Prevent loading arbitrary executable code based on config at runtime,
while allowing libraries to be specified at compile time when they are
known in advance.
Add the ability to configure libraries to load at compile time.
* CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
* CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
* CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.
Add flags with the ability to set each of the libraries to NULL and
prevent loading them at runtime.
* CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine
library.
* CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module
library.
* CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opensc_engine
library.
* CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading EAP libraries at
runtime.
Signed-off-by: David Ruth <druth@chromium.org>
wpas_dpp_connected() is called from wpa_supplicant_set_state(), i.e.,
from the middle of processing of the post 4-way handshake steps. Sending
a DPP Public Action frame at that point can delay other operations, so
allow those steps to be completed first before sending out the DPP
connection status result.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like mac80211 ROC handling can end up postponing offchannel TX
operation by the previously started and already canceled wait time if
the new NL80211_CMD_FRAME is issued immediately after
NL80211_CMD_FRAME_WAIT_CANCEL. Make this more robust by waiting for the
driver event that indicates completion of the cancel operation (i.e.,
NL80211_CMD_FRAME_WAIT_CANCEL as an event) before issuing
NL80211_CMD_FRAME for another channel. If the driver event is not
received within 10 ms, start the operation anyway to avoid unexpected
behavior if there are drivers that do not end up notifying end of the
wait.
This fixes some issues with authentication initiation for cases where
multiple channels are iterated. This can also significantly speed up
that process.
Signed-off-by: Jouni Malinen <j@w1.fi>
The first event could have theoretically been received with reltime
sec=0, so use the helper function to check whether the reltime value is
actually set so that the usec part is checked as well. This is not going
to have a difference in practice, but it was possible to hit this corner
case with mac80211_hwsim testing (ap_cipher_tkip_countermeasures_sta)
using UML and time travel.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support for Authentication negotiated over IEEE Std 802.1X
with key derivation function using SHA-384.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
When channel 140 is configured in mesh, interface fails to come up due
to channel bond (136,140). Since Channel 136 is not HT40+ capable,
validation for HT channel bonding fails when it checks whether first
channel in the bond (channel 136) is HT40+ capable.
In mesh, during channel setup, secondary channel offset for the
configured channel will be selected as +1 if primary channel is capable
of HT40+. In current code, channel 140 is not allowed as HT40+ and hence
secondary channel offset is selected as -1, which makes 136 as secondary
channel. But channel 136 is not HT40+ supported and fails in channel
bonding validation.
Add 140 to HT40+ allowed list as HT40+ is supported for the channel.
Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
Pointer entry->ssid might be passed to owe_trans_ssid_match() function
as argument 3 with NULL value, and it may be dereferenced there. This
looks like a theoretical case that would not be reached in practice, but
anyway, it is better to check entry->ssid != NULL more consistently.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Since wpa_supplicant version 2.10 the extended capabilities MSCS and SCS
are advertised in the (Re)Association Request frames.
This causes the association request to be rejected by several access
points. Issue was observed with:
- D-Link DIR600
- TP-Link AC1900
- Synology MR2200ac
To avoid this issue the extended capabilities MSCS and SCS shall only be
added if the bss also supports them. While this may not follow the exact
behavior described in IEEE 802.11, this is a reasonable compromise to
avoid interoperability issues since these capabilities cannot be used
with an AP that does not support them anyway.
Note: The Extended Capabilities element is only included in the
Association Request frames if the AP also sent its extended capabilities
(see wpas_populate_assoc_ies()) as a workaround for misbehaving APs.
This workaround exists since version 2.1.
Signed-off-by: Sebastian Priebe <sebastian.priebe@konplan.com>
There is a delay between sending Association Response frame after having
received Association Request frame, due to the fact that between
receiving the request and sending the response the Beacon frame contents
is updated, after analyzing inputs from the STA. There may be several
updates if multiple fields need to change. This can cause issues with
some devices in noisy environments with many BSSs and connected STAs.
Optimize this by updating the beacon only once, even if there are
multiple reasons for updates.
Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
Drivers will often report regdom changes in the middle of a scan if they
detect during that scan that the regulatory domain has changed. If this
happens and we enter a regdom that supports 6 GHz channels when the
previous one didn't (this often happens in 6 GHz-capable regdoms for
devices after suspend/resume), immediately trigger a 6 GHz-only scan if
we were not able to connect to an AP on a legacy band.
This should significantly improve connection time to 6 GHz AP after
regdom has been reset.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Store 6 GHz capability on channel list update for wpa_supplicant use.
This will be used in the next commit to extend scanning behavior based
on changes to 6 GHz channel availability.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
wpa_supplicant_trigger_scan() previously wouldn't include any of the IEs
generated by wpa_supplicant_extra_ies(). Instruct it to do so in most
cases. This is necessary because MBO STAs are required to include MBO
capabilities in their Probe Request frames.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
After GO negotiation is completed, the P2P Client needs to scan the GO
before connecting. Only SSID was specified for this and the driver still
might need to scan all channels which wastes time. wpa_supplicant can
pass the known BSSID in the scan request in additional P2P cases and
this allows the driver sto stop the scan once the specific BSSID is
found. This helps reduce some time for P2P connection.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Handler function for "Scan" method call of a network device doesn't set
non_coloc_6ghz, therefore wpa_supplicant doesn't scan non-PSC channels
on 6GHz band only if a co-located AP was reported on the channel.
Add NonColoc6GHz and 6GHzOnly flags to the wpas_dbus_handler_scan, so
that dBus scan requests can cover non-PSC channels and scan only 6 GHz
channels.
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
Parse the reconfiguration Multi-Link element and:
- Don't select a BSS for connection if it is part of an MLD
and is going to be removed.
- Don't scan for missing links that are to be removed.
- Don't include removed links in association.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add a control interface to trigger ML probes for testing purposes.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support for building and sending ML probe requests. During connect,
try to send an ML probe request if we are going to connect to an MLD AP
and the BSS information for some of the links is missing.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Extend 'struct wpa_driver_scan_params' to allow higher layer to indicate
if minimal probe request content should be included by the driver as part
of the scan logic.
Implement this with driver_nl80211, by setting
NL80211_SCAN_FLAG_MIN_PREQ_CONTENT.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Use the wpas_notify_mesh_peer_*() functions for sending the control
interface events in addition to the D-Bus events so that these are all
done consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
When using mesh we have incoherent
MESH-PEER-CONNECTED/MESH-PEER-DISCONNECTED messages when we restart one
of the devices without disconnecting it first. Sometimes we have the
right behavior, a peer disconnect and then a peer connect, sometimes we
only have a a peer connected without a peer disconnected first, and
sometimes we have nothing at all.
As the plink count seem to be correctly tracked and because we only send
the connected event on plink count increase, lets send the peer
disconnected event on plink count decrease.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
When using wpa_supplicant to connect to a mesh network or to create an
AP, the current code doesn't respect all CONFIG_XXX_OVERRIDES network
parameters, just disable_ht in CONFIG_HT_OVERRIDES.
Add support for some of the others modulation related disable flags:
- disable_ht40 with CONFIG_HT_OVERRIDES
- disable_vht with CONFIG_VHT_OVERRIDES
- disable_he with CONFIG_HE_OVERRIDES
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
This should allow STA to make better choice about which BSS to roam to.
Use estimated throughput as comparison value. Can improve the estimated
throughput calculation to improve this selection criteria if wanted in
the future.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Along with canceling queued scan, abort ongoing scan if any, this
ensures Wi-Fi interface is in usable state after disconnect is issued,
else subsequent scan after disconnect might fail with EBUSY.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
If the current AP advertises disassociation imminent, move it to the
back of the candidate list so we don't select it again while other
candidates are available.
Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
Some kind of race condition seemed to be hit at least in test sequence
"p2p_ext_vendor_elem_invitation pasn_comeback_after_0_sae" where the P2P
invitation response could have been received just after having scheduled
a new p2p-listen radio work, but before that work had been started. In
the case of accepted invitation, this could result in unnecessary extra
delay when that p2p-listen work ended up getting started at the exact
time that the local device was starting GO.
Avoid this race condition by removing the pending p2p-listen radio work
when P2P listen is stopped.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant underestimates 6 GHz SNR as it assumes 2 GHz default
noise in the estimation.
Use 6 GHz default noise when estimating 6 GHz SNR.
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
It doesn't make sense to disconnect on updates to the
network's scan_freq, and in fact doing so causes some
(timing-/scheduling-dependent) test failures.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
wpa_supplicant postpones expired PMKSA deletion untillassociation is
lost for SAE to avoid forced disconnection. But during this time the
driver may use the expired PMKSA for reassociation with the current
connected AP.
Remove the current PMKSA for SAE from the driver after reauth threshold
is passed when the driver takes care of BSS selection.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Do not reject reauth threshold passed PMKSA indicated in successful
association event since the PMKSA is still valid.
Additionally, remove the reauth threshold passed PMKSA entry from the
driver to prevent using it further in the driver.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add the copied EHT capabilities into the sta_add() call when adding a
TDLS peer.
The mld_link_id value was previously only for AP mode, but it can now be
used for TDLS links as well to indicate the link on which a
single-link-TDLS direct link is negotiated.
Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
This is needed to be able to determine which link is used for TDLS setup
when the current association is with an AP MLD.
Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
This is needed to allow the driver to know on which operating channel
(as specified by the link that is affiliated with AP MLD for the current
association) is used for transmitting TDLS Discovery Response. This
commit adds the link_id parameter to various functions, but does not
implement the driver interface change itself.
Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
Commit 9025def55c ("wpa_supplicant: Add support for pregenerated MAC")
added this capability, but did not update wpa_supplicant.conf to
document it. Add such documentation to match the information in
config_ssid.h.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The ap_mld_addr entry was added without introducing a new mask bit which
does not follow the expected style for adding new information into the
BSS command and might result in unexpected behavior for external
components. Define a new BSS command information mask bit for this AP
MLD address and print the AP MLD address in the BSS info only if the
mask bit is set.
Fixes: db99e7341a ("Add AP MLD address into BSS command output")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Send the actual MFP configuration value to the driver instead of
overriding it with MFP required based on the wpa_supplicant selected BSS
when the driver takes care of BSS selection.
This is needed to allow the driver to know whether it can select an MFP
disabled BSS.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Per IEEE P802.11be/D4.0, 9.4.2.316 (QoS Characteristics element), enable
support for the following optional QoS Characteristics parameters:
- Maximum MSDU Size
- Service Start Time
- Service Start Time LinkID
- Mean Data Rate
- Delayed Bounded Burst Size
- MSDU Lifetime
- MSDU Delivery Info
- Medium Time
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Add support to configure the mandatory QoS Characteristics parameters
per IEEE P802.11be/D4.0, 9.4.2.316 (QoS Characteristics element), in SCS
request:
- Minimum Service Interval
- Maximum Service Interval
- Minimum Data Rate
- Delay Bound
Enable STA SCS traffic descriptor support for EHT connection when the
connected EHT AP advertises SCS traffic descriptor capability in the EHT
Capabilities element.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Set WFA capability to allow non-EHT SCS Traffic support in association
elements when the AP advertises support for non-EHT SCS Traffic support
via Beacon or Probe Response frame. This capability is upper layer
functionality and as such, does not need a separate driver capability
indication or configuration, but indicate this only if the AP supports
the feature to minimize risk of interoperability issues with a new
information element.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
wpa_drv_get_pref_freq_list() may fail and the 6 GHz channel removal
should not be done unless the operation actually succeeded. The previous
implementation ended up processing uninitialized data. This did not
really result in any observable misbehavior since the result was not
used, but this showed up as a failed test case when running tests with
valgrind.
Fixes: f0cdacacb3 ("P2P: Allow connection on 6 GHz channels if requested")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant could crash due to dereferencing freed memory in a corner
case. When a reestablished P2P GO group gets removed because the
hardware mode is not supported when switching from 2.4 to 5 GHz. Group
removal in wpas_p2p_group_delete() forget to clean wpa_s->last_ssid due
to the missing wpas_notify_network_removed() call before removing the
network with wpa_config_remove_network().
That could cause a crash when flushing old BSSs which age out in
wpa_bss_flush_by_age() which uses wpa_s->last_ssid in some cases.
Fix this by invoking wpas_notify_network_removed() to clean
wpa_s->last_ssid when removing a temporary P2P group network.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In the original flow, after hostapd_config_tx_queue() successfully
parses a tx_queue variable, wpa_config_process_global() would not return
immediately. Then it would print out "unknown global field" later and set
return val to -1.
Return success (0) after hostapd_config_tx_queue() successfully parses a
tx_queue variable to fix this.
Fixes: 790026c3da ("Allow TX queue parameters to be configured for wpa_supplicant AP/P2P GO")
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Fix the warning:
wpa_supplicant.c:2257:5: warning: conflicting types for
‘wpas_update_random_addr’ due to enum/integer mismatch; have ‘int(struct
wpa_supplicant *, enum wpas_mac_addr_style, struct wpa_ssid *)’
[-Wenum-int-mismatch]
2257 | int wpas_update_random_addr(struct wpa_supplicant *wpa_s,
| ^~~~~~~~~~~~~~~~~~~~~~~
In file included from wpa_supplicant.c:32:
wpa_supplicant_i.h:1653:5: note: previous declaration of
‘wpas_update_random_addr’ with type ‘int(struct wpa_supplicant *, int,
struct wpa_ssid *)’
1653 | int wpas_update_random_addr(struct wpa_supplicant *wpa_s, int
style,
| ^~~~~~~~~~~~~~~~~~~~~~~
Fixes: 1d4027fdbe ("Make random MAC address style parameters use common enum values")
Signed-off-by: Chien Wong <m@xv97.com>
Parse link id and station MLD address received from the driver in the
NL80211_CMD_NEW_STA event.
Set MLO information of the station to the sta_info and wpa_sm.
Co-authored-by: Manaswini Paluri <quic_mpaluri@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Set the sme RRM used config if the RRM element is present in the
(Re)Association Request frame sent in association event to cover the
cases where the driver SME takes care of negotiating RRM capabilities.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.
Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.
Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
* 0 = do not require Phase 2 authentication
* 1 = require Phase 2 authentication when client certificate
(private_key/client_cert) is no used and TLS session resumption was
not used (default)
* 2 = require Phase 2 authentication in all cases
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to match the key configuration design with a single
netdev and the nl80211 driver interface.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This is needed for the driver to know on which link it should transmit
the frames in MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This includes:
- Modifications of the driver API, to include the link ID as part
of 'struct hostapd_freq_params'.
- Modifications to nl80211 driver.
- Modifications for the driver wrappers.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support to indicate link reconfiguration event reported by the QCA
vendor interface to the wpa_supplicant control interface.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add support to indicate TID-to-link mapping changes reported by the QCA
vendor interface to the wpa_supplicant control interface.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
The Linux kernel expects to use the AP MLD address in
NL80211_ATTR_PREV_BSSID for reassociation requests when the current
association is MLO capable.
Previously, wpa_supplicant was using the BSSID value in
NL80211_ATTR_PREV_BSSID even if the connection is MLO capable. Fix this
by sending the AP MLD address in NL80211_ATTR_PREV_BSSID for
reassociation requests when MLO is used.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
In some cases like unknown-group rejection, AP MLD can't parse the
received Authentication frame to the point of the Multi-Link element if
the group used by the peer is unknown to the AP MLD.
In such cases, AP MLD not including Multi-Link element in rejection
Authentication frames can be considered as standard compliant since AP
MLD doesn't know whether the received Authentication frame has
Multi-Link element or not.
To avoid connection issues in such cases, don't reject Authentication
frames without Multi-Link element when status code is other than
WLAN_STATUS_SUCCESS, WLAN_STATUS_SAE_HASH_TO_ELEMENT,
WLAN_STATUS_SAE_PK, and WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
When starting a new BSS as AP mode, the network configs have been passed
in from the BSS config. There is no need to scan before creating a new
BSS. Reuse connect_without_scan structure member to bypass scan when the
mode is WPAS_MODE_AP.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
If IEEE8021X_EAPOL is not defined wpa_supplicant will not compile with
following error:
events.c: In function 'wpa_supplicant_connect':
events.c:1827:14: warning: implicit declaration of function 'eap_is_wps_pbc_enrollee' [-Wimplicit-function-declaration]
1827 | if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
| ^~~~~~~~~~~~~~~~~~~~~~~
events.c:1827:43: error: 'struct wpa_ssid' has no member named 'eap'
1827 | if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
| ^~
Add ifdef statements around the calling function to fix the issue.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Some of the information elements added in IEEE Std 802.11ax-2013 for VHT
purposes have since then been taken into use for other cases and renamed
to remove the "VHT" prefix in the standard. Update the defines for those
elements in the implementation to match the names used in the current
standard.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant was skipping MLD APs from network selection when the AP
advertise legacy open, WPA2-Personal-only (PSK without SAE), or PMF
disabled. However, there are already some early Wi-Fi 7 APs in the
market which advertise legacy open, WPA2-Personal-only, or PMF disabled
even though these combinations are unlikely to be allowed for Wi-Fi 7 in
the end.
To avoid connectivity issues with such APs, allow stations to connect
with MLO disabled when an AP MLD is detected to advertise legacy open,
WPA2-Personal-only (PSK without SAE), or PMF disabled.
This reverts commit 7d8b96dcfd ("wpa_supplicant: Apply same
restrictions for MLD as for 6 GHz BSS") except WEP and TKIP checks,
i.e., AP MLDs which advertise only WEP or TKIP are still skipped from
network selection.
For the SME-in-wpa_supplicant case, skip configuring MLD parameters to
the driver if the STA can connect only in legacy open,
WPA2-Personal-only, or PMF disabled mode. For the SME-in-driver case, it
is the driver's responsibility to initiate connection with MLO disabled
with such APs.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The driver-initiated BSS selection case and the "Network configuration
found for the current AP" case ended up clearing the RSN state machine
information on AP RSNE/RSNXE. That could result in incorrect behavior if
some key management operations depended on accurate information. For
example, this could result in not deriving the KDK as part of the PTK
derivation and failing to complete 4-way handshake if both the AP and
the STA indicated support for Secure LTF.
If the scan results for the selected BSS are available, use those to
update the RSN state machine AP RSNE/RSNXE similarly to the way this is
done with wpa_supplicant selects the BSS instead of clearing that
information in the RSN state machine.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It is possible for a new BSS entry to be added for the
hidden-SSID-OWE-BSS when running a new scan after having previously
learned the hidden SSID during a previous OWE connection attempt. That
new entry would not necessarily have the WPA_BSS_OWE_TRANSITION flag set
and that would result in not being able to recognize the appropriate OWE
profile when checking the association event against the transition mode
configuration.
Fix this by updating the BSS entry for OWE transition mode information
for the cases where this might happen.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Print correct expected AP MLD address information when the AP MLD
address validation fails in Authentication frames during external
authentication.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Fail MLD address validation only if Authentication frames IE parsing
actually failed, i.e., ignore all unknown IEs.
This is needed to avoid authentication failure when the Authentication
frames include IEs which are not handled by ieee802_11_parse_elems(),
e.g., AKM Suite Selector IE.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Export the "he" network profile item to be configurable from external
client side, like wpa_cli or NetworkManager. This follows the earlier
changes to allow the previously internal-only parameter (e.g., vht) to
be used for additional purposes for AP mode.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
In theory, each device that supports WMM (or the IEEE 802.11 QoS for
that matter) is expected to advertise how many replay counters it
supports and the peer device is supposed to use that information to
restrict the total number of different MSDU priorities (AC/UP) that
might be used. In practice, this is not really done in deployed devices
and instead, it is just assumed that everyone supports the eight
different replay counters so that there is no need to restrict which
MSDU priorities can be used.
hostapd implementation of WMM has advertised support for 16 PTKSA replay
counters from the beginning while wpa_supplicant has not had any code
for setting the supported replay counter fields in RSNE, i.e., has left
the value to 0 which implies that only a single replay counter is
supported. While this does not really result in any real issues with
deployed devices, this is not really correct behavior based on the
current IEEE 802.11 standard and the WMM specification.
Update wpa_supplicant to use similar design to the hostapd RSNE
generation by setting the number of supported PTKSA replay counters to
16 whenever WMM is enabled. For now, this is done based on the
association being for HT/VHT/HE/EHT and also based on the AP supporting
WMM since it is much more likely for the local device to support WMM and
eight replay counters (which can be indicated only with the value that
implies support for 16 counters since there is no separate value for 8).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add the channels 165 and 173 in allowed channels for ht40_plus. Also add
the allowed frequency 5825 (channel 165; channel center frequency index
171) for 80 MHz bandwidth.
Signed-off-by: Seevalamuthu Mariappan <quic_seevalam@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
The STATUS command showed the interface state as SCANNING even if mesh
bringup fails. This incorrect interface status can mislead
scripts/applications that rely on interface status to bring up different
type of virtual interfaces (AP/MESH) on a single radio.
Fix this by setting the interface status as INACTIVE if mesh bringup
fails.
Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
Retrieve the puncturing bitmap sent by the driver in channel switch
events and add a new member punct_bitmap in struct ch_switch to store
it.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add mesh_eht_enabled and eht ssid configuration parameters to include
EHT Capability and EHT Operation elements in mesh PLINK Action frames.
Update mesh_eht_enabled from EHT capability advertised for mesh mode.
Signed-off-by: Sathishkumar Muruganandam <quic_murugana@quicinc.com>
Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
Multi link stations are represented in the kernel using a single
station with multiple links and the first ADD_STA command also
creates the first link. Subsequent links should be added with
LINK_ADD commands.
Implement this logic and provide the required MLD information per
station/link.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add wowlan_disconnect_on_deinit=1 to wpa_supplicant_template, as
Android expects STA to be disconnected when wpa_supplicant is
terminated.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Currently, the PMK used by the driver is not updated to wpa_sm when
roaming is completed by the driver with the cached PMKSA and the
roam+auth event is indicated with the authorized flag.
To fix this, identify the PMKSA entry from the PMKID sent in
Reassociation Request frame and update the correct PMK to wpa_sm from
the PMKSA entry.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The flags that indicate that a channel is allowed for 80/160 MHz use
are divided according to the position of the control channel (e.g.,
HOSTAPD_CHAN_VHT_10_70, HOSTAPD_CHAN_VHT_30_50, etc.).
However, the position of the control channel does not add any extra
regulatory information because when trying to use a 80/160 MHz channel
all the desired bandwidth has to be allowed for 80/160 MHz use,
regardless of the control channel position.
In addition, these flags are set only if the driver reports one
regulatory rule that allows the entire 80/160 MHz bandwidth.
However, even when a 80/160 MHz channel is allowed, in some cases the
bandwidth will be split into several regulatory rules because
different segments of the bandwidth differ in other flags (that don't
affect the use of the bandwidth for VHT channels). So, in such cases
these flags will not be set, although VHT channels are allowed.
As the result, VHT channels will not be used although they are allowed
by the regulatory domain.
Fix this by introducing new flags that indicate if a 2 0MHz channel is
allowed to be used as a part of a wider (80/160 MHz) channel.
The new flags are set for each 20 MHz channel independently and thus
will be set even if the regulatory rules for the bandwidth are split.
A 80/160 MHz channel is allowed if all its 20 MHz sub-channels are
allowed for 80/160 MHz usage.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This allows the control interface to be used similarly to the way D-Bus
interface was extended to force a specific GO BSSID for optimizing
scanning.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow clients to specify the BSSID of an auto GO. If the auto GO has been
discovered on another interface, optimize scan frequency by performing
a single channel scan first. Android and ChromeOS use this to streamline
auto GO discovery.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
This enables connection managers to receive and use this information in
the same manner that other station information is exposed.
Signed-off-by: David Ruth <druth@chromium.org>
As a workup action during disassociation, wpa_supplicant checks if the
disconnection could have been caused by PSK mismatch during WPA 4-way
handshake with function could_be_psk_mismatch() in event.c. A MSG_INFO
message will be sent on the control interface when there could be a PSK
mismatch, and this heuristic can be useful to indicate if the
disconnection is caused by a wrong passphrase provided by the user.
Here, propagate a new D-Bus signal 'PskMismatch' to notify other
applicantions.
Signed-off-by: Yichen Yu <yichenyu@chromium.org>
- Do not try to enable 80 MHz if 40 MHz is disabled or not selected (e.g.,
due to obss_scan).
- If it is not possible to use 80 HMz or even 40 MHz, still attempt to
configure HE40/VHT40/HE20/VHT20 instead of bailing out.
- When bailing out, also disable HE.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
If the PHY supports both 5 GHz and 6 GHz bands, there will be two
different struct hostapd_hw_modes with mode HOSTAPD_MODE_IEEE80211A,
one for each band, with potentially different capabilities.
Check that the struct hostapd_hw_modes actually contains the frequency
before selecting it.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
ibss_mesh_setup_freq() has become a 342 line function with 23 local
variables, 1 or 2 goto labels depending on ifdefs and its logic is
quite unpredictable.
Split it into multiple functions. No functional change intended, it
should be bug-compatible with the original code, except for some log
messages that are skipped more often.
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
Add a new network profile option enable_4addr_mode=1 that puts an
interface in 4addr mode, for interfaces meant to be added to a bridge.
Signed-off-by: Konstantinos Natsakis <infradead.org@aleph-0.net>
wpa_supplicant_need_to_roam_within_ess() applies bias to the minimum
difference of the signal level required to roam if the roam is from 2.4
GHz to higher band, but doesn't apply bias if the roam is from a lower
band to 6 GHz. Add bias towards 6 GHz, as 6 GHz networks usually provide
higher throughput.
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
Move the logic of picking the best driver pref freq into a separate
function, and use this to extend the functionality for invitation
process.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Enable MLO for SAE authentication when the driver indicates the AP MLD
address in an external authentication request. The MAC address of the
interface on which the external authentication request received will be
used as the own MLD address.
This commit does below for enabling MLO during external SAE
authentication:
- Use MLD addresses for SAE authentication.
- Add Basic Multi-Link element with the own MLD address in SAE
Authentication frames.
- Send SAE Authentication frames with the source address as the own MLD
address, destination address and BSSID as the AP MLD address to the
driver.
- Validate the MLD address indicated by the AP in SAE Authentication
frames against the AP MLD address indicated in external authentication
request.
- Store the PMKSA with the AP MLD address after completing SAE
authentication.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The initial MACsec implementation required the EAP Session-Id to be at
least 65 octets long and by truncating the value to that length, the
practical limit of functional cases was limited to that exact length of
65 octets. While that happens to work with EAP method that use TLS, it
does not work with most other EAP methods.
Remove the EAP Session-Id length constraint and allow any length of the
Session-Id as long as the EAP method provides one. In addition, simplify
this be removing the unnecessary copying of the Session Id into a new
allocated buffer.
Fixes: dd10abccc8 ("MACsec: wpa_supplicant integration")
Fixes: a93b369c17 ("macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
python2 is deprecated so move script to python3.
While at it, make some minor adjustments.
Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
While checking for stale BSSes, the current time is used as a basis and
then based on age the stale check time is calculated, but if this is
done too early in the boot and if either BOOTTIME/MONOTONIC (the one
Zephyr uses by default) are used then the stale check time underflows
and goes to future causing active BSS entries in the scan to be treated
as stale and flushed.
Fix this by adding a check before calculating stale time and ignore this
check till the system reaches the BSS expiration time (this would never
happen with REALTIME clock).
Signed-off-by: Krishna T <krishna.t@nordicsemi.no>
Signed-off-by: Sridhar Nuvusetty <sridhar.nuvusetty@nordicsemi.no>
The RO variable is being assigned before the SSID is NULL checked, so,
any invalid configuration leads to a segmentation fault.
Fixes: d8d2b3a338 ("Implement read-only mode for SSIDs from the additional config (-I)")
Signed-off-by: Chaitanya Tata <chaitanya.tk17@gmail.com>
The previous implementation handles PMKSA cache attempts with AP MLD
address only for SME-in-wpa_supplicant cases since wpa_s->valid_links
wouldn't be set for SME-in-driver cases.
Fix SME-in-driver behavior by enabling PMKSA cache attempts with AP MLD
address when driver supports MLO and SME offload to driver.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Store PMKSA with AP MLD address while processing connect event for OWE
and FILS when the connection is MLO capable.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
It was possible to hit a case where the SAE PT had not yet been derived,
e.g., when using P2P group re-invocation. Update PT use at the time
authentication is started, if needed, to avoid this. While this is not
really ideal from the externally observable timing view point, this is
done only for the case where there is no other option available with a
dynamically changing network configuration for P2P. Similar design was
already in place for the SAE offload-from-driver (external auth) case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Both P2P GO and client always save key_mgmt = WPA_KEY_MGMT_PSK in the
configuration when storing a persistent group. Next time, when a GO is
started as an autonomous GO on a 6 GHz channel, it will change key_mgmt
to SAE and use hash-to-element mechanism, but the P2P client doesn't
change the parameter even if the group it wants to join is operating on
a 6 GHz channel. The P2P connection will be failed due to reason 'reject
due to mismatch with WPA/WPA2'.
Enable SAE-H2E for P2P client in this case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 3a0edb2cd8 ("SAE: Enable H2E for 6 GHz BSS") started enabling
H2E automatically for SAE use on the 6 GHz band, but it did not update
these steps in verifying whether the STA has matching configuration for
a BSS that mandates use of H2E and whether to use PT for SAE in SME.
Update these to be aware of automatic H2E enabling.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>