Commit graph

190 commits

Author SHA1 Message Date
Jouni Malinen
0c043d9de7 DPP2: Reconfig Announcement transmission
Extend DPP chirping mechanism to allow Reconfig Announcement frames to
be transmitted instead of the Presence Announcement frames. Add a new
wpa_supplicant control interface command "DPP_RECONFIG <network id>" to
initiate reconfiguration for a specific network profile.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
d4ae12355a DPP: Move PKEX functionality into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
87b6572616 DPP: Move crypto routines into a separate source code file
This is an initial step in splitting the overly long dpp.c into smaller
pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 12:09:24 +03:00
Disha Das
6b1c590ebb Allow TKIP support to be removed from build
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.

Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-04-17 23:51:58 +03:00
Jouni Malinen
97beccc838 SAE: Fix build without DPP/OWE/ERP
SAE needs sha256-kdf.c to be included in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 18:11:11 +03:00
P Praneesh
7c8f540ee0 wpa_supplicant: Add HE override support
Add HE override support under the build parameter CONFIG_HE_OVERRIDES=y.
The disable_he=1 network profile parameter can be used to disable HE.
This requires a fallback to VHT on the 5 GHz band and to HT on the 2.4
GHz band.

There is no nl80211 support for configuring the driver to disable HE, so
for now, this applies only to IBSS and mesh cases.

Signed-off-by: P Praneesh <ppranees@codeaurora.org>
2020-03-30 12:55:01 +03:00
Jouni Malinen
200c7693c9 Make WEP functionality an optional build parameter
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 17:45:25 +02:00
Jouni Malinen
f3bcd69603 Remove CONFIG_IEEE80211N build option
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
312eac1d1e DPP: Add ASN.1 support into build
This will be needed in following patches to process DPPEnvelopedData.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:16:05 +02:00
Andrei Otcheretianski
522450b7b1 AP: Determine Short SSID value for the BSS
This can be used in the future to implement support for RNR and scanning
extensions using a shorter field for the SSID.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-12-28 22:32:14 +02:00
Vamsi Krishna
3f3876344e SAE: Enable NEED_DH_GROUPS_ALL for CONFIG_TESTING_OPTIONS=y builds
Enable all DH FFC groups for SAE in wpa_supplicant testing builds. These
are needed to allow more testing coverage for AP functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-12-20 16:27:19 +02:00
Jouni Malinen
1eff2e7bf1 DPP2: Fix wpa_supplicant build dependencies for CONFIG_AP=y build
Fix CONFIG_DPP2=y with CONFIG_AP=y build for cases where the needed
dependencies were not pulled in by other optional build parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:44:07 +03:00
Jouni Malinen
d2bae5763d DPP: Fix wpa_supplicant build dependencies for DPP-only build
Fix CONFIG_DPP=y build for cases where the needed dependencies were not
pulled in by other optional build parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:39:43 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Jouni Malinen
52069c7eff Add TLS-PRF using HMAC with P_SHA384 for TEAP
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-16 21:16:37 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
Jouni Malinen
2b84ca4dd9 Share common SAE and EAP-pwd functionality: suitable groups
Start sharing common SAE and EAP-pwd functionality by adding a new
source code file that can be included into both. This first step is
bringing in a shared function to check whether a group is suitable.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-25 23:49:49 +03:00
Jouni Malinen
ce7effd08f DPP2: Build configuration flags for DPP version 2 support
The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is
used to control whether new functionality defined after the DPP
specification v1.0 is included. All such functionality are considered
experimental and subject to change without notice and as such, not
suitable for production use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 12:00:09 +02:00
Lubomir Rintel
6a8dee76d4 wpa_supplicant: Drop the old D-Bus interface support
This drops support for the fi.epitest.hostap.WPASupplicant D-Bus name
along with the associated CONFIG_CTRL_IFACE_DBUS option. Nothing should
really be using this since 2010.

This is a just a straightforward removal. Perhaps the dbus_common.c and
dbus_new.c can be merged now. Also, the "_NEW" suffix of the config
option seems to make even less sense than it used to.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-03-09 18:33:26 +02:00
Mathy Vanhoef
6ab73efa72 OCV: Add utility functions to insert OCI elements
This commit adds utility functions to insert various encoding of the OCI
element.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 00:02:14 +02:00
Mathy Vanhoef
138205d600 OCV: Add build configuration for channel validation support
Add compilation flags for Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Jouni Malinen
ee2c6bb5e5 Remove CONFIG_IEEE80211R_AP=y build option from wpa_supplicant
There is no existing mechanism for setting up AP mode functionality with
FT enabled, so there is not really much point in having a build option
for trying to include the AP-to-AP FT functionality into wpa_supplicant
either. Since this build option results in failures to complete the
build, simply remove it completely. This can be restored if there is
ever desire to enable FT functionality in wpa_supplicant controlled AP
mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-04-02 17:00:45 +03:00
Jouni Malinen
b7ed94834d GnuTLS: Add option to build with libnettle instead of libgcrypt
GnuTLS-based builds can now be done using either libnettle or libgcrypt
for crypto functionality:

CONFIG_TLS=gnutls
CONFIG_CRYPTO=nettle

CONFIG_TLS=gnutls
CONFIG_CRYPTO=gnutls

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-29 17:13:57 +02:00
Jouni Malinen
133f8d09fc GnuTLS: Implement HMAC functions using libgcrypt
Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with
the ones from libgcrypt and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:35:26 +02:00
Jouni Malinen
85c12a62ee GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
Replace the internal SHA256 implementation with the one from libgcrypt
and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:21:37 +02:00
Sean Parkinson
04b1bcc5f3 EAP-pwd: Use abstract crypto API
This makes it easier to use EAP-pwd with other crypto libraries than
OpenSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 21:40:21 +02:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
ec9f483774 OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station
This extends OWE support in wpa_supplicant to allow DH groups 20 and 21
to be used in addition to the mandatory group 19 (NIST P-256). The group
is configured using the new network profile parameter owe_group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
a6f238f217 DPP: Add base64 dependency in makefiles
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-04 13:31:21 +03:00
Avraham Stern
b5bf84ba39 WNM: Differentiate between WNM for station and for AP in build
Previously, CONFIG_WNM enabled build that supports WNM for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode WNM is required and there is no need for AP mode WNM.

Add support to differentiate between station mode WNM and AP mode
WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be
used when AP mode WNM support is required in addition to station mode
WNM. This allows binary size to be reduced for builds that require
only the station side WNM functionality.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-18 13:28:09 +03:00
Beniamino Galvani
2b9891bd6e OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:55:22 +03:00
Jouni Malinen
9c2b8204e6 DPP: Integration for hostapd
This adds DPP bootstrapping, authentication, and configuration into
hostapd similarly to how the design was integrated in wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
461d39af40 DPP: Configuration exchange
This adds support for DPP Configuration Protocol using GAS. Full
generation and processing of the configuration object is not included in
this commit.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:15 +03:00
Jouni Malinen
30d27b048e DPP: Authentication exchange
Add wpa_supplicant control interface commands for managing DPP
Authentication exchange.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:12:30 +03:00
Jouni Malinen
be27e185b7 DPP: Bootstrap information management
Add wpa_supplicant control interface commands for parsing the bootstrap
info URI from a QR Code (get peer public key) and to generate a new
bootstrap info with private key for local use. The optional
key=<hexdump> argument to the DPP_BOOTSTRAP_GEN command can be used to
specify the bootstrapping private key in OpenSSL ECPrivateKey DER
encoding format. This results in the local bootstrapping information
entry being created with the specified key instead of generating a new
random one.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 12:03:30 +03:00
Jouni Malinen
005be3daa9 Add JavaScript Object Notation (JSON) parser (RFC7159)
This is needed for DPP configuration attributes/objects.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:51 +03:00
Jouni Malinen
77f273c82c Extend SHA-384 and SHA-512 support to match SHA-256
The additional SHA-384 and SHA-512 functionality is needed to support
DPP with various ECC curves.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:12 +03:00
Vamsi Krishna
35bb8a9a57 Android: Define CONFIG_TESTING_OPTIONS if enabled in config
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-05 00:26:06 +03:00
Jouni Malinen
470f08b4f6 Enable CONFIG_WNM=y automatically for CONFIG_MBO=y builds
wpa_supplicant build with MBO enabled failed in CONFIG_WNM=y was not
specified explicitly. Add the WNM dependency automatically to avoid
needing explicit addition in build configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-05-01 17:39:14 +03:00
Jouni Malinen
76e20f4fa7 FILS: Add FILS SK auth PFS support in STA mode
This adds an option to configure wpa_supplicant to use the perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime network profile parameter fils_dh_group is used to enable
this by specifying which DH group to use. For example, fils_dh_group=19
would use FILS SK PFS with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Jouni Malinen
6115238492 OWE: Add CONFIG_OWE=y build option
This can be used to enable OWE support in hostapd and wpa_supplicant
builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
c4bb39707f Fix AES-SIV build dependencies
aes-siv.c needs functions from aes-ctr.c and aes-omac1.c, so set
NEED_AES_CTR=y and NEED_AES_OMAC1=y if NEED_AES_SIV is defined. This
fixes some build configuration combinations where either of those
dependencies were not pulled in through other parameters. For example,
some CONFIG_FILS=y cases were impacted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-26 12:05:40 +02:00
Peng Xu
d512f406fc hostapd: Add IEEE 802.11ax HE IEs into Beacon/Probe Response frames
IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response
frames. These elements are using vendor specific forms for now since the
IEEE 802.11ax draft is not yet finalized and the element contents is
subject to change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:55 +02:00
Peng Xu
94380cb40a hostapd: Initial IEEE 802.11ax (HE) definitions
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:52 +02:00
Jouni Malinen
62944f7d2c Add HMAC-SHA384 with internal crypto
This is a copy of the internal HMAC-SHA256 implementation with the hash
block size and output length updated to match SHA384 parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-16 22:15:29 +02:00
Jouni Malinen
b5562a1a6e FILS: Remove CRC32 dependency from build
The published P802.11ai version does not use CRC32 anymore, so remove
inclusion of crc32.o into wpa_supplicant and hostapd builds based on
CONFIG_FILS=y.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-13 23:17:31 +02:00
Jouni Malinen
54b04d6f39 FILS: Move HLP request handling into a separate file
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:13 +02:00
Avraham Stern
76196ddb2b wpa_supplicant: Add support for Beacon Report Radio Measurement
Beacon Report Radio Measurement is defined in IEEE Std 802.11-2016,
11.11.9.1. Beacon Report is implemented by triggering a scan on the
requested channels with the requested parameters.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:30 +02:00
Avraham Stern
ec493469f6 wpa_supplicant: Move RRM implementation to a dedicated file
As support for new RRM measurements will be added, the RRM
implementation will become quite large, so move it to a dedicated file.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Jouni Malinen
3459381dd2 External persistent storage for PMKSA cache entries
This adds new wpa_supplicant control interface commands PMKSA_GET and
PMKSA_ADD that can be used to store PMKSA cache entries in an external
persistent storage when terminating a wpa_supplicant process and then
restore those entries when starting a new process. The previously added
PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing
the external storage with the memory-only volatile storage within
wpa_supplicant.

"PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to
a specific network profile. The network_id of the current profile is
available with the STATUS command (id=<network_id). In addition, the
network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The
output of the PMKSA_GET command uses the following format:

<BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds>
<akmp> <opportunistic>

For example:

02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0

The PMKSA_GET command uses the following format:

<network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration
in seconds> <akmp> <opportunistic>

(i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET
output data; however, the reauth_time and expiration values need to be
updated by decrementing them by number of seconds between the PMKSA_GET
and PMKSA_ADD commands)

For example:

PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0

This functionality is disabled be default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be
noted that this allows any process that has access to the wpa_supplicant
control interface to use PMKSA_ADD command to fetch keying material
(PMK), so this is for environments in which the control interface access
is restricted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 23:47:04 +02:00