path: root/wpa_supplicant/wpas_glue.c
Commit message | Author | Date | Files | Lines
* EAP peer: External server certificate chain validation | Jouni Malinen | 2015-12-12 | 1 | -0/+8

    This adds support for optional functionality to validate server certificate chain in TLS-based EAP methods in an external program. wpa_supplicant control interface is used to indicate when such validation is needed and what the result of the external validation is. This external validation can extend or replace the internal validation. When ca_cert or ca_path parameter is set, the internal validation is used. If these parameters are omitted, only the external validation is used. It needs to be understood that leaving those parameters out will disable most of the validation steps done with the TLS library and that configuration is not really recommended.

    By default, the external validation is not used. It can be enabled by adding tls_ext_cert_check=1 into the network profile phase1 parameter. When enabled, external validation is required through the CTRL-REQ/RSP mechanism similarly to other EAP authentication parameters through the control interface.

    The request to perform external validation is indicated by the following event:
    CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

    Before that event, the server certificate chain is provided with the CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump> parameter. depth=# indicates which certificate is in question (0 for the server certificate, 1 for its issuer, and so on).

    The result of the external validation is provided with the following command:
    CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

    It should be noted that this is currently enabled only for OpenSSL (and BoringSSL/LibreSSL). Due to the constraints in the library API, the validation result from external processing cannot be reported cleanly with TLS alert. In other words, if the external validation rejects the server certificate chain, the pending TLS handshake is terminated without sending more messages to the server.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix CONFIG_NO_WPA=y build | Jouni Malinen | 2015-11-23 | 1 | -1/+1

    A number of places were calling functions that are not included in CONFIG_NO_WPA=y build anymore. Comment out such calls. In addition, pull in SHA1 and MD5 for config_internal.c, if needed.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Add GTK RSC relaxation workaround | Max Stepanov | 2015-11-01 | 1 | -0/+1

    Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732.

    Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly.

    The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed.

    Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
* Try to set PMK only with key mgmt offload support in the driver | Jouni Malinen | 2015-04-27 | 1 | -1/+2

    Previously, it was possible for the set_key() handler to be used with WPA_ALG_PMK even if the driver did not indicate support for key management offload. While this is not really supposed to result in any difference, it makes the debug logs somewhat confusing. Avoid that by using driver capability flag for key management offload as an additional condition for setting the PMK.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Allow PSK/passphrase to be set only when needed | Jouni Malinen | 2015-03-28 | 1 | -22/+36

    The new network profile parameter mem_only_psk=1 can be used to specify that the PSK/passphrase for that network is requested over the control interface (ctrl_iface or D-Bus) similarly to the EAP network parameter requests. The PSK/passphrase can then be configured temporarily in a way that prevents it from getting stored to the configuration file.

    For example:
    Event: CTRL-REQ-PSK_PASSPHRASE-0:PSK or passphrase needed for SSID test-wpa2-psk
    Response: CTRL-RSP-PSK_PASSPHRASE-0:"qwertyuiop"

    Note: The response value uses the same encoding as the psk network profile parameter, i.e., passphrase is within double quotation marks.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* eap_proxy: Callback to notify any updates from eap_proxy | Sunil Dutt | 2015-03-02 | 1 | -0/+22

    This commit introduces a callback to notify any configuration updates from the eap_proxy layer. This is used to trigger re-reading of IMSI and MNC length.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Preparations for variable length KCK and KEK | Jouni Malinen | 2015-01-26 | 1 | -4/+5

    This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Add peer certificate alt subject name information to EAP events | Jouni Malinen | 2015-01-14 | 1 | -1/+3

    A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used to provide information about server certificate chain alternative subject names for upper layers, e.g., to make it easier to configure constraints on the server certificate.

    For example:
    CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com

    Currently, this includes DNS, EMAIL, and URI components from the certificates. Similar information is provided to the D-Bus Certification signal in the new altsubject argument which is a string array of these items.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Include peer certificate always in EAP events | Jouni Malinen | 2015-01-14 | 1 | -0/+1

    This makes it easier for upper layer applications to get information regarding the server certificate without having to use a special certificate probing connection. This provides both the SHA256 hash of the certificate (to be used with ca_cert="hash://server/sha256/<hash>", if desired) and the full DER encoded X.509 certificate so that upper layer applications can parse and display the certificate easily or extract fields from it for purposes like configuring an altsubject_match or domain_suffix_match.

    The old behavior can be configured by adding cert_in_cb=0 to wpa_supplicant configuration file.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix memory leak on wpa_supplicant_init_wpa() error path | Jouni Malinen | 2015-01-07 | 1 | -0/+1

    If wpa_sm_init() fails, the context data needs to be freed in the caller.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* TDLS: Propagate enable/disable channel-switch commands to driver | Arik Nemtsov | 2015-01-04 | 1 | -0/+23

    The supplicant code does not try to control the actual channel of the radio at any point. It simply passes the target peer and channel parameters to the driver. It's the driver's responsibility to periodically initiate TDLS channel-switch operations when TDLS channel-switching is enabled.

    Allow enable/disable operations to be invoked via the control interface.

    Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* TDLS: Add channel-switch capability flag | Arik Nemtsov | 2015-01-04 | 1 | -1/+6

    Propagate a driver TDLS channel-switch support bit from nl80211 to TDLS code.

    Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* Remove unused send_eapol() driver op | Jouni Malinen | 2014-12-11 | 1 | -1/+1

    The send_eapol() callback was used by driver_test.c, but with that removed, there are no remaining users of the alternative EAPOL frame transmitting mechanism in wpa_supplicant, i.e., all remaining driver interfaces use l2_packet instead. Remove the send_eapol() to get rid of unused code.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Check os_snprintf() result more consistently - automatic 1 | Jouni Malinen | 2014-12-08 | 1 | -1/+1

    This converts os_snprintf() result validation cases to use os_snprintf_error() where the exact rule used in os_snprintf_error() was used. These changes were done automatically with spatch using the following semantic patch:

    @@
    identifier E1;
    expression E2,E3,E4,E5,E6;
    statement S1;
    @@

    (
    	E1 = os_snprintf(E2, E3, ...);
    |
    	int E1 = os_snprintf(E2, E3, ...);
    |
    	if (E5)
    		E1 = os_snprintf(E2, E3, ...);
    	else
    		E1 = os_snprintf(E2, E3, ...);
    |
    	if (E5)
    		E1 = os_snprintf(E2, E3, ...);
    	else if (E6)
    		E1 = os_snprintf(E2, E3, ...);
    	else
    		E1 = 0;
    |
    	if (E5) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else {
    		...
    		return -1;
    	}
    |
    	if (E5) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else if (E6) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else {
    		...
    		return -1;
    	}
    |
    	if (E5) {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	} else {
    		...
    		E1 = os_snprintf(E2, E3, ...);
    	}
    )
    ?	os_free(E4);
    -	if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
    +	if (os_snprintf_error(E3, E1))
    (
    	S1
    |
    	{ ... }
    )

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Replace send_ft_action() driver_op with send_action() | Jouni Malinen | 2014-12-06 | 1 | -1/+38

    This reduces the number of unnecessarily duplicated driver interface callback functions for sending Action frames by using the more generic send_action() instead of FT specific send_ft_action().

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Add support for offloading key management operations to the driver | Chet Lanctot | 2014-10-23 | 1 | -0/+14

    This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Allow OpenSSL cipherlist string to be configured | Jouni Malinen | 2014-10-12 | 1 | -0/+1

    The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled for TLS-based EAP methods when OpenSSL is used as the TLS library. This parameter can be used both as a global parameter to set the default for all network blocks and as a network block parameter to override the default for each network profile.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Add external EAPOL transmission option for testing purposes | Jouni Malinen | 2014-10-10 | 1 | -0/+15

    The new ext_eapol_frame_io parameter can be used to configure hostapd and wpa_supplicant to use control interface for receiving and transmitting EAPOL frames. This makes it easier to implement automated test cases for protocol testing. This functionality is included only in CONFIG_TESTING_OPTIONS=y builds.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Use WMM IE for propagating peer WMM capability | Arik Nemtsov | 2014-10-03 | 1 | -4/+4

    Relying on qos qosinfo is not enough, as it can be 0 for WMM enabled peers that don't support U-APSD. Further, some peers don't even contain this IE (Google Nexus 5), but do contain the WMM IE during setup.

    Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* TDLS: Set the initiator during tdls_mgmt operations | Arik Nemtsov | 2014-10-03 | 1 | -2/+4

    Some drivers need to know the initiator of a TDLS connection in order to generate a correct TDLS mgmt packet. It is used to determine the link identifier IE. Pass this information to the driver.

    Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
* Work around broken AP PMKSA caching implementation | Jouni Malinen | 2014-09-08 | 1 | -5/+23

    An interoperability issue with a deployed AP has been identified where the connection fails due to that AP failing to operate correctly if PMKID is included in the Association Request frame. To work around this, allow EAPOL-Start packet to be transmitted on startWhen reaching 0 even when trying to use PMKSA caching. In practice, this allows fallback to full EAP authentication if the AP/Authenticator takes more than 1-2 seconds to initiate 4-way handshake for PMKSA caching or full EAP authentication if there was no PMKSA cache match.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* MACsec: wpa_supplicant integration | Hu Wang | 2014-05-09 | 1 | -0/+3

    Add MACsec to the wpa_supplicant build system and configuration file.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Pass TDLS peer capability information in tdls_mgmt | Sunil Dutt | 2014-03-27 | 1 | -3/+3

    While framing the TDLS Setup Confirmation frame, the driver needs to know if the TDLS peer is VHT/HT/WMM capable and thus shall construct the VHT/HT operation / WMM parameter elements accordingly. Supplicant determines if the TDLS peer is VHT/HT/WMM capable based on the presence of the respective IEs in the received TDLS Setup Response frame. The host driver should not need to parse the received TDLS Response frame and thus, should be able to rely on the supplicant to indicate the capability of the peer through additional flags while transmitting the TDLS Setup Confirmation frame through tdls_mgmt operations.

    Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Add test option to disable IP address assignment request | Jouni Malinen | 2014-01-27 | 1 | -1/+2

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Add support for IP address assignment in 4-way handshake | Jouni Malinen | 2014-01-27 | 1 | -0/+15

    This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association.

    The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_start, ip_addr_end. For example:

    ip_addr_go=192.168.42.1
    ip_addr_mask=255.255.255.0
    ip_addr_start=192.168.42.2
    ip_addr_end=192.168.42.100

    DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assigning a separate range for wpa_supplicant and DHCP server.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Pass peer's Supported channel and oper class info during sta_add | Sunil Dutt | 2014-01-14 | 1 | -1/+7

    The information of the peer's supported channel and operating class is required for the driver to do TDLS off channel operations with a compatible peer. Pass this information to the driver when the peer station is getting added.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Skip network disabling on expected EAP failure | Jouni Malinen | 2014-01-08 | 1 | -5/+24

    Some EAP methods can go through a step that is expected to fail and as such, should not trigger temporary network disabling when processing EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as a special case, but similar behavior is needed for EAP-FAST with unauthenticated provisioning.

    Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP peer: Add framework for external SIM/USIM processing | Jouni Malinen | 2013-10-20 | 1 | -0/+5

    The new configuration parameter external_sim=<0/1> can now be used to configure wpa_supplicant to use external SIM/USIM processing (e.g., GSM authentication for EAP-SIM or UMTS authentication for EAP-AKA). The requests and responses for such operations are sent over the ctrl_iface CTRL-REQ-SIM and CTRL-RSP-SIM commands similarly to the existing password query mechanism.

    Changes to the EAP methods to use this new mechanism will be added in separate commits.

    Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove compiler warnings if TDLS is enabled without WPA2 | Jouni Malinen | 2013-06-07 | 1 | -2/+2

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Add test code for fetching the last configured GTK | Jouni Malinen | 2013-05-20 | 1 | -0/+7

    This can be useful for some test cases, so allow wpa_supplicant to be built with special test functionality to expose the current (last configured) GTK. This is disabled by default and can be enabled by adding following line into .config:

    CFLAGS += -DCONFIG_TESTING_GET_GTK

    The GTK can then be fetched with "wpa_cli get gtk".

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Move AID=1 workaround into driver_nl80211.c | Jouni Malinen | 2013-05-06 | 1 | -1/+1

    The use of AID=1 for the nl80211 dummy STA case is specific to the driver (cfg80211), so better move this into the driver wrapper instead of generic TDLS implementation.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Pass peer's AID information to kernel | Sunil Dutt | 2013-05-06 | 1 | -2/+2

    The information of the peer's AID is required for the driver to construct partial AID in VHT PPDUs. Pass this information to the driver during add/set station operations (well, as soon as the information is available, i.e., with set station operation currently).

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix build with CONFIG_NO_CONFIG_BLOBS | Jouni Malinen | 2013-03-16 | 1 | -0/+2

    Signed-hostap: Jouni Malinen <j@w1.fi>
* TDLS: Pass peer's VHT Capability information during sta_add | Sunil Dutt | 2013-02-25 | 1 | -0/+2

    The information of the peer's VHT capability is required for the driver to establish a TDLS link in VHT mode with a compatible peer. Pass this information to the driver when the peer station is getting added.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Pass peer's Capability and Ext Capability info during sta_add | Sunil Dutt | 2013-02-14 | 1 | -1/+3

    The contents of the peer's capability and extended capability information are required for the driver to perform TDLS P-UAPSD and Off Channel operations. Pass this information to the driver when the peer station is getting added.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Pass peer's HT Capability and QOS information during sta_add | Sunil Dutt | 2013-02-14 | 1 | -2/+13

    The information of the peer's HT capability and the QOS information is required for the driver to perform TDLS operations. Pass this information to the driver when the peer station is getting added.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* TDLS: Fix add/set STA operation | Jouni Malinen | 2013-02-14 | 1 | -0/+2

    Commit a9a1d0f08aaf7c96f40def0d7966399b89b2a7c0 added vht_capabilities to struct hostapd_sta_add_params but forgot to update wpa_supplicant_tdls_peer_addset() to initialize the variable to NULL. This could result in uninitialized pointer being used in driver_nl80211.c when adding a TDLS peer entry. Fix this by clearing the hostapd_sta_add_params with memset.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_supplicant: Add more DBus EAP status | Paul Stewart | 2013-01-12 | 1 | -0/+2

    Signal the start of EAP authentication as well as when additional credentials are required to complete.

    Signed-hostap: Paul Stewart <pstew@chromium.org>
* Remove compiler warning on CONFIG_NO_WPA build | Jouni Malinen | 2012-12-18 | 1 | -0/+2

    wpa_supplicant_set_rekey_offload() is used only if CONFIG_NO_WPA is not defined.

    Signed-hostap: Jouni Malinen <j@w1.fi>
* Allow OKC to be enabled by default | Jouni Malinen | 2012-11-12 | 1 | -1/+2

    Previously, OKC (opportunistic key caching, a.k.a. proactive key caching) could be enabled only with a per-network parameter (proactive_key_caching). The new global parameter (okc) can now be used to change the default behavior to be OKC enabled (okc=1) for network blocks that do not override this with the proactive_key_caching parameter.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove unused wpa_supplicant_disassociate() | Jouni Malinen | 2012-11-05 | 1 | -9/+0

    This function is now unused after the last couple of commits that removed the last uses, so remove this to keep code simpler since all places that disassociate can use deauthentication instead.

    Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-SIM/AKA: Store pseudonym identity in configuration | Jouni Malinen | 2012-09-02 | 1 | -1/+40

    Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity so that this can be maintained between EAP sessions (e.g., after wpa_supplicant restart) even if fast re-authentication data was cleared.

    Signed-hostap: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Report EAP connection progress to DBus | Paul Stewart | 2012-06-04 | 1 | -0/+10

    Send an "EAP" signal via the new DBus interface under various conditions during EAP authentication:
    - During method selection (ACK and NAK)
    - During certificate verification
    - While sending and receiving TLS alert messages
    - EAP success and failure messages

    This provides DBus callers a number of new tools:
    - The ability to probe an AP for available EAP methods (given an identity).
    - The ability to identify why the remote certificate was not verified.
    - The ability to identify why the remote peer refused a TLS connection.

    Signed-hostap: Paul Stewart <pstew@chromium.org>
* Remove the GPL notification from files contributed by Jouni Malinen | Jouni Malinen | 2012-02-11 | 1 | -8/+2

    Remove the GPL notification text from the files that were initially contributed by myself.

    Signed-hostap: Jouni Malinen <j@w1.fi>
* Add wpa_supplicant_ctrl_req_from_string() | Dan Williams | 2011-10-30 | 1 | -0/+18

    Converts from a string to a control request enum when input from a control interface is received. Will be used by a subsequent patch.

    Signed-off-by: Dan Williams <dcbw@redhat.com>
* dbus: Implement EAP SM control request signals | Dan Williams | 2011-10-30 | 1 | -0/+2

    Add a D-Bus signal for EAP SM requests. This signal is emitted on the Interface object so that clients only have to listen to one object for requests rather than to all network objects. This signal is analogous to the socket control interface's CTRL-REQ- request.

    Signed-off-by: Dan Williams <dcbw@redhat.com>
* Use an enum for EAP SM requests | Dan Williams | 2011-10-30 | 1 | -3/+58

    Control requests will be extended for non-EAP uses later, so it makes sense to have them be generic. Furthermore, having them defined as an enum is easier for processing internally, and more generic for control interfaces that may not use field names. The public ctrl_req_type / field_name conversion function will be used later by the D-Bus control interface too.

    Signed-off-by: Dan Williams <dcbw@redhat.com>
* TDLS: Add peer as a STA during link setup | Arik Nemtsov | 2011-10-23 | 1 | -0/+22

    Before commencing setup, add a new STA entry to the driver representing the peer. Later during setup, update the STA entry using information received from the peer.

    Extend sta_add() callback for adding/modifying a TDLS peer entry and connect it to the TDLS state machine. Implement this callback for the nl80211 driver and send peer information to kernel. Mark TDLS peer entries with a new flag and translate it to a corresponding nl80211 flag in the nl80211 driver.

    In addition, correct TDLS related documentation in the wpa_driver_ops structure.

    Signed-off-by: Arik Nemtsov <arik@wizery.com>
    Cc: Kalyan C Gaddam <chakkal@iit.edu>
* TDLS: Get TDLS related capabilities from driver | Arik Nemtsov | 2011-10-23 | 1 | -0/+22

    Put glue code in place to propagate TDLS related driver capabilities to the TDLS state machine. If the driver doesn't support capabilities, assume TDLS is supported internally.

    When TDLS is explicitly not supported, disable all user facing TDLS operations.

    Signed-off-by: Arik Nemtsov <arik@wizery.com>
    Cc: Kalyan C Gaddam <chakkal@iit.edu>
* Remove user space client MLME | Jouni Malinen | 2011-10-22 | 1 | -13/+0

    This code was used only with driver_test.c to allow MLME operations in hostapd to be tested without having to use a real radio. There are no plans on extending this to any other use than testing and mac80211_hwsim has now obsoleted the need for this type of testing. As such, we can drop this code from wpa_supplicant to clean up the implementation of unnecessary complexity.