files, Lines)
* Allow SAE to be used in wpa_supplicant AP mode (Jouni Malinen, 2 days, 1 file, -1/+29)
  SAE password configuration for AP mode requires additional steps compared to PSK cases. The previous implementation allowed SAE to be configured, but all authentication attempts would fail due to no password being available. Now both psk and sae_password/sae_password_id parameters are translated properly to the hostapd configuration structures to fix this.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* NetBSD: Fix compile (Roy Marples, 2 days, 1 file, -3/+6)
  On NetBSD the ethernet header is net/if_ether.h. This also pulls in net/if.h which defines if_type, which in turn conflicts with an enum in wpa_supplicant. As such we need to include this at the bottom rather than at the top.
  Signed-off-by: Roy Marples <roy@marples.name>
* MBO/OCE: Work around misbehaving MBO/OCE APs that use RSN without PMF (Vamsi Krishna, 3 days, 6 files, -23/+43)
  The MBO and OCE specifications require the station to mandate use of PMF when connecting to an MBO/OCE AP that uses WPA2. The earlier implementation prevented such misbehaving APs from being selected for connection completely. This looks like the safest approach to take, but unfortunately, there are deployed APs that are not compliant with the MBO/OCE requirements and this strict interpretation of the station requirements results in interoperability issues by preventing the association completely. Relax the approach by allowing noncompliant MBO/OCE APs to be selected for RSN connection without PMF to avoid the main impact of this interoperability issue. However, disable MBO/OCE functionality when PMF cannot be negotiated to try to be as compliant as practical with the MBO/OCE tech spec requirements (i.e., stop being an MBO/OCE STA for the duration of such workaround association). Also disable support for BTM in this workaround state since MBO would expect all BTM frames to be protected.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add bandSupport JSON array into config request (Jouni Malinen, 5 days, 3 files, -4/+30)
  Indicate supported global operating classes when wpa_supplicant is operating as an Enrollee.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Allow name and mudurl to be configured for Config Request (Jouni Malinen, 5 days, 4 files, -15/+39)
  The new hostapd and wpa_supplicant configuration parameters dpp_name and dpp_mud_url can now be used to set a specific name and MUD URL for the Enrollee to use in the Configuration Request. dpp_name replaces the previously hardcoded "Test" string (which is still the default if an explicit configuration entry is not included). dpp_mud_url can optionally be used to add a MUD URL to describe the Enrollee device.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Connection status result (Enrollee) (Jouni Malinen, 7 days, 5 files, -3/+201)
  Add support for reporting connection status after provisioning if the Configurator requests this.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Connection status result (Configurator) (Jouni Malinen, 7 days, 1 file, -0/+74)
  A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be used to set Configurator to request a station Enrollee to report connection result after a successfully completed provisioning step. If the peer supports this, the DPP-CONF-SENT event indicates this with a new argument (wait_conn_status=1) and the Configurator remains waiting for the connection result for up to 16 seconds. Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event is generated with arguments result, ssid, and channel_list indicating what the Enrollee reported. result=0 means success while non-zero codes are for various error cases as specified in the DPP tech spec. If no report is received from the Enrollee, the event with "timeout" argument is generated locally.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Don't return an error when successfully parsing WMM rules (Sujay Patwardhan, 10 days, 1 file, -0/+1)
  The config file parser previously would fall through into an error if CONFIG_AP is defined and it hit a wmm_ac_* rule with a valid value. Add a return to prevent incorrectly printing an error message and returning a non-zero exit code.
  Signed-off-by: Sujay Patwardhan <sujay@eero.com>
* P2P: Use latest BSS entry if multiple P2P Device Addr matches found (Hu Wang, 10 days, 1 file, -6/+13)
  If an AP (P2P GO) has changed its operating channel or SSID recently, the BSS table may have multiple entries for the same BSSID. Commit 702621e6dd35 ('WPS: Use latest updated BSS entry if multiple BSSID matches found') fetches latest updated BSS entry based on BSSID. Do the same when fetching an entry based on the P2P Device Address.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Add support for 60 GHz band channels 5 and 6 (Alexei Avshalom Lazar, 10 days, 2 files, -2/+2)
  The previous support in the 60 GHz band was for channels 1-4. Add support for channels 5 and 6.
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* WPS: Update MAC address on address changes (Mikael Kanstrup, 2019-09-09, 3 files, -0/+16)
  The WPS component keeps a copy of the network interface MAC address. When the MAC address was changed, the WPS copy was not updated, so the WPS M1 message contained the old address. Some devices check this field and fail connection attempts. Update the WPS MAC address on interface MAC address changes.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
* wpa_cli: Do not pick p2p-dev-* interfaces by default (Jouni Malinen, 2019-09-09, 1 file, -1/+4)
  These are the driver-specific interfaces for the non-netdev P2P Device interface and not something that is useful for most use cases. Skip them to allow the main netdev (e.g., wlan0 over p2p-dev-wlan0) to be selected.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FILS: Update connect params after sending connection notification (Ankita Bajaj, 2019-09-08, 1 file, -1/+8)
  Update connect params will update auth_alg and fils_hlp_req in the wpa_supplicant structure before calling the function wpas_notify_state_changed(). This could have resulted in triggering inconsistent state change events and messages in the Android framework.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Fix wpa_supplicant build dependencies for CONFIG_AP=y build (Jouni Malinen, 2019-09-08, 2 files, -0/+8)
  Fix CONFIG_DPP2=y with CONFIG_AP=y build for cases where the needed dependencies were not pulled in by other optional build parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Fix wpa_supplicant build dependencies for DPP-only build (Jouni Malinen, 2019-09-08, 2 files, -8/+4)
  Fix CONFIG_DPP=y build for cases where the needed dependencies were not pulled in by other optional build parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211W build parameter (Jouni Malinen, 2019-09-08, 20 files, -177/+1)
  Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP peer: Add support for machine credentials using certificates (Jouni Malinen, 2019-09-01, 3 files, -0/+42)
  This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is an explicit request for machine credentials. The network profile parameters are otherwise the same as the Phase 1 parameters, but each one uses a "machine_" prefix for the parameter name.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Do not try to include net/ethernet.h in MinGW/Windows builds (Jouni Malinen, 2019-09-01, 1 file, -0/+2)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix Windows error code definition workaround (Jouni Malinen, 2019-09-01, 1 file, -0/+6)
  ENOTCONN, EOPNOTSUPP, and ECANCELED are defined in a newer version of MinGW, so make this workaround conditional on what is defined in the header files.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer config: Move ocsp param to phase1/phase2 (Jouni Malinen, 2019-09-01, 4 files, -3/+6)
  OCSP configuration is applicable to each instance of TLS-based authentication and as such, the configuration might need to be different for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and add a separate ocsp2 network profile parameter to set this for Phase 2.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP peer: Move certificate configuration params into shared struct (Jouni Malinen, 2019-09-01, 4 files, -109/+103)
  These parameters for certificate authentication are identical for the Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel). Furthermore, yet another copy would be needed to support separate machine credential in Phase 2. Clean this up by moving the shared parameters into a separate data struct that can then be used for each need without having to define separate struct members for each use.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Do not enable HE on 5 GHz without VHT (Sven Eckelmann, 2019-08-30, 1 file, -2/+10)
  The commit ad9a1bfe788e ("nl80211: Share VHT channel configuration for HE") always enforced that VHT is enabled when HE was enabled. This broke the mesh functionality on 2.4 GHz with HE because ibss_mesh_setup_freq() isn't setting up the VHT parameters for 2.4 GHz. This problem was resolved for 2.4 GHz by commit df4f959988b6 ("nl80211: Don't force VHT channel definition with HE"), but it is still possible to disable VHT during the mesh/IBSS freq setup on 5 GHz, which would result in the same problem as seen on 2.4 GHz. The code enabling HE for IBSS/mesh must now make sure that it doesn't enable HE when VHT could be enforced by the nl80211 driver code but disabled by the user.
  Fixes: 3459c54ac78b ("mesh: Add support for HE mode")
  Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
* EAP peer: Add a concept of a separate machine credential (Jouni Malinen, 2019-08-20, 2 files, -10/+154)
  This is an initial step in adding support for configuring separate user and machine credentials. The new wpa_supplicant network profile parameters machine_identity and machine_password are similar to the existing identity and password, but explicitly assigned for the purpose of machine authentication. This commit alone does not change actual EAP peer method behavior as separate commits are needed to determine when there is an explicit request for machine authentication. Furthermore, this is only addressing the username/password credential type, i.e., additional changes following this design approach will be needed for certificate credentials.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add TLS-PRF using HMAC with P_SHA384 for TEAP (Jouni Malinen, 2019-08-16, 2 files, -0/+10)
  This version of TLS PRF is needed when using TEAP with TLS ciphersuites that are defined to use SHA384 instead of SHA256.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Extend server certificate TOD policy reporting to include TOD-TOFU (Jouni Malinen, 2019-08-16, 1 file, -2/+3)
  The previously used single TOD policy was split into two policies: TOD-STRICT and TOD-TOFU. Report these separately in the CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for TOD-TOFU).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Conditionally set PMKID while notifying the external auth status (Sunil Dutt, 2019-08-16, 1 file, -0/+2)
  This is needed for the drivers implementing SME to include the PMKID in the Association Request frame directly following SAE authentication. This commit extends the commit d2b208384391 ("SAE: Allow PMKID to be added into Association Request frame following SAE") for drivers with internal SME that use the external authentication mechanism.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Use BSSID stored in ext_auth_bssid for set_pmk (Sunil Dutt, 2019-08-16, 1 file, -4/+4)
  pending_bssid is cleared in the connected state and thus is not valid if SAE authentication is done to a new BSSID when in the connected state. Hence use the BSSID from ext_auth_bssid while configuring the PMK for the external authentication case. This is required for roaming to a new BSSID with driver-based-SME while the SAE processing happens with wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Update connect params with new DH attributes to the driver (Sunil Dutt, 2019-08-16, 1 file, -0/+25)
  A new DH public key is sent through this interface to the driver after every successful connection/roam to a BSS. This helps to do OWE roaming to a new BSS with drivers that implement SME/MLME operations during roaming. These updated DH IEs are added in the subsequent (Re)Association Request frame sent by the station when roaming. The DH IE from the roamed AP is given to wpa_supplicant in the roam result event. wpa_supplicant shall further process these DH IEs to generate the PMK for the 4-way handshake.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RSN: Do not allow connection to proceed without MFPC=1 if PMF required (Jouni Malinen, 2019-08-16, 1 file, -0/+7)
  PMF capability check is done as part of BSS selection routines, but those are not used when going through the enforced roaming operation ("ROAM <BSSID>" control interface command). While that mechanism is mainly for testing purposes, extend it to do the same check for PMF to prevent cases where forced roaming could end up disabling PMF against the local profile requirement.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCE: Mandate PMF for WPA2 association with OCE AP (Ankita Bajaj, 2019-08-15, 1 file, -2/+9)
  An OCE AP with WPA2 enabled shall require PMF negotiation when associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a STA when it is operating as an AP. Don't select an OCE AP for connection if PMF is not enabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Match credentials based on required_roaming_consortium (Purushottam Kushwaha, 2019-08-15, 1 file, -1/+5)
  When required_roaming_consortium is set in a credential, the station should match this against Roaming Consortium(s) for a BSS similar to how it is matching for roaming_consortiums during Interworking credentials availability check for roaming_consortium. In the context of Hotspot 2.0 PPS MO, this means addressing the matching part in the same manner for HomeSP/HomeOIList/<X+>/HomeOI regardless of how HomeSP/HomeOIList/<X+>/HomeOIRequired is set (i.e., the required part is used as an independent check for the AP advertising the needed information while the "credential can be used here and this is a home network" part is shared).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Allow PMKID to be added into Association Request frame following SAE (Jouni Malinen, 2019-08-14, 4 files, -8/+45)
  IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but it is not disallowed either, so it is useful to have an option to identify the derived PMKSA in the immediately following Association Request frames. This is disabled by default (i.e., no change to previous behavior) and can be enabled with a global wpa_supplicant configuration parameter sae_pmkid_in_assoc=1.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Check for LEAP before doing FT (Matthew Wang, 2019-08-11, 1 file, -2/+4)
  According to https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html Cisco does not support EAP-LEAP with Fast Transition. Here, we check for LEAP before selecting FT 802.1X key management suite.
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* Clear external eapSuccess setting in driver-authorized cases (Jouni Malinen, 2019-08-07, 2 files, -2/+5)
  The conditions for the eapol_sm_notify_eap_success(FALSE) calls did not cover the case where eapol_sm_notify_eap_success(TRUE) had been called based on offloaded 4-way handshake and driver notification of authorization in wpa_supplicant_event_port_authorized(). This could result in eapSuccess and altSuccess state machine variables being left TRUE when roaming to another BSS and that results in EAP failure if the following roaming case does not get fully authorized through the driver offload. Fix this by clearing eapSuccess/altSuccess when processing a new association (including roaming) event and also when disconnecting from the network.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Preparations for v2.8 release [tag: hostap_2_9] (Jouni Malinen, 2019-08-07, 1 file, -0/+29)
  Update the version number for the build and also add the ChangeLog entries for both hostapd and wpa_supplicant to describe main changes between v2.7 and v2.8.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Set the default scan IEs on interface restart (Sunil Dutt, 2019-08-07, 1 file, -0/+1)
  Previously, these default scan IEs were set only when parameter values changed and during the interface initialization, which can get lost in the driver on an interface restart. Hence, also set these IEs on an interface restart notification even when there has been no change in the values since the last update to the driver.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Indicate authentication success on ConfReqRX if needed (Jouni Malinen, 2019-08-05, 1 file, -0/+12)
  It is possible to receive the Configuration Request frame before having seen TX status for the Authentication Confirm. In that sequence, the DPP-AUTH-SUCCESS event would not be indicated before processing the configuration step and that could confuse upper layers that follow the details of the DPP exchange. As a workaround, indicate DPP-AUTH-SUCCESS when receiving the Configuration Request since the Enrollee/Responder has clearly received the Authentication Confirm even if the TX status for it has not been received.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* nl80211: Use separate flag for 4-way handshake offload (Arend van Spriel, 2019-08-01, 1 file, -1/+1)
  Commit d896874f8689 ("nl80211: Indicate 802.1X 4-way handshake offload in connect") used the req_key_mgmt_offload flag to indicate to the driver that it should offload the 802.1X handshake. However, this field already existed and was used for a different offload API. This causes wpa_supplicant to send a connect request without the WANT_1X_HS flag and the subsequent set-pmk is rejected, causing the connection to fail. Fix that by introducing a new flag req_handshake_offload so the offloads are no longer entangled.
  Fixes: d896874f8689 ("nl80211: Indicate 802.1X 4-way handshake offload in connect")
  Reported-by: Stefan Wahren <wahrenst@gmx.net>
  Tested-by: Stefan Wahren <wahrenst@gmx.net>
  Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
* D-Bus: Demote timeout/flush messages to MSG_MSGDUMP (Brian Norris, 2019-07-31, 1 file, -1/+1)
  We intentionally don't emit property-changed signals on every property update. For "less timing critical" messages we delay up to 5 milliseconds waiting to see if we can batch them together. When the timer hits, we emit the signal anyway and (potentially) log this message. This amounts to effectively tracing every property update, which can be quite excessive. Lower this to MSGDUMP, so MSG_DEBUG can remain slightly more sane.
  Signed-off-by: Brian Norris <briannorris@chromium.org>
* P2P: Pass HE flag to GO negotiation result (Yu Wang, 2019-07-29, 1 file, -0/+2)
  In order to set up a P2P connection with HE capability, the 'he' flag should be passed to the GO negotiation result.
  Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
* wpa_cli: Add support to process DPP action events in action script (Disha Das, 2019-07-24, 1 file, -0/+16)
  Signed-off-by: Disha Das <dishad@codeaurora.org>
* Avoid nested enum wpas_mode declaration to allow C++ compilation (Jouni Malinen, 2019-07-24, 1 file, -8/+10)
  Move enum wpas_mode declaration to the global scope to avoid issues with the recently added inline function wpas_mode_to_ieee80211_mode() using it as an argument. This fixes C++ compilation issues with cases that include wpa_supplicant_i.h.
  Fixes: 3459c54ac78b ("mesh: Add support for HE mode")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TEAP server and peer implementation (RFC 7170) (Jouni Malinen, 2019-07-09, 4 files, -1/+56)
  This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved. This does not yet support use of NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove useless NULL comparison for an array (Jouni Malinen, 2019-07-07, 2 files, -16/+9)
  Now that the TLS peer_cert information is provided as a full struct to handler functions, the altsubject pointer shows up as an array and causes static analyzers to warn about unnecessary NULL comparison. Get rid of that comparison now that it is clearly not needed anymore.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Move MAC address randomization enable/disable to helper functions (Eric Caruso, 2019-06-26, 3 files, -52/+72)
  This makes it easier to share this for the D-Bus implementation.
  Signed-off-by: Eric Caruso <ejcaruso@chromium.org>
* mesh: Add support for HE mode (Sven Eckelmann, 2019-06-23, 5 files, -2/+67)
  Mesh points can partially support HE features (when requiring no controlling STA/AP) as long as hardware supports it. The kernel just requires support for HE mesh and wpa_supplicant can forward the peer capabilities to the kernel for further processing.
  Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
* wpa_supplicant: Fix type for ssid->mode comparisons (Sven Eckelmann, 2019-06-23, 3 files, -9/+9)
  The ssid->mode is of type enum wpas_mode and all its constants start with WPAS_MODE_*. Still some of the code sections used the IEEE80211_MODE_* defines instead of WPAS_MODE_*. This should have no impact on the actual code because the constants for INFRA, IBSS, AP and MESH had the same values.
  Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
* DPP: Fix documentation to include operating class for URI (Amit Khatri, 2019-06-22, 1 file, -1/+1)
  As per the code, the dpp_parse_uri_chan_list() function checks "/" as the separator for operating class and operating channel. Update the readme accordingly.
  Signed-off-by: Amit Khatri <amit7861234@gmail.com>
* HS 2.0: Skip credential without EAP method for roaming consortium match (Purushottam Kushwaha, 2019-06-14, 1 file, -0/+3)
  An EAP method is required for a credential that matches configured roaming_consortium with an Interworking AP. Hence skip credentials which do not have EAP method specified for this match. This fixes an issue where a credential that cannot work without EAP method from NAI Realms information is selected first based on roaming consortium.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WNM: Provide option to disable/enable BTM support in STA (Ankita Bajaj, 2019-06-14, 6 files, -1/+29)
  Add support to disable/enable BTM support using configuration and wpa_cli command. This is useful mainly for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>