Currently, OCV self-capability is being set into the RSN supplicant
state machine only during the initial connection and never getting
updated. But for the driver-SME cases the driver may enable/disable OCV
in (Re)Association Request frame RSNE based on the AP chosen to roam.
This will lead to missing synchronization between wpa_supplicant and the
driver. Thus, update OCV self-capability in the wpa_supplicant RSN state
machine based on the (Re)Association Request frame RSNE indicated in the
connect response.
Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
The check for PBC overlap on a partner link should not be done unless
the current interface is actually in active PBC mode. Furthermore, the
wpa_s->wps_overlap variable needs to be cleared in additional places to
avoid leaving it set indefinitely.
This was found with the following test case sequence:
dbus_wps_pbc_overlap dbus_p2p_two_groups
Fixes: b43e19f3f3 ("WPS: Cross band overlap detection with multiple interfaces")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In case both the local driver and the AP support MLD, request an MLD
authentication from the driver. When processing the authentication event
from the driver verify that the MLD address in the authentication data
matches that of the requested AP.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of drivers that offload the 4-way handshake to the driver, there
was no way of updating wpa_supplicant about the transition disable
bitmap received as a part of EAPOL-Key msg 3/4.
With latest provisions in cfg80211_port_authorized(), the TD bitmap can
be sent to the upper layer. Parse that as a part of the port authorized
event and set the transition disable information accordingly.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
Check the HE membership selector and don't use the BSS
if required but not supported by HW.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Though not explicitely forced by IEEE 802.11be draft yet, it makes sense
to apply the same logic for MLD as for 6 GHz BSSs. Change
wpa_supplicant_ssid_bss_match() accordingly.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
MAX_NUM_MLD_LINKS is 15, thus u8 isn't enough for the bitmap. Fix it.
While at it, clean MLO information better.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Allows informing the connection manager of additional information on CQM
events. Allows the connection manager to request the same information
on demand by using the existing "SignalPoll" method.
* Add new property "SignalChange"
* Add storage for wpa_signal_info into wpa_supplicant context
object
* Copy memory from event to context object on CQM Event
* Write a common conversion method to be used by both "SignalPoll" and
this property
Signed-off-by: David Ruth <druth@chromium.org>
Facilitate emitting more station information over D-Bus for use by the
connection manager.
* Add storage for more NL80211_STA_INFO_* fields to data structures, and
move them through the system.
* Reorder NL80211_STA_INFO_* fields in driver_nl80211.c to match the
ordering in nl80211.h.
* Convert signal field to an integer to support holding WPA_INVALID_NOISE
and avoid changing logging.
* Add fields to hostap_sta_driver_data to capture more information
* fcs_error_count
* beacon_loss_count
* expected_throughput
* rx_drop_misc
* rx_mpdus
* rx_hemcs
* tx_hemcs
* rx_he_nss
* tx_he_nss
* avg_signal
* avg_beacon_signal
* avg_ack_signal
* Add struct hostap_sta_driver_data to struct wpa_signal_info and remove
redundant fields and redundant attribute parsing
* Change logging when printing txrate to handle unsigned long
value
Signed-off-by: David Ruth <druth@chromium.org>
When WPS is running simultaneously on multiple per-band radios (e.g., a
separate 2.4 GHz and 5 GHz band radios in an AP device), handle
synchronization of scan results, detect PBC session overlap, and cancel
WPS for enrollees on both interface, if the UUID of the registrars on
different bands differ.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
In case of drivers supporting 4-way handshake offload, mark port
authorized and state completion only if the driver advertizes authorized
state in the connect event. Otherwise there are fair chances of the
driver port authorization API getting called while 4-way handshake is in
progress at the lower layer.
In order to avoid this possible race condition always update port
authorization and supplicant state WPA_COMPLETED setting from
EVENT_PORT_AUTHORIZED context when the driver is done with the 4-way
handshake.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
If a higher priority BSS has invalid security parameters, e.g., an
invalid SAE password, and a lower priority BSS is discovered only after
the local network profile has been temporarily disabled, the BSSID
ignoring mechanism is not sufficient to allow the lower priority BSS to
be tried and all consecutive attempts will continue to use the higher
priority BSS. This might prevent connection in some unexpected cases
with invalid network configuration.
Extend BSSID ignoring mechanism to work in this type of a case by
ignoring the BSSID that resulted in disabling the SSID temporarily
during the first connection attempt after having re-enabled the SSID.
This allows a lower priority BSS, if any is available in scan results,
to be tried next to see if it might have working security parameters.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This prevents attempts of trying to use PMKSA caching when the existing
entry was created using a different MAC address than the one that is
currently being used. This avoids exposing the longer term PMKID value
when using random MAC addresses for connections.
In practice, similar restriction was already done by flushing the PMKSA
cache entries whenever wpas_update_random_addr() changed the local
address or when the interface was marked down (e.g., for an external
operation to change the MAC address).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
During cross SSID roaming wpa_supplicant ended up using the default
RSNE/RSNXE in EAPOL-Key msg 2/4 though the driver indicated
(Re)Association Request frame elements without RSNE/RSNXE. This causes
RSNE/RSNXE mismatch between (Re)Association Request frame and EAPOL-Key
msg 2/4.
To avoid this skip copying the default RSNE/RSNXE if the driver
indicates the actually used (Re)Association Request frame elements in
the association event.
Signed-off-by: Utkarsh Soni <quic_usoni@quicinc.com>
Add support to specify a Link ID for set key operation for MLO
connection. This does not change the existing uses and only provides the
mechanism for extension in following commits.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Update the following MLO connection information to wpa_sm:
- AP MLD address and link ID of the (re)association link.
- Bitmap of requested links and accepted links
- Own link address for each requested link
- AP link address, RSNE and RSNXE for each requested link
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
For wpa_supplicant_get_new_bss(), wpa_s->current_ssid can be NULL in
some cases. Add a NULL check before accessing it to avoid NULL pointer
dereference errors.
Fixes: 7784964cbe ("MLD STA: Fetch MLO connection info into core wpa_supplicant")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The initial wpa_drv_get_mlo_info() implementation cleared only the
valid_links information within struct driver_sta_mlo_info before trying
to fetch the information from the driver. While this is likely going to
work fine in practice, this can result in static analyzer warnings on
use of uninitialized memory (e.g., mlo.assoc_link_id could have been
read if wpa_s->valid_links was set to a nonzero value). In any case, it
is better to avoid such unnecessary warnings by clearing the full data
structure before using it.
Fixes: 7784964cbe ("MLD STA: Fetch MLO connection info into core wpa_supplicant")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
EAPOL-Key msg 1/4 indication can be received before association
indication from the driver. For MLO connection, the source address check
of such frames should be against the AP MLD address instead of the
associated link BSSID.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Fetch the MLO association Link ID info from the driver to the
wpa_supplicant instance of the corresponding MLD STA interface. This
info is needed when setting the MLO connection info to wpa_sm.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Parse link id info from channel switch events and indicate the info to
control interface using new per link channel switch events. If channel
switch happens on the link which used during association both legacy
and new per-link channel switch events will be reported.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add support to fetch MLO connection info from the driver to the
wpa_supplicant instance of corresponding MLD STA interface. In addition,
return true for BSSs associated with MLO links from wpa_bss_in_use() to
avoid getting them cleared from scan results.
Co-authored-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
This brings in the functionality to hold multiple peers and perform PASN
authentication with each peer at a time and send the PASN response to
the driver. PASN parameters such as AKMP and cipher suite are obtained
from the BSS information of the cached scan results. Also add
functionality to trigger deauthentication to the peer for which PASN
request with action PASN_ACTION_DELETE_SECURE_RANGING_CONTEXT is
received.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to configure SAE, PSK, and PSK-SHA256 AKMs in connect
request when driver's SME in use. This is needed for implementing
WPA3-Personal transition mode correctly with any driver that handles
roaming internally.
Send additional AKMs configured in network block to driver based on
the maximum number of AKMs allowed by driver in connect request. Keep
first AKM in the list AKMs in the connect request as AKM selected by
wpa_supplicant to maintain backwards compatibility.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
4-way handshake was failing after the driver roam from SAE to WPA-PSK
due to wpa_sm having an old PMK which was generated during previous SAE
connection.
To fix this update PSK to wpa_sm when AKM changes from SAE to WPA-PSK
for the target AP to have a correct PMK for 4-way handshake. Also,
update PSK to the driver when key management offload is enabled.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds wifi_generation=7 line to the STATUS output if the driver
reports (Re)Association Request frame and (Re)Association Response frame
information elements in the association or connection event with EHT
capability IEs.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
When a station receives either a Beacon frame or a Probe Response frame
from an AP that contains an MBO element with the Association Disallowed
attribute, the station should prevent association to that AP. When using
passive scanning, it is possible for the scan results to contain the
latest information in the Beacon frame elements instead of the Probe
Response frame elements. That could result in using old information and
not noticing the AP having changed its state to disallowing new
associations.
Make it more likely to follow the AP's change to disallow associations
by checking the Beacon frame elements instead of Probe Response frame
elements if the scan results are known to contain newer information for
the Beacon frame.
Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
On the 6 GHz band the following is not allowed (see IEEE Std
802.11ax-2021, 12.12.2), so do not allow association with an AP using
these configurations:
- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E
In addition, do not allow association if the AP does not advertise a
matching RSNE or does not declare that it is MFP capable.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
STA needs to check AP's information after receive reassociation
response. STA uses connected AP's Beacon/Probe Response frame to compare
with Reassociation Response frame of the target AP currently. However,
if one AP supports OCV and the other AP doesn't support OCV, STA will
fail to verify RSN capability, then disconnect. Update current_bss to
the target AP before check, so that STA can compare correct AP's RSN
information in Reassociation Response frame.
Signed-off-by: Xin Deng <quic_deng@quicinc.com>
Instead of depending on the TX-wait-response-time to be sufficient to
cover the full GAS exchange, start an ongoing listen operation on the
negotiation channel (if no such listen operation is already in place) to
allow the configuration exchange to take longer amount of time. This is
needed for cases where the conf=query is used to request Configurator
parameters from upper layers and that upper layer processing (e.g., user
interaction) takes significant amount of time.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This reverts commit 3204795d7a.
The commit adds an additional check that checks for overlapping BSSs in
addition to the existing 40 MHz intolerance subfield checks. The commit
cites IEEE Std 802.11-2016, 11.16.12, which defines the proper behavior
for a 20/40 MHz HT STA and AP, but the standard actually doesn't say
anything about overlapping BSSs. Specifically, the standard states that
the only BSSs that belong in the Intolerant channel report are those
that satisfy trigger event A, defined as channels with BSSs that don't
contain the HT capabilities element (which wpa_supplicant already did
before). Note that we also include channels with BSSs that have the 40
MHz intolerance bit set in the Intolerant channel report.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
After roaming to a new AP using driver-based SME and roaming trigger,
update proto type, AKMP suite, and pairwise cipher suite based on the
(Re)Association Request frame. Update PMF, group cipher, and group mgmt
cipher based on the AP's RSNE into wpa_sm. group_mgmt_cipher needs to be
updated based on PMF capabilities of STA and roamed AP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
After roaming to a new AP using driver-based SME and roaming trigger,
AKMP and proto were not updated in wpa_sm. Hence, update AKMP and proto
used with roamed AP when association event received from the driver in
SME offloaded to the driver scenario to avoid incorrect AKMP details in
wpa_supplicant similarly to how the cipher suite updates were added in
commit 2b3e64a0fb ("Update ciphers to address GTK renewal failures
while roaming") .
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit b0f457b619 ("SAE: Do not expire the current PMKSA cache entry")
depends on sm->cur_pmksa to determine if it is the current PMKSA cache
entry, but sm->cur_pmksa was not always correct for SAE in the current
implementation.
Set sm->cur_pmksa in wpa_sm_set_pmk() (which is used with SAE), and skip
clearing of sm->cur_pmksa for SAE in wpa_find_assoc_pmkid(). This latter
case was added by commit c2080e8657 ("Clear current PMKSA cache
selection on association/roam") for driver-based roaming indication and
Suite B, so skipping it for SAE should be fine.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update PMKSA cache when interface is disabled and then enabled based on
the new MAC address. If the new MAC address is same as the previous MAC
address, the PMKSA cache entries are valid and hence update the PMKSA
cache entries to the driver. If the new MAC address is not same as the
previous MAC address, the PMKSA cache entries will not be valid anymore
and hence delete the PMKSA cache entries.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
After roaming from WPA2-AP (group=CCMP) to WPA-AP (group=TKIP) using
driver-based SME and roaming trigger, GTK renewal failures are observed
for the currently associated WPA-AP because of group cipher mismatch,
resulting in deauthentication with the AP.
Update the group cipher and pairwise cipher values in wpa_sm from
association event received from the driver in case of SME offload to the
driver to address GTK renewal failures (and similar issues) that could
happen when the driver/firmware roams between APs with different
security profiles.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support to parse WFA Capabilities element from the (Re)Association
Response frame. Also register a timeout for the station to wait before
sending a new DSCP query if requested by AP.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add support to parse received DSCP Policy Request frames and send the
request details as control interface events.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add support to receive and process SCS Response frames from the AP and
indicate the status to upper layers.
Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
wpa_supplicant generates both a PMKSA cache entry and ERP keys upon
successful FILS connection and uses FILS authentication algorithm for
subsequent connections when either ERP keys or a PMKSA cache entry is
available.
In some cases, like AP/RADIUS server restart, both ERP keys and PMKSA
becomes invalid. But currently when an AP rejects an association,
wpa_supplicant marks only ERP keys as failed but not clearing PMKSA.
Since PMKSA is not cleared, consecutive connection attempts are still
happening with FILS authentication algorithm and connection attempts are
failing with the same association rejection again instead of trying to
recover from the state mismatch by deriving a new ERP key hierarchy.
Clear PMKSA entries as well on association rejection from an AP to allow
the following connection attempt to go with open authentication to
re-establish a valid ERP key hierarchy. Also, since clearing PMKSA
entries on unprotected (Re)Association Response frames could allow DoS
attack (reduce usability of PMKSA caching), clear PMKSA entries only
when ERP keys exists.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add checks for features supported by the specific hardware mode of the
local device that has the channel for which the throughput is being
estimated instead of assuming the local device supports all optional
features. This is more accurate for cases where the local capabilities
might differ based on the band. In addition, this is in preparation for
extending rate estimates to cover optional VHT and HE features.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Simplify the implementation by using shared functions for parsing the
capabilities instead of using various similar but not exactly identical
checks throughout the implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 3ab35a6603 ("Extend EAPOL frames processing workaround for
roaming cases") added a work around to address the issue of EAPOL frame
reception after reassociation replied to with an incorrect destination
address (the BSSID of the old AP). This is due to association events and
EAPOL RX events being reordered for the roaming cases with drivers that
perform BSS selection internally.
This mechanism relies on the fact that the driver always forwards the
EAPOL handshake to wpa_supplicant after the roaming (sets
last_eapol_matches_bssid during the EAPOL processing and resets on the
assoc/reassoc indication).
The above approach does not address the case where the driver does the
EAPOL handshake on the roam, indicating the authorized status to
wpa_supplicant but also forwards the EAPOL handshake to wpa_supplicant
for few other roam attempts. This is because the flag
last_eapol_matches_bssid is not set with the roam+authorized event from
the driver. Thus, the next reorder of roam and EAPOL RX events would
miss this workaround.
Address this by setting last_eapol_matches_bssid=1 on a roam+authorized
event from the driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Rename the network profile parameters bssid_blacklist and
bssid_whitelist to bssid_ignore and bssid_accept to use more specific
names for the configuration of which BSSs are ignored/accepted during
BSS selection. The old parameter names are maintained as aliases for the
new names to avoid breaking compatibility with previously used
configurations.
Signed-off-by: Jouni Malinen <j@w1.fi>
For Android the default value of 5 seconds is usually too short for
scan results from last scan initiated from settings app to be
considered for fast-associate. Make the fast-associate timer value
configurable so that a suitable value can be set based on a systems
regular scan interval.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
wpa_supplicant does not send a D-Bus notification of the BSS frequency
change when a CSA happens. Sending a PropertyChanged signal with the
updated frequency will notify the network manager quickly, instead of
waiting for the next scan results.
Signed-off-by: Arowa Suliman <arowa@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Currently, the external_scan_running flag is not reset when an interface
is removed. Thus, if a connection attempt is made on another iface, it
will fail due to wpa_supplicant incorrectly assuming the radio is still
busy due to the ongoing scan.
To fix this, convert external_scan_running to a pointer to the interface
that started the scan. If this interface is removed, also reset the
pointer to NULL so that other operations may continue on this radio.
Test:
1. Start scan on wlan0
2. Remove wlan0
3. Can connect to a network on wlan1
Signed-off-by: David Su <dysu@google.com>
Add PASN implementation to wpa_supplicant
1. Add functions to initialize and clear PASN data.
2. Add functions to construct PASN Authentication frames.
3. Add function to process PASN Authentication frame.
4. Add function to handle PASN frame TX status.
5. Implement the station side flow processing for PASN.
The implementation is missing support for wrapped data and PMKSA
establishment for base AKMs, and only supports PASN authentication or
base AKM with PMKSA caching.
The missing parts will be added in later patches.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
PASN requires to store the PTK derived during PASN authentication
so it can later be used for secure LTF etc. This is also true
for a PTK derived during regular connection.
Add an instance of a PTKSA cache for each wpa_supplicant
interface when PASN is enabled in build configuration.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add a handler to notify failures to fetch the scan results and provide
an option to override default behavior of requesting a new scan in one
second in such an error condition. Use this new handler mechanism to
continue the p2p_find operation (by invoking p2p_scan_res_handled) for
an interim scenario where the p2p_scan attempt fails to get the scan
results from the driver which can happen, e.g., if there are parallel
updates to the cfg80211 scan results.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If there is a disconnect command from wpa_supplicant immediately after
the driver sends a connection event to userspace but before that event
is received and processed by wpa_supplicant, wpa_supplicant processes
the disconnect command and a self-generated disconnected event first
followed by the connected event received from the driver. As a result
wpa_supplicant moves to the WPA_COMPLETED state. Whereas the driver
processes the disconnect command received from wpa_supplicant after it
sends the connected event and moves to the disconnected state. Due to
this race between the disconnect command from wpa_supplicant and the
connected event from the driver, wpa_supplicant is moving to the
connected state though the driver is moving to the disconnected state
which results in abnormal functionality.
Ignore the connection event coming from the driver when wpa_supplicant
is not trying to connect after a disconnect command is issued but before
the next connect command is issued to fix the above mentioned race
condition.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it easier to change the internal struct wpa_bss design for
storing the variable length IE buffers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support to report a vendor specific connect fail reason code fetched
from the driver to users by adding the reason code to the event
CTRL-EVENT-ASSOC-REJECT. Fetch the connect fail reason code when the
driver sends a failure connection result and append the reason code, if
available, to assoc reject event.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_supplicant keeps a blacklist of BSSs in order to prevent repeated
associations to problematic APs*. Currently, this blacklist is
completely cleared whenever we successfully connect to any AP. This
causes problematic behavior when in the presence of both a bad AP and
a good AP. The device can repeatedly attempt to roam to the bad AP
because it is clearing the blacklist every time it connects to the good
AP. This results in the connection constantly ping-ponging between the
APs, leaving the user stuck without connection.
Instead of clearing the blacklist, implement timeout functionality which
allows association attempts to blacklisted APs after some time has
passed. Each time a BSS would be added to the blacklist, increase the
duration of this timeout exponentially, up to a cap of 1800 seconds.
This means that the device will no longer be able to immediately attempt
to roam back to a bad AP whenever it successfully connects to any other
AP.
Other details:
The algorithm for building up the blacklist count and timeout duration
on a given AP has been designed to be minimally obtrusive. Starting with
a fresh blacklist, the device may attempt to connect to a problematic AP
no more than 6 times in any ~45 minute period. Once an AP has reached a
blacklist count >= 6, the device may attempt to connect to it no more
than once every 30 minutes. The goal of these limits is to find an
ideal balance between minimizing connection attempts to bad APs while
still trying them out occasionally to see if the problems have stopped.
The only exception to the above limits is that the blacklist is still
completely cleared whenever there are no APs available in a scan. This
means that if all nearby APs have been blacklisted, all APs will be
completely exonerated regardless of their blacklist counts or how close
their blacklist entries are to expiring. When all nearby APs have been
blacklisted we know that every nearby AP is in some way problematic.
Once we know that every AP is causing problems, it doesn't really make
sense to sort them beyond that because the blacklist count and timeout
duration don't necessarily reflect the degree to which an AP is
problematic (i.e. they can be manipulated by external factors such as
the user physically moving around). Instead, its best to restart the
blacklist and let the normal roaming algorithm take over to maximize
our chance of getting the best possible connection quality.
As stated above, the time-based blacklisting algorithm is designed to
be minimally obtrusive to user experience, so occasionally restarting
the process is not too impactful on the user.
*problematic AP: rejects new clients, frequently de-auths clients, very
poor connection quality, etc.
Signed-off-by: Kevin Lund <kglund@google.com>
Signed-off-by: Brian Norris <briannorris@chromium.org>
If there is no matching interface given, but interface matching is
enabled, all interfaces on the system will try to be initialized. Non
wireless interfaces will fail and the loopback device will be one of
these, so just log a diagnostic rather than an error.
Signed-off-by: Roy Marples <roy@marples.name>
Previously this fallback from PFS enabled to disabled (and back to
enabled) was used only if the local network profile used key_mgmt=DPP,
i.e., did not enable another other AKM. That leaves out some valid cases
since the local network profile could actually enable both DPP and SAE.
Extend this check to accept cases DPP AKM is enabled and it was selected
for the connection even if there other enabled AKMs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support to parse the (Re)Association Response frames to check if the
AP has accepted/declined the MSCS request in response to the
corresponding (Re)Association Request frame. AP indicates the result by
setting it in the optional MSCS Status subelement of MSCS Descriptor
element in (Re)Association Response frame.
This MSCS Status subelement is defined in the process of being added
into P802.11-REVmd/D4.0 (11-20-0516-17-000m-cr-mscs-and-cid4158).
Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
Add support to receive and process MSCS Response frames from the AP and
indicate the status to upper layers.
Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
Do not process channel switch event in wpa_supplicant's SME when SME is
offloaded to the driver/firmware to avoid SA Query initiation from both
wpa_supplicant and the driver/firmware for the OCV case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SAE-PK password can be set using psk parameter also in case of mixed
SAE+PSK networks, so look for acceptable SAE-PK BSS when SAE password
not set and psk parameter meets SAE-PK password criteria.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add events for within-ESS reassociation. This allows us to monitor roam
events, both skipped and allowed, in tests.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Pull all the within-ESS roam code out of wpa_supplicant_need_to_roam()
and into its own function, wpa_supplicant_need_to_roam_within_ess().
This way, we avoid interleaving several #ifndef's in the original
function and wrap the new function in one big #ifndef. This also
modularizes the within-ESS roam code and makes it easier to test.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
It was possible to find a BSS to local network profile match for a BSS
entry that has no known SSID when going through some of the SSID
wildcard cases. At leas the OWE transition mode case without BSSID match
could result in hitting this. Zero-length SSID (i.e., wildcard SSID) is
not valid in (Re)Association Request frame, so such an association will
fail. Skip such a BSS to avoid known-to-be-failing association attempts.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If there is an acceptable BSS with SAE-PK enabled in the same ESS,
select that over a BSS that does not enable SAE-PK when the network
profile uses automatic SAE-PK selection.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Move the BSS-against-SSID matching into a separate helper function to
make this overly long function a bit more readable and to allow that
helper function to be used for other purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This replaces the previously used sae_pk_only configuration parameter
with a more generic sae_pk that can be used to specify how SAE-PK is
negotiated. The default behavior (sae_pk=0) is to automatically
negotiate SAE-PK whenever the AP supports it and the password is in
appropriate format. sae_pk=1 allows only SAE-PK to be used and sae_pk=2
disables SAE-PK completely.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new wpa_supplicant network profile parameter sae_pk_only=1 can now
be used to disable use of SAE authentication without SAE-PK.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It was possible for the RSN state machine to maintain old PMKSA cache
selection (sm->cur_pmksa) when roaming to another BSS based on
driver-based roaming indication. This could result in mismatching state
and unexpected behavior, e.g., with not generating a Suite B PMKSA cache
entry.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This may be needed to optimize use of offchannel TX operations with
wait-for-response when near the end of a pending remain-on-channel
operation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"SET dpp_version_override <ver>" can now be used to request
wpa_supplicant and hostapd to support a subset of DPP versions. In
practice, the only valid case for now is to fall back from DPP version 2
support to version 1 in builds that include CONFIG_DPP2=y.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define a driver interface event for Beacon frame protection failures.
Report such events over the control interface and send a
WNM-Notification Request frame to the AP as well.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new wpa_supplicant network profile parameter dpp_pfs can be used to
specify how PFS is applied to associations. The default behavior
(dpp_pfs=0) remains same as it was previously, i.e., try to use PFS if
the AP supports it. PFS use can now be required (dpp_pfs=1) or disabled
(dpp_pfs=2).
This is also working around an interoperability issue of DPP R2 STA with
certain hostapd builds that included both OWE and DPP functionality.
That issue was introduced by commit 09368515d1 ("OWE: Process
Diffie-Hellman Parameter element in AP mode") and removed by commit
16a4e931f0 ("OWE: Allow Diffie-Hellman Parameter element to be
included with DPP"). hostapd builds between those two commits would
reject DPP association attempt with PFS. The new wpa_supplicant default
(dpp_pfs=0) behavior is to automatically try to connect again with PFS
disabled if that happens.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
While int and unsigned int are not going overflow in practice as 32-bit
values, these could at least in theory hit an integer overflow with
16-bit int. Use size_t to avoid such potential issue cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to avoid leaving external components (through control
interface or D-Bus) timing out while waiting for the scan completion
events. This was already taken care of for the scan-only case
("TYPE=only"), but the scan-and-allow-roaming case did not report the
scan completion event when operating in AP mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new wpa_supplicant control interface parameter rsne_override_eapol
can be used similarly to the earlier rsnxe_override_eapol to override
the RSNE value added into EAPOL-Key msg 2/4.
Signed-off-by: Jouni Malinen <j@w1.fi>
Split multi_ap_process_assoc_resp() to set 4-address mode after network
selection. Previously, wpa_s->current_ssid might have been NULL in some
cases and that would have resulted in 4-address mode not getting enabled
properly.
Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
It is possible for the hidden OWE BSS to be found based on SSID-specific
scan (e.g., from the special OWE scan mechanism). In that sequence, the
previously used learning of OWE BSS was skipped since the SSID was
already present in the BSS entry. This could result in not being able to
find a matching BSS entry for the OWE BSS in transition mode.
Fix this by adding the BSS flag for transition mode based on SSID
matching against currently enabled OWE network profiles in addition to
the previous mechanism.
Signed-off-by: Jouni Malinen <j@w1.fi>
The "unexpected" change of SSID between the current network profile
(which uses the SSID from the open BSS in OWE transition mode) and the
association with the OWE BSS (which uses a random, hidden SSID) resulted
in wpa_supplicant incorrectly determining that this was a
driver-initiated BSS selection ("Driver-initiated BSS selection changed
the SSID to <the random SSID from OWE BSS>" in debug log).
This ended up with updating security parameters based on the network
profile inwpa_supplicant_set_suites() instead of using the already
discovered information from scan results. In particular, this cleared
the RSN supplicant state machine information of AP RSNE and resulted in
having to fetch the scan results for the current BSS when processing
EAPOL-Key msg 3/4.
Fix this by recognizing the special case for OWE transition mode where
the SSID for the associated AP does not actually match the SSID in the
network profile.
Signed-off-by: Jouni Malinen <j@w1.fi>
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
connection_vht flag was set to true when both Association Request and
Response frame IEs have VHT capability. Thus all devices that have
support for the vendor specific partial VHT support in the 2.4 GHz band
were also being reported as VHT capable. However, IEEE Std 802.11ac-2013
defines VHT STA to operate in frequency bands below 6 GHz excluding the
2.4 GHz band.
Do not set connection_vht when the operating band is 2.4 GHz. This
avoids reporting wifi_generation 5 on the 2.4 GHz band and reserves the
generation value 5 for full VHT as defined in the IEEE 802.11 standard.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This BSS membership selector has impact only for SAE functionality, so
ignore it when configured not to use SAE. This allows WPA-PSK connection
to and AP that advertises WPA-PSK and SAE while requiring H2E for SAE.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If a channel list changed event is received after a scan and before
selecting a BSS for connection, a BSS found on a now disabled channel
may get selected for connection. The connect request issued with the BSS
found on a disabled channel is rejected by cfg80211. Filter out the BSSs
found on disabled channels and select from the other BSSs found on
enabled channels to avoid unnecessary connection attempts that are bound
to fail.
The channel list information will be updated by the driver in cases like
country code update, disabling/enabling specific bands, etc. which can
occur between the scan and connection attempt.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Fix a rebasing issue in the signal difference calculation. The older
patch was not updated to use the new cur_level local variable to get the
possibly updated signal level for the current BSS.
Fixes: a2c1bebd43 ("Improve roaming logic")
Signed-off-by: Jouni Malinen <j@w1.fi>
This is targeting the case of MAC address change for an association
which may require the interface to be set down for a short moment.
Previously, this ended up flushing the BSS table that wpa_supplicant
maintained and that resulted in having to scan again if the MAC address
was changed between the previous scan and the connection attempt. This
is unnecessary extra latency, so maintain the BSS entries for 5 seconds
(i.e., the same time that the old scan results are consider valid for a
new connection attempt) after an interface goes down.
Signed-off-by: Jouni Malinen <j@w1.fi>
Currently, wpa_supplicant may roam too aggressively; the need_to_roam()
function will return early with a roaming decision if the difference in
signal level or throughput between the current and selected APs is
"sufficiently large." In particular, if the selected AP's estimated
throughput is more than 5k greater than the current AP's estimated
throughput, wpa_supplicant will decide to roam. Otherwise, if the
selected AP's signal level is less than the current AP's signal level,
or the selected AP's estimated throughput is at least 5k less than the
current AP's estimated throughput, wpa_supplicant will skip the roam.
These decisions are based only on one factor and can lead to poor
roaming choices (e.g., a roam should not happen if the selected AP's
estimated throughput meets the threshold but the current signal and
throughput are already good, whereas a roam should happen if the signal
is slightly worse but the estimated throughput is significantly better).
This change standardizes the roaming heuristic for signal strength
difference requirements and will hopefully improve user experience. The
change can be summarized as follows: based on the current signal level,
a certain roaming difficulty is assigned. Based on the selected AP's
estimated throughput relative to the current AP's estimated throughput,
the difficulty is adjusted up or down. If the difference in signal level
meets the threshold, a roam happens.
The hard-coded values were selected purely based on the previous version
of this function. They may eventually need to be fine-tuned for optimal
performance.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Do not prevent roam to a different BSS based only on the signal level
with the current BSS being higher than with the selected BSS. If the
estimated throughput is significantly higher (> 20%), allow roaming if
the following conditions are met.
Signed-off-by: Jouni Malinen <j@w1.fi>