Commit graph

5674 commits

Author SHA1 Message Date
Veerendranath Jakkam
d320692d91 AP MLD: Handle new STA event when using SME offload to the driver
Parse link id and station MLD address received from the driver in the
NL80211_CMD_NEW_STA event.

Set MLO information of the station to the sta_info and wpa_sm.

Co-authored-by: Manaswini Paluri <quic_mpaluri@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-07-21 19:57:25 +03:00
Kiran Kumar Lokere
4636476b7f Set RRM used config if the (Re)Association Request frame has RRM IE
Set the sme RRM used config if the RRM element is present in the
(Re)Association Request frame sent in association event to cover the
cases where the driver SME takes care of negotiating RRM capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-07-18 16:40:59 +03:00
Jouni Malinen
8e6485a1bc PEAP client: Update Phase 2 authentication requirements
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
 * 0 = do not require Phase 2 authentication
 * 1 = require Phase 2 authentication when client certificate
   (private_key/client_cert) is no used and TLS session resumption was
   not used (default)
 * 2 = require Phase 2 authentication in all cases

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-07-17 21:09:26 +03:00
Jouni Malinen
aa4b8492e4 AP MLD: Provide Link ID when requesting current seqnum for a group key
This is needed to match the key configuration design with a single
netdev and the nl80211 driver interface.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-15 17:43:17 +03:00
Andrei Otcheretianski
172b0a9a2b AP/driver: Add link ID to send EAPOL callbacks
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 16:26:56 +03:00
Ilan Peer
5a61644fff driver: Specify link ID for 'send_mlme' and 'sta_deauth' callbacks
This is needed for the driver to know on which link it should transmit
the frames in MLO cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 16:26:49 +03:00
Ilan Peer
e3605e8093 driver: Allow to provide a link ID when setting a channel
This includes:

- Modifications of the driver API, to include the link ID as part
  of 'struct hostapd_freq_params'.
- Modifications to nl80211 driver.
- Modifications for the driver wrappers.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-06 20:44:25 +03:00
Veerendranath Jakkam
8e16372cff Indicate link reconfiguration with QCA vendor interface
Add support to indicate link reconfiguration event reported by the QCA
vendor interface to the wpa_supplicant control interface.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-06-01 18:21:13 +03:00
Shivani Baranwal
7b9070229d Indicate TID to link mapping changes with QCA vendor interface
Add support to indicate TID-to-link mapping changes reported by the QCA
vendor interface to the wpa_supplicant control interface.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2023-06-01 18:12:03 +03:00
Veerendranath Jakkam
df2f22faf9 MLD STA: Use AP MLD address as previous BSSID for reassociation requests
The Linux kernel expects to use the AP MLD address in
NL80211_ATTR_PREV_BSSID for reassociation requests when the current
association is MLO capable.

Previously, wpa_supplicant was using the BSSID value in
NL80211_ATTR_PREV_BSSID even if the connection is MLO capable. Fix this
by sending the AP MLD address in NL80211_ATTR_PREV_BSSID for
reassociation requests when MLO is used.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-05-25 18:06:50 +03:00
Veerendranath Jakkam
199b44213c MLD STA: Allow auth frames without ML IE for failure status codes
In some cases like unknown-group rejection, AP MLD can't parse the
received Authentication frame to the point of the Multi-Link element if
the group used by the peer is unknown to the AP MLD.

In such cases, AP MLD not including Multi-Link element in rejection
Authentication frames can be considered as standard compliant since AP
MLD doesn't know whether the received Authentication frame has
Multi-Link element or not.

To avoid connection issues in such cases, don't reject Authentication
frames without Multi-Link element when status code is other than
WLAN_STATUS_SUCCESS, WLAN_STATUS_SAE_HASH_TO_ELEMENT,
WLAN_STATUS_SAE_PK, and WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-05-25 18:03:58 +03:00
Jintao Lin
7337232203 wpa_supplicant: Skip scan before starting a BSS in AP mode
When starting a new BSS as AP mode, the network configs have been passed
in from the BSS config. There is no need to scan before creating a new
BSS. Reuse connect_without_scan structure member to bypass scan when the
mode is WPAS_MODE_AP.

Signed-off-by: Jintao Lin <jintaolin@chromium.org>
2023-04-28 21:06:10 +03:00
Nick Hainke
f45cf609c7 wpa_supplicant: Fix compiling without IEEE8021X_EAPOL
If IEEE8021X_EAPOL is not defined wpa_supplicant will not compile with
following error:

  events.c: In function 'wpa_supplicant_connect':
  events.c:1827:14: warning: implicit declaration of function 'eap_is_wps_pbc_enrollee' [-Wimplicit-function-declaration]
   1827 |         if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
        |              ^~~~~~~~~~~~~~~~~~~~~~~
  events.c:1827:43: error: 'struct wpa_ssid' has no member named 'eap'
   1827 |         if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
        |                                           ^~

Add ifdef statements around the calling function to fix the issue.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-28 20:59:30 +03:00
Benjamin Poirier
c62e94d793 Add missing driver entries to wpa_supplicant documentation
There are possible more entries missing but I added only the ones I was
actually able to build.

Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
2023-04-28 20:53:24 +03:00
Jouni Malinen
5d285040d6 Rename VHT elements to match the standard
Some of the information elements added in IEEE Std 802.11ax-2013 for VHT
purposes have since then been taken into use for other cases and renamed
to remove the "VHT" prefix in the standard. Update the defines for those
elements in the implementation to match the names used in the current
standard.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-04-26 23:10:03 +03:00
Veerendranath Jakkam
8bc84fceeb Allow MLO disabled connection to legacy open/WPA2-Personal-only AP MLDs
wpa_supplicant was skipping MLD APs from network selection when the AP
advertise legacy open, WPA2-Personal-only (PSK without SAE), or PMF
disabled. However, there are already some early Wi-Fi 7 APs in the
market which advertise legacy open, WPA2-Personal-only, or PMF disabled
even though these combinations are unlikely to be allowed for Wi-Fi 7 in
the end.

To avoid connectivity issues with such APs, allow stations to connect
with MLO disabled when an AP MLD is detected to advertise legacy open,
WPA2-Personal-only (PSK without SAE), or PMF disabled.

This reverts commit 7d8b96dcfd ("wpa_supplicant: Apply same
restrictions for MLD as for 6 GHz BSS") except WEP and TKIP checks,
i.e., AP MLDs which advertise only WEP or TKIP are still skipped from
network selection.

For the SME-in-wpa_supplicant case, skip configuring MLD parameters to
the driver if the STA can connect only in legacy open,
WPA2-Personal-only, or PMF disabled mode. For the SME-in-driver case, it
is the driver's responsibility to initiate connection with MLO disabled
with such APs.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-25 17:04:44 +03:00
Jouni Malinen
b9c3b57a99 Update AP RSNE/RSNXE to RSN state machine on driver-selected BSS cases
The driver-initiated BSS selection case and the "Network configuration
found for the current AP" case ended up clearing the RSN state machine
information on AP RSNE/RSNXE. That could result in incorrect behavior if
some key management operations depended on accurate information. For
example, this could result in not deriving the KDK as part of the PTK
derivation and failing to complete 4-way handshake if both the AP and
the STA indicated support for Secure LTF.

If the scan results for the selected BSS are available, use those to
update the RSN state machine AP RSNE/RSNXE similarly to the way this is
done with wpa_supplicant selects the BSS instead of clearing that
information in the RSN state machine.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-04-25 13:30:08 +03:00
Jouni Malinen
6972b0fa2b OWE: Update transition mode information on selecting a new BSS
It is possible for a new BSS entry to be added for the
hidden-SSID-OWE-BSS when running a new scan after having previously
learned the hidden SSID during a previous OWE connection attempt. That
new entry would not necessarily have the WPA_BSS_OWE_TRANSITION flag set
and that would result in not being able to recognize the appropriate OWE
profile when checking the association event against the transition mode
configuration.

Fix this by updating the BSS entry for OWE transition mode information
for the cases where this might happen.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-04-25 12:04:01 +03:00
Veerendranath Jakkam
6002fe87d8 SAE: Fix expected AP MLD address info in a debug print
Print correct expected AP MLD address information when the AP MLD
address validation fails in Authentication frames during external
authentication.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-19 11:51:43 +03:00
Veerendranath Jakkam
c70405cef6 MLD STA: Do not fail on unknown IEs in Authentication frames
Fail MLD address validation only if Authentication frames IE parsing
actually failed, i.e., ignore all unknown IEs.

This is needed to avoid authentication failure when the Authentication
frames include IEs which are not handled by ieee802_11_parse_elems(),
e.g., AKM Suite Selector IE.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-19 11:50:55 +03:00
Chaoli Zhou
e8912452ed Export wpa_supplicant config item 'he' for external configuration
Export the "he" network profile item to be configurable from external
client side, like wpa_cli or NetworkManager. This follows the earlier
changes to allow the previously internal-only parameter (e.g., vht) to
be used for additional purposes for AP mode.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2023-04-19 11:34:38 +03:00
Jouni Malinen
07a7bcd7ea WMM: Advertise support for 16 PTKSA replay counters for non-AP STA
In theory, each device that supports WMM (or the IEEE 802.11 QoS for
that matter) is expected to advertise how many replay counters it
supports and the peer device is supposed to use that information to
restrict the total number of different MSDU priorities (AC/UP) that
might be used. In practice, this is not really done in deployed devices
and instead, it is just assumed that everyone supports the eight
different replay counters so that there is no need to restrict which
MSDU priorities can be used.

hostapd implementation of WMM has advertised support for 16 PTKSA replay
counters from the beginning while wpa_supplicant has not had any code
for setting the supported replay counter fields in RSNE, i.e., has left
the value to 0 which implies that only a single replay counter is
supported. While this does not really result in any real issues with
deployed devices, this is not really correct behavior based on the
current IEEE 802.11 standard and the WMM specification.

Update wpa_supplicant to use similar design to the hostapd RSNE
generation by setting the number of supported PTKSA replay counters to
16 whenever WMM is enabled. For now, this is done based on the
association being for HT/VHT/HE/EHT and also based on the AP supporting
WMM since it is much more likely for the local device to support WMM and
eight replay counters (which can be indicated only with the value that
implies support for 16 counters since there is no separate value for 8).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-04-18 11:40:10 +03:00
Seevalamuthu Mariappan
bb945b98fe Add 40 and 80 MHz channels 165 and 173 for 5 GHz IBSS/mesh
Add the channels 165 and 173 in allowed channels for ht40_plus. Also add
the allowed frequency 5825 (channel 165; channel center frequency index
171) for 80 MHz bandwidth.

Signed-off-by: Seevalamuthu Mariappan <quic_seevalam@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <quic_rajkbhag@quicinc.com>
2023-03-29 18:37:31 +03:00
Hari Chandrakanthan
5349a45d32 Set interface state as inactive if mesh bringup fails
The STATUS command showed the interface state as SCANNING even if mesh
bringup fails. This incorrect interface status can mislead
scripts/applications that rely on interface status to bring up different
type of virtual interfaces (AP/MESH) on a single radio.

Fix this by setting the interface status as INACTIVE if mesh bringup
fails.

Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
2023-03-29 18:09:06 +03:00
Aloka Dixit
e3621867c5 EHT: Process puncturing bitmap from channel switch event
Retrieve the puncturing bitmap sent by the driver in channel switch
events and add a new member punct_bitmap in struct ch_switch to store
it.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2023-03-17 19:49:57 +02:00
Sathishkumar Muruganandam
44b32a7526 mesh: Add EHT support
Add mesh_eht_enabled and eht ssid configuration parameters to include
EHT Capability and EHT Operation elements in mesh PLINK Action frames.

Update mesh_eht_enabled from EHT capability advertised for mesh mode.

Signed-off-by: Sathishkumar Muruganandam <quic_murugana@quicinc.com>
Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
2023-03-09 16:19:09 +02:00
Andrei Otcheretianski
df6561ec06 nl80211: AP MLD support for adding multi link stations
Multi link stations are represented in the kernel using a single
station with multiple links and the first ADD_STA command also
creates the first link. Subsequent links should be added with
LINK_ADD commands.

Implement this logic and provide the required MLD information per
station/link.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-03-07 21:43:41 +02:00
Hu Wang
a9012070a6 Android: Add wowlan_disconnect_on_deinit to template configuration
Add wowlan_disconnect_on_deinit=1 to wpa_supplicant_template, as
Android expects STA to be disconnected when wpa_supplicant is
terminated.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-27 21:02:09 +02:00
Veerendranath Jakkam
b2bf7e39ec Update PMK in wpa_sm when roam+auth event indicated with authorized flag
Currently, the PMK used by the driver is not updated to wpa_sm when
roaming is completed by the driver with the cached PMKSA and the
roam+auth event is indicated with the authorized flag.

To fix this, identify the PMKSA entry from the PMKID sent in
Reassociation Request frame and update the correct PMK to wpa_sm from
the PMKSA entry.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-02-23 13:16:52 +02:00
Avraham Stern
6b9c86466c nl80211: Replace the channel flags for VHT support
The flags that indicate that a channel is allowed for 80/160 MHz use
are divided according to the position of the control channel (e.g.,
HOSTAPD_CHAN_VHT_10_70, HOSTAPD_CHAN_VHT_30_50, etc.).

However, the position of the control channel does not add any extra
regulatory information because when trying to use a 80/160 MHz channel
all the desired bandwidth has to be allowed for 80/160 MHz use,
regardless of the control channel position.

In addition, these flags are set only if the driver reports one
regulatory rule that allows the entire 80/160 MHz bandwidth.
However, even when a 80/160 MHz channel is allowed, in some cases the
bandwidth will be split into several regulatory rules because
different segments of the bandwidth differ in other flags (that don't
affect the use of the bandwidth for VHT channels). So, in such cases
these flags will not be set, although VHT channels are allowed.

As the result, VHT channels will not be used although they are allowed
by the regulatory domain.

Fix this by introducing new flags that indicate if a 2 0MHz channel is
allowed to be used as a part of a wider (80/160 MHz) channel.
The new flags are set for each 20 MHz channel independently and thus
will be set even if the regulatory rules for the bandwidth are split.

A 80/160 MHz channel is allowed if all its 20 MHz sub-channels are
allowed for 80/160 MHz usage.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-02-22 21:44:09 +02:00
Jouni Malinen
c31600ce12 P2P: Allow GO BSSID to be specified for P2P_GROUP_ADD commands
This allows the control interface to be used similarly to the way D-Bus
interface was extended to force a specific GO BSSID for optimizing
scanning.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-22 14:11:17 +02:00
Matthew Wang
0430756e65 P2P: Optimize join scan frequency
Allow clients to specify the BSSID of an auto GO. If the auto GO has been
discovered on another interface, optimize scan frequency by performing
a single channel scan first. Android and ChromeOS use this to streamline
auto GO discovery.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-02-22 13:40:21 +02:00
Emeel Hakim
6d24673ab8 mka: Allow configuration of MACsec hardware offload
Add new configuration parameter macsec_offload to allow user to set up
MACsec hardware offload feature.

Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
2023-02-21 19:26:47 +02:00
Jouni Malinen
3f3e356fa0 Mark addr argument to storing PTKSA const
This is not being modified, so mark it const to be more flexible for the
caller.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-21 17:27:29 +02:00
David Ruth
edcad193ae dbus: Add inactive time to D-Bus signal info
This enables connection managers to receive and use this information in
the same manner that other station information is exposed.

Signed-off-by: David Ruth <druth@chromium.org>
2023-02-21 13:51:24 +02:00
Yichen Yu
a678a510fb dbus: Add D-Bus signal for PSK mismatch heuristics
As a workup action during disassociation, wpa_supplicant checks if the
disconnection could have been caused by PSK mismatch during WPA 4-way
handshake with function could_be_psk_mismatch() in event.c. A MSG_INFO
message will be sent on the control interface when there could be a PSK
mismatch, and this heuristic can be useful to indicate if the
disconnection is caused by a wrong passphrase provided by the user.
Here, propagate a new D-Bus signal 'PskMismatch' to notify other
applicantions.

Signed-off-by: Yichen Yu <yichenyu@chromium.org>
2023-02-21 11:24:06 +02:00
Nicolas Cavallari
f4a7e2a07c Rework IBSS/mesh 80 MHz channel selection
- Do not try to enable 80 MHz if 40 MHz is disabled or not selected (e.g.,
  due to obss_scan).
- If it is not possible to use 80 HMz or even 40 MHz, still attempt to
  configure HE40/VHT40/HE20/VHT20 instead of bailing out.
- When bailing out, also disable HE.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
2023-02-21 00:32:37 +02:00
Nicolas Cavallari
f91f971bde Fix creating 6 GHz IBSS/mesh on 5/6 GHz-capable PHYs
If the PHY supports both 5 GHz and 6 GHz bands, there will be two
different struct hostapd_hw_modes with mode HOSTAPD_MODE_IEEE80211A,
one for each band, with potentially different capabilities.

Check that the struct hostapd_hw_modes actually contains the frequency
before selecting it.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
2023-02-21 00:32:10 +02:00
Nicolas Cavallari
c623cee421 Make arrays static const in ibss_mesh_select_*()
Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
2023-02-21 00:32:08 +02:00
Nicolas Cavallari
64043e6156 Split ibss_mesh_setup_freq() into multiple functions
ibss_mesh_setup_freq() has become a 342 line function with 23 local
variables, 1 or 2 goto labels depending on ifdefs and its logic is
quite unpredictable.

Split it into multiple functions. No functional change intended, it
should be bug-compatible with the original code, except for some log
messages that are skipped more often.

Signed-off-by: Nicolas Cavallari <nicolas.cavallari@green-communications.fr>
2023-02-21 00:28:11 +02:00
Konstantinos Natsakis
8085a7e656 wpa_supplicant: Add option to explicitly set 4addr mode
Add a new network profile option enable_4addr_mode=1 that puts an
interface in 4addr mode, for interfaces meant to be added to a bridge.

Signed-off-by: Konstantinos Natsakis <infradead.org@aleph-0.net>
2023-02-21 00:00:07 +02:00
Kaidong Wang
1ffc7d1c65 Apply bias towards 6 GHz in roaming
wpa_supplicant_need_to_roam_within_ess() applies bias to the minimum
difference of the signal level required to roam if the roam is from 2.4
GHz to higher band, but doesn't apply bias if the roam is from a lower
band to 6 GHz. Add bias towards 6 GHz, as 6 GHz networks usually provide
higher throughput.

Signed-off-by: Kaidong Wang <kaidong@chromium.org>
2023-02-20 23:52:18 +02:00
Remco Rijnders
97405be969 Small textual improvements to wpa_supplicant man page
Signed-off-by: Remco Rijnders <remco@webconquest.com>
2023-02-20 19:38:02 +02:00
Hu Wang
4ae798a22c P2P: Pick the best driver pref freq for invitation process
Move the logic of picking the best driver pref freq into a separate
function, and use this to extend the functionality for invitation
process.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-20 19:37:26 +02:00
Veerendranath Jakkam
c91852044d MLD STA: Add support for SAE external authentication offload to userspace
Enable MLO for SAE authentication when the driver indicates the AP MLD
address in an external authentication request. The MAC address of the
interface on which the external authentication request received will be
used as the own MLD address.

This commit does below for enabling MLO during external SAE
authentication:
- Use MLD addresses for SAE authentication.
- Add Basic Multi-Link element with the own MLD address in SAE
  Authentication frames.
- Send SAE Authentication frames with the source address as the own MLD
  address, destination address and BSSID as the AP MLD address to the
  driver.
- Validate the MLD address indicated by the AP in SAE Authentication
  frames against the AP MLD address indicated in external authentication
  request.
- Store the PMKSA with the AP MLD address after completing SAE
  authentication.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-02-15 23:49:59 +02:00
Jouni Malinen
72b8193f41 MACsec: Remove EAP Session-Id length constraint
The initial MACsec implementation required the EAP Session-Id to be at
least 65 octets long and by truncating the value to that length, the
practical limit of functional cases was limited to that exact length of
65 octets. While that happens to work with EAP method that use TLS, it
does not work with most other EAP methods.

Remove the EAP Session-Id length constraint and allow any length of the
Session-Id as long as the EAP method provides one. In addition, simplify
this be removing the unnecessary copying of the Session Id into a new
allocated buffer.

Fixes: dd10abccc8 ("MACsec: wpa_supplicant integration")
Fixes: a93b369c17 ("macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-10 12:31:01 +02:00
Mordechay Goodstein
2cff340d17 utils: Move log2pcap to python3
python2 is deprecated so move script to python3.
While at it, make some minor adjustments.

Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-02-01 18:34:57 +02:00
Krishna T
12de8112b7 Fix BSS age underflow
While checking for stale BSSes, the current time is used as a basis and
then based on age the stale check time is calculated, but if this is
done too early in the boot and if either BOOTTIME/MONOTONIC (the one
Zephyr uses by default) are used then the stale check time underflows
and goes to future causing active BSS entries in the scan to be treated
as stale and flushed.

Fix this by adding a check before calculating stale time and ignore this
check till the system reaches the BSS expiration time (this would never
happen with REALTIME clock).

Signed-off-by: Krishna T <krishna.t@nordicsemi.no>
Signed-off-by: Sridhar Nuvusetty <sridhar.nuvusetty@nordicsemi.no>
2023-02-01 18:30:27 +02:00
Krishna
d31c2b43aa Fix segfault in case of an invalid configuration
The RO variable is being assigned before the SSID is NULL checked, so,
any invalid configuration leads to a segmentation fault.

Fixes: d8d2b3a338 ("Implement read-only mode for SSIDs from the additional config (-I)")
Signed-off-by: Chaitanya Tata <chaitanya.tk17@gmail.com>
2023-02-01 18:24:13 +02:00
Veerendranath Jakkam
a32b424a3d MLD STA: Use AP MLD address in PMKSA cache attempts for driver-SME case
The previous implementation handles PMKSA cache attempts with AP MLD
address only for SME-in-wpa_supplicant cases since wpa_s->valid_links
wouldn't be set for SME-in-driver cases.

Fix SME-in-driver behavior by enabling PMKSA cache attempts with AP MLD
address when driver supports MLO and SME offload to driver.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-01-31 11:20:18 +02:00