Commit graph

5674 commits

Author SHA1 Message Date
Vinay Gannevaram
96a604128b Use separate PASN capabilities for AP and STA modes
Use separate capabilities for AP and STA modes for P802.11az security
parameters secure LTF support, secure RTT measurement exchange support,
and protection of range negotiation and measurement management frames
support.

P802.11az security parameters are considered to be supported for both
station and AP modes if the driver sets NL80211_EXT_FEATURE_SECURE_LTF,
NL80211_EXT_FEATURE_SECURE_RTT, and
NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE flags. The driver can
advertize capabilities specific to each mode using
QCA_WLAN_VENDOR_FEATURE_SECURE_LTF*,
QCA_WLAN_VENDOR_FEATURE_SECURE_RTT*, and
QCA_WLAN_VENDOR_FEATURE_PROT_RANGE_NEGO_AND_MEASURE* flags.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 18:59:52 +03:00
Vinayak Yadawad
909fa448e0 EAPOL: Update PMK length in EAPOL callback to support longer keys
With introduction of newer AKMs, there is a need to update the PMK
length plumbed for the driver based 4-way handshake. To support this,
the current update the PMK length to 48, if the key management type uses
SHA-384. This is needed, e.g., for SUITE-B-192.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2022-08-31 17:23:45 +03:00
Jouni Malinen
723eb4f389 P2P: Fix a typo in a comment about removing 6 GHz channels
This was supposed to be talking about excluding 6 GHz channels, not 5
GHz.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-31 17:14:58 +03:00
Hector Jiang
e9627f8c32 P2P: Skip 6 GHz band directly if 6 GHz P2P is disabled
If 6 GHz is supported by the device but 6 GHz P2P is disabled, P2P
invitation would fail if the GO select an operating channel which is not
the preferred channel. The root cause is that the 5 GHz and 6 GHz bands
are both HOSTAPD_MODE_IEEE80211A so the 5 GHz channels would be added
twice for the P2P Client's following scanning frequency list. This will
cause scanning to fail with -EINVAL. Fix this by adding the 5 GHz
channels only once.

Signed-off-by: Hector Jiang <jianghaitao@zeku.com>
2022-08-31 17:12:58 +03:00
Seongsu Choi
03f7f633a2 Fix wrong AKM priority for FILS
According to the OCE specification, the STA shall select the AKM in
priority order from the list below.

1. FT Authentication over FILS (SHA-384) 00-0F-AC:17
2. FILS (SHA-384) 00-0F-AC:15
3. FT Authentication over FILS (SHA-256) 00-0F-AC:16
4. FILS (SHA-256) 00-0F-AC:14
5. FT Authentication using IEEE Std 802.1X (SHA-256) 00-0F-AC:3
6. Authentication using IEEE Std 802.1X (SHA-256) 00-0F-AC:5
7. Authentication using IEEE Std 802.1X 00-0F-AC:1

Move the FT-FILS-SHA256 check to be after the FILS-SHA384 one to match
this.

Signed-off-by: Seongsu Choi <seongsu.choi@samsung.com>
2022-08-31 17:02:03 +03:00
Veerendranath Jakkam
5de45546d5 Add support to send multi AKM connect request when driver's SME in use
Add support to configure SAE, PSK, and PSK-SHA256 AKMs in connect
request when driver's SME in use. This is needed for implementing
WPA3-Personal transition mode correctly with any driver that handles
roaming internally.

Send additional AKMs configured in network block to driver based on
the maximum number of AKMs allowed by driver in connect request. Keep
first AKM in the list AKMs in the connect request as AKM selected by
wpa_supplicant to maintain backwards compatibility.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-08-26 17:54:12 +03:00
Veerendranath Jakkam
0ce1545dcb nl80211: Determine maximum number of supported AKMs
Use the recently added attribute to determine whether the kernel
supports a larger number of AKM suites in various commands.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-08-26 17:27:45 +03:00
Veerendranath Jakkam
48c620829c Update PSK after cross AKM roaming to WPA-PSK when driver's SME in use
4-way handshake was failing after the driver roam from SAE to WPA-PSK
due to wpa_sm having an old PMK which was generated during previous SAE
connection.

To fix this update PSK to wpa_sm when AKM changes from SAE to WPA-PSK
for the target AP to have a correct PMK for 4-way handshake. Also,
update PSK to the driver when key management offload is enabled.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-08-26 17:27:45 +03:00
Jouni Malinen
4ae14deeef DPP3: Use chirping channel list in PB discovery
This design was changed in the draft specification, so update
implementation to match the new design. Instead of including all
supported 2.4 and 5 GHz channels, generate the channel list using the
same mechanism that was already used for chirping.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-25 15:59:13 +03:00
Jouni Malinen
c58be1d8fd DPP: Channel list generation for presence announcement to helper funcion
This procedure will be used for PB discovery as well, so move the
frequency array generation into a helper function.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-25 12:19:58 +03:00
Jouni Malinen
57968faea5 DPP: Do not discard network introduction frames in test mode
dpp_discard_public_action=1 was not supposed to prevent network
introduction, i.e., it was only for frames that could go through the
DPP-over-TCP path. Fix this not to prevent network introduction when
using DPP-over-TCP to configure a DPP AKM profile.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-24 18:31:54 +03:00
Jouni Malinen
d72302c6b6 DPP: Do not use 6 GHz channels for push button
For now, do not include 6 GHz channels since finding a Configurator from
a large number of channels would take excessive amount of time.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-22 19:09:27 +03:00
Jouni Malinen
89de431f23 DPP: Add config response status value to DPP-CONF-SENT
This can be helpful for upper layers to be able to determine whether the
configuration was rejected.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-29 18:55:37 +03:00
Purushottam Kushwaha
ef4cd8e33c QoS: Use common classifier_mask for ipv4/ipv6
ipv4_params/ip6_params in type4_params maintains separate classifier
mask while type4_params already has a common classifier_mask. Lets
use the common classifier mask for both ipv4/ipv6 params and remove
the redundant params_mask in ipv4_params/ip6_params.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2022-07-28 12:31:37 +03:00
Jouni Malinen
4cfb484e90 DPP: Allow dpp_controller_start without arguments in CLIs
The DPP_CONTROLLER_START control interface command can be used without
any arguments, so do not force at least a single argument to be included
in wpa_cli and hostapd_cli.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-27 12:33:40 +03:00
Jouni Malinen
c97000933c Fix ifdef condition for imsi_privacy_cert
CRYPTO_RSA_OAEP_SHA256 is not sufficient here since ssid->eap does not
exist without IEEE8021X_EAPOL.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 11:12:11 +03:00
Jouni Malinen
e81ec0962d SAE: Use H2E unconditionally with the new AKM suites
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
f8eed2e8b8 SAE: Store PMK length and AKM in SAE data
These are needed to be able to support new AKM suites with variable
length PMK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
a32ef3cfb2 SAE: Driver capability flags for the new SAE AKM suites
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
91df8c9c65 SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
5c8a714b18 SAE: Use wpa_key_mgmt_sae() helper
Use the existing helper function instead of maintaining multiple copies
of lists of SAE key management suites.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
def33101c8 DPP: Clear push button announcement state on wpa_supplicant FLUSH
This was already done in hostapd and same is needed for wpa_supplicant
to avoid testing issues due to session overlap detection from previous
test cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
d2388bcca5 DPP: Strict validation of PKEX peer bootstrapping key during auth
Verify that the peer does not change its bootstrapping key between the
PKEX exchange and the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:08:08 +03:00
Jouni Malinen
a7b8cef8b7 DPP3: Fix push button boostrapping key passing through PKEX
When PKEX was started through the push button mechanism, the own
bootstrapping key was not bound correctly to the Authentication phase
information and that ended up in incorrectly generating a new
bootstrapping key for the Authentication exchange. Fix this by added the
needed own=<id> parameter into the cached parameters when using push
button.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:06:04 +03:00
Jouni Malinen
69d7c8e6bb DPP: Add peer=id entry for PKEX-over-TCP case
The peer=<id> information about the specific boostrapping key provided
through PKEX was added for Public Action frame cases, but the TCP
variant did not do same. Add the same information there to maintain
knowledge of the specific peer bootstrapping key from PKEX to
Authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:04:08 +03:00
Jouni Malinen
1ff9251a83 DPP3: Push button Configurator in wpa_supplicant
Extend DPP push button support in wpa_supplicant to allow the role of
the Configurator to be used. This provides similar functionality to the
way the DPP_PUSH_BUTTON command in hostapd worked when providing the
configuration parameters with that command (instead of building the
config object based on current AP configuration).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 12:28:18 +03:00
Jouni Malinen
e9137950fa DPP: Recognize own PKEX Exchange Request if it ends up being received
It is possible for a Controller to receive a copy of its own PKEX
Exchange Request in the case where the Controller is initiating a PKEX
exchange through a Relay. The Configurator role in the device would have
a matching PKEX code in that case and the device might reply as a PKEX
responder which would result in going through the exchange with the
Controller device itself. That is clearly not desired, so recognize this
special case by checking whether the Encrypted Key attribute value
matches a pending locally generated one when processing a received PKEX
Exchange Request.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 20:30:07 +03:00
Jouni Malinen
6929564467 DPP: Note PKEX code/identifier deletion in debug log
This was already done in hostapd, but not in wpa_supplicant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 17:48:54 +03:00
Jouni Malinen
15af83cf18 DPP: Delete PKEX code and identifier on success completion of PKEX
We are not supposed to reuse these without being explicitly requested to
perform PKEX again. There is not a strong use case for being able to
provision an Enrollee multiple times with PKEX, so this should have no
issues on the Enrollee. For a Configurator, there might be some use
cases that would benefit from being able to use the same code with
multiple Enrollee devices, e.g., for guess access with a laptop and a
smart phone. That case will now require a new DPP_PKEX_ADD command on
the Configurator after each completion of the provisioning exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 23:28:33 +03:00
Jouni Malinen
479e412a67 DPP3: Default value for dpp_connector_privacy
The new global configuration parameter
dpp_connector_privacy_default=<0/1> can now be used to set the default
value for the dpp_connector_privacy parameter for all new networks
provisioned using DPP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
148de3e0dc DPP3: Private Peer Introduction protocol
Add a privacy protecting variant of the peer introduction protocol to
allow the station device to hide its Connector from 3rd parties. The new
wpa_supplicant network profile parameter dpp_connector_privacy=1 can be
used to select this alternative mechanism to the peer introduction
protocol added in the initial release of DPP.

It should be noted that the new variant does not work with older DPP APs
(i.e., requires support for release 3). As such, this new variant is
disabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
0e2217c95b DPP: Allow 3rd party information to be added into config request obj
This allows the DPP Configuration Request Object from an Enrollee to be
extended with 3rd party information. The new dpp_extra_conf_req_name and
dpp_extra_conf_req_value configuration parameters specify the name of
the added JSON node and its contents. For example:
dpp_extra_conf_req_name=org.example
dpp_extra_conf_req_value={"a":1,"b":"test"}

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-16 17:22:23 +03:00
Jouni Malinen
8db786a43b DPP3: Testing functionality for push button announcements
Allow the Responder/Initiator hash values to be corrupted in Push Button
Presence Announcement messages for testing purposes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-07 12:58:49 +03:00
Jouni Malinen
37bccfcab8 DPP3: Push button bootstrap mechanism
Add support to use a push button -based bootstrap mechanism with DPP.
The new DPP_PUSH_BUTTON control interface command enables this mode on
the AP/hostapd and station/wpa_supplicant. This goes through the
following sequence of events: a suitable peer in active push button mode
is discovered with session overlap detection, PKEX is executed with
bootstrap key hash validation, DPP authentication and configuration
exchanges are performed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-07 00:31:30 +03:00
Veerendranath Jakkam
085a3fc76e EHT: Add 320 channel width support
Add initial changes to support 320 MHz channel width.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
2022-06-20 14:39:26 +03:00
Aleti Nageshwar Reddy
bafe35df03 Move CHANWIDTH_* definitions from ieee80211_defs.h to defs.h
Move most of CHANWIDTH_* definitions from ieee80211_defs.h to defs.h as
the definitions are getting used mostly for internal purpose only. Also
change prefix of the definitions to CONF_OPER_CHWIDTH_* and update in
all the files accordingly.

Leave the couple of VHT-specific exceptions to use the old defines (the
reason why they were originally added as VHT values), to avoid use of
clearly marked configuration values in information elements. In
addition, use the defines instead of magic values where appropriate.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2022-06-20 14:39:18 +03:00
Xinyue Ling
6b461f68c7 Set current_ssid before changing state to ASSOCIATING
For hidden GBK encoding of a Chinese SSID, both the UTF-8 and GBK
encoding profiles are added into wpa_supplicant to make sure the
connection succeeds. In this situation, wpa_supplicant_select_network()
will not be called so current_ssid is NULL when association begins.

Android monitors the WPA_EVENT_STATE_CHANGE event to get the SSID and
BSSID. When connecting to a Chinese SSID, in case of association
rejection happens, Android will report null SSID to OEM APP because
current_ssid is updated after wpa_supplicant_set_state(wpa_s,
WPA_ASSOCIATING), which may cause confusion.

Fix this by setting the current_ssid before changing state to
ASSOCIATING.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-06-16 18:02:07 +03:00
Sreeramya Soratkal
4383528e01 P2P: Use weighted preferred channel list for channel selection
Previously, the driver could optionally (using QCA vendor command)
provide a preferred channel list to wpa_supplicant for channel selection
during the GO negotiation. Channel selection process can be more
efficient with the information of weights and flags of the preferred
channel list that can be provided by the driver. Use a weighted
preferred channel list provided by the driver for channel selection
during GO negotiation if such a list is available.

Signed-off-by: Sreeramya Soratkal <quic_ssramya@quicinc.com>
2022-06-02 17:09:10 +03:00
Jouni Malinen
9e305878c0 SAE-PK: Fix build without AES-SIV
CONFIG_SAE_PK=y was not pulling in AES-SIV implementation even though it
needs this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:23 +03:00
Jouni Malinen
5636991749 EAP-SIM/AKA peer: IMSI privacy attribute
Extend IMSI privacy functionality to allow an attribute (in name=value
format) to be added using the new imsi_privacy_attr parameter.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-25 20:18:40 +03:00
Jouni Malinen
1004fb7ee4 tests: Testing functionality to discard DPP Public Action frames
This can be used to make sure wpa_supplicant does not process DPP
messages sent in Public Action frames when a test setup is targeting
DPP-over-TCP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 23:30:39 +03:00
Jouni Malinen
99165cc4b0 Rename wpa_supplicant imsi_privacy_key configuration parameter
Use imsi_privacy_cert as the name of the configuration parameter for the
X.509v3 certificate that contains the RSA public key needed for IMSI
privacy. The only allowed format for this information is a PEM-encoded
X.509 certificate, so the previous name was somewhat confusing.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:44:03 +03:00
Jouni Malinen
1328cdeb19 Do not try to use network profile with invalid imsi_privacy_key
Disable a network profile that has set the imsi_privacy_key if a valid
key cannot be read from the specified file. Previously, this check was
done only after having associated, but there is no point in associating
just to see EAP authentication fail in such a case. This is needed for
avoiding connection attempts if the X.509 certificate for IMSI privacy
has expired.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:34:08 +03:00
Jouni Malinen
ed325ff0f9 DPP: Allow TCP destination (address/port) to be used from peer URI
tcp_addr=from-uri can now be used as a special case for initiating
DPP-over-TCP to the destination indicated in the peer bootstrapping URI.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-19 22:53:36 +03:00
Jouni Malinen
b859b9bcea Simplify wpa_bss_get_vendor_ie_multi_beacon() bounds checking
This makes it easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:28:58 +03:00
Jouni Malinen
63eb98a8ee SAE: Make Anti-Clogging token element parsing simpler
This will hopefully be easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:14:34 +03:00
Jouni Malinen
a6e04a0676 Simplify DSCP policy parsing
Make the bounds checking easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:09:08 +03:00
Jouni Malinen
3f3ce0571c Check sscanf() return value in TWT_SETUP parsing
Reject invalid values instead of proceeding.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:55:45 +03:00
Jouni Malinen
6e8518749f GAS: Limit maximum comeback delay value
Limit the GAS comeback delay to 60000 TUs, i.e., about 60 seconds. This
is mostly to silence static analyzers that complain about unbounded
value from external sources even though this is clearly bounded by being
a 16-bit value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:41:37 +03:00
Jouni Malinen
fe1dc9ba77 WNM: Try to make bounds checking easier for static analyzers
The length of the URL, i.e., pos[0], is verified here to be within the
bounds of the recieved message, but that seemed to be done in a manner
that might bee too complex for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:41:31 +03:00
Jouni Malinen
993eb12407 FST: Make sure get_hw_modes() callback is set for hostapd
It looks like fst_wpa_obj::get_hw_modes would have been left
uninitialized in hostapd. It is not obviously clear why this would not
have caused issues earlier, but in any case, better make this set
properly to allow unexpected behavior should that function pointer ever
be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 00:27:51 +03:00
Ilan Peer
79dc7f6190 scan: Add option to disable 6 GHz collocated scanning
Add a parameter (non_coloc_6ghz=1) to the manual scan command to disable
6 GHz collocated scanning.

This option can be used to disable 6 GHz collocated scan logic. Note
that due to limitations on Probe Request frame transmissions on the 6
GHz band mandated in IEEE Std 802.11ax-2021 it is very likely that
non-PSC channels would be scanned passively and this can take a
significant amount of time.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2022-05-07 21:37:08 +03:00
Tova Mussai
3b8d9da9b5 nl80211: Set NL80211_SCAN_FLAG_COLOCATED_6GHZ in scan
Set NL80211_SCAN_FLAG_COLOCATED_6GHZ in the scan parameters to enable
scanning for co-located APs discovered based on neighbor reports from
the 2.4/5 GHz bands when not scanning passively. Do so only when
collocated scanning is not disabled by higher layer logic.

Signed-off-by: Tova Mussai <tova.mussai@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2022-05-07 21:37:08 +03:00
Jouni Malinen
3c2fbe9f56 Discard unencrypted EAPOL-EAP when TK is set and PMF is enabled
RSN design is supposed to encrypt all Data frames, including EAPOL
frames, once the TK has been configured. However, there are deployed
implementations that do not really follow this design and there are
various examples from the older uses of EAPOL frame where those frames
were not encrypted. As such, strict filtering of unencrypted EAPOL
frames might results in undesired interoperation issues.

However, some of the most important cases of missing EAPOL frame
encryption should be possible to handle without causing too significant
issues. These are for cases where an attacker could potentially cause an
existing association to be dropped when PMF is used. EAP-Request is one
potential candidate for such attacks since that frame could be used to
initiate a new EAP authentication and the AP/Authenticator might not
allow that to complete or a large number of EAP-Request frames could be
injected to exceed the maximum number of EAP frames. Such an attack
could result in the station ending up disconnecting or at minimum,
getting into somewhat mismatching state with the AP.

Drop EAPOL-EAP frames when it is known that it was not encrypted but
should have been and when PMF is enabled. While it would be correct to
drop this even without PMF, that does not provide any significant
benefit since it is trivial to force disconnection in no-PMF cases. It
should also be noted that not all drivers provide information about the
encryption status of the EAPOL frames and this change has no impact with
drivers that do not indicate whether the frame was encrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
18c0ac8901 Provide information about the encryption status of received EAPOL frames
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:03 +03:00
Veerendranath Jakkam
696ad5c2d7 EHT: Indicate wifi_generation=7 in wpa_supplicant STATUS output
This adds wifi_generation=7 line to the STATUS output if the driver
reports (Re)Association Request frame and (Re)Association Response frame
information elements in the association or connection event with EHT
capability IEs.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:21:04 +03:00
Veerendranath Jakkam
6c7b2be424 SAE: Send real status code to the driver when AP rejects external auth
Send the status code from the AP authentication response instead of
sending the hardcoded WLAN_STATUS_UNSPECIFIED_FAILURE when the external
SAE authentication failure is due to an explicit rejection by the AP.
This will allow the driver to indicate the correct status in connect
response.

For example, an AP can send WLAN_STATUS_AP_UNABLE_TO_HANDLE_NEW_STA in
SAE authentication response. With this change the driver gets the real
status for the SAE authentication failure and it can fill the correct
status in the connect response event.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:08:16 +03:00
Jouni Malinen
566ce69a8d EAP peer: Workaround for servers that do not support safe TLS renegotiation
The TLS protocol design for renegotiation was identified to have a
significant security flaw in 2009 and an extension to secure this design
was published in 2010 (RFC 5746). However, some old RADIUS
authentication servers without support for this are still used commonly.

This is obviously not good from the security view point, but since there
are cases where the user of a network service has no realistic means for
getting the authentication server upgraded, TLS handshake may still need
to be allowed to be able to use the network.

OpenSSL 3.0 disabled the client side workaround by default and this
resulted in issues connection to some networks with insecure
authentication servers. With OpenSSL 3.0, the client is now enforcing
security by refusing to authenticate with such servers. The pre-3.0
behavior of ignoring this issue and leaving security to the server can
now be enabled with a new phase1 parameter allow_unsafe_renegotiation=1.
This should be used only when having to connect to a network that has an
insecure authentication server that cannot be upgraded.

The old (pre-2010) TLS renegotiation mechanism might open security
vulnerabilities if the authentication server were to allow TLS
renegotiation to be initiated. While this is unlikely to cause real
issues with EAP-TLS, there might be cases where use of PEAP or TTLS with
an authentication server that does not support RFC 5746 might result in
a security vulnerability.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 00:20:19 +03:00
Yegor Yefremov
d26247c3de wpa_supplicant/README-WPS: Beautifications
Fix grammar, remove spaces, and new lines.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-05-01 18:24:23 +03:00
Juliusz Sosinowicz
ca26224815 Check the return of pbkdf2_sha1() for errors
pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:13:31 +03:00
Jouni Malinen
42871a5d25 EAP-SIM/AKA peer: IMSI privacy
Add support for IMSI privacy in the EAP-SIM/AKA peer implementation. If
the new wpa_supplicant network configuration parameter imsi_privacy_key
is used to specify an RSA public key in a form of a PEM encoded X.509v3
certificate, that key will be used to encrypt the permanent identity
(IMSI) in the transmitted EAP messages.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:16 +03:00
Jouni Malinen
36b11bbcff OpenSSL: RSA-OAEP-SHA-256 encryption/decryption
Add new crypto wrappers for performing RSA-OAEP-SHA-256 encryption and
decryption. These are needed for IMSI privacy.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:06 +03:00
Muna Sinada
dae7940a48 EHT: Additions to hostapd_set_freq_params()
Modify hostapd_set_freq_params() to include EHT parameters and update
the calling functions to match.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:40:13 +03:00
Aloka Dixit
9b7202d665 EHT: Add capabilities element in AP mode Management frames
Add EHT Capabilities element in Beacon, Probe Response, and
(Re)Association Response frames.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
8dcc2139ff EHT: AP mode configuration options to enable/disable the support
Add compilation support for IEEE 802.11be along with options to enable
EHT support per radio and disable per interface.

Enabling HE is mandatory to enable EHT mode.

Tested-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Jouni Malinen
1a716f86af defconfig: Document IEEE 802.11ax as a published amendment
The comment about the IEEE 802.11ax functionality being experimental and
based on a not yet finalized standard is not accurate anymore since IEEE
Std 802.11ax-2021 has already been published. Remove that comment and
add the entry for wpa_supplicant as well.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-29 15:13:08 +03:00
Kuan-Chung Chen
734fa392f7 MBO: Check association disallowed in Beacon frames, if newer
When a station receives either a Beacon frame or a Probe Response frame
from an AP that contains an MBO element with the Association Disallowed
attribute, the station should prevent association to that AP. When using
passive scanning, it is possible for the scan results to contain the
latest information in the Beacon frame elements instead of the Probe
Response frame elements. That could result in using old information and
not noticing the AP having changed its state to disallowing new
associations.

Make it more likely to follow the AP's change to disallow associations
by checking the Beacon frame elements instead of Probe Response frame
elements if the scan results are known to contain newer information for
the Beacon frame.

Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
2022-04-24 12:12:21 +03:00
Jouni Malinen
284e3ad196 Determine whether Beacon frame information is newer in scan results
It can be helpful to know whether the information elements from the
Beacon frame or the Probe Response frame are newer when using BSS table
entries, so make this information known, if available. This allows the
Beacon frame elements to be preferred over the Probe Response frame
elements when desired.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-24 12:08:28 +03:00
xinpeng wang
28c9f29a31 scan: Print SSID in scan results dump
Add printing of SSID into the "Sorted scan reslts" dump for easy reading
and debugging.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2022-04-23 23:50:23 +03:00
Alex Kiernan
5a04715793 Install wpa_passphrase when not disabled
As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
built, its not installed during `make install`.

Fixes: cb41c214b7 ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
2022-04-23 23:41:32 +03:00
xinpeng wang
0aae045af0 ctrl: Print the source address of the received commands
Sometimes there is a program error to send a large number of commands to
wpa_supplicant, and the source address can help quickly find the program
that sends commands.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2022-04-18 17:57:21 +03:00
Jouni Malinen
b0f016b873 eapol_test: Update with src/ap/ieee802_1x.c changes
eapol_test.c contains variants of couple of functions from the hostapd
implementation. Those had not been updated for a while and this commit
brings in the main changes to keep the implementations closer to
each other.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 19:51:09 +03:00
Jouni Malinen
747c5f2281 Include MS_FUNCS=y for EAP-pwd peer build
This is needed to allow wpa_supplicant to be built with EAP-pwd, but
without any other EAP method that pulled in MS_FUNCS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 19:50:23 +03:00
Jouni Malinen
c7f71fb867 Include HMAC-SHA384/512 KDF for SAE if SHA384/512 is included
It was possible to miss the HMAC functions if some other build
configuration parameters ended up setting NEED_SHA384/512=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 19:50:23 +03:00
Alan T. DeKok
3240cedd6a eapol_test: Print out names for additional known EAP types
And order the names by number.

Signed-off-by: Alan DeKok <aland@freeradius.org>
2022-04-17 11:50:25 +03:00
Jouni Malinen
f5c711c855 OpenSSL: Unload providers only at process exit
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.

Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.

Fixes: 097ca6bf0b ("OpenSSL: Unload providers on deinit")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-16 18:51:32 +03:00
Yegor Yefremov
52e2516f1d wpa_supplicant: Add the CONFIG_HE_OVERRIDES option to the defconfig
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-04-16 16:48:35 +03:00
Jouni Malinen
65652c67f5 Remove DH file configuration from TLS client functionality
The DH file parameters are applicable only for the TLS server, so this
parameter did not really have any impact to functionality. Remove it to
get rid of useless code and confusing documentation for the network
block configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-15 23:42:15 +03:00
Jouni Malinen
ae0f6ee97e OpenSSL: CMAC using the OpenSSL library for non-FIPS cases as well
Commit 0b5e98557e ("FIPS: Use OpenSSL CMAC implementation instead of
aes-omac1.c") added this implementation initially only for the FIPS
builds. However, there does not seem to be any remaining need to avoid
depending on the OpenSSL library implementation for builds, so move to
that implementation unconditionally to reduce the binary size a bit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-15 12:00:10 +03:00
Avraham Stern
8e0ac53660 RRM: Include passive channels in active beacon report scan
When receiving a beacon report request with the mode set to active,
channels that are marked as NO_IR were not added to the scan request.
However, active mode just mean that active scan is allowed, but not
that it is a must, so these channels should not be omitted.
Include channels that are marked as NO_IR in the scan request even
if the mode is set to active.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2022-04-09 19:16:35 +03:00
Naïm Favier
0adc67612d wpa_supplicant: Use unique IDs for networks and credentials
The id and cred_id variables are reset to 0 every time the
wpa_config_read() function is called, which is fine as long as it is
only called once. However, this is not the case when using both the -c
and -I options to specify two config files.

This is a problem because the GUI, since commit eadfeb0e93 ("wpa_gui:
Show entire list of networks"), relies on the network IDs being unique
(and increasing), and might get into an infinite loop otherwise.

This is solved by simply making the variables static.

Signed-off-by: Naïm Favier <n@monade.li>
2022-04-09 18:47:01 +03:00
Jouni Malinen
dacb6d278d Update IEEE P802.11ax draft references to published amendment
Get rid of the old references to drafts since the amendment has been
published.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-08 19:50:32 +03:00
Jouni Malinen
f5ad972455 PASN: Fix build without CONFIG_TESTING_OPTIONS=y
force_kdk_derivation is defined within CONFIG_TESTING_OPTIONS, so need
to use matching condition when accessing it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:47:31 +03:00
Ilan Peer
3467a701cd wpa_supplicant: Do not associate on 6 GHz with forbidden configurations
On the 6 GHz band the following is not allowed (see IEEE Std
802.11ax-2021, 12.12.2), so do not allow association with an AP using
these configurations:

- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E

In addition, do not allow association if the AP does not advertise a
matching RSNE or does not declare that it is MFP capable.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-04-07 00:47:31 +03:00
Yegor Yefremov
43c6eb5e47 SAE-PK: Add the option to the defconfigs
So far, this option was only present in the Makefiles. Document it as
being available for configuration since the WFA program has already been
launched.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-04-07 00:47:31 +03:00
Jouni Malinen
0482251a6d EAP-TLS: Allow TLSv1.3 support to be enabled with build config
The default behavior in wpa_supplicant is to disable use of TLSv1.3 in
EAP-TLS unless explicitly enabled in network configuration. The new
CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to
enable TLSv1.3 by default (if supported by the TLS library).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:45:40 +03:00
Jouni Malinen
6135a8a6aa Stop authentication attemps if AP does not disconnect us
It would have been possible for the authentication attemps to go into a
loop if the AP/Authenticator/authentication server were to believe EAP
authentication succeeded when the local conclusion in Supplicant was
failure. Avoid this by timing out authentication immediately on the
second consecutive EAP authentication failure.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:28:49 +03:00
Veerendranath Jakkam
b746cb28bc Add support for not transmitting EAPOL-Key group msg 2/2
To support the STA testbed role, the STA has to disable transmitting
EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to
disable sending EAPOL-Key group msg 2/2 of Group Key Handshake.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-04-05 17:06:32 +03:00
Xin Deng
a9c90475bb FT: Update current_bss to target AP before check for SME-in-driver
STA needs to check AP's information after receive reassociation
response. STA uses connected AP's Beacon/Probe Response frame to compare
with Reassociation Response frame of the target AP currently. However,
if one AP supports OCV and the other AP doesn't support OCV, STA will
fail to verify RSN capability, then disconnect. Update current_bss to
the target AP before check, so that STA can compare correct AP's RSN
information in Reassociation Response frame.

Signed-off-by: Xin Deng <quic_deng@quicinc.com>
2022-04-01 12:22:47 +03:00
Chaoli Zhou
d9121335a0 wpa_cli: Add ACL and BTM control commands
Add AP mode commands for ACL and BTM into wpa_cli similarly to the way
these were already available in hostapd_cli.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
00622fcfef Extend ACL to install allow/deny list to the driver dynamically
Support installing the updated allow/deny list to the driver if it
supports ACL offload. Previously, only the not-offloaded cases were
updated dynamically.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
077bce96f3 Set drv_max_acl_mac_addrs in wpa_supplicant AP mode
hostapd code will need this for offloading ACL to the driver.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
9828aba16e Support ACL operations in wpa_supplicant AP mode
Extend AP mode ACL control interface commands to work from
wpa_supplicant in addition to the previously supported hostapd case.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
febcdf3243 Support BTM operations in wpa_supplicant AP mode
Extend AP mode BTM control interface commands to work from
wpa_supplicant in additiona to the previously support hostapd case.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Chaoli Zhou
eb2e6b56bb Enable BSS Transition Management in wpa_supplicant AP mode
Enable BTM capability for AP mode only and do not affect P2P GO mode.
This can be used for AP band steering when using wpa_supplicant to
control AP mode operations.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Jouni Malinen
30ecf0181d DPP: Update Controller parameters when it was already started
dpp_configurator_params changes were taken into use in the
non-TCP/Controller case immediately on change, but that was not the case
for the Controller where this was updated only when explicitly starting
it. Change this to update dpp_configurator_params for the Controller as
well even if it is already running.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-24 00:56:53 +02:00
Lubomir Rintel
5b093570dc D-Bus: Add 'wep_disabled' capability
Since commit 200c7693c9 ('Make WEP functionality an optional build
parameter'), WEP support is optional and, indeed, off by default.

The distributions are now catching up and disabling WEP in their builds.
Unfortunately, there's no indication prior to an attempt to connect to a
WEP network that it's not going to work. Add a capability to communicate
that.

Unlike other capabilities, this one is negative. That is, it indicates
lack of a WEP support as opposed to its presence. This is necessary
because historically there has been no capability to indicate presence
of WEP support and therefore NetworkManager (and probably others) just
assumes it's there.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Acked-by: Davide Caratti <davide.caratti@gmail.com>
2022-03-12 10:40:01 +02:00
ArisAachen
3a157fe92f dbus: Set CurrentAuthMode to INACTIVE only if network is not selected
CurrentAuthMode should be set as a real auth type when authentication is
in progress. wpa_supplicant has a property "State" which indicates the
authentication stage already. I think setting auth mode as "INACTIVE" in
all auth progress stages is not a good idea, because sometimes we need
to handle this connection according to the auth type even when
authentication is not complete. For example, NetworkManager may recall
ask-password-dialog when auth mode is "wpa-psk" and "sae", try next
access point when auth mode is "EAP-xx" when password is incorrect.
Since "CurrentAuthMode" is set as "INACTIVE" in all not fully completed
situations, we do not know how to handle it.

Signed-off-by: Aris Aachen <chenyunxiong@unionitech.com>
Signed-off-by: ArisAachen <chenyunxiong@uniontech.com>
2022-03-12 10:30:26 +02:00
Jouni Malinen
de5939ef52 DPP: Allow Configurator net_access_key_curve to be changed
This is mainly for testing purposes to allow a Configurator to the curve
between provisioning cases. This would not work for real deployement
cases unless every Enrollee were reconfigured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-10 01:30:33 +02:00
Jouni Malinen
de64dfe98e DPP: Curve change for netAccessKey
Allow the Configurator to be configured to use a specific curve for the
netAccessKey so that it can request the Enrollee to generate a new key
during the configuration exchange to allow a compatible Connector to be
generated when the network uses a different curve than the protocol keys
used during the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 01:07:59 +02:00
Jouni Malinen
eeb72e7c9a DPP: Extend DPP_PKEX_ADD ver=<1/2> to cover Responder role
Allow PKEX v1-only or v2-only behavior to be specific for the Responder
role. This is mainly for testing purposes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-07 21:37:40 +02:00
Baligh Gasmi
3d86fcee07 cleanup: Remove unreachable code
There is no need for unreachable code in these places, so remove it.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2022-03-04 12:07:46 +02:00
Jouni Malinen
d001b301ba Fix removal of wpa_passphrase on 'make clean'
Fixes: 0430bc8267 ("build: Add a common-clean target")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-03 13:26:42 +02:00
Sergey Matyukevich
cb41c214b7 build: Re-enable options for libwpa_client.so and wpa_passphrase
Commit a41a29192e ("build: Pull common fragments into a build.rules
file") introduced a regression into wpa_supplicant build process. The
build target libwpa_client.so is not built regardless of whether the
option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because
this config option is used before it is imported from the configuration
file. Moving its use after including build.rules does not help: the
variable ALL is processed by build.rules and further changes are not
applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work
as expected: wpa_passphrase is always built regardless of whether the
option is set or not.

Re-enable these options by adding both build targets to _all
dependencies.

Fixes: a41a29192e ("build: Pull common fragments into a build.rules file")
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
2022-03-03 13:22:55 +02:00
Jouni Malinen
738fef2f0b Clear PSK explicitly from memory in couple more cases on deinit
Couple of the WPS/P2P/RADIUS-PSK cases were freeing heap memory
allocations without explicitly clearing the PSK value. Add such clearing
for these to avoid leaving the PSK in memory after it is not needed
anymore.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
414ca953f1 DPP: Clear SCANNING state when starting network introduction
This is needed to avoid leaving wpa_state to SCANNING if network
introduction fails and a new association is not started.

This was found with the following test case sequence:
dpp_conn_status_connector_mismatch scan_trigger_failure

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2022-02-24 00:23:25 +02:00
Jouni Malinen
0b5f8e3d8e DPP: Clear netrole on starting chirping or reconfiguration
A previously set netrole (e.g., from DPP_LISTEN or DPP_AUTH_INIT) could
have been used in a following DPP_CHIRP or DPP_RECONFIG operation. This
could result in trying to request incorrect configuration and likely
rejection from the Configurator. Fix this by clearing the netrole when
starting these operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2022-02-24 00:23:25 +02:00
Jouni Malinen
2fcc076d1c Clear wpa_s->last/current_ssid in more cases
It was possible for at least the wpa_s->last_ssid to be left pointing to
a removed network which could result in processing the following
association as a reassociation-within-an-ESS even when it was moving to
a different ESS. This could result in unexpected behavior. This was
found with the following test case sequence:
sigma_dut_ap_psk_sae_ft sae_h2e_password_id ap_wps_pk_oom sigma_dut_client_privacy

Move clearing of wpa_s->last_ssid and wpa_s->current_ssid into
wpas_notify_network_removed() to catch all cases similarily to the way
wpa_s->next_ssid was already cleared.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-24 00:23:25 +02:00
Jouni Malinen
7a7f803a90 DPP: Stop offchannel frame TX wait on DPP_STOP_LISTEN in a corner case
The offchannel frame TX wait was stopped whenever processing
DPP_STOP_LISTEN in most cases. However, there was a corner case on the
Responder side where this operation was skipped after PKEX was completed
successful and the Authentication Request frame had not yet been
received from the Initiator.

While this does not normally cause any significant issue, this could
result in unexpected behavior especially in test cases that run multiple
DPP PKEX operations in a row since the start of a new TX operation might
get delayed while waiting for the previous TX-wait to complete.

This was found with the following test case sequence:
dpp_reconfig_retries dpp_pkex_alloc_fail

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-24 00:23:11 +02:00
leiwei
46c635910a MACsec: Support GCM-AES-256 cipher suite
Allow macsec_csindex to be configured and select the cipher suite when
the participant acts as a key server.

Signed-off-by: leiwei <quic_leiwei@quicinc.com>
2022-02-16 22:54:49 +02:00
Jouni Malinen
340ec48cdd DPP: Clear state on configuration failure in GAS server hander
There is no need to maintain the DPP authentication state if config
request processing fails, so clear state also in the GAS server request
handler similarly to the other failure cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-15 16:24:43 +02:00
Jouni Malinen
632a9995c8 Clear ignore_old_scan_res on FLUSH command
The hwsim test cases are trying to clear this parameter between test
cases, but that was not really done correctly for many of the sigma_dut
test cases. Instead of fixing the text scripts to do this more
carefully, it seems to be simpler to just force the FLUSH command to
clear this.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-04 21:26:24 +02:00
Jouni Malinen
1f26a0a34c DPP: Use a 120 second timeout for GAS query
This is needed since the gas_query_req() operation could remain waiting
indefinitely for the response if the Configurator keeps sending out
comeback responses with additional delay. The DPP technical
specification expects the Enrollee to continue sending out new Config
Requests for 60 seconds, so this gives an extra 60 second time after the
last expected new Config Request for the Configurator to determine what
kind of configuration to provide.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-04 12:15:33 +02:00
Jouni Malinen
a6d157b6f6 DPP: Start a listen operation for GAS server if needed
Instead of depending on the TX-wait-response-time to be sufficient to
cover the full GAS exchange, start an ongoing listen operation on the
negotiation channel (if no such listen operation is already in place) to
allow the configuration exchange to take longer amount of time. This is
needed for cases where the conf=query is used to request Configurator
parameters from upper layers and that upper layer processing (e.g., user
interaction) takes significant amount of time.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-04 00:23:19 +02:00
Sunil Ravi
9aaf3e1d13 P2P: Update GO operating frequency after interface setup is completed
Once the GO/AP interface initialization is completed, check if the
operating frequency set in the wpa_supplicant group interface structure
is different than the one set in the hostapd interface structure
associated with the group interface. If yes, update the frequency in the
wpa_supplicant group interface and network configuration to the
frequency set in the hostapd interface structure.

The frequency set in the hostapd interface is the correct/final
frequency wpa_supplicant configured in the kernel/driver. This is done
because wpa_supplicant may switch the initially requested primary and
secondary frequencies to get a secondary frequency with no beacons (to
avoid interference or 20/40 MHz coex logic). And the updated frequency
is informed by the driver only after the interface setup is completed
through the channel switch event - EVENT_CH_SWITCH. But wpa_supplicant
updates the frequency to applications through the P2P_GROUP_STARTED
event which is triggered before the EVENT_CH_SWITCH event. To send the
correct frequency to applications the frequency must be updated before
sending the P2P_GROUP_STARTED event.

Bug: 191272346
Test: Manual - Verified that GO frequency is updated and reported
correctly to Nearby application.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-02-03 00:35:49 +02:00
Jouni Malinen
033ad6ffaa DPP: Allow Configurator parameters to be provided during config exchange
This provides an alternative mechanism for upper layer components to
control configuration parameters to be used by the local Configurator.
Instead of the previously used design where the Configurator parameters
had to be provided before initiating the DPP Authentication exchange,
the new alternative approach allows the DPP Authentication exchange to
be started before any Configurator parameters have been determined and
wpa_supplicant will then request the parameters once the DPP
Configuration Request has been received from the Enrollee. This allows
the Config Request information to be used at upper layers to determine
how the Enrollee should be configured.

For example for an Initiator:

CTRL: DPP_QR_CODE <URI from Responder/Enrollee>
CTRL: DPP_AUTH_INIT peer=1 conf=query
<3>DPP-CONF-NEEDED peer=1 src=02:00:00:00:00:00 net_role=sta name="Test" opclass=81,82,83,84,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130 mud_url=N/A
(upper layer processing; potentially including user interaction)
CTRL: DPP_CONF_SET peer=1 conf=sta-sae ssid=736165 pass=70617373776f7264
<3>DPP-CONF-SENT

For example for a Responder:

CTRL: SET dpp_configurator_params conf=query
CTRL: DPP_LISTEN 2412 role=configurator
<3>DPP-CONF-NEEDED peer=2 src=02:00:00:00:01:00 net_role=sta name="Test" opclass=81,82,83,84,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130 mud_url=N/A
(upper layer processing; potentially including user interaction)
CTRL: DPP_CONF_SET peer=2 conf=sta-sae ssid=736165 pass=70617373776f7264
<3>DPP-CONF-SENT

For example for an Initiator that can act both as a Configurator and an
Enrollee in a case where the Initiator becomes the Enrollee:

CTRL: DPP_AUTH_INIT peer=1 role=either conf=query
<3>DPP-CONF-RECEIVED

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-03 00:35:49 +02:00
Jouni Malinen
d4961a7755 GAS server: Asynchronous request handler comeback time indication
Extend the GAS server functionality to allow a request handler to return
the initial comeback delay with a later callback instead of having to
indicate the comeback delay when returning from the handler function.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-02 16:59:59 +02:00
Jouni Malinen
33cb47cf01 DPP: Fix connection result reporting when using TCP
The TCP code path did not handle the postponed connection attempt on TX
status and the following result message from the Enrollee to the
Configurator. Fix this by adding TCP-versions of these operations to
match the way wpa_supplicant implemented this for the Public Action
frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-28 17:28:49 +02:00
Jouni Malinen
1822bd3789 DPP: Testing capability for invalid Protocol Version in Network Intro
This extends dpp_test functionality to allow DPP Network Introduction
exchanges to use an incorrect value in the Protocol Version attribute.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-27 18:44:07 +02:00
Jouni Malinen
d7be749335 DPP3: PKEX over TCP
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2022-01-26 00:40:09 +02:00
Jouni Malinen
bdcccbc275 DPP: Change PKEX version configuration design
Use a separate ver=<1|2> parameter to DPP_PKEX_ADD instead of
overloading init=1 with version indication. This allows additional
options for forcing v1-only and v2-only in addition to automatic mode
(start with v2 and fall back to v1, if needed).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-25 20:32:48 +02:00
Jouni Malinen
8021362998 DPP3: Start with PKEXv2 and fall back to v1
Use automatic PKEX version negotiation as the initiator by starting with
PKEXv2 and if no response is received, trying again with PKEXv1. For
now, this is enabled only in wpa_supplicant CONFIG_DPP3=y builds.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-24 22:58:38 +02:00
Qiwei Cai
f32f99df11 P2P: Send response frame on channel where the request is received
The rx_freq of Public Action frame was not maintained by the GO and the
GO always sent the response on the operating channel. This causes
provision discovery failure when a P2P Device is sending a PD Request on
a 2.4 GHz social channel and the GO is responding on a 5 GHz operating
channel.

Save the rx_freq and use it for GO to sent the response. This extends
commit c5cc7a59ac ("Report offchannel RX frame frequency to hostapd")
to cover additional frame types.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-17 20:27:37 +02:00
Arowa Suliman
ffe80cb8e6 wpa_supplicant: ap: Update comment
Update the comment to use the word "include" instead of the oppressive
term "white-list".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2022-01-17 17:24:40 +02:00
Jouni Malinen
cff80b4f7d Preparations for v2.10 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.9 and v2.10.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-01-16 22:51:29 +02:00
Jouni Malinen
7a57eb3156 Update copyright notices for the new year 2022
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-01-16 22:51:29 +02:00
Jouni Malinen
7ffcbd08cf Clear roam/BSS TM in progress flags for additional cases
It looks like the recently added roam_in_progress and
bss_trans_mgmt_in_progress flags could end up getting set, but not
cleared, in some cases. Make sure these get cleared on explicit
disconnection request and also in case the SME-in-driver path is used
(while that path does not really use these flags yet, it is better to
not allow them to be forgotten to be set should it be extended to cover
similar functionality).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-11 18:02:53 +02:00
Nicolas Norvez
16b5ea9e91 Reject authentication start during BSS TM requests
After receiving a BSS Transition Management request,
wpa_supplicant_connect() will abort ongoing scans, which will cause scan
results to be reported. Since the reassociate bit is set, this will
trigger a connection attempt based on the aborted scan's scan results
and cancel the initial connection request. This often causes
wpa_supplicant to reassociate to the same AP it is currently associated
to instead of the AP it was asked to transition to.

Add a bss_trans_mgmt_in_progress flag to indicate that we're currently
transitioning to a different AP so that we don't initiate another
connection attempt based on the possibly received scan results from a
scan that was in progress at the time the BSS Transition Management
request was received.

This is the equivalent of commit 5ac977758d ("Reject authentication
start during explicit roam requests") for the roaming scenario.

Signed-off-by: Nicolas Norvez <norvez@chromium.org>
2022-01-11 17:57:38 +02:00
Alex Kiernan
af6d4031d7 D-Bus: Fix build without CONFIG_INTERWORKING
Make wpas_dbus_handler_interworking_select() conditional on
CONFIG_INTERWORKING to avoid compilation issues.

Fixes: c8e4283f90 ("D-Bus: Interworking network selection")
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
2022-01-11 17:50:17 +02:00
Chenming Huang
b26f5c0fe3 DPP: Remove dpp-listen radio work when stopping
The radio work starting may be delayed. If the DPP listen operation is
stopped before the radio work starts, the pending dpp-listen radio work
won't get cleaned up, which might lead to failing to start the next DPP
listen operation.

Issue scenario: DPP start -> dpp-listen radio work added but not started
-> DPP stop, pending radio work not cleaned up -> radio work start ->
trying to start DPP but failing because a dpp-listen work already
exists.

This commit removes the potential pending dpp-listen radio
work when DPP stops.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-21 00:09:28 +02:00
Shivani Baranwal
3f8c83a65e SAE: Make sure BSS entry is available to determine RSNXE information
wpa_supplicant may use wrong SAE authentication method if it doesn't
have the scan result for the target BSS since RSNXE information is not
available.

For example, STA might use the hunting-and-pecking loop method for SAE
authentication even though AP supports SAE H2E and STA is configured
with sae_pwe=2.

This is possible in cases like EXTERNAL_AUTH triggered by the driver
during roaming. To avoid this update scan results to fetch the target
BSS scan result from the driver.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2021-12-21 00:06:19 +02:00
Daniel Golle
e6db1bc5da mesh: Make forwarding configurable
Allow mesh_fwding (dot11MeshForwarding) to be specified in a mesh BSS
config, pass that to the driver (only nl80211 implemented for now) and
announce forwarding capability accordingly.

Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-12-12 22:31:13 +02:00
Damien Dejean
c8e4283f90 D-Bus: Interworking network selection
Add the "InterworkingSelect" method to the DBus API to trigger an
Interworking scan with ANQP fetches. When a BSS that matches a
configured credential is found, the result is emitted using the signal
"InterworkingAPAdded". Completion of the full InterworkingSelect
operation is indicated with the "InterworkingSelectDone" signal.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2021-12-12 17:51:46 +02:00
Damien Dejean
b44e199676 D-Bus: Interworking/Hotspot 2.0 credential operations
Add "AddCred", "RemoveCred", and "RemoveAllCreds" methods to the D-Bus
API of the network interface to allow the caller to manipulate a set of
Interworking credentials similarly to the way this was enabled through
the control interface.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2021-12-12 17:32:51 +02:00
Damien Dejean
4262e6ca49 Move credential removal operations into helper functions
This allows the same functions to be used for both the control interface
and the D-Bus interface.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2021-12-12 17:10:05 +02:00
Damien Dejean
e232d97776 HS 2.0: Crypto engine support for creds
Add the support of engine, engine_id, ca_cert_id, cert_id, and key_id
parameters to credential blocks for Hotspot 2.0.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2021-12-12 16:47:47 +02:00
Hassoubi, Hicham
97607de5e6 D-Bus: Capture group ifname before switching to global P2P instance
The P2P DBus interface was using the wrong interface name when calling
wpas_p2p_invite_group(). Capture the group interface name before calling
the method to fix this.

Signed-off-by: Hicham Hassoubi <Hicham_hassoubi@bose.com>
2021-12-11 13:17:47 +02:00
Ernst Sjöstrand
36973aac2c SME: No need for OBSS scan if HT40 is disabled
Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com>
2021-12-11 13:10:58 +02:00
Matthew Wang
e480321f8c Revert "STA OBSS: Add check for overlapping BSSs"
This reverts commit 3204795d7a.

The commit adds an additional check that checks for overlapping BSSs in
addition to the existing 40 MHz intolerance subfield checks. The commit
cites IEEE Std 802.11-2016, 11.16.12, which defines the proper behavior
for a 20/40 MHz HT STA and AP, but the standard actually doesn't say
anything about overlapping BSSs. Specifically, the standard states that
the only BSSs that belong in the Intolerant channel report are those
that satisfy trigger event A, defined as channels with BSSs that don't
contain the HT capabilities element (which wpa_supplicant already did
before). Note that we also include channels with BSSs that have the 40
MHz intolerance bit set in the Intolerant channel report.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2021-12-11 13:05:47 +02:00
Jouni Malinen
b57273d069 DPP2: PKEXv2 core protocol changes
Add support for PKEXv2 core protocol. This defines a new PKEX Exchange
Request message type with protocol negotiation and different rules for
key derivation with PKEXv2 or newer is used.

This does not change existing behavior for PKEX, i.e., the PKEXv1
variant will still be used by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-07 23:26:29 +02:00
Jouni Malinen
b21b310148 DPP: Testing functionality to omit Protocol Version from Peer Discovery
Allow the dpp_test parameter to be used to request the Protocol Version
attributed to be omitted from the Peer Discovery Request/Response
message.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Jouni Malinen
341e7cd664 DPP3: Verify version match during Network Introduction
Verify that the Protocol Version attribute is used appropriate in Peer
Discovery Request/Response messages in cases where the signed Connector
includes the version information.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Jouni Malinen
f26fd5ee6c DPP3: Use Connector version instead of current version in Peer Discovery
Generate Peer Discovery Request/Response messages using the protected
version from the Connector, if present, instead of the currently
supported protocol version which might be higher than the one that got
included into the signed Connector during provisioning earlier.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Jouni Malinen
77ddd38b66 DPP3: Add build option for version 3 functionality
CONFIG_DPP3=y can now be used to configure hostapd and wpa_supplicant
builds to include DPP version 3 functionality. This functionality is
still under design and the implementation is experimental and not
suitable to be enabled in production uses before the specification has
been finalized.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Chaoli Zhou
14ab4a816c Reject ap_vendor_elements if its length is odd
Align the process logic for ap_vendor_elements and ap_assocresp_elements
parsing by using the wpabuf_parse_bin() helper function in both.

Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
2021-11-26 23:46:06 +02:00
Jouni Malinen
2c2bfebca4 Fix bool type values for setband
wpa_add_scan_freqs_list() was updated to use bool for the is_6ghz
argument, but these callers were missed when updating the values from
0/1 to false/true.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-11-26 23:46:06 +02:00
Sreeramya Soratkal
7dc7b88148 P2P: Remove 6 GHz channels from full scan if 6 GHz not enabled for P2P
The channels included for the scan to connect to a P2P GO are optimized
such that the P2P GO preferred channel and the common channels are
included for the first few scans followed by a full scan in which all
the channels supported by the local device are included. This results in
P2P client including the 6 GHz channels for the full scan after GO
Negotiation even when 6 GHz channels are not used for the P2P
connection.

Exclude the 6 GHz channels from the full scan if 6 GHz channels are
supported but are not used for P2P connection.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-11-26 23:45:54 +02:00
Vinay Gannevaram
0b853303ae Update AKMP, cipher, PMF for driver-based SME while roaming
After roaming to a new AP using driver-based SME and roaming trigger,
update proto type, AKMP suite, and pairwise cipher suite based on the
(Re)Association Request frame. Update PMF, group cipher, and group mgmt
cipher based on the AP's RSNE into wpa_sm. group_mgmt_cipher needs to be
updated based on PMF capabilities of STA and roamed AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-11-16 23:50:35 +02:00
Pradeep Kumar Chitrapu
c8b94bc7b3 mesh: Enable 160 MHz bandwidth support for 6 GHz in IEEE 802.11s mesh
Since the 6 GHz band has no DFS channels, enable 6 GHz 160 MHz bandwidth
as the default configuration for IEEE 802.11s mesh.

example:
network={
 ssid="6gmesh160"
 key_mgmt=SAE
 mode=5
 frequency=6275
 psk="1234567890"
}

Signed-off-by: P Praneesh <ppranees@codeaurora.org>
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-11-09 21:21:42 +02:00
Pradeep Kumar Chitrapu
ab0af709df mesh: Enable MFP by default for 6 GHz 11s mesh
IEEE Std 802.11ax-2021 mandates 6 GHz STA to use Management Frame
Protection (MFP) when RSN is enabled.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-11-09 21:08:52 +02:00
Pradeep Kumar Chitrapu
d10a01e221 mesh: Enable 80 MHz support for 11s mesh in 6 GHz
Add support for 80 MHz bandwidth operation in 6 GHz 11s mesh.

example:
    network={
        ssid="6GHz-mesh-node"
        key_mgmt=SAE
        mode=5
        frequency=6195
        psk="1234567890"
    }

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-11-09 21:06:43 +02:00
Pradeep Kumar Chitrapu
d6c5feb8ce mesh: Change channel to frequency based lookup for starting mesh
Channel numbers of the 6 GHz band overlap those of the 2.4 GHz and 5 GHz
bands. Thus converting to frequency based mesh channel selection helps
accommodate 6 GHz mesh.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-11-09 20:42:45 +02:00
Vinay Gannevaram
8d881d9427 Update AKMP and proto for driver-based SME while roaming
After roaming to a new AP using driver-based SME and roaming trigger,
AKMP and proto were not updated in wpa_sm. Hence, update AKMP and proto
used with roamed AP when association event received from the driver in
SME offloaded to the driver scenario to avoid incorrect AKMP details in
wpa_supplicant similarly to how the cipher suite updates were added in
commit 2b3e64a0fb ("Update ciphers to address GTK renewal failures
while roaming") .

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-11-04 20:42:21 +02:00
Masashi Honma
bf161b6609 Ignore CONFIG_WIFI_DISPLAY without CONFIG_P2P
Wi-Fi Display functionality needs P2P to be enabled. Ignore
CONFIG_WIFI_DISPLAY if CONFIG_P2P is not enabled for the build. This
avoids following compilation issue with invalid build configuration:

../src/ap/ap_drv_ops.c: In function 'hostapd_build_ap_extra_ies':
../src/ap/ap_drv_ops.c:163:10: error: 'struct hostapd_data' has no member named 'p2p_group'
  163 |  if (hapd->p2p_group) {
      |          ^~
../src/ap/ap_drv_ops.c:165:35: error: 'struct hostapd_data' has no member named 'p2p_group'
  165 |   a = p2p_group_assoc_resp_ie(hapd->p2p_group, P2P_SC_SUCCESS);
      |                                   ^~

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-03 13:19:30 +02:00
Masashi Honma
b306a92dfc Fix compiler error on CONFIG_AP without CONFIG_P2P builds
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/ap.o: in function `wpas_conf_ap_he_6ghz':
/home/honma/git/hostap/wpa_supplicant/ap.c:245: undefined reference to `wpas_p2p_get_sec_channel_offset_40mhz'

Fixes: e5173e8b12 ("P2P: Enable multiple channel widths for P2P in 6 GHz band")
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-03 13:19:30 +02:00
Hu Wang
cb285e80c4 SAE: Fix sm->cur_pmksa assignment
Commit b0f457b619 ("SAE: Do not expire the current PMKSA cache entry")
depends on sm->cur_pmksa to determine if it is the current PMKSA cache
entry, but sm->cur_pmksa was not always correct for SAE in the current
implementation.

Set sm->cur_pmksa in wpa_sm_set_pmk() (which is used with SAE), and skip
clearing of sm->cur_pmksa for SAE in wpa_find_assoc_pmkid(). This latter
case was added by commit c2080e8657 ("Clear current PMKSA cache
selection on association/roam") for driver-based roaming indication and
Suite B, so skipping it for SAE should be fine.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-25 19:03:32 +03:00
Reinhard Tartler
3f6c02f29a Use pkg-config for libpcsclite linkage flags
Using pkg-config for libpcsclite can provide more accurate linking
flags.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2021-10-22 17:04:33 +03:00
Stefan Lippers-Hollmann
e797959b86 systemd: Order wpa_supplicant after dbus
Make sure that D-Bus isn't shut down before wpa_supplicant, as that would
also bring down wireless links which are still holding open NFS shares.

Debian bug: https://bugs.debian.org/785579
systemd upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=89847

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2021-10-22 17:01:20 +03:00
Andrej Shadura
95bf9fc93d Remove extra slash from BIN/INC/LIBDIR defaults
Every usage of these variables appends an extra slash, so keeping
a slash in the default values leads to double slashes in resulting
paths.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2021-10-22 16:58:10 +03:00
Arowa Suliman
5a4ae6e3ad Replace "native" with a more specific description
Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-22 16:54:58 +03:00
Arowa Suliman
2fb33ce4b6 wpa_supplicant: hostapd: Remove man-in-the-middle
Replace man-in-the-middle attacks with on-path attacks which
is gender-neutral and commonly used.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-22 16:53:30 +03:00
Kees Cook
f332f69513 wpa_supplicant: Try all drivers by default
Some distros carry patches to specify driver fallback, but only in
specific conditions (e.g. the systemd service definition[1]). This leaves
other wpa_supplicant instances needing to define fallback themselves,
which leads to places where wpa_supplicant thinks it can't find a
driver[2]. Instead, when -D is not specified, have wpa_supplicant try
all the drivers it was built with in an attempt to find a working one
instead of just giving up if the first doesn't work.

[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012

Signed-off-by: Kees Cook <kees@ubuntu.com>
2021-10-15 23:33:11 +03:00
Veerendranath Jakkam
4775a5f827 Add support to reconfigure or flush PMKSA cache on interface enable
Update PMKSA cache when interface is disabled and then enabled based on
the new MAC address. If the new MAC address is same as the previous MAC
address, the PMKSA cache entries are valid and hence update the PMKSA
cache entries to the driver. If the new MAC address is not same as the
previous MAC address, the PMKSA cache entries will not be valid anymore
and hence delete the PMKSA cache entries.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-15 19:23:14 +03:00
Veerendranath Jakkam
6f634b0032 PMKSA: Make sure reauth time is not greater than expiration time
While creating a cloned PMKSA entry for OKC both expiration and
reauth_time values are set to maximum values, but later only the
expiration time is copied from the old PMKSA entry to the new PMKSA
entry. Due to this there is a possibility of reauth_time becoming
greater than expiration time in some cloned entries. To avoid this copy
reauth_time also to the cloned entry.

Also, add check to reject control interface commands with reauth time
greater than expiration time.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-15 19:16:37 +03:00
Arowa Suliman
575dc1f3b2 Replace "dummy" with "stub" in preauth_test
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:53:03 +03:00
Arowa Suliman
ed5e1b7223 Replace "dummy" with "stub" in comments/documentation
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:52:50 +03:00
Arowa Suliman
3955d2af73 Replace "dummy" with "stub" in wps_testing_dummy_cred
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:52:21 +03:00
Arowa Suliman
7b50f2f04c Replace "sanity" with "validity"
Replaced the word "sanity" with the inclusive word "validity". The
comment in acs_survey_interference_factor() was referring a function
that does not exist, so remove it instead of trying rename the function.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:25:21 +03:00
Sreeramya Soratkal
891bb1305b P2P: Enforce SAE-H2E for P2P GO in 6 GHz
Allow sae_pwe parameter to be configured per-network and enforce the
SAE hash-to-element mechanism for the P2P GO if it is started on
a 6 GHz channel.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-10-08 00:10:44 +03:00
Veerendranath Jakkam
afcadbbf4e wpa_cli: Add support for SCS, MSCS, and DSCP commands
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-10-07 23:46:28 +03:00
Vinay Gannevaram
2b3e64a0fb Update ciphers to address GTK renewal failures while roaming
After roaming from WPA2-AP (group=CCMP) to WPA-AP (group=TKIP) using
driver-based SME and roaming trigger, GTK renewal failures are observed
for the currently associated WPA-AP because of group cipher mismatch,
resulting in deauthentication with the AP.

Update the group cipher and pairwise cipher values in wpa_sm from
association event received from the driver in case of SME offload to the
driver to address GTK renewal failures (and similar issues) that could
happen when the driver/firmware roams between APs with different
security profiles.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-06 21:13:19 +03:00
Jouni Malinen
857c4dfa83 Make get_mode() easier for static analyzers
Add an explicit check for modes != NULL instead of depending on
num_modes > 0 implying that. This is to silence invalid static analyzer
reports.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-30 18:23:26 +03:00
Chaoli Zhou
9651deba52 Support vendor element configuration for AP mode from wpa_supplicant
Support adding/deleting vendor elements dynamically for AP mode while it
is started by wpa_supplicant instead of hostapd which already supported
this. This adds ap_assocresp_elements global parameter and UPDATE_BEACON
control interface command to take the changed values into effect.

Usage in wpa_cli:
Add vendor IE for (Re)Association Response frames
> set ap_assocresp_elements=xxxx
Add vendor IE for Beacon/Probe Response frames
> set ap_vendor_elements=xxxx

Delete vendor IE from (Re)Association Response frames
> set ap_assocresp_elements
Delete vendor IE from Beacon/Probe Response frames
> set ap_vendor_elements

To make vendor IE changes take effect
> update_beacon

Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
2021-09-30 18:16:11 +03:00
Veerendranath Jakkam
d144b7f34c DSCP: Add support to send DSCP Policy Query frame
Add support to send DSCP Policy Query frame using a new control
interface command DSCP_QUERY. This includes support for a wildcard DSCP
query and a DSCP query with a single Domain Name attribute.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-30 16:56:56 +03:00
Veerendranath Jakkam
c903257fb1 DSCP: Parse WFA Capabilities element in (Re)Association Response frame
Add support to parse WFA Capabilities element from the (Re)Association
Response frame. Also register a timeout for the station to wait before
sending a new DSCP query if requested by AP.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 17:18:48 +03:00
Veerendranath Jakkam
a4aae9f9b8 DSCP: Indicate DSCP Policy support in (Re)Association Request frame
Indicate DSCP Policy capability by including a WFA Capabilities element
containing the relevant bit set to 1 in the (Re)Association Request
frames when enabled by user.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 17:09:01 +03:00
Veerendranath Jakkam
d57456c1ff DSCP: Allow DSCP Policy Response Action frame to be sent
Add support to prepare and send DSCP response action frame to the
connected AP in response to a new control interface command DSCP_RESP.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 17:01:34 +03:00
Veerendranath Jakkam
2033e318e6 DSCP: Parsing and processing of DSCP Policy Request frames
Add support to parse received DSCP Policy Request frames and send the
request details as control interface events.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-29 00:20:42 +03:00
Veerendranath Jakkam
fe2a44485e DSCP: DSCP policy capability configuration
The DSCP policy capability is disabled by default. The user frameworks
which have support for handling DSCP policy request messages need to
enable this capability explicitly to allow wpa_supplicant to advertise
the capability to the AP and allow the related frames to be processed.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-09-28 11:07:21 +03:00
Jouni Malinen
8471d940e3 Move pmf_in_use() into a more generic file
This function is not specific to GAS, so make it available throughout
wpa_supplicant without requiring CONFIG_GAS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-28 11:07:21 +03:00
Hu Wang
ce267f4da9 P2P: DFS offload for the autonomous GO
Enhance the P2P_GROUP_ADD command to support DFS channel with 80 and 160
MHz bandwidth to be used for autonomous GO when using offloaded DFS.

For example, 'P2P_GROUP_ADD freq=5500 max_oper_chwidth=80 ht40 vht'

- Previous behavior: AP fallback to channel 100 using 20 MHz with
  "No VHT higher bandwidth support for the selected channel 100"
- Enhanced behavior: AP starts on channel 100 using 80 MHz with
  "VHT center channel 106 for 80 or 80+80 MHz bandwidth"

This functionality is on top of the driver's capability to offload DFS,
which is advertized through WPA_DRIVER_FLAGS_DFS_OFFLOAD.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-07 17:40:25 +03:00
Sreeramya Soratkal
e5173e8b12 P2P: Enable multiple channel widths for P2P in 6 GHz band
Enable support for P2P connection in 6 GHz with the channel width of 40
MHz, 80 MHz, and 160 MHz. The flag max_oper_chwidth is used to configure
the maximum channel width for P2P connection in 6 GHz with the commands
P2P_CONNECT, P2P_INVITE, and P2P_GROUP_ADD.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-09-02 18:41:12 +03:00
Sreeramya Soratkal
f725254cc1 P2P: Enhance determination of secondary offset to support 6 GHz channels
Current definition of wpas_p2p_get_ht40_mode() determines secondary
offset in the 5 GHz band. Enhance the functionality of this function to
determine offset to support 6 GHz channels also.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-09-02 18:19:33 +03:00
Sreeramya Soratkal
575a8e6ca3 P2P: Clone 6 GHz related parameters to new group interface config
Clone pmf and p2p_6ghz_disable configuration values when creating a new
P2P group interface. PMF is required in 6 GHz band operation.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-09-02 18:07:58 +03:00
Sreeramya Soratkal
9f2217c513 P2P: Consider p2p_no_go_freq for GO preferred frequency
Currently while selecting a preferred frequency when no preference is
known, p2p_no_go_freq is not considered for 5 GHz and 60 GHz channels.
This results in starting GO on the channels that are configured not to
allow the local device as GO.

Use wpas_p2p_supported_freq_go api to check if the p2p_no_go_freq
configuration before selecting the preferred frequency for GO.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-26 15:46:58 +03:00
Sreeramya Soratkal
882c53be50 P2P: Avoid integer overflow in channel
For some 6 GHz operating class like 134, there is a possibility where
the ch variable used for channel iterator overflows when it is
incremented. Fix this by updating the datatype of ch variable to
avoid integer overflow while incrementing.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-26 15:32:56 +03:00
Mathew Hodson
be81bbdc3b doc: Fix grammar in wpa_supplicant overview
Signed-off-by: Mathew Hodson <mathew.hodson@gmail.com>
2021-08-25 16:20:17 +03:00
Andrew Beltrano
0030590fb3 Generate an event when a network is added or removed
Generate an event on the control socket interface when a network is
added or removed. The event name CTRL-EVENT-NETWORK-<ADDED|REMOVED>
is followed by the network entry identifier. The event matches the
corresponding Network<Added|Removed> signal on the d-bus interface.

Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
2021-08-19 17:21:06 +03:00
Nick Porter
f238610616 Add a --conf option to eapol_test.py
The --conf option specifies a file containing a list of options
to configure the network used for running the test which will be
used in place of the defaults built into the script.

Signed-off-by: Nick Porter <nick@portercomputing.co.uk>
2021-08-19 16:58:45 +03:00
Arowa Suliman
46b60299a4 wpa_supplicant: src: Replace Sane with Valid.
Replace the word Sane with Valid which is inclusive.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-08-19 11:34:45 +03:00
Vinita S. Maloo
e433d06dd5 Allow MSCS support to be disabled for testing purposes
"SET disable_mscs_support 1" can be used to disable indication of MSCS
support in the Extended Capabilities element for testing purposes. This
is also disabling addition of the MSCS element even if valid
configuration parameters had been configured.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
025f8ab52e SCS: Processing of SCS Response frames
Add support to receive and process SCS Response frames from the AP and
indicate the status to upper layers.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
b4e01ae929 Allow SCS supported to be disabled for testing purposes
"SET disable_scs_support 1" can be used to disable indication of SCS
support in the Extended Capabilities element for testing purposes.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Vinita S. Maloo
c005283c48 SCS: Sending of SCS Request frames
Add support to parse SCS control interface command and form the SCS
Request frame to be sent to SCS enabled AP.

Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
2021-08-12 18:28:07 +03:00
Sreeramya Soratkal
24774dcc2e P2P: Require PMF for P2P GO in the 6 GHz band
Enable (and require) the management frame protection for the P2P GO if
it is started on a 6 GHz channel.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-05 19:14:52 +03:00
Sreeramya Soratkal
49442194c4 SAE: Derive H2E PT while reconnecting to same SSID also
P2P connections in the 6 GHz band use SAE authentication algorithm after
getting credentials with WPS connection. During WPS connection as it
doesn't use SAE, SAE PT is not derived. After getting SAE credentials,
the STA connects to the same SSID using SAE auth algorithm. Earlier, SAE
H2E PT was not derived while connecting to the same SSID to which the
STA is connected last time. Due to this, the P2P group formation fails
for 6 GHz channels when H2E is enabled as the PT will not be setup by
the P2P client before proceeding to the SAE authentication. Same could
happen with infrastructure WPS when wps_cred_add_sae=1 is used.

Set up the SAE H2E PT while connecting to the same SSID again also to
make sure that the H2E PT is set up in the STA to derive the PWE for
successful SAE authentication. The PT derivation will be skipped in
wpa_s_setup_sae_pt() if PT is already available for that SSID.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-04 00:20:09 +03:00
Sreeramya Soratkal
ac79ed4998 HE: Obtain correct AP mode capabilities for hw_mode with 6 GHz support
Though both 5 GHz channels and 6 GHz channels report the mode as
HOSTAPD_MODE_IEEE80211A, there is a possibility of different HT/VHT/HE
capabilities being available between these bands. Use get_mode() to
obtain correct capabilities to cover cases where the driver reports
different capability values for the 5 GHz and 6 GHz channels.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-08-03 19:48:12 +03:00
Utkarsh Bhatnagar
84b3de8095 TDLS: Support TDLS operations in HE mode for 6 GHz
Determine if the TDLS peer supports TDLS in 6 GHz band based on the HE 6
GHz Band Capabilities element received in the TDLS Setup Response frame.
Indicate the peer's HE 6 GHz capabilities to the driver through
sta_add().

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-07-29 20:07:25 +03:00
Veerendranath Jakkam
b4f7506ff0 FILS: Flush external-PMKSA when connection fails without ERP keys
External applications can store PMKSA entries persistently and
reconfigure them to wpa_supplicant after restart. This can result in
wpa_supplicant having a PMKSA for FILS authentication without having
matching ERP keys for it which would prevent the previously added
mechanism for dropping FILS PMKSA entries to recover from rejected
association attempts.

Fix this by clearing PMKSA entries configured by external applications
upon FILS connection failure even when ERP keys are not available.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-14 21:35:24 +03:00
Veerendranath Jakkam
80bcd7ecd1 FILS: Flush PMKSA entries on FILS connection failure
wpa_supplicant generates both a PMKSA cache entry and ERP keys upon
successful FILS connection and uses FILS authentication algorithm for
subsequent connections when either ERP keys or a PMKSA cache entry is
available.

In some cases, like AP/RADIUS server restart, both ERP keys and PMKSA
becomes invalid. But currently when an AP rejects an association,
wpa_supplicant marks only ERP keys as failed but not clearing PMKSA.

Since PMKSA is not cleared, consecutive connection attempts are still
happening with FILS authentication algorithm and connection attempts are
failing with the same association rejection again instead of trying to
recover from the state mismatch by deriving a new ERP key hierarchy.

Clear PMKSA entries as well on association rejection from an AP to allow
the following connection attempt to go with open authentication to
re-establish a valid ERP key hierarchy. Also, since clearing PMKSA
entries on unprotected (Re)Association Response frames could allow DoS
attack (reduce usability of PMKSA caching), clear PMKSA entries only
when ERP keys exists.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-07-14 21:20:17 +03:00
Jouni Malinen
914a2f518f SAE: Report authentication rejection over control interface
CTRL-EVENT-AUTH-REJECT reporting was previously skipped when going
through SAE-specific Authentication frame handling. Add this event here
as well to be more consistent with control interface events.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-07-14 18:18:47 +03:00
Sreeramya Soratkal
311091eb43 P2P: Use SAE+PMF for P2P connection in 6 GHz
Use WPA3-Personal (SAE+PMF) for P2P connections in the 6 GHz band to
enable the Wi-Fi Display use case on the 6 GHz band without having to
use WPA2-Personal (PSK) on that new band.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
f0cdacacb3 P2P: Allow connection on 6 GHz channels if requested
Previously, 6 GHz channels were disabled for P2P operations. Use the new
allow_6ghz parameter with P2P_CONNECT, P2P_GROUP_ADD, and P2P_INVITE
commands for P2P connection on the 6 GHz channels when Wi-Fi Display is
enabled on both the devices.

However, the p2p_6ghz_disable parameter in the configuration takes a
higher precedence.

Indicate P2P 6 GHz band capable information in Device Capability Bitmap
of P2P Capability attribute to indicate the P2P Device is capable of P2P
operation in the 6 GHz band.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
b36142a740 P2P: Add allow_6ghz parameter to control interface
Introduce a new allow_6ghz parameter with P2P_CONNECT, P2P_GROUP_ADD,
and P2P_INVITE commands for P2P connection on the 6 GHz channels when
Wi-Fi Display is enabled on both the devices. This commit is only adding
the interface change without changing any actual P2P functionality.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
6423c23e3d P2P: Allow 6 GHz channels to be included in the P2P_FIND operation
Previously, the 6 GHz channels were disabled for P2P operations.
Introduce a new include_6ghz parameter for the P2P_FIND command to
configure P2P discovery on the 6 GHz channels.

However, the p2p_6ghz_disable parameter in the configuration takes a
higher priority. If the p2p_6ghz_disable parameter is not set in the
configuration, include_6ghz parameter can be used to enable or disable
the discovery operation in the 6 GHz channels for the P2P_FIND command.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Sreeramya Soratkal
eaf850867b P2P: Extend channel determination/validation to 6 GHz channels
Extend the previously 5 GHz specific 80 and 160 MHz channels helper
functions to support 6 GHz channels.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-10 23:43:03 +03:00
Gurumoorthi Gnanasambandhan
9f901e65b4 WNM: Ignore SSID check for hidden SSID in transition candidates
Do not skip scan results with zero length SSID (i.e., a hidden SSID)
when searching for potential BSS transition candidates since such
entries might be for the same ESS (i.e., for the current SSID). Use only
the BSSID check for such cases.

Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
2021-06-09 20:55:39 +03:00
Jouni Malinen
525ec045f3 P2P: Use correct return type for has_channel()
This helper function returns enum chan_allowed values, so use it as the
return type instead of unnecessarily generic int.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-06-08 12:46:45 +03:00
Jouni Malinen
e8662e9d44 Use a helper function to remove struct wpa_bss_tmp_disallowed entries
It is safer to remove and free these entries with a shared helper
function to avoid issues with potentially forgetting to unregister or
free something if this structure is extended in the future.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-06-03 00:11:18 +03:00
Hu Wang
ecaacb47b7 OCE: Remove AP from driver disallow list with sufficient AP RSSI
When a STA makes an association request that is rejected by an OCE AP
due to the RSSI being insufficient, the AP is added to the driver
disallow list by wpa_set_driver_tmp_disallow_list().

Once the AP increases TX power which makes the AP RSSI higher than
Association Rejection RSSI threshold, the AP is supposed to be removed
from the driver disallow list but that was not the case.

wpa_is_bss_tmp_disallowed() is called in the scan result handler, so it
is the best place to put the logic of removing the AP from the driver
disallow list with sufficient AP RSSI.

This is needed with drivers that use the temporarily disallowed BSS list
(which is currently supported only with a QCA vendor command). The
wpa_supplicant internal functionality was already taking care of this
with the wpa_is_bss_tmp_disallowed() return value even for cases where
the entry remaining in the list.

Signed-off-by: Hu Wang <huw@codeaurora.org>
2021-06-03 00:06:00 +03:00
Vamsi Krishna
6abfb1418c Use estimated throughputs irrespective of RSSI delta for 6 GHz APs
APs in 6 GHz operating with LPI/VLP rules will have significantly lower
SNR values compared to 2.4/5 GHz band APs. Earlier, the estimated
throughputs were used for comparison only when the delta of SNRs between
both the APs was not greater than 7 and as a result for comparing 6 GHz
APs with 2.4/5 GHz APs, estimated throughputs were not getting used.

The estimated throughput calculations takes SNR value also into
consideration, hence remove RSSI delta check if any of the APs are from
the 6 GHz band. This change is limited to the 6 GHz band only in order
to avoid possible regressions with 2.4/5 GHz APs.

Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2021-05-21 18:41:59 +03:00
Jouni Malinen
1c5aa2579d Add EAPOL_TX command to extend ext_eapol_frame_io possibilities
This makes it convenient for an external test script to use
ext_eapol_frame_io=1 to delay and/or modify transmission of EAPOL-Key
msg 1/4 without having to use separate frame injection mechanisms.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
7f0a2e4225 Report EAPOL-RX events for testing purposes
This makes it more convenient to track EAPOL frame reception from an
external test script.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Vamsi Krishna
46f8976196 Prefer 6 GHz APs for connection in BSS selection
Prefer 6 GHz APs when estimated throughputs are equal with APs from the
2.4/5 GHz bands while selecting APs for connection. Also add a 6 GHz
specific noise floor default value for the 6 GHz band (with the same
value as was used for 5 GHz previously) to make this step clearer.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-07 13:05:58 +03:00
Vamsi Krishna
84008457ed Add support to calculate estimated throughputs for HE rates
Add support to consider HE rates while estimating throughputs for the
scan results from HE enabled APs. HE 0.8 usec GI rates are used in all
tables. The minimum SNR values for HE rates (1024-QAM) are derived by
adding the existing minimum SNR values of 256-QAM rates from VHT tables
and the difference between the values of minimum sensitivity levels of
256-QAM rates and 1024-QAM rates defined in Table 27-51 (Receiver
minimum input level sensitivity) in IEEE P802.11ax/D8.0.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-07 13:05:58 +03:00
Vamsi Krishna
658b6a0b08 Add support to estimate throughput for VHT 160/80+80 MHz supporting APs
Add support to calculate estimated throughputs for APs which support the
160 MHz (including 80+80 MHz) mode in VHT. The minimum SNR values for
VHT 160 MHz mode are derived from minimum SNR values used for VHT 80 MHz
mode + 3 dBm. The min-SNR values are derived relatively based on the
information that the minimum sensitivity levels defined in Table 21-25
(Receiver minimum input level sensitivity) in IEEE Std 802.11-2020 for
the 160 MHz mode are higher by 3 dBm compared to the values of the 80
MHz mode for each rate.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-07 12:28:46 +03:00
Vamsi Krishna
1d2118b509 Check local supported features for estimating BSS throughputs accurately
Add checks for features supported by the specific hardware mode of the
local device that has the channel for which the throughput is being
estimated instead of assuming the local device supports all optional
features. This is more accurate for cases where the local capabilities
might differ based on the band. In addition, this is in preparation for
extending rate estimates to cover optional VHT and HE features.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-07 12:27:21 +03:00
Kani M
b8d337c632 DPP2: Fix channel 6 inclusion for chirping with non-2 GHz interfaces
When the driver provides a list of supported modes, chan6 ended getting
added even if the 2.4 GHz mode was not included. This resulted in
incorrect behavior of trying to transmit on a not supported channel in
case of 5 GHz only radios.

Fix this by adding the channel 6 by default only if the driver does not
provide a list of supported modes. Whenever the supported modes are
available, only add this channel if it is explicitly listed as an
enabled channel.

Fixes: 8e5739c3ac ("DPP2: Check channel 6 validity before adding it to chirp channel list")
Signed-off-by: Kani M <kanisumi@codeaurora.org>
2021-04-21 23:14:04 +03:00
Jouni Malinen
d675d3b15b Add helper functions for parsing RSNXE capabilities
Simplify the implementation by using shared functions for parsing the
capabilities instead of using various similar but not exactly identical
checks throughout the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-04-10 12:43:38 +03:00
Jouni Malinen
663e190b72 SAE: Remove now unused password identifier argument from non-H2E case
IEEE Std 802.11-2020 mandates H2E to be used whenever an SAE password
identifier is used. While this was already covered in the
implementation, the sae_prepare_commit() function still included an
argument for specifying the password identifier since that was used in
an old test vector. Now that that test vector has been updated, there is
no more need for this argument anymore. Simplify the older non-H2E case
to not pass through a pointer to the (not really used) password
identifier.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-10 12:12:54 +03:00
Ilan Peer
79f87f4734 PASN: Change PASN flows to use SAE H2E only
Do so for both wpa_supplicant and hostapd. While this was not explicitly
required in IEEE P802.11az/D3.0, likely direction for the draft is to
start requiring use of H2E for all cases where SAE is used with PASN.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 12:12:22 +03:00
Ilan Peer
8c786e0687 PASN: Derive KDK only when required
When a PTK derivation is done as part of PASN authentication flow, a KDK
derivation should be done if and only if the higher layer protocol is
supported by both parties.

Fix the code accordingly, so KDK would be derived if and only if both
sides support Secure LTF.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 11:55:55 +03:00
Sunil Dutt
0bae161229 Set last_eapol_matches_bssid=1 on a roam+auth indication from driver
Commit 3ab35a6603 ("Extend EAPOL frames processing workaround for
roaming cases") added a work around to address the issue of EAPOL frame
reception after reassociation replied to with an incorrect destination
address (the BSSID of the old AP). This is due to association events and
EAPOL RX events being reordered for the roaming cases with drivers that
perform BSS selection internally.

This mechanism relies on the fact that the driver always forwards the
EAPOL handshake to wpa_supplicant after the roaming (sets
last_eapol_matches_bssid during the EAPOL processing and resets on the
assoc/reassoc indication).

The above approach does not address the case where the driver does the
EAPOL handshake on the roam, indicating the authorized status to
wpa_supplicant but also forwards the EAPOL handshake to wpa_supplicant
for few other roam attempts. This is because the flag
last_eapol_matches_bssid is not set with the roam+authorized event from
the driver. Thus, the next reorder of roam and EAPOL RX events would
miss this workaround.

Address this by setting last_eapol_matches_bssid=1 on a roam+authorized
event from the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-09 21:51:46 +03:00
Jouni Malinen
2445e18b6f tests: assoc+auth driver event
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 13:33:40 +03:00
Jouni Malinen
00bec7b5be tests: IEEE 802.1X and FORCE_UNAUTH state
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 12:36:18 +03:00
Jouni Malinen
8ca330bd70 Flush pending control interface message for an interface to be removed
wpa_supplicant_ctrl_iface_deinit() was executed only if the
per-interface control interface initialization had been completed. This
is not the case if driver initialization fails and that could result in
leaving behind references to the freed wpa_s instance in a corner case
where control interface messages ended up getting queued.

Fix this by calling wpa_supplicant_ctrl_iface_deinit() in all cases to
cancel the potential eloop timeout for wpas_ctrl_msg_queue_timeout with
the reference to the wpa_s pointer. In addition, flush any pending
message from the global queue for this interface since such a message
cannot be of use after this and there is no need to leave them in the
queue until the global control interface gets deinitialized.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-26 00:21:18 +02:00
Jouni Malinen
354f87e2e3 MSCS: Fix MSCS Response frame Status field parsing
This is a 2 octet field, so need to use WPA_GET_LE16() here instead of
using only the first octet of the value.

Fixes: bbd3178af4 ("MSCS: Add support to process MSCS Response frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-23 00:42:06 +02:00
Jouni Malinen
37306a0042 PASN: Use a helper function to free radio work data
This is safer in avoiding memory leaks now that there is a dynamically
allocated member within the data struct.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 18:33:17 +02:00
Jouni Malinen
349e9eafbb PASN: Mark pubkey/comeback arguments constant for frame construction
These parameters are only copied to the frame, so mark them as constant.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 18:30:52 +02:00
Ilan Peer
67014b3f74 PASN: Add support for comeback flow to wpa_supplicant
Process the received comeback cookie and retry automatically if the AP
allows this. Otherwise, provide the cookie to upper layers to allow a
later attempt with the cookie.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-21 18:28:34 +02:00
Ilan Peer
eaeec4da2d PASN: Add support for deauthentication flow in station
The new wpa_supplicant control interface command "PASN_DEAUTH
bssid=<BSSID>" can now be used to flush the local PTKSA cache for the
specified BSS and to notify the AP to request it to drop its PTKSA as
well.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 22:49:28 +02:00
Ilan Peer
b866786338 PASN: For testing purposes allow to corrupt MIC
For testing purposes, add support for corrupting the MIC in PASN
Authentication frames for both wpa_supplicant and hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 17:19:12 +02:00
Ilan Peer
2efa60344e PASN: Encode the public key properly
When a public key is included in the PASN Parameters element, it should
be encoded using the RFC 5480 conventions, and thus the first octet of
the Ephemeral Public Key field should indicate whether the public key is
compressed and the actual key part starts from the second octet.

Fix the implementation to properly adhere to the convention
requirements for both wpa_supplicant and hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 12:31:31 +02:00
Ben Greear
a746393dcf TWT: Allow specifying Control field value in TWT Request
See IEEE P802.11ax/D8.0, Figure 9-687 (Control field format) for
details.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-12 10:53:02 +02:00
Andrei Otcheretianski
82a348eda4 wpa_supplicant: Don't process EAPOL frames while disconnecting
An EAPOL frame may be pending when wpa_supplicant requests to
deauthenticate. At this stage the EAP SM cache is already cleaned by
calling eapol_sm_invalidate_cached_session(). Since at this stage the
wpa_supplicant's state is still set to associated, the EAPOL frame is
processed and results in a crash due to NULL dereference.

This wasn't seen previously as nl80211 wouldn't process the
NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would
set the valid_handler to NULL. This behavior was changed in commit
ab89291928 exposing this race.

Fix it by ignoring EAPOL frames while the deauthentication is in
progress.

Fixes: ab89291928 ("nl80211: Use process_bss_event() for the nl_connect handler")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-03-12 09:57:23 +02:00
Stefan Paetow
e80e6a2f17 eapol_test: Add address family for IPv4 in Windows build
Add the address family when manually constructing IPv4 addresses in
eapol_test on Windows. Otherwise other functions, like hostapd_ip_txt()
in src/utils/ip_addr.c, that rely on addr->af being set fail miserably.
The non-Windows option uses hostapd_parse_ip_addr() which does this as
part of the helper function.

Signed-off-by: Stefan Paetow <oss@eons.net>
2021-03-12 09:49:20 +02:00
Ben Greear
7fd2f24962 TWT: Support sending TWT Setup and Teardown Action frames
This adds new control interface commands TWT_SETUP and TWT_TEARDOWN. For
now, these are only for testing purposes to be able to trigger
transmission of the TWT Action frames without configuring any local
behavior for TWT in the driver.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-07 22:07:37 +02:00
Matthew Wang
5ac977758d Reject authentication start during explicit roam requests
The roam D-Bus and ROAM control itnerface commands flip the reassociate
bit before calling wpa_supplicant_connect(). wpa_supplicant connect
eventually aborts ongoing scans (if any), which causes scan results to
be reported. Since the reassociate bit is set, this will trigger a
connection attempt based on the aborted scan's scan results and cancel
the initial connetion request. This often causes wpa_supplicant to
reassociate to the same AP it is currently associated to instead of the
explicitly requested roaming target.

Add a roam_in_progress flag to indicate that we're currently attempting
to roam via an explicitly request to a specific BSS so that we don't
initiate another connection attempt based on the possibly received scan
results from a scan that was in progress at the time the roam command
was received.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2021-03-06 10:59:05 +02:00
Jouni Malinen
40551a15c1 Fix a memory leak in WPS with ap_scan=2
The wpa_ie buffer is now allocated here and needs to be freed before
returning from the function.

Fixes: d2ba0d719e ("Move assoc param setting into a helper function")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:46:32 +02:00
Jouni Malinen
900adb3c9f FILS: Simplify code paths
Use a shared code path for freeing the wpa_ie buffer to avoid
unnecessary complexity with a separate return for the non-FILS case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:42:06 +02:00
Jouni Malinen
6035969e0e Fix dynamic EAP library building
Build eap_*.so into the wpa_supplicant similarly with the wpa_supplicant
binary and include the shared helper functions from additional files
into the builds. This got broken at some point with the build system
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 23:42:21 +02:00
Jouni Malinen
a826ff2d95 Ignore group-addressed SA Query frames
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:00 +02:00
Jimmy Chen
d314213f6c P2P: Pick a 5 GHz channel from more possible channels
For an autonomous P2P group on the 5 GHz band, a channel was picked only
from the operating class 115 which is not available in the EU region
anymore. As a result, an autonomous group creation would always fail in
this generic 5 GHz channel case.

There are more possible available channels for the 5 GHz currently.
Especially in the EU region, the operating class 115 channels are no
longer available, but SRD channels (the operating class 124) are
available. Allow them to be used here if they are marked as allowed for
P2P GO use.

In addition, iterate through all the potential options instead of just
checking the first randomly picked channel. Start this iteration from
random position to maintain some randomness in this process.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2021-02-27 19:19:35 +02:00
Sreeramya Soratkal
50baf345b4 TDLS: Support TDLS operations in HE mode
Determine if the TDLS peer is HE capable based on HE Capability element
received in the TDLS Setup Response frame. Indicate the peer's HE
capabilities to the driver through sta_add().

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-02-26 20:16:48 +02:00
Jouni Malinen
f03580e319 Restore permanent MAC address on the FLUSH command
Clear previously used random MAC address on the FLUSH command if
mac_addr setting has been disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 17:22:37 +02:00
Jouni Malinen
976c3c161f DPP2: Accept Config Result before GAS response TX status
The TX event for the next frame in the sequence might be received before
the TX status for the final GAS response frame is processed. This used
to result in the Config Result getting discarded and the negotiation not
completing successfully on the Configurator side.

Accept the Config Result message as an indication of the final GAS
response frame having went through fine even if the TX status has not
yet been processed to avoid this issue from a potential race condition
on kernel events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 16:44:33 +02:00
Jouni Malinen
1ba8a315cd Avoid use of C++ keyword in a header file
Don't use 'protected' as the name of the variable in bss.h since this
might be used in control interfaces that use C++.

Fixes: 1c77f3d3f9 ("Indicate whether additional ANQP elements were protected")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 12:48:13 +02:00
Ilan Peer
85eb47e3a9 PASN: Correctly set RSNXE bits from STA
These defines are for the capability bit number, not the binary value
from the bit index. As such, need to use BIT() here to set the bitmap
appropriately.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:25:10 +02:00
Andrei Otcheretianski
be5f7f3746 wpa_supplicant: Fix potential memleak on an error path
extra_buf allocation was missed in one of the error cases.

Fixes: 170775232d ("ANQP: Add support to specify frequency in ANQP_GET command")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:18:45 +02:00
Veerendranath Jakkam
8f204f69ac Show OCV and beacon protection capabilities in control interface
Indicate local support for Operating Channel Validation (OCV) and beacon
protection.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00