Commit Graph

141 Commits

Author SHA1 Message Date
Jouni Malinen
3459381dd2 External persistent storage for PMKSA cache entries
This adds new wpa_supplicant control interface commands PMKSA_GET and
PMKSA_ADD that can be used to store PMKSA cache entries in an external
persistent storage when terminating a wpa_supplicant process and then
restore those entries when starting a new process. The previously added
PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing
the external storage with the memory-only volatile storage within
wpa_supplicant.

"PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to
a specific network profile. The network_id of the current profile is
available with the STATUS command (id=<network_id). In addition, the
network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The
output of the PMKSA_GET command uses the following format:

<BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds>
<akmp> <opportunistic>

For example:

02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0

The PMKSA_GET command uses the following format:

<network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration
in seconds> <akmp> <opportunistic>

(i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET
output data; however, the reauth_time and expiration values need to be
updated by decrementing them by number of seconds between the PMKSA_GET
and PMKSA_ADD commands)

For example:

PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0

This functionality is disabled be default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be
noted that this allows any process that has access to the wpa_supplicant
control interface to use PMKSA_ADD command to fetch keying material
(PMK), so this is for environments in which the control interface access
is restricted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 23:47:04 +02:00
vamsi krishna
065c029a55 Remove MBO dependency from Supported Operating Classes element
Supported Operating Classes element and its use is define in the IEEE
802.11 standard and can be sent even when MBO is disabled in the build.
As such, move this functionality out from the CONFIG_MBO=y only mbo.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-11 22:07:58 +02:00
Kenny Root
88f93c30ec Android: Remove BoringSSL guard
BoringSSL is the only supported version of SSL, so remove this guard so
we can continue to compile when the flavor.mk is removed.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-11-19 17:43:03 +02:00
Ilan Peer
4ec1fd8e42 FT: Differentiate between FT for station and for AP in build
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.

Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 22:14:54 +03:00
Avrahams Stern
c433c50c9c wpa_supplicant: Make CONFIG_MBO independent of CONFIG_AP
CONFIG_MBO was defined inside ifdef CONFIG_AP, so when AP support
was not compiled, MBO was not compiled either. However, CONFIG_MBO
is not related AP support, so it should not depend on CONFIG_AP.

Fix this by moving CONFIG_MBO outside of ifdef CONFIG_AP.

Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
2016-10-29 19:31:38 +03:00
Jouni Malinen
2022f1d08d FILS: Use AEAD cipher to protect EAPOL-Key frames (STA)
This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS
AKMs) to provide both integrity protection for the EAPOL-Key frame and
encryption for the Key Data field. It should be noted that this starts
encrypting the Key Data field in EAPOL-Key message 2/4 while it remains
unencrypted (but integrity protected) in non-FILS cases. Similarly, the
empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD
cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
9b7a2b836a FILS: Add wpa_supplicant configuration options
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:44 +03:00
Roshan Pius
fe1d0771f7 binder: Expose an aidl interface module
Restructure the binder related makefile sections to expose a separate
|libwpa_binder_interface| which can be imported by clients/tests.

While there,
Change the name of the binder service to the name used in the selinux
permissions.

Signed-off-by: Roshan Pius <rpius@google.com>
2016-08-07 11:21:28 +03:00
Mikael Kanstrup
977c0796f9 Move parts of wpa_cli to a new common file
In preparation for adding further command completion support
to hostapd_cli move some cli related utility functions out of
wpa_cli into a new common cli file.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2016-08-06 12:25:58 +03:00
David Spinadel
2572df34b2 hostapd: Handle Neighbor Report Request frame
Process Neighbor Report Request frame and send Neighbor Report Response
frame based on the configured neighbor report data.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:07 +03:00
David Spinadel
9b4b226426 hostapd: Add a database of neighboring APs
Add a configurable neighbor database that includes the content of
Nighbor Report element, LCI and Location Civic subelements and SSID.

All parameters for a neighbor must be updated at once; Neighbor Report
element and SSID are mandatory, LCI and civic are optional. The age of
LCI is set to the time of neighbor update.

The control interface API is:
SET_NEIGHBOR <BSSID> <ssid=SSID> <nr=data> [lci=<data>] [civic=<data>]

To delete a neighbor use:
REMOVE_NEIGHBOR <BSSID> <SSID>

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-16 21:05:40 +03:00
Roshan Pius
7b4bbb9f94 binder: Add binder skeletal code for Android
Create the skeletal binder interface for wpa_supplicant. The interface
hierarchy is based off the existing dbus
interface(https://w1.fi/wpa_supplicant/devel/dbus.html).

Since we use libbinder, the binder interface codebase needs to be
written in C++ and can only be compiled on Android platform for now.

The aidl files define binder RPC interfaces. The Android build system
generates the corresponding C++ interface classes which needs to be
implemented by the server process.

The clients can obtain a reference to the binder service (root object)
using:
android::String16 service_name("fi.w1.wpa_supplicant");
android::sp<android::IBinder> binder =
  android::defaultServiceManager()->getService(service_name);

Once a reference to the root object is retrieved, the clients can
obtain references to other RPC objects using that root object methods.

Signed-off-by: Roshan Pius <rpius@google.com>
2016-04-02 17:35:26 +03:00
Jouni Malinen
90377029c6 wpa_supplicant: Fix CONFIG_IBSS_RSN=y build without CONFIG_AP=y
Commit 1889af2e0f ('VLAN: Separate station
grouping and uplink configuration') added an ap_sta_set_vlan() function
that gets called from pmksa_cache_auth.c. This broke CONFIG_IBSS_RSN=y
build if src/ap/sta_info.c did not get included in the build, i.e., if
CONFIG_AP=y was not set.

Fix this by making the ap_sta_set_vlan() call conditional on
CONFIG_NO_VLAN being undefined and define this for CONFIG_IBSS_RSN=y
builds. This is fine for wpa_supplicant since CONFIG_AP=y case was
already defining this. For hostapd, this function call is not needed for
CONFIG_NO_VLAN case either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-21 21:12:20 +02:00
Janusz Dziedzic
1a2124c650 wpa_supplicant: Use common functions for ctrl_iface
Use the common functions, structures when UNIX socket ctrl_iface used.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-05 17:15:05 +02:00
Adam Langley
8f38eed628 Android: Remove superfluous OpenSSL include paths
The libcrypto and libssl modules (and their respective static and host
versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module
is sufficient.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2016-03-03 16:27:10 +02:00
Jouni Malinen
6332aaf3b2 MBO: Track STA cellular data capability from association request
This makes hostapd parse the MBO attribute in (Re)Association Request
frame and track the cellular data capability (mbo_cell_capa=<val> in STA
control interface command).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
David Spinadel
92c6e2e3a9 MBO: Implement MBO non-preferred channel report in Association Request
Add MBO IE with non-preferred channels to (Re)Association Request
frames.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-02-22 19:53:04 +02:00
David Spinadel
facf2c728a MBO: Add non-preferred channel configuration in wpa_supplicant
Add non-preferred channel configuration to wpa_config for MBO.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-02-21 17:55:16 +02:00
Tomasz Bursztyka
d99097177a wpa_supplicant: Enable Automatic Channel Selection support for AP mode
Since hostapd supports ACS now, let's enable its support in
wpa_supplicant as well when starting AP mode.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
[u.oelmann@pengutronix.de: adjusted added text in defconfig]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
2015-12-24 22:24:05 +02:00
Jouni Malinen
d560288a44 TLS: Parse CertificateStatus message
This allows the internal TLS client implementation to accept
CertificateStatus message from the server when trying to use OCSP
stapling. The actual OCSPResponse is not yet processed in this commit,
but the CertificateStatus message is accepted to allow the TLS handshake
to continue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-14 15:49:01 +02:00
Jouni Malinen
213e158ca8 BoringSSL: Move OCSP implementation into a separate file
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-04 20:08:31 +02:00
Pali Rohár
6bb6a9ce29 Add SHA384 and SHA512 implementations from LibTomCrypt library
These will be used with the internal TLS implementation to extend hash
algorithm support for new certificates and TLS v1.2.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
2015-11-29 18:19:32 +02:00
Jouni Malinen
9b635d0bde Remove link_test and test_wpa
These wpa_supplicant test programs have not been maintained for years
and it would take significant effort to get these into working state.
Since there does not seem to be any real need for these based on lack of
maintenance, it is easier to just drop these tools for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-24 00:00:21 +02:00
Samuel Tan
3b49719130 Android: Use libdbus rather than dbus-1
The upstream wpa_supplicant uses the dbus-1 library when it is compiled
with D-Bus support. In Android, we imported the D-Bus shared libraries
under the name "libdbus", so use this shared library instead of dbus-1
when compiling wpa_supplicant with D-Bus support.

Signed-off-by: Samuel Tan <samueltan@google.com>
2015-11-15 19:26:49 +02:00
Jouni Malinen
8f3ea3175f tests: Fix build without CONFIG_ERP=y
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-26 00:42:14 +02:00
Adam Langley
aeeb0bca71 Android: Fix keystore-backed keys with BoringSSL
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2015-10-06 23:10:17 +03:00
Jouni Malinen
de78844b33 Fix EAP-EKE peer build rules
NEED_AES_CBC is needed for EAP-EKE builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-25 19:43:44 +03:00
Jouni Malinen
d9c807cab1 Fix key derivation for Suite B 192-bit AKM to use SHA384
While the EAPOL-Key MIC derivation was already changed from SHA256 to
SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly.
Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK
from PMK when using the Suite B 192-bit AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-27 20:42:14 +03:00
Jouni Malinen
812f28b79c BoringSSL: Allow internal AES key wrap to be used with "OpenSSL" build
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-18 01:56:02 +03:00
Daichi Ueura
884c649e26 Android: Make wpa_cli work on wifi.interface without extra params
Currently wpa_cli connects to global control interface if -i/-p
parameters are not specified. wpa_cli on global control interface
is not useful since the prefix like "IFNAME=wlan0 " needs to be
added to some commands like "IFNAME=wlan0 scan". And, specifying
-i/-p parameters every time is annoying. To improve efficiency of
debugging, this patch enables to make wpa_cli work without extra
parameters.

If you still want to connect to global control interface,
the following command can be used instead:

 $ wpa_cli -g@android:wpa_wlan0 (or -gwlan0)

Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
2015-08-02 21:37:10 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
835c89a16b EAP-TTLS: Disable CHAP, MSCHAP, and MSCHAPV2 in CONFIG_FIPS=y builds
FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 21:07:44 +03:00
Jouni Malinen
276a3c44dd OpenSSL: Implement aes_wrap/aes_unwrap through EVP for CONFIG_FIPS=y
The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are
unfortunately not available in FIPS mode. Trying to use them results in
"aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API
call to cipher AES forbidden in FIPS mode!" and process termination.
Work around this by reverting commit
f19c907822 ('OpenSSL: Implement aes_wrap()
and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this
ends up using the internal AES key wrap/unwrap implementation through
the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y
is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues
to be used to minimize code size.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 16:56:59 +03:00
Jouni Malinen
16bc3b8935 OpenSSL: Add SHA256 support in openssl_tls_prf() for TLSv1.2
This is needed when enabling TLSv1.2 support for EAP-FAST since the
SSL_export_keying_material() call does not support the needed parameters
for TLS PRF and the external-to-OpenSSL PRF needs to be used instead.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-28 21:00:17 +03:00
Anton Nayshtut
a8dab08a28 FST: Testing support
This patch introduces infrastructure needed for FST module tests.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:16 +03:00
Anton Nayshtut
79c7b36d12 FST: wpa_supplicant build rules
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Kevin Cernekee
a1407217b1 Android: Rename ANDROID_P2P_STUB to ANDROID_LIB_STUB
If BOARD_HOSTAPD_PRIVATE_LIB is not used on an Android build, we will
need to replace both the p2p functions *and* wpa_driver_nl80211_driver_cmd
in order to successfully link.  Let's make the name more generic so it is
more obvious what it is used for.

Suggested-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Kevin Cernekee <cernekee@google.com>
2015-06-26 22:46:16 +03:00
Jouni Malinen
65a7b21f5e OpenSSL: Implement AES-128 CBC using EVP API
This replaces the internal CBC mode implementation in
aes_128_cbc_encrypt() and aes_128_cbc_decrypt() with the OpenSSL
implementation for CONFIG_TLS=openssl builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 20:30:58 +03:00
Mikael Kanstrup
ba87329d96 wpa_cli: Use .wpa_cli_history under Android
wpa_cli already implements a command history file for easy accessing
commands previously used. Enable the functionality on Android, too.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-03-26 15:29:13 +02:00
Jouni Malinen
55e8f0eafc Fix CONFIG_EAP_UNAUTH_TLS without CONFIG_EAP_TLS build
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-20 15:56:59 +02:00
Jouni Malinen
6784168d07 Remove SChannel support
SChannel/CryptoAPI as a TLS/crypto library alternative was never
completed. Critical functionality is missing and there are bugs in this
implementation. Since there are no known plans of completing this
support, it is better to remove this code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-18 22:31:36 +02:00
Jouni Malinen
0f89328575 P2P: Move upper layer SD interaction into a separate file
wpa_supplicant/p2p_supplicant.c has reached almost 10000 lines in length
and was getting a bit inconvenient to edit, so start splitting it into
separate files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-15 20:25:48 +02:00
Jouni Malinen
f19c907822 OpenSSL: Implement aes_wrap() and aes_unwrap()
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
983c6a606b OpenSSL: Replace internal HMAC-MD5 implementation
Use OpenSSL HMAC_* functions to implement HMAC-MD5 instead of depending
on the src/crypto/md5.c implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
5e3b5197cc Add Suite B 192-bit AKM
WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into
use as the key management method.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:52 +02:00
Jouni Malinen
97ae35a848 Add HMAC-SHA384
For now, this is only implemented with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:51 +02:00
Jouni Malinen
0b402479bf Remove Network Security Service (NSS) support
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Janusz Dziedzic
269dfe232b Introduce common hw features
Introduce wpa_supplicant/hostapd hw features.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Jouni Malinen
02a8d45ace ERP: Add support for ERP on EAP peer
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant
network configuration parameter erp=1 can now be used to configure the
EAP peer to derive EMSK, rRK, and rIK at the successful completion of an
EAP authentication method. This functionality is not included in the
default build and can be enabled with CONFIG_ERP=y.

If EAP authenticator indicates support for re-authentication protocol,
initiate this with EAP-Initiate/Re-auth and complete protocol when
receiving EAP-Finish/Re-auth.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:29 +02:00
Moshe Benji
a0413b1734 WMM AC: Parse WMM IE on association
Initialize WMM AC data structures upon successful association
with an AP that publishes WMM support, and deinitialize the data
structure when the association is no longer valid.

Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2014-11-16 20:47:34 +02:00