Commit graph

198 commits

Author SHA1 Message Date
Andrey Kartashev
e49b78c0d5 mka: Allow configuration of MACsec replay protection
Add new configuration parameters macsec_replay_protect and
macsec_replay_window to allow user to set up MACsec replay protection
feature. Note that according to IEEE Std 802.1X-2010 replay protection
and delay protection are different features: replay protection is
related only to SecY and does not appear on MKA level while delay
protection is something that KaY can use to manage SecY state.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Sergey Matyukevich
cdeea70f59 wpa_supplicant: Allow overriding HT STBC capabilities
Allow user to override STBC configuration for Rx and Tx spatial streams.
Add new configuration options to test for HT capability overrides.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2018-12-23 17:25:11 +02:00
Mathy Vanhoef
ce6829c284 OCV: Add wpa_supplicant config parameter
Add wpa_supplicant network profile parameter ocv to disable or enable
Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Jouni Malinen
d514b50265 WNM: Collocated Interference Reporting
Add support for negotiating WNM Collocated Interference Reporting. This
allows hostapd to request associated STAs to report their collocated
interference information and wpa_supplicant to process such request and
reporting. The actual values (Collocated Interference Report Elements)
are out of scope of hostapd and wpa_supplicant, i.e., external
components are expected to generated and process these.

For hostapd/AP, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration. STAs are requested to perform
reporting with "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report
Timeout>" control interface command. The received reports are indicated
as control interface events "COLOC-INTF-REPORT <addr> <dialog token>
<hexdump of report elements>".

For wpa_supplicant/STA, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration and setting Collocated
Interference Report Elements as a hexdump with "SET coloc_intf_elems
<hexdump>" control interface command. The hexdump can contain one or
more Collocated Interference Report Elements (each including the
information element header). For additional testing purposes, received
requests are reported with "COLOC-INTF-REQ <dialog token> <automatic
report enabled> <report timeout>" control interface events and
unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".

This commit adds support for reporting changes in the collocated
interference (Automatic Report Enabled == 1 and partial 3), but not for
periodic reports (2 and other part of 3).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-30 14:07:51 +02:00
Jouni Malinen
9be19d0b9c SAE: Add support for using the optional Password Identifier
This extends the SAE implementation in both infrastructure and mesh BSS
cases to allow an optional Password Identifier to be used. This uses the
mechanism added in P802.11REVmd/D1.0. The Password Identifier is
configured in a wpa_supplicant network profile as a new string parameter
sae_password_id. In hostapd configuration, the existing sae_password
parameter has been extended to allow the password identifier (and also a
peer MAC address) to be set. In addition, multiple sae_password entries
can now be provided to hostapd to allow multiple per-peer and
per-identifier passwords to be set.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-19 17:30:29 +03:00
Jouni Malinen
72b6e5d1e2 Do not remove CCMP group cipher if any CCMP/GCMP cipher is enabled
CCMP group cipher was removed if CCMP was not allowed as a pairwise
cipher when loading a configuration file (but not actually when changing
configuration during runtime). This is needed to avoid issues with
configurations that use the default group cipher (TKIP CCMP) while
modifying pairwise cipher from the default CCMP TKIP) to TKIP. However,
there is not really a need to remove the CCMP group cipher if any GCMP
or CCMP cipher is enabled as a pairwise cipher.

Change the network profile validation routine to not remove CCMP as
group cipher if CCMP-256, GCMP, or GCMP-256 is enabled as a pairwise
cipher even if CCMP is not.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:43 +03:00
Jouni Malinen
6311547e7b HS 2.0: Add Roaming Consortium Selection network profile parameter
This adds new roaming_consortium_selection network profile parameter
into wpa_supplicant. This is used to store the OI that was used for
network selection (INTERWORKING_SELECT) based on matching against the
Roaming Consortium OIs advertised by the AP. This can also be used when
using an external component to perform selection.

This commit adds the network profile parameter, but does not yet include
it in (Re)Association Request frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 17:26:56 +03:00
Jouni Malinen
909a948b0f HS 2.0: Add a new cred block parameter roaming_consortiums
This new string parameter contains a comma delimited list of OIs
(hexdump) in a string. This is used to store Hotspot 2.0
PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI. This commit
includes the configuration changes to parse and write the parameter. The
actual values are not yet used in Interworking network selection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Danilo Ravotto
19e20c14fb Add ap_isolate configuration option for wpa_supplicant AP mode
Allow client isolation to be configured with ap_isolate inside
wpa_supplicant configuration file.

Signed-off-by: Danilo Ravotto <danilo.ravotto@zirak.it>
2018-02-17 17:48:31 +02:00
Jouni Malinen
3bd35b6816 wpa_supplicant: Fix parsing errors on additional config file
If the -I<config> argument is used and the referenced configuration file
cannot be parsed, wpa_config_read() ended up freeing the main
configuration data structure and that resulted in use of freed memory in
such an error case. Fix this by not freeing the main config data and
handling the error case in the caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-02-04 12:20:13 +02:00
Dmitry Shmidt
9c5fe742a2 wpa_supplicant: Free config only if it was allocated in same call
If option -I:config points to a non-existing file, the the previously
allocated config must not be freed. Avoid use of freed memory in such an
error case by skipping the incorrect freeing operation.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2018-02-04 12:13:12 +02:00
Jouni Malinen
9e834fc648 EAP-SIM/AKA: Separate identity for MK derivation
This allows a separate configuration parameter (imsi_identity) to be
used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK
derivation for the case where the identity is expected to be from the
last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was
not used). This may be needed to avoid sending out an unprotected
permanent identity information over-the-air and if the EAP-SIM/AKA
server ends up using a value based on the real IMSI during the internal
key derivation operation (that does not expose the data to others).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2018-01-21 11:28:53 +02:00
Jouni Malinen
c1790a5ff8 OWE: Allow station in transition mode to connect to an open BSS
If the OWE network profile matches an open network which does not
advertise OWE BSS, allow open connection. The new owe_only=1 network
profile parameter can be used to disable this transition mode and
enforce connection only with OWE networks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-21 11:13:01 +02:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
a34ca59e4d SAE: Allow SAE password to be configured separately (STA)
The new sae_password network profile parameter can now be used to set
the SAE password instead of the previously used psk parameter. This
allows shorter than 8 characters and longer than 63 characters long
passwords to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 23:24:19 +03:00
Jouni Malinen
c77e2ff096 DPP: Remove C-sign-key expiry
This was removed in DPP tech spec v0.2.3.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 01:17:33 +03:00
Jouni Malinen
ec9f483774 OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in station
This extends OWE support in wpa_supplicant to allow DH groups 20 and 21
to be used in addition to the mandatory group 19 (NIST P-256). The group
is configured using the new network profile parameter owe_group.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Sunil Dutt
63bc0ab0ed P2P: Allow GO to advertise Interworking element
This adds new wpa_supplicant configuration parameters (go_interworking,
go_access_network_type, go_internet, go_venue_group, go_venue_type) to
add a possibility of configuring the P2P GO to advertise Interworking
element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-05 14:42:16 +03:00
Jouni Malinen
61a56c1480 Add group_mgmt network parameter for PMF cipher selection
The new wpa_supplicant network parameter group_mgmt can be used to
specify which group management ciphers (AES-128-CMAC, BIP-GMAC-128,
BIP-GMAC-256, BIP-CMAC-256) are allowed for the network. If not
specified, the current behavior is maintained (i.e., follow what the AP
advertises). The parameter can list multiple space separate ciphers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-26 17:40:02 +03:00
Lior David
3031133983 mesh: Move writing of mesh_rssi_threshold inside CONFIG_MESH
Previously, the code that writes mesh_rssi_threshold to a network block
always executes, but the code that reads it from network block and the
code that initializes it to a default value in a new network block are
inside #ifdef CONFIG_MESH. As a result when writing a config file it
will write mesh_rssi_threshold (since it has a non-default value) and
later fail to read the network block.

Fix this by moving the write code under #ifdef CONFIG_MESH as well.
Note, network blocks which already have mesh_rssi_threshold because of
the bug will still fail to read after the fix.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2017-09-12 17:17:21 +03:00
Ashwini Patil
332aadb8a2 STA: Add OCE capability indication attribute
Add OCE capability indication attribute in Probe Request and
(Re)Association Request frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-14 21:19:53 +03:00
Jouni Malinen
44d6b272cf DPP: Fix configuration item list
This was supposed to use semicolons, not commas..

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-02 09:35:00 +03:00
Jouni Malinen
8528994e21 DPP: Automatic network profile creation
wpa_supplicant can now be configured to generate a network profile
automatically based on DPP configuration. The following
dpp_config_processing values can be used to specify the behavior:
0 = report received configuration to an external program for
    processing; do not generate any network profile internally (default)
1 = report received configuration to an external program and generate
    a network profile internally, but do not automatically connect
    to the created (disabled) profile; the network profile id is
    reported to external programs
2 = report received configuration to an external program, generate
    a network profile internally, try to connect to the created
    profile automatically

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-21 18:03:34 +03:00
Jouni Malinen
3c0daa13d5 Make wpa_config_read_blob() easier for static analyzers
While encoded == NULL could happen in the case of an empty blob, that
will result in encoded_len == 0 and base64_decode() not derefencing the
src argument. That seems to be too difficult for some static analyzers,
so to avoid false warnings, explicitly reject the encoded == NULL case
without even trying to base64 decode it. (CID 164709)

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:30:45 +03:00
Jouni Malinen
b979caae57 DPP: Network profile parameters for DPP AKM
Extend wpa_supplicant network profile to include parameters needed for
the DPP AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry,
dpp_csign, dpp_csign_expiry.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Purushottam Kushwaha
43a356b268 Provide option to configure BSSID hint for a network
This exposes user configurable option to set bssid_hint for a network.
bssid_hint indicates which BSS has been found a suitable candidate for
initial association for drivers that use driver/firmware-based BSS
selection. Unlike the bssid parameter, bssid_hint does not limit the
driver from selecting other BSSs in the ESS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-12 00:20:59 +03:00
Masashi Honma
31a856a127 mesh: Make NL80211_MESHCONF_RSSI_THRESHOLD configurable
In some practical cases, it is useful to suppress joining to node in the
distance. The new field mesh_rssi_threshold could be used as RSSI
threshold for joining.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-05-08 16:23:02 +03:00
Jouni Malinen
183d3924cf WPS: Add option for using random UUID
If the uuid configuration parameter is not set, wpa_supplicant generates
an UUID automatically to allow WPS operations to proceed. This was
previously always using an UUID generated from the MAC address. This
commit adds an option to use a random UUID instead. The type of the
automatically generated UUID is set with the auto_uuid parameter: 0 =
based on MAC address (default; old behavior), 1 = random UUID.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-13 17:38:55 +03:00
Jouni Malinen
76e20f4fa7 FILS: Add FILS SK auth PFS support in STA mode
This adds an option to configure wpa_supplicant to use the perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime network profile parameter fils_dh_group is used to enable
this by specifying which DH group to use. For example, fils_dh_group=19
would use FILS SK PFS with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Johannes Berg
b07ff9cb04 wpa_supplicant: Allow disabling HT in AP mode without HT overrides
Since VHT can be toggled explicitly, also expose being able to disable
HT explicitly, without requiring HT overrides. Continue making it
default to enabled though.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-11 11:11:55 +02:00
Johannes Berg
2124a615e3 wpa_supplicant: Allow explicit wide channel configuration for AP mode
Instead of deducing the wide (HT, VHT) channel configuration only
automatically in P2P mode, allow it to be configured in the network
in non-P2P mode.

Also allow all of these parameters to be configured through the control
interface or the configuration file.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-11 10:59:51 +02:00
Purushottam Kushwaha
d0330d57f3 nl80211: Add option to delay start of schedule scan plans
The userspace may want to delay the the first scheduled scan.
This enhances sched_scan to add initial delay (in seconds) before
starting first scan cycle. The driver may optionally choose to
ignore this parameter and start immediately (or at any other time).

This uses NL80211_ATTR_SCHED_SCAN_DELAY to add this via user
global configurable option: sched_scan_start_delay.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-09 15:44:26 +02:00
Kanchanapally, Vidyullatha
af8bc24da3 MBO: Add support for transition reject reason code
Add support for rejecting a BSS transition request using MBO reject
reason codes. A candidate is selected or rejected based on whether it is
found acceptable by both wpa_supplicant and the driver. Also accept any
candidate meeting a certain threshold if disassoc imminent is set in BTM
Request frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-07 00:34:14 +02:00
Vamsi Krishna
1d9d21f376 GAS: Add support to randomize transmitter address
Add support to send GAS requests with a randomized transmitter address
if supported by the driver. The following control interface commands
(and matching configuration file parameters) can be used to configure
different types of randomization:

"SET gas_rand_mac_addr 0" to disable randomizing TX MAC address,
"SET gas_rand_mac_addr 1" to randomize the complete TX MAC address,
"SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI.

A new random MAC address will be generated for every
gas_rand_addr_lifetime seconds and this can be configured with
"SET gas_rand_addr_lifetime <timeout>".

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 19:41:32 +02:00
Jouni Malinen
54736d8358 Store FST parameters to configuration file
This was forgotten when the parameters were added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
35c78f7b97 Store osu_dir to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1f539c78f4 Store autoscan to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
58ed9e31d1 Store filter_rssi to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1fb1bf99d6 Write sec_device_type to configuration file
This is more consistent with other global configuration parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
9284418d00 Fix writing of wpa_supplicant sae_groups configuration parameter
This integer array is zero terminated, so need to check the value is
greater than 0 when writing the parameter.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Badrish Adiga H R
65dfa87286 mka: Make MKA actor priority configurable
This adds a new wpa_supplicant network profile parameter
mka_priority=0..255 to set the priority of the MKA Actor.

Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
2016-12-25 11:41:46 +02:00
Avichal Agarwal
5149a0f04c P2P: Set p2p_persistent_group=1 at the time of reading disabled=2
Configuration file network block with disabled=2 is used for storing
information about a persistent group, so p2p_persitent_group should be
updated according to this when creating a struct wpa_ssid instance. This
will end up using D-Bus persistent network object path for the network.

Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2016-12-12 20:30:31 +02:00
Sabrina Dubroca
e0d9fd344d wpa_supplicant: Allow configuring the MACsec port for MKA
Previously, wpa_supplicant only supported hardcoded port == 1 in the
SCI, but users may want to choose a different port.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:31 +02:00
Sabrina Dubroca
7b4d546e3d wpa_supplicant: Add macsec_integ_only setting for MKA
So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:16 +02:00
Sabrina Dubroca
ad51731abf wpa_supplicant: Allow pre-shared (CAK,CKN) pair for MKA
This enables configuring key_mgmt=NONE + mka_ckn + mka_cak.
This allows wpa_supplicant to work in a peer-to-peer mode, where peers
are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers
can act as key server to distribute keys for the MACsec instances.

This is what some MACsec switches support, and even without HW
support, it's a convenient way to setup a network.

Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
2016-11-20 00:35:08 +02:00
Lior David
d1723c5566 wpa_supplicant: Allow FTM functionality to be published
Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside wpa_supplicant. When
framework is activated, it will use wpa_supplicant to configure the
STA/AP to publish the FTM functionality. See IEEE P802.11-REVmc/D7.0,
9.4.2.27.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-09-05 21:27:23 +03:00
Jouni Malinen
6c33ca9f95 Add group_rekey parameter for IBSS
The new network profile parameter group_rekey can now be used to specify
the group rekeying internal in seconds for IBSS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-13 16:29:01 +03:00
Jouni Malinen
c86bef2913 wpa_supplicant: Make GAS Address3 field selection behavior configurable
IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies
that the wildcard BSSID value is used in Public Action frames that are
transmitted to a STA that is not a member of the same BSS.
wpa_supplicant used to use the actual BSSID value for all such frames
regardless of whether the destination STA is a member of the BSS.

P2P does not follow this rule, so P2P Public Action frame construction
must not be changed. However, the cases using GAS/ANQP for non-P2P
purposes should follow the standard requirements.

Unfortunately, there are deployed AP implementations that do not reply
to a GAS request sent using the wildcard BSSID value. The previously
used behavior (Address3 = AP BSSID even when not associated) continues
to be the default, but the IEEE 802.11 standard compliant addressing
behavior can now be configured with gas_address3=1.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-10 21:44:49 +03:00
Lior David
b6317b417f wpa_supplicant: Add wps_disabled parameter to network block
Add a new parameter wps_disabled to network block (wpa_ssid). This
parameter allows WPS functionality to be disabled in AP mode.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-05-14 19:43:30 +03:00
David Spinadel
c5d193d7b3 MBO: Add cellular capability to MBO IE
Add cellular capability attribute to MBO IE and add MBO IE with cellular
capabilities to Probe Request frames. By default, cellular capability
value is set to Not Cellular capable (3).

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-02-22 19:53:04 +02:00