Commit graph

4759 commits

Author SHA1 Message Date
Sunil Dutt
3263fca289 Set the default scan IEs on interface restart
Previously, these default scan IEs were set only when parameter values
changed and during the interface initialization, which can get lost in
the driver on an interface restart. Hence, also set these IEs on an
interface restart notification even when there has been no change in the
values since the last update to the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-07 11:43:12 +03:00
Jouni Malinen
422e73d623 DPP: Indicate authentication success on ConfReqRX if needed
It is possible to receive the Configuration Request frame before having
seen TX status for the Authentication Confirm. In that sequence, the
DPP-AUTH-SUCCESS event would not be indicated before processing the
configuration step and that could confuse upper layers that follow the
details of the DPP exchange. As a workaround, indicate DPP-AUTH-SUCCESS
when receiving the Configuration Request since the Enrollee/Responser
has clearly receive the Authentication Confirm even if the TX status for
it has not been received.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-05 13:31:14 +03:00
Arend van Spriel
cb28bd52e1 nl80211: Use separate flag for 4-way handshake offload
Commit d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload
in connect") used the req_key_mgmt_offload flag to indicate to the
driver that it should offload the 802.1X handshake. However, this field
was existing and used for a different offload API. This causes
wpa_supplicant to send a connect request without the WANT_1X_HS flag and
the subsequent set-pmk is rejected causing the connection to fail. Fix
that by introducing a new flag req_handshake_offload so the offloads are
no longer entangled.

Fixes: d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload in connect")
Reported-by: Stefan Wahren <wahrenst@gmx.net>
Tested-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
2019-08-01 15:52:48 +03:00
Brian Norris
cc2fd94258 D-Bus: Demote timeout/flush messages to MSG_MSGDUMP
We intentionally don't emit property-changed signals on every property
update -- for "less timing critical" messages we delay up to 5
milliseconds waiting to see if we can batch them together. When the
timer hits, we emit the signal anyway and (potentially) log this
message. This amounts to effectively tracing every property update,
which can be quite excessive.

Lower this to MSGDUMP, so MSG_DEBUG can remain slightly more sane.

Signed-off-by: Brian Norris <briannorris@chromium.org>
2019-07-31 22:06:33 +03:00
Yu Wang
0136864032 P2P: Pass HE flag to GO negotiation result
In order to set up P2P connection with HE capability,
the 'he' flag should be passed to GO negotiation result.

Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
2019-07-29 11:48:09 +03:00
Disha Das
5a511924b1 wpa_cli: Add support to process DPP action events in action script
Signed-off-by: Disha Das <dishad@codeaurora.org>
2019-07-24 20:16:02 +03:00
Jouni Malinen
64e37be945 Avoid nested enum wpas_mode declaration to allow C++ compilation
Move enum wpas_mode declaration to the global scope to avoid issues with
the recently added inline function wpas_mode_to_ieee80211_mode() using
it as an argument. This fixes C++ compilation issues with cases that
include wpa_supplicant_i.h.

Fixes: 3459c54ac7 ("mesh: Add support for HE mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-07-24 19:49:24 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
Jouni Malinen
d3a035169b Remove useless NULL comparison for an array
Now that the TLS peer_cert information is provided as a full struct to
handler functions, the altsubject pointer shows up as an array and
causes static analyzers to warn about unnecessary NULL comparison. Get
rid of that comparison now that it is clearly not needed anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-07 10:00:49 +03:00
Eric Caruso
91b6eba773 Move MAC address randomization enable/disable to helper functions
This makes it easier to share this for D-Bus implementation.

Signed-off-by: Eric Caruso <ejcaruso@chromium.org>
2019-06-26 20:56:01 +03:00
Sven Eckelmann
3459c54ac7 mesh: Add support for HE mode
Mesh points can partially support HE features (when requiring no
controlling STA/AP) as long as hardware supports it. The kernel just
requires support for HE mesh and wpa_supplicant can forward the peer
capabilities to the kernel for further processing.

Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-06-23 18:03:51 +03:00
Sven Eckelmann
f74618cb92 wpa_supplicant: Fix type for ssid->mode comparisons
The ssid->mode is from type enum wpas_mode and all its constants start
with WPAS_MODE_*. Still some of the code sections used the
IEEE80211_MODE_* defines instead of WPAS_MODE_*.

This should have no impact on the actual code because the constants for
INFRA, IBSS, AP and MESH had the same values.

Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-06-23 18:03:51 +03:00
Amit Khatri
30bbff142d DPP: Fix documentation to include operating class for URI
As per code dpp_parse_uri_chan_list() function checks "/" as separator
for operating class and operating channel. Update readme accordingly.

Signed-off-by: Amit Khatri <amit7861234@gmail.com>
2019-06-22 20:39:39 +03:00
Purushottam Kushwaha
dcc31e7957 HS 2.0: Skip credential without EAP method for roaming consortium match
EAP method is required for a credential that matches configured
roaming_consortium with an Interworking AP. Hence skip credentials which
do not have EAP method specified for this match. This fixes an issue
where a credential that cannot work without EAP method from NAI Realms
information is selected first based on roaming consortium.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:51 +03:00
Ankita Bajaj
ef59f98729 WNM: Provide option to disable/enable BTM support in STA
Add support to disable/enable BTM support using configuration and
wpa_cli command. This is useful mainly for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:51 +03:00
Jouni Malinen
21f1a1e66c Report TOD policy in peer certificate events
Add tod=1 to CTRL-EVENT-EAP-PEER-CERT events if the peer certificate
includes the TOD policy in the X.509v3 Certificate Policies extension.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00
Jouni Malinen
bc0634da4a Pass full struct to peer certificate callbacks
This makes it easier to add new information to the callbacks without
having to modify each callback function type in EAPOL and EAP code every
time.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00
Jouni Malinen
7deb0450bc Interworking: Print HESSID in debug messages
This makes it easier to understand ANQP queries needed during
Interworking network selection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-05 21:09:57 +03:00
leiwei
a93b369c17 macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
Srinivas Dasari
fb6ebd1ced SAE: Send external auth failure status to driver
wpa_supplicant prepares auth commit request as part of the external
authentication (first SAE authentication frame), but it fails to get
prepared when wpa_supplicant is started without mentioning the SAE
password in configuration. Send this failure status to the driver to
make it aware that the external authentication has been aborted by
wpa_supplicant.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
2019-05-31 16:52:15 +03:00
Sunil Dutt
cbfd0a263d P2P: Force p2p-send-action as the next radio work to execute
This increases the priority of the p2p-send-action radio work, i.e., the
radio work used for transmitting potentially offchannel P2P Action
frames by marking it as the next radio work to execute. This is to avoid
the delay in transmissions due to already queued offchannel radio work
items in the queue. In particular, this means not having to wait for a
pending p2p-scan radio work to be executed before the new P2P Action
frame can be transmitted. This helps in avoiding timeouts on the peer
device when a P2P Action frames is received during other activity on the
device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-31 16:52:15 +03:00
Sunil Dutt
2e3bff5919 P2P: Reject p2p-send-action work while other one is pending
The previous implementation rejects the p2p-send-action work while there
is already one in progress (wpas_send_action_cb() has already been
called for it to start operation). Enhance the same to also consider any
p2p-send-action works pending in the radio work (i.e., waiting for that
wpas_send_action_cb() call).

This is considering the current behaviour of P2P to handle the state
corresponding to respective Action frame transmission:
pending_action_state. If a new P2P Action frame transmission is queued
while there is another one already in the queue, the transmit status of
the first frame is wrongly intepreted by the P2P state machine which has
already scheduled/queued another frame for transmission.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-31 16:52:15 +03:00
Ankita Bajaj
a8391db7cf OCE: Use RSSI of actual BSS which rejected association
If an AP rejects association due to low RSSI, then RSSI of the BSS from
which association reject is received shall be used for calculating RSSI
threshold at which STA can try connecting back to that BSS later. In
case of SME offload, the current_bss might not have been set before
receiving association completion, so fetch the BSS entry based on the
BSSID provided in the driver event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-31 16:52:10 +03:00
Pradeep Kumar Chitrapu
7ace4328c0 wpa_supplicant: Add support to probe mesh link to given peer
Inject an Ethernet frame to a given peer bypassing next_hop lookup in
mpath table. Optional payload is expected to be hexdump without 0x.

usage:
wpa_cli -i <dev> mesh_link_probe <peer MAC> [payload=<hexdump of payload>]

example:
wpa_cli -i wlan0 mesh_link_probe aa:bb:cc:dd:ee:ff payload=aabb
wpa_cli -i wlan0 mesh_link_probe aa:bb:cc:dd:ee:ff

Signed-off-by: Pradeep Kumar chitrapu <pradeepc@codeaurora.org>
2019-05-28 14:38:30 +03:00
John Crispin
88005ee98d HE: Pass in HE information into hostapd_set_freq_params()
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:33:59 +03:00
John Crispin
464dcfd030 HE: Remove VHT_ prefix from CHANWITDH_* define
The bandwidth values are shared between VHT and HE mode so remove the
VHT specific prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:27:49 +03:00
Jouni Malinen
0de46d8a66 mesh: Fix RSN initialization failure handling
The driver was left in mesh mode (joined to the group) if RSN
authenticator initialization failed. This could result in next
operations failing due to unexpected driver state.

This was found with the following hwsim test case sequence:
mesh_wpa_auth_init_oom dpp_config_no_discovery

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-25 21:48:45 +03:00
Mohit Sethi
2f6700c9c6 defconfig: Add config parameter for SIM simulator for EAP-SIM
Allow compilation of internal GSM-Milenage implementation for EAP-SIM
testing with eapol_test.

Signed-off-by: Mohit Sethi <mohit.sethi@aalto.fi>
2019-05-25 16:26:44 +03:00
Jouni Malinen
e8ebef87cb WNM: Fix BSS Termination Duration subelement length validation
The length check for the BSS Termination Duration subelement was
accidentally removed and this could result in reading up to 10 bytes
beyond the end of a received frame. The actual read bytes would be
stored locally, but they were not used for anything, so other than
reading beyond the end of an allocated heap memory buffer, this did not
result in any behavior difference or exposure of the bytes.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14922
Fixes: 093226783d ("WNM: Simplify how candidate subelements are stored")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-25 01:19:33 +03:00
Jouni Malinen
a96c783645 dbus: Fix some memory leaks on error paths
wpa_dbus_dict_close_write() was not called if
fill_dict_with_properties() fails and that could result in leaking
memory. Fix this in two cases. There might be other missing calls to
jouni@codeaurora.org() on error paths, but those will need to be handled
separately with more complex changes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-08 22:06:46 +03:00
Jouni Malinen
d42df8d6ce Fix a regression in storing of external_auth SSID/BSSID
An earlier change in drivers_ops API for struct external_auth broke the
way SSID and BSSID for an external authentication request were stored.
The implementation depended on the memory array being available in the
API struct with a use of memcpy() to copy the full structure even though
when only SSID and BSSID was needed. Fix this by replacing that
easy-to-break storing mechanism with explicit arrays for the exact set
of needed information.

Fixes: dd1a8cef4c ("Remove unnecessary copying of SSID and BSSID for external_auth")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-28 16:24:32 +03:00
Jouni Malinen
9083ef1355 FT: Allow PMKSA caching to be enabled with FT-EAP
The new wpa_supplicant network profile configuration parameter
ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with
FT-EAP for FT initial mobility domain association. This is still
disabled by default (i.e., maintaining previous behavior) to avoid
likely interoperability issues.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 16:01:45 +03:00
Jouni Malinen
2b84ca4dd9 Share common SAE and EAP-pwd functionality: suitable groups
Start sharing common SAE and EAP-pwd functionality by adding a new
source code file that can be included into both. This first step is
bringing in a shared function to check whether a group is suitable.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-25 23:49:49 +03:00
Omer Dagan
fa335929b7 wpa_cli: Make CTRL-EVENT-CHANNEL-SWITCH available to action scripts
Signed-off-by: Omer Dagan <omer.dagan@tandemg.com>
2019-04-22 22:08:07 +03:00
Omer Dagan
95f556f3c7 Make channel switch started event available over control interface
This makes it easier to upper layer components to manage operating
channels in cases where the same radio is shared for both station and AP
mode virtual interfaces.

Signed-off-by: Omer Dagan <omer.dagan@tandemg.com>
2019-04-22 22:08:07 +03:00
Jouni Malinen
4be17ffbd9 Replace int status/reason_code with u16 variable
These cases are for the IEEE 802.11 Status Code and Reason Code and
those fields are unsigned 16 bit values, so use the more appropriate
type consistently. This is mainly to document the uses and to make the
source code easier to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-22 22:08:07 +03:00
Alex Khouderchah
cfde99a84b Add 802.11 reason code strings into wpa_supplicant messages
Logs involving IEEE 802.11 Reason Codes output the Reason Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each Reason Code using the latter part
of the reason code #define names.

Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
2019-04-22 22:08:05 +03:00
Jouni Malinen
2a5a068086 DPP2: wpa_supplicant as TCP initiator
A DPP TCP connection can now be initiated directly from wpa_supplicant
with the new new tcp_port and tcp_addr parameters to the DPP_AUTH_INIT
control interface command. This initiates DPP Authentication exchange
over TCP with the specified Controller instead of using DPP Public
Action frames over WLAN.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-22 21:08:59 +03:00
Jouni Malinen
c02dd10d76 DPP2: wpa_supplicant as Controller over TCP
New wpa_supplicant control interface commands "DPP_CONTROLLER_START
[tcp_port=<port>]" and "DPP_CONTROLLER_STOP" can be used to start and
stop listening to DPP requests over TCP in the Responder role. The TCP
connections are processed similarly to the ones that would have been
received over DPP Public Action frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-22 21:08:59 +03:00
Jouni Malinen
2ed2b52ff5 DPP: Add configuration structure to dpp_global_init()
This can be used to provide configurable parameter to the global DPP
context. This initial commit introduces the msg_ctx context pointer for
wpa_msg().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-21 21:35:32 +03:00
Jouni Malinen
6396282430 Preparations for v2.8 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-21 10:10:22 +03:00
Wiktor Drewniak
bce3d4f70e autoscan: Disable when we move above WPA_SCANNING state
In case of drivers that don't use wpa_supplicant as SME, autoscan
feature was never disabled.

Signed-off-by: Wiktor Drewniak <wiktor.drewniak@gmail.com>
2019-04-16 01:53:21 +03:00
Sergey Matyukevich
eb3234c07b SAE: Use open authentication to reassociate for PMKSA caching
For reassociation with the same AP wpa_supplicant attempts to use cached
PMKSA. For this purpose PMKID is passed in RSNE in (Re)Association
Request frame. In the case of SAE AP, open authentication shall be used
during reassociation. Otherwise cached PMKID becomes invalid after full
SAE authentication.

The previous implementation correctly handles SME-in-wpa_supplicant
cases. However SME-in-driver cases, complete SAE authentication is
performed. As a result, first reassociation attempt fails.

Fix SME-in-driver behavior by reseting authentication algorithm to
WPA_AUTH_ALG_OPEN when reassociating with SAE AP with an existing PMKSA
cache entry.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2019-04-16 01:53:21 +03:00
Avraham Stern
fe01cd0067 Fix FILS ERP association event with 4-way HS offload drivers
When FILS authentication is used with ERP, no EAPOL frames are expected
after association. However, for drivers that set the
WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X capability flag, the EAP state
machine was not configured correctly and was waiting for EAPOL frames,
which leads to disconnection.

Fix this by reordering the if branches to set the EAPOL/EAP state
machines to success when FILS authentication was already completed.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-04-16 01:53:21 +03:00
Andrei Otcheretianski
31cf52bf2e Do not clear FT IEs twice in sme_deinit()
Remove FT IEs clearing from sme_deinit() as it is done twice. The
sme_clear_on_disassoc() call to sme_update_ft_ies() takes care of this.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-04-16 00:48:27 +03:00
Andrei Otcheretianski
01ac337b32 Stop SA Query on disconnection
SA Query wasn't stopped after disconnection, which could potentially
result in an unexpected SA timeout firing later when already connected
to another AP. Fix that by stopping SA Query when an association is
terminated.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-04-16 00:48:27 +03:00
Jouni Malinen
7a206c504f Add debug print on stopping SA Query procedure
This makes it easier to debug SA Query behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-04-16 00:42:58 +03:00
Andrei Otcheretianski
710c692381 P2PS: Cleanup pending_p2ps_group flag
pending_p2ps_group flag is not always cleaned, which may later result
in an unexpected GO bring up, after PD response is transmitted in
wpas_prov_disc_resp_cb().
This can be seen when running the following hwsim tests together:
 - p2ps_channel_sta_connected_disallow_freq_mcc
 - p2ps_channel_active_go_and_station_different_mcc
Fix this by clearing pending_p2ps_group flag also when processing new
PD requests. In addition, set this flag only when really needed.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-04-16 00:19:03 +03:00
Jouni Malinen
984d5b7e1f mesh: Fix random llid generation in an error case
If os_get_random() fails, llid must not be read/used since it could be
uninitialized. Handle that special case by clearing llid explicitly to 0
to continue iteration.

Fixes: 5f92659d88 ("mesh: Add mesh peering manager")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-15 22:26:07 +03:00
Jouni Malinen
e6ac47b47d Fix debug print in GET_PREF_FREQ_LIST handler
Do not use the buf argument to wpas_ctrl_iface_get_pref_freq_list() in
the debug print since it points to the response buffer ("OK\n" without
null termination). This was supposed to print the cmd argument instead.
The previous version ended up using uninitialized heap memory from the
response buffer.

Fixes: 983422088f ("nl80211: Add means to query preferred channels")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-15 20:54:12 +03:00
Jouni Malinen
2e70e807c8 D-Bus: Fix P2P GroupStarted signal not to use uninitialized IP buffer
wpas_p2p_completed() used wpa_sm_get_p2p_ip_addr() return value properly
for filling in the ip_addr[] string only if the IP addresses got
assigned, but the raw ip[] array was passed to
wpas_dbus_signal_p2p_group_started() regardless of whether the IP
addresses were assigned. This could result in using uninitialized stack
memory for constructing the GroupStarted signal values. Fix this by
filling those in only if the IP addressed are actually available.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-15 20:27:52 +03:00
Avraham Stern
56ac1f9dfe RRM: Set last beacon report indication in the last element only
The last beacon report indication was set in all the beacon report
elements in the last frame of the beacon report, while it should be
set only in the last beacon report element of the last frame.

Fixes: ecef0687dc ("RRM: Support for Last Beacon Report Indication subelement")
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2019-04-13 11:51:05 +03:00
Ben Greear
6f484978fb Document BSS expiration configurables
Help the user be aware of the options to configure when
wpa_supplicant will remove a BSS due to expiration.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2019-04-13 11:41:51 +03:00
Jouni Malinen
dd1a8cef4c Remove unnecessary copying of SSID and BSSID for external_auth
The external authentication command and event does not need to copy the
BSSID/SSID values into struct external_auth since those values are used
before returning from the call. Simplify this by using const u8 * to
external data instead of the array with a copy of the external data.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-12 20:43:26 +03:00
Jouni Malinen
242e857285 Extend domain_match and domain_suffix_match to allow list of values
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-09 16:24:38 +03:00
Ilan Peer
0a42f1eded scan: Use normal scans after connection failure
In case of connection attempt failure, set 'normal_scans'
to zero, as otherwise it is possible that scheduled scan
would be used and not normal scan, which might delay the
next connection attempt.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-04-06 17:13:10 +03:00
Ilan Peer
0487967153 OWE: Fix a possible memory leak on error path
Properly handle the case where OWE IE is allocated, but
there is no space left to add it in the WPA IE buffer.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-04-06 17:02:13 +03:00
Peng Xu
edcaf16f9e P2P: Enable HE for both 2G and 5G bands
Previously HE was only enabled for a 2G P2P GO. This change enables HE
for both 2G and 5G P2P GO.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 20:59:48 +03:00
Ankita Bajaj
822c756e8c MBO: Update connect params with new MBO attributes to driver
MBO attributes Non-preferred channel list and Cellular capabilities are
updated using WNM-Notification Request frame to the current connected
BSS. These same attributes need to be added in the (Re)Association
Request frame sent by the station when roaming, including the case where
the driver/firmware takes care of SME/MLME operations during roaming, so
we need to update the MBO IE to the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 20:56:03 +03:00
Ankita Bajaj
74f8e768f2 MBO: Always include Non-preferred Channel Report attribute in AssocReq
Include the Non-preferred Channel Report attribute in (Re)Association
Request frames even when the MBO STA has no non-preferred channels in
any operating classes. In case of no non-preferred channels the
attribute length field shall be set to zero and the Operating Class,
Channel List, Preference and Reason Code fields shall not be included.
This indicates to the MBO AP that the MBO STA has no non-preferred
channels access all supported operating classes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-05 20:43:59 +03:00
Jouni Malinen
bd23daa8e6 DPP: Move GAS encapsulation into dpp_build_conf_req()
Avoid duplicated code in each user of dpp_build_conf_req() by moving the
common encapsulation case into this helper function.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-03 19:10:47 +03:00
Jouni Malinen
be609c6fc6 SAE: Fix commit message override with external authentication
Do not add duplicate Transaction Sequence and Status Code fields when
using test functionality to override SAE commit message.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-01 13:28:26 +03:00
Jouni Malinen
9af1eea37a Prefer FT-SAE over FT-PSK if both are enabled
FT-SAE is considered stronger than FT-PSK, so prefer it over FT-PSK
similarly to how SAE is preferred over WPA-PSK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-28 03:27:35 +02:00
Jouni Malinen
853bd19f22 Add more debug prints on suite selector selection
This makes it a bit easier to figure out why wpa_supplicant selects a
specific cipher/AKM for association.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-28 02:58:00 +02:00
Jouni Malinen
6d77014e71 Suite B: Prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192
If both of these AKMs are enabled in the wpa_supplicant network profile
and the target AP advertises support for both, prefer the FT version
over the non-FT version to allow FT to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-28 01:57:10 +02:00
Jouni Malinen
ab3aebcce5 SAE: Fix PMKSA cache entry search for FT-SAE case
Previously, PMKSA cache entries were search for AKM=SAE and that did not
find an entry that was created with FT-SAE when trying to use FT-SAE
again. That resulted in having to use full SAE authentication instead of
the faster PMKSA caching alternative.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-27 04:03:12 +02:00
vamsi krishna
bcf1900058 FT-SAE: Enable external auth support for FT-SAE also
Extend the external authentication support to FT-SAE mode connections
also in addition to SAE mode connections.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-27 03:18:13 +02:00
Jouni Malinen
76fd782abe SAE: Reorder SAE and FT-SAE AKM selection to prefer the FT option
If a network profile has both SAE and FT-SAE enabled, SAE was previously
picked (and used incorrectly as explained in the previous commit). This
is not ideal since use of FT protocol can speed up roaming within in
mobility domain. Reorder this checks so that FT-SAE is preferred over
SAE if both are enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-26 22:50:17 +02:00
Jouni Malinen
322d328e71 FT: Fix SAE + FT-SAE behavior in association parameter selection
Do not try to initialize FT reassociation if the selected AKM is for SAE
instead of FT-SAE when both of these are enabled in a network profile.
This fixes an issue with MDE being included in an (Re)Association
Request frame even when using a non-FT AKM (which is something that
results in hostapd rejecting the association).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-26 22:50:17 +02:00
Jouni Malinen
87d8435cf9 DPP: Common configurator/bootstrapping data management
Merge the practically copy-pasted implementations in wpa_supplicant and
hostapd into a single shared implementation in dpp.c for managing
configurator and boostrapping information. This avoid unnecessary code
duplication and provides a convenient location for adding new global DPP
data.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-24 17:29:45 +02:00
Jouni Malinen
10ec6a5f38 DPP2: PFS for PTK derivation
Use Diffie-Hellman key exchange to derivate additional material for
PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element
(defined in OWE RFC 8110) is used in association frames to exchange the
DH public keys. For backwards compatibility, ignore missing
request/response DH parameter and fall back to no PFS in such cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-18 18:32:31 +02:00
Jouni Malinen
18015fc8a4 DPP2: Support new legacy+DPP config object credentials
This allows devices supporting DPP protocol version 2 or newer to
provision networks that enable both the legacy (PSK/SAE) and DPP
credentials.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-16 18:52:06 +02:00
Jouni Malinen
dd6c598007 DPP: Support DPP and SAE in the same network profile
Make both DPP and SAE code aware of the cases where the same network
profile is configured to enable both DPP and SAE. Prefer DPP over SAE in
such cases and start DPP/SAE exchanges based on what both the station
and the AP support.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-16 17:29:59 +02:00
Jouni Malinen
9305c2332b DPP: Clean up configuration parsing
Share a single parsing implementation for both hostapd and
wpa_supplicant to avoid code duplication. In addition, clean up the
implementation to be more easily extensible.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-16 17:29:59 +02:00
Jouni Malinen
f5db775049 Remove pending connect and sme-connect radio works on disconnect
There was a race condition in a case where a new connection attempt was
scheduled as a pending radio work and that was followed by a DISCONNECT
command before the pending radio work is started. The pending radio work
would not have been deleted in that sequence and instead, it was
executed when the radio became available next. This could result in an
unexpected connection after an explicit request to disconnect.

Fix this by removing pending connect and sme-connect radio works on
disconnection request.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-15 13:03:31 +02:00
Jouni Malinen
67b3bcc954 DPP2: Testing option for Config Object rejction
Add a new testing option to force Enrollee to reject the receive Config
Object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-15 00:31:09 +02:00
Jouni Malinen
22f90b32f1 DPP2: Configuration Result message generation and processing
Use this new message from Enrollee to Configurator to indicate result of
the config object provisioning if both devices support protocol version
2 or newer.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-15 00:31:09 +02:00
Jouni Malinen
c98617b48d DPP2: Make DPP version number support available over control interface
"GET_CAPABILITY dpp" can now be used to determine which version number
of DPP is supported in the build.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-15 00:31:09 +02:00
Jayachandran Sreekumaran
2b7fa03559 P2P: Fix ACS offloading behavior with p2p_no_group_iface=1
wpa_s->p2p_go_do_acs was not cleared during P2P group deletion and that
resulted in the case of no separate group interface continuing to assume
ACS was to be used for consecutive GO starts even if they tried to
specify a frequency. Fix this by explicitly clearing
wpa_s->p2p_go_do_acs during P2P group deletion and also clear this when
processing the P2P_GROUP_ADD if the parameters do not request ACS to be
used.

Fixes: 37ed3254de ("P2P: ACS offload for the autonomous GO")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 13:22:40 +02:00
Jouni Malinen
ce7effd08f DPP2: Build configuration flags for DPP version 2 support
The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is
used to control whether new functionality defined after the DPP
specification v1.0 is included. All such functionality are considered
experimental and subject to change without notice and as such, not
suitable for production use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 12:00:09 +02:00
Jared Bents
841205a1ce OpenSSL: Add 'check_cert_subject' support for TLS server
This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.

This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).

Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.

Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-03-11 14:09:45 +02:00
Jouni Malinen
9571f945c6 mesh: Check that SAE state initialization succeeded for PMKID check
mesh_rsn_auth_sae_sta() might fail, so verify that sta->sae got
allocated before dereferencing it for a PMKID check.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-03-09 18:55:58 +02:00
Lubomir Rintel
fafad85274 defconfig: Enable DBus
Acquire the new name, along with introspection. This is generally useful
for other daemons to integrate with wpa_supplicant, notably
NetworkManager.

Debian and Fedora (and likely any other distro that configured wireless
via NetworkManager) enable this.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-03-09 18:35:49 +02:00
Lubomir Rintel
6a8dee76d4 wpa_supplicant: Drop the old D-Bus interface support
This drops support for the fi.epitest.hostap.WPASupplicant D-Bus name
along with the associated CONFIG_CTRL_IFACE_DBUS option. Nothing should
really be using this since 2010.

This is a just a straightforward removal. Perhaps the dbus_common.c and
dbus_new.c can be merged now. Also, the "_NEW" suffix of the config
option seems to make even less sense than it used to.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-03-09 18:33:26 +02:00
Jouni Malinen
954c535a50 DPP: Update wpa_supplicant configuration file after provisioning
WPS was already doing this if update_config=1 was set and DPP should be
consistent with that behavior. Update the configuration file if
update_config=1 and dpp_config_processing is set to 1 or 2.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-03-09 16:21:54 +02:00
Jouni Malinen
339dc8bd6b WPS: Allow SAE configuration to be added automatically for PSK
The new wpa_supplicant configuration parameter wps_cred_add_sae=1 can be
used to request wpa_supplicant to add SAE configuration whenever WPS is
used to provision WPA2-PSK credentials and the credential includes a
passphrase (instead of PSK). This can be used to enable WPA3-Personal
transition mode with both SAE and PSK enabled and also with PMF enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 21:52:49 +02:00
Jouni Malinen
fd83089120 SAE: Reuse previously generated PWE on a retry with the same AP
Do not start SAE authentication from scratch when the AP requests
anti-clogging token to be used. Instead, use the previously generated
PWE as-is if the retry is for the same AP and the same group. This saves
unnecessary processing on the station side in case the AP is under heavy
SAE authentiation load.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:07:11 +02:00
Jouni Malinen
a9fe13035e SAE: Enable only groups 19, 20, and 21 in station mode
Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP
Group) from the default SAE groups in station mode since those groups
are not as strong as the mandatory group 19 (NIST P-256).

In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 17:23:58 +02:00
Lubomir Rintel
611308365e defconfig: Enable IEEE 802.11w management frame protection (wpa_supplicant)
NetworkManager can use these if available and the distros generally
enable this already.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
9515fa9250 defconfig: enable IEEE 802.11r fast BSS transition (wpa_supplicant)
Generally useful. Linux distros already enable these, upcoming
NetworkManager will support it too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
6b7a0da75b defconfig: Enable IEEE 802.11n and 802.11ac (wpa_supplicant)
I guess there's no reason anyone with capable hardware wouldn't want to
enable these. Debian and Fedora aleady do.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
467004d632 defconfig: Enable Hotspot 2.0 (wpa_supplicant)
Generally useful, Debian enables this. Other distros should too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
ec52faa2b2 defconfig: Enable RSN on IBSS networks (wpa_supplicant)
Fedora and Debian enable this. NetworkManager actually rejects such
configurations citing kernel bugs, but that actually might not be the
right thing to do anymore.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Jouni Malinen
67d99d2e07 defconfig: Remove obsolete notes about OpenSSL requirements for EAP-FAST
OpenSSL 0.9.8 reached its end-of-life long time ago, so remove these old
notes about need of a newer OpenSSL version for EAP-FAST since all
current OpenSSL versions include the needed functionality.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
eafc5fec22 defconfig: Enable a handful of EAP methods (wpa_supplicant)
Fedora uses AKA, FAST, GPSK_SHA256, GPSK, IKEV2, PAX, SAKE and TNC. I
don't know why these in particular. AKA wouldn't work, because
CONFIG_PCSC is off anyways; let's enable all the other ones, and also
PWD (openSUSE enabled it because users demanded it).

Debian enables all of the above uses, but also PWD, AKA_PRIME, SIM, PSK
and EKE.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
f64050da02 defconfig: Enable logging to file and syslog (wpa_supplicant)
Debian and Fedora enable both and log to syslog. openSUSE seems to log
to a flat file instead.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
ae5240db86 defconfig: Enable simple bgscan module (wpa_supplicant)
Generally useful. Linux distros enable this and also utilize it via
NetworkManager.

Debian also enables the learn module. I'm leaving it off as it's marked
experimental.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
2d6d47219e defconfig: Enable AP (wpa_supplicant)
Generally useful. Debian and Fedora enable this and support creating
access points via NetworkManager too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
f87450a73f defconfig: Enable WPS (wpa_supplicant)
WPS is generally useful with consumer hardware, and exposed to desktop
users via NetworkManager.

The Linux distros, including Debian, Fedora, and openSUSE enable it.
Debian also enables external registar support and NFC.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Jouni Malinen
d989e67d07 defconfig: Fix typos in Wi-Fi Display description
These were supposed to be talking about Wi-Fi Display, not Wi-Fi Direct.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00