path: root/wpa_supplicant
Commit message | Author | Age | Files | Lines
* SAE: Fix build without DPP/OWE/ERP | Jouni Malinen | 5 days | 2 | -0/+2
  SAE needs sha256-kdf.c to be included in the build.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* P2P: Start group with user configured params after accepting invitation | Vamsi Krishna | 6 days | 1 | -2/+6
  Use global configuration parameters while invoking a persistent P2P group after accepting P2P Invitation Request from a peer.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Mandate mutual auth with NFC negotiated connection handover | Jouni Malinen | 6 days | 1 | -0/+2
  Mark own bootstrap information as having been used in NFC negotiated connection handover and do not accept non-mutual authentication when processing Authentication Response from the peer when such bootstrapping information is used.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Add Connector and C-sign-key in psk/sae credentials for reconfig | Jouni Malinen | 7 days | 1 | -3/+5
  If the Enrollee indicates support for DPP R2 or newer, add Connector and C-sign-key in psk/sae credentials (i.e., cases where DPP AKM is not enabled) for reconfiguration. Extend processing of such credentials in wpa_supplicant network profile addition to handle this new case correctly by not setting key_mgmt=DPP based on Connector being present, but by looking at the actual akm value in the config object.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Clear requirement for QR Code mutual authentication for chirping | Jouni Malinen | 8 days | 1 | -0/+1
  The chirping cases are not really targeting interactive operations, so clear the requirement for mutual authentication when DPP_CHIRP command is used. This avoids testing issues where an earlier DPP_LISTEN command has used qr=mutual parameter and that setting not getting cleared before the next DPP_CHIRP command is used.
  This fixes a test case failure in the following test sequence: dpp_auth_resp_status_failure dpp_controller_relay_chirp
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Beacon frame protection event for incorrect protection | Jouni Malinen | 8 days | 1 | -0/+35
  Define a driver interface event for Beacon frame protection failures. Report such events over the control interface and send a WNM-Notification Request frame to the AP as well.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Add HE override support | P Praneesh | 11 days | 9 | -0/+59
  Add HE override support under the build parameter CONFIG_HE_OVERRIDES=y. The disable_he=1 network profile parameter can be used to disable HE. This requires a fallback to VHT on the 5 GHz band and to HT on the 2.4 GHz band. There is no nl80211 support for configuring the driver to disable HE, so for now, this applies only to IBSS and mesh cases.
  Signed-off-by: P Praneesh <ppranees@codeaurora.org>
* DPP: Add some more details on how to use DPP | Jouni Malinen | 11 days | 1 | -27/+36
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix the dpp_configurator_sign example command | Jouni Malinen | 11 days | 1 | -1/+1
  The mandatory ssid parameter was forgotten from this command when it was added to the dpp_auth_init examples.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Configure PMKSA lifetime and reauth threshold timer to driver | Veerendranath Jakkam | 12 days | 2 | -2/+6
  Drivers that trigger roaming need to know the lifetime and reauth threshold time of configured PMKSA so that they can trigger full authentication to avoid unnecessary disconnection. To support this, send dot11RSNAConfigPMKLifetime and dot11RSNAConfigPMKReauthThreshold values configured in wpa_supplicant to the driver while configuring a PMKSA.
  Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* DPP2: Allow station to require or not allow PFS | Jouni Malinen | 12 days | 9 | -2/+68
  The new wpa_supplicant network profile parameter dpp_pfs can be used to specify how PFS is applied to associations. The default behavior (dpp_pfs=0) remains same as it was previously, i.e., try to use PFS if the AP supports it. PFS use can now be required (dpp_pfs=1) or disabled (dpp_pfs=2).
  This is also working around an interoperability issue of DPP R2 STA with certain hostapd builds that included both OWE and DPP functionality. That issue was introduced by commit 09368515d130 ("OWE: Process Diffie-Hellman Parameter element in AP mode") and removed by commit 16a4e931f03e ("OWE: Allow Diffie-Hellman Parameter element to be included with DPP"). hostapd builds between those two commits would reject DPP association attempt with PFS. The new wpa_supplicant default (dpp_pfs=0) behavior is to automatically try to connect again with PFS disabled if that happens.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Presence Announcement processing at Configurator | Jouni Malinen | 13 days | 1 | -0/+65
  Process received Presence Announcement frames and initiate Authentication exchange if matching information is available on the Configurator.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Chirping in wpa_supplicant Enrollee | Jouni Malinen | 13 days | 4 | -0/+299
  Add a new wpa_supplicant control interface command "DPP_CHIRP own=<BI ID> iter=<count>" to request chirping, i.e., sending of Presence Announcement frames, to be started.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add DPP_BOOTSTRAP_SET command | Jouni Malinen | 13 days | 1 | -0/+4
  "DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to set peer specific configurator parameters which will override any global parameters from dpp_configurator_params.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Store global pointers in struct dpp_authentication | Jouni Malinen | 13 days | 1 | -7/+8
  Set the global pointer and msg_ctx when allocating struct dpp_authentication instead of needing to pass these to dpp_set_configurator().
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix a typo in function documentation | Jouni Malinen | 14 days | 1 | -1/+1
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* STA: Fix wpa_clear_keys() PTK key deletion logic | Alexander Wetzel | 2020-03-25 | 1 | -1/+1
  We have to delete PTK keys when either BIT(0) or BIT(15) are zero and not only when both are zero.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* wpa_supplicant AP mode configuration for Transition Disable KDE | Jouni Malinen | 2020-03-25 | 4 | -0/+24
  Allow AP mode network profile in wpa_supplicant to be configured to advertise Transition Disable KDE.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Process Transition Disable KDE in station mode | Jouni Malinen | 2020-03-25 | 1 | -0/+68
  Check whether the Transition Disable KDE is received from an authenticated AP and if so, whether it contains valid indication for disabling a transition mode. If that is the case, update the local network profile by removing the less secure options.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow last configured Key ID for TK to be fetched from wpa_supplicant | Jouni Malinen | 2020-03-23 | 1 | -0/+2
  "GET last_tk_key_idx" can now be used in testing build to determine which was the last configured Key ID for the pairwise key.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* STA: Support Extended Key ID | Alexander Wetzel | 2020-03-23 | 12 | -10/+91
  Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Limit scan frequency list to 100 entries | Jouni Malinen | 2020-03-22 | 1 | -1/+3
  There is no real use case for the scan to be requested on more than 100 channels individually. To avoid excessively long lists with invalid configuration, use 100 entry limit for the list before dropping to the fallback scan-all-channels option.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* D-Bus: Use size_t for values theoretically larger than 16-bit int | Jouni Malinen | 2020-03-22 | 1 | -3/+3
  These are theoretical cases with 32-bit integers, but cases that could potentially hit an integer overflow with 16-bit int.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Use size_t instead of int or unsigned int for configuration items | Jouni Malinen | 2020-03-22 | 4 | -9/+9
  While int and unsigned int are not going to overflow in practice as 32-bit values, these could at least in theory hit an integer overflow with 16-bit int. Use size_t to avoid such potential issue cases.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Use size_t instead of unsigned_int for last_scan_res | Jouni Malinen | 2020-03-22 | 2 | -3/+3
  This avoids a theoretical unsigned integer overflow case with 32-bit integers, but something that could potentially be hit with 16-bit int (though, even that part looks pretty theoretical in this particular case of number of BSSs in scan results).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Interpolate rate calculation functions | Matthew Wang | 2020-03-21 | 1 | -58/+70
  Make max_*_rate() functions and rate calculation at the beginning of wpas_get_est_tpt() more continuous. In wpa_supplicant_need_to_roam(), we compare these values to make a roaming decision. However, at certain SNRs, we see unrealistically large jumps in estimated throughput according to these functions, leading us to make incorrect roaming decisions. Perform linear interpolation where applicable to more accurately reflect actual throughput.
  Example:
    wlan0: Current BSS: 88:3d:24:b4:95:d2 freq=2412 level=-69 snr=20 est_throughput=54000
    wlan0: Selected BSS: 88:3d:24:b4:89:9e freq=2417 level=-67 snr=22 est_throughput=63500
    wlan0: Using signal poll values for the current BSS: level=-69 snr=20 est_throughput=54000
    wlan0: Allow reassociation - selected BSS has better estimated throughput
  2 dB increase in RSSI likely isn't responsible for a 17% increase in throughput.
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* Adjust max bitrate SNR floors | Matthew Wang | 2020-03-21 | 1 | -32/+42
  These values were defined in commit a1b790eb9d75 ("Select AP based on estimated maximum throughput") with no justification. Other sources [0,1,2] give a different (consistent) set of SNR floors per MCS index. Adjust the values accordingly.
  [0] http://www.revolutionwifi.net/revolutionwifi/2014/09/wi-fi-snr-to-mcs-data-rate-mapping.html
  [1] https://higher-frequency.blogspot.com/2016/10/80211n-80211ac-data-rates-and-snr.html
  [2] https://www.wlanpros.com/resources/mcs-index-802-11ac-vht-chart/
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* Allow SA Query to be disabled for testing purposes | Jouni Malinen | 2020-03-21 | 3 | -0/+8
  The new wpa_supplicant control interface SET parameter disable_sa_query can now be used to disable SA Query on receiving unprotected disconnection event.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Omit RSNXE from FT protocol Reassociation Request when needed | Jouni Malinen | 2020-03-20 | 1 | -1/+4
  The previous design for adding RSNXE into FT was not backwards compatible. Move to a new design based on 20/332r3 to avoid that issue by not including RSNXE in the FT protocol Reassociation Request frame so that an AP not supporting RSNXE can still validate the FTE MIC correctly.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Indicate scan completion in active AP mode even when ignoring results | Jouni Malinen | 2020-03-15 | 1 | -9/+9
  This is needed to avoid leaving external components (through control interface or D-Bus) timing out while waiting for the scan completion events. This was already taken care of for the scan-only case ("TYPE=only"), but the scan-and-allow-roaming case did not report the scan completion event when operating in AP mode.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow RSNE in EAPOL-Key msg 2/4 to be overridden for testing purposes | Jouni Malinen | 2020-03-15 | 4 | -0/+18
  The new wpa_supplicant control interface parameter rsne_override_eapol can be used similarly to the earlier rsnxe_override_eapol to override the RSNE value added into EAPOL-Key msg 2/4.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Move the "WPA: AP key_mgmt" debug print to be after final changes | Jouni Malinen | 2020-03-13 | 1 | -3/+3
  Driver capabilities may end up masking out some WPA_KEY_MGMT_* bits, so debug print the outcome only after having performed all these steps.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Multi-AP: Set 4-address mode after network selection | Gurumoorthi Gnanasambandhan | 2020-03-13 | 3 | -13/+32
  Split multi_ap_process_assoc_resp() to set 4-address mode after network selection. Previously, wpa_s->current_ssid might have been NULL in some cases and that would have resulted in 4-address mode not getting enabled properly.
  Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
* Fill the current opclass in (Re)AssocRequest depending on HT/VHT IEs | Ananya Barat | 2020-03-11 | 5 | -10/+31
  The previous implementation was assuming a fixed 20 MHz channel bandwidth when determining which operating class value to indicate as the Current Operating Class in the Supported Operating Classes element. This is not accurate for many HT/VHT cases. Fix this by determining the current operating class (i.e., the operating class used for the requested association) based on the HT/VHT operation elements from scan results.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* mesh: Fix CONFIG_HT_OVERRIDES build without CONFIG_VHT_OVERRIDES | Arturo Buzarra | 2020-03-10 | 1 | -0/+2
  Commit e5a9b1e8a3 ("mesh: Implement use of VHT20 config in mesh mode") introduced the possibility to check the disable_vht param. However, this entry is only available when CONFIG_VHT_OVERRIDES is enabled and as such, this broke the build for some cases. Fix this by encapsulating VHT property with the proper CONFIG entry.
  Fixes: e5a9b1e8a3a5 ("mesh: Implement use of VHT20 config in mesh mode")
  Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
* WPS: Do not set auth_alg=OPEN for PSK+SAE case | Jouni Malinen | 2020-03-10 | 1 | -0/+1
  When wps_cred_add_sae=1 is used, WPS_AUTH_WPA2PSK credential gets converted to enabling both PSK and SAE AKMs. However, this case was still hardcoded auth_alg=OPEN which is not really correct for SAE. While the SME-in-wpa_supplicant case can handle that, the SME-in-driver case might not. Remove the unnecessary auth_alg=OPEN configuration to get the normal PSK+SAE configuration enabled for the network profile.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Expose sae_write_commit() error cases to callers | Jouni Malinen | 2020-03-08 | 1 | -2/+5
  Check whether an error is reported from any of the functions that could in theory fail and if so, do not proceed with the partially filled SAE commit buffer.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Replace systemd install Alias with WantedBy | Joshua DeWeese | 2020-03-08 | 3 | -3/+3
  According to the systemd documentation "WantedBy=foo.service in a service bar.service is mostly equivalent to Alias=foo.service.wants/bar.service in the same file." However, this is not really the intended purpose of install Aliases.
  Signed-off-by: Joshua DeWeese <jdeweese@hennypenny.com>
* OWE: Allow BSS entry with different SSID to be used in transition mode | Jouni Malinen | 2020-03-08 | 1 | -0/+7
  Similarly to the wpa_supplicant_select_config() case, wpa_get_beacon_ie() needs to handle the special case for OWE transition mode where the SSID in the network profile does not match the SSID of the OWE BSS (that has a hidden, random SSID). Accept such a BSS in case the current scan results need to be fetched for verifying EAPOL-Key msg 3/4 IEs.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Mark BSS for transition mode based on active OWE network profiles | Jouni Malinen | 2020-03-08 | 1 | -0/+18
  It is possible for the hidden OWE BSS to be found based on SSID-specific scan (e.g., from the special OWE scan mechanism). In that sequence, the previously used learning of OWE BSS was skipped since the SSID was already present in the BSS entry. This could result in not being able to find a matching BSS entry for the OWE BSS in transition mode.
  Fix this by adding the BSS flag for transition mode based on SSID matching against currently enabled OWE network profiles in addition to the previous mechanism.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Avoid incorrect profile update in transition mode | Jouni Malinen | 2020-03-07 | 2 | -0/+12
  The "unexpected" change of SSID between the current network profile (which uses the SSID from the open BSS in OWE transition mode) and the association with the OWE BSS (which uses a random, hidden SSID) resulted in wpa_supplicant incorrectly determining that this was a driver-initiated BSS selection ("Driver-initiated BSS selection changed the SSID to <the random SSID from OWE BSS>" in debug log).
  This ended up with updating security parameters based on the network profile in wpa_supplicant_set_suites() instead of using the already discovered information from scan results. In particular, this cleared the RSN supplicant state machine information of AP RSNE and resulted in having to fetch the scan results for the current BSS when processing EAPOL-Key msg 3/4.
  Fix this by recognizing the special case for OWE transition mode where the SSID for the associated AP does not actually match the SSID in the network profile.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Replace WPA_ALG_PMK with KEY_FLAG_PMK | Alexander Wetzel | 2020-03-06 | 1 | -2/+2
  Drop the no longer needed internal alg WPA_ALG_PMK and use KEY_FLAG_PMK as replacement.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* wpa_cli: Add missing quote around interface name | Andrew Siplas | 2020-03-06 | 1 | -1/+1
  There was only an open quote present.
  Signed-off-by: Andrew Siplas <andrew@asiplas.net>
* Fix segmentation fault for NULL confname in SAVE_CONFIG | Zhaoyang Liu | 2020-03-06 | 1 | -2/+9
  When wpa_supplicant interface is added without a configuration file, the SAVE_CONFIG command causes a segmentation fault due to referencing a NULL pointer if the update_config parameter is first explicitly enabled.
  Fix the issue by checking the confname for NULL before saving configuration.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow wildcard SSID to be enforced for a specific BSSID scan | Veerendranath Jakkam | 2020-03-02 | 3 | -1/+9
  Specific BSSID scan was replacing wildcard SSID with the known SSID if any BSS with the specified BSSID is available in the known BSSes list.
  Add control interface support to force use of a wildcard SSID in a specific BSSID scan by user with the new "wildcard_ssid=1" argument to the SCAN command.
  Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* mesh: Fix HE enablement on 5 GHz with VHT | Pradeep Kumar Chitrapu | 2020-03-02 | 1 | -2/+2
  Incorrect he_enabled parameter was being passed to hostapd_set_freq_params() in mesh which caused HE to be not fully enabled on the 5 GHz band. Fix this by setting freq->he_enabled instead of vht_freq.he_enabled so that the hostapd_set_freq_params() uses the correct he_enabled value (and then ends up copying this to vht_freq.he_enabled in the success case).
  Fixes: 6e711e7ab32 ("mesh: Do not enable HE on 5 GHz without VHT")
  Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
* SAE: Allow SAE-only network profile with sae_password to be written | Sachin Shelke | 2020-03-02 | 1 | -2/+5
  The commit a34ca59e (SAE: Allow SAE password to be configured separately (STA)) added sae_password configuration option. We should also consider sae_password in the wpa_config_write() function which stores the valid network block details to an external database.
  Fixes: a34ca59e4db0 ("SAE: Allow SAE password to be configured separately (STA)")
  Signed-off-by: Sachin Shelke <sachin.shelke@nxp.com>
  Signed-off-by: Cathy Luo <xiaohua.luo@nxp.com>
  Signed-off-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
* privsep: Add key_flag to set_key() | Alexander Wetzel | 2020-03-01 | 1 | -0/+1
  Pass through the new key_flag to wpa_priv.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Silence a compiler warning in no-WEP and no-EAP builds | Jouni Malinen | 2020-03-01 | 1 | -0/+2
  wep_keys_set was not used in wpas_start_assoc_cb() without IEEE8021X_EAPOL, so need to make this local variable conditional on build options.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* driver: Extend send_mlme() with wait option | Ilan Peer | 2020-02-29 | 4 | -6/+6
  PASN authentication can be performed while a station interface is connected to an AP. To allow sending PASN frames while connected, extend the send_mlme() driver callback to also allow a wait option. Update the relevant drivers and wpa_supplicant accordingly.
  hostapd calls for send_mlme() are left unchanged, since the wait option is not required there.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>