path: root/wpa_supplicant
Commit log (columns: commit message, author, age, files changed, lines removed/added)
* Restore permanent MAC address on the FLUSH command
  Author: Jouni Malinen | Age: 4 days | Files: 3 | Lines: -11/+22
  Clear previously used random MAC address on the FLUSH command if mac_addr setting has been disabled.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP2: Accept Config Result before GAS response TX status
  Author: Jouni Malinen | Age: 4 days | Files: 1 | Lines: -4/+19
  The TX event for the next frame in the sequence might be received before the TX status for the final GAS response frame is processed. This used to result in the Config Result getting discarded and the negotiation not completing successfully on the Configurator side. Accept the Config Result message as an indication of the final GAS response frame having gone through fine even if the TX status has not yet been processed to avoid this issue from a potential race condition on kernel events.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Avoid use of C++ keyword in a header file
  Author: Jouni Malinen | Age: 4 days | Files: 3 | Lines: -8/+9
  Don't use 'protected' as the name of the variable in bss.h since this might be used in control interfaces that use C++.
  Fixes: 1c77f3d3f9a3 ("Indicate whether additional ANQP elements were protected")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* PASN: Correctly set RSNXE bits from STA
  Author: Ilan Peer | Age: 6 days | Files: 1 | Lines: -3/+3
  These defines are for the capability bit number, not the binary value from the bit index. As such, we need to use BIT() here to set the bitmap appropriately.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
  Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* wpa_supplicant: Fix potential memleak on an error path
  Author: Andrei Otcheretianski | Age: 6 days | Files: 1 | Lines: -0/+1
  extra_buf allocation was missed in one of the error cases.
  Fixes: 170775232d61 ("ANQP: Add support to specify frequency in ANQP_GET command")
  Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* Show OCV and beacon protection capabilities in control interface
  Author: Veerendranath Jakkam | Age: 10 days | Files: 1 | Lines: -0/+25
  Indicate local support for Operating Channel Validation (OCV) and beacon protection.
  Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* STA: Check driver capability to enable OCV when driver SME is used
  Author: Veerendranath Jakkam | Age: 10 days | Files: 2 | Lines: -2/+5
  When the driver SME is used, offloaded RSN handshakes like SA Query, GTK rekeying, FT authentication, etc. would fail if wpa_supplicant enables OCV in initial connection based on configuration but the driver doesn't support OCV. To avoid such failures check the driver's capability for enabling OCV when the driver SME is used. This commit also adds a capability flag for indicating OCV support by the driver.
  Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* Clean up RSN parameter setting for PASN
  Author: Jouni Malinen | Age: 10 days | Files: 1 | Lines: -3/+4
  Set conf.force_kdk_derivation within the same if block as all the other parameters. This is used only if ssid is not NULL, so no need to have any special handling for this parameter.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Enable beacon protection only when driver indicates support
  Author: Veerendranath Jakkam | Age: 10 days | Files: 2 | Lines: -3/+9
  Enabling beacon protection will cause STA connection/AP setup failures if the driver doesn't support beacon protection. To avoid this, check the driver capability before enabling beacon protection. This commit also adds a capability flag to indicate beacon protection support in client mode only.
  Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* Update sgml to generate reproducible manpages
  Author: Hu Keping | Age: 10 days | Files: 8 | Lines: -0/+32
  Prior to this patch, we failed to recreate bit-by-bit identical copies of wpa_supplicant because it doesn't generate reproducible manpages. Since the latest version (0.6.14-3 or newer) of docbook-utils already supports getting the date from the sgml file [1], it is possible to make some progress on the "reproducible builds" effort [2].
  [1]: https://sources.debian.org/patches/docbook-utils/0.6.14-3
  [2]: https://reproducible-builds.org
  Signed-off-by: Hu Keping <hukeping@huawei.com>
* ext_password: Implement new file-based backend
  Author: Patrick Steinhardt | Age: 10 days | Files: 4 | Lines: -0/+21
  It was not easily possible to separate configuration of an interface and credentials when using the configuration file instead of the control interface or D-Bus interface for setting up the network profiles. This makes it hard to distribute configuration across a set of nodes which use wpa_supplicant without also having to store credentials in the same file. While this can be solved via scripting, having a native way to achieve this would be preferable.
  Turns out there already is a framework to have external password storages. It only had a single "test" backend though, which is kind of an in-memory store which gets initialized with all passwords up front and is mainly for testing purposes. This isn't really suitable for the above use case: the backend cannot be initialized as part of the central configuration given that it needs the credentials, and we want to avoid scripting.
  This commit thus extends the infrastructure to implement a new backend, which instead uses a simple configuration file containing key-value pairs. The file follows the format which wpa_supplicant.conf(5) uses: empty lines and comments are ignored, while passwords can be specified with simple `password-name=password-value` assignments. With this new backend, splitting up credentials and configuration becomes trivial:

      # /etc/wpa_supplicant/wpa_supplicant.conf
      ext_password_backend=file:/etc/wpa_supplicant/psk.conf

      network={
          ssid="foobar"
          psk=ext:foobar
      }

      # /etc/wpa_supplicant/psk.conf
      foobar=ecdabff9c80632ec6fcffc4a8875e95d45cf93376d3b99da6881298853dc686b

  Alternative approaches would be to support including other configuration files in the main configuration, such that common configuration and network declarations including credentials are split up into separate files. But the implementation would probably have been more complex compared to reusing the already-existing framework for external password backends.
  Signed-off-by: Patrick Steinhardt <ps@pks.im>
* wpa_supplicant: Move wpa_config_get_line() into utils
  Author: Patrick Steinhardt | Age: 10 days | Files: 6 | Lines: -99/+15
  The function wpa_config_get_line() is used by the wpa_supplicant config file parser to retrieve the next non-comment non-blank line. We'll need the same kind of functionality to implement the file-based external password backend, so as a preparatory step this commit extracts the function into its own standalone file in the utils package. No functional changes are expected from this commit.
  Signed-off-by: Patrick Steinhardt <ps@pks.im>
* P2P: Clear unexpected HT40 configuration on 2.4 GHz band
  Author: Jouni Malinen | Age: 11 days | Files: 1 | Lines: -0/+10
  A number of the P2P+NFC test cases have been failing every now and then and those failures seemed to be because of having somehow managed to select the GO's operating channel as HT40+ on the channel 11 in the 2.4 GHz band, i.e., something that is clearly incorrect. The P2P check for HT40 secondary channel is supported only on the 5 GHz band, so drop HT40 configuration if it shows up unexpectedly on the 2.4 GHz band to avoid issues in GO being able to start.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Don't exit scanning state on config reload
  Author: Michal Kazior | Age: 12 days | Files: 1 | Lines: -1/+7
  There's a chance that prior to config reload being requested a scan work was started. As such forcing wpa_supplicant to WPA_DISCONNECTED was removing any hints that the actual driver is busy with work. That led to wpa_supplicant reporting "Failed to initialize AP scan" over and over again for a few seconds (depending on driver/capabilities) until the untracked scan finished. Cancelling a scan isn't really a solution because there's a bunch of scanning state bits sprinkled across wpa_supplicant structure and they get updated as driver events actually flow in in an async manner. As far as I can tell this is only preventing unnecessary warning messages. This doesn't seem like it was crippling any logic per se.
  Signed-off-by: Michal Kazior <michal@plume.com>
* DPP2: Defer chirp scan if other scan is queued up
  Author: Michal Kazior | Age: 12 days | Files: 1 | Lines: -0/+11
  The chirp scan could override the scan_res_handler. This could lead to wpa_supplicant getting stuck in a scanning state while not scanning at all until forced to, e.g., via an explicit SCAN control command. The condition for triggering this problem in my testing was when (interface_count % 3) == 2. This introduced a two second delay before actual scan was triggered after starting the wpa_supplicant instance up. If DPP chirping was requested fast enough, in between the queueing and triggering, it would punt the scan request, never to be resumed again. Chirp scan handler wouldn't resume it leaving wpa_supplicant inadvertently idle.
  Signed-off-by: Michal Kazior <michal@plume.com>
* mesh: Assign channel in frequency params in all bands
  Author: Pradeep Kumar Chitrapu | Age: 2021-02-09 | Files: 1 | Lines: -0/+2
  Previously, the channel number was set in hostapd_freq_params only with the presence of HT capabilities. Set the channel number before the check for HT mode to accommodate the 6 GHz band cases.
  Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
* DPP: Expose config object PSK/passphrase in wpa_supplicant
  Author: Michal Kazior | Age: 2021-02-09 | Files: 1 | Lines: -0/+15
  hostapd was already exposing this. There's no reason not to expose it in wpa_supplicant. This allows 3rd party apps interacting with the control interface to handle DPP events to get configs instead of needing to dance around with update_config=1 and SAVE_CONFIG.
  Signed-off-by: Michal Kazior <michal@plume.com>
* DPP: Expose config object AKM in wpa_supplicant control interface
  Author: Michal Kazior | Age: 2021-02-09 | Files: 1 | Lines: -0/+2
  hostapd was already exposing this. There's no reason not to expose it in wpa_supplicant. This allows 3rd party apps interacting with the control interface to handle DPP events to get configs instead of needing to dance around with update_config=1 and SAVE_CONFIG.
  Signed-off-by: Michal Kazior <michal@plume.com>
* DPP2: Fix Authentication Request destination in the chirping case
  Author: Jouni Malinen | Age: 2021-02-09 | Files: 1 | Lines: -3/+6
  The Authentication Request frames triggered by the reception of a Presence Announcement frame were sent to the broadcast address. This is not correct behavior since the source MAC address of the Presence Announcement frame was supposed to override the Responder MAC address. Fix this by using that source MAC address to avoid unnecessary use of broadcast frames.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix compiler warning on CONFIG_AP without CONFIG_P2P builds
  Author: Jouni Malinen | Age: 2021-02-07 | Files: 1 | Lines: -0/+2
  The static function is_chanwidth160_supported() is called only within CONFIG_P2P block so the function itself needs to have matching condition for build.
  Fixes: ed24bad1d98d ("AP: Check driver support while auto-selecting bandwidth for AP/P2P GO")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Update Visual Studio projects to match file renaming
  Author: Jouni Malinen | Age: 2021-02-07 | Files: 3 | Lines: -3/+3
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename blacklist.[ch] to bssid_ignore.[ch]
  Author: Jouni Malinen | Age: 2021-02-07 | Files: 11 | Lines: -10/+10
  This completes renaming of this functionality for a list of temporarily ignored BSSIDs.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename wpa_blacklist to wpa_bssid_ignore
  Author: Jouni Malinen | Age: 2021-02-07 | Files: 10 | Lines: -163/+165
  This is a more accurate name for this functionality of temporarily ignoring BSSIDs.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename INTERWORKING_BLACKLISTED define
  Author: Jouni Malinen | Age: 2021-02-07 | Files: 1 | Lines: -1/+1
  Use more accurate INTERWORKING_EXCLUDED for this. The actual event prefix is not changed to remain compatible with external components using this control interface event message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename the control interface BLACKLIST command to BSSID_IGNORE
  Author: Jouni Malinen | Age: 2021-02-07 | Files: 2 | Lines: -12/+21
  Use a more specific name for the control interface command used for managing the list of BSSIDs that are temporarily ignored.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Rename network profiles parameters for ignoring/accepted BSSIDs
  Author: Jouni Malinen | Age: 2021-02-07 | Files: 7 | Lines: -40/+96
  Rename the network profile parameters bssid_blacklist and bssid_whitelist to bssid_ignore and bssid_accept to use more specific names for the configuration of which BSSs are ignored/accepted during BSS selection. The old parameter names are maintained as aliases for the new names to avoid breaking compatibility with previously used configurations.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Configurable fast-associate timer threshold
  Author: Mikael Kanstrup | Age: 2021-02-06 | Files: 7 | Lines: -9/+28
  For Android the default value of 5 seconds is usually too short for scan results from last scan initiated from settings app to be considered for fast-associate. Make the fast-associate timer value configurable so that a suitable value can be set based on a system's regular scan interval.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
* wpa_supplicant: Notify freq change on CH_SWITCH
  Author: Arowa Suliman | Age: 2021-02-06 | Files: 3 | Lines: -14/+20
  wpa_supplicant does not send a D-Bus notification of the BSS frequency change when a CSA happens. Sending a PropertyChanged signal with the updated frequency will notify the network manager quickly, instead of waiting for the next scan results.
  Signed-off-by: Arowa Suliman <arowa@chromium.org>
  Reviewed-by: Brian Norris <briannorris@chromium.org>
* P2P: Adding option to manage device drivers creating random MAC addresses
  Author: Ircama | Age: 2021-02-06 | Files: 2 | Lines: -3/+41
  Add option 2 to the p2p_device_random_mac_addr configuration option to support device drivers which use by default random MAC addresses when creating a new P2P Device interface (for instance, the BCM2711 80211 wireless device driver included in Raspberry Pi 4 Model B). In such a case, this option allows to create the P2P Device interface correctly when using P2P permanent groups, enabling wpa_supplicant to reuse the same MAC address when re-invoking a P2P permanent group. update_config=1 is required.
  Signed-off-by: Ircama <amacri@tiscali.it>
* Make wpa_bss_ext_capab() handle NULL bss argument
  Author: Jouni Malinen | Age: 2021-02-06 | Files: 4 | Lines: -10/+7
  This simplifies the callers that use wpa_s->current_bss (which could be NULL).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* robust_av: Use wpa_bss_ext_capab() helper
  Author: Johannes Berg | Age: 2021-02-06 | Files: 1 | Lines: -6/+2
  Use the helper instead of open-coding the check. Since the helper doesn't handle a NULL BSS, keep that extra check.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* dbus: Fix IEs getter to use wpa_bss_ie_ptr()
  Author: Brad Kemp | Age: 2021-02-06 | Files: 1 | Lines: -2/+2
  The wpa_bss structure's last element is an empty array. The forgotten code here assumed that the array of IEs was contiguous to the wpa_bss structure. This is not always the case anymore. Update this missed case to use the new wpa_bss_ie_ptr() wrapper to send the correct array of IEs over DBus.
  Fixes: be7ee264f654 ("BSS: Use wrapper function for getting a pointer to the IE buffer")
  Signed-off-by: Brad Kemp <brad at beechwoods.com>
* Reset external_scan_running on interface deletion
  Author: David Su | Age: 2021-02-02 | Files: 4 | Lines: -8/+23
  Currently, the external_scan_running flag is not reset when an interface is removed. Thus, if a connection attempt is made on another iface, it will fail due to wpa_supplicant incorrectly assuming the radio is still busy due to the ongoing scan. To fix this, convert external_scan_running to a pointer to the interface that started the scan. If this interface is removed, also reset the pointer to NULL so that other operations may continue on this radio.
  Test:
  1. Start scan on wlan0
  2. Remove wlan0
  3. Can connect to a network on wlan1
  Signed-off-by: David Su <dysu@google.com>
* mesh: Fix for leaving mesh
  Author: Abinaya Kalaiselvan | Age: 2021-02-02 | Files: 1 | Lines: -1/+2
  Avoid multiple execution of wpa_drv_leave_mesh().
  Fixes: 0896c442dcd5 ("mesh: Fix for mesh init/deinit")
  Signed-off-by: Abinaya Kalaiselvan <akalaise@codeaurora.org>
* WPA: Support deriving KDK based on capabilities
  Author: Ilan Peer | Age: 2021-01-26 | Files: 1 | Lines: -1/+1
  Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Include RSNXE in the PASN negotiation
  Author: Ilan Peer | Age: 2021-01-26 | Files: 2 | Lines: -9/+31
  IEEE P802.11az/D2.6 added definitions to include RSNXE in the PASN negotiation. Implement the new functionality in both wpa_supplicant and hostapd.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Support PASN with FT key derivation
  Author: Ilan Peer | Age: 2021-01-26 | Files: 2 | Lines: -7/+57
  Add support for PASN authentication with FT key derivation:
  - As IEEE P802.11az/D2.6 states that wrapped data is optional and is only needed for further validation of the FT security parameters, do not include them in the first PASN frame.
  - PASN with FT key derivation requires knowledge of the PMK-R1 and PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1, etc. only for the currently associated AP, store the mapping of BSSID to R1KH-ID for each previous association, so the R1KH-ID could be used to derive PMK-R1 and PMK-R1-Name. Do so instead of storing the PMK-R1 to avoid maintaining keys that might not be used.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Support PASN with FILS key derivation
  Author: Ilan Peer | Age: 2021-01-25 | Files: 2 | Lines: -3/+343
  As the PASN FILS authentication is only defined for FILS SK without PFS, and to support PASN authentication with FILS, implement the PASN with FILS processing as part of the PASN handling and not as part of the WPA state machine.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Support PASN with SAE key derivation
  Author: Ilan Peer | Age: 2021-01-25 | Files: 5 | Lines: -9/+261
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* ctrl_iface: Add support for PASN authentication
  Author: Ilan Peer | Age: 2021-01-25 | Files: 2 | Lines: -0/+117
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Add support for PASN processing to wpa_supplicant
  Author: Ilan Peer | Age: 2021-01-25 | Files: 7 | Lines: -0/+946
  Add PASN implementation to wpa_supplicant:
  1. Add functions to initialize and clear PASN data.
  2. Add functions to construct PASN Authentication frames.
  3. Add function to process PASN Authentication frame.
  4. Add function to handle PASN frame TX status.
  5. Implement the station side flow processing for PASN.
  The implementation is missing support for wrapped data and PMKSA establishment for base AKMs, and only supports PASN authentication or base AKM with PMKSA caching. The missing parts will be added in later patches.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* WPA: Add PTKSA cache to wpa_supplicant for PASN
  Author: Ilan Peer | Age: 2021-01-25 | Files: 7 | Lines: -2/+41
  PASN requires storing the PTK derived during PASN authentication so it can later be used for secure LTF etc. This is also true for a PTK derived during regular connection. Add an instance of a PTKSA cache for each wpa_supplicant interface when PASN is enabled in build configuration.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* PASN: Add functions to compute PTK, MIC and hash
  Author: Ilan Peer | Age: 2021-01-25 | Files: 3 | Lines: -0/+22
  1. Add a function to derive the PTK from a PMK and additional data.
  2. Add a function to calculate the MIC for a PASN frame.
  3. Add a function to compute the hash of an authentication frame body.
  The above are built only in case that CONFIG_PASN is enabled at build time.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* WPA: Extend the wpa_pmk_to_ptk() function to also derive KDK
  Author: Ilan Peer | Age: 2021-01-25 | Files: 3 | Lines: -0/+20
  Extend the wpa_pmk_to_ptk() to also derive Key Derivation Key (KDK), which can later be used for secure LTF measurements. Update the wpa_supplicant and hostapd configuration and the corresponding WPA and WPA Auth state machine, to allow enabling of KDK derivation. For now, use a testing parameter to control whether KDK is derived.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* Add support for new 5 GHz channels 173 and 177
  Author: Sreeramya Soratkal | Age: 2021-01-22 | Files: 4 | Lines: -10/+23
  Add support for new channels 173 and 177 in the operating classes 125 to 130 as defined in draft IEEE P802.11ax/D8.0.
  Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
* DPP: Abort authentication if no Auth Confirm is received within a second
  Author: Purushottam Kushwaha | Age: 2021-01-22 | Files: 1 | Lines: -0/+37
  After sending DPP Auth Response, the Responder might not receive the Auth Confirm either due to the Initiator not sending it or the reception of the frame failing for some reason (e.g., Responder having already left the negotiation channel). If this happens, following initiation attempts would fail since the consecutive Auth Request would get discarded since the previous authentication is still in progress. Terminate DPP authentication on Responder, if no Auth Confirm is received within one second of successfully sending Auth Response. This allows the Responder to accept start of a new exchange.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add a configuration to disconnect on deinit if WoWLAN is enabled
  Author: Sunil Dutt | Age: 2021-01-21 | Files: 4 | Lines: -2/+19
  Commit 02c21c02d09f ("wpa_supplicant: Do not disconnect on deinit if WoWLAN is enabled") prevents the disconnection on deinit if the driver indicates that WoWLAN is enabled. This is not the expected behavior in some earlier use cases where the wpa_supplicant process is left running when going to sleep and killing of the wpa_supplicant process is used only when there is an expectation of Wi-Fi connection being disabled. To support the use cases which require the WLAN to disconnect on deinit even if WoWLAN is enabled, introduce a configuration parameter wowlan_disconnect_on_deinit. This is set to 0 by default thereby not impacting the functionality in the above mentioned commit. Setting it to 1 restores the old behavior before the commit identified above.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* dbus: Export new 'suiteb192' capability
  Author: Antonio Cardace | Age: 2021-01-15 | Files: 1 | Lines: -1/+4
  Export a new 'suiteb192' capability to indicate that wpa_supplicant was built with WPA-EAP-SUITE-B-192 support and accepts 'key_mgmt=WPA-EAP-SUITE-B-192'.
  Signed-off-by: Antonio Cardace <acardace@redhat.com>
* DBus: Add 'owe' to interface Capabilities
  Author: Brian Norris | Age: 2021-01-15 | Files: 1 | Lines: -0/+6
  Signed-off-by: Brian Norris <briannorris@chromium.org>
* wpa_cli: Add WPS_EVENT_OVERLAP to action scripts
  Author: Berkay Ercan | Age: 2021-01-15 | Files: 1 | Lines: -0/+2
  WPS_EVENT_OVERLAP case was missing from the wpa_cli_action_process() function in wpa_cli.c, so when the overlap event occurs, there was no event message sent to the action script. Add this event case to the function.
  Signed-off-by: Berkay Ercan <berkay.ercan@airties.com>
  Signed-off-by: Veli Demirel <veli.demirel@airties.com>