There is no need for #ifdef/#else/#endif construction in
network_fields[] to cover "mode" (which is completely independent of
CONFIG_MESH) or two separate conditional blocks for mesh related network
fields, so move these into a single conditionally included block.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
As part of a connection request, set EDMG parameters for the driver to
use in the association. The EDMG parameters are based on EDMG IE
received from the AP's Probe Response frames, the driver's EDMG
capability, and the EDMG configuration from the configuration.
As part of starting an AP, set EDMG parameters for the driver to use for
AP operation. The EDMG parameters are based on the driver's EDMG
capability and the EDMG configuration from the configuration.
This implementation is limited to CB2 (channel bonding of 2 channels)
and the bonded channels must be adjacent, i.e., the supported values for
edmg_channel are 9..13.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Add two new configuration parameters for wpa_supplicant:
enable_edmg: Enable EDMG capability for STA/AP mode
edmg_channel: Configure channel bonding. In AP mode it defines the EDMG
channel to start the AP on. In STA mode it defines the EDMG channel to
use for connection.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
After roaming to an AP, update disable_mbo_oce flag based on the current
BSS capabilities. This flag is used to check whether STA should support
MBO/OCE features and process BTM request received from the current
connected AP.
When a STA roams from a WPA2 MBO/OCE AP with PMF enabled to a
misbehaving WPA2 MBO/OCE AP without PMF, or if the driver chooses a BSS
in which PMF is not enabled for the initial connection, BTM requests
from such APs should not be processed by STA.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process all received DPP Configuration Object attributes from
Configuration Result in Enrollee STA case. If wpa_supplicant is
configured to add networks automatically, this results in one network
being added for each included Configuration Object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SAE password configuration for AP mode requires additional steps
compared to PSK cases. Previous implementation allowed SAE to be
configured, but all authentication attempts would fail due to no
password being available. Now both psk and sae_password/sae_password_id
parameters are translated properly to the hostapd configuration
structures to fix this.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
On NetBSD the ethernet header is net/if_ether.h
This also pulls in net/if.h which defines if_type, which in turn
conflicts with an enum in wpa_supplicant. As such we need to
include this at the bottom rather than at the top.
Signed-off-by: Roy Marples <roy@marples.name>
The MBO and OCE specification require the station to mandate use of PMF
when connecting to an MBO/OCE AP that uses WPA2. The earlier
implementation prevented such misbehaving APs from being selected for
connection completely. This looks like the safest approach to take, but
unfortunately, there are deployed APs that are not compliant with the
MBO/OCE requirements and this strict interpretation of the station
requirements results in interoperability issues by preventing the
association completely.
Relax the approach by allowing noncompliant MBO/OCE APs to be selected
for RSN connection without PMF to avoid the main impact of this
interoperability issue. However, disable MBO/OCE functionality when PMF
cannot be negotiated to try to be as compliant as practical with the
MBO/OCE tech spec requirements (i.e., stop being an MBO/OCE STA for the
duration of such workaround association). Also disable support for BTM
in this workaround state since MBO would expect all BTM frames to be
protected.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be
used to set Configurator to request a station Enrollee to report
connection result after a successfully completed provisioning step. If
the peer supports this, the DPP-CONF-SENT event indicates this with a
new argument (wait_conn_status=1) and the Configurator remains waiting
for the connection result for up to 16 seconds.
Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event
is generated with arguments result, ssid, and channel_list indicating
what the Enrollee reported. result=0 means success while non-zero codes
are for various error cases as specified in the DPP tech spec. If no
report is received from the Enrollee, the event with "timeout" argument
is generated locally.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The config file parser previously would fall through into an error if
CONFIG_AP is defined and it hit a wmm_ac_* rule with a valid value. Add
a return to prevent incorrectly printing an error message and returning
a non-zero exit code.
Signed-off-by: Sujay Patwardhan <sujay@eero.com>
If an AP (P2P GO) has changed its operating channel or SSID recently,
the BSS table may have multiple entries for the same BSSID.
Commit 702621e6dd ('WPS: Use latest updated BSS entry if multiple
BSSID matches found') fetches latest updated BSS entry based on
BSSID. Do the same when fetching an entry based on the P2P Device
Address.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previous support in the 60 GHz band was for channels 1-4.
Add support for channels 5 and 6.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
The WPS component keeps a copy of the network interface MAC address.
When MAC address is changed the WPS copy was not updated so WPS M1
message contained the old address. Some devices check this field
and fail connection attempts.
Update the WPS MAC address on interface MAC address changes.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
These are the driver-specific interface for the non-netdev P2P Device
interface and not something that useful for most use cases. Skip them to
allow the main netdev (e.g., wlan0 over p2p-dev-wlan0) to be selected.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update connect params will update auth_alg and fils_hlp_req in
wpa_supplicant structure before calling function
wpas_notify_state_changed(). This could have resulted in triggering
inconsistent state change events and messages in the Android framework.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Fix CONFIG_DPP2=y with CONFIG_AP=y build for cases where the needed
dependencies were not pulled in by other optional build parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
Fix CONFIG_DPP=y build for cases where the needed dependencies were not
pulled in by other optional build parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is
an explicit request for machine credentials. The network profile
parameters are otherwise same as the Phase 1 parameters, but each one
uses a "machine_" prefix for the parameter name.
Signed-off-by: Jouni Malinen <j@w1.fi>
ENOTCONN, EOPNOTSUPP, and ECANCELED are defined in a newer version of
MinGW, so make this workaround conditional on what is defined in the
header files.
Signed-off-by: Jouni Malinen <j@w1.fi>
OCSP configuration is applicable to each instance of TLS-based
authentication and as such, the configuration might need to be different
for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and
add a separate ocsp2 network profile parameter to set this for Phase 2.
Signed-off-by: Jouni Malinen <j@w1.fi>
These parameters for certificate authentication are identical for the
Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel).
Furthermore, yet another copy would be needed to support separate
machine credential in Phase 2. Clean this up by moving the shared
parameters into a separate data struct that can then be used for each
need without having to define separate struct members for each use.
Signed-off-by: Jouni Malinen <j@w1.fi>
The commit ad9a1bfe78 ("nl80211: Share VHT channel configuration for
HE") always enforced that VHT is enabled when HE was enabled. This broke
the mesh functionality on 2.4 GHz with HE because ibss_mesh_setup_freq()
isn't setting up the VHT parameters for 2.4 GHz.
This problem was resolved for 2.4 GHz by commit df4f959988 ("nl80211:
Don't force VHT channel definition with HE"), but it is still possible
to disable VHT during the mesh/IBSS freq setup on 5 GHz - which would
result in the same problem as seen on 2.4 GHz.
The code enabling HE for IBSS/mesh must now make sure that it doesn't
enable HE when VHT could be enforced by the nl80211 driver code but
disabled by the user.
Fixes: 3459c54ac7 ("mesh: Add support for HE mode")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
This is an initial step in adding support for configuring separate user
and machine credentials. The new wpa_supplicant network profile
parameters machine_identity and machine_password are similar to the
existing identity and password, but explicitly assigned for the purpose
of machine authentication.
This commit alone does not change actual EAP peer method behavior as
separate commits are needed to determine when there is an explicit
request for machine authentication. Furthermore, this is only addressing
the username/password credential type, i.e., additional changes
following this design approach will be needed for certificate
credentials.
Signed-off-by: Jouni Malinen <j@w1.fi>
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previously used single TOD policy was split into two policies:
TOD-STRICT and TOD-TOFU. Report these separately in the
CTRL-EVENT-EAP-PEER-CERT events (tod=1 for TOD-STRICT and tod=2 for
TOD-TOFU).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed for the drivers implementing SME to include the PMKID in
the Association Request frame directly following SAE authentication.
This commit extends the commit d2b2083843 ("SAE: Allow PMKID to be
added into Association Request frame following SAE") for drivers with
internal SME that use the external authentication mechanism.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
pending_bssid is cleared in the connected state and thus is not valid if
SAE authentication is done to a new BSSID when in the connected state.
Hence use the BSSID from ext_auth_bssid while configuring the PMK for
the external authentication case. This is required for roaming to a new
BSSID with driver-based-SME while the SAE processing happens with
wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
A new DH public key is sent through this interface to the driver after
every successful connection/roam to a BSS. This helps to do OWE roaming
to a new BSS with drivers that implement SME/MLME operations during
roaming.
This updated DH IEs are added in the subsequent (Re)Association Request
frame sent by the station when roaming. The DH IE from the roamed AP is
given to wpa_supplicant in the roam result event. wpa_supplicant shall
further process these DH IEs to generate the PMK for the 4-way
handshake.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
PMF capability check is done as part of BSS selection routines, but
those are not used when going through the enforced roaming operation
("ROAM <BSSID>" control interface command). While that mechanism is
mainly for testing purposes, extend it to do the same check for PMF to
prevent cases where forced roaming could end up disabling PMF against
the local profile requirement.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
An OCE AP with WPA2 enabled shall require PMF negotiation when
associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a
STA when it is operating as an AP. Don't select an OCE AP for connection
if PMF is not enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When required_roaming_consortium is set in a credential, station
should match this against Roaming Consortium(s) for a BSS similar
to how it is matching for roaming_consortiums during Interworking
credentials availability check for roaming_consortium.
In the context of Hotspot 2.0 PPS MO, this means addressing matching
part in the same manner for HomeSP/HomeOIList/<X+>/HomeOI regardless of
how HomeSP/HomeOIList/<X+>/HomeOIRequired is set (i.e., the required
part is used as an independent check for the AP advertising the needed
information while the "credential can be used here and this is a home
network" part is shared).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but
it is not disallowed either, so it is useful to have an option to
identify the derived PMKSA in the immediately following Association
Request frames. This is disabled by default (i.e., no change to previous
behavior) and can be enabled with a global wpa_supplicant configuration
parameter sae_pmkid_in_assoc=1.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The conditions for the eapol_sm_notify_eap_success(FALSE) calls did not
cover the case where eapol_sm_notify_eap_success(TRUE) had been called
based on offloaded 4-way handshake and driver notification of
authorization in wpa_supplicant_event_port_authorized(). This could
result in eapSuccess and altSuccess state machine variables being left
TRUE when roaming to another BSS and that results in EAP failure if the
following roaming case does not get fully authorized through the driver
offload.
Fix this by clearing eapSuccess/altSuccess when processing a new
association (including roaming) event and also when disconnecting from
the network.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, these default scan IEs were set only when parameter values
changed and during the interface initialization, which can get lost in
the driver on an interface restart. Hence, also set these IEs on an
interface restart notification even when there has been no change in the
values since the last update to the driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It is possible to receive the Configuration Request frame before having
seen TX status for the Authentication Confirm. In that sequence, the
DPP-AUTH-SUCCESS event would not be indicated before processing the
configuration step and that could confuse upper layers that follow the
details of the DPP exchange. As a workaround, indicate DPP-AUTH-SUCCESS
when receiving the Configuration Request since the Enrollee/Responser
has clearly receive the Authentication Confirm even if the TX status for
it has not been received.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload
in connect") used the req_key_mgmt_offload flag to indicate to the
driver that it should offload the 802.1X handshake. However, this field
was existing and used for a different offload API. This causes
wpa_supplicant to send a connect request without the WANT_1X_HS flag and
the subsequent set-pmk is rejected causing the connection to fail. Fix
that by introducing a new flag req_handshake_offload so the offloads are
no longer entangled.
Fixes: d896874f86 ("nl80211: Indicate 802.1X 4-way handshake offload in connect")
Reported-by: Stefan Wahren <wahrenst@gmx.net>
Tested-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
We intentionally don't emit property-changed signals on every property
update -- for "less timing critical" messages we delay up to 5
milliseconds waiting to see if we can batch them together. When the
timer hits, we emit the signal anyway and (potentially) log this
message. This amounts to effectively tracing every property update,
which can be quite excessive.
Lower this to MSGDUMP, so MSG_DEBUG can remain slightly more sane.
Signed-off-by: Brian Norris <briannorris@chromium.org>
In order to set up P2P connection with HE capability,
the 'he' flag should be passed to GO negotiation result.
Signed-off-by: Yu Wang <yyuwang@codeaurora.org>