Commit graph

4027 commits

Author SHA1 Message Date
Jouni Malinen
d3c43e5855 privsep: Fix scan result fetching with Beacon frame IEs
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which
resulted in invalid scan data being accepted in driver_privsep.c. Add
support for res->beacon_ie_len and also fix the validation step to take
this new variable length field into account.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:02:49 +02:00
Jouni Malinen
0771e912ae wpa_priv: Document reduced functionality
wpa_priv has never really been fully up-to-date with the wpa_supplicant
driver interface extensions. This does not seem like something that
would change in the future either, so document this reduced
functionality as a potential drawback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:49:37 +02:00
Jouni Malinen
6d97561dcd wpa_priv: Handler driver global_deinit() on termination path
This avoids a theoretical resource leak on exit path if wpa_priv is
killed while there is a wpa_supplicant process using it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00
Jouni Malinen
ce0f899a3d wpa_priv: Explicitly clear padding in message structures
This avoids some valgrind warnings about use of uninitialized memory in
cases where a struct may have padding octets between the fields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00
Jouni Malinen
e0641772a3 wpa_priv: Use fromlen instead sizeof(struct sockaddr_un)
This gets rid of some dependencies on how extra octets at the end of the
struct sockaddr_un get "uninitialized" consistently by only using the
exact length of the address data from the recvfrom() call. This resolves
number of valgrind warnings about use of uninitialized memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:28:18 +02:00
Jouni Malinen
128d3c69fc wpa_priv: Add support for multiple l2_packet connections
This is needed to be able to work with many wpa_supplicant use cases,
e.g., due to use of TDLS or RSN pre-authentication needing a separate
l2_packet socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 11:37:41 +02:00
Sabrina Dubroca
ba5ea11687 mka: Remove references to macsec_qca from wpa_supplicant.conf
Make the documentation generic, as this is no longer the only macsec
driver.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-30 20:08:39 +02:00
Sunil Dutt
bf88401d23 Add support to abort vendor scan
This commit enhances the existing implementation of abort scan to also
abort concurrent active vendor scans. This is achieved by passing the
the scan_cookie to the driver interface with the intention to abort
the specific scan request. This scan_cookie is returned from the driver
interface when the scan request is scheduled.

This scan_cookie is 0 if the scan is triggered through the upstream
cfg80211 interface. Thus, the scan_cookie is used to determine whether
to abort the cfg80211 or vendor scan request.

Also, the previous implementation of relying on scan_work/p2p_scan_work
for the active work to trigger the abort scan is enhanced to check for
the started state of either of these work operations. This should also
help to abort the concurrent active scan/p2p-scan operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-30 19:33:43 +02:00
Sunil Dutt
eeb34a432e nl80211: Enhance abort scan to also abort the vendor scan
This commit enhances the abort scan implementation to also abort the
vendor scan, if one was used to trigger the scan.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-30 19:33:39 +02:00
Srinivas Dasari
346b333d9a Use random MAC address for scanning only in non-connected state
cfg80211 rejects the scans issued with random MAC address if the STA is
in connected state. This resulted in failures when using MAC_RAND_SCAN
while connected (CTRL-EVENT-SCAN-FAILED ret=-95). Enable random MAC
address functionality only if the STA is not in connected state to avoid
this. The real MAC address of the STA is already revealed in the
association, so this is an acceptable fallback mechanism for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-25 22:52:39 +02:00
Nishant Chaprana
18f1611797 D-Bus: Send P2P IP address assignment info with GroupStarted event
This commit adds IP address information into GroupStarted event on the
P2P client side like it is sent over the control interface.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-11-21 14:45:13 +02:00
Nishant Chaprana
046fa6fd11 D-Bus: Add getter and setter for P2P IP address config parameters
This patch adds setter and getter for P2P IP address config parameters:
1. ip_addr_go
2. ip_addr_mask
3. ip_addr_start
4. ip_addr_end

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-11-20 12:41:39 +02:00
Sabrina Dubroca
e0d9fd344d wpa_supplicant: Allow configuring the MACsec port for MKA
Previously, wpa_supplicant only supported hardcoded port == 1 in the
SCI, but users may want to choose a different port.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:31 +02:00
Sabrina Dubroca
1d3d0666a6 mka: Add enable_encrypt op and call it from CP state machine
This allows MKA to turn encryption on/off down to the driver.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:23 +02:00
Sabrina Dubroca
7b4d546e3d wpa_supplicant: Add macsec_integ_only setting for MKA
So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:16 +02:00
Sabrina Dubroca
ad51731abf wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA
This enables configuring key_mgmt=NONE + mka_ckn + mka_cak.
This allows wpa_supplicant to work in a peer-to-peer mode, where peers
are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers
can act as key server to distribute keys for the MACsec instances.

This is what some MACsec switches support, and even without HW
support, it's a convenient way to setup a network.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:08 +02:00
Kenny Root
88f93c30ec Android: Remove BoringSSL guard
BoringSSL is the only supported version of SSL, so remove this guard so
we can continue to compile when the flavor.mk is removed.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-11-19 17:43:03 +02:00
Jouni Malinen
e65a87b399 Debug print scan results matching the currently selected network
This provides more details on BSS selection process in the debug log.
Previously, the BSSs that were not either the current or the selected
one were not necessarily printed at all. Now all BSSs that match the
currently selected network are listed with their frequency and signal
strength details.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-11-13 18:22:38 +02:00
Jouni Malinen
8d1e693186 Use estimated throughput to avoid signal based roaming decision
Previously, the estimated throughput was used to enable roaming to a
better AP. However, this information was not used when considering a
roam to an AP that has better signal strength, but smaller estimated
throughput. This could result in allowing roaming from 5 GHz band to 2.4
GHz band in cases where 2.4 GHz band has significantly higher signal
strength, but still a lower throughput estimate.

Make this less likely to happen by increasing/reducing the minimum
required signal strength difference based on the estimated throughputs
of the current and selected AP. In addition, add more details about the
selection process to the debug log to make it easier to determine whaty
happened and why.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-11-13 17:52:32 +02:00
Ilan Peer
4ec1fd8e42 FT: Differentiate between FT for station and for AP in build
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.

Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 22:14:54 +03:00
Avrahams Stern
c433c50c9c wpa_supplicant: Make CONFIG_MBO independent of CONFIG_AP
CONFIG_MBO was defined inside ifdef CONFIG_AP, so when AP support
was not compiled, MBO was not compiled either. However, CONFIG_MBO
is not related AP support, so it should not depend on CONFIG_AP.

Fix this by moving CONFIG_MBO outside of ifdef CONFIG_AP.

Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
2016-10-29 19:31:38 +03:00
Eliad Peller
d044d2f7d8 wpa_supplicant: Get scan_result IE also from Beacon frames
No reason to require ie_len if only beacon_ie_len is given.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2016-10-29 19:28:37 +03:00
Sabrina Dubroca
23c3528a84 mka: Add support for removing SAs
So that the core can notify drivers that need to perform some operations
when an SA is deleted.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-10-29 11:35:38 +03:00
Sabrina Dubroca
6f551abdfc mka: Remove "channel" hacks from the stack and the macsec_qca driver
This is specific to the macsec_qca driver. The core implementation
shouldn't care about this, and only deal with the complete secure
channel, and pass this down to the driver.

Drivers that have such limitations should take care of these in their
->create functions and throw an error.

Since the core MKA no longer saves the channel number, the macsec_qca
driver must be able to recover it. Add a map (which is just an array
since it's quite short) to match SCIs to channel numbers, and lookup
functions that will be called in every place where functions would get
the channel from the core code. Getting an available channel should be
part of channel creation, instead of being a preparation step.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-10-29 11:24:08 +03:00
Avrahams Stern
847ee1aac3 wpa_supplicant: Use correct interface type when creating P2P interface
When starting ASP provisioning with connection capability set to NEW,
don't create the pending P2P interface as a GO interface because
Go negotiation will determine which side will be the GO and it is
possible that eventually this interface will become the client.
In this case, when the P2P client is started it will start scanning
and do other station specific operations while the interface type
is AP.

Instead, use type WPA_IF_P2P_GROUP when creating the interface which
means the interface type will be determined later.

Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
2016-10-29 00:55:49 +03:00
Jouni Malinen
913c3e1e83 Add CONFIG_IBSS_RSN=y into wpa_supplicant defconfig
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-28 19:39:13 +03:00
Jouni Malinen
81a10a9442 Do not try to start/join RSN IBSS without CONFIG_IBSS_RSN=y
Previously, a build without IBSS RSN support tried to start/join an IBSS
even if the profile was configured with RSN parameters. This does not
work and resulted in quite confusing debug log. Make this clearer by
explicitly checking for this case and reject the connection attempt with
a clearer debug log entry instead of trying something that is known to
fail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-28 19:33:20 +03:00
Sunil Dutt
2e4e4fb71c nl80211: Allow TDLS trigger modes to be configured to the host driver
This commit adds a control interface command to configure the TDLS
trigger mode to the host driver. This TDLS mode is configured through
the "SET tdls_trigger_control" control interface command.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-27 23:22:33 +03:00
Jouni Malinen
061dac1d3c FILS: Claim FILS capability only if driver supports it
"GET_CAPABILITY fils" used to return "FILS" based on wpa_supplicant
configuration. This can be made more useful by checking both for
wpa_supplicant and driver support for FILS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:41:04 +03:00
Jouni Malinen
706df4291b FILS: Association Response processing (STA)
Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and
configure keys to the driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:20:04 +03:00
Jouni Malinen
86cd6928e0 FILS: Add elements to FILS Association Request frame
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-25 20:01:06 +03:00
Sunil Dutt
783c2920cc P2P: Check if the pref_freq reported by the driver supports P2P
Filter out get_pref_freq_list() (i.e.,
QCA_NL80211_VENDOR_SUBCMD_GET_PREFERRED_FREQ_LIST) output in case of
channel negotiation by removing channels that do not allow P2P operation
at all. Previously, only the explicitly disallowed channels were removed
and that could have resulted in selecting an operating channel that is
not allowed for P2P and failing to complete the operation to start the
group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-24 18:37:27 +03:00
Jouni Malinen
a660993772 FILS: Authentication frame processing (STA)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:28:36 +03:00
Jouni Malinen
c1bd4bac5f FILS: Extend wpa_auth_pmksa_get() to support PMKID matching
This is needed for FILS processing to enable PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
f00b9b8864 FILS: Try to use FILS authentication if PMKSA or ERP entry is available
If a PMKSA cache entry for the target AP is available, try to use FILS
with PMKSA caching.

If an ERP key for the target AP is available, try to use FILS with
EAP-Initiate/Re-auth added as Wrapper Data element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
2c2c557917 SME: Clear possibly used WPA/RSN IE for new connection
This was already done in the case SME in the driver is used, but the SME
code path was resetting the local WPA/RSN IE only for association. While
that was fine for existing use cases, FILS needs a new RSN IE to be set
for PMKSA caching case in Authentication frames, so clear the local IE
before starting new authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 22:55:27 +03:00
Jouni Malinen
ce16c489d8 Rename sae_data to more generic auth_data
This makes it cleaner for the FILS implementation to use the same design
for setting Authentication frame elements as was already done with SAE.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 17:51:43 +03:00
Jouni Malinen
a2675b3232 wpa_cli: Mark number of char *cmd constant
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-10-16 12:30:32 +03:00
Mikael Kanstrup
c43cf332c0 wpa_cli: Add completion for ssid config commands
Add network id command completion support for identity, password,
new_password, pin, otp, passphrase, sim and bssid commands.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:29:39 +03:00
Mikael Kanstrup
624259d4b7 wpa_cli: Add completion for sta, deauthenticate and disassociate
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:28:42 +03:00
Mikael Kanstrup
4c43f44b29 cli: Add list_sta command
Add list_sta command to print addresses of all stations. Command
added to both wpa_cli and hostapd_cli.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-10-16 12:28:02 +03:00
Benjamin Richter
5d30f927ea wpa_supplicant: Restore permanent MAC address on reassociation
With mac_addr=0 and preassoc_mac_addr=1, the permanent MAC address
should be restored for association. Previously this did not happen when
reassociating to the same ESS.

Signed-off-by: Benjamin Richter <br@waldteufel.eu>
2016-10-16 11:44:34 +03:00
Avraham Stern
e3e2fe3a42 Always propagate scan results to all interfaces
Scan results were not propagated to all interfaces if scan results
started a new operation, in order to prevent concurrent operations. But
this can cause other interfaces to trigger a new scan when scan results
are already available. Instead, always notify other interfaces of the
scan results, but note that new operations are not allowed.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2016-10-15 19:13:30 +03:00
Joel Cunningham
33111c910b Check for NULL qsort() base pointers
There are a couple of places in wpa_supplicant/hostapd where qsort() can
be called with a NULL base pointer. This results in undefined behavior
according to the C standard and with some standard C libraries (ARM RVCT
2.2) results in a data abort/memory exception. Fix this by skipping such
calls since there is nothing needing to be sorted.

Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
2016-10-15 18:58:27 +03:00
Jouni Malinen
4b5b8a53a1 WPS: Force BSSID for WPS provisioning step connection
This was already done for most driver cases, but it is possible that the
BSSID/frequency is not forced if the driver reports BSS selection
capability (e.g., NL80211_ATTR_ROAM_SUPPORT). That could potentially
result in the driver ignoring the BSSID/frequency hint and associating
with another (incorrect) AP for the WPS provisioning step if that
another AP in the same ESS is more preferred (e.g., better signal
strength) by the driver and only one of the APs (the not preferred one)
is in active WPS registrar state.

While most drivers follow the BSSID hint for the initial connection to
an ESS, not doing it here for the WPS provisioning would break the
protocol. Fix this by enforcing a single BSSID/frequency to disallow the
driver from selecting an incorrect AP for the WPS provisioning
association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-11 00:25:20 +03:00
Jouni Malinen
2022f1d08d FILS: Use AEAD cipher to protect EAPOL-Key frames (STA)
This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS
AKMs) to provide both integrity protection for the EAPOL-Key frame and
encryption for the Key Data field. It should be noted that this starts
encrypting the Key Data field in EAPOL-Key message 2/4 while it remains
unencrypted (but integrity protected) in non-FILS cases. Similarly, the
empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD
cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
b8ae56e4d0 FILS: Allow wpa_supplicant to select FILS AKM for connection
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
7147a834df FILS: Add FILS flags into wpa_supplicant BSS command output
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
379e2b4d04 FILS: Add 'GET_CAPABILITY fils' for runtime check
This can be used to check whether the running wpa_supplicant version was
built with CONFIG_FILS=y.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
e4d2ce1b52 FILS: Set FILS Capability bit in management frames from station
If FILS is supported, indicate that in Probe Request and (Re)Association
Request frames in the Extended Capabilities element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00