This allows the internal TLS client implementation to accept
CertificateStatus message from the server when trying to use OCSP
stapling. The actual OCSPResponse is not yet processed in this commit,
but the CertificateStatus message is accepted to allow the TLS handshake
to continue.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
There was only a single file remaining in this directory. All the other
old test functionality has been moved under the top level tests
directory. Move the remaining file to the wpa_supplicant directory to
get rid of the subdirectory.
Signed-off-by: Jouni Malinen <j@w1.fi>
The old wpa_supplicant/Makefile target test-eap_sim_common did not work
anymore and anyway, this test is better placed in the newer hwsim
framework to make sure the test case gets executed automatically.
Signed-off-by: Jouni Malinen <j@w1.fi>
These wpa_supplicant test programs have not been maintained for years
and it would take significant effort to get these into working state.
Since there does not seem to be any real need for these based on lack of
maintenance, it is easier to just drop these tools for now.
Signed-off-by: Jouni Malinen <j@w1.fi>
Number of places were calling functions that are not included in
CONFIG_NO_WPA=y build anymore. Comment out such calls. In addition, pull
in SHA1 and MD5 for config_internal.c, if needed.
Signed-off-by: Jouni Malinen <j@w1.fi>
libwpa_test1 and libwpa_test2 targets can now be used to check
libwpa_client linking for static and shared library cases respectively.
Signed-off-by: Jouni Malinen <j@w1.fi>
Building libwpa_client requires src/utils/common.c for bin_clear_free()
else loading the library fails with:
Error relocating /usr/lib/libwpa_client.so: bin_clear_free: symbol not found
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.
Signed-off-by: Jouni Malinen <j@w1.fi>
Linux packet socket workaround(*) has an impact in performance when the
workaround socket needs to be kept open to receive EAPOL frames. While
this is normally avoided with a kernel that has the issue addressed by
closing the workaround packet socket when detecting a frame through the
main socket, it is possible for that mechanism to not be sufficient,
e.g., when an open network connection (no EAPOL frames) is used.
Add a build option (CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y) to disable the
workaround. This build option is disabled by default and can be enabled
explicitly on distributions which have an older kernel or a fix for the
kernel regression.
Also remove the unused variable num_rx.
(*) Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596
('bridge: respect RFC2863 operational state') from 2012 introduced a
regression for using wpa_supplicant with EAPOL frames and a station
interface in a bridge.
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
If hostapd or wpa_supplicant is built from a git repository, add a
VERSION_STR postfix from the current git branch state. This is from "git
describe --dirty=+". VERSION_STR will thus look something like
"2.6-devel-hostap_2_5-132-g4363c0d+" for development builds from a
modified repository.
This behavior is enabled automatically if a build within git repository
is detected (based on ../.git existing). This can be disabled with
CONFIG_NO_GITVER=y in wpa_supplicant/.config and hostapd/.config.
Signed-off-by: Jouni Malinen <j@w1.fi>
The readline library depends on ncurses, so it should be set before
ncurses on the linker command line to be able to be statically linked
successfully.
Signed-off-by: David du Colombier <0intro@gmail.com>
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.
This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are
unfortunately not available in FIPS mode. Trying to use them results in
"aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API
call to cipher AES forbidden in FIPS mode!" and process termination.
Work around this by reverting commit
f19c907822 ('OpenSSL: Implement aes_wrap()
and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this
ends up using the internal AES key wrap/unwrap implementation through
the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y
is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues
to be used to minimize code size.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed when enabling TLSv1.2 support for EAP-FAST since the
SSL_export_keying_material() call does not support the needed parameters
for TLS PRF and the external-to-OpenSSL PRF needs to be used instead.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support to compile libwpa_client.so. This can be used by external
programs to interact with the wpa_supplicant control interface. Also
rename the static version of this library to libwpa_client.a to be
consistent with the name used previous in Android builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit e9af53ad39 introduced new
CONFIG_NO_ROAMING configuration parameter but unfortunately it was added
only to Android.mk. Enabling this parameter didn't have any effect when
Makefile was used to build wpa_supplicant. This commit fixes that problem
and cleans "unused variable" compiler warning.
Signed-off-by: Lauri Hintsala <lauri.hintsala@silabs.com>
This replaces the internal CBC mode implementation in
aes_128_cbc_encrypt() and aes_128_cbc_decrypt() with the OpenSSL
implementation for CONFIG_TLS=openssl builds.
Signed-off-by: Jouni Malinen <j@w1.fi>
SChannel/CryptoAPI as a TLS/crypto library alternative was never
completed. Critical functionality is missing and there are bugs in this
implementation. Since there are no known plans of completing this
support, it is better to remove this code.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/p2p_supplicant.c has reached almost 10000 lines in length
and was getting a bit inconvenient to edit, so start splitting it into
separate files.
Signed-off-by: Jouni Malinen <j@w1.fi>
"make -C wpa_supplicant libwpa_ctrl.a" can now be used to build a static
library that can be linked with external programs using wpa_ctrl.h. This
makes it easier to create a separate library package that does not
depend in any other hostap.git file other than src/common/wpa_ctrl.h and
the libwpa_ctrl.a built with this new make target.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some packages don't install its headers in the default directory
(e.g.: In Arch Linux libiberty and libn13 includes are installed)
in their own subdirectory under /usr/include) and the build fails
trying to find the headers.
This patch will allow passing extra CFLAGS values without discarding
the assignments made in the Makefile. The CFLAGS values in the Makefile
are ignored, if defined directly in the make command line.
Signed-off-by: Roger Zanoni <roger.zanoni@openbossa.org>
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use OpenSSL HMAC_* functions to implement HMAC-MD5 instead of depending
on the src/crypto/md5.c implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.
Signed-off-by: Jouni Malinen <j@w1.fi>
This moves the AES-SIV test case from tests/test-aes.c to be part of
wpa_supplicant module testing framework with a new
src/crypto/crypto_module_tests.c component. In addition, the second test
vector from RFC 5297 is also included for additional coverage.
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant
network configuration parameter erp=1 can now be used to configure the
EAP peer to derive EMSK, rRK, and rIK at the successful completion of an
EAP authentication method. This functionality is not included in the
default build and can be enabled with CONFIG_ERP=y.
If EAP authenticator indicates support for re-authentication protocol,
initiate this with EAP-Initiate/Re-auth and complete protocol when
receiving EAP-Finish/Re-auth.
Signed-off-by: Jouni Malinen <j@w1.fi>
Initialize WMM AC data structures upon successful association
with an AP that publishes WMM support, and deinitialize the data
structure when the association is no longer valid.
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
The new AKM uses a different mechanism of deriving the PMKID based on
KCK instead of PMK. hostapd was already doing this after the KCK had
been derived, but wpa_supplicant functionality needs to be moved from
processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available.
Signed-off-by: Jouni Malinen <j@w1.fi>
The mesh peering manager establishes and maintains links among
mesh peers, tracking each peer link via a finite state machine.
This implementation supports open mesh peerings.
[assorted fixes from Yu Niiro <yu.niiro@gmail.com>]
[more fixes from Masashi Honma <masashi.honma@gmail.com>]
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Ashok Nagarajan <ashok.dragon@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-hostap: Bob Copeland <me@bobcopeland.com>
Add routines to (de)initialize mesh interface data structures and
join and leave mesh networks.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
The new "bss_load_update_period" parameter can be used to configure
hostapd to advertise its BSS Load element in Beacon and Probe Response
frames. This parameter is in the units of BUs (Beacon Units).
When enabled, the STA Count and the Channel Utilization value will be
updated periodically in the BSS Load element. The AAC is set to 0 sinze
explicit admission control is not supported. Channel Utilization is
calculated based on the channel survey information from the driver and
as such, requires a driver that supports providing that information for
the current operating channel.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
Create init_mesh, mesh_join, and mesh_leave actions to kernel.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Add an implementation of Synthetic Initialization Vector (SIV)
Authenticated Encryption Using the Advanced Encryption Standard (AES).
This mode of AES is used to protect peering frames when using
the authenticated mesh peering exchange.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
This is needed for number of items and it was possible to make a build
configuration that did not include ieee802_11_common.c while still
trying to use functions from there. While it would be possible to add
NEED_80211_COMMON=y to all the cases where this file is needed, the
extra complexity from this is not really justifiable anymore, so include
the file unconditionally.
Signed-off-by: Jouni Malinen <j@w1.fi>
The driver_test.c driver wrapper (-Dtest in wpa_supplicant and
driver=test in hostapd) was previously used for testing without real
Wi-Fi hardware. mac80211_hwsim-based tests have practically replaced all
these needs and there has been no improvements or use for driver_test.c
in a long while. Because of this, there has not really been any effort
to maintain this older test tool and no justification to change this
either. Remove the obsoleted test mechanism to clean up the repository.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant was giving below error when "CONFIG_MODULE_TESTS=y" and
"CONFIG_P2P=y" are in .config file:
"wpas_module_tests.c:84: undefined reference to `wps_module_tests'"
This error is coming because "CONFIG_WPS=y" is commented out in .config
file but CONFIG_WPS is getting enabled by CONFIG_P2P in Makefile.
Signed-off-by: Amit Khatri <amit.khatri@samsung.com>
This patch adds epoll option for the eloop implementation. This can be
selected with the CONFIG_ELOOP_EPOLL=y build option.
[merit]
See Table1.
Table1. comparison table
+--------+--------+-----------+------------+-------------+
| | add fd | remove fd | prepare fd | dispatch fd |
+--------+--------+-----------+------------+-------------+
| select | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| poll | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| epoll | O(1) | O(1) | 0 | O(M) |
+--------+--------+-----------+------------+-------------+
"add fd" is addition of fd by eloop_sock_table_add_sock().
"remove fd" is removal of fd by eloop_sock_table_remove_sock().
"prepare fd" is preparation of fds before wait in eloop_run().
"dispatch fd" is dispatchment of fds by eloop_sock_table_dispatch().
"N" is all watching fds.
"M" is fds which could be dispatched after waiting.
As shown in Table1, epoll option has better performance on "prepare fd" column.
Because select/poll option requires setting fds before every select()/poll().
But epoll_wait() doesn't need it.
And epoll option has also better performance on "dispatch fd" column.
Because select/poll option needs to check all registered fds to find out
dispatchable fds. But epoll option doesn't require checking all registered fds.
Because epoll_wait() returns dispatchable fd set.
So epoll option is effective for GO/AP functionality.
[demerit]
The epoll option requires additional heap memory. In case of P2P GO, it is
about 8K bytes.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Rename the eap_proxy_*.mk file to eap_proxy_*.mak for non-Android builds
so that the same eap_proxy implementation can be more easily included in
the same directory for both cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, EAP-SIM/AKA/AKA' did not work with number of crypto
libraries (GnuTLS, CryptoAPI, NSS) since the required FIPS 186-2 PRF
function was not implemented. This resulted in somewhat confusing error
messages since the placeholder functions were silently returning an
error. Fix this by using the internal implementation of FIP 186-2 PRF
(including internal SHA-1 implementation) with crypto libraries that do
not implement this in case EAP-SIM/AKA/AKA' is included in the build.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add IPv6 support when using udp/udp-remote control interface using the
following new build configuration options:
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote
This is useful for testing, while we don't need to assign IPv4 address
(static or using DHCP) and can just use auto configured IPv6 addresses
(link local, which is based on the MAC address). Also add scope id
support for link local case.
For example,
./wpa_cli
./wpa_cli -i ::1,9877
./wpa_cli -i fe80::203:7fff:fe05:69%wlan0,9877
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
CONFIG_MODULE_TESTS=y build option can now be used to build in module
tests into hostapd and wpa_supplicant binaries. These test cases will be
used to get better testing coverage for various details that are
difficult to test otherwise through the control interface control. A
single control interface command is used to executed these tests within
the hwsim test framework. This commit adds just the new mechanism, but no
module tests are yet integrated into this mechanism.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using binutils >= 2.24.x and setting
CONFIG_WPA_TRACE/CONFIG_WPA_TRACE_BDF causes both builds to fail with
"#error config.h must be included before this header" message.
Since version 2.24.x, the bfd header checks for PACKAGE and
PACKAGE_VERSION macros.
As suggested in http://sourceware.org/bugzilla/show_bug.cgi?id=14243
projects that use bfd and don't use autotools should define a PACKAGE
macro.
Signed-off-by: Roger Zanoni <roger.zanoni@openbossa.org>
This new mechanism allows P2P Client to request an IPv4 address from the
GO as part of the 4-way handshake to avoid use of DHCP exchange after
4-way handshake. If the new mechanism is used, the assigned IP address
is shown in the P2P-GROUP-STARTED event on the client side with
following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP
address is included in the AP-STA-CONNECTED event on the GO side as a
new ip_addr parameter. The IP address is valid for the duration of the
association.
The IP address pool for this new mechanism is configured as global
wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask,
ip_addr_star, ip_addr_end. For example:
ip_addr_go=192.168.42.1
ip_addr_mask=255.255.255.0
ip_addr_start=192.168.42.2
ip_addr_end=192.168.42.100
DHCP mechanism is expected to be enabled at the same time to support P2P
Devices that do not use the new mechanism. The easiest way of managing
the IP addresses is by splitting the IP address range into two parts and
assign a separate range for wpa_supplicant and DHCP server.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to enable various testing parameters and
functionality in build configuration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
In addition, update build rules to compile object files in the same
directory as the source code file if CONFIG_CODE_COVERAGE=y is set to
make lcov find the source code files.
Signed-hostap: Jouni Malinen <j@w1.fi>
Relative time shouldn't be calculated based on gettimeofday
because that clock can jump (e.g., when the time is adjusted
by the system administrator.)
On systems where that is available, use CLOCK_BOOTTIME (on
fairly recent Linux systems, this clock takes into account
the time spend suspended) or CLOCK_MONOTONIC (on Linux and
some POSIX systems, this clock is just freely running with
no adjustments.)
Reported-by: Holger Schurig <holgerschurig@gmail.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
In order to support P2P GO with 11ac support, add CONFIG_IEEE80211AC
config option support to the Makefile.
Signed-hostap: Eliad Peller <eliadx.peller@intel.com>
Add DFS structures/events handlers, CAC handling, and radar detection.
By default, after radar is detected or the channel became unavailable, a
random channel will be chosen.
This patches are based on the original work by Boris Presman and
Victor Goldenshtein. Most of the DFS code is moved to a new dfs.c/dfs.h
files.
Cc: Boris Presman <boris.presman@ti.com>
Cc: Victor Goldenshtein <victorg@ti.com>
Signed-hostap: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
There is not much use for enabling WPA without WPA2 nowadays since most
networks have been upgraded to WPA2. Furthermore, the code size savings
from disabling just WPA2 are pretty small, so there is not much
justification for maintaining this build option. Remove it to get rid of
undesired complexity.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add support for VHT capability overrides to allow testing connections
with a subset of the VHT capabilities that are actually supported by
the device. The only thing that isn't currently supported (by mac80211
and this code) is the RX/TX highest rate field.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
In addition to the offload mechanism, the Android configuration and
makefiles are extended to allow this to be configured for the build by
dropping in platform specific configuration files and makefile without
having to modify any existing files.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows FFC groups to be used with SAE. Though, these groups are not
included in the default sae_groups value based on what is available
since the FFC groups have the additional requirement of using a safe
prime with the current implementation (or specification of the group
order).
Signed-hostap: Jouni Malinen <j@w1.fi>
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. Previously it was possible to
define CONFIG_IEEE80211V without CONFIG_WNM which would break the build.
In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and
WNM is a better term to use for this new functionality anyway.
Signed-hostap: Jouni Malinen <j@w1.fi>
This code was within ifdef CONFIG_AP and did not get included unless
AP mode support was also enabled.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit ee431d77a5 broke wpa_supplicant
compilation:
../src/ap/ieee802_1x.o: In function `ieee802_1x_get_eap_user':
/../src/ap/ieee802_1x.c:1689: undefined reference to `hostapd_get_eap_user'
collect2: error: ld returned 1 exit status
make: *** [wpa_supplicant] Error 1
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
The UFD (USB flash drive) configuration method was deprecated in WSC
2.0. Since this is not known to be used, remove the UFD implementation
from hostapd and wpa_supplicant to allow the WPS implementation to be
cleaned up. This removes the now unused OOB operations and ctrl_iface
commands that had already been deprecated by the new NFC operations.
Signed-hostap: Jouni Malinen <j@w1.fi>
The old WPS interface for using NFC has no known deployments and even
the binary libraries referenced here are not easily available anymore.
Since the new interface for using NFC with WPS covers the same
functionality, remove the old implementation to clean up WPS
implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
This introduces new AKM for SAE and FT-SAE and adds the initial parts
for going through the SAE Authentication frame exchange. The actual SAE
algorithm and new fields in Authentication frames are not yet included
in this commit and will be added separately. This version is able to
complete a dummy authentication with the correct authentication
algorithm and transaction values to allow cfg80211/mac80211 drivers to
be tested (all the missing parts can be handled with
hostapd/wpa_supplicant changes).
Signed-hostap: Jouni Malinen <j@w1.fi>
This commit adds control interface commands and internal storage of
Wi-Fi Display related configuration. In addition, WFD IE is now added
to various P2P frames, Probe Request/Response, and (Re)Association
Request/Response frames. WFD subelements from peers are stored in the
P2P peer table.
Following control interface commands are now available:
SET wifi_display <0/1>
GET wifi_display
WFD_SUBELEM_SET <subelem> [hexdump of length+body]
WFD_SUBELEM_GET <subelem>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.
The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit c9e08af24f removed the only user of
the special case MD5 use that would be allowed in FIPS mode in
tls_prf_sha1_md5(). Commit 271dbf1594
removed the file from the build, but left the implementation into the
repository. To clean things up even further, remove this functionality
completely since it is not expected to be needed for FIPS mode anymore.
Signed-hostap: Jouni Malinen <j@w1.fi>
When CONFIG_FIPS=y is used, do not include MD5 in the build and disable
EAPOL-Key frames that use MD5 (WPA/TKIP and dynamic WEP with IEEE
802.1X).
Signed-hostap: Jouni Malinen <j@w1.fi>
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.
Signed-hostap: Jouni Malinen <j@w1.fi>
OpenSSL-based builds may need libdl in the linker line after the OpenSSL
library. CONFIG_TLS_ADD_DL=y can now be used to force that if needed.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used for convenience to build wpa_supplicant with OpenSSL
FIPS object module. CONFIG_FIPS=y is expected to be used in
wpa_supplicant/.config when using this option.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add new option for ctrl iface: CONFIG_CTRL_IFACE=udp-remote. This
enables remote access to control interface via UDP port(s). This should
be used for testing purpose only since there is no authentication or
access control on the commands.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
nfc_pw_token can be used to build random NFC password token for WPS.
This tool prints out the wpa_supplicant.conf (or hostapd.conf)
parameters and the hexdump of the WPS password token (with and without
NDEF encapsulation) so that it can be written to a NFC tag with an
external program.
Signed-hostap: Jouni Malinen <j@w1.fi>
This module will sets a fixed scanning interval. Thus, the parameter to
this module is following this format: <fixed interval>
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
This module will compute the interval on a base exponential. Thus,
params to this module are following this format: <base>:<limit>
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Like bgscan, autoscan is an optional module based feature to automate
scanning but while disconnected or inactive.
Instead of requesting directly a scan, it only sets the scan_interval
and the sched_scan_interval. So, if the driver supports sched_scan,
autoscan will be able to tweak its interval. Otherwise, the tweaked
scan_interval will be used. If scan parameters needs to be tweaked, an
autoscan_params pointer in wpa_s will provide those. So req_scan /
req_sched_scan will not set the scan parameters as they usually do, but
instead will use this pointer.
Modules will not have to request a scan directly, like bgscan does.
Instead, it will need to return the interval it wants after each
notification.
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
If WNM is enabled for the build (CONFIG_WNM=y), add BSS max idle period
information to the (Re)Association Response frame from the AP and parse
this information on the station. For SME-in-wpa_supplicant case, add a
timer to handle periodic transmission of the keep-alive frame. The
actual request for the driver to transmit a frame is not yet
implemented.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add the option (-T) to wpa_supplicant to log all debug messages into the
kernel tracing, allowing to aggregate kernel debugging with
wpa_supplicant debugging and recording all with trace-cmd.
Since tracing has relatively low overhead and can be filtered
afterwards, record all messages regardless of log level. However, it
will honor the -K option and not record key material by default.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When using more than around 200 virtual stations, we start hitting the
max number of file descriptors supported by select(). This patch adds
support for poll(), which has no hard upper limit.
Signed-hostap: Ben Greear <greearb@candelatech.com>
This allows HT capabilities overrides on kernels that
support these features.
MCS Rates can be disabled to force to slower speeds when using HT.
Rates cannot be forced higher.
HT can be disabled, forcing an 802.11a/b/g/n station to act like
an 802.11a/b/g station.
HT40 can be disabled.
MAX A-MSDU can be disabled.
A-MPDU Factor and A-MPDU Density can be modified.
Please note that these are suggestions to the kernel. Only mac80211
drivers will work at all. The A-MPDU Factor can only be decreased and
the A-MPDU Density can only be increased currently.
Signed-hostap: Ben Greear <greearb@candelatech.com>
This changes the install target such that parent directories of
installed paths area created and each path is only installed
on a dependency basis.
Signed-off-by: Grant Erickson <marathon96@gmail.com>
Perforce does not like @ in the file name and since these template files
do not really need to have that in the name, make the files in
repository friendlier to Perforce. The generated *.service file will
maintain their old names.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows the internal TLS implementation to be built for TLS v1.2
support. In addition to the build option, this changes the TLS PRF
based on the negotiated version number. Though, this commit does not
yet complete support for TLS v1.2.
Signed-hostap: Jouni Malinen <j@w1.fi>
The source code compiles into different objects depending on
the contents of .config. Therefore, the objects should depend
on .config.
Previously, only the executables depended on .config. This meant
that they were re-linked when .config changed. But that relink
process used the old (and now wrong) objects.
This code has not been maintained for years and there is no plan on
doing so either in the future. The Qt4-based wpa_gui-qt4 version can be
used as a replacement for this older wpa_gui version.
Signed-hostap: Jouni Malinen <j@w1.fi>
This code was used only with driver_test.c to allow MLME operations
in hostapd to be tested without having to use a real radio. There
are no plans on extending this to any other use than testing and
mac80211_hwsim has now obsoled the need for this type of testing.
As such, we can drop this code from wpa_supplicant to clean up the
implementation of unnecessary complexity.
This is the first step in allowing SA Query mechanism in hostapd to be
used with drivers that implement authentication and association MLME/SME
(i.e., do not use ieee802_11.c).
Add mechanism for using GAS/ANQP to query Interworking related
information from APs. The received information is stored in the BSS
table and can be viewed with ctrl_iface BSS command.
New ctrl_iface command ANQP_GET can be used to fetch ANQP elements from
a specific AP. Additional commands FETCH_ANQP and STOP_FETCH_ANQP can be
used to initiate and stop an iteration through all APs in the BSS table
that indicate support Interworking to fetch ANQP elements from them.
The new wpa_supplicant.conf file global parameters interworking and
hessid can be used to configure wpa_supplicant to include
Interworking element in Probe Request frames.
This implements GAS request mechanism that is aimed at being used to
replace use case specific GAS/ANQP implementations in the future.
Compared to the earlier implementation in P2P SD, this implementation
includes support for multiple concurrent requests and more thorough
validation of frames against the pending query data.
GAS header processing, including comeback and reassembly, are handled
within gas_query.c and the users of this module will only need to
provide the Query Request and process the (possibly reassembled)
Query Response.
GAS/ANQP is a generic protocol and in no way specific to P2P, so move
routines used to build GAS/ANQP frames to a separate file that can be
shared for other uses than just P2P service discovery.
These protocols seem to be abandoned: latest IETF drafts have expired
years ago and it does not seem likely that EAP-TTLSv1 would be
deployed. The implementation in hostapd/wpa_supplicant was not complete
and not fully tested. In addition, the TLS/IA functionality was only
available when GnuTLS was used. Since GnuTLS removed this functionality
in 3.0.0, there is no available TLS/IA implementation in the latest
version of any supported TLS library.
Remove the EAP-TTLSv1 and TLS/IA implementation to clean up unwanted
complexity from hostapd and wpa_supplicant. In addition, this removes
any potential use of the GnuTLS extra library.
This is required for cross-compilation support on certain
platforms to avoid changing the pkg-config files themselves.
Signed-off-by: David James <davidjames@chromium.org>
Signed-off-by: Paul Stewart <pstew@chromium.org>
Need to define CONFIG_NO_PBKDF2 even though the crypto cleanup moved
the function to a separate file since there is conditional code in
wpa_supplicant/config.c. In addition, wpa_passphrase should not be
built at all if passphrase functionality is removed.