Commit graph

333 commits

Author SHA1 Message Date
Jouni Malinen
5b4a78b1f9 Optimize internal BSS table updates based on a specific BSSID
When wpa_supplicant needed to update the internal BSS table with the
latest scan results from the driver, it fetched all BSSs and processed
them all. This is unnecessary for cases where an update is needed only
for a specific BSS. Optimize this by filtering out the unnecessary
entries from the results.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-20 12:00:46 +02:00
Manoj Sekar
420afbdbdf Multi-AP: Allow supported profile to be configured
Allow both hostapd and wpa_supplicant to be configured with the
supported Multi-AP profile. The configured value will be advertised in
the Multi-AP element.

Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
2024-03-19 18:57:35 +02:00
Manoj Sekar
61e46f860c Multi-AP: Move IE parameters into a struct for extensibility
This makes it easier to extend the information that is encoded in the
Multi-AP element.

Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
2024-03-19 16:40:13 +02:00
Benjamin Berg
45fffac0fe BSS: Switch struct wpa_bss to use valid_links bitmask
This aligns both the wpa_supplicant and bss structures to use the same
pattern of a valid_links bitmask plus per-link entries.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 12:24:15 +02:00
Benjamin Berg
dbdf7ef679 Use for_each_link() in most cases
This was done using the below semantic patch. There are a few more
places that were missed due to variable declarations or additional
checks in the for loop.

@@
iterator name for_each_link;
identifier max_links =~ "MAX_NUM_MLD_LINKS|MAX_NUM_MLO_LINKS";
expression links;
expression further_tests;
identifier i;
statement stmt;
@@
-for (i = 0; i < max_links; i++)
+for_each_link(links, i)
 {
(
-  if (!(links & BIT(i)))
-    continue;
   ...
|
-  if (!(links & BIT(i)) || further_tests)
+  if (further_tests)
     continue;
   ...
|
-  if (further_tests || !(links & BIT(i)))
+  if (further_tests)
     continue;
   ...
|
-  if (links & BIT(i))
     stmt
|
-  if (further_tests && (links & BIT(i)))
+  if (further_tests)
     stmt
|
-  if ((links & BIT(i)) && further_tests)
+  if (further_tests)
     stmt
)
 }

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:11:12 +02:00
Jouni Malinen
8fa52a7974 FT: Allow wpa_supplicant to be configured to prepend PMKR1Name
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.

wpa_supplicant has replaced the PMKID List contents from (Re)Association
Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT.
Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name
without removing the PMKIDs from (Re)Association Request frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-03 20:58:01 +02:00
Jouni Malinen
ee9375fb3b tests: Association comeback mechanism in wpa_supplicant
Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 12:17:23 +02:00
Harry Bock
33179cd291 SME: Handle PMF association comeback when not handled in driver
In associations using PMF (IEEE 802.11w/MFP), the infrastructure
implements SA teardown protection by rejecting an (Re)Association
Request frame from an already-associated client.  The AP responds with
error 30 (Association request rejected temporarily) to instruct the
(potentially spoofing) client to back off, while it issues an SA Query
procedure to the already-associated client. If the client can respond to
it within the back-off period, it considers the new association to be a
spoof attempt.

However, there are cases where a legitimate client might need to
handle this error response - consider if the STA has deauthenticated,
but the AP cannot hear it (out of range).  If the MFP STA has deleted
its keys, it cannot respond to the SA Query procedure.

This association comeback process has commonly been implemented in the
driver, e.g., within mac80211 in case of the Linux drivers that use SME
in userspace. However, there are drivers that do not implement this
functionality. Extended wpa_supplicant to cover such cases as well.

The current implementation interprets this association error as a true
error, and will either add the BSS to the list of ignored BSSIDs, or
continue to try other BSSes. This can cause wpa_supplicant to back off
trying to reconnect for progressively longer intervals, depending on the
infrastructure's configured comeback timeout.

Allow wpa_supplicant to interpret the error, searching for the Timeout
Interval element in the (Re)Association Response frame and starting a
timer in the SME layer to re-associate after the timeout. This can be a
long delay (1-4 seconds in my experience), but it is likely much shorter
than bouncing between nearby BSSes.

This does not change behavior for drivers that implement association
comeback timer internally since they do not report the temporary
association rejection status code to user space.

Signed-off-by: Harry Bock <hbock@zebra.com>
2024-01-21 12:00:15 +02:00
Benjamin Berg
05c167eb0a MLD: Fail connection if ML Authentication frame could not be parsed
If the Authentication frame response did not contain the expected ML
element (or it was invalid), we cannot continue with the ML association.
As such, the only choice we have in this case is to abort the
association.

If we do continue, we would end up sending the Association Request frame
with our MLD MAC address.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-14 17:47:48 +02:00
Jouni Malinen
2d83d224ff Use ether_addr_equal() to compare whether two MAC addresses are equal
This was done with spatch using the following semantic patch and minor
manual edits to clean up coding style and avoid compiler warnings in
driver_wext.c:

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) == 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) != 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!os_memcmp(a, b, ETH_ALEN)
+	ether_addr_equal(a, b)

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 23:47:21 +02:00
Ilan Peer
5927455b8b MLD: Add support for disabled APs
An affiliated AP of an AP MLD can temporarily be disabled. Other
affiliated APs of the AP MLD indicate this in the Reduced Neighbor
Report (RNR) elements added to their Beacon and Probe Response frames.

When an affiliated AP is disabled, it should be included in the
association exchange, but can be activated only after it is enabled.

Add support identifying disabled APs and propagate the information
to the driver within the associate() callback.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 15:56:41 +02:00
Veerendranath Jakkam
88984bbb94 MLD STA: Update SAE PWE derivation in hunting-and-pecking loop case
Use AP MLD address instead of BSSID for PWE derivation during MLO
connection. This was already done for H2E in commit e869fdfeef
("wpa_supplicant: Use MLD address in SAE authentication"). While IEEE
P802.11be requires H2E to be used, there are deployed AP MLDs that do
not follow that requirement. This change to the hunting-and-pecking loop
case is needed for interoperability workarounds with such APs.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-12-21 13:06:57 +02:00
Chaitanya Tata
32b5f7f501 Add an option to remove Robust AV (SCS, MSCS, QoS Management)
For a memory constrained system, it may be more important to reduce
binary size than include support for these capabilities.

By default this is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:45 +02:00
Chaitanya Tata
6ed8eba00d Add an option to remove RRM and supported operating class indication
Removing radio measurements and supported operating class indication
might be needed to reduce binary size for a memory constrained system
that does not need more advanced features. However, removing these is
not recommended since they can help the AP manage the network and STA
steering.

By default this functionality is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:43 +02:00
Benjamin Berg
b9c81e2005 MLD: Use MLD MAC address for deauthentication
When connecting, pending_bssid is set to the main link that we are
authenticating/associating on. Later on, the MLD MAC address will be
stored in the bssid, but we may also try to deauthenticate before we are
connected and in that case, pending_bssid is not yet set to the MLD MAC
address.

As such, use the ap_mld_addr instead of pending_bssid if n_mld_links is
non-zero. This is the sensible thing to do and expected behavior on
nl80211.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 21:49:06 +02:00
Ilan Peer
b29ac99d52 scan: Include AP MLD ID in ML probe request if needed
According to IEEE P802.11be/D4.0, 35.3.4.2, the AP MLD ID must be
included in the Probe Request ML element in case it is sent to a
transmitted BSS in which case it should be set to 0. If it is sent to an
non-transmitted BSSID, the AP MLD ID should not be included.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 21:38:57 +02:00
Benjamin Berg
3cd377eb54 MLD: Ignore failed links from association attempt
If for some reason association fails and a link which has an error is
reported, add that specific link to the ignore list. After that,
immediately retrigger the connection code. In the usual case, we are
then going to reconnect to the same AP MLD but with that particular link
not being included in the connection.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-25 17:10:38 +02:00
Benjamin Berg
5af986c75a MLD: Also mark links as failed after association failure
Parse the link status values out of Multi-Link association response. If
the AP rejects ML association and marks the links as failed with a
reason code other than TX_LINK_NOT_ACCEPTED, also report these links to
wpas_connection_failed() and ignore them.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 16:44:01 +02:00
Andrei Otcheretianski
cb90aa3acf wpa_supplicant: Remove duplicate logic in wpas_ml_element()
Parsing multiple RNR elements already exists in
wpa_bss_parse_basic_ml_element(), so wpas_ml_element() just duplicates
the same code. Combine the functionality of both these functions and
remove the duplicate.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 12:03:52 +02:00
Andrei Otcheretianski
74b6884306 wpa_supplicant: Add config parameters for MLD testing
Add band preference, BSSID preference, and single link enforcement
testing options. This is needed for testing MLO.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 11:26:00 +02:00
Benjamin Berg
b3aafd5a87 common: Simplify and avoid confusing defragmentation API
Three functions were provided for defragmentation. First
ieee802_11_defrag(), ieee802_11_defrag_mle() and then
ieee802_11_defrag_data() which would do the actual job. With
ieee802_11_defrag() picking the member in the elements struct for an
EID. The problem with this is, that for the Multi-Link element, there
are multiple entries in the elems struct depending on its type. As such,
remove the intermediate function and simply pass the correct members
directly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 10:56:56 +02:00
Benjamin Berg
9ffebf758d SME: Drop old disassoc_while_authenticating workaround
This workaround from commit 6d6f4bb87f ("nl80211: Work around mac80211
limitation on (re)auth when authenticated") pre-dates the code that
supresses the deauth or disconnect event from nl80211. Should this code
be called it would not actually work at this point, as important
internal state for the authentication attempt has already been lost.

Simply drop the code. This might also fix issues where we could get
into a bad state if a proper deauth/disconnect event happens while we
are authenticating or associating.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-24 22:59:19 +02:00
Ben Greear
a3020f852e MLD: Use BSS Parameters in TBTT Info to check SSID match
Use the Same SSID and Colocated AP bits as an alternative way of finding
a match on the current SSID.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 19:42:29 +02:00
Ben Greear
0635f83e48 MLD: Support multiple TBTT Information fields in RNR elements
The Reduced Neighbor Report element can include one or more TBTT
Information fields.  Only the first one was parsed previously. Extend
this to use a loop to go through all included TBTT Information fields.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 19:38:06 +02:00
Jouni Malinen
c18aef6241 MLD: Move TBTT Information field parsing into a helper function
This makes it more convenient to process multiple TBTT Information
fields within an RNR element.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-07 19:19:22 +02:00
Ben Greear
99a8dd0495 MLD: Support multiple RNR elements
Beacon frames are allowed to optionally include one more more Reduced
Neighbor Report elements. Only the first one was parsed previously.
Extend this to use a loop to go through all included RNR elements.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 18:55:50 +02:00
Jouni Malinen
be212bdb55 MLD: Move RNR element parsing into a helper function
This makes it more convenient to process multiple elements.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-07 18:44:22 +02:00
Sebastian Priebe
e97d7c5a6a Only advertise MSCS and SCS in Association Request if supported by AP
Since wpa_supplicant version 2.10 the extended capabilities MSCS and SCS
are advertised in the (Re)Association Request frames.

This causes the association request to be rejected by several access
points. Issue was observed with:
- D-Link DIR600
- TP-Link AC1900
- Synology MR2200ac

To avoid this issue the extended capabilities MSCS and SCS shall only be
added if the bss also supports them. While this may not follow the exact
behavior described in IEEE 802.11, this is a reasonable compromise to
avoid interoperability issues since these capabilities cannot be used
with an AP that does not support them anyway.

Note: The Extended Capabilities element is only included in the
Association Request frames if the AP also sent its extended capabilities
(see wpas_populate_assoc_ies()) as a workaround for misbehaving APs.
This workaround exists since version 2.1.

Signed-off-by: Sebastian Priebe <sebastian.priebe@konplan.com>
2023-11-03 13:10:01 +02:00
Matthew Wang
42add3c27b Scan 6 GHz channels after change to 6 GHz-allowed regdom
Drivers will often report regdom changes in the middle of a scan if they
detect during that scan that the regulatory domain has changed. If this
happens and we enter a regdom that supports 6 GHz channels when the
previous one didn't (this often happens in 6 GHz-capable regdoms for
devices after suspend/resume), immediately trigger a 6 GHz-only scan if
we were not able to connect to an AP on a legacy band.

This should significantly improve connection time to 6 GHz AP after
regdom has been reset.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Matthew Wang
17bdf34c49 Use default IEs in wpa_supplicant_trigger_scan()
wpa_supplicant_trigger_scan() previously wouldn't include any of the IEs
generated by wpa_supplicant_extra_ies(). Instruct it to do so in most
cases. This is necessary because MBO STAs are required to include MBO
capabilities in their Probe Request frames.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Andrei Otcheretianski
e5ea30feef SME: MLD: Handle reconfiguration Multi-Link element
Parse the reconfiguration Multi-Link element and:

- Don't select a BSS for connection if it is part of an MLD
  and is going to be removed.
- Don't scan for missing links that are to be removed.
- Don't include removed links in association.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-10-29 16:43:34 +02:00
Veerendranath Jakkam
c4c5c991da SAE: Do not reject reauth threshold passed PMKSA in association event
Do not reject reauth threshold passed PMKSA indicated in successful
association event since the PMKSA is still valid.

Additionally, remove the reauth threshold passed PMKSA entry from the
driver to prevent using it further in the driver.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-09-28 18:57:50 +03:00
Veerendranath Jakkam
199b44213c MLD STA: Allow auth frames without ML IE for failure status codes
In some cases like unknown-group rejection, AP MLD can't parse the
received Authentication frame to the point of the Multi-Link element if
the group used by the peer is unknown to the AP MLD.

In such cases, AP MLD not including Multi-Link element in rejection
Authentication frames can be considered as standard compliant since AP
MLD doesn't know whether the received Authentication frame has
Multi-Link element or not.

To avoid connection issues in such cases, don't reject Authentication
frames without Multi-Link element when status code is other than
WLAN_STATUS_SUCCESS, WLAN_STATUS_SAE_HASH_TO_ELEMENT,
WLAN_STATUS_SAE_PK, and WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-05-25 18:03:58 +03:00
Veerendranath Jakkam
8bc84fceeb Allow MLO disabled connection to legacy open/WPA2-Personal-only AP MLDs
wpa_supplicant was skipping MLD APs from network selection when the AP
advertise legacy open, WPA2-Personal-only (PSK without SAE), or PMF
disabled. However, there are already some early Wi-Fi 7 APs in the
market which advertise legacy open, WPA2-Personal-only, or PMF disabled
even though these combinations are unlikely to be allowed for Wi-Fi 7 in
the end.

To avoid connectivity issues with such APs, allow stations to connect
with MLO disabled when an AP MLD is detected to advertise legacy open,
WPA2-Personal-only (PSK without SAE), or PMF disabled.

This reverts commit 7d8b96dcfd ("wpa_supplicant: Apply same
restrictions for MLD as for 6 GHz BSS") except WEP and TKIP checks,
i.e., AP MLDs which advertise only WEP or TKIP are still skipped from
network selection.

For the SME-in-wpa_supplicant case, skip configuring MLD parameters to
the driver if the STA can connect only in legacy open,
WPA2-Personal-only, or PMF disabled mode. For the SME-in-driver case, it
is the driver's responsibility to initiate connection with MLO disabled
with such APs.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-25 17:04:44 +03:00
Veerendranath Jakkam
6002fe87d8 SAE: Fix expected AP MLD address info in a debug print
Print correct expected AP MLD address information when the AP MLD
address validation fails in Authentication frames during external
authentication.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-19 11:51:43 +03:00
Veerendranath Jakkam
c70405cef6 MLD STA: Do not fail on unknown IEs in Authentication frames
Fail MLD address validation only if Authentication frames IE parsing
actually failed, i.e., ignore all unknown IEs.

This is needed to avoid authentication failure when the Authentication
frames include IEs which are not handled by ieee802_11_parse_elems(),
e.g., AKM Suite Selector IE.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-19 11:50:55 +03:00
Veerendranath Jakkam
c91852044d MLD STA: Add support for SAE external authentication offload to userspace
Enable MLO for SAE authentication when the driver indicates the AP MLD
address in an external authentication request. The MAC address of the
interface on which the external authentication request received will be
used as the own MLD address.

This commit does below for enabling MLO during external SAE
authentication:
- Use MLD addresses for SAE authentication.
- Add Basic Multi-Link element with the own MLD address in SAE
  Authentication frames.
- Send SAE Authentication frames with the source address as the own MLD
  address, destination address and BSSID as the AP MLD address to the
  driver.
- Validate the MLD address indicated by the AP in SAE Authentication
  frames against the AP MLD address indicated in external authentication
  request.
- Store the PMKSA with the AP MLD address after completing SAE
  authentication.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-02-15 23:49:59 +02:00
Jouni Malinen
bf124a03d5 SAE: Update PT value at later point for SME cases, if needed
It was possible to hit a case where the SAE PT had not yet been derived,
e.g., when using P2P group re-invocation. Update PT use at the time
authentication is started, if needed, to avoid this. While this is not
really ideal from the externally observable timing view point, this is
done only for the case where there is no other option available with a
dynamically changing network configuration for P2P. Similar design was
already in place for the SAE offload-from-driver (external auth) case.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-01-30 23:23:22 +02:00
Jouni Malinen
37f8257c4f SAE: Extend automatic enabling of H2E on 6 GHz to additional cases
Commit 3a0edb2cd8 ("SAE: Enable H2E for 6 GHz BSS") started enabling
H2E automatically for SAE use on the 6 GHz band, but it did not update
these steps in verifying whether the STA has matching configuration for
a BSS that mandates use of H2E and whether to use PT for SAE in SME.
Update these to be aware of automatic H2E enabling.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-01-30 23:21:06 +02:00
Andrei Otcheretianski
e869fdfeef wpa_supplicant: Use MLD address in SAE authentication
Use MLD address in SAE commit derivation and PMKSA storing.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:47:34 +02:00
Andrei Otcheretianski
8c0f83ae88 SME: Accept Authentication frame from an MLD AP
The driver is expected to translate the link addresses to MLD addresses
when processing an Authentication frame from a MLD AP. Thus, accept
Authentication frame when the peer matches the expected MLD address.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:38:03 +02:00
Andrei Otcheretianski
23039f5e4a SME: Add support for handling association with MLD
In case both the local driver and the AP support MLD, request an MLD
association from the driver.

When processing the association event from the driver verify that the
multi link information in the (Re)Association Response frame ML element
matches the links on which the association was expected.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:33:11 +02:00
Andrei Otcheretianski
8f89661df5 SME: Add support for handling authentication with MLD
In case both the local driver and the AP support MLD, request an MLD
authentication from the driver. When processing the authentication event
from the driver verify that the MLD address in the authentication data
matches that of the requested AP.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:31:41 +02:00
Andrei Otcheretianski
694a1c6873 SAE: Make sme_sae_auth() return IE offset
Authentication frames include several fixed body parts (see Table 9-68
(Authentication frame body) and Table 9-69 (Presence of fields and
elements in Authentication frames) in IEEE P802.11-REVme/D2.0).

To be able to parse the IE part, these fields need to be skipped. Since
SAE logic already implements this parsing, change SAE authentication
handling functions to return the offset to the IE part. This preparation
is needed for future MLD patches that need to parse out the ML related
elements in the Authentication frames.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:11:16 +02:00
Veerendranath Jakkam
23e31eb68e SAE: Support cross AKM roaming between SAE AKMs in external auth case
Add support to handle external authentication request with a different
SAE AKM suite compared to the current connection AKM suite. This is
needed to support cross AKM roaming between SAE and SAE-EXT-KEY AKM
suites.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-12-15 18:36:26 +02:00
Micha Hashkes
755aaeb97f wpa_supplicant: Add missing memory allocation checks
There are several cases where memory allocations are not
checked for success. Add conditions and error messages, as some
analyzers complain about that.

Signed-off-by: Micha Hashkes <micha.hashkes@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-11-30 19:14:02 +02:00
Jouni Malinen
bbd5a4689b SAE: Add an enum for defining sae_pwe parameter values
Make this more readable by replacing magic numbers with enum values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-29 20:37:23 +02:00
xinpeng wang
2afb9b1a58 dbus: Add dbus notify when wpa_s->key_mgmt changes
For WPA2/WPA3 authentication mode, wpa_supplicant needs to notify
CurrentAuthMode property change when wpa_s->key_mgmt changes, so
NetworkManager can judge whether it needs to request a password based on
this.

Call wpas_notify_auth_changed() when starting a new connection item,
i.e., after having updated wpa_s->key_mgmt.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2022-11-27 14:18:53 +02:00
Jouni Malinen
5ea7a2f545 DPP: Drop PMKSA entry if AP reject association due to invalid PMKID
This is needed to avoid trying the subsequent connections with the old
PMKID that the AP claims not to hold and continues connection failures.
This was already handled for the SME-in-the-driver case in commit commit
50b77f50e8 ("DPP: Flush PMKSA if an assoc reject without timeout is
received"), but the wpa_supplicant SME case did not have matching
processing.

Add the needed check to avoid recover from cases where the AP has
dropped its PMKSA cache entry. Do this only based on the specific status
code value (53 = invalid PMKID) and only for the PMKSA entry that
triggered this failure to minimize actions taken based on an unprotected
(Re)Association Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-20 11:08:26 +02:00
Jouni Malinen
bbe5f0c1eb FT: Do not try to use FT protocol between mobility domains
wpa_supplicant has support for only a single FT key hierarchy and as
such, cannot use more than a single mobility domain at a time. Do not
allow FT protocol to be started if there is a request to reassociate to
a different BSS within the same ESS if that BSS is in a different
mobility domain. This results in the initial mobility domain association
being used whenever moving to another mobility domain.

While it would be possible to add support for multiple FT key hierachies
and multiple mobility domains in theory, there does not yet seem to be
sufficient justification to add the complexity needed for that due to
limited, if any, deployment of such networks. As such, it is simplest to
just prevent these attempts for now and start with a clean initial
mobility domain association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-09 00:54:41 +02:00