Add support to send GAS requests with a randomized transmitter address
if supported by the driver. The following control interface commands
(and matching configuration file parameters) can be used to configure
different types of randomization:
"SET gas_rand_mac_addr 0" to disable randomizing TX MAC address,
"SET gas_rand_mac_addr 1" to randomize the complete TX MAC address,
"SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI.
A new random MAC address will be generated for every
gas_rand_addr_lifetime seconds and this can be configured with
"SET gas_rand_addr_lifetime <timeout>".
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, VHT capability was default value (=0x0000). This makes
VHT Capabilities Info in VHT Capabilities IE in mesh peering
open/confirm frame 0x0000. This patch fills it with hardware capability.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).
Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
Relying on the group_capab from the P2P peer information can result in
improper information on whether the peer is currently operating as a GO.
However, there is a known implementation in Android that does this.
To reduce issues from this misuse in upper layer to try to determine
whether a specific peer is operationg a group, override the group_capab
value in P2P_PEER output with 0 if there are no BSS entries with the
peer P2P Device as a GO. This is not a perfect information since there
may not have been a recent scan on all channels, but this results in
less issues than trying to decide between new group formation and
joining an existing group based on stale or incorrect information.
Since no upper layer application is really supposed to use the
group_capab field value in P2P_PEER command, this change should not
cause any impact for properly design components and the possibility of
regressions is limited to cases that are already known to work
incorrectly in number of identifiable cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 8d1e693186 ('Use estimated
throughput to avoid signal based roaming decision') added a check for
the current BSS estimated throughput being significantly higher than the
selected BSS estimated throughput. However, this case for skipping a
roam used "return 1" which actually allows the roam. Fix this by
returning 0 in this case.
Signed-off-by: Jouni Malinen <j@w1.fi>
To be more consistent with existing hwaddr_aton() and hexstr2bin()
callers, check the return values in this test command.
Signed-off-by: Jouni Malinen <j@w1.fi>
The local custom version of allocating and initializing struct
hostapd_data within wpa_supplicant_mesh_init() is problematic. This has
already missed couple of initialization steps that are required. Instead
of trying to remember to keep this up to date, use
hostapd_alloc_bss_data() so that there is only one place for this
initialization.
This is fixing a recent issue where FILS HLP started using
hapd->dhcp_server and expected that to be initialized to -1. For the
mesh case, that did not happen and when removing the interface, the FILS
HLP implementation ended up unregistering eloop socket for
hapd->dhcp_server (= 0). This could result in missing socket callbacks
for an arbitrary socket.
Signed-off-by: Jouni Malinen <j@w1.fi>
This wpa_drv_if_remove() call was previously modified to fix a different
issue, but that fix resulted in unconditional use of treed memory here
(wpa_supplicant_deinit_iface() frees wpa_s). Make a local copy of
wpa_s->parent to be able to use it after wpa_s is freed. The
mesh_if_created case has wpa_s->parent != wpa_s, so this should be
sufficient way of handling the wpa_drv_if_remove() call here.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new FILS-HLP-RX control interface event is now used to report
received FILS HLP responses from (Re)Association Response frame as a
response to the HLP requests configured with FILS_HLP_REQ_ADD.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible to hit this WPA_ASSERT when FST-MANAGER SESSION_REMOVE
command is exececuted when in not-associated state. In
CONFIG_EAPOL_TEST=y builds, this would result in the wpa_supplicant
process being terminated. Convert this WPA_ASSERT to a check that does
not terminate the process, but only rejects the command if wpa_s->bssid
does not match the da argument.
Signed-off-by: Jouni Malinen <j@w1.fi>
Increase the EAPOL RX frame timeout from 100 to 200 ms. This fixes lack
of optimization (i.e., first EAPOL frame dropped) in occasional roaming
and authentication cases on EAP networks if the kernel events can be
reordered and delayed a bit longer.
Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
Instead of copying the struct wpa_auth_callbacks, just keep a pointer to
it, keep the context pointer separate, and let the user just provide a
static const structure. This reduces the attack surface of heap
overwrites, since the function pointers move elsewhere.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If the VHT capability override vht_disabled=1 is used in the network
profile, skip VHT configuration of the local channel.
Signed-off-by: Jouni Malinen <j@w1.fi>
The remote mesh STA which had configuration disable_ht40=1 could have HT
Capabilities element which includes Supported Channel Width Set = 1
(both 20 MHz and 40 MHz operation is supported) even though it had HT
Operation element which includes STA Channel Width = 0 (20 MHz channel
width only). Previously, local peer recognized such a remote peer as 40
MHz band width enabled STA because local peer only checked HT
Capabilities element. This could cause disconnection between
disable_ht40=1 mesh STA and disable_ht40=0 mesh STA. They could
establish a mesh BSS but could not ping with ath9k_htc device. This
commit fixes the issue by refering HT Operation element.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This functionality can be used outside wpa_set_disable_ht40(), so move
the generic part to a helper function.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and
FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be
added to the (Re)Association Request frame whenever FILS authentication
is used.
FILS_HLP_REQ_ADD parameters use the following format:
<destination MAC address> <hexdump of payload starting from ethertype>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When AP responds with comeback delay for initial GAS query sent by STA,
gas_query_timeout should be cancelled to avoid GAS failures when
comeback delay is more than GAS_QUERY_TIMEOUT_PERIOD. The
gas_query_timeout is getting registered again when tx_status is received
for GAS comeback request.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These commnds are mesh version of PMKSA_GET/ADD commands. So the usage
and security risk is similar to them. Refer to
commit 3459381dd2 ('External persistent
storage for PMKSA cache entries') also.
The MESH_PMKSA_GET command requires peer MAC address or "any" as an
argument and outputs appropriate stored PMKSA cache. And the
MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-store
the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache,
wpa_supplicant can skip commit message creation which can use
significant CPU resources.
The output of the MESH_PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <expiration in seconds>
The example of MESH_PMKSA_ADD command is this.
MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180
This functionality is disabled by default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This can be used to determine whether the driver supports PMF and if so,
with which group management cipher suites. In addition, add the missing
pairwise and group cipher suite values to the documentation while adding
this new entry there as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
When wpa_supplicant was processing a received Authentication frame (seq
1) from a peer STA for which there was already a TK configured to the
driver, debug log claimed that the PTK gets cleared, but the actual
call to clear the key was actually dropped due to AUTH vs. SUPP set_key
selection. Fix this by explicitly clearing the TK in case it was set
and an Authentication frame (seq 1) is received.
This fixes some cases where EAPOL-Key frames were sent encrypted using
the old key when a peer STA restarted itself and lost the key and had to
re-join the IBSS. Previously, that state required timing out the 4-way
handshake and Deauthentication frame exchange to recover.
Signed-off-by: Jouni Malinen <j@w1.fi>
country[2] needs to be set to ' ' instead of left to '\0' for the case
where wpa_supplicant sets up AP mode operations and includes the Country
element. Currently, this would be only for DFS channels. Without this,
the Beacon frames would go out with incorrect third octet in the country
code.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This control interface command can be used to inject scan results from
test scripts to make it easier to test various scan result processing
operations.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previous version could have used uninitialized char* when a DMG with
invalid capabilities were added to BSS table from scan results.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a call to the notify_beacon_loss() callback functions when
beacon loss is detected. In addition, a new CTRL-EVENT-BEACON-LOSS event
is made available through the wpa_supplicant control interface.
Signed-off-by: Jouni Malinen <j@w1.fi>
These parameters are global configuration parameters for wpa_supplicant
and the special control interface SET command handlers for them were
preventing the configuration update. Make this more consistent by
updating the configuration parameter as well since that is what all the
other SET <global config param> commands do.
Signed-off-by: Jouni Malinen <j@w1.fi>
non_pref_chan is a global configuration parameter for wpa_supplicant and
the special control interface SET command handler for it was preventing
the configuration update. Make this more consistent by updating the
configuration parameter as well since that is what all the other SET
<global config param> commands do.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 483dd6a5e0 ('Include peer
certificate always in EAP events') added this wpa_supplicant global
configuration parameter, but forgot to add the actual parsing of it, so
there was no way of setting the value.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a comment to note which fields are expected to be updated by the
driver. In addition, reorder subfield writing to match the order in
which the fields are in the frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
ieee80211_chan_to_freq() is not really meant for conversion of 20 MHz
primary channel numbers for wider VHT channels, so handle those as
special cases here for now.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpabuf_resize() can handle the initial allocation of a wpabuf and all
the other callers of wpas_rrm_report_elem() were already using a pointer
to a pointer and a wpabuf_resize() call. Simplify this by resizing the
wpabuf (if needed) within wpas_rrm_report_elem() instead of having to
calculate the needed size in all the callers. Thsi is also fixing one of
the allocation sizes to use the correct size instead of a size of a
struct that has nothing to do with the allocation (but is larger than
the needed five octets, so does not break anything).
Signed-off-by: Jouni Malinen <j@w1.fi>
There is only a single caller for wpas_rrm_send_neighbor_rep_request()
and it unconditionally uses a callback function, so cb cannot be NULL
here and there is no need for additional complexity and extra code size
to check for it explicitly.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the check was done after we reached the maximum and another
scan was already triggered.
While at it, remove an irrelevant comment that the previous change in
the logic here missed.
Signed-off-by: Beni Lev <beni.lev@intel.com>