Add preamble puncturing bitmap to the EHT Operation element as per IEEE
P802.11be/D3.0, Figure 9-1002c (EHT Operation Information field format).
Bits set to 1 indicate that the subchannel is punctured, otherwise
active.
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Balamurugan Mahalingam <quic_bmahalin@quicinc.com>
Legacy modes (VHT, HE) should advertise downgraded bandwidth if
RU puncturing is enabled in EHT mode. This is required for the legacy
stations which cannot parse the EHT Operation elements hence do not
support EHT RU puncturing.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
Add a new option to configure the disabled subchannel bitmap as per
IEEE P802.11be/D3.0, Figure 9-1002c (EHT Operation Information
field format).
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Retrieve the driver support for preamble puncturing.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Maximum NSS calculation assumed the host to be little endian while
retrieving MCS values from HE capabilities which is incorrect. Use
WPA_GET_LE16() instead.
Add a check for HE as the current NSS calculation assumes HE support.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
FILS discovery frame generation currently assumes HE support for
calculating the number of spatial streams. Add a check to reject
the configuration if the feature is enabled without enabling HE.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Once ACS picks a channel, iface->freq and iface->conf->channel are
updated. So, AP comes up in the last operating channel when 'ENABLED'
after 'DISABLED' though ACS is configured.
But this will fail for 6 GHz APs since configured_fixed_chan_to_freq()
checks if iface->conf->channel is filled or not irrespective of ACS
configuration, and the checks inside configured_fixed_chan_to_freq()
fail the AP setup. Fix this by clearing iface->freq and
iface->conf->channel in AP setup for ACS configuration.
Fixes: bb781c763f ("AP: Populate iface->freq before starting AP")
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
If wiphy idx not provided, kernel returns global reg domain when
processing NL80211_CMD_GET_REG. To obtain the correct country code for
the self-managed regulatory cases, put wiphy idx into nl_msg when
sending this command to kernel.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When writing 64-bit attributes into the netlink buffer, senders may
add a padding attribute to allow the payload of the 64-bit attribute
to be 64-bit aligned. For QCA vendor attributes, currently the
attribute QCA_WLAN_VENDOR_ATTR_PAD in enum qca_wlan_vendor_attr is
defined for this purpose.
Unfortunately, when adding attributes to the netlink buffer, all
attributes at a given level of nesting must be defined in the same
enum so that they can be unambiguously parsed. This means that
QCA_WLAN_VENDOR_ATTR_PAD can only be used to pad 64-bit attributes
defined in enum qca_wlan_vendor_attr.
There are many other QCA vendor enums which define 64-bit attributes,
so add a pad attribute to all of them so that the 64-bit attributes
can be unambiguously padded.
Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Add a new vendor command and attributes to control and fetch the state
information of the MLO links affiliated with a specific interface.
This will enable user space to dynamically control the MLO links states
based on the latency, throughput and power save requirements.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
As a preparation to use AP MLD address and non-AP MLD address
in the RSN Authenticator state machine, add utility functions to
get the current AA and SPA.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
As a preparation for processing an association request with
ML element, split the function such that the elements checking
would be separate from parsing.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
An association request in the context of an MLO connection can
contain an ML element that holds the per station profile for
the additional links negotiated. To support this, add a function
to parse the per station profile.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
As a preparation to parse management frames that include ML elements
with per station profiles, split the function to a helper function that
would not memset() the elements structure.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Multi link stations are represented in the kernel using a single
station with multiple links and the first ADD_STA command also
creates the first link. Subsequent links should be added with
LINK_ADD commands.
Implement this logic and provide the required MLD information per
station/link.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add a driver callback to add a link to an AP interface.
As the kernel removes all links on underline interface removal, there
is currently no need to support individual link removal.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
"multicast_to_unicast" and "hairpin_mode" are usually set outside of
hostapd. However, DFS channel change events pull the BSS out of the
bridge causing these attributes to be lost. Make these settings tunable
within hostapd so they are retained after the BSS is brought up again.
Signed-off-by: Anthony Refuerzo <anthony96922@gmail.com>
In theory, os_snprintf() could have filled the buffer to the end and
while the pos variable would not have been incremented beyond that,
there would not necessarily be a NUL termination at the end. Force the
array to end in NUL just in case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The number of frequencies is increased before the boundary check,
thus it should be allowed to be equal to the number of elements in
the array. Update the limit to allow the full array to be used.
In addition, add the missing byte for the NULL terminator for the debug
print to be able to fit all values (assuming they are <= 9999 MHz).
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
webkit_web_context_set_tls_errors_policy() has been deprecated. Use its
replacement webkit_website_data_manager_set_tls_errors_policy() when
building against sufficiently recent version of webkit2.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add check to filter out 6 GHz frequencies from the local driver
frequency preference list when 6 GHz is not allowed for the P2P
connection. Earlier, 6 GHz frequency channels were included in the
preferred list if the p2p_6ghz_disable parameter was not set
irrespective of the allow_6ghz parameter.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
The flags that indicate that a channel is allowed for 80/160 MHz use
are divided according to the position of the control channel (e.g.,
HOSTAPD_CHAN_VHT_10_70, HOSTAPD_CHAN_VHT_30_50, etc.).
However, the position of the control channel does not add any extra
regulatory information because when trying to use a 80/160 MHz channel
all the desired bandwidth has to be allowed for 80/160 MHz use,
regardless of the control channel position.
In addition, these flags are set only if the driver reports one
regulatory rule that allows the entire 80/160 MHz bandwidth.
However, even when a 80/160 MHz channel is allowed, in some cases the
bandwidth will be split into several regulatory rules because
different segments of the bandwidth differ in other flags (that don't
affect the use of the bandwidth for VHT channels). So, in such cases
these flags will not be set, although VHT channels are allowed.
As the result, VHT channels will not be used although they are allowed
by the regulatory domain.
Fix this by introducing new flags that indicate if a 2 0MHz channel is
allowed to be used as a part of a wider (80/160 MHz) channel.
The new flags are set for each 20 MHz channel independently and thus
will be set even if the regulatory rules for the bandwidth are split.
A 80/160 MHz channel is allowed if all its 20 MHz sub-channels are
allowed for 80/160 MHz usage.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Extend @CONF-OBJ-SEP@ behavior to allow the second entry to be used for
different netRole. In other words, allow both the AP and STA netRole
(though, only a single one per netRole) configuration to be set.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The first call to dpp_configuration_parse_helper() was supposed to use
the separately prepared tmp string with only the first configuration
entry, but it ended up using the full string that included both
configuration entries. This could result in the first configObject
getting a mix of parameters from both entries.
Fix the parsing to use only the text before the @CONF-OBJ-SEP@ separator
for the first entry.
Fixes: 7eb06a3369 ("DPP2: Allow multiple Config Objects to be build on Configurator")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When ACS is configured in multiple BSS case, sometimes a virtual AP
interface does not come up as the channel context information between
different BSSs of the same band does not match.
Same behavior is observed in case of multiple band/hardware under a
single wiphy, when we bring up multiple virtual interface in various
bands simultaneously and the kernel maps a random channel as it has more
than one channel context, e.g., say a 2.4 GHz channel to a 5 GHz virtual
AP interface when the start AP command is sent. This is because the
frequency information is not present in the command.
Add the frequency information into the start AP netlink command so that
the kernel maps the appropriate channel context by parsing it instead of
using a previous set channel information.
Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
This uses libnl3 to communicate with the macsec module available on
Linux. A recent enough version of libnl is needed for the hardware
offload support.
Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
Add the country_code and country3 config parameter to the STATUS output
to easier determine the current values for each of an hostapd
access point. Currently neither STATUS, GET [country_code/country3] nor
GET_CONFIG output it.
This is useful if the hostapd access point has been created with
wpa_ctrl_request() without using a *.conf file (like hostapd.conf).
Signed-off-by: Antonio Prcela <antonio.prcela@gmail.com>
Signed-off-by: Antonio Prcela <antonio.prcela@sartura.hr>
sm->bssid has not yet been updated here, so use the provided bssid
instead. This avoids replacing the PTKSA entry for the previous AP when
a new PTKSA is being stored while using the FT protocol.
Fixes: d70060f966 ("WPA: Add PTKSA cache to wpa_supplicant for PASN")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTKSA was stored for the 4-way handshake and FILS cases, but not when it
was being derived through the use of the FT protocol.
Fixes: f2f8e4f458 ("Add PTKSA cache to hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This function is not used outside wpa_auth.c and it is not mentioned in
any header file either, so it should have been marked static.
Fixes: f2f8e4f458 ("Add PTKSA cache to hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
FT AP was silently ignoring EAPOL-Key msg 2/4 due to Key MIC mismatch
when the STA advertises support for Secure LTF and derives the KDK while
the AP implementation did not derive KDK.
Fix this to include KDK while deriving PTK for FT cases on the AP.
Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
Allows collecting and exposing more information about the station's
current connection from the kernel to the connection manager.
* Add an enum to represent guard interval settings to driver.h.
* Add fields for storing guard interval and dual carrier modulation
information into the hostap_sta_driver_data struct.
* Add bitmask values indicating the presence of fields.
* STA_DRV_DATA_TX_HE_DCM
* STA_DRV_DATA_RX_HE_DCM
* STA_DRV_DATA_TX_HE_GI
* STA_DRV_DATA_RX_HE_GI
* Retrieve NL80211_RATE_INFO_HE_GI and NL80211_RATE_INFO_HE_DCM in
get_sta_handler(), and set appropriate flags.
Signed-off-by: David Ruth <druth@chromium.org>
Currently invitation request wait time is very long and not needed for
sending a single Action frame only. To not interfere with other parallel
channel activities, decrease the wait time to to 150 ms in case of an
active P2P GO on the system.
In addition, if a P2P GO tries to invite a client that doesn't respond,
it will attempt to invite again after 100 ms. This is too aggressive and
may result in missing beacon transmission and affecting GO activity on
its operating channel. Increase the timeout to 120 ms, to allow enough
time for beacon transmission.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support for WNM event report handling for the BSS color collision
and in use events.
Co-developed-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Yi-Chia Hsieh <yi-chia.hsieh@mediatek.com>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Adding the hw_mode config parameter to the STATUS output to easier
determine the current hw_mode of an hostapd access-point. Currently
neither STATUS, GET hw_mode, nor GET_CONFIG output it.
Useful if the hostapd access point has been created with
wpa_ctrl_request() without using a *.conf file, like hostapd.conf.
Signed-off-by: Antonio Prcela <antonio.prcela@gmail.com>
Signed-off-by: Antonio Prcela <antonio.prcela@sartura.hr>
Per RFC 2548, 2.1.5, MS-CHAP-Error contains an Ident field of one octet
followed by an ASCII message. Add the missing Ident field.
Signed-off-by: Yihong Wu <wu@domosekai.com>
Change Probe Response frames to be sent as broadcast for 6 GHz band per
IEEE Std 802.11ax‐2021, 26.17.2.3.2: "If a 6 GHz AP receives a Probe
Request frame and responds with a Probe Response frame (per 11.1.4.3.4),
the Address 1 field of the Probe Response frame shall be set to the
broadcast address, unless the AP is not indicating its actual SSID in
the SSID element of its Beacon frames."
Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
Send NL80211_ATTR_MLO_SUPPORT flag in NL80211_CMD_CONNECT to indicate
wpa_supplicant has support to handle MLO connection for SME-in-driver
case.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Enable MLO for SAE authentication when the driver indicates the AP MLD
address in an external authentication request. The MAC address of the
interface on which the external authentication request received will be
used as the own MLD address.
This commit does below for enabling MLO during external SAE
authentication:
- Use MLD addresses for SAE authentication.
- Add Basic Multi-Link element with the own MLD address in SAE
Authentication frames.
- Send SAE Authentication frames with the source address as the own MLD
address, destination address and BSSID as the AP MLD address to the
driver.
- Validate the MLD address indicated by the AP in SAE Authentication
frames against the AP MLD address indicated in external authentication
request.
- Store the PMKSA with the AP MLD address after completing SAE
authentication.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add QCA_WLAN_VENDOR_MCC_QUOTA_TYPE_LOW_LATENCY attribute
to enable/disable Multi-Channel concurrency low latency mode.
The firmware will do optimization of channel time quota for
low latency in Multi-Channel concurrency state if enabled.
Signed-off-by: Liangwei Dong <quic_liangwei@quicinc.com>
hostapd was previously storing the derived PMK-R0 and PMK-R1 as soon as
these keys were derived. While that is fine for most purposes, it is
unnecessary to do that so quickly and if anything were to fail before
the supplicant is able to return a valid EAPOL-Key msg 2/4, there would
not really be any real use for the derived keys.
For the special case of FT-PSK and VLAN determination based on the
wpa_psk file, the VLAN information is set in the per-STA data structures
only after the EAPOL-Key msg 2/4 MIC has been verified. This ended up
storing the PMK-R0/PMK-R1 entries without correct VLAN assignment and as
such, any use of the FT protocol would not be able to transfer the VLAN
information through RRB.
Split local storing of the FT key hierarchy for the cases using the FT
4-way handshake so that PMK-R0 and PMK-R1 are first derived and then
stored as a separate step after having verified the MIC in the EAPOL-Key
msg 2/4 (i.e., after having confirmed the per-STA passphrase/PSK was
selected) and VLAN update. This fixes VLAN information for the
wpa_psk_file cases with FT-PSK.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
During implementation of commit 257b119c2d ("QCA vendor attribute of
update roaming cached statistics info") some deficiencies were noted as
listed below, so fix them. Since these are pre-implementation changes,
no ABI breakage is introduced.
1) Change all RSSI values to be signed values.
2) Add enums for scan type and dwell type instead of documenting
their values with comments
3) Add missing QCA_ROAM_REASON_STA_KICKOUT to enum qca_roam_reason
Signed-off-by: Chunquan Luo <quic_chunquan@quicinc.com>
The initial MACsec implementation required the EAP Session-Id to be at
least 65 octets long and by truncating the value to that length, the
practical limit of functional cases was limited to that exact length of
65 octets. While that happens to work with EAP method that use TLS, it
does not work with most other EAP methods.
Remove the EAP Session-Id length constraint and allow any length of the
Session-Id as long as the EAP method provides one. In addition, simplify
this be removing the unnecessary copying of the Session Id into a new
allocated buffer.
Fixes: dd10abccc8 ("MACsec: wpa_supplicant integration")
Fixes: a93b369c17 ("macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The received Service Discovery Response frame follows the ap_mgmt_rx()
path in P2P GO mode. If gas_query_rx_frame() doesn't process the frame,
call the Public Action frame callbacks if any are registered for further
processing of the RX frame.
Fixes: 9c2b8204e6 ("DPP: Integration for hostapd")
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
Add vendor subcmd QCA_NL80211_VENDOR_SUBCMD_ROAM_STATS and attribute id
in enum qca_wlan_vendor_attr_roam_cached_stats for collecting roaming
statistics information when diagnosing roaming behavior.
Signed-off-by: Chunquan Luo <quic_chunquan.quicinc.com>
Add new AP concurrency policy QCA_WLAN_CONCURRENT_AP_POLICY_XR to
configure interface for eXtended Reality (XR) requirements.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Add a new vendor command QCA_NL80211_VENDOR_SUBCMD_GET_MONITOR_MODE to
get the local packet capture status in the monitor mode. Add required
attributes to respond with status of the monitor mode. The monitor mode
can be started/configured by using the
QCA_NL80211_VENDOR_SUBCMD_SET_MONITOR_MODE subcommand.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
Add new QCA vendor attributes to configure the driver for EHT
capabilities and multi link configuration.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add new QCA vendor attributes to configure the driver for EHT
capabilities. These attributes are used for testing purposes.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When I was testing dpp_auth_init on an AP with Enrollee on a different
channel from the AP I was getting failures. This happened on hwsim in
UML with time-travel for me. I don't recall seeing this with real
devices, presumably because of lax offchan implementation.
The DPP authentication would succeed. However the station would then try
to get configuration through a GAS request and fail.
The AP reported the following logs (grepped):
> 1614762426.860212: RX_ACTION category 4 action 10 sa 02:00:00:00:01:00 da 02:00:00:00:00:00 len 227 freq 2412
> 1614762426.860212: wlan0: GAS: GAS Initial Request from 02:00:00:00:01:00 (dialog token 239)
> 1614762426.860233: DPP: Wait for Configuration Result
> 1614762426.860234: nl80211: Send Action frame (ifindex=5, freq=2462 MHz wait=0 ms no_cck=0 offchanok=0)
> 1614762428.861186: DPP: Timeout while waiting for Configuration Result
> 1614762428.861186: wlan0: DPP-CONF-FAILED
While the STA reported the following logs (grepped):
> 1614762426.860193: wlan1: DPP-AUTH-SUCCESS init=0
> 1614762426.860195: DPP: Stop listen on 2412 MHz
> 1614762426.860202: wlan1: GAS-QUERY-START addr=02:00:00:00:00:00 dialog_token=239 freq=2412
> 1614762428.861185: GAS: No response received for query to 02:00:00:00:00:00 dialog token 239
> 1614762428.861189: DPP: GAS query did not succeed
> 1614762428.861189: wlan1: DPP-CONF-FAILED
AP would still receive the GAS request on ch1 but would then try to
respond on ch11 while STA was waiting on ch1.
Signed-off-by: Michal Kazior <michal@plume.com>
IEEE P802.11be/D2.0 added a 4-octet Basic EHT-MCS And Nss Set field into
the EHT Operation element. cfg80211 is now verifying that the EHT
Operation element has large enough payload and that check is failing
with the previous version. This commit does not really set the correct
Basic EHT-MCS And Nss Set values, but the IE length check is now passing
to allow initial mac80211_hwsim testing to succeed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Authentication frames include several fixed body parts (see Table 9-68
(Authentication frame body) and Table 9-69 (Presence of fields and
elements in Authentication frames) in IEEE P802.11-REVme/D2.0).
To be able to parse the IE part, these fields need to be skipped. Since
SAE logic already implements this parsing, change SAE authentication
handling functions to return the offset to the IE part. This preparation
is needed for future MLD patches that need to parse out the ML related
elements in the Authentication frames.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of drivers that offload the 4-way handshake to the driver, there
was no way of updating wpa_supplicant about the transition disable
bitmap received as a part of EAPOL-Key msg 3/4.
With latest provisions in cfg80211_port_authorized(), the TD bitmap can
be sent to the upper layer. Parse that as a part of the port authorized
event and set the transition disable information accordingly.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
Some Wi-Fi SoCs do not ensure unique MAC address for the new virtual
interface. Enforce unique address is used for the created AP interface
similarly to other previously address interface types.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
Return value of crypto_bignum_to_bin() wasn't always checked, resulting
in potential access to uninitialized values. Fix it, as some analyzers
complain about it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Micha Hashkes <micha.hashkes@intel.com>
Fix an issue that results in TX failures being stored where TX retries
belongs.
Fixes: ad4fa5dd3c ("Add more nl80211 info to struct wpa_signal_info")
Signed-off-by: David Ruth <druth@chromium.org>
k_pad and tk were not cleared in internal HMAC-SHA256 implementation.
Clear them to avoid leaving secret material in temporary stack
variables.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Use more specific status code values to report error cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
RSNXE bits were modified, so update the relevant places accordingly.
Please note, WLAN_RSNX_CAPAB_PROT_RANGE_NEG was renamed to
WLAN_RSNX_CAPAB_URNM_MFPR and the bit position is changed to 15 instead
of 10, while BIT 10 is used for WLAN_RSNX_CAPAB_URNM_MFPR_X20 and is not
supported yet.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add the assigned values based on IEEE P802.11-REVme/D2.0. In addition,
sort these definitions in ascending order.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Check the HE membership selector and don't use the BSS
if required but not supported by HW.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add the ability to require HE, advertising that via the
BSS membership selector as well as rejecting association
without HE.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When AP is started on a DFS channel and DFS is offloaded to the driver,
AP setup will be separated to two stages. In the first stage, hostapd
will set frequency and initialize BSS, then waits the driver CAC to
complete. Once CAC done, in the second stage,
hostapd_setup_interface_complete() will be called again from a callback
to continue AP/channel setup.
But the driver will fail to restart AP if it is disabled/reenabled
during a driver CAC procedure because some steps such as setting
freq/beacon in the first stage are skipped due to cac_started not
cleared when the AP is disabled.
Avoid this by clearing cac_started when the AP is disabled.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Channel width in HE Capabilities element added to management frames is
calculated in hostapd_eid_he_capab() by intersecting the driver
capabilities and the operating channel width. Kernel uses this value
from the Beacon frames to verify EHT capabilities length. However, EHT
MCS length calculation uses only the driver capabilities which results
in EHT AP bring up failure in some cases dues to different lengths.
Modify the EHT code to use the HE operating channel width as well to
determine matching length for the information.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add new attributes for the destination MAC address and netdev index in
SCS rule config subcommand.
Signed-off-by: Harsh Kumar Bijlani<quic_hbijlani@quicinc.com>
With an MLD connection the BSSID reported in the association
event is the MLD AP address, while the association state reported
in the scan results relates to the MLD AP specific link. In such a
case do not disconnect.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Define additional association parameters for MLD to be able to indicate
information for all the requested links and fill these into nl80211
attributes.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Set MLO attributes for NL80211_CMD_AUTHENTICATE and make sure that MLD
configuration is preserved between authentication retries.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add the required ML and RNR definitions and report the information in
BSS command.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The control fields are 16 bit wide. Combine the per byte definitions to
make it more convenient.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Facilitate emitting more station information over D-Bus for use by the
connection manager.
* Add storage for more NL80211_STA_INFO_* fields to data structures, and
move them through the system.
* Reorder NL80211_STA_INFO_* fields in driver_nl80211.c to match the
ordering in nl80211.h.
* Convert signal field to an integer to support holding WPA_INVALID_NOISE
and avoid changing logging.
* Add fields to hostap_sta_driver_data to capture more information
* fcs_error_count
* beacon_loss_count
* expected_throughput
* rx_drop_misc
* rx_mpdus
* rx_hemcs
* tx_hemcs
* rx_he_nss
* tx_he_nss
* avg_signal
* avg_beacon_signal
* avg_ack_signal
* Add struct hostap_sta_driver_data to struct wpa_signal_info and remove
redundant fields and redundant attribute parsing
* Change logging when printing txrate to handle unsigned long
value
Signed-off-by: David Ruth <druth@chromium.org>
Indicate whether the collocated BSS in the RNR is a part of a multiple
BSSID set and whether it is a transmited BSSID.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Send MBSSID and EMA configuration parameters to the kernel.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
As described in IEEE Std 802.11-2020, 11.1.3.8 Multiple BSSID procedure,
set the lowest AID value assigned to any client equal to 2^n, where n is
the maximum BSSID indicator of the MBSSID set.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Process the Known BSSID elements if included by non-AP stations. The
format is described in IEEE Std 802.11ax-2021, 9.4.2.261.
Non-AP stations may include this element in directed Probe Request
frames to indicate which of the multiple BSSIDs they have already
discovered. AP should exclude these profiles from the Probe Response
frame.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add Multiple BSSID Configuration element data per IEEE Std
802.11ax-2021, 9.4.2.260 when enhanced multiple BSSID advertisement
(EMA) is enabled. This element informs the stations about the EMA
profile periodicity of the multiple BSSID set.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Set extended capabilities as described in IEEE Std 802.11ax-2021,
9.4.2.26. Reset the capability bits to 0 explicitly if MBSSID and/or EMA
is not enabled because otherwise some client devices fail to associate.
Bit 80 (complete list of non-tx profiles) is set for all Probe Response
frames, but for Beacon frames it is set only if EMA is disabled or if
EMA profile periodicity is 1.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Add helper functions to retrieve the context for the transmitting
interfaces of the MBSSID set and the index of a given BSS.
Set device parameters: BSS index and the transmitting BSS.
Include Multiple BSSID elements in Beacon and Probe Response frames.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Add data per IEEE Std 802.11-2020, 9.4.2.240. Current implementation is
added for the security and extended supported rates only.
For the Extended rates element, add a new member 'xrates_supported'
which is set to 1 only if hostapd_eid_ext_supp_rates() returns success.
Without this change, there are cases where this function returns before
adding the element for the transmitting interface resulting in incorrect
addition of this element inside the MBSSID Non-Inheritance element.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Signed-off-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Add Multiple BSSID element data per IEEE Std 802.11ax-2021, 9.4.2.45.
Split the BSSes into multiple elements if the data does not fit in
the 255 bytes allowed for a single element.
Store the total count of elements created and the offset to the start
of each element in the provided buffer.
Set the DTIM periods of non-transmitted profiles equal to the EMA
profile periodicity if those are not a multiple of the latter already as
recommended in IEEE Std 802.11ax-2021, Annex AA (Multiple BSSID
configuration examples).
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
When multiple BSSID advertisement feature is enabled in IEEE 802.11ax
mode or later, Beacon frames are not transmitted per interface, instead
only one of the interfaces transmits Beacon frames that include one or
more Multiple BSSID elements with configuration for the remaining
interfaces on the same radio.
Change the existing logic such that all configuration details for all
the interfaces are available while building the Beacon frame template
for the transmitting interface itself.
Do not change the flow for the cases where multiple BSSID advertisement
is not enabled.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Retrieve driver capabilities for the maximum number of interfaces for
MBSSID and the maximum allowed profile periodicity for enhanced MBSSID
advertisement.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add configuration option 'mbssid' used to enable multiple BSSID (MBSSID)
and enhanced multiple BSSID advertisements (EMA) features.
Reject the configuration if any of the BSSes have hidden SSID enabled.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Add a testing option to delay EAPOL-Key messages 1/4 and 3/4. By setting
delay_eapol_tx=1, the actual EAPOL Tx will occur on the last possible
attempt (wpa_pairwise_update_count) thus all previous attempts will fail
on timeout which is the wanted delay.
In addition, add an hwsim test that uses this testing option to verify
that non protected Robust Action frames are dropped prior to keys
installation in MFP.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Include the start of the next EAP method in an EAP Payload TLV in the
same message with the Crypto-Binding TLV for the previous EAP method to
get rid of one roundtrip when using more than a single EAP
authentication method within the tunnel. The previous, not optimized,
sequence can still be used with eap_teap_method_sequence=1 for more
complete testing coverage.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When using the optimized EAP method sequence within the tunnel, crypto
binding for the previous EAP method can be performed in the same message
with the start of the next EAP method. The Crypto-Binding TLV needs to
be processed before moving to the next EAP method for IMSK to be derived
correctly, so swap the order of these processing steps.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
While RFC 7170 does not describe this, EAP-TEAP has been deployed with
implementations that use the EAP-FAST-MSCHAPv2, instead of the
EAP-MSCHAPv2, way of deriving the MSK for IMSK. Use that design here to
interoperate with other implementations since that seems to be direction
that IETF EMU WG is likely to go with an RFC 7170 update.
This breaks interoperability with earlier hostapd/wpa_supplicant
versions.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
EAP-FAST uses a special variant of EAP-MSHCAPv2 called EAP-FAST-MSCHAPv2
in RFC 5422. The only difference between that and EAP-MSCHAPv2 is in how
the MSK is derived. While this was supposed to be specific to EAP-FAST,
the same design has ended up getting deployed with EAP-TEAP as well.
Move this special handling into EAP-MSCHAPv2 implementation so that it
can be shared for both needs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
With the UHB enabled, the number of scanned frequencies may exceed
the buffer size. Increase it.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support to consider EHT rates while calculating the estimated
throughput for scan results.
- The estimated EHT throughput uses the HE 0.8 usec GI rates from the
relevant EHT-MCS tables from IEEE P802.11be/D2.0, 36.5.
- The minimum SNR values for EHT rates (4096-QAM) are derived by adding
the existing minimum SNR values of 1024-QAM rates from HE tables and
the difference between the values of minimum sensitivity levels of
1024-QAM rates and 4096-QAM rates defined in Table 36-67 (Receiver
minimum input level sensitivity) in IEEE P802.11be/D2.0.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The arguments were swapped. Apparently all the calls to this function
use the same value for both input and output parameters, so it went
unnoticed. Fix it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This is needed to be able to drop the OpenSSL security level, if
necessary, for cases where old certificates (e.g., something using SHA-1
signatures) are still needed. openssl_ciphers="DEFAULT@SECLEVEL=0" can
achieve this, but only if applied before attempting to load the
certificates.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz. So lets automatically enable it by
setting sae_pwe=2. This will allow both the hunting-and-pecking and
hash-to-element to work (and be backward compatible).
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
The system may be interested in knowing which bootstrap information
entries are being exercised. This could be used for statistics or
completion signaling to upper application layer outside of hostapd,
along with the public key hash.
Signed-off-by: Michal Kazior <michal@plume.com>
Just like with WPA-PSK and keyids it may be desired to identify
connecting clients to provide additional network filtering.
This does:
- extend DPP_EVENT_AUTH_SUCCESS to expose public
key hash of the peer so the system can pick it
up and use for identification later
- store public key hash in PMKSA from DPP Network
Intro for later use
- extend sta mib to print out the dpp_pkhash
from PMKSA if present
- extend AP_STA_CONNECTED to include the
dpp_pkhash from PMKSA if present
Signed-off-by: Michal Kazior <michal@plume.com>
This event is generated in a couple of places. It'll be easier to extend
the event with additional metadata if it's generated in a single place.
Signed-off-by: Michal Kazior <michal@plume.com>
When considering a channel for a bandwidth of 40/80/160 MHZ on the 5 GHz
or 6 GHz band, allow selecting one of the other channels in the segment
instead of the first one. This is done only if the other channel's
interference_factor is lower than the first one's.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
When using 40/80/160 MHz bandwidth on the 5 GHz or 6 GHz band, enforce
the secondary channel to be the other channel of the corresponding 40
MHz segment.
Even if this is useless for now, this is preparatory work to allow ACS
to select a primary channel which is not the first of its segment.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
When using 40/80/160 MHz bandwidth, instead of computing the index of
the segment center freq based on the selected channel, lets look it up
in the bw_desc[] table.
This is preparative work to allow selecting a primary channel which is
not the first of the segment.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
This extracts the 3 lists of allowed channels for 40/80/160 MHz
bandwidth out of their respective functions. It also adds for each
segment the frequency of the segment's last channel and the index of the
segment's "center" channel.
This is preparative work to allow selecting a channel which is not the
first of its segment for 40/80/160 MHz. In addition, this adds the 5 GHz
160 MHz channel defined for 5735-5895 MHz (channels 149-177).
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Instead of opening a new TCP connection for each received Presence
Announcement from the same Enrollee from the Relay to the Controller,
use an existing connection if it is still waiting for Authentication
Response. This avoids opening multiple parallel sessions between the
same Controller and Enrollee.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
If wpa_supplicant receives a duplicate DPP chirp over a TCP connection
this causes the connection (and all of its state) to be torn down.
Such a tear-down means that the authentication request state is discarded.
That in turn will cause any otherwise valid authentication response
to not succeed.
This commit addresses that problem. It also does not attempt to check
for duplicates until at least we know that we have an appropriate hash.
Signed-off-by: Eliot Lear <lear@lear.ch>
Add a callback handler to notify details of a PMKSA cache entry when it
is added to the PMKSA cache. This can be used to provide external
components more convenient access to the PMKSA cache contents.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When using multiple BSSes on a single radio, it is sometimes desirable
to reconfigure one BSS, without disconnecting the stations already
connected to other BSSes on the same radio.
When a BSS is reconfigured using the SET command, there is no "old"
configuration we can compare to (so we cannot compare a hash of the
configuration for example).
One possible solution would be to make the current RELOAD command
reload only the current BSS. However, that could break the workflow of
existing users. Instead, introduce a new RELOAD_BSS command, which
reloads only the current BSS.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
In hostapd_clear_old() multiple steps are needed to clear a BSS.
There are some places where it would be desirable to clear only some
BSSes and not all.
To make it easier to clear only some BSSes, split hostapd_clear_old()
with hostapd_clear_old_bss(), which does the same actions but on a
single BSS.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
When using MAC randomization wpa_supplicant can change the local MAC
address during roaming scenario:
1. We attach to AP1 (with MAC1/SSID1).
2. Roaming to AP2 (with MAC2/SSID2) is started:
a) we send DEAUTH(for AP1, with MAC1)
b) we change MAC to MAC2 due to randomization
c) we start authentication for AP2
d) we get notification about DEAUTH for AP1 (which we ignore)
e) we complete association with AP2
In point 2d we completely ignore the notification which later causes
problems. This happens if the deauthentication event is generated by the
local driver (e.g., due to beacon loss) instead of AP2 sending an
explicit Deauthentication frame.
The intended behavior is as follows: during roaming we generate DEAUTH
(2a) and signal this event right away. To protect from handling of our
own DEAUTH for the 2nd time supplicant marks 'ignore_next_local_deauth'
variable. In point 2d we should receive this notification and clear the
flag but this does not happen because MAC1 in the notification is not
the current MAC address (it has been changed in 2b) so this notification
is ignored as a one with a "foreign" address.
So we end up successfully at AP2 but with 'ignore_next_local_deauth'
still set which causes problems. For example if AP2 shuts down it has
been observed on some drivers that the DEAUTH notification is generated
as a local one and since we have flag to ignore it nothing is reported
over D-Bus.
To address the problem let's store the previously used MAC address and
use it for checking for foreign address (in combination with the current
one).
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
This is a step in separating RSN and WPA(v1) processing of EAPOL-Key
frames into separate functions. This allows the implementation to be
simplified and potentially allows the validation rules to be made
stricter more easily. This is also a step towards allowing WPA(v1)
functionality to be removed from the build in the future.
Signed-off-by: Jouni Malinen <j@w1.fi>
The default provider is being loaded here explicitly only because
OSSL_PROVIDER_load() disables the fallback provider loading (on either
success or failure). If the legacy provider fails to load, which it may
in some configurations, it will never load the default provider.
Just use the formulation which attempts to load without changing the
fallback behavior.
"default" will still be/only be loaded if no other provider (notably
FIPS) is loaded to provide algorithms.
Signed-off-by: Norman Hamer <nhamer@absolute.com>
DES and RC4 are not allowed in such builds, so comment out des_encrypt()
and rc4_skip() from the build to force compile time failures for cases
that cannot be supported instead of failing the operations at runtime.
This makes it easier to detect and fix accidental cases where DES/RC4
could still be used in some older protocols.
Signed-off-by: Norman Hamer <nhamer@absolute.com>
CONFIG_NO_RC4=y could have been used to remove this functionality, but
it might as well be done automatically based on CONFIG_FIPS=y as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
PMKSA caching for the FT initial mobility domain association was fully
defined in IEEE Std 802.11-2020. The state before that was unclear and
there has been interoperability issues in this area, so use of PMKSA
caching with FT-EAP has been disabled in wpa_supplicant by default.
The wpa_supplicant and hostapd implementation of PMKSA caching for FT
ended up using an earlier default mechanism (SHA-1) for deriving the
PMKID when using the FT-EAP. This does not match what got defined in
IEEE Std 802.11-2020, 12.11.2.5.2 (SHA256). It is not really desirable
to use SHA-1 for anything with FT since the initial design of FT was
based on SHA256. Furthermore, it is obviously not good to differ in
behavior against the updated standard. As such, there is sufficient
justification to change the implementation to use SHA256 here even
though this ends up breaking backwards compatibility for PMKSA caching
with FT-EAP.
As noted above, this is still disabled in wpa_supplicant by default and
this change results in PMKSA caching not working only in cases where it
has been enabled explicitly with ft_eap_pmksa_caching=1. Those cases
recover by falling back to full EAP authentication.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add QCA_WLAN_VENDOR_ATTR_CONFIG_WFC_STATE vendor attribute. Userspace
uses this attribute to configure wfc state to the driver/firmware. The
driver/firmware uses this information to optimize power savings, rate
adaption, roaming, etc.
Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
IEEE Std 802.11-2020, 12.4.7.6 says that status code CHALLENGE_FAILURE,
needs to be sent in case the verification action fails for SAE Confirm
message frame from a STA: "An SAE Confirm message, with a status code
not equal to SUCCESS, shall indicate that a peer rejects a previously
sent SAE Confirm message. An SAE Confirm message that was not
successfully verified is indicated with a status code of
CHALLENGE_FAILURE."
hostapd, however, did not use this status code for this case. In
ieee802_11.c the function sae_check_confirm() is called and in case of
verification failure (-1 is returned), the response is set to
WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). Fix this to use
CHALLENGE_FAILURE.
Signed-off-by: Koen Van Oost <koen.vanoost@airties.com>
Signed-off-by: Mert Ekren <mert.ekren@airties.com>
Explicitly check for invalid cases where the configured channel and
bandwidth might result in the full channel number range going beyond the
list of supported channels to avoid reading beyond the end of the
channel buffer.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The SA/DA checks needs to be reversed for the TX case.
Fixes: 8481c750 ("PASN: Fix Authentication frame checks")
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
If an AP is started on a DFS channel (or any channels within its
bandwidth require DFS) and DFS is offloaded to the driver, hostapd needs
to wait for CAC to complete. But the driver may not do CAC and just
switches to a non-DFS channel instead. This would result in a failure to
start the AP because hostapd fails to receive a CAC complete event and
cannot finish interface setup.
Skip CAC and complete AP setup in the channel switch event handler for
this case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add CLOSE_LOG command to stop hostapd logging to file. This can be
followed with RELOG to restart logging to the same file path.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Add a new subcommand QCA_NL80211_VENDOR_SUBCMD_DOZED_AP to configure
doze mode state on an AP interface. This is also used as an event to
indicate the updated configuration. In doze mode, AP transmits
beacons at higher beacon intervals and RX is disabled.
Uses attributes defined in enum qca_wlan_vendor_attr_dozed_ap.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
During the roam scan, if there are no desired APs found in the partial
frequency list, an immediate full scan on all the supported frequencies
is initiated as a fallback. This would include the 6 GHz PSC
frequencies. Define an attribute to allow that behavior to be modified
to include PSCs only if 6 GHz use has been detected.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When the RADIUS server requests a STA to be deauthenticated imminently
without providing a reason URL, there is no need to allow the STA spend
any additional time associated. Deauthenticate the STA immediately after
it has ACK'ed the WNM-Notification frame indicating imminent
deauthentication or at latest two seconds after having processes the
Access-Accept message.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Currently sta_mlo_info.req_links is not getting cleared before
populating the requested links information for a new connection/roam
event. This is causing wrong requested links bitmap in
sta_mlo_info.req_links if there is a change in requested link IDs
between the previous and the new connection. To avoid such issues fully
clear MLO connection information after disconnection and before
populating MLO connection information during (re)association event.
Fixes: cc2236299f ("nl80211: Get all requested MLO links information from (re)association events")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
IGTK and BIGTK MLO KDEs should be validated only when the AP sends them
in EAPOL-Key msg 3/4. Though IEEE P802.11be/D2.2 mandates MLO AP to
enable PMF and Beacon Protection features there is no text to mandate a
STA to discard connection when the MLO AP doesn't send IGTK and BIGTK
MLO KDEs in EAPOL-Key msg 3/4 for a link. Also, fix
wpa_sm->mgmt_group_cipher checks before processing MLO IGTK and BIGTK
MLO KDEs.
Fixes: f15cc834cb ("MLD STA: Processing of EAPOL-Key msg 3/4 frame when using MLO")
Fixes: 8f2e493bec ("MLD STA: Validation of MLO KDEs for 4-way handshake EAPOL-Key frames")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
During the roam scan, if there are no desired APs found in the partial
frequency list, an immediate full scan on all the supported frequencies
is initiated as a fallback. This flag controls the frequency list
creation for full scan on the following lines.
1 - Full scan to exclude the frequencies that were already scanned by
the previous partial scan.
0 - Full scan to include all the supported frequencies irrespective of
the ones already scanned by partial scan.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Taking sizeof(ptr) is incorrect to determine size of passed in hash and
results in hlen getting set to a very large value since MD5_MAC_LEN >
sizeof(ptr). Provide the actual size of the hash buffer from the caller
to fix this.
tls_key_x_server_params_hash() callers src/tls/tlsv1_client_read.c and
src/tls/tlsv1_server_write.c both pass in a large enough hash (hash[64]
or hash[100]) that this does not appear to have an impact, though it is
still wrong.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This new value was added to verify peer certificate if it is provided,
but not reject the TLS handshake if no peer certificate is provided.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
The dev pointer could potentially be NULL here in some P2PS cases, so
check it explicitly before dereferencing it when checking for 6 GHz
capability.
Fixes: b9e2826b9d ("P2P: Filter 6 GHz channels if peer doesn't support them")
Signed-off-by: Jouni Malinen <j@w1.fi>
Try to make the bounds checking easier for static analyzers by checking
each length field separately in addition to checking them all in the end
against the total buffer length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Try to avoid static analyzer warnings due to use of the FTE length
field instead of the separately stored and validated length field value
when deriving FTE MIC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Try to avoid static analyzer warnings due to use of the RSNE length
field instead of the separately stored and validated length field value
when deriving FTE MIC.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 25b52e5f83 ("FT: Extend FTE parsing for FT-SAE-EXT-KEY") used
possible MIC length iteration to try to figure out the length of the MIC
field in FTE. That was the only option available at the time, but FTE is
now being extended in IEEE 802.11-REVme to explicitly indicate the
length of the MIC field for the new FT-SAE-EXT-KEY AKM to make this
easier.
Use the new design from the approved comment resolution (*) in
REVme/D2.0 ballot CID 3135 to simplify implementation. This gets rid of
the need to pass in key length and the somewhat strange need_{r0kh,r1kh}
parameters to wpa_ft_parse_ies().
(*)
https://mentor.ieee.org/802.11/dcn/22/11-22-1991-02-000m-proposed-resolutions-to-some-lb270-comments.docx
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to avoid trying the subsequent connections with the old
PMKID that the AP claims not to hold and continues connection failures.
This was already handled for the SME-in-the-driver case in commit commit
50b77f50e8 ("DPP: Flush PMKSA if an assoc reject without timeout is
received"), but the wpa_supplicant SME case did not have matching
processing.
Add the needed check to avoid recover from cases where the AP has
dropped its PMKSA cache entry. Do this only based on the specific status
code value (53 = invalid PMKID) and only for the PMKSA entry that
triggered this failure to minimize actions taken based on an unprotected
(Re)Association Response frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
The addition of the "spa" argument was missed in the empty inline
function.
Fixes: 9ff778fa4b ("Check for own address (SPA) match when finding PMKSA entries")
Signed-off-by: Jouni Malinen <j@w1.fi>
Depending on the crypto library, crypto_ec_point_from_bin() can fail if
the element is not on curve, i.e., that error may show up before getting
to the explicit crypto_ec_point_is_on_curve() check. Add a debug print
for that earlier call so that the debug log is clearly identifying
reason for rejecting the SAE commit message.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This prevents attempts of trying to use PMKSA caching when the existing
entry was created using a different MAC address than the one that is
currently being used. This avoids exposing the longer term PMKID value
when using random MAC addresses for connections.
In practice, similar restriction was already done by flushing the PMKSA
cache entries whenever wpas_update_random_addr() changed the local
address or when the interface was marked down (e.g., for an external
operation to change the MAC address).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to be able to determine whether a PMKSA cache entry is
valid when using changing MAC addresses. This could also be used to
implement a mechanism to restore a previously used MAC address instead
of a new random MAC address.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Using separate variables for BSSID and peer address is needed to support
Wi-Fi Aware (NAN) use cases where the group address is used as the BSSID
and that could be different from any other peer address. The
infrastructure BSS cases will continue to use the AP's BSSID as both the
peer address and BSSID for the PASN exchanges.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Rename struct pasn_data::bssid to peer_addr to be better aligned with
different use cases of PASN and its extensions. This is a step towards
having option to use different peer address and BSSID values for NAN use
cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Kernel commit 22e76844c566 - ("ieee80211: Increase PMK maximum length to
64 bytes") increased the maximum allowed length for NL80211_ATTR_PMK to
64 bytes. Thus, allow sending 64 bytes PMK in NL80211_CMD_SET_PMKSA and
if NL80211_CMD_SET_PMKSA fails with ERANGE try NL80211_CMD_SET_PMKSA
again without PMK. Also, skip sending PMK when PMK length is greater
than 64 bytes.
This is needed for some newer cases like DPP with NIST P-521 and
SAE-EXT-KEY with group 21. The kernel change from 48 to 64 octets is
from February 2018, so the new limit should be available in most cases
that might want to use these new mechanisms. Maintain a backwards
compatible fallback option for now to cover some earlier needs for DPP.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
wpa_supplicant has support for only a single FT key hierarchy and as
such, cannot use more than a single mobility domain at a time. Do not
allow FT protocol to be started if there is a request to reassociate to
a different BSS within the same ESS if that BSS is in a different
mobility domain. This results in the initial mobility domain association
being used whenever moving to another mobility domain.
While it would be possible to add support for multiple FT key hierachies
and multiple mobility domains in theory, there does not yet seem to be
sufficient justification to add the complexity needed for that due to
limited, if any, deployment of such networks. As such, it is simplest to
just prevent these attempts for now and start with a clean initial
mobility domain association.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
There is no help from seeing 32 lines of debug prints about clearing
AP's RSNE/RSNXE information for each potential link when such
information has not been set in the first place. These were printed even
when there is no use of MLO whatsoever, so get rid of the prints for any
case where the value has not yet been set.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Alliance specification for Automated Frequency Coordination (AFC)
system ensures that the Standard Power Wi-Fi devices can operate in 6
GHz spectrum under favorable conditions, without any interference with
the incumbent devices.
Add support for vendor command/events and corresponding
attributes to define the interface for exchanging AFC requests and
responses between the driver and a userspace application.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 820211245b ("OpenSSL: Fix HPKE in some corner cases") increased
the buffer size for EVP_PKEY_derive() by 16 octets, but it turns out
that OpenSSL might need significantly more room in some cases. Replace a
fixed length buffer with dynamic query for the maximum size and
allocated buffer to cover that need.
This showed up using the following test case sequence:
dbus_pkcs11 module_wpa_supplicant
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The length of labeled_info is determined separately, so there is no need
to increment the pos pointer after the final entry has been added.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Not only the hash[] array, but also the r0_key_data[] array needs to be
extended in size to fit the longer key and salt.
Fixes: a76a314c15 ("FT: Extend PMK-R0 derivation for FT-SAE-EXT-KEY")
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support for group rekeying in MLO connection. Parse per link MLO
GTK/IGTK/BIGTK KDEs from Group Key msg 1/2 and configure to the driver.
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Use AP MLD address as the destination address for EAPOL-Key 4-way
handshake frames since authenticator/supplicant operates above MLD. The
driver/firmware will use RA/TA based on the link used for transmitting
the EAPOL frames.
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Validate new KDEs defined for MLO connection in EAPOL-Key msg 1/4 and
3/4 and reject the 4-way handshake frames if any of the new KDE data is
not matching expected key data.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Process EAPOL-Key msg 3/4 and configure PTK and per-link GTK/IGTK/BIGTK
keys to the driver when MLO is used.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add support to specify a Link ID for set key operation for MLO
connection. This does not change the existing uses and only provides the
mechanism for extension in following commits.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Configure TK to the driver with AP MLD address with MLO is used. Current
changes are handling only EAPOL-Key 4-way handshake and FILS
authentication cases, i.e., FT protocol case needs to be addressed
separately.
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Use the AP MLD address instead of the BSSID of a link as the
authenticator address in the PMKSA entry.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Use AP MLD address to derive pairwise keys for MLO connection. Current
changes are handling only PTK derivation during EAPOL-Key 4-way
handshake and FILS authentication, i.e., FT protocol case needs to be
addressed separately.
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add new KDEs introduced for MLO connection as specified in
12.7.2 EAPOL-Key frames, IEEE P802.11be/D2.2.
- Add MAC and MLO Link KDE for each own affliated link (other than the
link on which association happened) in EAPOL-Key msg 2/4.
- Add MAC KDE in 4/4 EAPOL frame.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Update the following MLO connection information to wpa_sm:
- AP MLD address and link ID of the (re)association link.
- Bitmap of requested links and accepted links
- Own link address for each requested link
- AP link address, RSNE and RSNXE for each requested link
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Currently only accepted MLO links information is getting parsed from
(re)association events. Add support to parse all the requested MLO links
information including rejected links. Get the rejected MLO links
information from netlink attributes if the kernel supports indicating
per link status. Otherwise get the rejected MLO links information by
parsing (Re)association Request and Response frame elements.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Make sure the elements were present before trying to parse them. This
was already done for most cases, but be consistent and check each item
explicitly before use.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous version was using typecasting to ignore const marking for
the input buffer to be able to clear the MIC field for MIC calculation.
That is not really appropriate and could result in issues in the future
if the input data cannot be modified. Fix this by using an allocated
copy of the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The way type and subtype of the FC field was checked does not really
work correctly. Fix those to check all bits of the subfields. This does
not really make any practical difference, though, since the caller was
already checking this.
Furthermore, use a helper function to avoid having to maintain two
copies of this same functionality.
Signed-off-by: Jouni Malinen <j@w1.fi>
Document in src/crypto/crypto.h that compressed point format is expected
in DER produced by crypto_ec_key_get_subject_public_key(). This is the
format needed for both SAE-PK and DPP use cases that are the current
users of this function.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
For the 6 GHz opclass 132, ch for loop only allows non-PSC channels { 1,
9, 17, 25, 33, 41, 49,... } to be used. This does not match the IEEE Std
802.11ax-2021 expectation of a 6 GHz-only AP "should set up the BSS with
a primary 20 MHz channel that coincides with a preferred scanning
channel".
Increase ch by 4 to allow PSC channel to be used for 6 GHz BW40.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It's necessary to maintain knowledge of the 6 GHz capability of the
peer. Since the Device Capability field migth change between frames
depending on the context in which they are used, loooking at the last
received message might not always provide accurate information.
Add supports_6ghz bool variable in struct p2p_device, initialize it to
false and set to true if the P2P_DEV_CAPAB_6GHZ_BAND_CAPABLE bit is set
to 1 in any P2P frame that includes the P2P Capability attribute. This
boolean would not be cleared to false at any point in time so that the
info doesn't disappear dynamically.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a new vendor subcommand
QCA_NL80211_VENDOR_SUBCMD_MLO_PEER_PRIM_NETDEV_EVENT to send notification
to application layer about primary netdev of an MLO peer association.
Also define the attributes present in this subcommand.
Signed-off-by: Krunalsinh Padhar <quic_kpadhar@quicinc.com>
Introduce a run time roam configuration for "hand off delay for RX".
This value, in milliseconds, will delay the hand off for the specified
time to receive pending RX frames from the current BSS.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
libpasn.so users, e.g., Wi-Fi Aware module, could use this function
while deriving protocol specific keys using KDK. Move this function to
global scope to allow that.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
struct wpas_pasn is common to both initiator and responder, so rename it
to pasn_data to avoid the "wpas_" prefix that could be seen as a
reference to wpa_supplicant (PASN initiator).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware uses PASN handshake to authenticate peer devices. Devices
can simply verify each other for subsequent sessions as long as the keys
remain valid after authentication has been successful and pairing has
been established.
In pairing verification, Wi-Fi Aware devices uses PASN Authentication
frames with custom PMKID and Wi-Fi Aware R4 specific verification IEs.
It does not use wrapped data in the Authentication frames. This function
provides support to construct PASN Authentication frames for pairing
verification.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Make it clear that this argument is not modified and freed within PASN
processing to be consistent with the only use of it by calling
wpas_pasn_build_auth_1() which has already marked it const.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware defines protocol specific elements in PASN Authentication
frames for pairing setup. Add an option to add this type of custom
elements into PASN frames. This is mainly for the libpasn.so use cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PASN responder validates auth 1 frame and sends auth 2 frame to the
initiator. It analyses the auth 3 frame and verifies successful
authentication. Wi-Fi Aware modules can reuse this functionality through
a shared library libpasn.so generated from this code. Move the PASN
functionality that is now decoupled from the hapd context into a
separate file in a common directory to make it easier to build such a
library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PASN initiator functionality builds auth 1 and auth 3 frames, and
processes auth 2 frame received from the responder. Wi-Fi Aware modules
can reuse this functionality through a shared library libpasn.so
generated from this code. Move the PASN functionality that is now
decoupled from the wpa_s context into a separate file in a common
directory to make it easier to build such a library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is helpful in being able to get the functionality needed for SAE
into a separate library (libpasn.so) without needing all of the
ieee802_11.c functionality.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification defines Beacon RSNE/RSNXE to be same as
RSNE/RSNXE present in Auth2 frame. So, MIC validation should be done
with the RSNE and RSNXE received in Auth2 frame.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification introduces a custom PMKID derived from
Nonce and TAG. This custom PMKID is included in PASN Authentication
frames during pairing verification. So, allow use of a custom PMKID in
PASN frames and validate it using a function handler. Wi-Fi Aware
component that uses libpasn.so should take care of validating the custom
PMKID.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Introduce a function handler to transmit PASN Authentication frames to
the driver. This removes the hapd dependency for sending the frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTK is stored in the PTKSA cache following a successful PASN handshake,
however AKMP is removed upon a WPA PASN reset. The PASN handshake is
used in the Wi-Fi Aware R4 specification to define the pairing setup
process. KDK is used to generate a new set of keys, while AKMP is
required for key derivation for pairing. So, keep AKMP in the PTKSA
cache.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
