DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
hostapd/src/rsn_supp/wpa.h

656 lines
20 KiB
C
Raw Normal View History

Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
/*
* wpa_supplicant - WPA definitions
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 16:49:18 +02:00
* Copyright (c) 2003-2015, Jouni Malinen <j@w1.fi>
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
*
Remove the GPL notification from files contributed by Jouni Malinen Remove the GPL notification text from the files that were initially contributed by myself. Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 16:46:35 +02:00
* This software may be distributed under the terms of the BSD license.
* See README for more details.
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
*/
#ifndef WPA_H
#define WPA_H
Remove src/common from default header file path This makes it clearer which files are including header from src/common. Some of these cases should probably be cleaned up in the future not to do that. In addition, src/common/nl80211_copy.h and wireless_copy.h were moved into src/drivers since they are only used by driver wrappers and do not need to live in src/common.
2009-11-29 17:51:55 +02:00
#include "common/defs.h"
#include "common/eapol_common.h"
#include "common/wpa_common.h"
TDLS: Pass peer's HT Capability and QOS information during sta_add The information of the peer's HT capability and the QOS information is required for the driver to perform TDLS operations. Pass this information to the driver when the peer station is getting added. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-05 16:41:01 +02:00
#include "common/ieee802_11_defs.h"
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
struct wpa_sm;
struct eapol_sm;
struct wpa_config_blob;
TDLS: Propagate enable/disable channel-switch commands to driver The supplicant code does not try to control the actual channel of the radio at any point. It simply passes the target peer and channel parameters to the driver. It's the driver's responsibility to periodically initiate TDLS channel-switch operations when TDLS channel-switching is enabled. Allow enable/disable operations to be invoked via the control interface. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-12-29 00:20:51 -05:00
struct hostapd_freq_params;
Make channel_info available to the supplicant state machine This adds the necessary functions and callbacks to make the channel_info driver API available to the supplicant state machine that implements the 4-way and group key handshake. This is needed for OCV. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 15:46:20 -04:00
struct wpa_channel_info;
Add a callback to notify added PMKSA cache entry details Add a callback handler to notify details of a PMKSA cache entry when it is added to the PMKSA cache. This can be used to provide external components more convenient access to the PMKSA cache contents. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-20 19:27:51 +05:30
struct rsn_pmksa_cache_entry;
Provide information about the encryption status of received EAPOL frames This information was already available from the nl80211 control port RX path, but it was not provided to upper layers within wpa_supplicant and hostapd. It can be helpful, so parse the information from the driver event. Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 00:38:35 +03:00
enum frame_encryption;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
struct wpa_sm_ctx {
void *ctx; /* pointer to arbitrary upper level context */
Added a separate ctx pointer for wpa_msg() calls in WPA supp This is needed to allow IBSS RSN to use per-peer context while maintaining support for wpa_msg() calls to get *wpa_s as the pointer.
2009-01-17 17:54:40 +02:00
void *msg_ctx; /* upper level context for wpa_msg() calls */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
Get rid of unnecessary typedefs for enums.
2009-12-26 10:35:08 +02:00
void (*set_state)(void *ctx, enum wpa_states state);
enum wpa_states (*get_state)(void *ctx);
Replace int status/reason_code with u16 variable These cases are for the IEEE 802.11 Status Code and Reason Code and those fields are unsigned 16 bit values, so use the more appropriate type consistently. This is mainly to document the uses and to make the source code easier to understand. Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-22 20:17:38 +03:00
void (*deauthenticate)(void * ctx, u16 reason_code);
STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-10 23:19:09 +01:00
void (*reconnect)(void *ctx);
MLD STA: Extend key configuration functions to support Link ID Add support to specify a Link ID for set key operation for MLO connection. This does not change the existing uses and only provides the mechanism for extension in following commits. Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-03 13:38:49 +05:30
int (*set_key)(void *ctx, int link_id, enum wpa_alg alg,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
const u8 *addr, int key_idx, int set_tx,
const u8 *seq, size_t seq_len,
Introduce and add key_flag Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag. The following flag are defined: KEY_FLAG_MODIFY Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key. KEY_FLAG_DEFAULT Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.) KEY_FLAG_RX The key is valid for RX. Must not be set when deleting a key. KEY_FLAG_TX The key is valid for TX. Must not be set when deleting a key. KEY_FLAG_GROUP The key is a broadcast or group key. KEY_FLAG_PAIRWISE The key is a pairwise key. KEY_FLAG_PMK The key is a Pairwise Master Key (PMK). Predefined and needed flag combinations so far are: KEY_FLAG_GROUP_RX_TX WEP key not used as default key (yet). KEY_FLAG_GROUP_RX_TX_DEFAULT Default WEP or WPA-NONE key. KEY_FLAG_GROUP_RX GTK key valid for RX only. KEY_FLAG_GROUP_TX_DEFAULT GTK key valid for TX only, immediately taking over TX. KEY_FLAG_PAIRWISE_RX_TX Pairwise key immediately becoming the active pairwise key. KEY_FLAG_PAIRWISE_RX Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.) KEY_FLAG_PAIRWISE_RX_TX_MODIFY Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX. KEY_FLAG_RX_TX Not a valid standalone key type and can only used in combination with other flags to mark a key for RX/TX. This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-04 23:10:04 +01:00
const u8 *key, size_t key_len, enum key_flag key_flag);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
void * (*get_network_ctx)(void *ctx);
int (*get_bssid)(void *ctx, u8 *bssid);
int (*ether_send)(void *ctx, const u8 *dest, u16 proto, const u8 *buf,
size_t len);
int (*get_beacon_ie)(void *ctx);
void (*cancel_auth_timeout)(void *ctx);
u8 * (*alloc_eapol)(void *ctx, u8 type, const void *data, u16 data_len,
size_t *msg_len, void **data_pos);
Add PMKSA-CACHE-ADDED/REMOVED events to wpa_supplicant These allow external program to monitor PMKSA cache updates in preparation to enable external persistent storage of PMKSA cache. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 20:59:41 +02:00
int (*add_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
FILS: Add support for Cache Identifier in add/remove PMKSA Add support for setting and deleting PMKSA cache entries based on FILS Cache Identifer. Also additionally add support for sending PMK as part of SET_PMKSA to enable driver to derive keys in case of FILS shared key offload using PMKSA caching. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-30 19:27:15 +05:30
const u8 *pmkid, const u8 *fils_cache_id,
nl80211: Configure PMKSA lifetime and reauth threshold timer to driver Drivers that trigger roaming need to know the lifetime and reauth threshold time of configured PMKSA so that they can trigger full authentication to avoid unnecessary disconnection. To support this, send dot11RSNAConfigPMKLifetime and dot11RSNAConfigPMKReauthThreshold values configured in wpa_supplicant to the driver while configuring a PMKSA. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-03-23 19:11:24 +05:30
const u8 *pmk, size_t pmk_len, u32 pmk_lifetime,
FT: Do not add PMKID to the driver for FT-EAP if caching is disabled wpa_supplicant disables PMKSA caching with FT-EAP by default due to known interoperability issues with APs. This is allowed only if the network profile is explicitly enabling caching with ft_eap_pmksa_caching=1. However, the PMKID for such PMKSA cache entries was still being configured to the driver and it was possible for the driver to build an RSNE with the PMKID for SME-in-driver cases. This could result in hitting the interop issue with some APs. Fix this by skipping PMKID configuration to the driver fot FT-EAP AKM if ft_eap_pmksa_caching=1 is not used in the network profile so that the driver and wpa_supplicant behavior are in sync for this. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-06 16:46:32 +03:00
u8 pmk_reauth_threshold, int akmp);
Add PMKSA-CACHE-ADDED/REMOVED events to wpa_supplicant These allow external program to monitor PMKSA cache updates in preparation to enable external persistent storage of PMKSA cache. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 20:59:41 +02:00
int (*remove_pmkid)(void *ctx, void *network_ctx, const u8 *bssid,
FILS: Add support for Cache Identifier in add/remove PMKSA Add support for setting and deleting PMKSA cache entries based on FILS Cache Identifer. Also additionally add support for sending PMK as part of SET_PMKSA to enable driver to derive keys in case of FILS shared key offload using PMKSA caching. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-30 19:27:15 +05:30
const u8 *pmkid, const u8 *fils_cache_id);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
void (*set_config_blob)(void *ctx, struct wpa_config_blob *blob);
const struct wpa_config_blob * (*get_config_blob)(void *ctx,
const char *name);
int (*mlme_setprotection)(void *ctx, const u8 *addr,
int protection_type, int key_type);
int (*update_ft_ies)(void *ctx, const u8 *md, const u8 *ies,
size_t ies_len);
int (*send_ft_action)(void *ctx, u8 action, const u8 *target_ap,
const u8 *ies, size_t ies_len);
FT: Add driver op for marking a STA authenticated This can be used with FT-over-DS where FT Action frame exchange triggers transition to State 2 (authenticated) without Authentication frame exchange.
2010-03-13 18:28:15 +02:00
int (*mark_authenticated)(void *ctx, const u8 *target_ap);
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
#ifdef CONFIG_TDLS
TDLS: Get TDLS related capabilities from driver Put glue code in place to propagate TDLS related driver capabilities to the TDLS state machine. If the driver doesn't support capabilities, assume TDLS is supported internally. When TDLS is explicitly not supported, disable all user facing TDLS operations. Signed-off-by: Arik Nemtsov <arik@wizery.com> Cc: Kalyan C Gaddam <chakkal@iit.edu>
2011-09-26 13:55:25 +03:00
int (*tdls_get_capa)(void *ctx, int *tdls_supported,
TDLS: Add channel-switch capability flag Propagate a driver TDLS channel-switch support bit from nl80211 to TDLS code. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-12-28 22:44:37 -05:00
int *tdls_ext_setup, int *tdls_chan_switch);
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
int (*send_tdls_mgmt)(void *ctx, const u8 *dst,
u8 action_code, u8 dialog_token,
Pass TDLS peer capability information in tdls_mgmt While framing the TDLS Setup Confirmation frame, the driver needs to know if the TDLS peer is VHT/HT/WMM capable and thus shall construct the VHT/HT operation / WMM parameter elements accordingly. Supplicant determines if the TDLS peer is VHT/HT/WMM capable based on the presence of the respective IEs in the received TDLS Setup Response frame. The host driver should not need to parse the received TDLS Response frame and thus, should be able to rely on the supplicant to indicate the capability of the peer through additional flags while transmitting the TDLS Setup Confirmation frame through tdls_mgmt operations. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-26 21:34:50 +05:30
u16 status_code, u32 peer_capab,
driver: Add option for link ID to be specified for send_tdls_mgmt() This is needed to allow the driver to know on which operating channel (as specified by the link that is affiliated with AP MLD for the current association) is used for transmitting TDLS Discovery Response. This commit adds the link_id parameter to various functions, but does not implement the driver interface change itself. Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
2023-02-09 00:25:30 -08:00
int initiator, const u8 *buf, size_t len,
int link_id);
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
int (*tdls_oper)(void *ctx, int oper, const u8 *peer);
TDLS: Pass peer's AID information to kernel The information of the peer's AID is required for the driver to construct partial AID in VHT PPDU's. Pass this information to the driver during add/set station operations (well, as soon as the information is available, i.e., with set station operation currently). Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-05-06 15:47:44 +03:00
int (*tdls_peer_addset)(void *ctx, const u8 *addr, int add, u16 aid,
TDLS: Add peer as a STA during link setup Before commencing setup, add a new STA entry to the driver representing the peer. Later during setup, update the STA entry using information received from the peer. Extend sta_add() callback for adding/modifying a TDLS peer entry and connect it to the TDLS state machine. Implement this callback for the nl80211 driver and send peer information to kernel. Mark TDLS peer entries with a new flag and translate it to a corresponding nl80211 flag in the nl80211 driver. In addition, correct TDLS related documentation in the wpa_driver_ops structure. Signed-off-by: Arik Nemtsov <arik@wizery.com> Cc: Kalyan C Gaddam <chakkal@iit.edu>
2011-10-23 14:02:57 +03:00
u16 capability, const u8 *supp_rates,
TDLS: Pass peer's HT Capability and QOS information during sta_add The information of the peer's HT capability and the QOS information is required for the driver to perform TDLS operations. Pass this information to the driver when the peer station is getting added. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-05 16:41:01 +02:00
size_t supp_rates_len,
const struct ieee80211_ht_capabilities *ht_capab,
TDLS: Pass peer's VHT Capability information during sta_add The information of the peer's VHT capability is required for the driver to establish a TDLS link in VHT mode with a compatible peer. Pass this information to the driver when the peer station is getting added. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-25 10:31:50 +02:00
const struct ieee80211_vht_capabilities *vht_capab,
TDLS: Support TDLS operations in HE mode Determine if the TDLS peer is HE capable based on HE Capability element received in the TDLS Setup Response frame. Indicate the peer's HE capabilities to the driver through sta_add(). Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-01-06 12:38:25 +05:30
const struct ieee80211_he_capabilities *he_capab,
size_t he_capab_len,
TDLS: Support TDLS operations in HE mode for 6 GHz Determine if the TDLS peer supports TDLS in 6 GHz band based on the HE 6 GHz Band Capabilities element received in the TDLS Setup Response frame. Indicate the peer's HE 6 GHz capabilities to the driver through sta_add(). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-07-19 13:42:05 +05:30
const struct ieee80211_he_6ghz_band_cap *he_6ghz_capab,
TDLS: Use WMM IE for propagating peer WMM capability Relying on qos qosinfo is not enough, as it can be 0 for WMM enabled peers that don't support U-APSD. Further, some peers don't even contain this IE (Google Nexus 5), but do contain the WMM IE during setup. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-09-29 20:47:53 +02:00
u8 qosinfo, int wmm, const u8 *ext_capab,
TDLS: Pass peer's Supported channel and oper class info during sta_add The information of the peer's supported channel and operating class is required for the driver to do TDLS off channel operations with a compatible peer. Pass this information to the driver when the peer station is getting added. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-06 18:36:13 +05:30
size_t ext_capab_len, const u8 *supp_channels,
size_t supp_channels_len,
const u8 *supp_oper_classes,
TDLS: Set EHT/MLO information for TDLS STA into the driver Add the copied EHT capabilities into the sta_add() call when adding a TDLS peer. The mld_link_id value was previously only for AP mode, but it can now be used for TDLS links as well to indicate the link on which a single-link-TDLS direct link is negotiated. Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
2023-02-09 00:25:30 -08:00
size_t supp_oper_classes_len,
const struct ieee80211_eht_capabilities *eht_capab,
size_t eht_capab_len, int mld_link_id);
TDLS: Propagate enable/disable channel-switch commands to driver The supplicant code does not try to control the actual channel of the radio at any point. It simply passes the target peer and channel parameters to the driver. It's the driver's responsibility to periodically initiate TDLS channel-switch operations when TDLS channel-switching is enabled. Allow enable/disable operations to be invoked via the control interface. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-12-29 00:20:51 -05:00
int (*tdls_enable_channel_switch)(
void *ctx, const u8 *addr, u8 oper_class,
const struct hostapd_freq_params *params);
int (*tdls_disable_channel_switch)(void *ctx, const u8 *addr);
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
#endif /* CONFIG_TDLS */
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 16:49:18 +02:00
void (*set_rekey_offload)(void *ctx, const u8 *kek, size_t kek_len,
const u8 *kck, size_t kck_len,
nl80211: Support GTK rekey offload Add support to wpa_supplicant for device-based GTK rekeying. In order to support that, pass the KEK, KCK, and replay counter to the driver, and handle rekey events that update the latter. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-07-12 21:22:51 +03:00
const u8 *replay_ctr);
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 18:21:49 +03:00
int (*key_mgmt_set_pmk)(void *ctx, const u8 *pmk, size_t pmk_len);
FILS: Parse and report received FILS HLP Containers from response The new FILS-HLP-RX control interface event is now used to report received FILS HLP responses from (Re)Association Response frame as a response to the HLP requests configured with FILS_HLP_REQ_ADD. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 21:21:24 +02:00
void (*fils_hlp_rx)(void *ctx, const u8 *dst, const u8 *src,
const u8 *pkt, size_t pkt_len);
Make channel_info available to the supplicant state machine This adds the necessary functions and callbacks to make the channel_info driver API available to the supplicant state machine that implements the 4-way and group key handshake. This is needed for OCV. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 15:46:20 -04:00
int (*channel_info)(void *ctx, struct wpa_channel_info *ci);
Process Transition Disable KDE in station mode Check whether the Transition Disable KDE is received from an authenticated AP and if so, whether it contains valid indication for disabling a transition mode. If that is the case, update the local network profile by removing the less secure options. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-26 00:10:16 +02:00
void (*transition_disable)(void *ctx, u8 bitmap);
Mark addr argument to storing PTKSA const This is not being modified, so mark it const to be more flexible for the caller. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-21 17:24:30 +02:00
void (*store_ptk)(void *ctx, const u8 *addr, int cipher,
WPA: Add PTKSA cache to wpa_supplicant for PASN PASN requires to store the PTK derived during PASN authentication so it can later be used for secure LTF etc. This is also true for a PTK derived during regular connection. Add an instance of a PTKSA cache for each wpa_supplicant interface when PASN is enabled in build configuration. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 13:00:27 +02:00
u32 life_time, const struct wpa_ptk *ptk);
PASN: Set secure ranging context to driver after association After the secure association and PTK derivation are completed, if the device supports LTF keyseed, generate the LTF keyseed using KDK and set the ranging context to the driver by using the command QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-08 02:47:08 +05:30
#ifdef CONFIG_PASN
int (*set_ltf_keyseed)(void *ctx, const u8 *own_addr,
const u8 *peer_addr, size_t ltf_keyseed_len,
const u8 *ltf_keyseed);
#endif /* CONFIG_PASN */
Add a callback to notify added PMKSA cache entry details Add a callback handler to notify details of a PMKSA cache entry when it is added to the PMKSA cache. This can be used to provide external components more convenient access to the PMKSA cache contents. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-20 19:27:51 +05:30
void (*notify_pmksa_cache_entry)(void *ctx,
struct rsn_pmksa_cache_entry *entry);
Indicate if SSID has been verified in STATUS output Add a new "ssid_verified=1" entry into the control interface STATUS command output if the SSID has been verified for the current association. This verification may have been done implicitly (e.g., with SAE H2E and FT protocol binding in the SSID into key derivation or with FILS protecting the SSID element in the (Re)Association Request frame) or explicitly with the recently added SSID protection mechanism during the 4-way handshake. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 22:44:46 +03:00
void (*ssid_verified)(void *ctx);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
};
enum wpa_sm_conf_params {
RSNA_PMK_LIFETIME /* dot11RSNAConfigPMKLifetime */,
RSNA_PMK_REAUTH_THRESHOLD /* dot11RSNAConfigPMKReauthThreshold */,
RSNA_SA_TIMEOUT /* dot11RSNAConfigSATimeout */,
WPA_PARAM_PROTO,
WPA_PARAM_PAIRWISE,
WPA_PARAM_GROUP,
WPA_PARAM_KEY_MGMT,
WPA_PARAM_MGMT_GROUP,
MFP: Add MFPR flag into station RSN IE if 802.11w is mandatory
2010-03-29 10:48:01 -07:00
WPA_PARAM_RSN_ENABLED,
OCV: Advertise OCV capability in RSN capabilities (STA) Set the OCV bit in RSN capabilities (RSNE) based on station mode configuration. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 15:46:25 -04:00
WPA_PARAM_MFP,
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 16:54:05 +03:00
WPA_PARAM_OCV,
WPA_PARAM_SAE_PWE,
SAE-PK: Advertise RSNXE capability bit in STA mode Set the SAE-PK capability bit in RSNXE when sending out (Re)Association Request frame for a network profile that allows use of SAE-PK. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-10 12:22:59 +03:00
WPA_PARAM_SAE_PK,
STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-10 23:19:09 +01:00
WPA_PARAM_DENY_PTK0_REKEY,
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
WPA_PARAM_EXT_KEY_ID,
WPA_PARAM_USE_EXT_KEY_ID,
FT: Testing override for RSNXE Used subfield in FTE Allow wpa_supplicant to be requested to override the RSNXE Used subfield in FT reassociation case for testing purposes with "SET ft_rsnxe_used <0/1/2>" where 0 = no override, 1 = override to 1, and 2 = override to 0. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-14 13:48:43 +03:00
WPA_PARAM_FT_RSNXE_USED,
DPP2: Add DPP KDE into EAPOL-Key msg 2/4 when using DPP AKM Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-01 19:53:07 +03:00
WPA_PARAM_DPP_PFS,
WMM: Advertise support for 16 PTKSA replay counters for non-AP STA In theory, each device that supports WMM (or the IEEE 802.11 QoS for that matter) is expected to advertise how many replay counters it supports and the peer device is supposed to use that information to restrict the total number of different MSDU priorities (AC/UP) that might be used. In practice, this is not really done in deployed devices and instead, it is just assumed that everyone supports the eight different replay counters so that there is no need to restrict which MSDU priorities can be used. hostapd implementation of WMM has advertised support for 16 PTKSA replay counters from the beginning while wpa_supplicant has not had any code for setting the supported replay counter fields in RSNE, i.e., has left the value to 0 which implies that only a single replay counter is supported. While this does not really result in any real issues with deployed devices, this is not really correct behavior based on the current IEEE 802.11 standard and the WMM specification. Update wpa_supplicant to use similar design to the hostapd RSNE generation by setting the number of supported PTKSA replay counters to 16 whenever WMM is enabled. For now, this is done based on the association being for HT/VHT/HE/EHT and also based on the AP supporting WMM since it is much more likely for the local device to support WMM and eight replay counters (which can be indicated only with the value that implies support for 16 counters since there is no separate value for 8). Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-04-12 18:46:53 +03:00
WPA_PARAM_WMM_ENABLED,
OCV: Add support to override channel info OCI element (STA) To support the STA testbed role, the STA has to use specified channel information in OCI element sent to the AP in EAPOL-Key msg 2/4, SA Query Request, and SA Query Response frames. Add override parameters to use the specified channel while populating OCI element in all these frames. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-08 23:29:04 +05:30
WPA_PARAM_OCI_FREQ_EAPOL,
OCV: OCI channel override support for testing (STA) Add override parameters to use the specified channel while populating OCI element in EAPOL-Key group msg 2/2, FT reassoc request, FILS assoc request and WNM sleep request frames. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-06-26 13:49:14 +05:30
WPA_PARAM_OCI_FREQ_EAPOL_G2,
WPA_PARAM_OCI_FREQ_FT_ASSOC,
WPA_PARAM_OCI_FREQ_FILS_ASSOC,
Add support for not transmitting EAPOL-Key group msg 2/2 To support the STA testbed role, the STA has to disable transmitting EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to disable sending EAPOL-Key group msg 2/2 of Group Key Handshake. Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-02-28 16:57:37 +05:30
WPA_PARAM_DISABLE_EAPOL_G2_TX,
Testing functionality for EAPOL-Key Key Data field encryption Allow the Key Data field to be encrypted in EAPOL-Key msg 2/4 and 4/4. This is for testing purposes to enable a convenient mechanism for testing Authenticator behavior with either potential future extensions or unexpected Supplicant behavior. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 21:11:23 +02:00
WPA_PARAM_ENCRYPT_EAPOL_M2,
WPA_PARAM_ENCRYPT_EAPOL_M4,
FT: Allow wpa_supplicant to be configured to prepend PMKR1Name The standard is somewhat unclear on whether the PMKIDs used in (Re)Association Request frame (i.e., potential PMKIDs that could be used for PMKSA caching during the initial mobility domain association) are to be retained or removed when generating EAPOL-Key msg 2/4. wpa_supplicant has replaced the PMKID List contents from (Re)Association Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT. Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name without removing the PMKIDs from (Re)Association Request frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-03 20:13:46 +02:00
WPA_PARAM_FT_PREPEND_PMKID,
SSID protection in 4-way handshake on STA Add support for SSID protection in 4-way handshake based on the mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against CVE-2023-52424 (a.k.a. the SSID Confusion Attack). This functionality is disabled by default and can be enabled with ssid_protection=1 in the network profile. Once there has been more testing of this to confirm there is no significant interoperability issues, the goal is to be able to change this to be enabled by default. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-19 01:07:36 +03:00
WPA_PARAM_SSID_PROTECTION,
RSNO: Use the RSN Selection element to indicate which variant was used This replaces the use of the RSNE Override and RSNE Override 2 elements with empty payload to indicate which RSNE variant was used. In addition, this adds stricter validation of the RSNE in (Re)Association Request frame to allow only the pairwise cipher suites and AKMs listed in the indicated RSNE variant to be used. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-29 15:41:59 +03:00
WPA_PARAM_RSN_OVERRIDE,
};
enum wpa_rsn_override {
RSN_OVERRIDE_NOT_USED,
RSN_OVERRIDE_RSNE,
RSN_OVERRIDE_RSNE_OVERRIDE,
RSN_OVERRIDE_RSNE_OVERRIDE_2,
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
};
struct rsn_supp_config {
void *network_ctx;
int allowed_pairwise_cipher; /* bitfield of WPA_CIPHER_* */
int proactive_key_caching;
int eap_workaround;
void *eap_conf_ctx;
const u8 *ssid;
size_t ssid_len;
Added support for enforcing frequent PTK rekeying Added a new configuration option, wpa_ptk_rekey, that can be used to enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP deficiencies. This can be set either by the Authenticator (to initiate periodic 4-way handshake to rekey PTK) or by the Supplicant (to request Authenticator to rekey PTK). With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP keys will not be used for more than 10 minutes which may make some attacks against TKIP more difficult to implement.
2008-11-06 19:57:21 +02:00
int wpa_ptk_rekey;
STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast reconnects. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-01-10 23:19:09 +01:00
int wpa_deny_ptk0_rekey;
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 19:13:31 +02:00
int p2p;
wpa_supplicant: Add GTK RSC relaxation workaround Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte order (or by some other corrupted way). Thus, after a successful EAPOL-Key exchange the TSC values of received multicast packets, such as DHCP, don't match the RSC one and as a result these packets are dropped on replay attack TSC verification. An example of such AP is Sapido RB-1732. Work around this by setting RSC octets to 0 on GTK installation if the AP RSC value is identified as a potentially having the byte order issue. This may open a short window during which older (but valid) group-addressed frames could be replayed. However, the local receive counter will be updated on the first received group-addressed frame and the workaround is enabled only if the common invalid cases are detected, so this workaround is acceptable as not decreasing security significantly. The wpa_rsc_relaxation global configuration property allows the GTK RSC workaround to be disabled if it's not needed. Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-10-14 12:26:33 +03:00
int wpa_rsc_relaxation;
OWE: PTK derivation workaround in STA mode Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround=1 network parameter can be used to enable older behavior mainly for testing purposes. There is no impact to group 19 behavior, but if enabled, this will make group 20 and 21 cases use SHA256-based PTK derivation which will not work with the updated OWE implementation on the AP side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-23 22:46:51 +02:00
int owe_ptk_workaround;
FILS: Use FILS Cache Identifier to extend PMKSA applicability This allows PMKSA cache entries for FILS-enabled BSSs to be shared within an ESS when the BSSs advertise the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 12:22:19 +02:00
const u8 *fils_cache_id;
wpa_supplicant configuration for Beacon protection Add a new wpa_supplicant network profile configuration parameter beacon_prot=<0/1> to allow Beacon protection to be enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-18 00:16:55 +02:00
int beacon_prot;
WPA: Support deriving KDK based on capabilities Derive the KDK as part of PMK to PTK derivation if forced by configuration or in case both the local station and the AP declare support for secure LTF. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 13:01:39 +02:00
bool force_kdk_derivation;
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
};
MLD STA: Set MLO connection info to wpa_sm Update the following MLO connection information to wpa_sm: - AP MLD address and link ID of the (re)association link. - Bitmap of requested links and accepted links - Own link address for each requested link - AP link address, RSNE and RSNXE for each requested link Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-03 13:38:45 +05:30
struct wpa_sm_link {
u8 addr[ETH_ALEN];
u8 bssid[ETH_ALEN];
RSNO: Verify all RSNE/RSNXE variants in multi-link cases Use the RSN Override Link KDE to include the override variants of the RSNE/RSNXE for each link so that all variants are verifies when processing the protected EAPOL-Key message 3/4. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 19:56:00 +03:00
u8 *ap_rsne, *ap_rsnxe, *ap_rsnoe, *ap_rsno2e, *ap_rsnxoe;
size_t ap_rsne_len, ap_rsnxe_len, ap_rsnoe_len, ap_rsno2e_len,
ap_rsnxoe_len;;
MLD STA: Processing of EAPOL-Key msg 3/4 frame when using MLO Process EAPOL-Key msg 3/4 and configure PTK and per-link GTK/IGTK/BIGTK keys to the driver when MLO is used. Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-03 13:38:50 +05:30
struct wpa_gtk gtk;
struct wpa_gtk gtk_wnm_sleep;
struct wpa_igtk igtk;
struct wpa_igtk igtk_wnm_sleep;
struct wpa_bigtk bigtk;
struct wpa_bigtk bigtk_wnm_sleep;
MLD STA: Set MLO connection info to wpa_sm Update the following MLO connection information to wpa_sm: - AP MLD address and link ID of the (re)association link. - Bitmap of requested links and accepted links - Own link address for each requested link - AP link address, RSNE and RSNXE for each requested link Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-03 13:38:45 +05:30
};
struct wpa_sm_mlo {
u8 ap_mld_addr[ETH_ALEN];
u8 assoc_link_id;
u16 valid_links; /* bitmap of accepted links */
u16 req_links; /* bitmap of requested links */
struct wpa_sm_link links[MAX_NUM_MLD_LINKS];
};
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
#ifndef CONFIG_NO_WPA
struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx);
void wpa_sm_deinit(struct wpa_sm *sm);
void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid);
void wpa_sm_notify_disassoc(struct wpa_sm *sm);
SAE: Add support for PMKSA caching on the station side This makes wpa_supplicant SME create PMKSA cache entries from SAE authentication and try to use PMKSA caching if an entry is found for the AP. If the AP rejects the attempt, fall back to SAE authentication is used. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 13:02:02 +03:00
void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
SAE: Fix PMKID calculation for PMKSA cache The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-15 11:23:37 +09:00
const u8 *pmkid, const u8 *bssid);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm);
void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth);
void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx);
void wpa_sm_set_config(struct wpa_sm *sm, struct rsn_supp_config *config);
SSID protection in 4-way handshake on STA Add support for SSID protection in 4-way handshake based on the mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against CVE-2023-52424 (a.k.a. the SSID Confusion Attack). This functionality is disabled by default and can be enabled with ssid_protection=1 in the network profile. Once there has been more testing of this to confirm there is no significant interoperability issues, the goal is to be able to change this to be enabled by default. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-19 01:07:36 +03:00
void wpa_sm_set_ssid(struct wpa_sm *sm, const u8 *ssid, size_t ssid_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr);
void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
const char *bridge_ifname);
void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol);
int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len);
int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm, u8 *wpa_ie,
size_t *wpa_ie_len);
SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4 Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-17 16:54:05 +03:00
int wpa_sm_set_assoc_rsnxe_default(struct wpa_sm *sm, u8 *rsnxe,
size_t *rsnxe_len);
int wpa_sm_set_assoc_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie, size_t len);
int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie, size_t len);
RSN: Verify RSNXE match between Beacon/ProbeResp and EAPOL-Key msg 3/4 If the AP advertises RSN Extension element, it has to be advertised consistently in the unprotected (Beacon and Probe Response) and protected (EAPOL-Key msg 3/4) frames. Verify that this is the case. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-06 14:51:31 +03:00
int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie, size_t len);
RSNO: Include all RSNE/RSNXE variants in EAPOL-Key message 3/4 This allows all variants to be verified based on a protected frame to achieve robust downgrade protection. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-29 17:20:22 +03:00
int wpa_sm_set_ap_rsne_override(struct wpa_sm *sm, const u8 *ie, size_t len);
int wpa_sm_set_ap_rsne_override_2(struct wpa_sm *sm, const u8 *ie, size_t len);
int wpa_sm_set_ap_rsnxe_override(struct wpa_sm *sm, const u8 *ie, size_t len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen);
int wpa_sm_set_param(struct wpa_sm *sm, enum wpa_sm_conf_params param,
unsigned int value);
int wpa_sm_get_status(struct wpa_sm *sm, char *buf, size_t buflen,
int verbose);
WNM: Make ESS Disassoc Imminent event more convenient to use Define a proper event prefix and include additional information to allow ESS Dissassociation Imminent event to be used in a wpa_cli action script. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-04-20 16:48:10 -07:00
int wpa_sm_pmf_enabled(struct wpa_sm *sm);
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
int wpa_sm_ext_key_id(struct wpa_sm *sm);
int wpa_sm_ext_key_id_active(struct wpa_sm *sm);
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 15:46:27 -04:00
int wpa_sm_ocv_enabled(struct wpa_sm *sm);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise);
int wpa_parse_wpa_ie(const u8 *wpa_ie, size_t wpa_ie_len,
struct wpa_ie_data *data);
void wpa_sm_aborted_cached(struct wpa_sm *sm);
FILS: Flush external-PMKSA when connection fails without ERP keys External applications can store PMKSA entries persistently and reconfigure them to wpa_supplicant after restart. This can result in wpa_supplicant having a PMKSA for FILS authentication without having matching ERP keys for it which would prevent the previously added mechanism for dropping FILS PMKSA entries to recover from rejected association attempts. Fix this by clearing PMKSA entries configured by external applications upon FILS connection failure even when ERP keys are not available. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-01 23:39:06 +05:30
void wpa_sm_aborted_external_cached(struct wpa_sm *sm);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
Provide information about the encryption status of received EAPOL frames This information was already available from the nl80211 control port RX path, but it was not provided to upper layers within wpa_supplicant and hostapd. It can be helpful, so parse the information from the driver event. Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 00:38:35 +03:00
const u8 *buf, size_t len, enum frame_encryption encrypted);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm, struct wpa_ie_data *data);
Removed wpa_sm dereference from pmksa_cache_list()
2009-01-13 20:22:42 +02:00
int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf, size_t len);
External persistent storage for PMKSA cache entries This adds new wpa_supplicant control interface commands PMKSA_GET and PMKSA_ADD that can be used to store PMKSA cache entries in an external persistent storage when terminating a wpa_supplicant process and then restore those entries when starting a new process. The previously added PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing the external storage with the memory-only volatile storage within wpa_supplicant. "PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to a specific network profile. The network_id of the current profile is available with the STATUS command (id=<network_id). In addition, the network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The output of the PMKSA_GET command uses the following format: <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic> For example: 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0 The PMKSA_GET command uses the following format: <network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds> <akmp> <opportunistic> (i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET output data; however, the reauth_time and expiration values need to be updated by decrementing them by number of seconds between the PMKSA_GET and PMKSA_ADD commands) For example: PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0 PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0 This functionality is disabled be default and can be enabled with CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be noted that this allows any process that has access to the wpa_supplicant control interface to use PMKSA_ADD command to fetch keying material (PMK), so this is for environments in which the control interface access is restricted. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 23:47:04 +02:00
struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_head(struct wpa_sm *sm);
struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_add_entry(struct wpa_sm *sm,
struct rsn_pmksa_cache_entry * entry);
FILS: Update PMKSA cache with FILS shared key offload Add a new PMKSA cache entry within wpa_supplicant if a driver event from offloaded FILS shared key authentication indicates a new PMKSA entry was created. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-22 16:10:05 +05:30
void wpa_sm_pmksa_cache_add(struct wpa_sm *sm, const u8 *pmk, size_t pmk_len,
const u8 *pmkid, const u8 *bssid,
const u8 *fils_cache_id);
Check for own address (SPA) match when finding PMKSA entries This prevents attempts of trying to use PMKSA caching when the existing entry was created using a different MAC address than the one that is currently being used. This avoids exposing the longer term PMKID value when using random MAC addresses for connections. In practice, similar restriction was already done by flushing the PMKSA cache entries whenever wpas_update_random_addr() changed the local address or when the interface was marked down (e.g., for an external operation to change the MAC address). Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 14:10:55 +02:00
int wpa_sm_pmksa_exists(struct wpa_sm *sm, const u8 *bssid, const u8 *own_addr,
DPP: Add new AKM This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 23:48:52 +03:00
const void *network_ctx);
Add a drop_sa command to allow 802.11w testing This drops PTK and PMK without notifying the AP.
2010-03-29 15:42:04 -07:00
void wpa_sm_drop_sa(struct wpa_sm *sm);
WPA: Add a function to get PMKSA cache entry Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 13:00:25 +02:00
struct rsn_pmksa_cache_entry * wpa_sm_pmksa_cache_get(struct wpa_sm *sm,
const u8 *aa,
const u8 *pmkid,
const void *network_ctx,
int akmp);
DPP: Drop PMKSA entry if AP reject association due to invalid PMKID This is needed to avoid trying the subsequent connections with the old PMKID that the AP claims not to hold and continues connection failures. This was already handled for the SME-in-the-driver case in commit commit 50b77f50e80f ("DPP: Flush PMKSA if an assoc reject without timeout is received"), but the wpa_supplicant SME case did not have matching processing. Add the needed check to avoid recover from cases where the AP has dropped its PMKSA cache entry. Do this only based on the specific status code value (53 = invalid PMKID) and only for the PMKSA entry that triggered this failure to minimize actions taken based on an unprotected (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-20 08:00:36 +02:00
void wpa_sm_pmksa_cache_remove(struct wpa_sm *sm,
struct rsn_pmksa_cache_entry *entry);
FT: Do not try to use FT protocol between mobility domains wpa_supplicant has support for only a single FT key hierarchy and as such, cannot use more than a single mobility domain at a time. Do not allow FT protocol to be started if there is a request to reassociate to a different BSS within the same ESS if that BSS is in a different mobility domain. This results in the initial mobility domain association being used whenever moving to another mobility domain. While it would be possible to add support for multiple FT key hierachies and multiple mobility domains in theory, there does not yet seem to be sufficient justification to add the complexity needed for that due to limited, if any, deployment of such networks. As such, it is simplest to just prevent these attempts for now and start with a clean initial mobility domain association. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-08 23:43:43 +02:00
bool wpa_sm_has_ft_keys(struct wpa_sm *sm, const u8 *md);
Add no_encrypt flag for control port TX In order to correctly encrypt rekeying frames, wpa_supplicant now checks if a PTK is currently installed and sets the corresponding encrypt option for tx_control_port(). Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-03 16:17:42 +01:00
int wpa_sm_has_ptk_installed(struct wpa_sm *sm);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
nl80211: Support GTK rekey offload Add support to wpa_supplicant for device-based GTK rekeying. In order to support that, pass the KEK, KCK, and replay counter to the driver, and handle rekey events that update the latter. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-07-12 21:22:51 +03:00
void wpa_sm_update_replay_ctr(struct wpa_sm *sm, const u8 *replay_ctr);
Flush PMKSA cache entries and invalidate EAP state on network changes If a network configuration block is removed or modified, flush all PMKSA cache entries that were created using that network configuration. Similarly, invalidate EAP state (fast re-auth). The special case for OKC on wpa_supplicant reconfiguration (network_ctx pointer change) is now addressed as part of the PMKSA cache flushing, so it does not need a separate mechanism for clearing the network_ctx values in the PMKSA cache.
2011-09-07 17:46:00 +03:00
void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx);
FILS: Flush external-PMKSA when connection fails without ERP keys External applications can store PMKSA entries persistently and reconfigure them to wpa_supplicant after restart. This can result in wpa_supplicant having a PMKSA for FILS authentication without having matching ERP keys for it which would prevent the previously added mechanism for dropping FILS PMKSA entries to recover from rejected association attempts. Fix this by clearing PMKSA entries configured by external applications upon FILS connection failure even when ERP keys are not available. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-01 23:39:06 +05:30
void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm, void *network_ctx);
Flush PMKSA cache entries and invalidate EAP state on network changes If a network configuration block is removed or modified, flush all PMKSA cache entries that were created using that network configuration. Similarly, invalidate EAP state (fast re-auth). The special case for OKC on wpa_supplicant reconfiguration (network_ctx pointer change) is now addressed as part of the PMKSA cache flushing, so it does not need a separate mechanism for clearing the network_ctx values in the PMKSA cache.
2011-09-07 17:46:00 +03:00
P2P: Add support for IP address assignment in 4-way handshake This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go=192.168.42.1 ip_addr_mask=255.255.255.0 ip_addr_start=192.168.42.2 ip_addr_end=192.168.42.100 DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-03-16 19:13:31 +02:00
int wpa_sm_get_p2p_ip_addr(struct wpa_sm *sm, u8 *buf);
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 18:21:49 +03:00
void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm, const u8 *rx_replay_counter);
Preparations for variable length KCK and KEK This modifies struct wpa_ptk to allow the length of KCK and KEK to be stored. This is needed to allow longer keys to be used, e.g., with Suite B 192-bit level. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-25 16:49:18 +02:00
void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm,
const u8 *ptk_kck, size_t ptk_kck_len,
const u8 *ptk_kek, size_t ptk_kek_len);
FILS: Fix compilation with CONFIG_NO_WPA wpa_fils_is_completed() was not defined. Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2017-06-08 11:18:00 +03:00
int wpa_fils_is_completed(struct wpa_sm *sm);
Add support to reconfigure or flush PMKSA cache on interface enable Update PMKSA cache when interface is disabled and then enabled based on the new MAC address. If the new MAC address is same as the previous MAC address, the PMKSA cache entries are valid and hence update the PMKSA cache entries to the driver. If the new MAC address is not same as the previous MAC address, the PMKSA cache entries will not be valid anymore and hence delete the PMKSA cache entries. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-07 19:46:04 +05:30
void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm);
MLD STA: Set MLO connection info to wpa_sm Update the following MLO connection information to wpa_sm: - AP MLD address and link ID of the (re)association link. - Bitmap of requested links and accepted links - Own link address for each requested link - AP link address, RSNE and RSNXE for each requested link Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-03 13:38:45 +05:30
int wpa_sm_set_mlo_params(struct wpa_sm *sm, const struct wpa_sm_mlo *mlo);
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 18:21:49 +03:00
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
#else /* CONFIG_NO_WPA */
static inline struct wpa_sm * wpa_sm_init(struct wpa_sm_ctx *ctx)
{
return (struct wpa_sm *) 1;
}
static inline void wpa_sm_deinit(struct wpa_sm *sm)
{
}
static inline void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
{
}
static inline void wpa_sm_notify_disassoc(struct wpa_sm *sm)
{
}
static inline void wpa_sm_set_pmk(struct wpa_sm *sm, const u8 *pmk,
SAE: Fix PMKID calculation for PMKSA cache The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-15 11:23:37 +09:00
size_t pmk_len, const u8 *pmkid,
const u8 *bssid)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
{
}
static inline void wpa_sm_set_pmk_from_pmksa(struct wpa_sm *sm)
{
}
static inline void wpa_sm_set_fast_reauth(struct wpa_sm *sm, int fast_reauth)
{
}
static inline void wpa_sm_set_scard_ctx(struct wpa_sm *sm, void *scard_ctx)
{
}
static inline void wpa_sm_set_config(struct wpa_sm *sm,
struct rsn_supp_config *config)
{
}
static inline void wpa_sm_set_own_addr(struct wpa_sm *sm, const u8 *addr)
{
}
static inline void wpa_sm_set_ifname(struct wpa_sm *sm, const char *ifname,
const char *bridge_ifname)
{
}
static inline void wpa_sm_set_eapol(struct wpa_sm *sm, struct eapol_sm *eapol)
{
}
static inline int wpa_sm_set_assoc_wpa_ie(struct wpa_sm *sm, const u8 *ie,
size_t len)
{
return -1;
}
static inline int wpa_sm_set_assoc_wpa_ie_default(struct wpa_sm *sm,
u8 *wpa_ie,
size_t *wpa_ie_len)
{
return -1;
}
static inline int wpa_sm_set_ap_wpa_ie(struct wpa_sm *sm, const u8 *ie,
size_t len)
{
return -1;
}
static inline int wpa_sm_set_ap_rsn_ie(struct wpa_sm *sm, const u8 *ie,
size_t len)
{
return -1;
}
RSN: Verify RSNXE match between Beacon/ProbeResp and EAPOL-Key msg 3/4 If the AP advertises RSN Extension element, it has to be advertised consistently in the unprotected (Beacon and Probe Response) and protected (EAPOL-Key msg 3/4) frames. Verify that this is the case. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-06 14:51:31 +03:00
static inline int wpa_sm_set_ap_rsnxe(struct wpa_sm *sm, const u8 *ie,
size_t len)
{
return -1;
}
RSNO: Include all RSNE/RSNXE variants in EAPOL-Key message 3/4 This allows all variants to be verified based on a protected frame to achieve robust downgrade protection. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-29 17:20:22 +03:00
static inline int wpa_sm_set_ap_rsne_override(struct wpa_sm *sm, const u8 *ie,
size_t len)
{
return -1;
}
static inline int wpa_sm_set_ap_rsne_override_2(struct wpa_sm *sm, const u8 *ie,
size_t len)
{
return -1;
}
static inline int wpa_sm_set_ap_rsnxe_override(struct wpa_sm *sm, const u8 *ie,
size_t len)
{
return -1;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
static inline int wpa_sm_get_mib(struct wpa_sm *sm, char *buf, size_t buflen)
{
return 0;
}
static inline int wpa_sm_set_param(struct wpa_sm *sm,
enum wpa_sm_conf_params param,
unsigned int value)
{
return -1;
}
static inline int wpa_sm_get_status(struct wpa_sm *sm, char *buf,
size_t buflen, int verbose)
{
return 0;
}
Fix WNM build without WPA2 Commit ae8535b6e1a98ca40ce87650a4179851e7cd13a7 added a new function wpa_sm_pmf_enabled() which is called from WNM code without ifdefs. Define a dummy wrapper for this function to fix build if WPA2 is disabled. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-06-07 20:02:50 +03:00
static inline int wpa_sm_pmf_enabled(struct wpa_sm *sm)
{
return 0;
}
STA: Support Extended Key ID Support Extended Key ID in wpa_supplicant according to IEEE Std 802.11-2016 for infrastructure (AP) associations. Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing STAs to also connect to APs not supporting it. Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-20 20:04:32 +01:00
static inline int wpa_sm_ext_key_id(struct wpa_sm *sm)
{
return 0;
}
static inline int wpa_sm_ext_key_id_active(struct wpa_sm *sm)
{
return 0;
}
OCV: Insert OCI in 4-way and group key handshake If Operating Channel Verification is negotiated, include the OCI KDE element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both messages of the group key handshake. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-08-06 15:46:27 -04:00
static inline int wpa_sm_ocv_enabled(struct wpa_sm *sm)
{
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
static inline void wpa_sm_key_request(struct wpa_sm *sm, int error,
int pairwise)
{
}
static inline int wpa_parse_wpa_ie(const u8 *wpa_ie, size_t wpa_ie_len,
struct wpa_ie_data *data)
{
return -1;
}
static inline void wpa_sm_aborted_cached(struct wpa_sm *sm)
{
}
FILS: Flush external-PMKSA when connection fails without ERP keys External applications can store PMKSA entries persistently and reconfigure them to wpa_supplicant after restart. This can result in wpa_supplicant having a PMKSA for FILS authentication without having matching ERP keys for it which would prevent the previously added mechanism for dropping FILS PMKSA entries to recover from rejected association attempts. Fix this by clearing PMKSA entries configured by external applications upon FILS connection failure even when ERP keys are not available. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-01 23:39:06 +05:30
static inline void wpa_sm_aborted_external_cached(struct wpa_sm *sm)
{
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
static inline int wpa_sm_rx_eapol(struct wpa_sm *sm, const u8 *src_addr,
Provide information about the encryption status of received EAPOL frames This information was already available from the nl80211 control port RX path, but it was not provided to upper layers within wpa_supplicant and hostapd. It can be helpful, so parse the information from the driver event. Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 00:38:35 +03:00
const u8 *buf, size_t len,
enum frame_encryption encrypted)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
{
return -1;
}
static inline int wpa_sm_parse_own_wpa_ie(struct wpa_sm *sm,
struct wpa_ie_data *data)
{
return -1;
}
Removed wpa_sm dereference from pmksa_cache_list()
2009-01-13 20:22:42 +02:00
static inline int wpa_sm_pmksa_cache_list(struct wpa_sm *sm, char *buf,
size_t len)
{
return -1;
}
Add a drop_sa command to allow 802.11w testing This drops PTK and PMK without notifying the AP.
2010-03-29 15:42:04 -07:00
static inline void wpa_sm_drop_sa(struct wpa_sm *sm)
{
}
WPA: Add a function to get PMKSA cache entry Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 13:00:25 +02:00
static inline struct rsn_pmksa_cache_entry *
wpa_sm_pmksa_cache_get(struct wpa_sm *sm, const u8 *aa, const u8 *pmkid,
const void *network_ctx, int akmp)
{
return NULL;
}
Fix wpa_sm_has_ptk() no-WPA wrapper location
2010-04-11 11:39:14 +03:00
static inline int wpa_sm_has_ptk(struct wpa_sm *sm)
{
return 0;
}
nl80211: Support GTK rekey offload Add support to wpa_supplicant for device-based GTK rekeying. In order to support that, pass the KEK, KCK, and replay counter to the driver, and handle rekey events that update the latter. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-07-12 21:22:51 +03:00
static inline void wpa_sm_update_replay_ctr(struct wpa_sm *sm,
const u8 *replay_ctr)
{
}
FILS: Flush external-PMKSA when connection fails without ERP keys External applications can store PMKSA entries persistently and reconfigure them to wpa_supplicant after restart. This can result in wpa_supplicant having a PMKSA for FILS authentication without having matching ERP keys for it which would prevent the previously added mechanism for dropping FILS PMKSA entries to recover from rejected association attempts. Fix this by clearing PMKSA entries configured by external applications upon FILS connection failure even when ERP keys are not available. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-01 23:39:06 +05:30
static inline void wpa_sm_external_pmksa_cache_flush(struct wpa_sm *sm,
void *network_ctx)
{
}
Flush PMKSA cache entries and invalidate EAP state on network changes If a network configuration block is removed or modified, flush all PMKSA cache entries that were created using that network configuration. Similarly, invalidate EAP state (fast re-auth). The special case for OKC on wpa_supplicant reconfiguration (network_ctx pointer change) is now addressed as part of the PMKSA cache flushing, so it does not need a separate mechanism for clearing the network_ctx values in the PMKSA cache.
2011-09-07 17:46:00 +03:00
static inline void wpa_sm_pmksa_cache_flush(struct wpa_sm *sm,
void *network_ctx)
{
}
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 18:21:49 +03:00
static inline void wpa_sm_set_rx_replay_ctr(struct wpa_sm *sm,
const u8 *rx_replay_counter)
{
}
static inline void wpa_sm_set_ptk_kck_kek(struct wpa_sm *sm, const u8 *ptk_kck,
Fix CONFIG_NO_WPA=y build Number of places were calling functions that are not included in CONFIG_NO_WPA=y build anymore. Comment out such calls. In addition, pull in SHA1 and MD5 for config_internal.c, if needed. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-23 23:34:52 +02:00
size_t ptk_kck_len,
const u8 *ptk_kek, size_t ptk_kek_len)
Add support for offloading key management operations to the driver This commit introduces a QCA vendor command and event to provide an option to use extended versions of the nl80211 connect/roam operations in a way that allows drivers to offload key management operations to the driver/firmware. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-23 18:21:49 +03:00
{
}
FILS: Fix compilation with CONFIG_NO_WPA wpa_fils_is_completed() was not defined. Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2017-06-08 11:18:00 +03:00
static inline int wpa_fils_is_completed(struct wpa_sm *sm)
{
return 0;
}
Add support to reconfigure or flush PMKSA cache on interface enable Update PMKSA cache when interface is disabled and then enabled based on the new MAC address. If the new MAC address is same as the previous MAC address, the PMKSA cache entries are valid and hence update the PMKSA cache entries to the driver. If the new MAC address is not same as the previous MAC address, the PMKSA cache entries will not be valid anymore and hence delete the PMKSA cache entries. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-07 19:46:04 +05:30
static inline void wpa_sm_pmksa_cache_reconfig(struct wpa_sm *sm)
{
}
MLD STA: Set MLO connection info to wpa_sm Update the following MLO connection information to wpa_sm: - AP MLD address and link ID of the (re)association link. - Bitmap of requested links and accepted links - Own link address for each requested link - AP link address, RSNE and RSNXE for each requested link Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-03 13:38:45 +05:30
static inline int wpa_sm_set_mlo_params(struct wpa_sm *sm,
const struct wpa_sm_mlo *mlo)
{
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
#endif /* CONFIG_NO_WPA */
#ifdef CONFIG_IEEE80211R
FT: Clean up wpa_sm_set_ft_params() by using common parse Instead of parsing the IEs in the callers, use the already existing parser in wpa_ft.c to handle MDIE and FTIE from initial MD association response. In addition, this provides more complete access to association response IEs to FT code which will be needed to fix FT 4-way handshake message 2/4.
2010-04-10 11:36:35 +03:00
int wpa_sm_set_ft_params(struct wpa_sm *sm, const u8 *ies, size_t ies_len);
FT: Copy FT Capability and Policy to MDIE from target AP This sets the FT Capability and Policy field in the MDIE to the values received from the target AP (if available). This fixes the MDIE contents during FT Protocol, but the correct value may not yet be used in initial mobility domain association.
2010-04-09 16:26:20 +03:00
int wpa_ft_prepare_auth_request(struct wpa_sm *sm, const u8 *mdie);
FT: Add MDE to assoc request IEs in connect params Add MDE (mobility domain element) to Association Request frame IEs in the driver assoc params. wpa_supplicant will add MDE only if the network profile allows FT, the selected AP supports FT, and the mobility domain ID matches. Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2018-04-16 13:52:27 +03:00
int wpa_ft_add_mdie(struct wpa_sm *sm, u8 *ies, size_t ies_len,
const u8 *mdie);
const u8 * wpa_sm_get_ft_md(struct wpa_sm *sm);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
FT: Add RIC Request generation and validation (but not processing) This adds first part of FT resource request as part of Reassocition Request frame (i.e., FT Protocol, not FT Resource Request Protocol). wpa_supplicant can generate a test resource request when driver_test.c is used with internal MLME code and hostapd can verify the FTIE MIC properly with the included RIC Request. The actual RIC Request IEs are not processed yet and hostapd does not yet reply with RIC Response (nor would wpa_supplicant be able to validate the FTIE MIC for a frame with RIC Response).
2009-03-09 20:45:17 +02:00
int ft_action, const u8 *target_ap,
const u8 *ric_ies, size_t ric_ies_len);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
int wpa_ft_is_completed(struct wpa_sm *sm);
FT: Reset FT flag upon STA deauthentication Reset ft_completed if STA receives deauthentication between FT reassoc success and the subsequent initial mobility authentication and association. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-04-26 17:56:24 +03:00
void wpa_reset_ft_completed(struct wpa_sm *sm);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
FT: Use correct BSSID when deriving PTK and verifying MIC The old version was using struct wpa_sm::bssid which is not necessarily updated to point to the correct target address when doing over-the-air FT since the address is used before the association has actually been completed.
2008-03-12 11:20:20 +02:00
size_t ies_len, const u8 *src_addr);
FT: Copy FT Capability and Policy to MDIE from target AP This sets the FT Capability and Policy field in the MDIE to the values received from the target AP (if available). This fixes the MDIE contents during FT Protocol, but the correct value may not yet be used in initial mobility domain association.
2010-04-09 16:26:20 +03:00
int wpa_ft_start_over_ds(struct wpa_sm *sm, const u8 *target_ap,
FT: Do not try to use FT protocol between mobility domains wpa_supplicant has support for only a single FT key hierarchy and as such, cannot use more than a single mobility domain at a time. Do not allow FT protocol to be started if there is a request to reassociate to a different BSS within the same ESS if that BSS is in a different mobility domain. This results in the initial mobility domain association being used whenever moving to another mobility domain. While it would be possible to add support for multiple FT key hierachies and multiple mobility domains in theory, there does not yet seem to be sufficient justification to add the complexity needed for that due to limited, if any, deployment of such networks. As such, it is simplest to just prevent these attempts for now and start with a clean initial mobility domain association. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-08 23:43:43 +02:00
const u8 *mdie, bool force);
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
PASN: Support PASN with FT key derivation Add support for PASN authentication with FT key derivation: - As IEEE P802.11az/D2.6 states that wrapped data is optional and is only needed for further validation of the FT security parameters, do not include them in the first PASN frame. - PASN with FT key derivation requires knowledge of the PMK-R1 and PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1, etc. only for the currently associated AP, store the mapping of BSSID to R1KH-ID for each previous association, so the R1KH-ID could be used to derive PMK-R1 and PMK-R1-Name. Do so instead of storing the PMK-R1 to avoid maintaining keys that might not be used. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 13:01:03 +02:00
#ifdef CONFIG_PASN
int wpa_pasn_ft_derive_pmk_r1(struct wpa_sm *sm, int akmp, const u8 *r1kh_id,
u8 *pmk_r1, size_t *pmk_r1_len, u8 *pmk_r1_name);
#endif /* CONFIG_PASN */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
#else /* CONFIG_IEEE80211R */
static inline int
FT: Fix wpa_sm_set_ft_params wrapper for non-FT build
2010-04-11 19:49:32 +03:00
wpa_sm_set_ft_params(struct wpa_sm *sm, const u8 *ies, size_t ies_len)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
{
return 0;
}
FT: Copy FT Capability and Policy to MDIE from target AP This sets the FT Capability and Policy field in the MDIE to the values received from the target AP (if available). This fixes the MDIE contents during FT Protocol, but the correct value may not yet be used in initial mobility domain association.
2010-04-09 16:26:20 +03:00
static inline int wpa_ft_prepare_auth_request(struct wpa_sm *sm,
const u8 *mdie)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
{
return 0;
}
FT: Add MDE to assoc request IEs in connect params Add MDE (mobility domain element) to Association Request frame IEs in the driver assoc params. wpa_supplicant will add MDE only if the network profile allows FT, the selected AP supports FT, and the mobility domain ID matches. Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2018-04-16 13:52:27 +03:00
static inline int wpa_ft_add_mdie(struct wpa_sm *sm, u8 *ies, size_t ies_len,
const u8 *mdie)
{
return 0;
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
static inline int
wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
int ft_action, const u8 *target_ap)
{
return 0;
}
static inline int wpa_ft_is_completed(struct wpa_sm *sm)
{
return 0;
}
FT: Reset FT flag upon STA deauthentication Reset ft_completed if STA receives deauthentication between FT reassoc success and the subsequent initial mobility authentication and association. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-04-26 17:56:24 +03:00
static inline void wpa_reset_ft_completed(struct wpa_sm *sm)
{
}
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
static inline int
FT: Use correct BSSID when deriving PTK and verifying MIC The old version was using struct wpa_sm::bssid which is not necessarily updated to point to the correct target address when doing over-the-air FT since the address is used before the association has actually been completed.
2008-03-12 11:20:20 +02:00
wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
const u8 *src_addr)
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
{
return -1;
}
PASN: Support PASN with FT key derivation Add support for PASN authentication with FT key derivation: - As IEEE P802.11az/D2.6 states that wrapped data is optional and is only needed for further validation of the FT security parameters, do not include them in the first PASN frame. - PASN with FT key derivation requires knowledge of the PMK-R1 and PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1, etc. only for the currently associated AP, store the mapping of BSSID to R1KH-ID for each previous association, so the R1KH-ID could be used to derive PMK-R1 and PMK-R1-Name. Do so instead of storing the PMK-R1 to avoid maintaining keys that might not be used. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 13:01:03 +02:00
#ifdef CONFIG_PASN
PASN: Fix CONFIG_PASN=y build without CONFIG_IEEE80211R=y Do not try to use variables that are not defined without CONFIG_IEEE80211R=y and add the forgotten "inline" for the function wrapper. Fixes: 5c65ad6c0b08 ("PASN: Support PASN with FT key derivation") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-30 17:05:47 +03:00
static inline int
wpa_pasn_ft_derive_pmk_r1(struct wpa_sm *sm, int akmp, const u8 *r1kh_id,
u8 *pmk_r1, size_t *pmk_r1_len, u8 *pmk_r1_name)
PASN: Support PASN with FT key derivation Add support for PASN authentication with FT key derivation: - As IEEE P802.11az/D2.6 states that wrapped data is optional and is only needed for further validation of the FT security parameters, do not include them in the first PASN frame. - PASN with FT key derivation requires knowledge of the PMK-R1 and PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1, etc. only for the currently associated AP, store the mapping of BSSID to R1KH-ID for each previous association, so the R1KH-ID could be used to derive PMK-R1 and PMK-R1-Name. Do so instead of storing the PMK-R1 to avoid maintaining keys that might not be used. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2020-12-16 13:01:03 +02:00
{
return -1;
}
#endif /* CONFIG_PASN */
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
#endif /* CONFIG_IEEE80211R */
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
/* tdls.c */
TDLS: Do not allow setup to be started if AP prohibits TDLS
2011-01-28 19:27:28 +02:00
void wpa_tdls_ap_ies(struct wpa_sm *sm, const u8 *ies, size_t len);
void wpa_tdls_assoc_resp_ies(struct wpa_sm *sm, const u8 *ies, size_t len);
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
int wpa_tdls_start(struct wpa_sm *sm, const u8 *addr);
TDLS: Remove link, if any, on an implicit set up request If an implicit TDLS set up request is obtained on an existing link or an to be established link, the previous link was not removed. This commit disables the existing link on a new set up request. Also, wpa_tdls_reneg() function was invoking wpa_tdls_start() on an already existing peer for the case of internal setup, which is incorrect. Thus the invocation of wpa_tdls_start() is removed in wpa_tdls_reneg() and also this function is renamed to wps_tdls_remove() as it does not renegotiation rather shall remove the link (if any) for the case of external setup. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-05 13:27:56 +02:00
void wpa_tdls_remove(struct wpa_sm *sm, const u8 *addr);
TDLS: Support sending a teardown frame from usermode When a driver does not implement the TDLS_TEARDOWN operation internally, send an explicit TDLS link teardown frame to the driver. Change all teardown calls to use these calling semantics. Signed-off-by: Arik Nemtsov <arik@wizery.com> Cc: Kalyan C Gaddam <chakkal@iit.edu>
2011-09-26 13:55:28 +03:00
int wpa_tdls_teardown_link(struct wpa_sm *sm, const u8 *addr, u16 reason_code);
TDLS: Support sending TDLS discovery requests Allow sending a TDLS discovery request as a frame through the driver. Signed-off-by: Arik Nemtsov <arik@wizery.com> Cc: Kalyan C Gaddam <chakkal@iit.edu>
2011-09-26 13:55:29 +03:00
int wpa_tdls_send_discovery_request(struct wpa_sm *sm, const u8 *addr);
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
int wpa_tdls_init(struct wpa_sm *sm);
TDLS: Tear down peers when disconnecting from the AP A TDLS Teardown frame with Reason Code 3 (Deauthenticated because sending STA is leaving (or has left) IBSS or ESS) shall be transmitted to all TDLS peer STAs (via the AP or via the direct path) prior to transmitting a Disassociation frame or a Deauthentication frame to the AP. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-02-12 23:25:21 +02:00
void wpa_tdls_teardown_peers(struct wpa_sm *sm);
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
void wpa_tdls_deinit(struct wpa_sm *sm);
TDLS: Allow TDLS to be disabled at runtime for testing purposes Control interface command 'SET tdls_disabled <1/0>' can now be used to disable/enable TDLS at runtime. This is mainly for testing purposes.
2011-03-24 20:44:17 +02:00
void wpa_tdls_enable(struct wpa_sm *sm, int enabled);
TDLS: Handle unreachable link teardown for external setup If a link is unreachable, the specification mandates we should send a teardown packet via the AP with a specific teardown reason. Force this by first disabling the link and only then sending the teardown packet for the LOW_ACK event. Rename the TDLS LOW_ACK event handler to better reflect its purpose. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-06-10 21:19:04 +03:00
void wpa_tdls_disable_unreachable_link(struct wpa_sm *sm, const u8 *addr);
dbus_new: Add DBus TDLS methods Add DBus methods for TDLS operations similar to those available for the control interface. This includes Discover, Setup, and Teardown commands. While here, add a method to query the TDLS link status and add a DBus method for it. Tested with CONFIG_TDLS enabled, on a TDLS-enabled host and peer capable of TDLS: dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \ /fi/w1/wpa_supplicant1/Interfaces/0 \ fi.w1.wpa_supplicant1.Interface.TDLSStatus string:<peer-mac-address> yields: string "peer does not exist" dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \ /fi/w1/wpa_supplicant1/Interfaces/0 \ fi.w1.wpa_supplicant1.Interface.TDLSDiscover string:<peer-mac-address> yields no error dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \ /fi/w1/wpa_supplicant1/Interfaces/0 \ fi.w1.wpa_supplicant1.Interface.TDLSSetup string:<peer-mac-address> yields no error dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \ /fi/w1/wpa_supplicant1/Interfaces/0 \ fi.w1.wpa_supplicant1.Interface.TDLSStatus string:<peer-mac-address> yields: string "connected" after TDLS completes dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \ /fi/w1/wpa_supplicant1/Interfaces/0 \ fi.w1.wpa_supplicant1.Interface.TDLSTeardown string:<peer-mac-address> yields no error dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \ /fi/w1/wpa_supplicant1/Interfaces/0 \ fi.w1.wpa_supplicant1.Interface.TDLSStatus string:<peer-mac-address> yields: string "peer not connected" Signed-hostap: Paul Stewart <pstew@chromium.org>
2013-11-11 12:13:55 -08:00
const char * wpa_tdls_get_link_status(struct wpa_sm *sm, const u8 *addr);
TDLS: Support mgmt-frame Tx for ctrl-iface operations Use capability information to decide whether to perform a given TDLS operation internally or through mgmt-frame Tx. Signed-off-by: Arik Nemtsov <arik@wizery.com> Cc: Kalyan C Gaddam <chakkal@iit.edu>
2011-09-26 13:55:33 +03:00
int wpa_tdls_is_external_setup(struct wpa_sm *sm);
TDLS: Propagate enable/disable channel-switch commands to driver The supplicant code does not try to control the actual channel of the radio at any point. It simply passes the target peer and channel parameters to the driver. It's the driver's responsibility to periodically initiate TDLS channel-switch operations when TDLS channel-switching is enabled. Allow enable/disable operations to be invoked via the control interface. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2014-12-29 00:20:51 -05:00
int wpa_tdls_enable_chan_switch(struct wpa_sm *sm, const u8 *addr,
u8 oper_class,
struct hostapd_freq_params *freq_params);
int wpa_tdls_disable_chan_switch(struct wpa_sm *sm, const u8 *addr);
TDLS: Learn MLD link ID from TDLS Discovery Response This is needed to be able to determine which link is used for TDLS setup when the current association is with an AP MLD. Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
2023-02-09 00:25:30 -08:00
int wpa_tdls_process_discovery_response(struct wpa_sm *sm, const u8 *addr,
const u8 *buf, size_t len);
TDLS: Declare tdls_testing as extern in a header file This gets rid of a sparse warning with CONFIG_TDLS_TESTING builds. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 13:31:04 +03:00
#ifdef CONFIG_TDLS_TESTING
extern unsigned int tdls_testing;
#endif /* CONFIG_TDLS_TESTING */
TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010)
2010-10-07 10:26:56 +03:00
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 17:27:19 +02:00
int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf);
Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side The new wpa_supplicant control interface command "TEST_ASSOC_IE <hexdump>" can now be used to override the WPA/RSN IE for Association Request frame and following 4-way handshake to allow protocol testing of AP side processing of WPA/RSN IE. Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 19:30:59 +02:00
void wpa_sm_set_test_assoc_ie(struct wpa_sm *sm, struct wpabuf *buf);
Supplicant side testing functionality for EAPOL-Key Key Data field Allow additional elements and KDEs to be added to EAPOL-Key msg 2/4 and 4/4. This is for testing purposes to enable a convenient mechanism for testing Authenticator behavior with either potential future extensions or incorrect Supplicant behavior. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 16:03:34 +02:00
void wpa_sm_set_test_eapol_m2_elems(struct wpa_sm *sm, struct wpabuf *buf);
void wpa_sm_set_test_eapol_m4_elems(struct wpa_sm *sm, struct wpabuf *buf);
Make last received ANonce available through control interface This makes it easier to debug 4-way handshake implementation issues without having to use a sniffer. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-14 17:58:11 +03:00
const u8 * wpa_sm_get_anonce(struct wpa_sm *sm);
FT: Add MDE to assoc request IEs in connect params Add MDE (mobility domain element) to Association Request frame IEs in the driver assoc params. wpa_supplicant will add MDE only if the network profile allows FT, the selected AP supports FT, and the mobility domain ID matches. Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
2018-04-16 13:52:27 +03:00
unsigned int wpa_sm_get_key_mgmt(struct wpa_sm *sm);
WNM: Add WNM-Sleep Mode for station mode Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-02-26 17:27:19 +02:00
FILS: Add MDE into Authentication frame for FILS+FT When using FILS for FT initial mobility domain association, add MDE to the Authentication frame from the STA to indicate this special case for FILS authentication. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-04-02 13:22:52 +03:00
struct wpabuf * fils_build_auth(struct wpa_sm *sm, int dh_group, const u8 *md);
FILS: Fix BSSID in reassociation case The RSN supplicant implementation needs to be updated to use the new BSSID whenever doing FILS authentication. Previously, this was only done when notifying association and that was too late for the case of reassociation. Fix this by providing the new BSSID when calling fils_process_auth(). This makes PTK derivation use the correct BSSID. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 12:25:02 +02:00
int fils_process_auth(struct wpa_sm *sm, const u8 *bssid, const u8 *data,
size_t len);
FILS: Add elements to FILS Association Request frame Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-08 20:58:53 +03:00
struct wpabuf * fils_build_assoc_req(struct wpa_sm *sm, const u8 **kek,
size_t *kek_len, const u8 **snonce,
FILS: Allow FILS HLP requests to be added The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be added to the (Re)Association Request frame whenever FILS authentication is used. FILS_HLP_REQ_ADD parameters use the following format: <destination MAC address> <hexdump of payload starting from ethertype> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 14:07:20 +02:00
const u8 **anonce,
const struct wpabuf **hlp,
unsigned int num_hlp);
FILS: Association Response processing (STA) Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and configure keys to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-09 17:34:13 +03:00
int fils_process_assoc_resp(struct wpa_sm *sm, const u8 *resp, size_t len);
FILS: Try to use FILS authentication if PMKSA or ERP entry is available If a PMKSA cache entry for the target AP is available, try to use FILS with PMKSA caching. If an ERP key for the target AP is available, try to use FILS with EAP-Initiate/Re-auth added as Wrapper Data element. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-04 15:32:07 +03:00
OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station This extends OWE support in wpa_supplicant to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). The group is configured using the new network profile parameter owe_group. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 16:39:08 +03:00
struct wpabuf * owe_build_assoc_req(struct wpa_sm *sm, u16 group);
OWE: PMKSA caching in station mode This extends OWE support in wpa_supplicant to allow PMKSA caching to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 12:08:57 +03:00
int owe_process_assoc_resp(struct wpa_sm *sm, const u8 *bssid,
const u8 *resp_ies, size_t resp_ies_len);
OWE: Process Diffie-Hellman Parameter element in STA mode This adds STA side addition of OWE Diffie-Hellman Parameter element into (Re)Association Request frame and processing it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 11:53:21 +02:00
FILS: Track completion with FILS shared key authentication offload Update the internal fils_completed state when offloading FILS shared key authentication to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-22 16:10:05 +05:30
void wpa_sm_set_reset_fils_completed(struct wpa_sm *sm, int set);
FILS: Update cache identifier on association This is needed when offloading FILS shared key to the drivers. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-22 16:10:05 +05:30
void wpa_sm_set_fils_cache_id(struct wpa_sm *sm, const u8 *fils_cache_id);
DPP2: PFS for PTK derivation Use Diffie-Hellman key exchange to derivate additional material for PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element (defined in OWE RFC 8110) is used in association frames to exchange the DH public keys. For backwards compatibility, ignore missing request/response DH parameter and fall back to no PFS in such cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-17 23:51:53 +02:00
void wpa_sm_set_dpp_z(struct wpa_sm *sm, const struct wpabuf *z);
Store secure ranging driver capabilities in WPA state machine Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-20 19:26:02 +05:30
void wpa_pasn_sm_set_caps(struct wpa_sm *sm, unsigned int flags2);
PASN: Remove wpa_sm dependency to add an entry to PMKSA cache Store PMKSA cache entry in wpas_pasn and remove wpa_sm dependency to add an entry to PMKSA cache. This is a step towards allowing the PASN implementation to be used outside the context of wpa_supplicant. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-18 23:27:13 +05:30
struct rsn_pmksa_cache * wpa_sm_get_pmksa_cache(struct wpa_sm *sm);
void wpa_sm_set_cur_pmksa(struct wpa_sm *sm,
struct rsn_pmksa_cache_entry *entry);
MLD STA: Use AP MLD address to derive pairwise keys Use AP MLD address to derive pairwise keys for MLO connection. Current changes are handling only PTK derivation during EAPOL-Key 4-way handshake and FILS authentication, i.e., FT protocol case needs to be addressed separately. Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-03 13:38:47 +05:30
const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm);
SAE: Remove current PMKSA from driver after reauth threshold is passed wpa_supplicant postpones expired PMKSA deletion untillassociation is lost for SAE to avoid forced disconnection. But during this time the driver may use the expired PMKSA for reassociation with the current connected AP. Remove the current PMKSA for SAE from the driver after reauth threshold is passed when the driver takes care of BSS selection. Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-09-27 11:27:13 +05:30
void wpa_sm_set_driver_bss_selection(struct wpa_sm *sm,
bool driver_bss_selection);
FILS: Track completion with FILS shared key authentication offload Update the internal fils_completed state when offloading FILS shared key authentication to the driver. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-22 16:10:05 +05:30
Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release
2008-02-27 17:34:43 -08:00
#endif /* WPA_H */
Reference in a new issue Copy permalink