Commit graph

5903 commits

Author SHA1 Message Date
Jouni Malinen
5452a4a302 SSID verification based on beacon protection
If SSID was not verified during the initial setup of an association, but
beacon protection was negotiated, try verify the SSID based on Beacon
frames that have been received after the first BIGTK has been
configured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 23:55:05 +03:00
Jouni Malinen
89b164138c BSS: Add wpa_bss_get_ie_beacon()
This is a variant of wpa_bss_get_ie() to allow IEs to be checked from
only Beacon frames similarly to how wpa_bss_get_vendor_ie_beacon()
behaves for vendor specific elements.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 23:50:55 +03:00
Jouni Malinen
7436b5b012 Indicate if BIGTK has been set in STATUS output
The new "bigtk_set=1" entry in the control interface STATUS command
output indicates that a BIGTK has been successfully configured. This
shows that beacon protection has been enabled for the current
association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 23:14:02 +03:00
Jouni Malinen
c6f394b888 Indicate if SSID has been verified in STATUS output
Add a new "ssid_verified=1" entry into the control interface STATUS
command output if the SSID has been verified for the current
association. This verification may have been done implicitly (e.g., with
SAE H2E and FT protocol binding in the SSID into key derivation or with
FILS protecting the SSID element in the (Re)Association Request frame)
or explicitly with the recently added SSID protection mechanism during
the 4-way handshake.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 22:58:12 +03:00
Ilan Peer
e5f76b9153 dbus: Fix error path in scan request handling
In case the scan request handling fails, exit cleanly, i.e., without
setting internal state such as the 'scan_res_handler' pointer.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-07-11 19:56:08 +03:00
Benjamin Berg
7bcede06e0 MLD: Ensure link_bssid array has space for sentinel
The consumer of the link_bssid array assumes it is a NULL terminated
array of BSSIDs. As such, add one to the maximum number of links to
ensure that there is always a sentinel value.

Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 18:53:59 +03:00
Benjamin Berg
cf3883f3d1 MLD: Ensure link BSSIDs remain on stack for ignore
When ignoring a link BSSID the multi-link information was parsed out
into a struct ml_sta_link_info on the stack. However, this stack
variable went out of scope before it was used by passing the link_bssids
pointer array to another function.

Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 18:53:59 +03:00
Jouni Malinen
9f0429c9e1 dbus: Make sure ServiceDiscoveryRequest/Result does not override pointers
Explicitly free the previously allocated copy if ServiceDiscoveryRequest
or Service DiscvoveryResponse parsing loop finds multiple instances of
the same dict entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-11 18:47:12 +03:00
Davide Caratti
d22401d895 dbus: Fix memory leak in case dbus provides 'tlvs' in invalid P2P SD response
Using D-Bus it is possible to request an invalid SD response where
"tlvs" is specified and there is an unknown key (e.g. "bar": "foo"). In
this case, "tlv" is allocated and then never used nor freed. Valgrind
complains as follows:

 36 bytes in 1 blocks are definitely lost in loss record 20 of 74
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix it ensuring that "tlv" is freed both in the error and non-error path
of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
test_dbus.py to verify correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-11 18:39:39 +03:00
Davide Caratti
0c2d8417c6 dbus: Fix memory leak in case dbus provides tlv in P2P UPnP SD request
Using D-Bus it is possible to trigger a valid UPnP SD request where
"tlv" is specified: in this case "tlv" is allocated, and then not used
nor freed. Valgrind complains as follows:

 72 bytes in 2 blocks are definitely lost in loss record 46 of 68
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix it ensuring that "tlv" is freed, both in the error and non-error
path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
test_dbus.py to verify correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-11 18:37:14 +03:00
Hu Wang
438a27b369 Do not derive SAE PT if the network profile does not include SAE
wpa_s_setup_sae_pt() derived SAE PT even when the configured key
management options did not include SAE if the global sae_pwe
configuration parameter had been changed to enable H2E. This adds
unnecessary extra delay, so derive PT only if SAE is actually enabled in
the network profile.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 17:39:19 +03:00
Jouni Malinen
593a7c2f8c SAE: Check for invalid Rejected Groups element length explicitly on STA
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Fixes: 444d76f74f ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 23:34:21 +03:00
Jouni Malinen
689a248260 eapol_test: Move Message-Authenticator attribute to be the first one
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
d944ef1c01 SAE: Clear rejected groups list on completing authentication
The rejected groups list is valid only during each individual SAE
authentication instance and it should not be maintained between separate
instances. In particular, it should not be maintained when roaming to
another AP since the APs might use different configuration for the
allowed SAE groups.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 12:14:34 +03:00
Jouni Malinen
0ab009db3c SAE: Clear rejected groups list on continuous failures
wpa_supplicant used to maintain the list of rejected groups for SAE over
multiple failed attempts. This could have some DoS issues, so clear this
list if SAE authentication attempts fails continuously.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 11:58:18 +03:00
Jouni Malinen
dab7549d68 SSID protection in 4-way handshake on STA
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).

This functionality is disabled by default and can be enabled with
ssid_protection=1 in the network profile. Once there has been more
testing of this to confirm there is no significant interoperability
issues, the goal is to be able to change this to be enabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-19 12:31:04 +03:00
Veerendranath Jakkam
9a022cdc70 STA: Update scan results when BSS entry with current SSID is not found
wpa_supplicant might use a wrong BSS entry with the SSID different from
the current SSID of the current BSS while processing a roam event from
the driver when wpa_supplicant has a stale BSS entry with the old SSID
and the driver roams to the same BSS after it is restarted with a new
SSID.

To avoid this, update scan results from the driver when a BSS entry is
not found with the current SSID and try to fetch the BSS entry again
with the current SSID after this.

Also, with this change wpa_supplicant_get_new_bss() itself will update
the BSS table and search for the current BSS entry if it is not found in
the BSS table. So, remove the BSS table update and search logic from the
callers of wpa_supplicant_get_new_bss().

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-06-13 18:36:08 +03:00
Jouni Malinen
2c89b56d64 WNM: Include BSS max idle period in STATUS command output
This makes it a bit easier to test BSS max idle period management.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-05-29 23:40:22 +03:00
Jouni Malinen
6594ea9ef1 WNM: Allow a specific BSS max idle period to be requested
Add a new wpa_supplicant network profile parameter max_idle that can be
used to specify a specific maximum idle period in units of 1000 TUs
(1.024 s) for associations.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-05-29 22:12:48 +03:00
mtk30479
ed56dfc339 P2P: Fix fast IP address allocation for invitation of a persistent group
Allocate static IPv4 address in EAPOL frames during 4-way handshake
instead of DHCP when using P2P invitation. wpa_s->current_bss needs to
be set for the P2P specific IP address assignment mechanism to be used
in wpa_supplicant_rsn_supp_set_config(). This worked for the initial P2P
connection, but not for some cases reinvoking a persistent group.

Since there is only one AP (P2P GO) in the P2P client case, the
conditions added in commit 4d3be9cdd1 ("Postpone updating of
wpa_s->current_bss till association event") are not needed and the
easiest approach for this is to allow current_bss to be set for
p2p_in_invitation cases. If the GO P2P Interface Address (BSSID) could
be determined for all the related cases, this could be addressed a bit
more cleanly by setting the go_bssid argument for
wpas_start_p2p_client(), but that can be left as a possible future step.

Signed-off-by: tzu-meng wang <tzu-meng.wang@mediatek.com>
2024-05-08 00:32:46 +03:00
arun.jose
f44a07d5c4 wpa_cli: Make WPA_EVENT_CHANNEL_SWITCH events accessible to action scripts
Make the channel switch complete event, WPA_EVENT_CHANNEL_SWITCH,
accessible to the action script.

Signed-off-by: arun.jose <arun.jose.wg@bp.renesas.com>
2024-04-21 11:55:53 +03:00
Andrei Otcheretianski
9b1e0ab4e8 dbus: Use correct values for persistent group
D-Bus expects "persistent" to be a bool (0/1) and crashes otherwise.
Since persistent may also be 2 convert it to boolean.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-04-21 11:55:53 +03:00
Ilan Peer
cf36ffd43c wpa_supplicant: Do not allow fast associate before scanning 6 GHz
In case the channel map was updated to include the 6 GHz but these channels
were not scanned yet, do not allow fast associate.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-04-21 11:55:53 +03:00
Benjamin Berg
ff798fbb83 ctrl_iface: Allow sending ML probe without AP MLD ID
If one sends a Probe Request frame to a non-TX BSSID, no AP MLD ID
should be included in the request. Permit mld_id to be -1 so that it is
not a required argument and can be left out.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-04-21 11:55:53 +03:00
Ilan Peer
4d2f76fabf MLD: Use AP MLD MAC address with deauthenticate
When the authentication is an MLD authentication need to use the AP MLD
MAC address when requesting the driver to deauthenticate.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-04-21 11:55:53 +03:00
Ilan Peer
5d9b4a1a14 SME: MLD: Clear MLD state only after the deauthentication
In case of failure handling an Authentication frame from the AP MLD,
clear the MLD state only after the deauthentication is done. This allows
deauthentication process to use the AP MLD MAC address.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-04-21 11:55:53 +03:00
Ilan Peer
39fefeada6 SME: MLD: Deauthenticate when failing to parse ML element
If parsing the basic ML element in the Authenticate frame fails,
instead of only disassociating, completely deauthenticate so all
state machines would be in a consistent state.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-04-21 11:01:28 +03:00
Ilan Peer
6f3e7c5d3e wpa_supplicant: Do not roam to an associated link
When considering to roam to a different BSS and the connection
is an MLD connection, do not roam to a BSS which is already
included in the MLD connection.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-04-21 11:00:13 +03:00
Jouni Malinen
2bbe4822a6 Clear connect_without_scan on network profile removal
wpa_s->connect_without_scan could have been left pointing to invalid
network when a network profile was removed. It seems to be possible for
this to happen in some hwsim test case scenarios under specific timing,
but the exact reason for this is not clear. In any case, this pointer
needs to be cleared.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-04-20 18:42:26 +03:00
Rameshkumar Sundaram
84d2a36da0 AP MLD: Require same AKM and pairwise cipher for all links
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Co-developed-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-04-20 18:31:11 +03:00
Felix Fietkau
dec6fccf17 Support qos_map_set without CONFIG_INTERWORKING
This feature is useful on its own even without full interworking
support.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-15 23:18:24 +03:00
Chenming Huang
d5e6f79988 AP MLD: Request Handle OBSS scan for a specific link
OBSS scan can be required in different links if operating as an AP MLD.
When triggering scan, specify the link ID for the driver to find the
correct link to scan.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-04-12 10:52:19 +03:00
Vinay Gannevaram
147f836924 PASN: Add set and get API for PASN data context
Modules that use libpasn for PASN authentication need the context of
PASN data. PASN data is a common context for the library and the modules
using it. Hence, initialize the context through init and deinit
functions. Also use set and get functions to update the parameters.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-04-06 00:12:54 +03:00
Vinay Gannevaram
ab37a57314 Replace PMKSA cache inline stubs with wrapper function stubs
PMKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on IEEE8021X_EAPOL define for the
external modules at compile time, remove PMKSA cache static inline
functions from the header file and add wrapper function stubs.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-04-06 00:12:52 +03:00
Vinay Gannevaram
ba55088a73 Replace PTKSA cache inline stubs with wrapper function stubs
PTKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on CONFIG_PTKSA_CACHE define for
the external modules at compile time, remove PTKSA cache static inline
functions from the header file and add wrapper function stubs.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-04-05 20:07:32 +03:00
Jouni Malinen
94506e8ed8 Use the latest updated BSS entry for sending ANQP requests
Try to find the BSS entry that contains the most likely current
information for the target BSS. This is mainly needed to avoid some
unusual behavior with APs changing their Beacon frame information in a
manner that shows up in automated testing, but this might help with some
more dynamic real world uses as well, so better do the BSS entry search
for the newest entry.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-27 22:37:18 +02:00
Jouni Malinen
666e954ca2 Remove unused wpa_drv_set_ap()
This wrapper function was not used at all, so remove it to make it
clearer that the set_ap() driver op is called only from hostapd code.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-26 19:14:43 +02:00
Janusz Dziedzic
ec4b755b06 wpa_cli: Don't select interface when using global socket
In case we run command like:
wpa_cli -g <global_ctrl_path> command

don't print
"Selected interface " message.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-03-23 22:03:54 +02:00
Jouni Malinen
5b4a78b1f9 Optimize internal BSS table updates based on a specific BSSID
When wpa_supplicant needed to update the internal BSS table with the
latest scan results from the driver, it fetched all BSSs and processed
them all. This is unnecessary for cases where an update is needed only
for a specific BSS. Optimize this by filtering out the unnecessary
entries from the results.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-20 12:00:46 +02:00
Jouni Malinen
8d0bd7f9c8 Update BSS entry on roaming only for actual BSS frequency change
Commit 117e812d06 ("Update BSS table entry if roaming event indicates
frequency change") added wpa_supplicant BSS table update based on the
latest driver scan results whenever processing an association event that
results in the current operating channel changing. While that is needed
to cover the case where an AP changes its own operating channel (and
that is noticed as a roam or new connection instead of a channel switch
event), this should not really be needed for cases where the
wpa_supplicant entry for the new BSS is already up to date.

Skip the full BSS table update on association event if the event is for
a roaming case to a different BSS and the BSS entry for the target is
already available and for the current operating channel. This avoids
undesired latency when processing the association event.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-20 11:08:16 +02:00
Manoj Sekar
024d4bca13 Multi-AP: WPS support for different Multi-AP profiles
Update EAP-WSC parameters to include Multi-AP profile info to pass the
profile information through the provisioning steps. This is needed for
provisioning the STA configuration when different profiles are used.

Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
2024-03-19 19:24:29 +02:00
Manoj Sekar
420afbdbdf Multi-AP: Allow supported profile to be configured
Allow both hostapd and wpa_supplicant to be configured with the
supported Multi-AP profile. The configured value will be advertised in
the Multi-AP element.

Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
2024-03-19 18:57:35 +02:00
Manoj Sekar
364cb7c943 Multi-AP: Parse the Multi-AP element using a shared helper function
This makes it more convenient to handle extensions to the element and
allows code to be shared between hostapd and wpa_supplicant.

Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
2024-03-19 18:53:42 +02:00
Manoj Sekar
61e46f860c Multi-AP: Move IE parameters into a struct for extensibility
This makes it easier to extend the information that is encoded in the
Multi-AP element.

Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
2024-03-19 16:40:13 +02:00
Damien Dejean
2ae1e6f18b DBus: Add ANQP fields to BSS properties
Add ANQP fields to the BSS properties to allow DBus clients to be
notified and obtain the values when it changes.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2024-03-09 17:59:22 +02:00
Damien Dejean
2ea04435ec DBus: Signal ANQP query done
Add a D-Bus signal "ANQPQueryDone" to notify of the result of an ANQP
request.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2024-03-09 17:20:52 +02:00
Damien Dejean
d71c838519 DBus: Add a method to get ANQP fields
Add a D-Bus method to perform ANQP get requests. The new method is
equivalent to the "anqp_get" command available in wpa_cli.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2024-03-09 17:16:27 +02:00
Damien Dejean
5eb409c4bc DBus: Add dict helper for uint16 arrays
Extend dict helper to support uint16 arrays.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2024-03-09 17:05:29 +02:00
Evan Benn
35df7ee09e DPP: Emit a DPP PB_STATUS event when push button starts
To implement an action script that listens for DPP push button events
and for example blinks a LED it is useful to know when push button has
started. Emit an event when push button starts.

Signed-off-by: Evan Benn <evan.benn@morsemicro.com>
2024-03-08 10:37:28 +02:00
Jouni Malinen
9f43c1e26b Provide punct_bitmap to hostapd_set_freq_params()
This is needed to be able to check validity of the channel parameters
for cases where EHT puncturing impacts what can be enabled for
HT/VHT/HE.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-08 10:01:30 +02:00