CONFIG_TLS=linux can now be used to select the crypto implementation
that uses the user space socket interface (AF_ALG) for the Linux kernel
crypto implementation. This commit includes some of the cipher, hash,
and HMAC functions. The functions that are not available through AF_ALG
(e.g., the actual TLS implementation) use the internal implementation
(CONFIG_TLS=internal).
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds new wpa_supplicant control interface commands PMKSA_GET and
PMKSA_ADD that can be used to store PMKSA cache entries in an external
persistent storage when terminating a wpa_supplicant process and then
restore those entries when starting a new process. The previously added
PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing
the external storage with the memory-only volatile storage within
wpa_supplicant.
"PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to
a specific network profile. The network_id of the current profile is
available with the STATUS command (id=<network_id). In addition, the
network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The
output of the PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds>
<akmp> <opportunistic>
For example:
02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0
The PMKSA_GET command uses the following format:
<network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration
in seconds> <akmp> <opportunistic>
(i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET
output data; however, the reauth_time and expiration values need to be
updated by decrementing them by number of seconds between the PMKSA_GET
and PMKSA_ADD commands)
For example:
PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0
This functionality is disabled be default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be
noted that this allows any process that has access to the wpa_supplicant
control interface to use PMKSA_ADD command to fetch keying material
(PMK), so this is for environments in which the control interface access
is restricted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.
Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new wpa_supplicant command line argument -M can be used to describe
matching rules with a wildcard interface name (e.g., "wlan*").
This is very useful for systems without udev (Linux) or devd (FreeBSD).
Signed-off-by: Roy Marples <roy@marples.name>
Since hostapd supports ACS now, let's enable its support in
wpa_supplicant as well when starting AP mode.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
[u.oelmann@pengutronix.de: adjusted added text in defconfig]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Linux packet socket workaround(*) has an impact in performance when the
workaround socket needs to be kept open to receive EAPOL frames. While
this is normally avoided with a kernel that has the issue addressed by
closing the workaround packet socket when detecting a frame through the
main socket, it is possible for that mechanism to not be sufficient,
e.g., when an open network connection (no EAPOL frames) is used.
Add a build option (CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y) to disable the
workaround. This build option is disabled by default and can be enabled
explicitly on distributions which have an older kernel or a fix for the
kernel regression.
Also remove the unused variable num_rx.
(*) Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596
('bridge: respect RFC2863 operational state') from 2012 introduced a
regression for using wpa_supplicant with EAPOL frames and a station
interface in a bridge.
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
This allows the binary sizes to be reduced if no support for nl80211
vendor extensions are needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The driver_test.c driver wrapper (-Dtest in wpa_supplicant and
driver=test in hostapd) was previously used for testing without real
Wi-Fi hardware. mac80211_hwsim-based tests have practically replaced all
these needs and there has been no improvements or use for driver_test.c
in a long while. Because of this, there has not really been any effort
to maintain this older test tool and no justification to change this
either. Remove the obsoleted test mechanism to clean up the repository.
Signed-off-by: Jouni Malinen <j@w1.fi>
This patch adds epoll option for the eloop implementation. This can be
selected with the CONFIG_ELOOP_EPOLL=y build option.
[merit]
See Table1.
Table1. comparison table
+--------+--------+-----------+------------+-------------+
| | add fd | remove fd | prepare fd | dispatch fd |
+--------+--------+-----------+------------+-------------+
| select | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| poll | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| epoll | O(1) | O(1) | 0 | O(M) |
+--------+--------+-----------+------------+-------------+
"add fd" is addition of fd by eloop_sock_table_add_sock().
"remove fd" is removal of fd by eloop_sock_table_remove_sock().
"prepare fd" is preparation of fds before wait in eloop_run().
"dispatch fd" is dispatchment of fds by eloop_sock_table_dispatch().
"N" is all watching fds.
"M" is fds which could be dispatched after waiting.
As shown in Table1, epoll option has better performance on "prepare fd" column.
Because select/poll option requires setting fds before every select()/poll().
But epoll_wait() doesn't need it.
And epoll option has also better performance on "dispatch fd" column.
Because select/poll option needs to check all registered fds to find out
dispatchable fds. But epoll option doesn't require checking all registered fds.
Because epoll_wait() returns dispatchable fd set.
So epoll option is effective for GO/AP functionality.
[demerit]
The epoll option requires additional heap memory. In case of P2P GO, it is
about 8K bytes.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add IPv6 support when using udp/udp-remote control interface using the
following new build configuration options:
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote
This is useful for testing, while we don't need to assign IPv4 address
(static or using DHCP) and can just use auto configured IPv6 addresses
(link local, which is based on the MAC address). Also add scope id
support for link local case.
For example,
./wpa_cli
./wpa_cli -i ::1,9877
./wpa_cli -i fe80::203:7fff:fe05:69%wlan0,9877
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
These old driver wrappers have been removed quite some time ago, but
some of the build configuration notes were still describing how they
are configured.
Signed-hostap: Jouni Malinen <j@w1.fi>
This was supposed to be a minimal sample of eloop wrapper, but it is
unclear whether this is of that much use and the file has not been kept
up-to-date. Remove this file to reduce maintenance effort. The other
eloop*.c files can be used as a starting point if something new is
needed.
Signed-hostap: Jouni Malinen <j@w1.fi>
In order to support P2P GO with 11ac support, add CONFIG_IEEE80211AC
config option support to the Makefile.
Signed-hostap: Eliad Peller <eliadx.peller@intel.com>
There is not much use for enabling WPA without WPA2 nowadays since most
networks have been upgraded to WPA2. Furthermore, the code size savings
from disabling just WPA2 are pretty small, so there is not much
justification for maintaining this build option. Remove it to get rid of
undesired complexity.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This updates number of comments in android.config to match the latest
version in defconfig and adds some of the entries that were previously
present only in android.config into defconfig.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add support for VHT capability overrides to allow testing connections
with a subset of the VHT capabilities that are actually supported by
the device. The only thing that isn't currently supported (by mac80211
and this code) is the RX/TX highest rate field.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Add new option for ctrl iface: CONFIG_CTRL_IFACE=udp-remote. This
enables remote access to control interface via UDP port(s). This should
be used for testing purpose only since there is no authentication or
access control on the commands.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
This module will sets a fixed scanning interval. Thus, the parameter to
this module is following this format: <fixed interval>
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
This module will compute the interval on a base exponential. Thus,
params to this module are following this format: <base>:<limit>
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Like bgscan, autoscan is an optional module based feature to automate
scanning but while disconnected or inactive.
Instead of requesting directly a scan, it only sets the scan_interval
and the sched_scan_interval. So, if the driver supports sched_scan,
autoscan will be able to tweak its interval. Otherwise, the tweaked
scan_interval will be used. If scan parameters needs to be tweaked, an
autoscan_params pointer in wpa_s will provide those. So req_scan /
req_sched_scan will not set the scan parameters as they usually do, but
instead will use this pointer.
Modules will not have to request a scan directly, like bgscan does.
Instead, it will need to return the interval it wants after each
notification.
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
If WNM is enabled for the build (CONFIG_WNM=y), add BSS max idle period
information to the (Re)Association Response frame from the AP and parse
this information on the station. For SME-in-wpa_supplicant case, add a
timer to handle periodic transmission of the keep-alive frame. The
actual request for the driver to transmit a frame is not yet
implemented.
Signed-hostap: Jouni Malinen <j@w1.fi>
I think this comment, as originally stated, says the opposite of
what is meant. Reword to help the next guy.
Signed-hostap: Angie Chinchilla <angie.v.chinchilla@intel.com>
Add the option (-T) to wpa_supplicant to log all debug messages into the
kernel tracing, allowing to aggregate kernel debugging with
wpa_supplicant debugging and recording all with trace-cmd.
Since tracing has relatively low overhead and can be filtered
afterwards, record all messages regardless of log level. However, it
will honor the -K option and not record key material by default.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When using more than around 200 virtual stations, we start hitting the
max number of file descriptors supported by select(). This patch adds
support for poll(), which has no hard upper limit.
Signed-hostap: Ben Greear <greearb@candelatech.com>
This allows HT capabilities overrides on kernels that
support these features.
MCS Rates can be disabled to force to slower speeds when using HT.
Rates cannot be forced higher.
HT can be disabled, forcing an 802.11a/b/g/n station to act like
an 802.11a/b/g station.
HT40 can be disabled.
MAX A-MSDU can be disabled.
A-MPDU Factor and A-MPDU Density can be modified.
Please note that these are suggestions to the kernel. Only mac80211
drivers will work at all. The A-MPDU Factor can only be decreased and
the A-MPDU Density can only be increased currently.
Signed-hostap: Ben Greear <greearb@candelatech.com>
This allows the internal TLS implementation to be built for TLS v1.2
support. In addition to the build option, this changes the TLS PRF
based on the negotiated version number. Though, this commit does not
yet complete support for TLS v1.2.
Signed-hostap: Jouni Malinen <j@w1.fi>
This code was used only with driver_test.c to allow MLME operations
in hostapd to be tested without having to use a real radio. There
are no plans on extending this to any other use than testing and
mac80211_hwsim has now obsoled the need for this type of testing.
As such, we can drop this code from wpa_supplicant to clean up the
implementation of unnecessary complexity.
The new wpa_supplicant.conf file global parameters interworking and
hessid can be used to configure wpa_supplicant to include
Interworking element in Probe Request frames.
These protocols seem to be abandoned: latest IETF drafts have expired
years ago and it does not seem likely that EAP-TTLSv1 would be
deployed. The implementation in hostapd/wpa_supplicant was not complete
and not fully tested. In addition, the TLS/IA functionality was only
available when GnuTLS was used. Since GnuTLS removed this functionality
in 3.0.0, there is no available TLS/IA implementation in the latest
version of any supported TLS library.
Remove the EAP-TTLSv1 and TLS/IA implementation to clean up unwanted
complexity from hostapd and wpa_supplicant. In addition, this removes
any potential use of the GnuTLS extra library.
This can be used to avoid rejection of first two 4-way handshakes every
time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new
command line parameter, -e, can now be used to specify an entropy file
that will be used to maintain the needed state.
By default, make hostapd and wpa_supplicant maintain an internal
entropy pool that is fed with following information:
hostapd:
- Probe Request frames (timing, RSSI)
- Association events (timing)
- SNonce from Supplicants
wpa_supplicant:
- Scan results (timing, signal/noise)
- Association events (timing)
The internal pool is used to augment the random numbers generated
with the OS mechanism (os_get_random()). While the internal
implementation is not expected to be very strong due to limited
amount of generic (non-platform specific) information to feed the
pool, this may strengthen key derivation on some devices that are
not configured to provide strong random numbers through
os_get_random() (e.g., /dev/urandom on Linux/BSD).
This new mechanism is not supposed to replace proper OS provided
random number generation mechanism. The OS mechanism needs to be
initialized properly (e.g., hw random number generator,
maintaining entropy pool over reboots, etc.) for any of the
security assumptions to hold.
If the os_get_random() is known to provide strong ramdom data (e.g., on
Linux/BSD, the board in question is known to have reliable source of
random data from /dev/urandom), the internal hostapd random pool can be
disabled. This will save some in binary size and CPU use. However, this
should only be considered for builds that are known to be used on
devices that meet the requirements described above. The internal pool
is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
CONFIG_WPA_CLI_EDIT=y can now be used to build wpa_cli with internal
implementation of line editing and history support. This can be used
as a replacement for CONFIG_READLINE=y.
This patch adds support for wired IEEE 802.1X client on the Solaris.
I have tested with these:
OS : OpenSolaris 2009.06
EAP : EAP-MD5
Switch : Cisco Catalyst 2950
The XML used in D-Bus introspection is simple and there is no need to use
libxml2 to generate it. This gets rid of the dependency on the large
library by using internal XML generation.
This will allow more cleanup to be done for scan results processing
since all code can now be made to depend on the BSS table instead of
the temporary scan results.
Once remaining code has been converted to use the BSS table, the new
scan results can be freed immediately after the BSS table has been
updated. In addition, filtering of BSS information should be added
to better support systems with limited resources. For now, memory
use can be limited by defining WPA_BSS_MAX_COUNT to be smaller.
Anyway, better filtering of results to only the configured networks
should be added to improve this.
Collect information from scan results into a BSS table that will not
expire information as quickly as scan results where every new scan,
no matter for how limited set of channels/SSIDs, clears all old
information.
For now, this is only used for D-Bus BSS added/removed notifications,
but this will likely be extended to be used internally instead of the
scan results to better support partial scans.
The Prism54.org project seems have been dead for a while and it does not
look like this driver would ever be maintained again. Furthermore, it is
difficult to find a version that would work with the driver_prism54.c
wrapper and there is another driver for these card in the Linux kernel
tree.
The hostapd integration in driver_prism54.c is quite different from the
other driver wrappers and would require major effort to get it cleaned
up. Since there does not seem to be any real users for the cleaned up
version, there does not seem to be justification to spend this effort on
the wrapper. This old code is making it much more difficult to clean up
the driver interface and at this point, the best option seems to be to
remove the driver wrappers. Should someone really still need this, the
old code will continue to be available in hostapd 0.6.x.
These driver wrappers should not be used anymore; WEXT should be used
instead. However, there may still be users stuck on older kernel versions
that may require driver specific wrappers, so the source code still
remains in the repository.
This patch implements the new DBus API. Both, the new and the
previous API may work concurrently and may be turned on or off
separately in .config file.
Some features of the new API are:
- more wpa_supplicant's events are signaled with DBus signals,
- introspection data (requires libxml2 and may be disabled),
- CurrentBSS and CurrentNetwork properties,
- PropertyChanged signal for most of properties,
- Relatively easy to extend.
.config options for the new API are: CONFIG_CTRL_IFACE_DBUS_NEW=y and
CONFIG_CTRL_IFACE_DBUS_INTRO=y for introspection.
This commit misses couple of parts from the full implementation
(these are still under review):
- fetching all configuration parameters for learning WPS information
- scan result BSS add/remove notification (register_bss() and
unregister_bss() notification callbacks)
This is based on a patch from Pavel Roskin <proski@gnu.org>, but with
the WIRELESS_DEV part removed instead of moved since it does not apply
anymore. Additional note on client MLME limitations was also added.
MadWifi is unlikely to be in ../head relative to hostapd or
wpa_supplicant, as it would be inside the hostap git repository.
MadWifi sources are more likely to be in a directory called "madwifi"
and residing outside the hostap repository. Using "madwifi" also
demonstrates that the top-level madwifi directory is needed.
This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.
Currently, hostapd has more complete configuration option for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
an Registrar to configure an AP, this is still using number of hardcoded
parameters which will need to be made configurable for proper operation.
Find attached the patch that creates a new driver: roboswitch. This
driver adds support for wired authentication with a Broadcom
RoboSwitch chipset. For example it is now possible to do wired
authentication with a Linksys WRT54G router running OpenWRT.
LIMITATIONS
- At the moment the driver does not support the BCM5365 series (though
adding it requires just some register tweaks).
- The driver is also limited to Linux (this is a far more technical
restriction).
- In order to compile against a 2.4 series you need to edit
include/linux/mii.h and change all references to "u16" in "__u16". I
have submitted a patch upstream that will fix this in a future version
of the 2.4 kernel. [These modifications (and more) are now included in
the kernel source and can be found in versions 2.4.37-rc2 and up.]
USAGE
- Usage is similar to the wired driver. Choose the interfacename of
the vlan that contains your desired authentication port on the router.
This name must be formatted as <interface>.<vlan>, which is the
default on all systems I know.
Remove the old code from driver_wext.c since the private ioctl interface is
never going to be used with mac80211. driver_nl80211.c has an
implementation than can be used with mac80211 (with two external patches to
enable userspace MLME configuration are still required, though).
delaying Michael MIC error reports by a random amount of time between 0 and
60 seconds if multiple Michael MIC failures are detected with the same PTK
(i.e., the Authenticator does not rekey PTK on first failure report). This
is disabled by default and can be enabled with a build option
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config.
This may help in making a chopchop attack take much longer time by forcing
the attacker to wait 60 seconds before knowing whether a modified frame
resulted in a MIC failure.
This was not accurate since this was mostly based on total runtime of an
eapol_test run. The real improvement in the bignum routines is much larger
(mayby twice as fast as before).
CONFIG_INTERNAL_LIBTOMMATH_FAST=y in .config can now be used to enable all
optimized routines at a cost of about 4 kB. This is small enough increase
in size to justify simplified configuration.
At the cost of about 1 kB of additional binary size, the internal
LibTomMath can be configured to include faster div routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_DIV=y in
.config.
At the cost of about 0.5 kB of additional binary size, the internal
LibTomMath can be configured to include faster sqr routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_SQR=y in
.config.
Add a cost of about 2.5 kB of additional cost, the internal LibTomMath can
be configured to include fast exptmod routine to speed up DH and RSA.
This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_EXPTMOD=y in
.config.