Commit graph

5504 commits

Author SHA1 Message Date
Jouni Malinen
8219d2b7dd PASN: Fix CONFIG_PASN=y build without CONFIG_IEEE80211R=y
Do not try to use variables that are not defined without
CONFIG_IEEE80211R=y and add the forgotten "inline" for the function
wrapper.

Fixes: 5c65ad6c0b ("PASN: Support PASN with FT key derivation")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-04 20:41:54 +03:00
Sunil Ravi
c5b950b6af Fix compilation error due to use of bitwise '&' with boolean operands
Compiler throws a warning for using bitwise operation in
wpa_s_setup_sae_pt() function instead of logical AND operation on two
boolean values.

Fixes: e81ec0962d ("SAE: Use H2E unconditionally with the new AKM suites")
Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-09-23 00:37:30 +03:00
Sunil
7bdd3f2aa6 P2P: Allow P2P CSA from 5 GHz to 2.4 GHz band
IEEE Std 802.11-2020, 11.8.8 (Selecting and advertising a new channel)
doesn't restrict switching to a channel which is not in the same band as
the current band. But at the same time, there are some issues in
switching between the 2.4/5 GHz bands and the 6 GHz band. So limit the
check to consider the critical use case of switching from a 5 GHz channel
to a 2.4 GHz channel.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-09-23 00:29:24 +03:00
Sunil
768537921e P2P: Set operating class along with operating channel width
While setting up the P2P GO interface, wpa_supplicant sets the operating
channel width to CHANWIDTH_USE_HT in cases where it fails to set 80 MHz
bandwidth. In the same flow, update the operating class, too, according
to the channel width. This is to avoid setting up the operational
channel width back to 80 MHz from hostapd interface setup.

Signed-off-by: Sunil <sunilravi@google.com>
2022-09-23 00:04:30 +03:00
Sunil Ravi
ee7eec5185 P2P: Fix the issue in setting optimized listen channel
wpas_p2p_optimize_listen_channel() checks for the state and current ssid
of the interface calling this function. This check prevents the function
from setting the optimized listen channel. Since the listen channel is
stored in global P2P configuration data, do not check the state and
current interface of the caller.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-09-22 18:35:53 +03:00
Clemens Famulla-Conrad
3a7fe1e213 dbus: Omit FT key mgmt capabilities without CONFIG_IEEE80211R
If wpa_supplicant was build without CONFIG_IEEE80211R, the
exposed key-management capabilities should not include one of the
FT protocols. If someone would use a FT protocol in such situation,
it would fail anyway.

Signed-off-by: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
2022-09-16 22:15:56 +03:00
Clemens Famulla-Conrad
d2caf6ef54 dbus: Fix property DebugShowKeys and DebugTimestamp
It is possible to specify -t or -K multiple times. With this the
value isn't boolean anymore and we hit a assert in libdbus
function `dbus_message_iter_append_basic()`, which expect 0 or 1
for DBUS_TYPE_BOOLEAN.

Signed-off-by: Clemens Famulla-Conrad <cfamullaconrad@suse.de>
2022-09-16 22:15:56 +03:00
Robert Hernandez
1f795df7aa wpa_supplicant man page missing -I flag
wpa_supplicant: Missing manpage -I entry

Signed-off-by: Robert James Hernandez <rob@sarcasticadmin.com>
2022-09-16 20:55:45 +03:00
Veerendranath Jakkam
1b6f3b5850 MLD STA: Indicate per link channel switch
Parse link id info from channel switch events and indicate the info to
control interface using new per link channel switch events. If channel
switch happens on the link which used during association both legacy
and new per-link channel switch events will be reported.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-09-15 16:00:51 +03:00
Veerendranath Jakkam
b7f98d92dc MLD STA: Add per-link MLO signal poll
Add support to fetch and indicate per-link MLO signal poll information
via a new control interface command MLO_SIGNAL_POLL.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-09-15 16:00:51 +03:00
Shivani Baranwal
28b2256da2 MLD STA: Add MLO_STATUS control interface command
Add support for MLO_STATUS control interface command to indicate
per-link information.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2022-09-15 16:00:51 +03:00
Aleti Nageshwar Reddy
6ca98040a2 MLD STA: Indicate AP MLD address in STATUS command
Append AP MLD address info into the STATUS control interface command.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2022-09-15 16:00:51 +03:00
Aleti Nageshwar Reddy
22ba81cfed MLD STA: Indicate AP MLD address in CTRL-EVENT-CONNECTED
Append the AP MLD address to CTRL-EVENT-CONNECTED when the current
connection uses MLO.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2022-09-15 16:00:51 +03:00
Aleti Nageshwar Reddy
db99e7341a Add AP MLD address into BSS command output
Indicate AP MLD address in the response to the BSS control interface
command.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2022-09-15 16:00:51 +03:00
Veerendranath Jakkam
4bd3165249 bss: Parse and store MLD address of the AP from Multi-Link element
Parse Multi-Link element received in scan result to get AP MLD address
and cache it in the wpa_bss structure.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-09-15 16:00:51 +03:00
Shivani Baranwal
9a8bd7be0f scan: Helper function to get ML IE of specified type from scan result IEs
Add a helper function to get Multi-Link element of a specified type from
scan result Probe Response frame or Beacon frame elements.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2022-09-15 06:08:20 +03:00
Shivani Baranwal
7784964cbe MLD STA: Fetch MLO connection info into core wpa_supplicant
Add support to fetch MLO connection info from the driver to the
wpa_supplicant instance of corresponding MLD STA interface. In addition,
return true for BSSs associated with MLO links from wpa_bss_in_use() to
avoid getting them cleared from scan results.

Co-authored-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2022-09-15 05:55:40 +03:00
Qiwei Cai
62612dfc1a P2P: Use only PSC for P2P group in the 6 GHz band
P2P connections in the 6 GHz band should be limited to preferred
scanning channels since AP/GO discovery cannot depend on 2.4/5 GHz
discovery.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-14 23:54:20 +03:00
Veerendranath Jakkam
d1a7626ff9 SAE: Use correct SSID profile for SAE auth retries during external auth
Previously, wpa_supplicant was using the current SSID for building the
SAE authentication commit frame for retries during external
authentication. But the external authentication SSID can be different
from the current SSID. Fix this by using the correct SSID profile.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-09-13 05:53:05 +03:00
Jouni Malinen
096feac194 SAE: Include the new -EXT-KEY AKMs in external auth case
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-13 05:12:03 +03:00
Veerendranath Jakkam
76793cbbca SAE: Make sure H2E PT is derived for external auth SSID profile
The driver's SME may choose a BSS of a different ESS (SSID) compared to
the current SSID and trigger external authentication. If the chosen SSID
is not associated/selected before by wpa_supplicant it won't have the
H2E PT derived. Make sure to derive PT for SSID indicated in the
external authentication request.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-09-13 05:10:17 +03:00
Hu Wang
ed442e8dc7 Add p2p_optimize_listen_chan=1 to default Android template
Commit e3bd6e9dc0 ("P2P: Use another interface operating channel as
listen channel") allows P2P listen channel to be selected based on
another interface operating channel if it is one of social channels
(i.e., 2.4 GHz 1, 6, 11).

This optimization is disabled by default due to the technical
specification expectations, but since this can be quite helpful for
optimized behavior, enable it by adding p2p_optimize_listen_chan=1 to
the default Android configuration template.
2022-09-13 04:08:17 +03:00
Vinay Gannevaram
85e28a79ba PASN: Set secure ranging context to driver after association
After the secure association and PTK derivation are completed, if the
device supports LTF keyseed, generate the LTF keyseed using KDK and set
the ranging context to the driver by using the command
QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 17:07:56 +03:00
Vinay Gannevaram
edd89d6dbb PASN: Set keys from PTKSA cache for a valid PTKSA entry
Set secure ranging context to the driver for a valid PTKSA entry in the
PTKSA cache, if available. When the driver requests for PASN keys,
wpa_supplicant configures the keys from its cache if the keys for the
peer derived with the same own MAC address are available in the cache
instead of doing the full PASN handshake again.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 16:18:14 +03:00
Vinay Gannevaram
24929543ba PASN: Deauthenticate on PTKSA cache entry expiration
Add an option for an alternative processing of PTKSA life time expiry.

Register a callback in wpa_supplicant to handle the life time expiry of
the keys in PTKSA cache. Send PASN deauthentication when a PTKSA cache
entry expires.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 16:18:14 +03:00
Vinay Gannevaram
74d894a2ea PASN: Offload handshake for multiple peers from the driver
This brings in the functionality to hold multiple peers and perform PASN
authentication with each peer at a time and send the PASN response to
the driver. PASN parameters such as AKMP and cipher suite are obtained
from the BSS information of the cached scan results. Also add
functionality to trigger deauthentication to the peer for which PASN
request with action PASN_ACTION_DELETE_SECURE_RANGING_CONTEXT is
received.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 16:18:12 +03:00
Vinay Gannevaram
06317f5e32 PASN: Add driver operation to set secure ranging context and PASN response
This is used to set secure ranging context and send PASN response to the
driver.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 15:27:54 +03:00
Vinay Gannevaram
9391f71004 Add own MAC address in PASN supplicant start and deauthentication
The driver requests PASN authentication for a peer with a specified
source (own) MAC address. Use the specified own MAC address for PASN
operations. This is needed to allow random MAC addresses to be used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 19:01:21 +03:00
Vinay Gannevaram
580bd04cf3 Add own MAC address used for key derivation to PTKSA cache
On successful PASN handshake or 4-way handshake with a peer, PTK is
derived using the local and peer MAC addresses as input. Store the own
MAC address that is used for key derivation in PTKSA cache to maintain
that state over potential MAC addresses changes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 19:01:21 +03:00
Vinay Gannevaram
d0d585c481 Store secure ranging driver capabilities in WPA state machine
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 18:59:58 +03:00
Vinay Gannevaram
96a604128b Use separate PASN capabilities for AP and STA modes
Use separate capabilities for AP and STA modes for P802.11az security
parameters secure LTF support, secure RTT measurement exchange support,
and protection of range negotiation and measurement management frames
support.

P802.11az security parameters are considered to be supported for both
station and AP modes if the driver sets NL80211_EXT_FEATURE_SECURE_LTF,
NL80211_EXT_FEATURE_SECURE_RTT, and
NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE flags. The driver can
advertize capabilities specific to each mode using
QCA_WLAN_VENDOR_FEATURE_SECURE_LTF*,
QCA_WLAN_VENDOR_FEATURE_SECURE_RTT*, and
QCA_WLAN_VENDOR_FEATURE_PROT_RANGE_NEGO_AND_MEASURE* flags.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 18:59:52 +03:00
Vinayak Yadawad
909fa448e0 EAPOL: Update PMK length in EAPOL callback to support longer keys
With introduction of newer AKMs, there is a need to update the PMK
length plumbed for the driver based 4-way handshake. To support this,
the current update the PMK length to 48, if the key management type uses
SHA-384. This is needed, e.g., for SUITE-B-192.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2022-08-31 17:23:45 +03:00
Jouni Malinen
723eb4f389 P2P: Fix a typo in a comment about removing 6 GHz channels
This was supposed to be talking about excluding 6 GHz channels, not 5
GHz.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-31 17:14:58 +03:00
Hector Jiang
e9627f8c32 P2P: Skip 6 GHz band directly if 6 GHz P2P is disabled
If 6 GHz is supported by the device but 6 GHz P2P is disabled, P2P
invitation would fail if the GO select an operating channel which is not
the preferred channel. The root cause is that the 5 GHz and 6 GHz bands
are both HOSTAPD_MODE_IEEE80211A so the 5 GHz channels would be added
twice for the P2P Client's following scanning frequency list. This will
cause scanning to fail with -EINVAL. Fix this by adding the 5 GHz
channels only once.

Signed-off-by: Hector Jiang <jianghaitao@zeku.com>
2022-08-31 17:12:58 +03:00
Seongsu Choi
03f7f633a2 Fix wrong AKM priority for FILS
According to the OCE specification, the STA shall select the AKM in
priority order from the list below.

1. FT Authentication over FILS (SHA-384) 00-0F-AC:17
2. FILS (SHA-384) 00-0F-AC:15
3. FT Authentication over FILS (SHA-256) 00-0F-AC:16
4. FILS (SHA-256) 00-0F-AC:14
5. FT Authentication using IEEE Std 802.1X (SHA-256) 00-0F-AC:3
6. Authentication using IEEE Std 802.1X (SHA-256) 00-0F-AC:5
7. Authentication using IEEE Std 802.1X 00-0F-AC:1

Move the FT-FILS-SHA256 check to be after the FILS-SHA384 one to match
this.

Signed-off-by: Seongsu Choi <seongsu.choi@samsung.com>
2022-08-31 17:02:03 +03:00
Veerendranath Jakkam
5de45546d5 Add support to send multi AKM connect request when driver's SME in use
Add support to configure SAE, PSK, and PSK-SHA256 AKMs in connect
request when driver's SME in use. This is needed for implementing
WPA3-Personal transition mode correctly with any driver that handles
roaming internally.

Send additional AKMs configured in network block to driver based on
the maximum number of AKMs allowed by driver in connect request. Keep
first AKM in the list AKMs in the connect request as AKM selected by
wpa_supplicant to maintain backwards compatibility.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-08-26 17:54:12 +03:00
Veerendranath Jakkam
0ce1545dcb nl80211: Determine maximum number of supported AKMs
Use the recently added attribute to determine whether the kernel
supports a larger number of AKM suites in various commands.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-08-26 17:27:45 +03:00
Veerendranath Jakkam
48c620829c Update PSK after cross AKM roaming to WPA-PSK when driver's SME in use
4-way handshake was failing after the driver roam from SAE to WPA-PSK
due to wpa_sm having an old PMK which was generated during previous SAE
connection.

To fix this update PSK to wpa_sm when AKM changes from SAE to WPA-PSK
for the target AP to have a correct PMK for 4-way handshake. Also,
update PSK to the driver when key management offload is enabled.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-08-26 17:27:45 +03:00
Jouni Malinen
4ae14deeef DPP3: Use chirping channel list in PB discovery
This design was changed in the draft specification, so update
implementation to match the new design. Instead of including all
supported 2.4 and 5 GHz channels, generate the channel list using the
same mechanism that was already used for chirping.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-25 15:59:13 +03:00
Jouni Malinen
c58be1d8fd DPP: Channel list generation for presence announcement to helper funcion
This procedure will be used for PB discovery as well, so move the
frequency array generation into a helper function.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-25 12:19:58 +03:00
Jouni Malinen
57968faea5 DPP: Do not discard network introduction frames in test mode
dpp_discard_public_action=1 was not supposed to prevent network
introduction, i.e., it was only for frames that could go through the
DPP-over-TCP path. Fix this not to prevent network introduction when
using DPP-over-TCP to configure a DPP AKM profile.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-24 18:31:54 +03:00
Jouni Malinen
d72302c6b6 DPP: Do not use 6 GHz channels for push button
For now, do not include 6 GHz channels since finding a Configurator from
a large number of channels would take excessive amount of time.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-22 19:09:27 +03:00
Jouni Malinen
89de431f23 DPP: Add config response status value to DPP-CONF-SENT
This can be helpful for upper layers to be able to determine whether the
configuration was rejected.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-29 18:55:37 +03:00
Purushottam Kushwaha
ef4cd8e33c QoS: Use common classifier_mask for ipv4/ipv6
ipv4_params/ip6_params in type4_params maintains separate classifier
mask while type4_params already has a common classifier_mask. Lets
use the common classifier mask for both ipv4/ipv6 params and remove
the redundant params_mask in ipv4_params/ip6_params.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2022-07-28 12:31:37 +03:00
Jouni Malinen
4cfb484e90 DPP: Allow dpp_controller_start without arguments in CLIs
The DPP_CONTROLLER_START control interface command can be used without
any arguments, so do not force at least a single argument to be included
in wpa_cli and hostapd_cli.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-27 12:33:40 +03:00
Jouni Malinen
c97000933c Fix ifdef condition for imsi_privacy_cert
CRYPTO_RSA_OAEP_SHA256 is not sufficient here since ssid->eap does not
exist without IEEE8021X_EAPOL.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 11:12:11 +03:00
Jouni Malinen
e81ec0962d SAE: Use H2E unconditionally with the new AKM suites
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
f8eed2e8b8 SAE: Store PMK length and AKM in SAE data
These are needed to be able to support new AKM suites with variable
length PMK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
a32ef3cfb2 SAE: Driver capability flags for the new SAE AKM suites
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
91df8c9c65 SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00