Commit graph

5843 commits

Author SHA1 Message Date
Benjamin Berg
770f3cb30b WNM: Remove dialog_token parameter
All callers of wnm_send_bss_transition_mgmt_resp() are explicitly
passing wpa_s->wnm_dialog_token. As such, we might as well not pass it
and use the variable directly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
c7cafef8a1 WNM: Set wnm_reply to 0 when sending it
There is no point in the caller to set it to zero. Just do so within
wnm_send_bss_transition_mgmt_resp().

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
261f7f9e51 WNM: Do not store coloc_intf_elems
The elements are (currently) not used except for sending an immediate
response similar to COLOC_INTF_REPORT with the main difference being
that the dialog token is included.

Do not store the elements. It easy enough to re-add this should the
implementation improve. And this fixes the fact that the variable is
cleared at odd times as wnm_deallocate_memory() is used specifically to
clear the neighbor report list of a BTM request.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
033adbf833 WNM: Drop explicit wpa_is_bss_tmp_disallowed() check
There is no need for this check as wpa_scan_res_match() already calls
the function through wpa_scan_res_ok() before accepting a match.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
8b51310f4e WNM: Drop explicit SSID check
The call to wpa_scan_res_match already checks that the SSID matches
current_ssid. Therefore there is no need to do any further checking.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
939cd294b2 WNM: Drop check for current_ssid
It should never be NULL. In the unlikely event that it is NULL, the
logic changes slightly to reject all candidates.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
436f07d02b WNM: Define a stub wnm_is_bss_excluded if WNM is disabled
This removes the need to check for CONFIG_WNM.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Avraham Stern
e164943f43 WNM: Wait for BTM response TX status before roaming
When accepting a BSS transition request there is a race between
sending the response and roaming to the target AP. As a result,
the response may not be sent because the station deauthenticated
from the AP before the response was actually sent.

To make sure the BSS transition response is sent, start roaming only
after the TX status is received for the BSS transition response.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
40ef706e55 WNM: Don't scan frequencies of neighbors that should be ignored
It does not make sense to scan for neighbors that we are not supposed to
use anyway. As such, skip them.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
20ed289a78 WNM: Clean up old scan data processing
When receiving a BTM request, wpa_supplicant would try to fetch new
results from the driver, and, independently of that, would also process
the latest scan results that were partially updated by the previous
fetch.

Simplify the logic by using wpa_supplicant_get_scan_results() directly
and then process the old scan data as usual. However, this data may be
outdated, so add a new heuristic to avoid roaming to a BSS if it is
either outdated or bad.

Doing this moves all scan data processing into wnm_scan_process() and
removes duplicated functionality for scan result processing in scan.c.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:14 +02:00
Jouni Malinen
4750a4f62a DPP: Wait for TX wait expiration on moving to neg_freq for Auth Resp
Avoid potential race conditions with the driver operations between
stopping an ongoing wait for responses for an offchannel TX that was
used to send Authentication Request with a request to use a different
channel for Authentication Response and the start of a new ROC on the
other channel by waiting for the TX expiration event before issuing the
ROC request.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-02 19:39:49 +02:00
Jouni Malinen
451d299528 DPP: Wait for ROC cancelled event on Auth Resp TX on another channel
Avoid potential race conditions with the driver operations between
cancelling an ongoing ROC that was used to receive Authentication
Request that requested a different channel to be used for the
negotiation by waiting for the ROC cancelled event before issuing the
offchannel TX command for the Authentication Response.

In addition, speed up the retry on Authentication Response in this type
of a case if the first attempt on the other channel is not AKC'ed since
it might take the peer device a bit more time to be ready to listen
there.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-02 19:39:49 +02:00
Benjamin Berg
45fffac0fe BSS: Switch struct wpa_bss to use valid_links bitmask
This aligns both the wpa_supplicant and bss structures to use the same
pattern of a valid_links bitmask plus per-link entries.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 12:24:15 +02:00
Benjamin Berg
11f26fed64 Use for_each_link() where possible
This takes care of the places that the spatch did not catch already.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:12:13 +02:00
Benjamin Berg
dbdf7ef679 Use for_each_link() in most cases
This was done using the below semantic patch. There are a few more
places that were missed due to variable declarations or additional
checks in the for loop.

@@
iterator name for_each_link;
identifier max_links =~ "MAX_NUM_MLD_LINKS|MAX_NUM_MLO_LINKS";
expression links;
expression further_tests;
identifier i;
statement stmt;
@@
-for (i = 0; i < max_links; i++)
+for_each_link(links, i)
 {
(
-  if (!(links & BIT(i)))
-    continue;
   ...
|
-  if (!(links & BIT(i)) || further_tests)
+  if (further_tests)
     continue;
   ...
|
-  if (further_tests || !(links & BIT(i)))
+  if (further_tests)
     continue;
   ...
|
-  if (links & BIT(i))
     stmt
|
-  if (further_tests && (links & BIT(i)))
+  if (further_tests)
     stmt
|
-  if ((links & BIT(i)) && further_tests)
+  if (further_tests)
     stmt
)
 }

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:11:12 +02:00
Ilan Peer
408a399aa4 nl80211: Explicitly differentiate between 5 GHz and 6 GHz modes
When a device supports both the 5 GHz band and the 6 GHz band,
these are reported as two separate modes, both with mode set to
HOSTAPD_MODE_IEEE80211A. However, as these are different modes,
each with its own characteristics, e.g., rates, capabilities etc.,
specifically differentiate between them by adding a flag to indicate
whether the mode describes a 6 GHz band capabilities or not.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 10:53:19 +02:00
Sunil Ravi
dbcf9ff156 P2P: Notify the IP address of the connected P2P Client
When wpa_supplicant assigns the IP address (WFA EAPOL IP address
allocation feature), the assigned IP address of the P2P Client on the GO
side is notified in the AP-STA-CONNECTED event. So to obtain the IP info
to external programs, modify the STA authorized event to include the the
assigned IP address of the P2P Client.

Test: Establish P2P connection and verified from the logs that
      the P2P Client IP address is notified.
Signed-off-by: Sunil Ravi <sunilravi@google.com>
2024-03-01 20:36:41 +02:00
Sunil Ravi
b18d957593 P2P: Disable pri/sec channel switch for GO with forced frequency
When wpa_supplicant receives a request to start a P2P group owner on a
fixed frequency with bandwidth wider than 20 MHz, wpa_supplicant scans
for neighboring BSSs prior to starting the GO. This is done to switch
the primary/secondary channels if there are any other networks which are
operating on the same secondary channel. Though this logic is defined
for 20/40 MHz coexistence and might improve throughput, there are P2P
use cases where this logic causes problem:

1. The file transfer use case takes time to start the file transfer or
   even fails when the 20/40 coex scan repeatedly fails due to an
   ongoing externally triggered scan happening in the system.
2. wpa_supplicant overrides the channel which is selected by the
   application based on the best channel it derived by looking into
   the channel conditions. This degrades the expected throughput.
3. Latency sensitive applications experience long time to
   start the group owner which gives a bad user experience.

So do not allow 40 MHz co-ex PRI/SEC switch to force a change to
Autonomous GO PRI channel when the P2P group add is called with a forced
frequency.

Test: Tested autonomous GO and confirmed from the logs that
P2P GO is not triggering 20/40 coex scan.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2024-03-01 20:04:13 +02:00
Jouni Malinen
95a825bc43 RADIUS: Preliminary support RADIUS/TLS as an alternative to RADIUS/UDP
This adds initial parts for RADIUS/TLS support in the RADIUS client.
This can be used with eapol_test and hostapd. This functionality is not
included by default and CONFIG_RADIUS_TLS=y in .config can be used to
enable it.

This version does not yet include all the needed functionality for TLS
validation and the rules for dropping a TCP connection based on invalid
RADIUS attributes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-25 20:54:14 +02:00
Jouni Malinen
3a5d1a7e6d NAN: USD in hostapd
Add hostapd support for interacting with the NAN discovery engine to
allow single-channel (i.e., the AP's operating channel) USD as Publisher
or Subscriber.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-02-15 19:54:17 +02:00
Jouni Malinen
e3f9ab3c3a NAN: USD in wpa_supplicant
Add wpa_supplicant support for interacting with the NAN discovery engine
to allow USD as Publisher or Subscriber.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-02-15 19:54:17 +02:00
Jouni Malinen
8fa52a7974 FT: Allow wpa_supplicant to be configured to prepend PMKR1Name
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.

wpa_supplicant has replaced the PMKID List contents from (Re)Association
Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT.
Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name
without removing the PMKIDs from (Re)Association Request frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-03 20:58:01 +02:00
Veerendranath Jakkam
e3fb9e6f2d Send actual BTM capability when the driver takes care of BSS selection
wpa_supplicant disables BTM capability in Extended Capabilities element
when wpa_supplicant selects a misbehaving MBO/OCE AP that uses RSN
without PMF, but this is disabling BTM support for whole ESS connection
lifetime though the BTM support can be enabled when the driver takes
care of BSS selection and selects/roams to a BSS which is MBO and OCE
specification compliant. Thus, always set the actual BTM capability in
Extended Capabilities element when the driver takes care of BSS
selection.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-01-25 20:11:07 +02:00
Jouni Malinen
5ae8838a06 Make test code easier for static analyzers
The previous os_strncmp() calls have already verified that there is a
space in the string, so this os_strchr() call cannot really return NULL.
Anyway, make this easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 22:16:49 +02:00
Jouni Malinen
7184e63ced dbus: Avoid memory leak on error when signaling PropertiesChanged
put_changed_properties() might fail, e.g., due to memory allocation
failure or a failure in a property getter function. Such an error case
would have leaked the message iteration container since the call to
dbus_message_iter_close_container() would have been skipped.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:47 +02:00
Jouni Malinen
9456adeeba DPP3: Fix potential use-after-free on push button bootstrap info
When removing the bootstrap info for the PB context, all the possible
pointers to that information needs to be cleared to avoid accesses to
freed memory.

Fixes: 37bccfcab8 ("DPP3: Push button bootstrap mechanism")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 12:51:53 +02:00
Jouni Malinen
ee9375fb3b tests: Association comeback mechanism in wpa_supplicant
Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 12:17:23 +02:00
Harry Bock
33179cd291 SME: Handle PMF association comeback when not handled in driver
In associations using PMF (IEEE 802.11w/MFP), the infrastructure
implements SA teardown protection by rejecting an (Re)Association
Request frame from an already-associated client.  The AP responds with
error 30 (Association request rejected temporarily) to instruct the
(potentially spoofing) client to back off, while it issues an SA Query
procedure to the already-associated client. If the client can respond to
it within the back-off period, it considers the new association to be a
spoof attempt.

However, there are cases where a legitimate client might need to
handle this error response - consider if the STA has deauthenticated,
but the AP cannot hear it (out of range).  If the MFP STA has deleted
its keys, it cannot respond to the SA Query procedure.

This association comeback process has commonly been implemented in the
driver, e.g., within mac80211 in case of the Linux drivers that use SME
in userspace. However, there are drivers that do not implement this
functionality. Extended wpa_supplicant to cover such cases as well.

The current implementation interprets this association error as a true
error, and will either add the BSS to the list of ignored BSSIDs, or
continue to try other BSSes. This can cause wpa_supplicant to back off
trying to reconnect for progressively longer intervals, depending on the
infrastructure's configured comeback timeout.

Allow wpa_supplicant to interpret the error, searching for the Timeout
Interval element in the (Re)Association Response frame and starting a
timer in the SME layer to re-associate after the timeout. This can be a
long delay (1-4 seconds in my experience), but it is likely much shorter
than bouncing between nearby BSSes.

This does not change behavior for drivers that implement association
comeback timer internally since they do not report the temporary
association rejection status code to user space.

Signed-off-by: Harry Bock <hbock@zebra.com>
2024-01-21 12:00:15 +02:00
Damien Dejean
0ef4b1e1db D-Bus: Add a signal for HS2.0 terms and conditions
Add HS20TermsAndConditions signal to D-Bus API to allow clients to be
notified when the network requires the acceptance of terms and
conditions. The URL of the T&C page is provided as a signal parameter.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2024-01-20 20:16:36 +02:00
Jouni Malinen
2314a3569f Testing functionality for EAPOL-Key Key Data field encryption
Allow the Key Data field to be encrypted in EAPOL-Key msg 2/4 and 4/4.
This is for testing purposes to enable a convenient mechanism for
testing Authenticator behavior with either potential future extensions
or unexpected Supplicant behavior.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 22:04:55 +02:00
Jouni Malinen
f591732af7 Supplicant side testing functionality for EAPOL-Key Key Data field
Allow additional elements and KDEs to be added to EAPOL-Key msg 2/4 and
4/4. This is for testing purposes to enable a convenient mechanism for
testing Authenticator behavior with either potential future extensions or
incorrect Supplicant behavior.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 16:38:30 +02:00
Andrei Otcheretianski
abc239a0b0 Get rid of multiple MIN macros
There are multiple redundant MIN macro declarations, some of which are
not protecting against side effects. Move it to common.h instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-14 20:13:20 +02:00
Matthew Wang
5290523db3 Apply a symmetrical bias against moving away from higher bands
There is currently a bias towards moving to higher bands but not one
against moving away from them. Fix that.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2024-01-14 20:07:25 +02:00
Matthew Wang
05474b34bf Decrease cross-threshold roam difficulty with bgscan_simple
Decrease the roam difficulty when roaming across the short background
scan threshold (i.e., when the current BSS RSSI is below the threshold
and the selected BSS RSSI is above the threshold). This tends to happen
in normal roaming scenarios when moving from the domain of one AP to
the domain of another.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2024-01-14 20:03:31 +02:00
Benjamin Berg
73f06af143 wpa_supplicant: Do not invalidate PMKSA cache for bssid_* updates
These updates do not cause the PMKSA cache to become invalid. As such,
allow setting any of bssid_hint, bssid_ignore, and bssid_accept without
clearing the cache and causing the current connection to be dropped
immediately.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-14 17:50:17 +02:00
Benjamin Berg
05c167eb0a MLD: Fail connection if ML Authentication frame could not be parsed
If the Authentication frame response did not contain the expected ML
element (or it was invalid), we cannot continue with the ML association.
As such, the only choice we have in this case is to abort the
association.

If we do continue, we would end up sending the Association Request frame
with our MLD MAC address.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-14 17:47:48 +02:00
Benjamin Berg
a80dcf0e24 MLD: Read the correct BSSID from the RNR
The previous implementation would find the correct TBTT record in the
RNR but then always copied the BSSID from the first record out. Fix this
to copy the BSSID from the current position.

Fixes: de5e01010c ("wpa_supplicant: Support ML probe request")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-14 17:43:00 +02:00
Ilan Peer
906dade4f9 RRM: Handle scan TSF BSSID matching in context of MLD
Compare the BSSID against the BSSIDs on the affiliated APs for which
there is a valid link in case of an ML association.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-14 17:37:40 +02:00
Jouni Malinen
f9b3ecb0ad DPP: Work arouind missing Auth Confirm ACK for testing
The dpp_test DPP_TEST_STOP_AT_AUTH_CONF case is supposed to prevent the
GAS exchange from happening. It was possible to bypass that testing
functionality if the TX status event for the Authentication Confirm
message was lost or delayed long enough for the GAS Request to be
proessed first. This could happen at least with UML time travel.

Work around this by checking for the special dpp_test case within GAS
request handling.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 12:10:04 +02:00
Ilan Peer
655794898f RRM: Fix the parsing of the Extended Request subelement in beacon req
The Extended Request subelement of a Beacon Request is expected to also
include the Requested Element ID field (that identifies the Element ID
used to indicated extended elements) which needs to be skipped to get
the Requested Element ID Extensions.

Fixes: 2d4f905214 ("RRM: Add support for including extended ID elements in beacon report")
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-14 11:42:04 +02:00
Daniel Gabay
b9983b35db MSCS: Process unsolciited MSCS Response frames
Align MSCS response handling as described in IEEE P802.11-REVme/D4.0,
11.25.3 (MSCS procedures):

AP may send unsolicited MSCS Response frame using dialog_token == 0.
Instead of dropping the frame due to dialog_token mismatch, accept
it and set the status accordingly.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
2024-01-14 11:13:02 +02:00
Daniel Gabay
b427683bf0 MSCS: Extend MSCS response handling
Align MSCS response handling as described in IEEE P802.11-REVme/D4.0,
11.25.3 (MSCS procedures):

If an MSCS Descriptor element is present in a MSCS Response
frame that does not indicate a status of "SUCCESS", the request
type field is set to "change" - the element indicates a suggested
set of parameters that could be accepted by the AP in response to a
subsequent request by the non-AP STA.

Handle both MSCS Response frame and (Re)Association Response frame with
change request by extending WPA_EVENT_MSCS_RESULT with the change
values.

Note: since we extend MSCS_RESULT event, move the original event from
both MSCS Response frame and (Re)Association Response frame handlers to
a common function that handles now both 'change' and other response.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
2024-01-14 11:12:38 +02:00
Jouni Malinen
db036b5345 MSCS: Use a define for the MSCS Descriptor element fixed field length
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 11:07:34 +02:00
Jouni Malinen
2d83d224ff Use ether_addr_equal() to compare whether two MAC addresses are equal
This was done with spatch using the following semantic patch and minor
manual edits to clean up coding style and avoid compiler warnings in
driver_wext.c:

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) == 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) != 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!os_memcmp(a, b, ETH_ALEN)
+	ether_addr_equal(a, b)

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 23:47:21 +02:00
Andrei Otcheretianski
f048e66260 wpa_supplicant: Don't assign pointer to bool
As it may result in compilation error.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 23:47:20 +02:00
Jouni Malinen
e0a2b3222d Fix compiler warnings on supplicant build with PASN but no FILS
Get rid of unused variables and functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 23:47:20 +02:00
Chien Wong
a2fd63964c build: bgscan_simple depends on WNM
Fix build of wpa_supplicant if bgscan_simple is enabled while
WNM is not, as in the defconfig.

Fixes: ceb7f65dcc ("bgscan: Allow simple bgscan to do BTM queries")
Signed-off-by: Chien Wong <m@xv97.com>
2024-01-13 23:47:20 +02:00
Benjamin Berg
594f85e30b mesh: Set the mld_link_id to -1 when adding a station
As otherwise the mld_link_id would be 0, which the driver would
consider a valid link id and would return an error.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-13 23:47:20 +02:00
Benjamin Berg
a1d7a9e3b7 build: Properly grab the libpcsclite cflags
We should be grabbing the include directory using pkg-config and not
just the libs. Without this, the header file might not be found on all
systems because it may not be in /usr/include but elsewhere in the
system.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-13 20:07:37 +02:00
Andrei Otcheretianski
9569315dea Disable _FORTIFY_SOURCE when building with -O0
_FORTIFY_SOURCE requires at least -O2 optimization level.
This may result in compilation warnings. Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 20:07:04 +02:00