Commit graph

5315 commits

Author SHA1 Message Date
Arowa Suliman
5a4ae6e3ad Replace "native" with a more specific description
Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-22 16:54:58 +03:00
Arowa Suliman
2fb33ce4b6 wpa_supplicant: hostapd: Remove man-in-the-middle
Replace man-in-the-middle attacks with on-path attacks which
is gender-neutral and commonly used.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-22 16:53:30 +03:00
Kees Cook
f332f69513 wpa_supplicant: Try all drivers by default
Some distros carry patches to specify driver fallback, but only in
specific conditions (e.g. the systemd service definition[1]). This leaves
other wpa_supplicant instances needing to define fallback themselves,
which leads to places where wpa_supplicant thinks it can't find a
driver[2]. Instead, when -D is not specified, have wpa_supplicant try
all the drivers it was built with in an attempt to find a working one
instead of just giving up if the first doesn't work.

[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012

Signed-off-by: Kees Cook <kees@ubuntu.com>
2021-10-15 23:33:11 +03:00
Veerendranath Jakkam
4775a5f827 Add support to reconfigure or flush PMKSA cache on interface enable
Update PMKSA cache when interface is disabled and then enabled based on
the new MAC address. If the new MAC address is same as the previous MAC
address, the PMKSA cache entries are valid and hence update the PMKSA
cache entries to the driver. If the new MAC address is not same as the
previous MAC address, the PMKSA cache entries will not be valid anymore
and hence delete the PMKSA cache entries.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-15 19:23:14 +03:00
Veerendranath Jakkam
6f634b0032 PMKSA: Make sure reauth time is not greater than expiration time
While creating a cloned PMKSA entry for OKC both expiration and
reauth_time values are set to maximum values, but later only the
expiration time is copied from the old PMKSA entry to the new PMKSA
entry. Due to this there is a possibility of reauth_time becoming
greater than expiration time in some cloned entries. To avoid this copy
reauth_time also to the cloned entry.

Also, add check to reject control interface commands with reauth time
greater than expiration time.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-15 19:16:37 +03:00
Arowa Suliman
575dc1f3b2 Replace "dummy" with "stub" in preauth_test
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:53:03 +03:00
Arowa Suliman
ed5e1b7223 Replace "dummy" with "stub" in comments/documentation
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:52:50 +03:00
Arowa Suliman
3955d2af73 Replace "dummy" with "stub" in wps_testing_dummy_cred
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:52:21 +03:00
Arowa Suliman
7b50f2f04c Replace "sanity" with "validity"
Replaced the word "sanity" with the inclusive word "validity". The
comment in acs_survey_interference_factor() was referring a function
that does not exist, so remove it instead of trying rename the function.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:25:21 +03:00
Sreeramya Soratkal
891bb1305b P2P: Enforce SAE-H2E for P2P GO in 6 GHz
Allow sae_pwe parameter to be configured per-network and enforce the
SAE hash-to-element mechanism for the P2P GO if it is started on
a 6 GHz channel.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-10-08 00:10:44 +03:00
Veerendranath Jakkam
afcadbbf4e wpa_cli: Add support for SCS, MSCS, and DSCP commands
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-07 23:46:28 +03:00
Vinay Gannevaram
2b3e64a0fb Update ciphers to address GTK renewal failures while roaming
After roaming from WPA2-AP (group=CCMP) to WPA-AP (group=TKIP) using
driver-based SME and roaming trigger, GTK renewal failures are observed
for the currently associated WPA-AP because of group cipher mismatch,
resulting in deauthentication with the AP.

Update the group cipher and pairwise cipher values in wpa_sm from
association event received from the driver in case of SME offload to the
driver to address GTK renewal failures (and similar issues) that could
happen when the driver/firmware roams between APs with different
security profiles.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-06 21:13:19 +03:00
Jouni Malinen
857c4dfa83 Make get_mode() easier for static analyzers
Add an explicit check for modes != NULL instead of depending on
num_modes > 0 implying that. This is to silence invalid static analyzer
reports.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-30 18:23:26 +03:00
Chaoli Zhou
9651deba52 Support vendor element configuration for AP mode from wpa_supplicant
Support adding/deleting vendor elements dynamically for AP mode while it
is started by wpa_supplicant instead of hostapd which already supported
this. This adds ap_assocresp_elements global parameter and UPDATE_BEACON
control interface command to take the changed values into effect.

Usage in wpa_cli:
Add vendor IE for (Re)Association Response frames
> set ap_assocresp_elements=xxxx
Add vendor IE for Beacon/Probe Response frames
> set ap_vendor_elements=xxxx

Delete vendor IE from (Re)Association Response frames
> set ap_assocresp_elements
Delete vendor IE from Beacon/Probe Response frames
> set ap_vendor_elements

To make vendor IE changes take effect
> update_beacon

Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
2021-09-30 18:16:11 +03:00
Veerendranath Jakkam
d144b7f34c DSCP: Add support to send DSCP Policy Query frame
Add support to send DSCP Policy Query frame using a new control
interface command DSCP_QUERY. This includes support for a wildcard DSCP
query and a DSCP query with a single Domain Name attribute.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-30 16:56:56 +03:00
Veerendranath Jakkam
c903257fb1 DSCP: Parse WFA Capabilities element in (Re)Association Response frame
Add support to parse WFA Capabilities element from the (Re)Association
Response frame. Also register a timeout for the station to wait before
sending a new DSCP query if requested by AP.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 17:18:48 +03:00
Veerendranath Jakkam
a4aae9f9b8 DSCP: Indicate DSCP Policy support in (Re)Association Request frame
Indicate DSCP Policy capability by including a WFA Capabilities element
containing the relevant bit set to 1 in the (Re)Association Request
frames when enabled by user.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 17:09:01 +03:00
Veerendranath Jakkam
d57456c1ff DSCP: Allow DSCP Policy Response Action frame to be sent
Add support to prepare and send DSCP response action frame to the
connected AP in response to a new control interface command DSCP_RESP.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 17:01:34 +03:00
Veerendranath Jakkam
2033e318e6 DSCP: Parsing and processing of DSCP Policy Request frames
Add support to parse received DSCP Policy Request frames and send the
request details as control interface events.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 00:20:42 +03:00
Veerendranath Jakkam
fe2a44485e DSCP: DSCP policy capability configuration
The DSCP policy capability is disabled by default. The user frameworks
which have support for handling DSCP policy request messages need to
enable this capability explicitly to allow wpa_supplicant to advertise
the capability to the AP and allow the related frames to be processed.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-28 11:07:21 +03:00
Jouni Malinen
8471d940e3 Move pmf_in_use() into a more generic file
This function is not specific to GAS, so make it available throughout
wpa_supplicant without requiring CONFIG_GAS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-28 11:07:21 +03:00
Hu Wang
ce267f4da9 P2P: DFS offload for the autonomous GO
Enhance the P2P_GROUP_ADD command to support DFS channel with 80 and 160
MHz bandwidth to be used for autonomous GO when using offloaded DFS.

For example, 'P2P_GROUP_ADD freq=5500 max_oper_chwidth=80 ht40 vht'

- Previous behavior: AP fallback to channel 100 using 20 MHz with
  "No VHT higher bandwidth support for the selected channel 100"
- Enhanced behavior: AP starts on channel 100 using 80 MHz with
  "VHT center channel 106 for 80 or 80+80 MHz bandwidth"

This functionality is on top of the driver's capability to offload DFS,
which is advertized through WPA_DRIVER_FLAGS_DFS_OFFLOAD.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-07 17:40:25 +03:00
Sreeramya Soratkal
e5173e8b12 P2P: Enable multiple channel widths for P2P in 6 GHz band
Enable support for P2P connection in 6 GHz with the channel width of 40
MHz, 80 MHz, and 160 MHz. The flag max_oper_chwidth is used to configure
the maximum channel width for P2P connection in 6 GHz with the commands
P2P_CONNECT, P2P_INVITE, and P2P_GROUP_ADD.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-09-02 18:41:12 +03:00
Sreeramya Soratkal
f725254cc1 P2P: Enhance determination of secondary offset to support 6 GHz channels
Current definition of wpas_p2p_get_ht40_mode() determines secondary
offset in the 5 GHz band. Enhance the functionality of this function to
determine offset to support 6 GHz channels also.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-09-02 18:19:33 +03:00
Sreeramya Soratkal
575a8e6ca3 P2P: Clone 6 GHz related parameters to new group interface config
Clone pmf and p2p_6ghz_disable configuration values when creating a new
P2P group interface. PMF is required in 6 GHz band operation.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-09-02 18:07:58 +03:00
Sreeramya Soratkal
9f2217c513 P2P: Consider p2p_no_go_freq for GO preferred frequency
Currently while selecting a preferred frequency when no preference is
known, p2p_no_go_freq is not considered for 5 GHz and 60 GHz channels.
This results in starting GO on the channels that are configured not to
allow the local device as GO.

Use wpas_p2p_supported_freq_go api to check if the p2p_no_go_freq
configuration before selecting the preferred frequency for GO.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-26 15:46:58 +03:00
Sreeramya Soratkal
882c53be50 P2P: Avoid integer overflow in channel
For some 6 GHz operating class like 134, there is a possibility where
the ch variable used for channel iterator overflows when it is
incremented. Fix this by updating the datatype of ch variable to
avoid integer overflow while incrementing.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-26 15:32:56 +03:00
Mathew Hodson
be81bbdc3b doc: Fix grammar in wpa_supplicant overview
Signed-off-by: Mathew Hodson <mathew.hodson@gmail.com>
2021-08-25 16:20:17 +03:00
Andrew Beltrano
0030590fb3 Generate an event when a network is added or removed
Generate an event on the control socket interface when a network is
added or removed. The event name CTRL-EVENT-NETWORK-<ADDED|REMOVED>
is followed by the network entry identifier. The event matches the
corresponding Network<Added|Removed> signal on the d-bus interface.

Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
2021-08-19 17:21:06 +03:00
Nick Porter
f238610616 Add a --conf option to eapol_test.py
The --conf option specifies a file containing a list of options
to configure the network used for running the test which will be
used in place of the defaults built into the script.

Signed-off-by: Nick Porter <nick@portercomputing.co.uk>
2021-08-19 16:58:45 +03:00
Arowa Suliman
46b60299a4 wpa_supplicant: src: Replace Sane with Valid.
Replace the word Sane with Valid which is inclusive.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-08-19 11:34:45 +03:00
Vinita S. Maloo
e433d06dd5 Allow MSCS support to be disabled for testing purposes
"SET disable_mscs_support 1" can be used to disable indication of MSCS
support in the Extended Capabilities element for testing purposes. This
is also disabling addition of the MSCS element even if valid
configuration parameters had been configured.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
025f8ab52e SCS: Processing of SCS Response frames
Add support to receive and process SCS Response frames from the AP and
indicate the status to upper layers.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
b4e01ae929 Allow SCS supported to be disabled for testing purposes
"SET disable_scs_support 1" can be used to disable indication of SCS
support in the Extended Capabilities element for testing purposes.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
c005283c48 SCS: Sending of SCS Request frames
Add support to parse SCS control interface command and form the SCS
Request frame to be sent to SCS enabled AP.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Sreeramya Soratkal
24774dcc2e P2P: Require PMF for P2P GO in the 6 GHz band
Enable (and require) the management frame protection for the P2P GO if
it is started on a 6 GHz channel.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-05 19:14:52 +03:00
Sreeramya Soratkal
49442194c4 SAE: Derive H2E PT while reconnecting to same SSID also
P2P connections in the 6 GHz band use SAE authentication algorithm after
getting credentials with WPS connection. During WPS connection as it
doesn't use SAE, SAE PT is not derived. After getting SAE credentials,
the STA connects to the same SSID using SAE auth algorithm. Earlier, SAE
H2E PT was not derived while connecting to the same SSID to which the
STA is connected last time. Due to this, the P2P group formation fails
for 6 GHz channels when H2E is enabled as the PT will not be setup by
the P2P client before proceeding to the SAE authentication. Same could
happen with infrastructure WPS when wps_cred_add_sae=1 is used.

Set up the SAE H2E PT while connecting to the same SSID again also to
make sure that the H2E PT is set up in the STA to derive the PWE for
successful SAE authentication. The PT derivation will be skipped in
wpa_s_setup_sae_pt() if PT is already available for that SSID.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-04 00:20:09 +03:00
Sreeramya Soratkal
ac79ed4998 HE: Obtain correct AP mode capabilities for hw_mode with 6 GHz support
Though both 5 GHz channels and 6 GHz channels report the mode as
HOSTAPD_MODE_IEEE80211A, there is a possibility of different HT/VHT/HE
capabilities being available between these bands. Use get_mode() to
obtain correct capabilities to cover cases where the driver reports
different capability values for the 5 GHz and 6 GHz channels.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-03 19:48:12 +03:00
Utkarsh Bhatnagar
84b3de8095 TDLS: Support TDLS operations in HE mode for 6 GHz
Determine if the TDLS peer supports TDLS in 6 GHz band based on the HE 6
GHz Band Capabilities element received in the TDLS Setup Response frame.
Indicate the peer's HE 6 GHz capabilities to the driver through
sta_add().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-07-29 20:07:25 +03:00
Veerendranath Jakkam
b4f7506ff0 FILS: Flush external-PMKSA when connection fails without ERP keys
External applications can store PMKSA entries persistently and
reconfigure them to wpa_supplicant after restart. This can result in
wpa_supplicant having a PMKSA for FILS authentication without having
matching ERP keys for it which would prevent the previously added
mechanism for dropping FILS PMKSA entries to recover from rejected
association attempts.

Fix this by clearing PMKSA entries configured by external applications
upon FILS connection failure even when ERP keys are not available.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-14 21:35:24 +03:00
Veerendranath Jakkam
80bcd7ecd1 FILS: Flush PMKSA entries on FILS connection failure
wpa_supplicant generates both a PMKSA cache entry and ERP keys upon
successful FILS connection and uses FILS authentication algorithm for
subsequent connections when either ERP keys or a PMKSA cache entry is
available.

In some cases, like AP/RADIUS server restart, both ERP keys and PMKSA
becomes invalid. But currently when an AP rejects an association,
wpa_supplicant marks only ERP keys as failed but not clearing PMKSA.

Since PMKSA is not cleared, consecutive connection attempts are still
happening with FILS authentication algorithm and connection attempts are
failing with the same association rejection again instead of trying to
recover from the state mismatch by deriving a new ERP key hierarchy.

Clear PMKSA entries as well on association rejection from an AP to allow
the following connection attempt to go with open authentication to
re-establish a valid ERP key hierarchy. Also, since clearing PMKSA
entries on unprotected (Re)Association Response frames could allow DoS
attack (reduce usability of PMKSA caching), clear PMKSA entries only
when ERP keys exists.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-14 21:20:17 +03:00
Jouni Malinen
914a2f518f SAE: Report authentication rejection over control interface
CTRL-EVENT-AUTH-REJECT reporting was previously skipped when going
through SAE-specific Authentication frame handling. Add this event here
as well to be more consistent with control interface events.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-07-14 18:18:47 +03:00
Sreeramya Soratkal
311091eb43 P2P: Use SAE+PMF for P2P connection in 6 GHz
Use WPA3-Personal (SAE+PMF) for P2P connections in the 6 GHz band to
enable the Wi-Fi Display use case on the 6 GHz band without having to
use WPA2-Personal (PSK) on that new band.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
f0cdacacb3 P2P: Allow connection on 6 GHz channels if requested
Previously, 6 GHz channels were disabled for P2P operations. Use the new
allow_6ghz parameter with P2P_CONNECT, P2P_GROUP_ADD, and P2P_INVITE
commands for P2P connection on the 6 GHz channels when Wi-Fi Display is
enabled on both the devices.

However, the p2p_6ghz_disable parameter in the configuration takes a
higher precedence.

Indicate P2P 6 GHz band capable information in Device Capability Bitmap
of P2P Capability attribute to indicate the P2P Device is capable of P2P
operation in the 6 GHz band.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
b36142a740 P2P: Add allow_6ghz parameter to control interface
Introduce a new allow_6ghz parameter with P2P_CONNECT, P2P_GROUP_ADD,
and P2P_INVITE commands for P2P connection on the 6 GHz channels when
Wi-Fi Display is enabled on both the devices. This commit is only adding
the interface change without changing any actual P2P functionality.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
6423c23e3d P2P: Allow 6 GHz channels to be included in the P2P_FIND operation
Previously, the 6 GHz channels were disabled for P2P operations.
Introduce a new include_6ghz parameter for the P2P_FIND command to
configure P2P discovery on the 6 GHz channels.

However, the p2p_6ghz_disable parameter in the configuration takes a
higher priority. If the p2p_6ghz_disable parameter is not set in the
configuration, include_6ghz parameter can be used to enable or disable
the discovery operation in the 6 GHz channels for the P2P_FIND command.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
eaf850867b P2P: Extend channel determination/validation to 6 GHz channels
Extend the previously 5 GHz specific 80 and 160 MHz channels helper
functions to support 6 GHz channels.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-10 23:43:03 +03:00
Gurumoorthi Gnanasambandhan
9f901e65b4 WNM: Ignore SSID check for hidden SSID in transition candidates
Do not skip scan results with zero length SSID (i.e., a hidden SSID)
when searching for potential BSS transition candidates since such
entries might be for the same ESS (i.e., for the current SSID). Use only
the BSSID check for such cases.

Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
2021-06-09 20:55:39 +03:00
Jouni Malinen
525ec045f3 P2P: Use correct return type for has_channel()
This helper function returns enum chan_allowed values, so use it as the
return type instead of unnecessarily generic int.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-06-08 12:46:45 +03:00
Jouni Malinen
e8662e9d44 Use a helper function to remove struct wpa_bss_tmp_disallowed entries
It is safer to remove and free these entries with a shared helper
function to avoid issues with potentially forgetting to unregister or
free something if this structure is extended in the future.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-06-03 00:11:18 +03:00