The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.
Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.
Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
* 0 = do not require Phase 2 authentication
* 1 = require Phase 2 authentication when client certificate
(private_key/client_cert) is no used and TLS session resumption was
not used (default)
* 2 = require Phase 2 authentication in all cases
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to match the key configuration design with a single
netdev and the nl80211 driver interface.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This is needed for the driver to know on which link it should transmit
the frames in MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This includes:
- Modifications of the driver API, to include the link ID as part
of 'struct hostapd_freq_params'.
- Modifications to nl80211 driver.
- Modifications for the driver wrappers.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support to indicate link reconfiguration event reported by the QCA
vendor interface to the wpa_supplicant control interface.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add support to indicate TID-to-link mapping changes reported by the QCA
vendor interface to the wpa_supplicant control interface.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
The Linux kernel expects to use the AP MLD address in
NL80211_ATTR_PREV_BSSID for reassociation requests when the current
association is MLO capable.
Previously, wpa_supplicant was using the BSSID value in
NL80211_ATTR_PREV_BSSID even if the connection is MLO capable. Fix this
by sending the AP MLD address in NL80211_ATTR_PREV_BSSID for
reassociation requests when MLO is used.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
In some cases like unknown-group rejection, AP MLD can't parse the
received Authentication frame to the point of the Multi-Link element if
the group used by the peer is unknown to the AP MLD.
In such cases, AP MLD not including Multi-Link element in rejection
Authentication frames can be considered as standard compliant since AP
MLD doesn't know whether the received Authentication frame has
Multi-Link element or not.
To avoid connection issues in such cases, don't reject Authentication
frames without Multi-Link element when status code is other than
WLAN_STATUS_SUCCESS, WLAN_STATUS_SAE_HASH_TO_ELEMENT,
WLAN_STATUS_SAE_PK, and WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
When starting a new BSS as AP mode, the network configs have been passed
in from the BSS config. There is no need to scan before creating a new
BSS. Reuse connect_without_scan structure member to bypass scan when the
mode is WPAS_MODE_AP.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
If IEEE8021X_EAPOL is not defined wpa_supplicant will not compile with
following error:
events.c: In function 'wpa_supplicant_connect':
events.c:1827:14: warning: implicit declaration of function 'eap_is_wps_pbc_enrollee' [-Wimplicit-function-declaration]
1827 | if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
| ^~~~~~~~~~~~~~~~~~~~~~~
events.c:1827:43: error: 'struct wpa_ssid' has no member named 'eap'
1827 | if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
| ^~
Add ifdef statements around the calling function to fix the issue.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Some of the information elements added in IEEE Std 802.11ax-2013 for VHT
purposes have since then been taken into use for other cases and renamed
to remove the "VHT" prefix in the standard. Update the defines for those
elements in the implementation to match the names used in the current
standard.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant was skipping MLD APs from network selection when the AP
advertise legacy open, WPA2-Personal-only (PSK without SAE), or PMF
disabled. However, there are already some early Wi-Fi 7 APs in the
market which advertise legacy open, WPA2-Personal-only, or PMF disabled
even though these combinations are unlikely to be allowed for Wi-Fi 7 in
the end.
To avoid connectivity issues with such APs, allow stations to connect
with MLO disabled when an AP MLD is detected to advertise legacy open,
WPA2-Personal-only (PSK without SAE), or PMF disabled.
This reverts commit 7d8b96dcfd ("wpa_supplicant: Apply same
restrictions for MLD as for 6 GHz BSS") except WEP and TKIP checks,
i.e., AP MLDs which advertise only WEP or TKIP are still skipped from
network selection.
For the SME-in-wpa_supplicant case, skip configuring MLD parameters to
the driver if the STA can connect only in legacy open,
WPA2-Personal-only, or PMF disabled mode. For the SME-in-driver case, it
is the driver's responsibility to initiate connection with MLO disabled
with such APs.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The driver-initiated BSS selection case and the "Network configuration
found for the current AP" case ended up clearing the RSN state machine
information on AP RSNE/RSNXE. That could result in incorrect behavior if
some key management operations depended on accurate information. For
example, this could result in not deriving the KDK as part of the PTK
derivation and failing to complete 4-way handshake if both the AP and
the STA indicated support for Secure LTF.
If the scan results for the selected BSS are available, use those to
update the RSN state machine AP RSNE/RSNXE similarly to the way this is
done with wpa_supplicant selects the BSS instead of clearing that
information in the RSN state machine.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It is possible for a new BSS entry to be added for the
hidden-SSID-OWE-BSS when running a new scan after having previously
learned the hidden SSID during a previous OWE connection attempt. That
new entry would not necessarily have the WPA_BSS_OWE_TRANSITION flag set
and that would result in not being able to recognize the appropriate OWE
profile when checking the association event against the transition mode
configuration.
Fix this by updating the BSS entry for OWE transition mode information
for the cases where this might happen.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Print correct expected AP MLD address information when the AP MLD
address validation fails in Authentication frames during external
authentication.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Fail MLD address validation only if Authentication frames IE parsing
actually failed, i.e., ignore all unknown IEs.
This is needed to avoid authentication failure when the Authentication
frames include IEs which are not handled by ieee802_11_parse_elems(),
e.g., AKM Suite Selector IE.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Export the "he" network profile item to be configurable from external
client side, like wpa_cli or NetworkManager. This follows the earlier
changes to allow the previously internal-only parameter (e.g., vht) to
be used for additional purposes for AP mode.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
In theory, each device that supports WMM (or the IEEE 802.11 QoS for
that matter) is expected to advertise how many replay counters it
supports and the peer device is supposed to use that information to
restrict the total number of different MSDU priorities (AC/UP) that
might be used. In practice, this is not really done in deployed devices
and instead, it is just assumed that everyone supports the eight
different replay counters so that there is no need to restrict which
MSDU priorities can be used.
hostapd implementation of WMM has advertised support for 16 PTKSA replay
counters from the beginning while wpa_supplicant has not had any code
for setting the supported replay counter fields in RSNE, i.e., has left
the value to 0 which implies that only a single replay counter is
supported. While this does not really result in any real issues with
deployed devices, this is not really correct behavior based on the
current IEEE 802.11 standard and the WMM specification.
Update wpa_supplicant to use similar design to the hostapd RSNE
generation by setting the number of supported PTKSA replay counters to
16 whenever WMM is enabled. For now, this is done based on the
association being for HT/VHT/HE/EHT and also based on the AP supporting
WMM since it is much more likely for the local device to support WMM and
eight replay counters (which can be indicated only with the value that
implies support for 16 counters since there is no separate value for 8).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add the channels 165 and 173 in allowed channels for ht40_plus. Also add
the allowed frequency 5825 (channel 165; channel center frequency index
171) for 80 MHz bandwidth.
Signed-off-by: Seevalamuthu Mariappan <quic_seevalam@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
The STATUS command showed the interface state as SCANNING even if mesh
bringup fails. This incorrect interface status can mislead
scripts/applications that rely on interface status to bring up different
type of virtual interfaces (AP/MESH) on a single radio.
Fix this by setting the interface status as INACTIVE if mesh bringup
fails.
Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
Retrieve the puncturing bitmap sent by the driver in channel switch
events and add a new member punct_bitmap in struct ch_switch to store
it.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add mesh_eht_enabled and eht ssid configuration parameters to include
EHT Capability and EHT Operation elements in mesh PLINK Action frames.
Update mesh_eht_enabled from EHT capability advertised for mesh mode.
Signed-off-by: Sathishkumar Muruganandam <quic_murugana@quicinc.com>
Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
Multi link stations are represented in the kernel using a single
station with multiple links and the first ADD_STA command also
creates the first link. Subsequent links should be added with
LINK_ADD commands.
Implement this logic and provide the required MLD information per
station/link.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add wowlan_disconnect_on_deinit=1 to wpa_supplicant_template, as
Android expects STA to be disconnected when wpa_supplicant is
terminated.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Currently, the PMK used by the driver is not updated to wpa_sm when
roaming is completed by the driver with the cached PMKSA and the
roam+auth event is indicated with the authorized flag.
To fix this, identify the PMKSA entry from the PMKID sent in
Reassociation Request frame and update the correct PMK to wpa_sm from
the PMKSA entry.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The flags that indicate that a channel is allowed for 80/160 MHz use
are divided according to the position of the control channel (e.g.,
HOSTAPD_CHAN_VHT_10_70, HOSTAPD_CHAN_VHT_30_50, etc.).
However, the position of the control channel does not add any extra
regulatory information because when trying to use a 80/160 MHz channel
all the desired bandwidth has to be allowed for 80/160 MHz use,
regardless of the control channel position.
In addition, these flags are set only if the driver reports one
regulatory rule that allows the entire 80/160 MHz bandwidth.
However, even when a 80/160 MHz channel is allowed, in some cases the
bandwidth will be split into several regulatory rules because
different segments of the bandwidth differ in other flags (that don't
affect the use of the bandwidth for VHT channels). So, in such cases
these flags will not be set, although VHT channels are allowed.
As the result, VHT channels will not be used although they are allowed
by the regulatory domain.
Fix this by introducing new flags that indicate if a 2 0MHz channel is
allowed to be used as a part of a wider (80/160 MHz) channel.
The new flags are set for each 20 MHz channel independently and thus
will be set even if the regulatory rules for the bandwidth are split.
A 80/160 MHz channel is allowed if all its 20 MHz sub-channels are
allowed for 80/160 MHz usage.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This allows the control interface to be used similarly to the way D-Bus
interface was extended to force a specific GO BSSID for optimizing
scanning.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow clients to specify the BSSID of an auto GO. If the auto GO has been
discovered on another interface, optimize scan frequency by performing
a single channel scan first. Android and ChromeOS use this to streamline
auto GO discovery.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
This enables connection managers to receive and use this information in
the same manner that other station information is exposed.
Signed-off-by: David Ruth <druth@chromium.org>
As a workup action during disassociation, wpa_supplicant checks if the
disconnection could have been caused by PSK mismatch during WPA 4-way
handshake with function could_be_psk_mismatch() in event.c. A MSG_INFO
message will be sent on the control interface when there could be a PSK
mismatch, and this heuristic can be useful to indicate if the
disconnection is caused by a wrong passphrase provided by the user.
Here, propagate a new D-Bus signal 'PskMismatch' to notify other
applicantions.
Signed-off-by: Yichen Yu <yichenyu@chromium.org>
- Do not try to enable 80 MHz if 40 MHz is disabled or not selected (e.g.,
due to obss_scan).
- If it is not possible to use 80 HMz or even 40 MHz, still attempt to
configure HE40/VHT40/HE20/VHT20 instead of bailing out.
- When bailing out, also disable HE.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
If the PHY supports both 5 GHz and 6 GHz bands, there will be two
different struct hostapd_hw_modes with mode HOSTAPD_MODE_IEEE80211A,
one for each band, with potentially different capabilities.
Check that the struct hostapd_hw_modes actually contains the frequency
before selecting it.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
ibss_mesh_setup_freq() has become a 342 line function with 23 local
variables, 1 or 2 goto labels depending on ifdefs and its logic is
quite unpredictable.
Split it into multiple functions. No functional change intended, it
should be bug-compatible with the original code, except for some log
messages that are skipped more often.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Add a new network profile option enable_4addr_mode=1 that puts an
interface in 4addr mode, for interfaces meant to be added to a bridge.
Signed-off-by: Konstantinos Natsakis <infradead.org@aleph-0.net>
wpa_supplicant_need_to_roam_within_ess() applies bias to the minimum
difference of the signal level required to roam if the roam is from 2.4
GHz to higher band, but doesn't apply bias if the roam is from a lower
band to 6 GHz. Add bias towards 6 GHz, as 6 GHz networks usually provide
higher throughput.
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
Move the logic of picking the best driver pref freq into a separate
function, and use this to extend the functionality for invitation
process.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Enable MLO for SAE authentication when the driver indicates the AP MLD
address in an external authentication request. The MAC address of the
interface on which the external authentication request received will be
used as the own MLD address.
This commit does below for enabling MLO during external SAE
authentication:
- Use MLD addresses for SAE authentication.
- Add Basic Multi-Link element with the own MLD address in SAE
Authentication frames.
- Send SAE Authentication frames with the source address as the own MLD
address, destination address and BSSID as the AP MLD address to the
driver.
- Validate the MLD address indicated by the AP in SAE Authentication
frames against the AP MLD address indicated in external authentication
request.
- Store the PMKSA with the AP MLD address after completing SAE
authentication.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The initial MACsec implementation required the EAP Session-Id to be at
least 65 octets long and by truncating the value to that length, the
practical limit of functional cases was limited to that exact length of
65 octets. While that happens to work with EAP method that use TLS, it
does not work with most other EAP methods.
Remove the EAP Session-Id length constraint and allow any length of the
Session-Id as long as the EAP method provides one. In addition, simplify
this be removing the unnecessary copying of the Session Id into a new
allocated buffer.
Fixes: dd10abccc8 ("MACsec: wpa_supplicant integration")
Fixes: a93b369c17 ("macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
python2 is deprecated so move script to python3.
While at it, make some minor adjustments.
Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
While checking for stale BSSes, the current time is used as a basis and
then based on age the stale check time is calculated, but if this is
done too early in the boot and if either BOOTTIME/MONOTONIC (the one
Zephyr uses by default) are used then the stale check time underflows
and goes to future causing active BSS entries in the scan to be treated
as stale and flushed.
Fix this by adding a check before calculating stale time and ignore this
check till the system reaches the BSS expiration time (this would never
happen with REALTIME clock).
Signed-off-by: Krishna T <krishna.t@nordicsemi.no>
Signed-off-by: Sridhar Nuvusetty <sridhar.nuvusetty@nordicsemi.no>
The RO variable is being assigned before the SSID is NULL checked, so,
any invalid configuration leads to a segmentation fault.
Fixes: d8d2b3a338 ("Implement read-only mode for SSIDs from the additional config (-I)")
Signed-off-by: Chaitanya Tata <chaitanya.tk17@gmail.com>
The previous implementation handles PMKSA cache attempts with AP MLD
address only for SME-in-wpa_supplicant cases since wpa_s->valid_links
wouldn't be set for SME-in-driver cases.
Fix SME-in-driver behavior by enabling PMKSA cache attempts with AP MLD
address when driver supports MLO and SME offload to driver.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Store PMKSA with AP MLD address while processing connect event for OWE
and FILS when the connection is MLO capable.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
It was possible to hit a case where the SAE PT had not yet been derived,
e.g., when using P2P group re-invocation. Update PT use at the time
authentication is started, if needed, to avoid this. While this is not
really ideal from the externally observable timing view point, this is
done only for the case where there is no other option available with a
dynamically changing network configuration for P2P. Similar design was
already in place for the SAE offload-from-driver (external auth) case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Both P2P GO and client always save key_mgmt = WPA_KEY_MGMT_PSK in the
configuration when storing a persistent group. Next time, when a GO is
started as an autonomous GO on a 6 GHz channel, it will change key_mgmt
to SAE and use hash-to-element mechanism, but the P2P client doesn't
change the parameter even if the group it wants to join is operating on
a 6 GHz channel. The P2P connection will be failed due to reason 'reject
due to mismatch with WPA/WPA2'.
Enable SAE-H2E for P2P client in this case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 3a0edb2cd8 ("SAE: Enable H2E for 6 GHz BSS") started enabling
H2E automatically for SAE use on the 6 GHz band, but it did not update
these steps in verifying whether the STA has matching configuration for
a BSS that mandates use of H2E and whether to use PT for SAE in SME.
Update these to be aware of automatic H2E enabling.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
ssid->ocv is defined within CONFIG_OCV block, so the use for it needs to
match.
Fixes: dc7e330e0b ("Set OCV capability based on Association Request frame RSNE")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Currently, OCV self-capability is being set into the RSN supplicant
state machine only during the initial connection and never getting
updated. But for the driver-SME cases the driver may enable/disable OCV
in (Re)Association Request frame RSNE based on the AP chosen to roam.
This will lead to missing synchronization between wpa_supplicant and the
driver. Thus, update OCV self-capability in the wpa_supplicant RSN state
machine based on the (Re)Association Request frame RSNE indicated in the
connect response.
Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
The check for PBC overlap on a partner link should not be done unless
the current interface is actually in active PBC mode. Furthermore, the
wpa_s->wps_overlap variable needs to be cleared in additional places to
avoid leaving it set indefinitely.
This was found with the following test case sequence:
dbus_wps_pbc_overlap dbus_p2p_two_groups
Fixes: b43e19f3f3 ("WPS: Cross band overlap detection with multiple interfaces")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit ace0fbdb69 ("P2P: Fix segfault when PBC overlap is detected")
removed the external calls to this function, but did not mark it static.
Mark it static now to clarify expected uses through the
wpas_p2p_pbc_overlap_cb() timer handler.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
There was a race condition between the NFC handover requester and
selector role processing that ended up not sending out the alternative
proposal in some cases. Catch those at the end of
run_dpp_handover_client() processing (or immediately after returning
from that function without having sent out the alternative proposal).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
IEEE Std 802.11ax-2021, 12.12.2 requires this, so force MFPR=1 when
associating on the 6 GHz band so that ieee80211w=1 (i.e., MFPC=1 MFPR=0)
configuration can be used to get MFPC=1 behavior on other bands and
MFPR=1 on the 6 GHz band.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow specifying preferred GO band in addition to frequency. If a band
is specified, the first two scans will be limited to only non-DFS
channels to shorten scan times, and the next two will scan the entire
band.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Now that we check in PMKSA cache code whether the entry was created for
the same local address, it is fine to leave the old entries in the cache
even if we have changed addresses. This allows a valid PMKSA cache entry
to be used when restoring the same MAC address for the same ESS.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the implementation more readable by sharing the same set of
enum values for all the parameters related to what kind of random MAC
addresses are used.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_s->last_mac_addr_change.sec might be zero in the special case of UML
testing with time travel since it would be possible to complete the test
case steps within one second of the system start.
Signed-off-by: Jouni Malinen <j@w1.fi>
When MAC address randomization settings change we should use a new MAC
address even if we are associating to the same ESS.
For example, consider this scenario:
- hardware MAC is being used,
- we disconnect from the network,
- policy/style is changed via D-Bus to turn randomization on,
- we reconnect to the same network.
In the last step a randomized MAC address should be used.
Changes to the randomization settings include both changes to the
policy/style to be used and changes to the pregenerated MAC address
value in case of mac_addr==3.
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
If the CreateInterface command was used to create a virtual AP
interface, deleting this interface using the RemoveInterface command was
also bringing down the primary interface.
wpa_supplicant never uses hostapd style multi-BSS setup with
type=WPA_IF_AP_BSS and setup_ap=1 to if_add() when creating an AP
interface in wpa_driver_nl80211_if_add(), so it should not go through
the multi-BSS tear down procedure in wpa_driver_nl80211_if_remove(). The
virtual AP resources init and deinit are well handled in
wpa_driver_nl80211_init() and wpa_driver_nl80211_deinit().
Collapse the interface type to WPA_IF_STATION for the D-Bus interface to
skip the multi-BSS cleanup procedure. This is inline with the control
interface design. Add comments before the code to avoid confusion.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
The driver is expected to translate the link addresses to MLD addresses
when processing an Authentication frame from a MLD AP. Thus, accept
Authentication frame when the peer matches the expected MLD address.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case both the local driver and the AP support MLD, request an MLD
association from the driver.
When processing the association event from the driver verify that the
multi link information in the (Re)Association Response frame ML element
matches the links on which the association was expected.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case both the local driver and the AP support MLD, request an MLD
authentication from the driver. When processing the authentication event
from the driver verify that the MLD address in the authentication data
matches that of the requested AP.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Authentication frames include several fixed body parts (see Table 9-68
(Authentication frame body) and Table 9-69 (Presence of fields and
elements in Authentication frames) in IEEE P802.11-REVme/D2.0).
To be able to parse the IE part, these fields need to be skipped. Since
SAE logic already implements this parsing, change SAE authentication
handling functions to return the offset to the IE part. This preparation
is needed for future MLD patches that need to parse out the ML related
elements in the Authentication frames.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of drivers that offload the 4-way handshake to the driver, there
was no way of updating wpa_supplicant about the transition disable
bitmap received as a part of EAPOL-Key msg 3/4.
With latest provisions in cfg80211_port_authorized(), the TD bitmap can
be sent to the upper layer. Parse that as a part of the port authorized
event and set the transition disable information accordingly.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
chromeOS uses random generated MAC address for AP interface so that the
device could remain anonymous and untrackable. Add an address parameter
for CreateInterface method to pass in OS managed MAC address.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
Fix a potential memory leak in CreateInterface method.
Fixes: 0ba266d86c ("dbus: Add virtual interface create/remove logic to be inline with ctrl_iface")
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
RSNXE bits were modified, so update the relevant places accordingly.
Please note, WLAN_RSNX_CAPAB_PROT_RANGE_NEG was renamed to
WLAN_RSNX_CAPAB_URNM_MFPR and the bit position is changed to 15 instead
of 10, while BIT 10 is used for WLAN_RSNX_CAPAB_URNM_MFPR_X20 and is not
supported yet.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Check the HE membership selector and don't use the BSS
if required but not supported by HW.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support to handle external authentication request with a different
SAE AKM suite compared to the current connection AKM suite. This is
needed to support cross AKM roaming between SAE and SAE-EXT-KEY AKM
suites.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
PASN deauthentication event is sent by the underlying driver to delete
the keys in wpa_supplicant PTKSA cache. So don't send clear secure
context command to the driver again as it is already aware of it.
Fixes: 74d894a2 ("PASN: Offload handshake for multiple peers from the driver")
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
Though not explicitely forced by IEEE 802.11be draft yet, it makes sense
to apply the same logic for MLD as for 6 GHz BSSs. Change
wpa_supplicant_ssid_bss_match() accordingly.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
MAX_NUM_MLD_LINKS is 15, thus u8 isn't enough for the bitmap. Fix it.
While at it, clean MLO information better.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add the required ML and RNR definitions and report the information in
BSS command.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Allows informing the connection manager of additional information on CQM
events. Allows the connection manager to request the same information
on demand by using the existing "SignalPoll" method.
* Add new property "SignalChange"
* Add storage for wpa_signal_info into wpa_supplicant context
object
* Copy memory from event to context object on CQM Event
* Write a common conversion method to be used by both "SignalPoll" and
this property
Signed-off-by: David Ruth <druth@chromium.org>
Facilitate emitting more station information over D-Bus for use by the
connection manager.
* Add storage for more NL80211_STA_INFO_* fields to data structures, and
move them through the system.
* Reorder NL80211_STA_INFO_* fields in driver_nl80211.c to match the
ordering in nl80211.h.
* Convert signal field to an integer to support holding WPA_INVALID_NOISE
and avoid changing logging.
* Add fields to hostap_sta_driver_data to capture more information
* fcs_error_count
* beacon_loss_count
* expected_throughput
* rx_drop_misc
* rx_mpdus
* rx_hemcs
* tx_hemcs
* rx_he_nss
* tx_he_nss
* avg_signal
* avg_beacon_signal
* avg_ack_signal
* Add struct hostap_sta_driver_data to struct wpa_signal_info and remove
redundant fields and redundant attribute parsing
* Change logging when printing txrate to handle unsigned long
value
Signed-off-by: David Ruth <druth@chromium.org>
Since wpa_supplicant can change MAC address of the interface on its own
(with randomization enabled) it makes sense to introduce MACAddress as a
property of the interface and send notifications about its change.
This allows other applications to just use D-Bus instead of both
communicating over D-Bus with wpa_supplicant and listening to Netlink
notifications for MAC changes.
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
Add support to consider EHT rates while calculating the estimated
throughput for scan results.
- The estimated EHT throughput uses the HE 0.8 usec GI rates from the
relevant EHT-MCS tables from IEEE P802.11be/D2.0, 36.5.
- The minimum SNR values for EHT rates (4096-QAM) are derived by adding
the existing minimum SNR values of 1024-QAM rates from HE tables and
the difference between the values of minimum sensitivity levels of
1024-QAM rates and 4096-QAM rates defined in Table 36-67 (Receiver
minimum input level sensitivity) in IEEE P802.11be/D2.0.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
There are several cases where memory allocations are not
checked for success. Add conditions and error messages, as some
analyzers complain about that.
Signed-off-by: Micha Hashkes <micha.hashkes@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz, so enable H2E automatically when
connecting to a BSS on the 6 GHz band if it was not enabled in the
configuration.
Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
When WPS is running simultaneously on multiple per-band radios (e.g., a
separate 2.4 GHz and 5 GHz band radios in an AP device), handle
synchronization of scan results, detect PBC session overlap, and cancel
WPS for enrollees on both interface, if the UUID of the registrars on
different bands differ.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Just like with WPA-PSK and keyids it may be desired to identify
connecting clients to provide additional network filtering.
This does:
- extend DPP_EVENT_AUTH_SUCCESS to expose public
key hash of the peer so the system can pick it
up and use for identification later
- store public key hash in PMKSA from DPP Network
Intro for later use
- extend sta mib to print out the dpp_pkhash
from PMKSA if present
- extend AP_STA_CONNECTED to include the
dpp_pkhash from PMKSA if present
Signed-off-by: Michal Kazior <michal@plume.com>
This event is generated in a couple of places. It'll be easier to extend
the event with additional metadata if it's generated in a single place.
Signed-off-by: Michal Kazior <michal@plume.com>
On NixOS[1] - a Linux distribution which allows to configure a full OS
declaratively - it's possible to configure SSIDs for `wpa_supplicant`
like this:
networking.wireless.networks = {
myssid = {
pskRaw = "<redacted>";
};
};
It's also possible to add networks "imperatively" using `wpa_gui` or
`wpa_cli`. However it's not possible to do both because if the first
option is used, NixOS creates a read-only symlink at
`/etc/wpa_supplicant.conf` and then it's not possible for
`wpa_supplicant` anymore to write to it.
This patch aims to help us changing this: while "declarative" SSID
configuration can be quite useful, it's a bad idea for e.g. sensitive
stuff like a WPA2 enterprise network.
The original idea was to use `-I`[2] for immutable configs (including
"declarative" networks) on NixOS and `-c /etc/wpa_supplicant.conf` for
anything "imperative".
However this doesn't really work out because if a wifi network from a
config file specified with `-I` is changed by e.g. `wpa_gui`, it's
silently overwritten in `/etc/wpa_supplicant.conf` (specified with
`-c`) which is IMHO unintuitive (in our case at least). This patch
basically declares each network defined in a config file passed via `-I`
to `wpa_supplicant` as "read-only" and doesn't write these "read-only"
networks to `/etc/wpa_supplicant.conf`.
A bit more context can be found on GitHub in the PR where I implemented
this[3].
[1] https://nixos.org/
[2] Added in e6304cad47
[3] https://github.com/NixOS/nixpkgs/pull/113716
Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
Add new 'mac_addr' policy (3) with which supplicant expects to also
obtain 'mac_value' with pregenerated value of MAC address to be used for
given SSID.
The main difference between this policy and policy 1 is the ability to
control persistence of the MAC address used. For example if there is
a requirement to always use the same (but random) MAC address for given
SSID (even if user removes/forgets the network) this could be handled
outside of the wpa_supplicant by using some SSID based hashing scheme to
generate MAC (or by just storing the randomly generated one) and
providing it to wpa_supplicant together with mac_addr=3 policy.
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
IEEE Std 802.11ax-2021, 12.12 explicitly disallows use of Open System
authentication without encryption on the 6 GHz band.
Signed-off-by: Sharadanand Karanjkar <skaranjkar@datto.com>
As P2P GOs are not expected to be collocated, i.e., they are not
expected to be announced in the RNR element of other APs, they can
operate only on preferred scanning channels (PSCs).
When performing a full scan for P2P discovery, include only the 6 GHz
PSCs (if supported) to avoid scanning channels on which P2P GOs are not
expected to reside.
While at it also fix couple of places that missed including 60 GHz
channels in P2P full scan.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add a callback handler to notify details of a PMKSA cache entry when it
is added to the PMKSA cache. This can be used to provide external
components more convenient access to the PMKSA cache contents.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
For WPA2/WPA3 authentication mode, wpa_supplicant needs to notify
CurrentAuthMode property change when wpa_s->key_mgmt changes, so
NetworkManager can judge whether it needs to request a password based on
this.
Call wpas_notify_auth_changed() when starting a new connection item,
i.e., after having updated wpa_s->key_mgmt.
Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
SSID may include unprintable characters. This change converts
unprintable characters into printable form before printing SSID in the
function wpas_send_ctrl_req(). The conversion is based on the function
wpa_ssid_txt().
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
In case of drivers supporting 4-way handshake offload, mark port
authorized and state completion only if the driver advertizes authorized
state in the connect event. Otherwise there are fair chances of the
driver port authorization API getting called while 4-way handshake is in
progress at the lower layer.
In order to avoid this possible race condition always update port
authorization and supplicant state WPA_COMPLETED setting from
EVENT_PORT_AUTHORIZED context when the driver is done with the 4-way
handshake.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
Add the support of multiple domains for interworking credentials in
D-Bus API AddCred() using an array of strings.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>