[wpa_supplicant] Cumulative patch from commit 27e828d72
Bug: 231272394
Test: connect/disconnect to WPA2, WPA3 networks
Test: SoftAp & p2p connection
Test: Regression test(b/231636895)
BYPASS_INCLUSIVE_LANGUAGE_REASON=Merged from Open source
27e828d72 ACS: Send EHT enabled info to driver
82066bd36 nl80211: Don't force VHT channel definition with EHT
43fe1ce35 EHT: Add [EHT] flag into AP mode STA command
696ad5c2d EHT: Indicate wifi_generation=7 in wpa_supplicant STATUS output
4994c41f2 EHT: Indicate ieee80211be configuration in hostapd STATUS output
50d883710 EHT: Fix invalid length checking for EHT Capability element
6c7b2be42 SAE: Send real status code to the driver when AP rejects external auth
2c78f11a9 Fix compilation due to forward declaration of macaddr_acl
c8e822801 OpenSSL: Fix build with old library versions that do not support TLS 1.3
c24e18e5c LibreSSL: Fix compilation issue with TLS 1.3 session ticket limit
eb5e63985 LibreSSL: Fix compilation issue with RSA-OAEP
5d56cf1c7 BoringSSL: Fix compilation error due to TLS 1.3 session tickets
a561d12d2 EAP peer status notification for server not supporting RFC 5746
566ce69a8 EAP peer: Workaround for servers that do not support safe TLS renegotiation
ccb3206b6 Fix tls_connection_set_success_data() in TLS library wrappers
decac7cd1 OpenSSL: Do not send out a TLS 1.3 session ticket if caching disabled
05406f7ae EAP-PEAP server: Fix TLS 1.3 move to Phase 2 without a new session ticket
10746875e OpenSSL: Allow no OCSP response when resuming a session with TLS 1.3
2be1bcaf7 EAP-TLS peer: Fix protected success indication check for resumed session
1c66276d9 EAP-TLS server: Send final TLS message for resumed session with TLS 1.3
81e249888 OpenSSL: Limit the number of TLS 1.3 session tickets to one
d26247c3d wpa_supplicant/README-WPS: Beautifications
a8d058c93 OpenSSL: SSLKEYLOGFILE capability to allow Wireshark TLS decoding
23f389068 wolfSSL: Fix OCSP stapling
a2971f8d8 wolfSSL: Allow TLS version 1.3 to be disabled
a40e48fbe wolfSSL: Fix TLS 1.3 session handling
0c3f68f2a wolfSSL: Check for the too-short-password error in pbkdf2_sha1()
ca2622481 Check the return of pbkdf2_sha1() for errors
013cd694d wolfSSL: Fixes for FIPS builds
9d5f8168f wolfSSL: Register a FIPS callback
8f36e6c0f wolfSSL: Implement crypto_ec_key wrappers
1f7e10177 wolfSSL: Add missing free calls for wolfSSL structs
ec1cd91e7 wolfSSL: Support both DER and PEM blobs
42871a5d2 EAP-SIM/AKA peer: IMSI privacy
21098e39f EAP-SIM/AKA server: IMSI privacy
36b11bbcf OpenSSL: RSA-OAEP-SHA-256 encryption/decryption
c3d389b72 EHT: Channel switch command support
dae7940a4 EHT: Additions to hostapd_set_freq_params()
e646b11fe EHT: Indicate EHT support in Neighbor Report element
f915d52de EHT: Provide EHT capabilities in STA addition path
a6d1b4c46 EHT: Process (Re)Association Request frame capabilities
340c0e212 EHT: Parse elements received in Management frames
d54e3d049 EHT: Add operation element in AP mode Management frames
9b7202d66 EHT: Add capabilities element in AP mode Management frames
a7ea72188 EHT: Add configuration options for beamforming capabilities
8db3881c7 EHT: Add operating channel width configuration
8dcc2139f EHT: AP mode configuration options to enable/disable the support
9f7da264b nl80211: Pass station's EHT capabilities to the driver in sta_add()
0c8a9aa5d nl80211: Parse EHT capabilities from the driver
c08b735fd EHT: Define EHT elements
1a716f86a defconfig: Document IEEE 802.11ax as a published amendment
86310c220 Set hostapd hw_mode automatically based on 6 GHz op_class
664fd83d5 nl80211: Increase the buffer length for debug printing channels
563162a5f QCA vendor attribute to allow eMLSR HW mode
1e34bc49c OpenSSL: Track SSL_SESSION ex data separately
734fa392f MBO: Check association disallowed in Beacon frames, if newer
284e3ad19 Determine whether Beacon frame information is newer in scan results
28c9f29a3 scan: Print SSID in scan results dump
5a0471579 Install wpa_passphrase when not disabled
f1686d776 hostapd: Allow enabling background radar
08d7738bb wolfSSL: Speed up crypto_ec_point_compute_y_sqr()
f50d5c9a8 wolfSSL: Fix crypto_ec_point_compute_y_sqr() error case processing
7302aa761 wolfSSL: Fix the memory leak of crypto_ec_point_compute_y_sqr()
e7dd0fff1 wolfSSL: Use wc_HmacInit() to avoid potential use of uninitialized values
f7be558d6 OpenSSL: Fix build with BoringSSL
6d33ef362 OpenSSL: Remove compatibility options for older versions than 1.0.2
78c2a4cd0 OpenSSL: Drop compatibility options for LibreSSL older than 2.7
b06250767 OpenSSL: Implement crypto_ecdh routines without EC_KEY for OpenSSL 3.0
fc96f6802 OpenSSL: Use new name for the EC_POINT set/get coordinate functions
0aae045af ctrl: Print the source address of the received commands
f94214968 wpa_ctrl: Wait for a total of 10 seconds, not 10 seconds per iteration
0d9be8855 wolfSSL: Fix certificate commonName checking
94e0f39d9 wolfSSL: Use wolfSSL_export_keying_material() when available
c31fc7a64 wolfSSL: Fix crypto_dh_init() and dh5_init()
d7b8c6eef wolfSSL: Fix crypto_ecdh_* with ECC_TIMING_RESISTANT
ae1fb6455 EAP-EKE server: Fix a memory leak on an error path
166acab4e wolfSSL: TLS session caching
12dee16d7 wolfSSL: Add a debug logging callback
a5d190650 wolfSSL: Implement tls_get_tls_unique()
a419fef36 wolfSSL: Implement tls_connection_get_cipher_suite()
364876b7d wolfSSL: Implement tls_connection_get_peer_subject()
d9c716400 wolfSSL: Implement tls_connection_get_own_cert_used()
d677b9dc6 wolfSSL: Conditional build for aes_wrap/aes_unwrap()
b0f016b87 eapol_test: Update with src/ap/ieee802_1x.c changes
747c5f228 Include MS_FUNCS=y for EAP-pwd peer build
c7f71fb86 Include HMAC-SHA384/512 KDF for SAE if SHA384/512 is included
3a759dcc8 ACS: Honor acs_exclude_dfs with hostapd's ACS implementation
3240cedd6 eapol_test: Print out names for additional known EAP types
f5c711c85 OpenSSL: Unload providers only at process exit
33c4dd26c BSS coloring: Handle the collision and CCA events coming from the kernel
27b4cc712 nl80211: Handle driver events for BSS coloring
399d6e64d nl80211: Add the switch_color() handler for BSS color changes
86bd90eb3 BSS coloring: Disable BSS color during CCA
f7d0b740e BSS coloring: BSS Color Change Announcement element generation
654d2395d BSS coloring: Handling of collision events and triggering CCA
52e2516f1 wpa_supplicant: Add the CONFIG_HE_OVERRIDES option to the defconfig
6a2a60f1d OpenSSL: Do not use the deprecated RSAPrivateKey function
ebb3055e1 OpenSSL: Generate DH parameters automatically if not set with dh_file
bcd299b32 OpenSSL: Convert DH/DSA parameter loading to new API
28c1c91d0 Remove unused dh_blob parameter
4a774cf31 Remove useless DH file configuration from TLS library wrappers
65652c67f Remove DH file configuration from TLS client functionality
b94371af8 RADIUS attributes for EAPOL-Key message details
24763e3cd RADIUS: Attributes with Extended Types (RFC 6929)
feed2f9e7 BoringSSL: Use accessor functions for X509 key usage flags
80be88a08 BoringSSL: Replace stack-allocated X509_STORE_CTX with heap one
b95ed17f6 OpenSSL: Fix build with BoringSSL and LibreSSL 3.3.x and older
ae0f6ee97 OpenSSL: CMAC using the OpenSSL library for non-FIPS cases as well
0c61f6234 OpenSSL: Implement CMAC using the EVP_MAC API
4fcd29660 OpenSSL: Extend CMAC to support 192-bit AES
117617843 OpenSSL: Remove now unused compatibility wrapper for RSA_bits()
a2dbb2558 Android: Compile hs20-osu-client to /vendor/bin in test builds
b0769ce61 DPP: Allow a list of supported curves to be used in bootstrapping URI
ef85328a6 QCA vendor command support to reset configuration for eLNA bypass
7008c50fa OpenSSL: Implement DH using the EVP API
e31500ade OpenSSL: Implement HMAC using the EVP_MAC API
097ca6bf0 OpenSSL: Unload providers on deinit
092efd45a OpenSSL: Implement AES keywrap using the EVP API
7e4984d9c OpenSSL: Use a correct EVP_CIPHER_CTX freeing function on an error path
8e0ac5366 RRM: Include passive channels in active beacon report scan
0adc67612 wpa_supplicant: Use unique IDs for networks and credentials
dacb6d278 Update IEEE P802.11ax draft references to published amendment
8128ea76a Add Transmit Power Envelope element in 6 GHz
bc3dc72a3 Extend 6 GHz Operation Info field in HE Operation element
0eb686637 hostapd: Add config option to specify 6 GHz regulatory AP type
ee06165e9 hostapd: Extend Country element to support 6 GHz band
f5ad97245 PASN: Fix build without CONFIG_TESTING_OPTIONS=y
3467a701c wpa_supplicant: Do not associate on 6 GHz with forbidden configurations
43c6eb5e4 SAE-PK: Add the option to the defconfigs
0482251a6 EAP-TLS: Allow TLSv1.3 support to be enabled with build config
7114e5606 EAP-TLS: Testing functionality to skip protected success indication
95fd54b86 Disconnect STA on continuous EAP reauth without 4-way handshake completion
9e11e746f EAP-TLS: Do not allow TLSv1.3 success without protected result indication
6135a8a6a Stop authentication attemps if AP does not disconnect us
88ab59d71 EAP-TLS: Replace the Commitment Message term with RFC 9190 language
63f311b10 EAP-TLS: Update specification references to RFC 5216 and 9190
5ab385321 Revert "Android: Compile hs20-osu-client to /vendor/bin in test builds"
b746cb28b Add support for not transmitting EAPOL-Key group msg 2/2
d27f7bd94 FILS: Fix config check to allow unsolicited broadcast Probe Response
65a3a273c OWE: Reuse own DH private key in AP if STA tries OWE association again
6ff8bda99 hostapd: Add the missing CONFIG_SAE option to the defconfig
1f5b6085c Fix SIGSEGV of eapol_test
576662d27 ieee802_11_auth: Coding style cleanup - NULL comparison
945acf3ef ieee802_11_auth: Coding style cleanup - no string constant splitting
1c3438fec RADIUS ACL/PSK check during 4-way handshake
5b5c954c0 Fix AP config check to recognize all PSK AKMs
c5d9f9064 QCA vendor attribute to indicate NDP interface managemtn using nl80211
a9c90475b FT: Update current_bss to target AP before check for SME-in-driver
0c88d1487 Debug print on CONFIG_NO_TKIP=y prevent RSNE with TKIP as group cipher
d5a9331f9 P2P: Copy only valid opclasses while filtering out 6 GHz channels
99c91beaa Sync with wireless-next.git include/uapi/linux/nl80211.h
d9121335a wpa_cli: Add ACL and BTM control commands
00622fcfe Extend ACL to install allow/deny list to the driver dynamically
077bce96f Set drv_max_acl_mac_addrs in wpa_supplicant AP mode
9828aba16 Support ACL operations in wpa_supplicant AP mode
fd0d738ff Add return value to ACL functions
f5ac42811 Move ACL control interface commands into shared files
930695662 Add BSS-TM-QUERY event to indicate reception of BSS TM Query
febcdf324 Support BTM operations in wpa_supplicant AP mode
0f8c6e995 Move BTM control interface commands into shared file
e059d8ece Update the Extended Capability element to struct sta_info
eb2e6b56b Enable BSS Transition Management in wpa_supplicant AP mode
30ecf0181 DPP: Update Controller parameters when it was already started
b93d1083e DPP: Fix msg_ctx for PKEX over TCP as Controller/Responder
3085e1a67 hs20-osu-client: dNSName values from OSU server certificate for PPS MO
ce86f2446 DFS: Remove unnecessary variable
760a5ae26 DFS: Switch to background radar channel if available
b63d953fe DFS: Enable CSA for background radar detection
25663241c DFS: Introduce hostapd_dfs_request_channel_switch()
316a9dc63 DFS: Configure background radar/CAC detection
bad12effe nl80211: Radar background flag setting
effd6111b DFS: Rely on channel_type in dfs_downgrade_bandwidth()
f9ba3d5c8 OpenSSL 3.0: Set SSL groups using SSL_set1_groups()
09c62aaf1 OpenSSL: Determine RSA key size without low-level routines
b700a56e1 OpenSSL 3.0: Determine the prime length for an EC key group using EVP_PKEY
3c61f4db4 OpenSSL: Replace EC_GROUP_get_curve_GFp() calls with EC_GROUP_get_curve()
e2cb0ca1a OpenSSL 3.0: Implement crypto_ec_key_group() with new API
f6a53f64a OpenSSL: Replace EVP_PKEY_cmp() with EVP_PKEY_eq() when available
5b093570d D-Bus: Add 'wep_disabled' capability
56a14cc72 DFS: Don't let cac_time_left_seconds overflow
ae512c30a DPP: Fix uninitialised variable on error path
3a157fe92 dbus: Set CurrentAuthMode to INACTIVE only if network is not selected
0ce8d55a2 hs20-osu-client: Allow EST server to use different host name
5eaf596e1 HTTP: Make URL available to the cert_cb
abed7978f HS 2.0 server: Event log entry on missing configuration for the realm
1192d5721 Android: Compile hs20-osu-client to /vendor/bin in test builds
1fee1c40c Enhance QCA vendor interface to indicate TWT required capability of AP
a192305a4 Add QCA vendor attributes for AFC support in external ACS
de5939ef5 DPP: Allow Configurator net_access_key_curve to be changed
9638452a6 DPP: Update Configurator to require same netAccessKey curve to be used
2b406eece DPP: Update Auth-I derivation operations
de64dfe98 DPP: Curve change for netAccessKey
fd2eb7a41 DPP: Fix a memory leak on error path
e9551efe0 DPP: Missing/invalid Protocol Version in Reconfig Auth Req
eeb72e7c9 DPP: Extend DPP_PKEX_ADD ver=<1/2> to cover Responder role
6c3c431bb Add QCA vendor attribute to enable Spectral FFT recapture
fcbdaae8a SAE: Add support for RADIUS passphrase as the SAE password
3d86fcee0 cleanup: Remove unreachable code
9683195ee qca-vendor: Fix typos
4c9ef9322 brcm_vendor: Fix typos
d65285ab8 src/drivers: Fix typos
203a027b2 nl80211: Report background radar/CAC detection capability
0a73649b6 DFS: Add capability to select radar-only channels
f39765369 DFS: Introduce dfs_set_valid_channel() utility routine
d001b301b Fix removal of wpa_passphrase on 'make clean'
cb41c214b build: Re-enable options for libwpa_client.so and wpa_passphrase
dec626109 HE: Fix invalid length checking for HE Capability element
53be64f7d HE: Fix calculation of the PPE Threshold field length
738fef2f0 Clear PSK explicitly from memory in couple more cases on deinit
567b9764f Clear PMK explicitly even without FT support in AP build
0bd29c176 Remove duplicated pointer check
007fd6111 Clear temporary results from stack in PBKDF2-SHA1
1364f322b Remove GTK/IGTK/BIGTK from memory explicitly in AP mode
af1f0694e Clear last set keys (for testing purposes) from memory explicitly
6c850a1c0 nl80211: Clear bss->freq when stopping AP mode
a44fa15cb Define a vendor specific NDP attribute for NAN service id
414ca953f DPP: Clear SCANNING state when starting network introduction
0b5f8e3d8 DPP: Clear netrole on starting chirping or reconfiguration
2fcc076d1 Clear wpa_s->last/current_ssid in more cases
7a7f803a9 DPP: Stop offchannel frame TX wait on DPP_STOP_LISTEN in a corner case
7e941e7a1 macsec_linux: Support cipher suite configuration
46c635910 MACsec: Support GCM-AES-256 cipher suite
42944de69 nl80211: Do not store no-wait TX frame cookies to be cancelled
340ec48cd DPP: Clear state on configuration failure in GAS server hander
7e6f59c70 nl80211: Clear the last saved TX frame cookie on wait expiration
9d5fd3328 Update QCA vendor attribute to indicate maximum PCL attributes
19169a53a atheros: Do not include p2p.h
f43d31dda nl80211: Debug print association comeback event data
a91072503 OCV: Don't start SA Query timer on CSA when SA Query is offloaded
f5c8697c0 Sync with mac80211-next.git include/uapi/linux/nl80211.h
632a9995c Clear ignore_old_scan_res on FLUSH command
Change-Id: I35fd1fb999d045ced8c153fe3d8284c9a71069b1
diff --git a/wpa_supplicant/Android.bp b/wpa_supplicant/Android.bp
index 0d088bb..db11387 100644
--- a/wpa_supplicant/Android.bp
+++ b/wpa_supplicant/Android.bp
@@ -301,7 +301,6 @@
"src/common/sae_pk.c",
"src/common/wpa_common.c",
"src/crypto/aes-ctr.c",
- "src/crypto/aes-omac1.c",
"src/crypto/aes-siv.c",
"src/crypto/crypto_openssl.c",
"src/crypto/dh_groups.c",
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index cdf8943..d1436e2 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -119,7 +119,6 @@
ifdef CONFIG_FIPS
CONFIG_NO_RANDOM_POOL=
-CONFIG_OPENSSL_CMAC=y
endif
OBJS = config.c
@@ -515,6 +514,9 @@
endif
TLS_FUNCS=y
CONFIG_IEEE8021X_EAPOL=y
+ifdef CONFIG_EAP_TLSV1_3
+L_CFLAGS += -DEAP_TLSV1_3
+endif
endif
ifdef CONFIG_EAP_UNAUTH_TLS
@@ -775,6 +777,7 @@
CONFIG_IEEE8021X_EAPOL=y
NEED_ECC=y
NEED_DRAGONFLY=y
+MS_FUNCS=y
endif
ifdef CONFIG_EAP_EKE
@@ -945,6 +948,9 @@
ifdef CONFIG_IEEE80211AX
OBJS += src/ap/ieee802_11_he.c
endif
+ifdef CONFIG_IEEE80211BE
+OBJS += src/ap/ieee802_11_eht.c
+endif
ifdef CONFIG_WNM_AP
L_CFLAGS += -DCONFIG_WNM_AP
OBJS += src/ap/wnm_ap.c
@@ -967,6 +973,10 @@
ifdef CONFIG_IEEE80211AC
L_CFLAGS += -DCONFIG_IEEE80211AC
endif
+ifdef CONFIG_IEEE80211BE
+CONFIG_IEEE80211AX=y
+L_CFLAGS += -DCONFIG_IEEE80211BE
+endif
ifdef CONFIG_IEEE80211AX
L_CFLAGS += -DCONFIG_IEEE80211AX
endif
@@ -1099,6 +1109,7 @@
endif
ifeq ($(CONFIG_TLS), openssl)
+L_CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
ifdef TLS_FUNCS
L_CFLAGS += -DEAP_TLS_OPENSSL
OBJS += src/crypto/tls_openssl.c
@@ -1303,9 +1314,7 @@
AESOBJS += src/crypto/aes-encblock.c
endif
NEED_AES_ENC=y
-ifdef CONFIG_OPENSSL_CMAC
-L_CFLAGS += -DCONFIG_OPENSSL_CMAC
-else
+ifneq ($(CONFIG_TLS), openssl)
AESOBJS += src/crypto/aes-omac1.c
endif
ifdef NEED_AES_WRAP
@@ -1399,6 +1408,17 @@
endif
endif
+ifdef CONFIG_SAE
+ifdef NEED_SHA384
+# Need to add HMAC-SHA384 KDF as well, if SHA384 was enabled.
+NEED_HMAC_SHA384_KDF=y
+endif
+ifdef NEED_SHA512
+# Need to add HMAC-SHA512 KDF as well, if SHA512 was enabled.
+NEED_HMAC_SHA512_KDF=y
+endif
+endif
+
SHA256OBJS = # none by default
L_CFLAGS += -DCONFIG_SHA256
ifneq ($(CONFIG_TLS), openssl)
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 18ffbcb..1c6911b 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1,24 +1,29 @@
BINALL=wpa_supplicant wpa_cli
-ifndef CONFIG_NO_WPA_PASSPHRASE
-BINALL += wpa_passphrase
-endif
-
ALL = $(BINALL)
ALL += systemd/wpa_supplicant.service
ALL += systemd/wpa_supplicant@.service
ALL += systemd/wpa_supplicant-nl80211@.service
ALL += systemd/wpa_supplicant-wired@.service
ALL += dbus/fi.w1.wpa_supplicant1.service
-ifdef CONFIG_BUILD_WPA_CLIENT_SO
-ALL += libwpa_client.so
-endif
EXTRA_TARGETS=dynamic_eap_methods
CONFIG_FILE=.config
include ../src/build.rules
+ifdef CONFIG_BUILD_WPA_CLIENT_SO
+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO
+# being set in the config which is read by build.rules
+_all: libwpa_client.so
+endif
+
+ifndef CONFIG_NO_WPA_PASSPHRASE
+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE
+# being set in the config which is read by build.rules
+_all: wpa_passphrase
+endif
+
ifdef LIBS
# If LIBS is set with some global build system defaults, clone those for
# LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well.
@@ -68,6 +73,9 @@
install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))
$(MAKE) -C ../src install
+ifndef CONFIG_NO_WPA_PASSPHRASE
+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase
+endif
ifdef CONFIG_BUILD_WPA_CLIENT_SO
install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so
install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h
@@ -79,7 +87,6 @@
ifdef CONFIG_FIPS
CONFIG_NO_RANDOM_POOL=
-CONFIG_OPENSSL_CMAC=y
endif
OBJS = config.o
@@ -484,6 +491,9 @@
endif
TLS_FUNCS=y
CONFIG_IEEE8021X_EAPOL=y
+ifdef CONFIG_EAP_TLSV1_3
+CFLAGS += -DEAP_TLSV1_3
+endif
endif
ifdef CONFIG_EAP_UNAUTH_TLS
@@ -750,6 +760,7 @@
CONFIG_IEEE8021X_EAPOL=y
NEED_ECC=y
NEED_DRAGONFLY=y
+MS_FUNCS=y
endif
ifdef CONFIG_EAP_EKE
@@ -939,6 +950,9 @@
ifdef CONFIG_IEEE80211AX
OBJS += ../src/ap/ieee802_11_he.o
endif
+ifdef CONFIG_IEEE80211BE
+OBJS += ../src/ap/ieee802_11_eht.o
+endif
ifdef CONFIG_WNM_AP
CFLAGS += -DCONFIG_WNM_AP
OBJS += ../src/ap/wnm_ap.o
@@ -961,6 +975,10 @@
ifdef CONFIG_IEEE80211AC
CFLAGS += -DCONFIG_IEEE80211AC
endif
+ifdef CONFIG_IEEE80211BE
+CONFIG_IEEE80211AX=y
+CFLAGS += -DCONFIG_IEEE80211BE
+endif
ifdef CONFIG_IEEE80211AX
CFLAGS += -DCONFIG_IEEE80211AX
endif
@@ -1107,6 +1125,7 @@
endif
ifeq ($(CONFIG_TLS), openssl)
+CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
ifdef TLS_FUNCS
CFLAGS += -DEAP_TLS_OPENSSL
OBJS += ../src/crypto/tls_openssl.o
@@ -1358,9 +1377,7 @@
AESOBJS += ../src/crypto/aes-encblock.o
endif
NEED_AES_ENC=y
-ifdef CONFIG_OPENSSL_CMAC
-CFLAGS += -DCONFIG_OPENSSL_CMAC
-else
+ifneq ($(CONFIG_TLS), openssl)
ifneq ($(CONFIG_TLS), linux)
ifneq ($(CONFIG_TLS), wolfssl)
AESOBJS += ../src/crypto/aes-omac1.o
@@ -1474,6 +1491,17 @@
endif
endif
+ifdef CONFIG_SAE
+ifdef NEED_SHA384
+# Need to add HMAC-SHA384 KDF as well, if SHA384 was enabled.
+NEED_HMAC_SHA384_KDF=y
+endif
+ifdef NEED_SHA512
+# Need to add HMAC-SHA512 KDF as well, if SHA512 was enabled.
+NEED_HMAC_SHA512_KDF=y
+endif
+endif
+
SHA256OBJS = # none by default
CFLAGS += -DCONFIG_SHA256
ifneq ($(CONFIG_TLS), openssl)
@@ -2076,3 +2104,4 @@
rm -f libwpa_client.a
rm -f libwpa_client.so
rm -f libwpa_test1 libwpa_test2
+ rm -f wpa_passphrase
diff --git a/wpa_supplicant/README-HS20 b/wpa_supplicant/README-HS20
index b076621..a099a85 100644
--- a/wpa_supplicant/README-HS20
+++ b/wpa_supplicant/README-HS20
@@ -168,6 +168,12 @@
# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
# format
#
+# imsi_privacy_key: IMSI privacy key (PEM encoded X.509v3 certificate)
+# This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
+# identity (IMSI) to improve privacy. The X.509v3 certificate needs to
+# include a 2048-bit RSA public key and this is from the operator who
+# authenticates the SIM/USIM.
+#
# domain_suffix_match: Constraint for server domain name
# If set, this FQDN is used as a suffix match requirement for the AAA
# server certificate in SubjectAltName dNSName element(s). If a
diff --git a/wpa_supplicant/README-WPS b/wpa_supplicant/README-WPS
index b884f67..e902cc8 100644
--- a/wpa_supplicant/README-WPS
+++ b/wpa_supplicant/README-WPS
@@ -24,8 +24,8 @@
environments that require secure network access without chance for
allowing outsiders to gain access during the setup phase.
-WPS uses following terms to describe the entities participating in the
-network setup:
+WPS uses the following terms to describe the entities participating
+in the network setup:
- access point: the WLAN access point
- Registrar: a device that control a network and can authorize
addition of new devices); this may be either in the AP ("internal
@@ -55,22 +55,22 @@
WPS is an optional component that needs to be enabled in
wpa_supplicant build configuration (.config). Here is an example
-configuration that includes WPS support and Linux nl80211 -based
+configuration that includes WPS support and Linux nl80211-based
driver interface:
CONFIG_DRIVER_NL80211=y
CONFIG_WPS=y
If you want to enable WPS external registrar (ER) functionality, you
-will also need to add following line:
+will also need to add the following line:
CONFIG_WPS_ER=y
-Following parameter can be used to enable support for NFC config method:
+The following parameter can be used to enable support for NFC config
+method:
CONFIG_WPS_NFC=y
-
WPS needs the Universally Unique IDentifier (UUID; see RFC 4122) for
the device. This is configured in the runtime configuration for
wpa_supplicant (if not set, UUID will be generated based on local MAC
@@ -91,7 +91,6 @@
update_config=1
-
External operations
-------------------
@@ -118,7 +117,6 @@
the client will be enrolled with credentials needed to connect to the
AP to access the network.
-
If the client device does not have a display that could show the
random PIN, a hardcoded PIN that is printed on a label can be
used. wpa_supplicant is notified this with a control interface
@@ -135,7 +133,6 @@
wpa_cli wps_pin any 12345670 300
-
If a random PIN is needed for a user interface, "wpa_cli wps_pin get"
can be used to generate a new PIN without starting WPS negotiation.
This random PIN can then be passed as an argument to another wps_pin
@@ -154,7 +151,6 @@
negotiation which will generate a new WPA PSK in the same way as the
PIN method described above.
-
If the client wants to operate in the Registrar role to learn the
current AP configuration and optionally, to configure an AP,
wpa_supplicant is notified over the control interface, e.g., with
@@ -218,7 +214,8 @@
processing the credential attributes and updating wpa_supplicant
configuration based on them.
-Following control interface messages are sent out for external programs:
+The following control interface messages are sent out for external
+programs:
WPS-CRED-RECEIVED <hexdump of Credential attribute(s)>
For example:
@@ -236,7 +233,7 @@
Separate wpa_supplicant process can be started for WPS ER
operations. A special "none" driver can be used in such a case to
indicate that no local network interface is actually controlled. For
-example, following command could be used to start the ER:
+example, the following command could be used to start the ER:
wpa_supplicant -Dnone -c er.conf -ieth0
@@ -245,7 +242,6 @@
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin
device_name=WPS External Registrar
-
wpa_cli commands for ER functionality:
wps_er_start [IP address]
@@ -275,7 +271,6 @@
<auth> must be one of the following: OPEN WPAPSK WPA2PSK
<encr> must be one of the following: NONE WEP TKIP CCMP
-
wps_er_pbc <Enrollee UUID|MAC address>
- accept an Enrollee PBC using External Registrar
@@ -285,7 +280,6 @@
- if the MAC address of the enrollee is known, it should be configured
to allow the AP to advertise list of authorized enrollees
-
WPS ER events:
WPS_EVENT_ER_AP_ADD
diff --git a/wpa_supplicant/ap.c b/wpa_supplicant/ap.c
index 0559822..7b31d8e 100644
--- a/wpa_supplicant/ap.c
+++ b/wpa_supplicant/ap.c
@@ -1028,6 +1028,7 @@
hapd_iface->extended_capa = wpa_s->extended_capa;
hapd_iface->extended_capa_mask = wpa_s->extended_capa_mask;
hapd_iface->extended_capa_len = wpa_s->extended_capa_len;
+ hapd_iface->drv_max_acl_mac_addrs = wpa_s->drv_max_acl_mac_addrs;
wpa_s->ap_iface->conf = conf = hostapd_config_defaults();
if (conf == NULL) {
@@ -1105,6 +1106,11 @@
hapd_iface->bss[i]->ext_eapol_frame_io =
wpa_s->ext_eapol_frame_io;
#endif /* CONFIG_TESTING_OPTIONS */
+
+#ifdef CONFIG_WNM_AP
+ if (ssid->mode == WPAS_MODE_AP)
+ hapd_iface->bss[i]->conf->bss_transition = 1;
+#endif /* CONFIG_WNM_AP */
}
os_memcpy(hapd_iface->bss[0]->own_addr, wpa_s->own_addr, ETH_ALEN);
@@ -1564,6 +1570,183 @@
return pos - buf;
}
+
+#ifdef CONFIG_WNM_AP
+
+int ap_ctrl_iface_disassoc_imminent(struct wpa_supplicant *wpa_s,
+ const char *buf)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+ return hostapd_ctrl_iface_disassoc_imminent(hapd, buf);
+}
+
+
+int ap_ctrl_iface_ess_disassoc(struct wpa_supplicant *wpa_s, const char *buf)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+ return hostapd_ctrl_iface_ess_disassoc(hapd, buf);
+}
+
+
+int ap_ctrl_iface_bss_tm_req(struct wpa_supplicant *wpa_s, const char *buf)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+ return hostapd_ctrl_iface_bss_tm_req(hapd, buf);
+}
+
+#endif /* CONFIG_WNM_AP */
+
+
+int ap_ctrl_iface_acl_add_mac(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type,
+ const char *buf)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+
+ hapd->conf->macaddr_acl = acl_type;
+
+ if (acl_type == ACCEPT_UNLESS_DENIED)
+ return hostapd_ctrl_iface_acl_add_mac(&hapd->conf->deny_mac,
+ &hapd->conf->num_deny_mac,
+ buf);
+ if (acl_type == DENY_UNLESS_ACCEPTED)
+ return hostapd_ctrl_iface_acl_add_mac(
+ &hapd->conf->accept_mac,
+ &hapd->conf->num_accept_mac, buf);
+
+ return -1;
+}
+
+
+int ap_ctrl_iface_acl_del_mac(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type,
+ const char *buf)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+
+ hapd->conf->macaddr_acl = acl_type;
+
+ if (acl_type == ACCEPT_UNLESS_DENIED)
+ return hostapd_ctrl_iface_acl_del_mac(&hapd->conf->deny_mac,
+ &hapd->conf->num_deny_mac,
+ buf);
+ if (acl_type == DENY_UNLESS_ACCEPTED)
+ return hostapd_ctrl_iface_acl_del_mac(
+ &hapd->conf->accept_mac, &hapd->conf->num_accept_mac,
+ buf);
+
+ return -1;
+}
+
+
+int ap_ctrl_iface_acl_show_mac(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type, char *buf,
+ size_t buflen)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+
+ if (acl_type == ACCEPT_UNLESS_DENIED)
+ return hostapd_ctrl_iface_acl_show_mac(hapd->conf->deny_mac,
+ hapd->conf->num_deny_mac,
+ buf, buflen);
+ if (acl_type == DENY_UNLESS_ACCEPTED)
+ return hostapd_ctrl_iface_acl_show_mac(
+ hapd->conf->accept_mac, hapd->conf->num_accept_mac,
+ buf, buflen);
+
+ return -1;
+}
+
+
+void ap_ctrl_iface_acl_clear_list(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return;
+
+ hapd->conf->macaddr_acl = acl_type;
+
+ if (acl_type == ACCEPT_UNLESS_DENIED)
+ hostapd_ctrl_iface_acl_clear_list(&hapd->conf->deny_mac,
+ &hapd->conf->num_deny_mac);
+ else if (acl_type == DENY_UNLESS_ACCEPTED)
+ hostapd_ctrl_iface_acl_clear_list(&hapd->conf->accept_mac,
+ &hapd->conf->num_accept_mac);
+}
+
+
+int ap_ctrl_iface_disassoc_deny_mac(struct wpa_supplicant *wpa_s)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+
+ return hostapd_disassoc_deny_mac(hapd);
+}
+
+
+int ap_ctrl_iface_disassoc_accept_mac(struct wpa_supplicant *wpa_s)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+
+ return hostapd_disassoc_accept_mac(hapd);
+}
+
+
+int ap_ctrl_iface_set_acl(struct wpa_supplicant *wpa_s)
+{
+ struct hostapd_data *hapd;
+
+ if (wpa_s->ap_iface)
+ hapd = wpa_s->ap_iface->bss[0];
+ else
+ return -1;
+
+ return hostapd_set_acl(hapd);
+}
+
#endif /* CONFIG_CTRL_IFACE */
diff --git a/wpa_supplicant/ap.h b/wpa_supplicant/ap.h
index 7bc1b78..ccd3e7b 100644
--- a/wpa_supplicant/ap.h
+++ b/wpa_supplicant/ap.h
@@ -10,6 +10,8 @@
#ifndef AP_H
#define AP_H
+enum macaddr_acl;
+
int wpa_supplicant_create_ap(struct wpa_supplicant *wpa_s,
struct wpa_ssid *ssid);
void wpa_supplicant_ap_deinit(struct wpa_supplicant *wpa_s);
@@ -38,6 +40,22 @@
const char *txtaddr);
int ap_ctrl_iface_wpa_get_status(struct wpa_supplicant *wpa_s, char *buf,
size_t buflen, int verbose);
+int ap_ctrl_iface_disassoc_imminent(struct wpa_supplicant *wpa_s,
+ const char *buf);
+int ap_ctrl_iface_ess_disassoc(struct wpa_supplicant *wpa_s, const char *buf);
+int ap_ctrl_iface_bss_tm_req(struct wpa_supplicant *wpa_s, const char *buf);
+int ap_ctrl_iface_acl_add_mac(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type, const char *buf);
+int ap_ctrl_iface_acl_del_mac(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type, const char *buf);
+int ap_ctrl_iface_acl_show_mac(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type, char *buf,
+ size_t buflen);
+void ap_ctrl_iface_acl_clear_list(struct wpa_supplicant *wpa_s,
+ enum macaddr_acl acl_type);
+int ap_ctrl_iface_disassoc_deny_mac(struct wpa_supplicant *wpa_s);
+int ap_ctrl_iface_disassoc_accept_mac(struct wpa_supplicant *wpa_s);
+int ap_ctrl_iface_set_acl(struct wpa_supplicant *wpa_s);
void ap_tx_status(void *ctx, const u8 *addr,
const u8 *buf, size_t len, int ack);
void ap_eapol_tx_status(void *ctx, const u8 *dst,
diff --git a/wpa_supplicant/bss.c b/wpa_supplicant/bss.c
index e13783c..429c6e7 100644
--- a/wpa_supplicant/bss.c
+++ b/wpa_supplicant/bss.c
@@ -291,6 +291,7 @@
dst->noise = src->noise;
dst->level = src->level;
dst->tsf = src->tsf;
+ dst->beacon_newer = src->beacon_newer;
dst->est_throughput = src->est_throughput;
dst->snr = src->snr;
diff --git a/wpa_supplicant/bss.h b/wpa_supplicant/bss.h
index 4078b9b..146aaee 100644
--- a/wpa_supplicant/bss.h
+++ b/wpa_supplicant/bss.h
@@ -108,6 +108,8 @@
int level;
/** Timestamp of last Beacon/Probe Response frame */
u64 tsf;
+ /** Whether the Beacon frame data is known to be newer */
+ bool beacon_newer;
/** Time of the last update (i.e., Beacon or Probe Response RX) */
struct os_reltime last_update;
/** Estimated throughput in kbps */
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index f344e1d..c8844bb 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2451,7 +2451,6 @@
{ STRe(client_cert, cert.client_cert) },
{ STRe(private_key, cert.private_key) },
{ STR_KEYe(private_key_passwd, cert.private_key_passwd) },
- { STRe(dh_file, cert.dh_file) },
{ STRe(subject_match, cert.subject_match) },
{ STRe(check_cert_subject, cert.check_cert_subject) },
{ STRe(altsubject_match, cert.altsubject_match) },
@@ -2462,7 +2461,6 @@
{ STRe(client_cert2, phase2_cert.client_cert) },
{ STRe(private_key2, phase2_cert.private_key) },
{ STR_KEYe(private_key2_passwd, phase2_cert.private_key_passwd) },
- { STRe(dh_file2, phase2_cert.dh_file) },
{ STRe(subject_match2, phase2_cert.subject_match) },
{ STRe(check_cert_subject2, phase2_cert.check_cert_subject) },
{ STRe(altsubject_match2, phase2_cert.altsubject_match) },
@@ -2490,7 +2488,6 @@
{ STRe(machine_private_key, machine_cert.private_key) },
{ STR_KEYe(machine_private_key_passwd,
machine_cert.private_key_passwd) },
- { STRe(machine_dh_file, machine_cert.dh_file) },
{ STRe(machine_subject_match, machine_cert.subject_match) },
{ STRe(machine_check_cert_subject, machine_cert.check_cert_subject) },
{ STRe(machine_altsubject_match, machine_cert.altsubject_match) },
@@ -2506,6 +2503,7 @@
{ INTe(machine_ocsp, machine_cert.ocsp) },
{ INT(eapol_flags) },
{ INTe(sim_num, sim_num) },
+ { STRe(imsi_privacy_key, imsi_privacy_key) },
{ STRe(openssl_ciphers, openssl_ciphers) },
{ INTe(erp, erp) },
#endif /* IEEE8021X_EAPOL */
@@ -2612,6 +2610,7 @@
{ INT(macsec_replay_window) },
{ INT_RANGE(macsec_port, 1, 65534) },
{ INT_RANGE(mka_priority, 0, 255) },
+ { INT_RANGE(macsec_csindex, 0, 1) },
{ FUNC_KEY(mka_cak) },
{ FUNC_KEY(mka_ckn) },
#endif /* CONFIG_MACSEC */
@@ -2753,7 +2752,6 @@
os_free(cert->client_cert);
os_free(cert->private_key);
str_clear_free(cert->private_key_passwd);
- os_free(cert->dh_file);
os_free(cert->subject_match);
os_free(cert->check_cert_subject);
os_free(cert->altsubject_match);
@@ -2773,6 +2771,7 @@
bin_clear_free(eap->identity, eap->identity_len);
os_free(eap->anonymous_identity);
os_free(eap->imsi_identity);
+ os_free(eap->imsi_privacy_key);
os_free(eap->machine_identity);
bin_clear_free(eap->password, eap->password_len);
bin_clear_free(eap->machine_password, eap->machine_password_len);
@@ -2876,6 +2875,7 @@
os_free(cred->req_conn_capab_port[i]);
os_free(cred->req_conn_capab_port);
os_free(cred->req_conn_capab_proto);
+ os_free(cred->imsi_privacy_key);
os_free(cred);
}
@@ -3155,6 +3155,26 @@
}
+static const char *removed_fields[] = {
+ "dh_file",
+ "dh_file2",
+ "machine_dh_file",
+ NULL
+};
+
+static bool removed_field(const char *field)
+{
+ int i;
+
+ for (i = 0; removed_fields[i]; i++) {
+ if (os_strcmp(field, removed_fields[i]) == 0)
+ return true;
+ }
+
+ return false;
+}
+
+
/**
* wpa_config_set - Set a variable in network configuration
* @ssid: Pointer to network configuration data
@@ -3203,6 +3223,12 @@
break;
}
if (i == NUM_SSID_FIELDS) {
+ if (removed_field(var)) {
+ wpa_printf(MSG_INFO,
+ "Line %d: Ignore removed configuration field '%s'",
+ line, var);
+ return ret;
+ }
if (line) {
wpa_printf(MSG_ERROR, "Line %d: unknown network field "
"'%s'.", line, var);
@@ -3400,8 +3426,11 @@
void wpa_config_update_psk(struct wpa_ssid *ssid)
{
#ifndef CONFIG_NO_PBKDF2
- pbkdf2_sha1(ssid->passphrase, ssid->ssid, ssid->ssid_len, 4096,
- ssid->psk, PMK_LEN);
+ if (pbkdf2_sha1(ssid->passphrase, ssid->ssid, ssid->ssid_len, 4096,
+ ssid->psk, PMK_LEN) != 0) {
+ wpa_printf(MSG_ERROR, "Error in pbkdf2_sha1()");
+ return;
+ }
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
ssid->psk, PMK_LEN);
ssid->psk_set = 1;
@@ -3882,6 +3911,12 @@
return 0;
}
+ if (os_strcmp(var, "imsi_privacy_key") == 0) {
+ os_free(cred->imsi_privacy_key);
+ cred->imsi_privacy_key = val;
+ return 0;
+ }
+
if (line) {
wpa_printf(MSG_ERROR, "Line %d: unknown cred field '%s'.",
line, var);
@@ -4032,6 +4067,9 @@
if (os_strcmp(var, "imsi") == 0)
return alloc_strdup(cred->imsi);
+ if (os_strcmp(var, "imsi_privacy_key") == 0)
+ return alloc_strdup(cred->imsi_privacy_key);
+
if (os_strcmp(var, "milenage") == 0) {
if (!(cred->milenage))
return NULL;
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 696fb38..77d6ab5 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -182,6 +182,16 @@
char *milenage;
/**
+ * imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
+ *
+ * This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
+ * identity (IMSI) to improve privacy. The X.509v3 certificate needs to
+ * include a 2048-bit RSA public key and this is from the operator who
+ * authenticates the SIM/USIM.
+ */
+ char *imsi_privacy_key;
+
+ /**
* engine - Use an engine for private key operations
*/
int engine;
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 778da45..978cc6a 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -297,8 +297,8 @@
struct wpa_ssid *ssid, *tail, *head;
struct wpa_cred *cred, *cred_tail, *cred_head;
struct wpa_config *config;
- int id = 0;
- int cred_id = 0;
+ static int id = 0;
+ static int cred_id = 0;
if (name == NULL)
return NULL;
@@ -699,7 +699,6 @@
STR(client_cert);
STR(private_key);
STR(private_key_passwd);
- STR(dh_file);
STR(subject_match);
STR(check_cert_subject);
STR(altsubject_match);
@@ -710,7 +709,6 @@
STR(client_cert2);
STR(private_key2);
STR(private_key2_passwd);
- STR(dh_file2);
STR(subject_match2);
STR(check_cert_subject2);
STR(altsubject_match2);
@@ -721,7 +719,6 @@
STR(machine_client_cert);
STR(machine_private_key);
STR(machine_private_key_passwd);
- STR(machine_dh_file);
STR(machine_subject_match);
STR(machine_check_cert_subject);
STR(machine_altsubject_match);
@@ -810,6 +807,7 @@
INT(macsec_replay_window);
INT(macsec_port);
INT_DEF(mka_priority, DEFAULT_PRIO_NOT_KEY_SERVER);
+ INT(macsec_csindex);
#endif /* CONFIG_MACSEC */
#ifdef CONFIG_HS20
INT(update_identifier);
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index dd8b1d9..4d3d114 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -911,6 +911,13 @@
int mka_priority;
/**
+ * macsec_csindex - Cipher suite index for MACsec
+ *
+ * Range: 0-1 (default: 0)
+ */
+ int macsec_csindex;
+
+ /**
* mka_ckn - MKA pre-shared CKN
*/
#define MACSEC_CKN_MAX_LEN 32
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 1b7f96e..b27c6cf 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -905,7 +905,6 @@
STR(client_cert);
STR(private_key);
STR(private_key_passwd);
- STR(dh_file);
STR(subject_match);
STR(check_cert_subject);
STR(altsubject_match);
@@ -914,7 +913,6 @@
STR(client_cert2);
STR(private_key2);
STR(private_key2_passwd);
- STR(dh_file2);
STR(subject_match2);
STR(check_cert_subject2);
STR(altsubject_match2);
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index dc6c772..e8a8118 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -674,6 +674,9 @@
} else if (os_strcasecmp(cmd, "dpp_configurator_params") == 0) {
os_free(wpa_s->dpp_configurator_params);
wpa_s->dpp_configurator_params = os_strdup(value);
+#ifdef CONFIG_DPP2
+ dpp_controller_set_params(wpa_s->dpp, value);
+#endif /* CONFIG_DPP2 */
} else if (os_strcasecmp(cmd, "dpp_init_max_tries") == 0) {
wpa_s->dpp_init_max_tries = atoi(value);
} else if (os_strcasecmp(cmd, "dpp_init_retry_time") == 0) {
@@ -836,6 +839,11 @@
wpa_s->disable_scs_support = !!atoi(value);
} else if (os_strcasecmp(cmd, "disable_mscs_support") == 0) {
wpa_s->disable_mscs_support = !!atoi(value);
+ } else if (os_strcasecmp(cmd, "disable_eapol_g2_tx") == 0) {
+ wpa_s->disable_eapol_g2_tx = !!atoi(value);
+ /* Populate value to wpa_sm if already associated. */
+ wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_DISABLE_EAPOL_G2_TX,
+ wpa_s->disable_eapol_g2_tx);
#ifdef CONFIG_DPP
} else if (os_strcasecmp(cmd, "dpp_config_obj_override") == 0) {
os_free(wpa_s->dpp_config_obj_override);
@@ -2306,11 +2314,12 @@
if (wpa_s->connection_set &&
(wpa_s->connection_ht || wpa_s->connection_vht ||
- wpa_s->connection_he)) {
+ wpa_s->connection_he || wpa_s->connection_eht)) {
ret = os_snprintf(pos, end - pos,
"wifi_generation=%u\n",
- wpa_s->connection_he ? 6 :
- (wpa_s->connection_vht ? 5 : 4));
+ wpa_s->connection_eht ? 7 :
+ (wpa_s->connection_he ? 6 :
+ (wpa_s->connection_vht ? 5 : 4)));
if (os_snprintf_error(end - pos, ret))
return pos - buf;
pos += ret;
@@ -8539,6 +8548,7 @@
wpa_s->oci_freq_override_ft_assoc = 0;
wpa_s->oci_freq_override_fils_assoc = 0;
wpa_s->oci_freq_override_wnm_sleep = 0;
+ wpa_s->disable_eapol_g2_tx = 0;
#ifdef CONFIG_DPP
os_free(wpa_s->dpp_config_obj_override);
wpa_s->dpp_config_obj_override = NULL;
@@ -8592,6 +8602,8 @@
if (wpa_s->mac_addr_changed && wpa_s->conf->mac_addr == 0)
wpas_restore_permanent_mac_addr(wpa_s);
+
+ wpa_s->conf->ignore_old_scan_res = 0;
}
@@ -9984,8 +9996,9 @@
int flow_id = 0;
bool protection = false;
u8 twt_channel = 0;
- u8 control = BIT(4); /* Control field (IEEE P802.11ax/D8.0 Figure
- * 9-687): B4 = TWT Information Frame Disabled */
+ u8 control = BIT(4); /* Control field (IEEE Std 802.11ax-2021,
+ * Figure 9-687 - Control field format):
+ * B4 = TWT Information Frame Disabled */
const char *tok_s;
tok_s = os_strstr(cmd, " dialog=");
@@ -10687,7 +10700,7 @@
#endif /* CONFIG_FILS */
-static int wpas_ctrl_cmd_debug_level(const char *cmd)
+int wpas_ctrl_cmd_debug_level(const char *cmd)
{
if (os_strcmp(cmd, "PING") == 0 ||
os_strncmp(cmd, "BSS ", 4) == 0 ||
@@ -12019,6 +12032,58 @@
} else if (os_strcmp(buf, "UPDATE_BEACON") == 0) {
if (wpas_ap_update_beacon(wpa_s))
reply_len = -1;
+ } else if (os_strncmp(buf, "ACCEPT_ACL ", 11) == 0) {
+ if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) {
+ if (ap_ctrl_iface_acl_add_mac(wpa_s,
+ DENY_UNLESS_ACCEPTED,
+ buf + 19) ||
+ ap_ctrl_iface_set_acl(wpa_s))
+ reply_len = -1;
+ } else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) {
+ if (ap_ctrl_iface_acl_del_mac(wpa_s,
+ DENY_UNLESS_ACCEPTED,
+ buf + 19) ||
+ ap_ctrl_iface_set_acl(wpa_s) ||
+ ap_ctrl_iface_disassoc_accept_mac(wpa_s))
+ reply_len = -1;
+ } else if (os_strcmp(buf + 11, "SHOW") == 0) {
+ reply_len = ap_ctrl_iface_acl_show_mac(
+ wpa_s, DENY_UNLESS_ACCEPTED,
+ reply, reply_size);
+ } else if (os_strcmp(buf + 11, "CLEAR") == 0) {
+ ap_ctrl_iface_acl_clear_list(wpa_s,
+ DENY_UNLESS_ACCEPTED);
+ if (ap_ctrl_iface_set_acl(wpa_s) ||
+ ap_ctrl_iface_disassoc_accept_mac(wpa_s))
+ reply_len = -1;
+ } else {
+ reply_len = -1;
+ }
+ } else if (os_strncmp(buf, "DENY_ACL ", 9) == 0) {
+ if (os_strncmp(buf + 9, "ADD_MAC ", 8) == 0) {
+ if (ap_ctrl_iface_acl_add_mac(wpa_s,
+ ACCEPT_UNLESS_DENIED,
+ buf + 17) ||
+ ap_ctrl_iface_set_acl(wpa_s) ||
+ ap_ctrl_iface_disassoc_deny_mac(wpa_s))
+ reply_len = -1;
+ } else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) {
+ if (ap_ctrl_iface_acl_del_mac(wpa_s,
+ ACCEPT_UNLESS_DENIED,
+ buf + 17) ||
+ ap_ctrl_iface_set_acl(wpa_s))
+ reply_len = -1;
+ } else if (os_strcmp(buf + 9, "SHOW") == 0) {
+ reply_len = ap_ctrl_iface_acl_show_mac(
+ wpa_s, ACCEPT_UNLESS_DENIED, reply, reply_size);
+ } else if (os_strcmp(buf + 9, "CLEAR") == 0) {
+ ap_ctrl_iface_acl_clear_list(wpa_s,
+ ACCEPT_UNLESS_DENIED);
+ if (ap_ctrl_iface_set_acl(wpa_s))
+ reply_len = -1;
+ } else {
+ reply_len = -1;
+ }
#endif /* CONFIG_AP */
} else if (os_strcmp(buf, "SUSPEND") == 0) {
wpas_notify_suspend(wpa_s->global);
@@ -12114,6 +12179,17 @@
if (wpas_ctrl_iface_coloc_intf_report(wpa_s, buf + 18))
reply_len = -1;
#endif /* CONFIG_WNM */
+#ifdef CONFIG_WNM_AP
+ } else if (os_strncmp(buf, "DISASSOC_IMMINENT ", 18) == 0) {
+ if (ap_ctrl_iface_disassoc_imminent(wpa_s, buf + 18))
+ reply_len = -1;
+ } else if (os_strncmp(buf, "ESS_DISASSOC ", 13) == 0) {
+ if (ap_ctrl_iface_ess_disassoc(wpa_s, buf + 13))
+ reply_len = -1;
+ } else if (os_strncmp(buf, "BSS_TM_REQ ", 11) == 0) {
+ if (ap_ctrl_iface_bss_tm_req(wpa_s, buf + 11))
+ reply_len = -1;
+#endif /* CONFIG_WNM_AP */
} else if (os_strcmp(buf, "FLUSH") == 0) {
wpa_supplicant_ctrl_iface_flush(wpa_s);
} else if (os_strncmp(buf, "RADIO_WORK ", 11) == 0) {
@@ -12312,6 +12388,9 @@
if (os_snprintf_error(reply_size, reply_len))
reply_len = -1;
}
+ } else if (os_strncmp(buf, "DPP_CONFIGURATOR_SET ", 21) == 0) {
+ if (dpp_configurator_set(wpa_s->dpp, buf + 20) < 0)
+ reply_len = -1;
} else if (os_strncmp(buf, "DPP_CONFIGURATOR_REMOVE ", 24) == 0) {
if (dpp_configurator_remove(wpa_s->dpp, buf + 24) < 0)
reply_len = -1;
diff --git a/wpa_supplicant/ctrl_iface.h b/wpa_supplicant/ctrl_iface.h
index dfbd25a..9842ea1 100644
--- a/wpa_supplicant/ctrl_iface.h
+++ b/wpa_supplicant/ctrl_iface.h
@@ -122,6 +122,8 @@
void wpas_ctrl_radio_work_flush(struct wpa_supplicant *wpa_s);
+int wpas_ctrl_cmd_debug_level(const char *cmd);
+
#else /* CONFIG_CTRL_IFACE */
static inline struct ctrl_iface_priv *
diff --git a/wpa_supplicant/ctrl_iface_udp.c b/wpa_supplicant/ctrl_iface_udp.c
index 1cbf7fa..1178f40 100644
--- a/wpa_supplicant/ctrl_iface_udp.c
+++ b/wpa_supplicant/ctrl_iface_udp.c
@@ -337,6 +337,9 @@
else
reply_len = 2;
} else {
+ sockaddr_print(wpas_ctrl_cmd_debug_level(buf),
+ "Control interface recv command from:",
+ &from, fromlen);
reply = wpa_supplicant_ctrl_iface_process(wpa_s, pos,
&reply_len);
}
diff --git a/wpa_supplicant/ctrl_iface_unix.c b/wpa_supplicant/ctrl_iface_unix.c
index 639573d..2052873 100644
--- a/wpa_supplicant/ctrl_iface_unix.c
+++ b/wpa_supplicant/ctrl_iface_unix.c
@@ -178,6 +178,9 @@
else
reply_len = 2;
} else {
+ sockaddr_print(wpas_ctrl_cmd_debug_level(buf),
+ "Control interface recv command from:",
+ &from, fromlen);
reply_buf = wpa_supplicant_ctrl_iface_process(wpa_s, buf,
&reply_len);
reply = reply_buf;
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index 959a68b..0b1002b 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -1121,7 +1121,7 @@
const struct wpa_dbus_property_desc *property_desc,
DBusMessageIter *iter, DBusError *error, void *user_data)
{
- const char *capabilities[13];
+ const char *capabilities[14];
size_t num_items = 0;
struct wpa_global *global = user_data;
struct wpa_supplicant *wpa_s;
@@ -1177,6 +1177,9 @@
#endif /* CONFIG_SUITEB192 */
if (ext_key_id_supported)
capabilities[num_items++] = "extended_key_id";
+#ifndef CONFIG_WEP
+ capabilities[num_items++] = "wep_disabled";
+#endif /* !CONFIG_WEP */
return wpas_dbus_simple_array_property_getter(iter,
DBUS_TYPE_STRING,
@@ -3951,7 +3954,7 @@
const char *auth_mode;
char eap_mode_buf[WPAS_DBUS_AUTH_MODE_MAX];
- if (wpa_s->wpa_state != WPA_COMPLETED) {
+ if (wpa_s->wpa_state <= WPA_SCANNING) {
auth_mode = "INACTIVE";
} else if (wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X ||
wpa_s->key_mgmt == WPA_KEY_MGMT_IEEE8021X_NO_WPA) {
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index 6208e9e..95dc4e3 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -101,6 +101,9 @@
# EAP-TLS
CONFIG_EAP_TLS=y
+# Enable EAP-TLSv1.3 support by default (currently disabled unless explicitly
+# enabled in network configuration)
+#CONFIG_EAP_TLSV1_3=y
# EAL-PEAP
CONFIG_EAP_PEAP=y
@@ -203,6 +206,9 @@
# Support VHT overrides (disable VHT, mask MCS rates, etc.)
#CONFIG_VHT_OVERRIDES=y
+# Support HE overrides
+#CONFIG_HE_OVERRIDES=y
+
# Development testing
#CONFIG_EAPOL_TEST=y
@@ -248,6 +254,9 @@
# Simultaneous Authentication of Equals (SAE), WPA3-Personal
CONFIG_SAE=y
+# SAE Public Key, WPA3-Personal
+#CONFIG_SAE_PK=y
+
# Disable scan result processing (ap_scan=1) to save code size by about 1 kB.
# This can be used if ap_scan=1 mode is never enabled.
#CONFIG_NO_SCAN_PROCESSING=y
@@ -474,6 +483,16 @@
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
CONFIG_IEEE80211AC=y
+# IEEE 802.11ax HE support (mainly for AP mode)
+CONFIG_IEEE80211AX=y
+
+# IEEE 802.11be EHT support (mainly for AP mode)
+# CONFIG_IEEE80211AX is mandatory for setting CONFIG_IEEE80211BE.
+# Note: This is experimental and work in progress. The definitions are still
+# subject to change and this should not be expected to interoperate with the
+# final IEEE 802.11be version.
+#CONFIG_IEEE80211BE=y
+
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
diff --git a/wpa_supplicant/dpp_supplicant.c b/wpa_supplicant/dpp_supplicant.c
index d570cfe..b6dbc98 100644
--- a/wpa_supplicant/dpp_supplicant.c
+++ b/wpa_supplicant/dpp_supplicant.c
@@ -1148,6 +1148,7 @@
return;
}
+ wpa_s->dpp_pkex_wait_auth_req = false;
wpa_s->dpp_gas_client = 0;
wpa_s->dpp_gas_server = 0;
wpa_s->dpp_auth_ok_on_ack = 0;
@@ -1661,6 +1662,21 @@
#endif /* CONFIG_DPP2 */
+#ifdef CONFIG_DPP3
+static void wpas_dpp_build_new_key(void *eloop_ctx, void *timeout_ctx)
+{
+ struct wpa_supplicant *wpa_s = eloop_ctx;
+ struct dpp_authentication *auth = wpa_s->dpp_auth;
+
+ if (!auth || !auth->waiting_new_key)
+ return;
+
+ wpa_printf(MSG_DEBUG, "DPP: Build config request with a new key");
+ wpas_dpp_start_gas_client(wpa_s);
+}
+#endif /* CONFIG_DPP3 */
+
+
static void wpas_dpp_gas_resp_cb(void *ctx, const u8 *addr, u8 dialog_token,
enum gas_query_result result,
const struct wpabuf *adv_proto,
@@ -1714,6 +1730,14 @@
return;
}
#endif /* CONFIG_DPP2 */
+#ifdef CONFIG_DPP3
+ if (res == -3) {
+ wpa_printf(MSG_DEBUG, "DPP: New protocol key needed");
+ eloop_register_timeout(0, 0, wpas_dpp_build_new_key, wpa_s,
+ NULL);
+ return;
+ }
+#endif /* CONFIG_DPP3 */
if (res < 0) {
wpa_printf(MSG_DEBUG, "DPP: Configuration attempt failed");
goto fail;
@@ -2748,14 +2772,8 @@
#endif /* CONFIG_DPP2 */
-enum wpas_dpp_pkex_ver {
- PKEX_VER_AUTO,
- PKEX_VER_ONLY_1,
- PKEX_VER_ONLY_2,
-};
-
static int wpas_dpp_pkex_init(struct wpa_supplicant *wpa_s,
- enum wpas_dpp_pkex_ver ver,
+ enum dpp_pkex_ver ver,
const struct hostapd_ip_addr *ipaddr,
int tcp_port)
{
@@ -2908,6 +2926,17 @@
wpa_printf(MSG_DEBUG, "DPP: PKEX Exchange Request from " MACSTR,
MAC2STR(src));
+ if (wpa_s->dpp_pkex_ver == PKEX_VER_ONLY_1 && v2) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: Ignore PKEXv2 Exchange Request when configured to be PKEX v1 only");
+ return;
+ }
+ if (wpa_s->dpp_pkex_ver == PKEX_VER_ONLY_2 && !v2) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: Ignore PKEXv1 Exchange Request when configured to be PKEX v2 only");
+ return;
+ }
+
/* TODO: Support multiple PKEX codes by iterating over all the enabled
* values here */
@@ -2935,6 +2964,7 @@
return;
}
+ wpa_s->dpp_pkex_wait_auth_req = false;
msg = wpa_s->dpp_pkex->exchange_resp;
wait_time = wpa_s->max_remain_on_chan;
if (wait_time > 2000)
@@ -3051,6 +3081,7 @@
wpabuf_free(msg);
wpas_dpp_pkex_finish(wpa_s, src, freq);
+ wpa_s->dpp_pkex_wait_auth_req = true;
}
@@ -3332,11 +3363,13 @@
return NULL;
}
+ auth->conf_resp = resp;
if (!resp) {
wpa_msg(wpa_s, MSG_INFO, DPP_EVENT_CONF_FAILED);
wpas_notify_dpp_configuration_failure(wpa_s);
+ dpp_auth_deinit(wpa_s->dpp_auth);
+ wpa_s->dpp_auth = NULL;
}
- auth->conf_resp = resp;
return resp;
}
@@ -3367,6 +3400,14 @@
}
#endif /* CONFIG_DPP2 */
+#ifdef CONFIG_DPP3
+ if (auth->waiting_new_key && ok) {
+ wpa_printf(MSG_DEBUG, "DPP: Waiting for a new key");
+ wpabuf_free(resp);
+ return;
+ }
+#endif /* CONFIG_DPP3 */
+
wpa_printf(MSG_DEBUG, "DPP: Configuration exchange completed (ok=%d)",
ok);
eloop_cancel_timeout(wpas_dpp_reply_wait_timeout, wpa_s, NULL);
@@ -3493,6 +3534,8 @@
wpa_printf(MSG_DEBUG,
"DPP: Starting network introduction protocol to derive PMKSA for "
MACSTR, MAC2STR(bss->bssid));
+ if (wpa_s->wpa_state == WPA_SCANNING)
+ wpa_supplicant_set_state(wpa_s, wpa_s->scan_prev_wpa_state);
len = 5 + 4 + os_strlen(ssid->dpp_connector);
#ifdef CONFIG_DPP2
@@ -3614,6 +3657,11 @@
{
struct dpp_bootstrap_info *own_bi;
const char *pos, *end;
+#ifdef CONFIG_DPP3
+ enum dpp_pkex_ver ver = PKEX_VER_AUTO;
+#else /* CONFIG_DPP3 */
+ enum dpp_pkex_ver ver = PKEX_VER_ONLY_1;
+#endif /* CONFIG_DPP3 */
int tcp_port = DPP_TCP_PORT;
struct hostapd_ip_addr *ipaddr = NULL;
#ifdef CONFIG_DPP2
@@ -3679,27 +3727,22 @@
if (!wpa_s->dpp_pkex_code)
return -1;
+ pos = os_strstr(cmd, " ver=");
+ if (pos) {
+ int v;
+
+ pos += 5;
+ v = atoi(pos);
+ if (v == 1)
+ ver = PKEX_VER_ONLY_1;
+ else if (v == 2)
+ ver = PKEX_VER_ONLY_2;
+ else
+ return -1;
+ }
+ wpa_s->dpp_pkex_ver = ver;
+
if (os_strstr(cmd, " init=1")) {
-#ifdef CONFIG_DPP3
- enum wpas_dpp_pkex_ver ver = PKEX_VER_AUTO;
-#else /* CONFIG_DPP3 */
- enum wpas_dpp_pkex_ver ver = PKEX_VER_ONLY_1;
-#endif /* CONFIG_DPP3 */
-
- pos = os_strstr(cmd, " ver=");
- if (pos) {
- int v;
-
- pos += 5;
- v = atoi(pos);
- if (v == 1)
- ver = PKEX_VER_ONLY_1;
- else if (v == 2)
- ver = PKEX_VER_ONLY_2;
- else
- return -1;
- }
-
if (wpas_dpp_pkex_init(wpa_s, ver, ipaddr, tcp_port) < 0)
return -1;
} else {
@@ -3751,12 +3794,13 @@
void wpas_dpp_stop(struct wpa_supplicant *wpa_s)
{
- if (wpa_s->dpp_auth || wpa_s->dpp_pkex)
+ if (wpa_s->dpp_auth || wpa_s->dpp_pkex || wpa_s->dpp_pkex_wait_auth_req)
offchannel_send_action_done(wpa_s);
dpp_auth_deinit(wpa_s->dpp_auth);
wpa_s->dpp_auth = NULL;
dpp_pkex_free(wpa_s->dpp_pkex);
wpa_s->dpp_pkex = NULL;
+ wpa_s->dpp_pkex_wait_auth_req = false;
if (wpa_s->dpp_gas_client && wpa_s->dpp_gas_dialog_token >= 0)
gas_query_stop(wpa_s->gas, wpa_s->dpp_gas_dialog_token);
}
@@ -3822,6 +3866,9 @@
dpp_free_reconfig_id(wpa_s->dpp_reconfig_id);
wpa_s->dpp_reconfig_id = NULL;
#endif /* CONFIG_DPP2 */
+#ifdef CONFIG_DPP3
+ eloop_cancel_timeout(wpas_dpp_build_new_key, wpa_s, NULL);
+#endif /* CONFIG_DPP3 */
offchannel_send_action_done(wpa_s);
wpas_dpp_listen_stop(wpa_s);
wpas_dpp_stop(wpa_s);
@@ -4236,6 +4283,7 @@
wpas_dpp_chirp_stop(wpa_s);
wpa_s->dpp_allowed_roles = DPP_CAPAB_ENROLLEE;
+ wpa_s->dpp_netrole = DPP_NETROLE_STA;
wpa_s->dpp_qr_mutual = 0;
wpa_s->dpp_chirp_bi = bi;
wpa_s->dpp_presence_announcement = dpp_build_presence_announcement(bi);
@@ -4320,6 +4368,7 @@
}
wpas_dpp_chirp_stop(wpa_s);
wpa_s->dpp_allowed_roles = DPP_CAPAB_ENROLLEE;
+ wpa_s->dpp_netrole = DPP_NETROLE_STA;
wpa_s->dpp_qr_mutual = 0;
wpa_s->dpp_reconfig_ssid = ssid;
wpa_s->dpp_reconfig_ssid_id = ssid->id;
diff --git a/wpa_supplicant/eapol_test.c b/wpa_supplicant/eapol_test.c
index e256ac5..f806895 100644
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
@@ -15,6 +15,7 @@
#include "common.h"
#include "utils/ext_password.h"
#include "common/version.h"
+#include "crypto/crypto.h"
#include "crypto/tls.h"
#include "config.h"
#include "eapol_supp/eapol_supp_sm.h"
@@ -732,16 +733,27 @@
case EAP_TYPE_IDENTITY: return "Identity";
case EAP_TYPE_NOTIFICATION: return "Notification";
case EAP_TYPE_NAK: return "Nak";
- case EAP_TYPE_TLS: return "TLS";
- case EAP_TYPE_TTLS: return "TTLS";
- case EAP_TYPE_PEAP: return "PEAP";
- case EAP_TYPE_SIM: return "SIM";
- case EAP_TYPE_GTC: return "GTC";
+
case EAP_TYPE_MD5: return "MD5";
case EAP_TYPE_OTP: return "OTP";
+ case EAP_TYPE_GTC: return "GTC";
+ case EAP_TYPE_TLS: return "TLS";
+ case EAP_TYPE_LEAP: return "LEAP";
+ case EAP_TYPE_SIM: return "SIM";
+ case EAP_TYPE_TTLS: return "TTLS";
+ case EAP_TYPE_AKA: return "AKA";
+ case EAP_TYPE_PEAP: return "PEAP";
+ case EAP_TYPE_MSCHAPV2: return "MSCHAPv2";
case EAP_TYPE_FAST: return "FAST";
- case EAP_TYPE_SAKE: return "SAKE";
+ case EAP_TYPE_PAX: return "PAX";
case EAP_TYPE_PSK: return "PSK";
+ case EAP_TYPE_SAKE: return "SAKE";
+ case EAP_TYPE_IKEV2: return "IKEv2";
+ case EAP_TYPE_AKA_PRIME: return "AKA-PRIME";
+ case EAP_TYPE_GPSK: return "GPSK";
+ case EAP_TYPE_PWD: return "PWD";
+ case EAP_TYPE_EKE: return "EKE";
+ case EAP_TYPE_TEAP: return "TEAP";
default: return "Unknown";
}
}
@@ -761,20 +773,20 @@
msg = e->last_recv_radius;
eap = radius_msg_get_eap(msg);
- if (eap == NULL) {
- /* draft-aboba-radius-rfc2869bis-20.txt, Chap. 2.6.3:
+ if (!eap) {
+ /* RFC 3579, Chap. 2.6.3:
* RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
* attribute */
- wpa_printf(MSG_DEBUG, "could not extract "
- "EAP-Message from RADIUS message");
+ wpa_printf(MSG_DEBUG,
+ "could not extract EAP-Message from RADIUS message");
wpabuf_free(e->last_eap_radius);
e->last_eap_radius = NULL;
return;
}
if (wpabuf_len(eap) < sizeof(*hdr)) {
- wpa_printf(MSG_DEBUG, "too short EAP packet "
- "received from authentication server");
+ wpa_printf(MSG_DEBUG,
+ "too short EAP packet received from authentication server");
wpabuf_free(eap);
return;
}
@@ -810,11 +822,11 @@
wpa_hexdump_buf(MSG_DEBUG, "Decapsulated EAP packet", eap);
break;
}
- wpa_printf(MSG_DEBUG, "decapsulated EAP packet (code=%d "
- "id=%d len=%d) from RADIUS server: %s",
- hdr->code, hdr->identifier, ntohs(hdr->length), buf);
-
- /* sta->eapol_sm->be_auth.idFromServer = hdr->identifier; */
+ buf[sizeof(buf) - 1] = '\0';
+ wpa_printf(MSG_DEBUG,
+ "decapsulated EAP packet (code=%d id=%d len=%d) from RADIUS server: %s",
+ hdr->code, hdr->identifier, be_to_host16(hdr->length),
+ buf);
wpabuf_free(e->last_eap_radius);
e->last_eap_radius = eap;
@@ -847,7 +859,7 @@
keys = radius_msg_get_ms_keys(msg, req, shared_secret,
shared_secret_len);
- if (keys && keys->send == NULL && keys->recv == NULL) {
+ if (keys && !keys->send && !keys->recv) {
os_free(keys);
keys = radius_msg_get_cisco_keys(msg, req, shared_secret,
shared_secret_len);
@@ -908,20 +920,19 @@
radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
0) < 0 &&
radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
- wpa_printf(MSG_DEBUG, "Allowing RADIUS "
- "Access-Reject without Message-Authenticator "
- "since it does not include EAP-Message\n");
+ wpa_printf(MSG_DEBUG,
+ "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
req, 1)) {
- printf("Incoming RADIUS packet did not have correct "
- "Message-Authenticator - dropped\n");
- return RADIUS_RX_UNKNOWN;
+ wpa_printf(MSG_INFO,
+ "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
+ return RADIUS_RX_INVALID_AUTHENTICATOR;
}
if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
hdr->code != RADIUS_CODE_ACCESS_REJECT &&
hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
- printf("Unknown RADIUS message code\n");
+ wpa_printf(MSG_INFO, "Unknown RADIUS message code");
return RADIUS_RX_UNKNOWN;
}
@@ -1549,6 +1560,7 @@
else
printf("SUCCESS\n");
+ crypto_unload();
os_program_deinit();
return ret;
diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c
index 35467ce..170cec7 100644
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
@@ -149,19 +149,22 @@
}
-static void wpa_supplicant_update_current_bss(struct wpa_supplicant *wpa_s)
+static struct wpa_bss *
+wpa_supplicant_update_current_bss(struct wpa_supplicant *wpa_s, const u8 *bssid)
{
- struct wpa_bss *bss = wpa_supplicant_get_new_bss(wpa_s, wpa_s->bssid);
+ struct wpa_bss *bss = wpa_supplicant_get_new_bss(wpa_s, bssid);
if (!bss) {
wpa_supplicant_update_scan_results(wpa_s);
/* Get the BSS from the new scan results */
- bss = wpa_supplicant_get_new_bss(wpa_s, wpa_s->bssid);
+ bss = wpa_supplicant_get_new_bss(wpa_s, bssid);
}
if (bss)
wpa_s->current_bss = bss;
+
+ return bss;
}
@@ -173,7 +176,7 @@
int res;
if (wpa_s->conf->ap_scan == 1 && wpa_s->current_ssid) {
- wpa_supplicant_update_current_bss(wpa_s);
+ wpa_supplicant_update_current_bss(wpa_s, wpa_s->bssid);
if (wpa_s->current_ssid->ssid_len == 0)
return 0; /* current profile still in use */
@@ -250,7 +253,7 @@
old_ssid = wpa_s->current_ssid;
wpa_s->current_ssid = ssid;
- wpa_supplicant_update_current_bss(wpa_s);
+ wpa_supplicant_update_current_bss(wpa_s, wpa_s->bssid);
wpa_supplicant_rsn_supp_set_config(wpa_s, wpa_s->current_ssid);
wpa_supplicant_initiate_eapol(wpa_s);
@@ -567,6 +570,7 @@
#ifdef CONFIG_WEP
int wep_ok;
#endif /* CONFIG_WEP */
+ bool is_6ghz_bss = is_6ghz_freq(bss->freq);
ret = wpas_wps_ssid_bss_match(wpa_s, ssid, bss);
if (ret >= 0)
@@ -581,6 +585,13 @@
#endif /* CONFIG_WEP */
rsn_ie = wpa_bss_get_ie(bss, WLAN_EID_RSN);
+ if (is_6ghz_bss && !rsn_ie) {
+ if (debug_print)
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip - 6 GHz BSS without RSNE");
+ return 0;
+ }
+
while ((ssid->proto & (WPA_PROTO_RSN | WPA_PROTO_OSEN)) && rsn_ie) {
proto_match++;
@@ -595,6 +606,16 @@
if (!ie.has_group)
ie.group_cipher = wpa_default_rsn_cipher(bss->freq);
+ if (is_6ghz_bss) {
+ /* WEP and TKIP are not allowed on 6 GHz */
+ ie.pairwise_cipher &= ~(WPA_CIPHER_WEP40 |
+ WPA_CIPHER_WEP104 |
+ WPA_CIPHER_TKIP);
+ ie.group_cipher &= ~(WPA_CIPHER_WEP40 |
+ WPA_CIPHER_WEP104 |
+ WPA_CIPHER_TKIP);
+ }
+
#ifdef CONFIG_WEP
if (wep_ok &&
(ie.group_cipher & (WPA_CIPHER_WEP40 | WPA_CIPHER_WEP104)))
@@ -636,6 +657,21 @@
break;
}
+ if (is_6ghz_bss) {
+ /* MFPC must be supported on 6 GHz */
+ if (!(ie.capabilities & WPA_CAPABILITY_MFPC)) {
+ if (debug_print)
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip RSNE - 6 GHz without MFPC");
+ break;
+ }
+
+ /* WPA PSK is not allowed on the 6 GHz band */
+ ie.key_mgmt &= ~(WPA_KEY_MGMT_PSK |
+ WPA_KEY_MGMT_FT_PSK |
+ WPA_KEY_MGMT_PSK_SHA256);
+ }
+
if (!(ie.key_mgmt & ssid->key_mgmt)) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
@@ -666,6 +702,13 @@
return 1;
}
+ if (is_6ghz_bss) {
+ if (debug_print)
+ wpa_dbg(wpa_s, MSG_DEBUG,
+ " skip - 6 GHz BSS without matching RSNE");
+ return 0;
+ }
+
if (wpas_get_ssid_pmf(wpa_s, ssid) == MGMT_FRAME_PROTECTION_REQUIRED &&
(!(ssid->key_mgmt & WPA_KEY_MGMT_OWE) || ssid->owe_only)) {
if (debug_print)
@@ -1317,7 +1360,10 @@
}
#ifdef CONFIG_SAE
- if ((wpa_s->conf->sae_pwe == 1 || ssid->sae_password_id) &&
+ /* When using SAE Password Identifier and when operationg on the 6 GHz
+ * band, only H2E is allowed. */
+ if ((wpa_s->conf->sae_pwe == 1 || is_6ghz_freq(bss->freq) ||
+ ssid->sae_password_id) &&
wpa_s->conf->sae_pwe != 3 && wpa_key_mgmt_sae(ssid->key_mgmt) &&
#ifdef CONFIG_DRIVER_NL80211_BRCM
!(wpa_key_mgmt_wpa_psk_no_sae(ssid->key_mgmt)) &&
@@ -1412,7 +1458,7 @@
if (wpa_s->ignore_assoc_disallow)
goto skip_assoc_disallow;
#endif /* CONFIG_TESTING_OPTIONS */
- assoc_disallow = wpas_mbo_get_bss_attr(bss, MBO_ATTR_ID_ASSOC_DISALLOW);
+ assoc_disallow = wpas_mbo_check_assoc_disallow(bss);
if (assoc_disallow && assoc_disallow[1] >= 1) {
if (debug_print)
wpa_dbg(wpa_s, MSG_DEBUG,
@@ -2961,6 +3007,8 @@
BAND_2_4_GHZ);
wpa_s->connection_he = req_elems.he_capabilities &&
resp_elems.he_capabilities;
+ wpa_s->connection_eht = req_elems.eht_capabilities &&
+ resp_elems.eht_capabilities;
int max_nss_rx_req = get_max_nss_capability(&req_elems, 1);
int max_nss_rx_resp = get_max_nss_capability(&resp_elems, 1);
@@ -3394,6 +3442,26 @@
#endif /* CONFIG_DRIVER_NL80211_BRCM || CONFIG_DRIVER_NL80211_SYNA */
ft_completed = wpa_ft_is_completed(wpa_s->wpa);
+
+ if (wpa_drv_get_bssid(wpa_s, bssid) < 0) {
+ wpa_dbg(wpa_s, MSG_ERROR, "Failed to get BSSID");
+ wpa_supplicant_deauthenticate(
+ wpa_s, WLAN_REASON_DEAUTH_LEAVING);
+ return;
+ }
+
+ if (ft_completed &&
+ (wpa_s->drv_flags & WPA_DRIVER_FLAGS_BSS_SELECTION)) {
+ wpa_msg(wpa_s, MSG_INFO, "Attempt to roam to " MACSTR,
+ MAC2STR(bssid));
+ if (!wpa_supplicant_update_current_bss(wpa_s, bssid)) {
+ wpa_printf(MSG_ERROR,
+ "Can't find target AP's information!");
+ return;
+ }
+ wpa_supplicant_assoc_update_ie(wpa_s);
+ }
+
if (data && wpa_supplicant_event_associnfo(wpa_s, data) < 0)
return;
/*
@@ -3404,13 +3472,6 @@
if (!ft_completed)
ft_completed = wpa_fils_is_completed(wpa_s->wpa);
- if (wpa_drv_get_bssid(wpa_s, bssid) < 0) {
- wpa_dbg(wpa_s, MSG_ERROR, "Failed to get BSSID");
- wpa_supplicant_deauthenticate(
- wpa_s, WLAN_REASON_DEAUTH_LEAVING);
- return;
- }
-
#if defined(CONFIG_DRIVER_NL80211_BRCM) || defined(CONFIG_DRIVER_NL80211_SYNA)
/* For driver based roaming, insert PSK during the initial association */
if (is_zero_ether_addr(wpa_s->bssid) &&
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index ca380b9..9a459c2 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -1065,6 +1065,12 @@
goto fail;
}
+ if (cred->imsi_privacy_key && cred->imsi_privacy_key[0]) {
+ if (wpa_config_set_quoted(ssid, "imsi_privacy_key",
+ cred->imsi_privacy_key) < 0)
+ goto fail;
+ }
+
wpa_s->next_ssid = ssid;
wpa_config_update_prio_list(wpa_s->conf);
if (!only_add)
diff --git a/wpa_supplicant/main.c b/wpa_supplicant/main.c
index 51a8a02..9229eb5 100644
--- a/wpa_supplicant/main.c
+++ b/wpa_supplicant/main.c
@@ -12,6 +12,7 @@
#endif /* __linux__ */
#include "common.h"
+#include "crypto/crypto.h"
#include "fst/fst.h"
#include "wpa_supplicant_i.h"
#include "driver_i.h"
@@ -403,6 +404,7 @@
#endif /* CONFIG_MATCH_IFACE */
os_free(params.pid_file);
+ crypto_unload();
os_program_deinit();
return exitcode;
diff --git a/wpa_supplicant/mbo.c b/wpa_supplicant/mbo.c
index 8ac73ef..31d0fce 100644
--- a/wpa_supplicant/mbo.c
+++ b/wpa_supplicant/mbo.c
@@ -65,14 +65,18 @@
}
-const u8 * wpas_mbo_get_bss_attr(struct wpa_bss *bss, enum mbo_attr_id attr)
+static const u8 * wpas_mbo_get_bss_attr(struct wpa_bss *bss,
+ enum mbo_attr_id attr, bool beacon)
{
const u8 *mbo, *end;
if (!bss)
return NULL;
- mbo = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE);
+ if (beacon)
+ mbo = wpa_bss_get_vendor_ie_beacon(bss, MBO_IE_VENDOR_TYPE);
+ else
+ mbo = wpa_bss_get_vendor_ie(bss, MBO_IE_VENDOR_TYPE);
if (!mbo)
return NULL;
@@ -83,6 +87,19 @@
}
+const u8 * wpas_mbo_check_assoc_disallow(struct wpa_bss *bss)
+{
+ const u8 *assoc_disallow;
+
+ assoc_disallow = wpas_mbo_get_bss_attr(bss, MBO_ATTR_ID_ASSOC_DISALLOW,
+ bss->beacon_newer);
+ if (assoc_disallow && assoc_disallow[1] >= 1)
+ return assoc_disallow;
+
+ return NULL;
+}
+
+
void wpas_mbo_check_pmf(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
struct wpa_ssid *ssid)
{
@@ -92,8 +109,8 @@
wpa_s->disable_mbo_oce = 0;
if (!bss)
return;
- mbo = wpas_mbo_get_bss_attr(bss, MBO_ATTR_ID_AP_CAPA_IND);
- oce = wpas_mbo_get_bss_attr(bss, OCE_ATTR_ID_CAPA_IND);
+ mbo = wpas_mbo_get_bss_attr(bss, MBO_ATTR_ID_AP_CAPA_IND, false);
+ oce = wpas_mbo_get_bss_attr(bss, OCE_ATTR_ID_CAPA_IND, false);
if (!mbo && !oce)
return;
if (oce && oce[1] >= 1 && (oce[2] & OCE_IS_STA_CFON))
diff --git a/wpa_supplicant/mesh.c b/wpa_supplicant/mesh.c
index d6b8a1a..b67396d 100644
--- a/wpa_supplicant/mesh.c
+++ b/wpa_supplicant/mesh.c
@@ -225,12 +225,13 @@
ifmsh->conf->ieee80211n,
ifmsh->conf->ieee80211ac,
ifmsh->conf->ieee80211ax,
+ false,
ifmsh->conf->secondary_channel,
hostapd_get_oper_chwidth(ifmsh->conf),
hostapd_get_oper_centr_freq_seg0_idx(ifmsh->conf),
hostapd_get_oper_centr_freq_seg1_idx(ifmsh->conf),
ifmsh->conf->vht_capab,
- he_capab)) {
+ he_capab, NULL)) {
wpa_printf(MSG_ERROR, "Error updating mesh frequency params");
wpa_supplicant_mesh_deinit(wpa_s, true);
return -1;
diff --git a/wpa_supplicant/notify.c b/wpa_supplicant/notify.c
index 4c30518..1442353 100644
--- a/wpa_supplicant/notify.c
+++ b/wpa_supplicant/notify.c
@@ -420,6 +420,10 @@
{
if (wpa_s->next_ssid == ssid)
wpa_s->next_ssid = NULL;
+ if (wpa_s->last_ssid == ssid)
+ wpa_s->last_ssid = NULL;
+ if (wpa_s->current_ssid == ssid)
+ wpa_s->current_ssid = NULL;
if (wpa_s->wpa)
wpa_sm_pmksa_cache_flush(wpa_s->wpa, ssid);
if (!ssid->p2p_group && wpa_s->global->p2p_group_formation != wpa_s &&
diff --git a/wpa_supplicant/p2p_supplicant.c b/wpa_supplicant/p2p_supplicant.c
index f1d033b..c8f2e5c 100644
--- a/wpa_supplicant/p2p_supplicant.c
+++ b/wpa_supplicant/p2p_supplicant.c
@@ -8899,7 +8899,7 @@
hapd->conf->ssid.wpa_psk = psk->next;
rem = psk;
psk = psk->next;
- os_free(rem);
+ bin_clear_free(rem, sizeof(*rem));
} else {
prev = psk;
psk = psk->next;
diff --git a/wpa_supplicant/pasn_supplicant.c b/wpa_supplicant/pasn_supplicant.c
index baf4c26..dc21b6a 100644
--- a/wpa_supplicant/pasn_supplicant.c
+++ b/wpa_supplicant/pasn_supplicant.c
@@ -1000,6 +1000,7 @@
struct wpa_ssid *ssid = NULL;
struct wpabuf *frame;
int ret;
+ bool derive_kdk;
/* TODO: Currently support only ECC groups */
if (!dragonfly_suitable_group(group, 1)) {
@@ -1079,9 +1080,14 @@
pasn->group = group;
pasn->freq = freq;
- if (wpa_s->conf->force_kdk_derivation ||
- (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF &&
- ieee802_11_rsnx_capab(beacon_rsnxe, WLAN_RSNX_CAPAB_SECURE_LTF)))
+ derive_kdk = (wpa_s->drv_flags2 & WPA_DRIVER_FLAGS2_SEC_LTF) &&
+ ieee802_11_rsnx_capab(beacon_rsnxe,
+ WLAN_RSNX_CAPAB_SECURE_LTF);
+#ifdef CONFIG_TESTING_OPTIONS
+ if (!derive_kdk)
+ derive_kdk = wpa_s->conf->force_kdk_derivation;
+#endif /* CONFIG_TESTING_OPTIONS */
+ if (derive_kdk)
pasn->kdk_len = WPA_KDK_MAX_LEN;
else
pasn->kdk_len = 0;
diff --git a/wpa_supplicant/preauth_test.c b/wpa_supplicant/preauth_test.c
index 31b5532..3ae99da 100644
--- a/wpa_supplicant/preauth_test.c
+++ b/wpa_supplicant/preauth_test.c
@@ -13,6 +13,7 @@
#include <assert.h>
#include "common.h"
+#include "crypto/crypto.h"
#include "config.h"
#include "eapol_supp/eapol_supp_sm.h"
#include "eloop.h"
@@ -365,6 +366,7 @@
eloop_destroy();
+ crypto_unload();
os_program_deinit();
return ret;
diff --git a/wpa_supplicant/rrm.c b/wpa_supplicant/rrm.c
index cf107eb..4457b6c 100644
--- a/wpa_supplicant/rrm.c
+++ b/wpa_supplicant/rrm.c
@@ -501,7 +501,7 @@
static int * wpas_add_channels(const struct oper_class_map *op,
- struct hostapd_hw_modes *mode, int active,
+ struct hostapd_hw_modes *mode,
const u8 *channels, const u8 size)
{
int *freqs, *next_freq;
@@ -532,7 +532,7 @@
enum chan_allowed res = verify_channel(mode, op->op_class, chan,
op->bw);
- if (res == NOT_ALLOWED || (res == NO_IR && active))
+ if (res == NOT_ALLOWED)
continue;
if (wpas_add_channel(op->op_class, chan, num_primary_channels,
@@ -554,7 +554,7 @@
static int * wpas_op_class_freqs(const struct oper_class_map *op,
- struct hostapd_hw_modes *mode, int active)
+ struct hostapd_hw_modes *mode)
{
u8 channels_80mhz_5ghz[] = { 42, 58, 106, 122, 138, 155, 171 };
u8 channels_160mhz_5ghz[] = { 50, 114, 163 };
@@ -581,11 +581,11 @@
ARRAY_SIZE(channels_160mhz_5ghz);
}
- return wpas_add_channels(op, mode, active, channels, num_chan);
+ return wpas_add_channels(op, mode, channels, num_chan);
}
-static int * wpas_channel_report_freqs(struct wpa_supplicant *wpa_s, int active,
+static int * wpas_channel_report_freqs(struct wpa_supplicant *wpa_s,
const char *country, const u8 *subelems,
size_t len)
{
@@ -633,7 +633,7 @@
* by a corresponding AP Channel Report element as specified in
* IEEE Std 802.11-2016, 11.11.9.1.
*/
- new_freqs = wpas_add_channels(op, mode, active, pos, left);
+ new_freqs = wpas_add_channels(op, mode, pos, left);
if (new_freqs)
int_array_concat(&freqs, new_freqs);
@@ -648,7 +648,7 @@
static int * wpas_beacon_request_freqs(struct wpa_supplicant *wpa_s,
- u8 op_class, u8 chan, int active,
+ u8 op_class, u8 chan,
const u8 *subelems, size_t len)
{
int *freqs = NULL, *ext_freqs = NULL;
@@ -678,7 +678,7 @@
switch (chan) {
case 0:
- freqs = wpas_op_class_freqs(op, mode, active);
+ freqs = wpas_op_class_freqs(op, mode);
if (!freqs)
return NULL;
break;
@@ -686,14 +686,13 @@
/* freqs will be added from AP channel subelements */
break;
default:
- freqs = wpas_add_channels(op, mode, active, &chan, 1);
+ freqs = wpas_add_channels(op, mode, &chan, 1);
if (!freqs)
return NULL;
break;
}
- ext_freqs = wpas_channel_report_freqs(wpa_s, active, country, subelems,
- len);
+ ext_freqs = wpas_channel_report_freqs(wpa_s, country, subelems, len);
if (ext_freqs) {
int_array_concat(&freqs, ext_freqs);
os_free(ext_freqs);
@@ -1220,10 +1219,9 @@
goto out;
}
- params->freqs = wpas_beacon_request_freqs(
- wpa_s, req->oper_class, req->channel,
- req->mode == BEACON_REPORT_MODE_ACTIVE,
- req->variable, len - sizeof(*req));
+ params->freqs = wpas_beacon_request_freqs(wpa_s, req->oper_class,
+ req->channel, req->variable,
+ len - sizeof(*req));
if (!params->freqs) {
wpa_printf(MSG_DEBUG, "Beacon request: No valid channels");
reject_mode = MEASUREMENT_REPORT_MODE_REJECT_REFUSED;
diff --git a/wpa_supplicant/scan.c b/wpa_supplicant/scan.c
index dde2f44..042b24e 100644
--- a/wpa_supplicant/scan.c
+++ b/wpa_supplicant/scan.c
@@ -2194,20 +2194,33 @@
for (i = 0; i < scan_res->num; i++) {
struct wpa_scan_res *r = scan_res->res[i];
u8 *pos;
+ const u8 *ssid_ie, *ssid = NULL;
+ size_t ssid_len = 0;
+
+ ssid_ie = wpa_scan_get_ie(r, WLAN_EID_SSID);
+ if (ssid_ie) {
+ ssid = ssid_ie + 2;
+ ssid_len = ssid_ie[1];
+ }
+
if (r->flags & WPA_SCAN_LEVEL_DBM) {
int noise_valid = !(r->flags & WPA_SCAN_NOISE_INVALID);
- wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
- "noise=%d%s level=%d snr=%d%s flags=0x%x age=%u est=%u",
- MAC2STR(r->bssid), r->freq, r->qual,
+ wpa_printf(MSG_EXCESSIVE, MACSTR
+ " ssid=%s freq=%d qual=%d noise=%d%s level=%d snr=%d%s flags=0x%x age=%u est=%u",
+ MAC2STR(r->bssid),
+ wpa_ssid_txt(ssid, ssid_len),
+ r->freq, r->qual,
r->noise, noise_valid ? "" : "~", r->level,
r->snr, r->snr >= GREAT_SNR ? "*" : "",
r->flags,
r->age, r->est_throughput);
} else {
- wpa_printf(MSG_EXCESSIVE, MACSTR " freq=%d qual=%d "
- "noise=%d level=%d flags=0x%x age=%u est=%u",
- MAC2STR(r->bssid), r->freq, r->qual,
+ wpa_printf(MSG_EXCESSIVE, MACSTR
+ " ssid=%s freq=%d qual=%d noise=%d level=%d flags=0x%x age=%u est=%u",
+ MAC2STR(r->bssid),
+ wpa_ssid_txt(ssid, ssid_len),
+ r->freq, r->qual,
r->noise, r->level, r->flags, r->age,
r->est_throughput);
}
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 0b02f75..cc55fa6 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -1366,7 +1366,7 @@
" auth_type=%u auth_transaction=%u status_code=%u",
MAC2STR(bssid), WLAN_AUTH_SAE,
auth_transaction, status_code);
- return -1;
+ return -2;
}
if (auth_transaction == 1) {
@@ -1517,7 +1517,10 @@
if (res < 0) {
/* Notify failure to the driver */
sme_send_external_auth_status(
- wpa_s, WLAN_STATUS_UNSPECIFIED_FAILURE);
+ wpa_s,
+ res == -2 ?
+ le_to_host16(header->u.auth.status_code) :
+ WLAN_STATUS_UNSPECIFIED_FAILURE);
return;
}
if (res != 1)
diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 033589f..0e2315d 100644
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -1418,11 +1418,11 @@
#ifdef IEEE8021X_EAPOL
"eap", "identity", "anonymous_identity", "password", "ca_cert",
"ca_path", "client_cert", "private_key", "private_key_passwd",
- "dh_file", "subject_match", "altsubject_match",
+ "subject_match", "altsubject_match",
"check_cert_subject",
"domain_suffix_match", "domain_match", "ca_cert2", "ca_path2",
"client_cert2", "private_key2", "private_key2_passwd",
- "dh_file2", "subject_match2", "altsubject_match2",
+ "subject_match2", "altsubject_match2",
"check_cert_subject2",
"domain_suffix_match2", "domain_match2", "phase1", "phase2",
"pcsc", "pin", "engine_id", "key_id", "cert_id", "ca_cert_id",
@@ -2046,6 +2046,20 @@
return wpa_ctrl_command(ctrl, "UPDATE_BEACON");
}
+
+static int wpa_cli_cmd_accept_macacl(struct wpa_ctrl *ctrl, int argc,
+ char *argv[])
+{
+ return wpa_cli_cmd(ctrl, "ACCEPT_ACL", 1, argc, argv);
+}
+
+
+static int wpa_cli_cmd_deny_macacl(struct wpa_ctrl *ctrl, int argc,
+ char *argv[])
+{
+ return wpa_cli_cmd(ctrl, "DENY_ACL", 1, argc, argv);
+}
+
#endif /* CONFIG_AP */
@@ -2894,6 +2908,31 @@
#endif /* CONFIG_WNM */
+#ifdef CONFIG_WNM_AP
+
+static int wpa_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
+ char *argv[])
+{
+ return wpa_cli_cmd(ctrl, "DISASSOC_IMMINENT", 2, argc, argv);
+}
+
+
+static int wpa_cli_cmd_ess_disassoc(struct wpa_ctrl *ctrl, int argc,
+ char *argv[])
+{
+ return wpa_cli_cmd(ctrl, "ESS_DISASSOC", 3, argc, argv);
+}
+
+
+static int wpa_cli_cmd_bss_tm_req(struct wpa_ctrl *ctrl, int argc,
+ char *argv[])
+{
+ return wpa_cli_cmd(ctrl, "BSS_TM_REQ", 1, argc, argv);
+}
+
+#endif /* CONFIG_WNM_AP */
+
+
static int wpa_cli_cmd_raw(struct wpa_ctrl *ctrl, int argc, char *argv[])
{
if (argc == 0)
@@ -3599,6 +3638,10 @@
{ "update_beacon", wpa_cli_cmd_update_beacon, NULL,
cli_cmd_flag_none,
"= update Beacon frame contents"},
+ { "accept_acl", wpa_cli_cmd_accept_macacl, NULL, cli_cmd_flag_none,
+ "=Add/Delete/Show/Clear allow MAC ACL" },
+ { "deny_acl", wpa_cli_cmd_deny_macacl, NULL, cli_cmd_flag_none,
+ "=Add/Delete/Show/Clear deny MAC ACL" },
#endif /* CONFIG_AP */
{ "suspend", wpa_cli_cmd_suspend, NULL, cli_cmd_flag_none,
"= notification of suspend/hibernate" },
@@ -3845,6 +3888,14 @@
" [neighbor=<BSSID>,<BSSID information>,<operating class>,<channel number>,<PHY type>[,<hexdump of optional subelements>]"
" = Send BSS Transition Management Query" },
#endif /* CONFIG_WNM */
+#ifdef CONFIG_WNM_AP
+ { "disassoc_imminent", wpa_cli_cmd_disassoc_imminent, NULL, cli_cmd_flag_none,
+ "= send Disassociation Imminent notification" },
+ { "ess_disassoc", wpa_cli_cmd_ess_disassoc, NULL, cli_cmd_flag_none,
+ "= send ESS Dissassociation Imminent notification" },
+ { "bss_tm_req", wpa_cli_cmd_bss_tm_req, NULL, cli_cmd_flag_none,
+ "= send BSS Transition Management Request" },
+#endif /* CONFIG_WNM_AP */
{ "raw", wpa_cli_cmd_raw, NULL, cli_cmd_flag_sensitive,
"<params..> = Sent unprocessed command" },
{ "flush", wpa_cli_cmd_flush, NULL, cli_cmd_flag_none,
diff --git a/wpa_supplicant/wpa_passphrase.c b/wpa_supplicant/wpa_passphrase.c
index 538997e..d9c07e6 100644
--- a/wpa_supplicant/wpa_passphrase.c
+++ b/wpa_supplicant/wpa_passphrase.c
@@ -58,7 +58,11 @@
return 1;
}
- pbkdf2_sha1(passphrase, (u8 *) ssid, os_strlen(ssid), 4096, psk, 32);
+ if (pbkdf2_sha1(passphrase, (u8 *) ssid, os_strlen(ssid), 4096, psk, 32)
+ != 0) {
+ fprintf(stderr, "Error in pbkdf2_sha1()\n");
+ return 1;
+ }
printf("network={\n");
printf("\tssid=\"%s\"\n", ssid);
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 99af85e..24c8818 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -1715,6 +1715,8 @@
wpa_s->oci_freq_override_ft_assoc);
wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_OCI_FREQ_FILS_ASSOC,
wpa_s->oci_freq_override_fils_assoc);
+ wpa_sm_set_param(wpa_s->wpa, WPA_PARAM_DISABLE_EAPOL_G2_TX,
+ wpa_s->disable_eapol_g2_tx);
#endif /* CONFIG_TESTING_OPTIONS */
/* Extended Key ID is only supported in infrastructure BSS so far */
@@ -1786,9 +1788,15 @@
if (bss && ssid->bssid_set && ssid->ssid_len == 0 &&
ssid->passphrase && !sae_only) {
u8 psk[PMK_LEN];
- pbkdf2_sha1(ssid->passphrase, bss->ssid, bss->ssid_len,
- 4096, psk, PMK_LEN);
- wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
+
+ if (pbkdf2_sha1(ssid->passphrase, bss->ssid,
+ bss->ssid_len,
+ 4096, psk, PMK_LEN) != 0) {
+ wpa_msg(wpa_s, MSG_WARNING,
+ "Error in pbkdf2_sha1()");
+ return -1;
+ }
+ wpa_hexdump_key(MSG_MSGDUMP, "PSK (from passphrase)",
psk, PMK_LEN);
wpa_sm_set_pmk(wpa_s->wpa, psk, PMK_LEN, NULL, NULL);
psk_set = 1;
@@ -1822,8 +1830,14 @@
#ifndef CONFIG_NO_PBKDF2
if (wpabuf_len(pw) >= 8 && wpabuf_len(pw) < 64 && bss)
{
- pbkdf2_sha1(pw_str, bss->ssid, bss->ssid_len,
- 4096, psk, PMK_LEN);
+ if (pbkdf2_sha1(pw_str, bss->ssid,
+ bss->ssid_len,
+ 4096, psk, PMK_LEN) != 0) {
+ wpa_msg(wpa_s, MSG_WARNING,
+ "Error in pbkdf2_sha1()");
+ ext_password_free(pw);
+ return -1;
+ }
os_memset(pw_str, 0, sizeof(pw_str));
wpa_hexdump_key(MSG_MSGDUMP, "PSK (from "
"external passphrase)",
@@ -2247,6 +2261,7 @@
else
rand_style = ssid->mac_addr;
+ wpa_s->eapol_failed = 0;
wpa_s->multi_ap_ie = 0;
wmm_ac_clear_saved_tspecs(wpa_s);
wpa_s->reassoc_same_bss = 0;
@@ -2779,9 +2794,11 @@
freq->channel, ssid->enable_edmg,
ssid->edmg_channel, freq->ht_enabled,
vht_freq.vht_enabled, freq->he_enabled,
+ false,
freq->sec_channel_offset,
chwidth, seg0, seg1, vht_caps,
- &mode->he_capab[ieee80211_mode]) != 0)
+ &mode->he_capab[ieee80211_mode],
+ NULL) != 0)
return;
*freq = vht_freq;
@@ -4280,7 +4297,7 @@
*/
int wpa_supplicant_remove_network(struct wpa_supplicant *wpa_s, int id)
{
- struct wpa_ssid *ssid;
+ struct wpa_ssid *ssid, *prev = wpa_s->current_ssid;
int was_disabled;
ssid = wpa_config_get_network(wpa_s->conf, id);
@@ -4288,10 +4305,7 @@
return -1;
wpas_notify_network_removed(wpa_s, ssid);
- if (wpa_s->last_ssid == ssid)
- wpa_s->last_ssid = NULL;
-
- if (ssid == wpa_s->current_ssid || !wpa_s->current_ssid) {
+ if (ssid == prev || !prev) {
#ifdef CONFIG_SME
wpa_s->sme.prev_bssid_set = 0;
#endif /* CONFIG_SME */
@@ -4302,7 +4316,7 @@
eapol_sm_invalidate_cached_session(wpa_s->eapol);
}
- if (ssid == wpa_s->current_ssid) {
+ if (ssid == prev) {
wpa_sm_set_config(wpa_s->wpa, NULL);
eapol_sm_notify_config(wpa_s->eapol, NULL, NULL);
@@ -4365,8 +4379,6 @@
id = ssid->id;
ssid = ssid->next;
- if (wpa_s->last_ssid == remove_ssid)
- wpa_s->last_ssid = NULL;
wpas_notify_network_removed(wpa_s, remove_ssid);
wpa_config_remove_network(wpa_s->conf, id);
}
@@ -6747,6 +6759,7 @@
wpa_s->drv_flags2 = capa.flags2;
wpa_s->drv_enc = capa.enc;
wpa_s->drv_rrm_flags = capa.rrm_flags;
+ wpa_s->drv_max_acl_mac_addrs = capa.max_acl_mac_addrs;
wpa_s->probe_resp_offloads = capa.probe_resp_offloads;
wpa_s->max_scan_ssids = capa.max_scan_ssids;
wpa_s->max_sched_scan_ssids = capa.max_sched_scan_ssids;
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 9376b03..fd54fef 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -1234,14 +1234,6 @@
# to blob://<blob name>.
# private_key_passwd: Password for private key file (if left out, this will be
# asked through control interface)
-# dh_file: File path to DH/DSA parameters file (in PEM format)
-# This is an optional configuration file for setting parameters for an
-# ephemeral DH key exchange. In most cases, the default RSA
-# authentication does not use this configuration. However, it is possible
-# setup RSA to use ephemeral DH key exchange. In addition, ciphers with
-# DSA keys always use ephemeral DH keys. This can be used to achieve
-# forward secrecy. If the file is in DSA parameters format, it will be
-# automatically converted into DH params.
# subject_match: Substring to be matched against the subject of the
# authentication server certificate. If this string is set, the server
# certificate is only accepted if it contains this string in the subject.
@@ -1378,6 +1370,11 @@
# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
# particular when using Suite B with RSA keys of >= 3K (3072) bits
+# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
+# not support safe renegotiation (RFC 5746); please note that this
+# workaround should be only when having to authenticate with an old
+# authentication server that cannot be updated to use secure TLS
+# implementation.
#
# Following certificate/private key fields are used in inner Phase2
# authentication when using EAP-TTLS or EAP-PEAP.
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 1d2c3e2..3adb819 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -14,6 +14,7 @@
#include "common/defs.h"
#include "common/sae.h"
#include "common/wpa_ctrl.h"
+#include "common/dpp.h"
#include "crypto/sha384.h"
#include "eapol_supp/eapol_supp_sm.h"
#include "wps/wps_defs.h"
@@ -929,6 +930,7 @@
u64 drv_flags2;
unsigned int drv_enc;
unsigned int drv_rrm_flags;
+ unsigned int drv_max_acl_mac_addrs;
/*
* A bitmap of supported protocols for probe response offload. See
@@ -965,6 +967,7 @@
struct os_reltime pending_eapol_rx_time;
u8 pending_eapol_rx_src[ETH_ALEN];
unsigned int last_eapol_matches_bssid:1;
+ unsigned int eapol_failed:1;
unsigned int eap_expected_failure:1;
unsigned int reattach:1; /* reassociation to the same BSS requested */
unsigned int mac_addr_changed:1;
@@ -976,6 +979,7 @@
unsigned int connection_ht:1;
unsigned int connection_vht:1;
unsigned int connection_he:1;
+ unsigned int connection_eht:1;
unsigned int connection_max_nss_rx:4;
unsigned int connection_max_nss_tx:4;
unsigned int connection_channel_bandwidth:5;
@@ -1368,6 +1372,7 @@
unsigned int oci_freq_override_fils_assoc;
unsigned int oci_freq_override_wnm_sleep;
int force_hunting_and_pecking_pwe;
+ unsigned int disable_eapol_g2_tx;
#endif /* CONFIG_TESTING_OPTIONS */
struct wmm_ac_assoc_data *wmm_ac_assoc_info;
@@ -1483,6 +1488,7 @@
struct dpp_bootstrap_info *dpp_pkex_bi;
char *dpp_pkex_code;
char *dpp_pkex_identifier;
+ enum dpp_pkex_ver dpp_pkex_ver;
char *dpp_pkex_auth_cmd;
char *dpp_configurator_params;
struct os_reltime dpp_last_init;
@@ -1495,6 +1501,7 @@
u8 dpp_last_ssid[SSID_MAX_LEN];
size_t dpp_last_ssid_len;
bool dpp_conf_backup_received;
+ bool dpp_pkex_wait_auth_req;
#ifdef CONFIG_DPP2
struct dpp_pfs *dpp_pfs;
int dpp_pfs_fallback;
@@ -1707,7 +1714,7 @@
int wpas_mbo_ie(struct wpa_supplicant *wpa_s, u8 *buf, size_t len,
int add_oce_capa);
const u8 * mbo_attr_from_mbo_ie(const u8 *mbo_ie, enum mbo_attr_id attr);
-const u8 * wpas_mbo_get_bss_attr(struct wpa_bss *bss, enum mbo_attr_id attr);
+const u8 * wpas_mbo_check_assoc_disallow(struct wpa_bss *bss);
void wpas_mbo_check_pmf(struct wpa_supplicant *wpa_s, struct wpa_bss *bss,
struct wpa_ssid *ssid);
const u8 * mbo_get_attr_from_ies(const u8 *ies, size_t ies_len,
diff --git a/wpa_supplicant/wpas_glue.c b/wpa_supplicant/wpas_glue.c
index 85028f0..c2bd45f 100644
--- a/wpa_supplicant/wpas_glue.c
+++ b/wpa_supplicant/wpas_glue.c
@@ -298,13 +298,21 @@
EAPOL_SUPP_RESULT_EXPECTED_FAILURE;
if (result != EAPOL_SUPP_RESULT_SUCCESS) {
+ int timeout = 2;
/*
* Make sure we do not get stuck here waiting for long EAPOL
* timeout if the AP does not disconnect in case of
* authentication failure.
*/
- wpa_supplicant_req_auth_timeout(wpa_s, 2, 0);
+ if (wpa_s->eapol_failed) {
+ wpa_printf(MSG_DEBUG,
+ "EAPOL authentication failed again and AP did not disconnect us");
+ timeout = 0;
+ }
+ wpa_s->eapol_failed = 1;
+ wpa_supplicant_req_auth_timeout(wpa_s, timeout, 0);
} else {
+ wpa_s->eapol_failed = 0;
ieee802_1x_notify_create_actor(wpa_s, wpa_s->last_eapol_src);
}
diff --git a/wpa_supplicant/wpas_kay.c b/wpa_supplicant/wpas_kay.c
index defd0f2..c3ef93b 100644
--- a/wpa_supplicant/wpas_kay.c
+++ b/wpa_supplicant/wpas_kay.c
@@ -103,7 +103,6 @@
switch (co) {
case CONFIDENTIALITY_OFFSET_30:
return 30;
- break;
case CONFIDENTIALITY_OFFSET_50:
return 50;
default:
@@ -241,8 +240,8 @@
res = ieee802_1x_kay_init(kay_ctx, policy, ssid->macsec_replay_protect,
ssid->macsec_replay_window, ssid->macsec_port,
- ssid->mka_priority, wpa_s->ifname,
- wpa_s->own_addr);
+ ssid->mka_priority, ssid->macsec_csindex,
+ wpa_s->ifname, wpa_s->own_addr);
/* ieee802_1x_kay_init() frees kay_ctx on failure */
if (res == NULL)
return -1;
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index 1ba360e..7428f02 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -356,8 +356,6 @@
/* Remove the duplicated older network entry. */
wpa_printf(MSG_DEBUG, "Remove duplicate network %d", ssid->id);
wpas_notify_network_removed(wpa_s, ssid);
- if (wpa_s->current_ssid == ssid)
- wpa_s->current_ssid = NULL;
wpa_config_remove_network(wpa_s->conf, ssid->id);
}
}