pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Add support for IMSI privacy in the EAP-SIM/AKA peer implementation. If
the new wpa_supplicant network configuration parameter imsi_privacy_key
is used to specify an RSA public key in a form of a PEM encoded X.509v3
certificate, that key will be used to encrypt the permanent identity
(IMSI) in the transmitted EAP messages.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The DH file parameters are applicable only for the TLS server, so this
parameter did not really have any impact to functionality. Remove it to
get rid of useless code and confusing documentation for the network
block configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow macsec_csindex to be configured and select the cipher suite when
the participant acts as a key server.
Signed-off-by: leiwei <quic_leiwei@quicinc.com>
Allow mesh_fwding (dot11MeshForwarding) to be specified in a mesh BSS
config, pass that to the driver (only nl80211 implemented for now) and
announce forwarding capability accordingly.
Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add the support of engine, engine_id, ca_cert_id, cert_id, and key_id
parameters to credential blocks for Hotspot 2.0.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
Align the process logic for ap_vendor_elements and ap_assocresp_elements
parsing by using the wpabuf_parse_bin() helper function in both.
Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
Allow sae_pwe parameter to be configured per-network and enforce the
SAE hash-to-element mechanism for the P2P GO if it is started on
a 6 GHz channel.
Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
Support adding/deleting vendor elements dynamically for AP mode while it
is started by wpa_supplicant instead of hostapd which already supported
this. This adds ap_assocresp_elements global parameter and UPDATE_BEACON
control interface command to take the changed values into effect.
Usage in wpa_cli:
Add vendor IE for (Re)Association Response frames
> set ap_assocresp_elements=xxxx
Add vendor IE for Beacon/Probe Response frames
> set ap_vendor_elements=xxxx
Delete vendor IE from (Re)Association Response frames
> set ap_assocresp_elements
Delete vendor IE from Beacon/Probe Response frames
> set ap_vendor_elements
To make vendor IE changes take effect
> update_beacon
Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
For testing purposes, add support for corrupting the MIC in PASN
Authentication frames for both wpa_supplicant and hostapd.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Rename the network profile parameters bssid_blacklist and
bssid_whitelist to bssid_ignore and bssid_accept to use more specific
names for the configuration of which BSSs are ignored/accepted during
BSS selection. The old parameter names are maintained as aliases for the
new names to avoid breaking compatibility with previously used
configurations.
Signed-off-by: Jouni Malinen <j@w1.fi>
For Android the default value of 5 seconds is usually too short for
scan results from last scan initiated from settings app to be
considered for fast-associate. Make the fast-associate timer value
configurable so that a suitable value can be set based on a systems
regular scan interval.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
Extend the wpa_pmk_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.
Update the wpa_supplicant and hostapd configuration and the
corresponding WPA and WPA Auth state machine, to allow enabling of KDK
derivation. For now, use a testing parameter to control whether KDK is
derived.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Commit 02c21c02d0 ("wpa_supplicant: Do not disconnect on deinit if
WoWLAN is enabled") prevents the disconnection on deinit if the driver
indicates that WoWLAN is enabled. This is not the expected behavior in
some earlier use cases where the wpa_supplicant process is left running
when going to sleep and killing of the wpa_supplicant process is used
only when there is an expectation of Wi-Fi connection being disabled.
To support the use cases which require the WLAN to disconnect on deinit
even if WoWLAN is enabled, introduce a configuration parameter
wowlan_disconnect_on_deinit. This is set to 0 by default thereby not
impacting the functionality in the above mentioned commit. Setting it to
1 restores the old behavior before the commit identified above.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add initial_freq_list to wpa_supplicant configuration. This option
allows wpa_supplicant to scan a smaller list of frequencies when it
starts. This in turn allows for a faster connection to an already known
network. This limit applies only for the initial scan operation and does
not restrict other channels from being used in consecutive scans.
Tests have shown this to reduce the amount of time for connecting to a
network from roughly 3 seconds to roughly 0.1 second.
Signed-off-by: Frederik Juul <frederik.juul@3shape.com>
pos can't be NULL in wpa_global_config_parse_str(), so there is no point
checking this, especially when pos was already dereferenced earlier.
Remove the redundant conditions.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Enable VHT and HE as default config parameters in order for
wpa_supplicant AP mode to use it, if hw support is given.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Store the received privacy protection key from Connector into
wpa_supplicant network profile and indicate it through the control
interface similarly to C-sign-key.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the stored configurations for an SSID have changed, we can no longer
trust the current blacklist state of that SSID, since the updated
configs could change the behavior of the network. E.g., the BSS could be
blacklisted due to a bad password, and the config could be updated to
store the correct password. In this case, keeping the BSS in the
blacklist will prevent the user from connecting to the BSS after the
correct password has been updated.
Add the value was_changed_recently to the wpa_ssid struct. Update this
value every time a config is changed through wpa_set_config(). Check
this value in wpa_blacklist_get() to clear the blacklist whenever the
configs of current_ssid have changed.
This solution was chosen over simply clearing the blacklist whenever
configs change because the user should be able to change configs on an
inactive SSID without affecting the blacklist for the currently active
SSID. This way, the blacklist won't be cleared until the user attempts
to connect to the inactive network again. Furthermore, the blacklist is
stored per-BSSID while configs are stored per-SSID, so we don't have the
option to just clear out certain blacklist entries that would be
affected by the configs.
Finally, the function wpa_supplicant_reload_configuration() causes the
configs to be reloaded from scratch, so after a call to this function
all bets are off as to the relevance of our current blacklist state.
Thus, we clear the entire blacklist within this function.
Signed-off-by: Kevin Lund <kglund@google.com>
Signed-off-by: Brian Norris <briannorris@chromium.org>
commit f4e3860f ("Fix AP mode default TXOP Limit values for AC_VI
and AC_VO") corrects the default values of txop_limit from 93/46
to 94/47 for AP. STA would also need the same change.
Signed-off-by: Yogesh Kulkarni <yogesh.kulkarni@nxp.com>
Signed-off-by: Cathy Luo <xiaohua.luo@nxp.com>
Signed-off-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
Teach wpa_supplicant to {de,}initialize bgscans when bgscan parameters
are set after initial connection.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Currently, wpa_config_set(), the function that sets wpa_supplicant
per-network properties, returns 1 when a property it attempts to set is
unchanged. Its global parallel, wpa_config_process_global(), doesn't do
this even though much of the code is very similar. Change this, and
several of the parser functions, to resemble the per-network parser and
setter functions.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Add a new configuration parameter p2p_6ghz_disable=1 to disable P2P
operation in the 6 GHz band. This avoids additional delays caused by
scanning 6 GHz channels in p2p_find and p2p_join operations in the cases
where user doesn't want P2P connection in the 6 GHz band.
Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
Allow user to configure the TX queue parameters through the
wpa_supplicant configuration file similarly to the way these can be set
in hostapd.
Parse the tx_queue_* parameters in the wpa_supplicant configuration file
and update the TX queue configuration to the AP/P2P GO interface in the
function wpa_supplicant_create_ap().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This replaces the previously used sae_pk_only configuration parameter
with a more generic sae_pk that can be used to specify how SAE-PK is
negotiated. The default behavior (sae_pk=0) is to automatically
negotiate SAE-PK whenever the AP supports it and the password is in
appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2
disables SAE-PK completely.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new wpa_supplicant network profile parameter sae_pk_only=1 can now
be used to disable use of SAE authentication without SAE-PK.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add HE override support under the build parameter CONFIG_HE_OVERRIDES=y.
The disable_he=1 network profile parameter can be used to disable HE.
This requires a fallback to VHT on the 5 GHz band and to HT on the 2.4
GHz band.
There is no nl80211 support for configuring the driver to disable HE, so
for now, this applies only to IBSS and mesh cases.
Signed-off-by: P Praneesh <ppranees@codeaurora.org>
The new wpa_supplicant network profile parameter dpp_pfs can be used to
specify how PFS is applied to associations. The default behavior
(dpp_pfs=0) remains same as it was previously, i.e., try to use PFS if
the AP supports it. PFS use can now be required (dpp_pfs=1) or disabled
(dpp_pfs=2).
This is also working around an interoperability issue of DPP R2 STA with
certain hostapd builds that included both OWE and DPP functionality.
That issue was introduced by commit 09368515d1 ("OWE: Process
Diffie-Hellman Parameter element in AP mode") and removed by commit
16a4e931f0 ("OWE: Allow Diffie-Hellman Parameter element to be
included with DPP"). hostapd builds between those two commits would
reject DPP association attempt with PFS. The new wpa_supplicant default
(dpp_pfs=0) behavior is to automatically try to connect again with PFS
disabled if that happens.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow AP mode network profile in wpa_supplicant to be configured to
advertise Transition Disable DKE.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Support Extended Key ID in wpa_supplicant according to
IEEE Std 802.11-2016 for infrastructure (AP) associations.
Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing STAs to also connect to APs not supporting it.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
While int and unsigned int are not going overflow in practice as 32-bit
values, these could at least in theory hit an integer overflow with
16-bit int. Use size_t to avoid such potential issue cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Add a new wpa_supplicant network profile configuration parameter
beacon_prot=<0/1> to allow Beacon protection to be enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Initial OWE implementation used SHA256 when deriving the PTK for all OWE
groups. This was supposed to change to SHA384 for group 20 and SHA512
for group 21. The new owe_ptk_workaround=1 network parameter can be used
to enable older behavior mainly for testing purposes. There is no impact
to group 19 behavior, but if enabled, this will make group 20 and 21
cases use SHA256-based PTK derivation which will not work with the
updated OWE implementation on the AP side.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows a P2P connection over P802.11ay EDMG channels to achieve the
highest link speed that the standard allows for channel bonding (CB) up
to CB4.
Let each P2P peer add its EDMG channels to the Supported Channels IE
advertised in P2P GO negotiation. Give EDMG channels priority when peers
negotiate for operating channel.
User may add 'edmg' parameter to p2p_connect, p2p_add_group, and
p2p_invite commands to prefer an EDMG channel for the P2P link. User may
also set p2p_go_edmg=1 in wpa_supplicant configuration file to prefer
EDMG.
When EDMG is used, P2P will try to find the highest channel bonding
supported channel that matches the frequency parameter, if the devices
do not support EDMG, the P2P connection will use a legacy (1-6) 60 GHz
channel.
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
This parameter can be used to specify which PWE derivation mechanism(s)
is enabled. This commit is only introducing the new parameter; actual
use of it will be address in separate commits.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add two new configuration parameters for wpa_supplicant:
enable_edmg: Enable EDMG capability for STA/AP mode
edmg_channel: Configure channel bonding. In AP mode it defines the EDMG
channel to start the AP on. In STA mode it defines the EDMG channel to
use for connection.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The config file parser previously would fall through into an error if
CONFIG_AP is defined and it hit a wmm_ac_* rule with a valid value. Add
a return to prevent incorrectly printing an error message and returning
a non-zero exit code.
Signed-off-by: Sujay Patwardhan <sujay@eero.com>
The previous support in the 60 GHz band was for channels 1-4.
Add support for channels 5 and 6.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is
an explicit request for machine credentials. The network profile
parameters are otherwise same as the Phase 1 parameters, but each one
uses a "machine_" prefix for the parameter name.
Signed-off-by: Jouni Malinen <j@w1.fi>
OCSP configuration is applicable to each instance of TLS-based
authentication and as such, the configuration might need to be different
for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and
add a separate ocsp2 network profile parameter to set this for Phase 2.
Signed-off-by: Jouni Malinen <j@w1.fi>
These parameters for certificate authentication are identical for the
Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel).
Furthermore, yet another copy would be needed to support separate
machine credential in Phase 2. Clean this up by moving the shared
parameters into a separate data struct that can then be used for each
need without having to define separate struct members for each use.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is an initial step in adding support for configuring separate user
and machine credentials. The new wpa_supplicant network profile
parameters machine_identity and machine_password are similar to the
existing identity and password, but explicitly assigned for the purpose
of machine authentication.
This commit alone does not change actual EAP peer method behavior as
separate commits are needed to determine when there is an explicit
request for machine authentication. Furthermore, this is only addressing
the username/password credential type, i.e., additional changes
following this design approach will be needed for certificate
credentials.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but
it is not disallowed either, so it is useful to have an option to
identify the derived PMKSA in the immediately following Association
Request frames. This is disabled by default (i.e., no change to previous
behavior) and can be enabled with a global wpa_supplicant configuration
parameter sae_pmkid_in_assoc=1.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support to disable/enable BTM support using configuration and
wpa_cli command. This is useful mainly for testing purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>