Allow the phase2_auth=2 parameter (in phase1 configuration item) to be
used with EAP-TTLS to require Phase 2 authentication. In practice, this
disables TLS session resumption since EAP-TTLS is defined to skip Phase
2 when resuming a session.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.
Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.
Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
* 0 = do not require Phase 2 authentication
* 1 = require Phase 2 authentication when client certificate
(private_key/client_cert) is no used and TLS session resumption was
not used (default)
* 2 = require Phase 2 authentication in all cases
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the +HTC bit in FC to determine if the HT Control field is present
when decrypting Robust Management frames. This was already done for QoS
Data frames, but the Management frame case had not been extended to
cover this option.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Update documentation of the QCA_WLAN_VENDOR_ATTR_CONFIG_CHANNEL_WIDTH
and QCA_WLAN_VENDOR_ATTR_CONFIG_CHAN_WIDTH_UPDATE_TYPE attributes to
indicate support for per-MLO link configuration.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add support for per-MLO link configurations in
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_CONFIGURATION commands.
Additionally, add documentation for
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_CONFIGURATION commands.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Define a new QCA vendor test config attribute to configure powersave
on MLO links.
This attribute is used for testing purposes.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Extend bitwise mask in enum qca_wlan_tdls_caps_features_supported to get
the TDLS wider bandwidth capability from the driver.
Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
Retrieve the puncturing bitmap sent by the driver in channel select
events for ACS when using the QCA vendor specific event.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Previously, NL_STOP was returned from the survey dump handler if the
maximum number of frequencies was reached for storing survey
information, but this is causing wpa_supplicant context getting stuck if
the current SKB returned by the kernel itself ends with NLMSG_DONE type
message. This is due to libnl immediately stopping processing the
current SKB upon receiving NL_STOP and not being able to process
NLMSG_DONE type message, and due to this wpa_supplicant's
finish_handler() not getting called. Fix this by returning NL_SKIP
instead while still ignoring all possible additional frequencies.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
There are two hw modes (5 GHz and 6 GHz) with HOSTAPD_MODE_IEEE80211A
and the current hw mode may be wrong after one channel switch to 6 GHz.
This will cause hostapd_set_freq_params() to return -1 when saving
previous state and the second channel switch to fail. Fix this by adding
hostapd_determine_mode() before every channel switch.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Use zero value with QCA_WLAN_VENDOR_ATTR_CONFIG_EHT_MLO_MAX_NUM_LINKS to
restore the device default maximum number of allowed MLO links
capability.
Also, as per IEEE 802.11be/D3.0, the maximum number of allowed links for
an MLO connection is 15. Update the documentation of the attribute to
indicate the same.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
This is needed to match the key configuration design with a single
netdev and the nl80211 driver interface.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In case of MLO AP and legacy client, make sure received EAPOL frames are
processed on the correct BSS.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of MLO AP and legacy client, make sure Management frame TX
status is processed on the correct BSS.
Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the
status to the correct BSS. Store the link ID when transmitting
Managements frames and report it in TX status.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of MLO AP and legacy client, make sure EAPOL TX status is
processed on the correct BSS.
Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the EAPOL
TX status to the correct BSS. Store the link ID when transmitting EAPOL
frames over control interface and report it in TX status.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Only the main link handles SAE authentication and OWE, skip them on
other links.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
MLO associations use the MLD address instead of the MAC address in SAE
derivation.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
If the AP is part of an AP MLD specify the link ID in the set_key
parameters whenever setting a group key.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Verify that the MLD address in EAPOL-Key msg 4/4 is set correctly for
MLO cases. Note that the mechanism used here for distinguishing between
EAPOL-Key msg 2/4 and 4/4 is not exactly ideal and should be improved in
the future.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Allow RSN authenticator to fetch the current group key information with
the keys and the last used PN/IPN/BIPN for MLO specific KDEs.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Verify that the affiliated link information matches between association
(unprotected) and 4-way handshake (protected).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Make the MLO related information available for the RSN Authenticator
state machine to be able to perform steps needed on an AP MLD. The
actual use of this information will be in the following commits.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This is needed since link_id is not always available. In addition,
recognize the link address as a known address.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This allows proper TX status handling when MLD addressing is used for
Management frames. Note, that the statuses are still not forwarded to
the correct link BSS. This will be handled in later commits.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This is needed for the driver to know on which link it should transmit
the frames in MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Get rid of the duplicated code for setting IEEE 802.1X port
authorization for MLD and non-MLD cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Handle IEEE 802.1X port authorization in the context of MLO.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When a non-AP MLD is deauthenticated/disassociated from an MLD AP, make
sure to clean up its state from all links.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This is a step towards handling of deauthentication/disassociation from
an MLD AP.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>