Map to correct control interface commands for PASN start and stop.
Fixes: ad338cfe58 ("ctrl_iface: Add support for PASN authentication")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.
Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.
Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.
Signed-off-by: Jeffery Miller <jefferymiller@google.com>
Add support to fetch and indicate per-link MLO signal poll information
via a new control interface command MLO_SIGNAL_POLL.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The DPP_CONTROLLER_START control interface command can be used without
any arguments, so do not force at least a single argument to be included
in wpa_cli and hostapd_cli.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Extend DPP push button support in wpa_supplicant to allow the role of
the Configurator to be used. This provides similar functionality to the
way the DPP_PUSH_BUTTON command in hostapd worked when providing the
configuration parameters with that command (instead of building the
config object based on current AP configuration).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to use a push button -based bootstrap mechanism with DPP.
The new DPP_PUSH_BUTTON control interface command enables this mode on
the AP/hostapd and station/wpa_supplicant. This goes through the
following sequence of events: a suitable peer in active push button mode
is discovered with session overlap detection, PKEX is executed with
bootstrap key hash validation, DPP authentication and configuration
exchanges are performed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The DH file parameters are applicable only for the TLS server, so this
parameter did not really have any impact to functionality. Remove it to
get rid of useless code and confusing documentation for the network
block configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add AP mode commands for ACL and BTM into wpa_cli similarly to the way
these were already available in hostapd_cli.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
Add the support of engine, engine_id, ca_cert_id, cert_id, and key_id
parameters to credential blocks for Hotspot 2.0.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
Support adding/deleting vendor elements dynamically for AP mode while it
is started by wpa_supplicant instead of hostapd which already supported
this. This adds ap_assocresp_elements global parameter and UPDATE_BEACON
control interface command to take the changed values into effect.
Usage in wpa_cli:
Add vendor IE for (Re)Association Response frames
> set ap_assocresp_elements=xxxx
Add vendor IE for Beacon/Probe Response frames
> set ap_vendor_elements=xxxx
Delete vendor IE from (Re)Association Response frames
> set ap_assocresp_elements
Delete vendor IE from Beacon/Probe Response frames
> set ap_vendor_elements
To make vendor IE changes take effect
> update_beacon
Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
The new wpa_supplicant control interface command "PASN_DEAUTH
bssid=<BSSID>" can now be used to flush the local PTKSA cache for the
specified BSS and to notify the AP to request it to drop its PTKSA as
well.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This adds new control interface commands TWT_SETUP and TWT_TEARDOWN. For
now, these are only for testing purposes to be able to trigger
transmission of the TWT Action frames without configuring any local
behavior for TWT in the driver.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Use a more specific name for the control interface command used for
managing the list of BSSIDs that are temporarily ignored.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rename the network profile parameters bssid_blacklist and
bssid_whitelist to bssid_ignore and bssid_accept to use more specific
names for the configuration of which BSSs are ignored/accepted during
BSS selection. The old parameter names are maintained as aliases for the
new names to avoid breaking compatibility with previously used
configurations.
Signed-off-by: Jouni Malinen <j@w1.fi>
For Android the default value of 5 seconds is usually too short for
scan results from last scan initiated from settings app to be
considered for fast-associate. Make the fast-associate timer value
configurable so that a suitable value can be set based on a systems
regular scan interval.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
WPS_EVENT_OVERLAP case was missing on wpa_cli_action_process function in
wpa_cli.c, so when the overlap event occurs, there was no event message
sent to the action script. Add this event case to the function.
Signed-off-by: Berkay Ercan <berkay.ercan@airties.com>
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Don't print potentially uninitialized variables in wpa_ctrl_command_bss().
Some compilers and analyzers may warn about it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add the DPP control interface chirp commands to the CLIs for greater
visibility and ease of use.
Signed-off-by: Wystan Schmidt <wystan.schmidt@charter.com>
The wpa_supplicant control interface returns maximum of 4 kB of response
data and, thus, limits maximum number of scan entries as part of
SCAN_RESULTS to approximately 60. Add a new all_bss command to use a
more robust iteration of the BSS table entries with the BSS command to
to get all scan entries and print them in the same format as the
scan_results command.
Signed-off-by: Purushottam Kushwaha <pkushwah@codeaurora.org>
Add support to query per interface type AKM capabilities through the
control interface. For example, "GET_CAPABILITY key_mgmt
iftype=STATION".
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add HE override support under the build parameter CONFIG_HE_OVERRIDES=y.
The disable_he=1 network profile parameter can be used to disable HE.
This requires a fallback to VHT on the 5 GHz band and to HT on the 2.4
GHz band.
There is no nl80211 support for configuring the driver to disable HE, so
for now, this applies only to IBSS and mesh cases.
Signed-off-by: P Praneesh <ppranees@codeaurora.org>
Support Extended Key ID in wpa_supplicant according to
IEEE Std 802.11-2016 for infrastructure (AP) associations.
Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing STAs to also connect to APs not supporting it.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
This allows starting point of the network list to be specified so that
the potentially long response can be fragmented into multiple fetch
operations.
Signed-off-by: Victor Ananyev <vindex10@gmail.com>
When the newly added "-r" parameter is used, both clis will try to
reconnect forever on connection lost until signalled (ctrl+c) or
terminated. This is useful only when used with -a to take action to
retrieve events or get status and the cli process stays even if
hostapd/wpa_supplicant daemons restart for some reason (e.g.,
configuration change).
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
This allows a P2P connection over P802.11ay EDMG channels to achieve the
highest link speed that the standard allows for channel bonding (CB) up
to CB4.
Let each P2P peer add its EDMG channels to the Supported Channels IE
advertised in P2P GO negotiation. Give EDMG channels priority when peers
negotiate for operating channel.
User may add 'edmg' parameter to p2p_connect, p2p_add_group, and
p2p_invite commands to prefer an EDMG channel for the P2P link. User may
also set p2p_go_edmg=1 in wpa_supplicant configuration file to prefer
EDMG.
When EDMG is used, P2P will try to find the highest channel bonding
supported channel that matches the frequency parameter, if the devices
do not support EDMG, the P2P connection will use a legacy (1-6) 60 GHz
channel.
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
There is no need for #ifdef/#else/#endif construction in
network_fields[] to cover "mode" (which is completely independent of
CONFIG_MESH) or two separate conditional blocks for mesh related network
fields, so move these into a single conditionally included block.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add two new configuration parameters for wpa_supplicant:
enable_edmg: Enable EDMG capability for STA/AP mode
edmg_channel: Configure channel bonding. In AP mode it defines the EDMG
channel to start the AP on. In STA mode it defines the EDMG channel to
use for connection.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
These are the driver-specific interface for the non-netdev P2P Device
interface and not something that useful for most use cases. Skip them to
allow the main netdev (e.g., wlan0 over p2p-dev-wlan0) to be selected.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Inject an Ethernet frame to a given peer bypassing next_hop lookup in
mpath table. Optional payload is expected to be hexdump without 0x.
usage:
wpa_cli -i <dev> mesh_link_probe <peer MAC> [payload=<hexdump of payload>]
example:
wpa_cli -i wlan0 mesh_link_probe aa:bb:cc:dd:ee:ff payload=aabb
wpa_cli -i wlan0 mesh_link_probe aa:bb:cc:dd:ee:ff
Signed-off-by: Pradeep Kumar chitrapu <pradeepc@codeaurora.org>
This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.
This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).
Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
Setting mem_only_psk=1 in the wpa_supplicant configuration prevents the
passphrase from being stored in the configuration file. wpa_supplicant
will request the PSK passphrase over the control interface in such case
and this new wpa_cli command can be used to set the psk_passphrase.
usage:
psk_passphrase <network id> <psk_passphrase>
Signed-off-by: Hagai Moshe <hagai.moshe@tandemg.com>
Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
Old code would just re-connect to a particular interface, even if user
had started wpa_cli with the '-g' option. Refactor global control
interface connection routine to allow it to be used in
wpa_cli_reconnect().
Signed-off-by: Ben Greear <greearb@candelatech.com>
Add new configuration parameters macsec_replay_protect and
macsec_replay_window to allow user to set up MACsec replay protection
feature. Note that according to IEEE Std 802.1X-2010 replay protection
and delay protection are different features: replay protection is
related only to SecY and does not appear on MKA level while delay
protection is something that KaY can use to manage SecY state.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>