Commit graph

781 commits

Author SHA1 Message Date
Jouni Malinen
6135a8a6aa Stop authentication attemps if AP does not disconnect us
It would have been possible for the authentication attemps to go into a
loop if the AP/Authenticator/authentication server were to believe EAP
authentication succeeded when the local conclusion in Supplicant was
failure. Avoid this by timing out authentication immediately on the
second consecutive EAP authentication failure.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:28:49 +03:00
Veerendranath Jakkam
b746cb28bc Add support for not transmitting EAPOL-Key group msg 2/2
To support the STA testbed role, the STA has to disable transmitting
EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to
disable sending EAPOL-Key group msg 2/2 of Group Key Handshake.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-04-05 17:06:32 +03:00
Chaoli Zhou
077bce96f3 Set drv_max_acl_mac_addrs in wpa_supplicant AP mode
hostapd code will need this for offloading ACL to the driver.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Jouni Malinen
2fcc076d1c Clear wpa_s->last/current_ssid in more cases
It was possible for at least the wpa_s->last_ssid to be left pointing to
a removed network which could result in processing the following
association as a reassociation-within-an-ESS even when it was moving to
a different ESS. This could result in unexpected behavior. This was
found with the following test case sequence:
sigma_dut_ap_psk_sae_ft sae_h2e_password_id ap_wps_pk_oom sigma_dut_client_privacy

Move clearing of wpa_s->last_ssid and wpa_s->current_ssid into
wpas_notify_network_removed() to catch all cases similarily to the way
wpa_s->next_ssid was already cleared.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-24 00:23:25 +02:00
Jouni Malinen
7a57eb3156 Update copyright notices for the new year 2022
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-01-16 22:51:29 +02:00
Jouni Malinen
7ffcbd08cf Clear roam/BSS TM in progress flags for additional cases
It looks like the recently added roam_in_progress and
bss_trans_mgmt_in_progress flags could end up getting set, but not
cleared, in some cases. Make sure these get cleared on explicit
disconnection request and also in case the SME-in-driver path is used
(while that path does not really use these flags yet, it is better to
not allow them to be forgotten to be set should it be extended to cover
similar functionality).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-11 18:02:53 +02:00
Damien Dejean
4262e6ca49 Move credential removal operations into helper functions
This allows the same functions to be used for both the control interface
and the D-Bus interface.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2021-12-12 17:10:05 +02:00
Pradeep Kumar Chitrapu
c8b94bc7b3 mesh: Enable 160 MHz bandwidth support for 6 GHz in IEEE 802.11s mesh
Since the 6 GHz band has no DFS channels, enable 6 GHz 160 MHz bandwidth
as the default configuration for IEEE 802.11s mesh.

example:
network={
 ssid="6gmesh160"
 key_mgmt=SAE
 mode=5
 frequency=6275
 psk="1234567890"
}

Signed-off-by: P Praneesh <ppranees@codeaurora.org>
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-11-09 21:21:42 +02:00
Pradeep Kumar Chitrapu
d10a01e221 mesh: Enable 80 MHz support for 11s mesh in 6 GHz
Add support for 80 MHz bandwidth operation in 6 GHz 11s mesh.

example:
    network={
        ssid="6GHz-mesh-node"
        key_mgmt=SAE
        mode=5
        frequency=6195
        psk="1234567890"
    }

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-11-09 21:06:43 +02:00
Pradeep Kumar Chitrapu
d6c5feb8ce mesh: Change channel to frequency based lookup for starting mesh
Channel numbers of the 6 GHz band overlap those of the 2.4 GHz and 5 GHz
bands. Thus converting to frequency based mesh channel selection helps
accommodate 6 GHz mesh.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-11-09 20:42:45 +02:00
Kees Cook
f332f69513 wpa_supplicant: Try all drivers by default
Some distros carry patches to specify driver fallback, but only in
specific conditions (e.g. the systemd service definition[1]). This leaves
other wpa_supplicant instances needing to define fallback themselves,
which leads to places where wpa_supplicant thinks it can't find a
driver[2]. Instead, when -D is not specified, have wpa_supplicant try
all the drivers it was built with in an attempt to find a working one
instead of just giving up if the first doesn't work.

[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012

Signed-off-by: Kees Cook <kees@ubuntu.com>
2021-10-15 23:33:11 +03:00
Vinay Gannevaram
2b3e64a0fb Update ciphers to address GTK renewal failures while roaming
After roaming from WPA2-AP (group=CCMP) to WPA-AP (group=TKIP) using
driver-based SME and roaming trigger, GTK renewal failures are observed
for the currently associated WPA-AP because of group cipher mismatch,
resulting in deauthentication with the AP.

Update the group cipher and pairwise cipher values in wpa_sm from
association event received from the driver in case of SME offload to the
driver to address GTK renewal failures (and similar issues) that could
happen when the driver/firmware roams between APs with different
security profiles.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-06 21:13:19 +03:00
Jouni Malinen
857c4dfa83 Make get_mode() easier for static analyzers
Add an explicit check for modes != NULL instead of depending on
num_modes > 0 implying that. This is to silence invalid static analyzer
reports.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-30 18:23:26 +03:00
Veerendranath Jakkam
a4aae9f9b8 DSCP: Indicate DSCP Policy support in (Re)Association Request frame
Indicate DSCP Policy capability by including a WFA Capabilities element
containing the relevant bit set to 1 in the (Re)Association Request
frames when enabled by user.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 17:09:01 +03:00
Veerendranath Jakkam
2033e318e6 DSCP: Parsing and processing of DSCP Policy Request frames
Add support to parse received DSCP Policy Request frames and send the
request details as control interface events.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 00:20:42 +03:00
Jouni Malinen
8471d940e3 Move pmf_in_use() into a more generic file
This function is not specific to GAS, so make it available throughout
wpa_supplicant without requiring CONFIG_GAS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-28 11:07:21 +03:00
Arowa Suliman
46b60299a4 wpa_supplicant: src: Replace Sane with Valid.
Replace the word Sane with Valid which is inclusive.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-08-19 11:34:45 +03:00
Vinita S. Maloo
e433d06dd5 Allow MSCS support to be disabled for testing purposes
"SET disable_mscs_support 1" can be used to disable indication of MSCS
support in the Extended Capabilities element for testing purposes. This
is also disabling addition of the MSCS element even if valid
configuration parameters had been configured.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
025f8ab52e SCS: Processing of SCS Response frames
Add support to receive and process SCS Response frames from the AP and
indicate the status to upper layers.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
b4e01ae929 Allow SCS supported to be disabled for testing purposes
"SET disable_scs_support 1" can be used to disable indication of SCS
support in the Extended Capabilities element for testing purposes.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
c005283c48 SCS: Sending of SCS Request frames
Add support to parse SCS control interface command and form the SCS
Request frame to be sent to SCS enabled AP.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Sreeramya Soratkal
49442194c4 SAE: Derive H2E PT while reconnecting to same SSID also
P2P connections in the 6 GHz band use SAE authentication algorithm after
getting credentials with WPS connection. During WPS connection as it
doesn't use SAE, SAE PT is not derived. After getting SAE credentials,
the STA connects to the same SSID using SAE auth algorithm. Earlier, SAE
H2E PT was not derived while connecting to the same SSID to which the
STA is connected last time. Due to this, the P2P group formation fails
for 6 GHz channels when H2E is enabled as the PT will not be setup by
the P2P client before proceeding to the SAE authentication. Same could
happen with infrastructure WPS when wps_cred_add_sae=1 is used.

Set up the SAE H2E PT while connecting to the same SSID again also to
make sure that the H2E PT is set up in the STA to derive the PWE for
successful SAE authentication. The PT derivation will be skipped in
wpa_s_setup_sae_pt() if PT is already available for that SSID.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-04 00:20:09 +03:00
Veerendranath Jakkam
b4f7506ff0 FILS: Flush external-PMKSA when connection fails without ERP keys
External applications can store PMKSA entries persistently and
reconfigure them to wpa_supplicant after restart. This can result in
wpa_supplicant having a PMKSA for FILS authentication without having
matching ERP keys for it which would prevent the previously added
mechanism for dropping FILS PMKSA entries to recover from rejected
association attempts.

Fix this by clearing PMKSA entries configured by external applications
upon FILS connection failure even when ERP keys are not available.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-14 21:35:24 +03:00
Veerendranath Jakkam
80bcd7ecd1 FILS: Flush PMKSA entries on FILS connection failure
wpa_supplicant generates both a PMKSA cache entry and ERP keys upon
successful FILS connection and uses FILS authentication algorithm for
subsequent connections when either ERP keys or a PMKSA cache entry is
available.

In some cases, like AP/RADIUS server restart, both ERP keys and PMKSA
becomes invalid. But currently when an AP rejects an association,
wpa_supplicant marks only ERP keys as failed but not clearing PMKSA.

Since PMKSA is not cleared, consecutive connection attempts are still
happening with FILS authentication algorithm and connection attempts are
failing with the same association rejection again instead of trying to
recover from the state mismatch by deriving a new ERP key hierarchy.

Clear PMKSA entries as well on association rejection from an AP to allow
the following connection attempt to go with open authentication to
re-establish a valid ERP key hierarchy. Also, since clearing PMKSA
entries on unprotected (Re)Association Response frames could allow DoS
attack (reduce usability of PMKSA caching), clear PMKSA entries only
when ERP keys exists.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-14 21:20:17 +03:00
Jouni Malinen
e8662e9d44 Use a helper function to remove struct wpa_bss_tmp_disallowed entries
It is safer to remove and free these entries with a shared helper
function to avoid issues with potentially forgetting to unregister or
free something if this structure is extended in the future.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-06-03 00:11:18 +03:00
Hu Wang
ecaacb47b7 OCE: Remove AP from driver disallow list with sufficient AP RSSI
When a STA makes an association request that is rejected by an OCE AP
due to the RSSI being insufficient, the AP is added to the driver
disallow list by wpa_set_driver_tmp_disallow_list().

Once the AP increases TX power which makes the AP RSSI higher than
Association Rejection RSSI threshold, the AP is supposed to be removed
from the driver disallow list but that was not the case.

wpa_is_bss_tmp_disallowed() is called in the scan result handler, so it
is the best place to put the logic of removing the AP from the driver
disallow list with sufficient AP RSSI.

This is needed with drivers that use the temporarily disallowed BSS list
(which is currently supported only with a QCA vendor command). The
wpa_supplicant internal functionality was already taking care of this
with the wpa_is_bss_tmp_disallowed() return value even for cases where
the entry remaining in the list.

Signed-off-by: Hu Wang <huw@codeaurora.org>
2021-06-03 00:06:00 +03:00
Jouni Malinen
7f0a2e4225 Report EAPOL-RX events for testing purposes
This makes it more convenient to track EAPOL frame reception from an
external test script.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Vamsi Krishna
1d2118b509 Check local supported features for estimating BSS throughputs accurately
Add checks for features supported by the specific hardware mode of the
local device that has the channel for which the throughput is being
estimated instead of assuming the local device supports all optional
features. This is more accurate for cases where the local capabilities
might differ based on the band. In addition, this is in preparation for
extending rate estimates to cover optional VHT and HE features.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-07 12:27:21 +03:00
Jouni Malinen
8ca330bd70 Flush pending control interface message for an interface to be removed
wpa_supplicant_ctrl_iface_deinit() was executed only if the
per-interface control interface initialization had been completed. This
is not the case if driver initialization fails and that could result in
leaving behind references to the freed wpa_s instance in a corner case
where control interface messages ended up getting queued.

Fix this by calling wpa_supplicant_ctrl_iface_deinit() in all cases to
cancel the potential eloop timeout for wpas_ctrl_msg_queue_timeout with
the reference to the wpa_s pointer. In addition, flush any pending
message from the global queue for this interface since such a message
cannot be of use after this and there is no need to leave them in the
queue until the global control interface gets deinitialized.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-26 00:21:18 +02:00
Andrei Otcheretianski
82a348eda4 wpa_supplicant: Don't process EAPOL frames while disconnecting
An EAPOL frame may be pending when wpa_supplicant requests to
deauthenticate. At this stage the EAP SM cache is already cleaned by
calling eapol_sm_invalidate_cached_session(). Since at this stage the
wpa_supplicant's state is still set to associated, the EAPOL frame is
processed and results in a crash due to NULL dereference.

This wasn't seen previously as nl80211 wouldn't process the
NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would
set the valid_handler to NULL. This behavior was changed in commit
ab89291928 exposing this race.

Fix it by ignoring EAPOL frames while the deauthentication is in
progress.

Fixes: ab89291928 ("nl80211: Use process_bss_event() for the nl_connect handler")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-03-12 09:57:23 +02:00
Jouni Malinen
40551a15c1 Fix a memory leak in WPS with ap_scan=2
The wpa_ie buffer is now allocated here and needs to be freed before
returning from the function.

Fixes: d2ba0d719e ("Move assoc param setting into a helper function")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:46:32 +02:00
Jouni Malinen
900adb3c9f FILS: Simplify code paths
Use a shared code path for freeing the wpa_ie buffer to avoid
unnecessary complexity with a separate return for the non-FILS case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:42:06 +02:00
Jouni Malinen
f03580e319 Restore permanent MAC address on the FLUSH command
Clear previously used random MAC address on the FLUSH command if
mac_addr setting has been disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 17:22:37 +02:00
Veerendranath Jakkam
73ebd58fc8 STA: Check driver capability to enable OCV when driver SME is used
When the driver SME is used, offloaded RSN handshakes like SA Query, GTK
rekeying, FT authentication, etc. would fail if wpa_supplicant enables
OCV in initial connection based on configuration but the driver doesn't
support OCV. To avoid such failures check the driver's capability for
enabling OCV when the driver SME used.

This commit also adds a capability flag for indicating OCV support
by the driver.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Michal Kazior
1b45b8d3f6 wpa_supplicant: Don't exit scanning state on config reload
There's a chance that prior to config reload being requested a scan work
was started. As such forcing wpa_supplicant to WPA_DISCONNECTED was
removing any hints that the actual driver is busy with work. That led to
wpa_supplicant reporting "Failed to initialize AP scan" over and over
again for a few seconds (depending on driver/capabilities) until the
untracked scan finished.

Cancelling a scan isn't really a solution because there's a bunch of
scanning state bits sprinkled across wpa_supplicant structure and they
get updated as driver events actually flow in in async manner.

As far as I can tell this is only preventing unnecessary warning
messages. This doesn't seem like it was crippling any logic per se.

Signed-off-by: Michal Kazior <michal@plume.com>
2021-02-13 23:12:38 +02:00
Pradeep Kumar Chitrapu
35756c02ea mesh: Assign channel in frequency params in all bands
Previously, the channel number was set in hostapd_freq_params only with
the presence of HT capabilities. Set the channel number before the check
for HT mode to accommodate the 6 GHz band cases.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-02-10 00:25:36 +02:00
Jouni Malinen
48cfb52b7e Rename blacklist.[ch] to bssid_ignore.[ch]
This completes renaming of this functionality for a list of temporarily
ignored BSSIDs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 17:28:45 +02:00
Jouni Malinen
626fc0dcd0 Rename wpa_blacklist to wpa_bssid_ignore
This is more accurate name for this functionality of temporarily
ignoring BSSIDs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 17:28:45 +02:00
Jouni Malinen
8f557d2047 Make wpa_bss_ext_capab() handle NULL bss argument
This simplifies the callers that use wpa_s->current_bss (which could be
NULL).

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-06 12:09:30 +02:00
David Su
11355a122d Reset external_scan_running on interface deletion
Currently, the external_scan_running flag is not reset when an interface
is removed. Thus, if a connection attempt is made on another iface, it
will fail due to wpa_supplicant incorrectly assuming the radio is still
busy due to the ongoing scan.

To fix this, convert external_scan_running to a pointer to the interface
that started the scan. If this interface is removed, also reset the
pointer to NULL so that other operations may continue on this radio.

Test:
  1. Start scan on wlan0
  2. Remove wlan0
  3. Can connect to a network on wlan1

Signed-off-by: David Su <dysu@google.com>
2021-02-02 23:48:14 +02:00
Ilan Peer
363768c8ac PASN: Add support for PASN processing to wpa_supplicant
Add PASN implementation to wpa_supplicant

1. Add functions to initialize and clear PASN data.
2. Add functions to construct PASN Authentication frames.
3. Add function to process PASN Authentication frame.
4. Add function to handle PASN frame TX status.
5. Implement the station side flow processing for PASN.

The implementation is missing support for wrapped data and PMKSA
establishment for base AKMs, and only supports PASN authentication or
base AKM with PMKSA caching.

The missing parts will be added in later patches.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 19:15:44 +02:00
Ilan Peer
d70060f966 WPA: Add PTKSA cache to wpa_supplicant for PASN
PASN requires to store the PTK derived during PASN authentication
so it can later be used for secure LTF etc. This is also true
for a PTK derived during regular connection.

Add an instance of a PTKSA cache for each wpa_supplicant
interface when PASN is enabled in build configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Sunil Dutt
62657365f8 Add a configuration to disconnect on deinit if WoWLAN is enabled
Commit 02c21c02d0 ("wpa_supplicant: Do not disconnect on deinit if
WoWLAN is enabled") prevents the disconnection on deinit if the driver
indicates that WoWLAN is enabled. This is not the expected behavior in
some earlier use cases where the wpa_supplicant process is left running
when going to sleep and killing of the wpa_supplicant process is used
only when there is an expectation of Wi-Fi connection being disabled.

To support the use cases which require the WLAN to disconnect on deinit
even if WoWLAN is enabled, introduce a configuration parameter
wowlan_disconnect_on_deinit. This is set to 0 by default thereby not
impacting the functionality in the above mentioned commit. Setting it to
1 restores the old behavior before the commit identified above.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-01-21 18:21:30 +02:00
Shiva Sankar Gajula
71718b628b FT: Update key mgmt properly in RSNE during roaming
When STA is performing roam from WPA3 AP to WPA2 AP, the STA was
including key mgmt FT-SAE instead of FT-PSK in FT Authentication request
RSNE when using driver-based SME. This is because the RSNE/MDE/FTE were
updated and forwarded to the driver using the NL80211_CMD_UPDATE_FT_IES
command before updating key mgmt properly. Because of this, the AP is
rejecting FT Authentication request with WLAN_REASON_UNSPECIFIED reason
code which is due to the invalid keymgmt in RSNE.

Fix this by reordering IE population to happen earlier in the sequence
so that the updated key mgmt information can be provided when using
NL80211_CMD_UPDATE_FT_IES.

Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
2021-01-15 12:10:10 +02:00
Jouni Malinen
6ead8b897f Use bool for is_6ghz variables and functions
Replace the implicit boolean checks that used int variables with use of
a more explicit bool variable type.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-11 19:56:14 +02:00
Veerendranath Jakkam
7131fede34 Extend the setband support for 6 GHz and band combinations
Support possible band combinations of 2.4 GHz, 5 GHz, and 6 GHz with
QCA_WLAN_VENDOR_ATTR_SETBAND_MASK attribute. Ensure backwards
compatibility with old drivers that are using
QCA_WLAN_VENDOR_ATTR_SETBAND_VALUE attribute and supporting only 2.4 GHz
and 5 GHz bands.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-12-11 19:56:14 +02:00
Markus Theil
0896c442dc mesh: Fix for mesh init/deinit
Send mesh group started notification after join completion
callback is called.

Implement outstanding TODO, to leave the mesh network on deinit.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-12-01 00:23:15 +02:00
Jouni Malinen
be7ee264f6 BSS: Use wrapper function for getting a pointer to the IE buffer
This makes it easier to change the internal struct wpa_bss design for
storing the variable length IE buffers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:21:56 +02:00
Jouni Malinen
95edd81441 BSS: Add wpa_bss_get_ie_ext() wrapper
This removes need from the callers to know the struct wpa_bss details
for the location of the memory area for storing the IEs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:00:21 +02:00
Rohan Dutta
fdf114641f nl80211: Send the sae_pwe value to the driver
Use NL80211_ATTR_SAE_PWE attribute to indicate the sae_pwe value
to the driver during the NL80211_CMD_START_AP and NL80211_CMD_CONNECT
in WPA3-Personal networks which are using SAE authentication.

Signed-off-by: Rohan Dutta <drohan@codeaurora.org>
2020-11-16 15:50:44 +02:00