Using D-Bus it is possible to request an invalid SD response where
"tlvs" is specified and there is an unknown key (e.g. "bar": "foo"). In
this case, "tlv" is allocated and then never used nor freed. Valgrind
complains as follows:
36 bytes in 1 blocks are definitely lost in loss record 20 of 74
at 0x484C214: calloc (vg_replace_malloc.c:1675)
by 0x41C673: wpabuf_alloc (wpabuf.c:124)
by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
by 0x5495DF: dispatch_data (dbus_common.c:37)
by 0x5495DF: process_watch (dbus_common.c:73)
by 0x5495DF: process_watch_read (dbus_common.c:89)
by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
by 0x41FA46: eloop_run (eloop.c:1233)
by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
by 0x40DB06: main (main.c:393)
Fix it ensuring that "tlv" is freed both in the error and non-error path
of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
test_dbus.py to verify correct behavior.
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
Using D-Bus it is possible to trigger a valid UPnP SD request where
"tlv" is specified: in this case "tlv" is allocated, and then not used
nor freed. Valgrind complains as follows:
72 bytes in 2 blocks are definitely lost in loss record 46 of 68
at 0x484C214: calloc (vg_replace_malloc.c:1675)
by 0x41C673: wpabuf_alloc (wpabuf.c:124)
by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
by 0x5495DF: dispatch_data (dbus_common.c:37)
by 0x5495DF: process_watch (dbus_common.c:73)
by 0x5495DF: process_watch_read (dbus_common.c:89)
by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
by 0x41FA46: eloop_run (eloop.c:1233)
by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
by 0x40DB06: main (main.c:393)
Fix it ensuring that "tlv" is freed, both in the error and non-error
path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
test_dbus.py to verify correct behavior.
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
wpa_s_setup_sae_pt() derived SAE PT even when the configured key
management options did not include SAE if the global sae_pwe
configuration parameter had been changed to enable H2E. This adds
unnecessary extra delay, so derive PT only if SAE is actually enabled in
the network profile.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.
Fixes: 444d76f74f ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client.
Signed-off-by: Jouni Malinen <j@w1.fi>
The rejected groups list is valid only during each individual SAE
authentication instance and it should not be maintained between separate
instances. In particular, it should not be maintained when roaming to
another AP since the APs might use different configuration for the
allowed SAE groups.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant used to maintain the list of rejected groups for SAE over
multiple failed attempts. This could have some DoS issues, so clear this
list if SAE authentication attempts fails continuously.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
This functionality is disabled by default and can be enabled with
ssid_protection=1 in the network profile. Once there has been more
testing of this to confirm there is no significant interoperability
issues, the goal is to be able to change this to be enabled by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant might use a wrong BSS entry with the SSID different from
the current SSID of the current BSS while processing a roam event from
the driver when wpa_supplicant has a stale BSS entry with the old SSID
and the driver roams to the same BSS after it is restarted with a new
SSID.
To avoid this, update scan results from the driver when a BSS entry is
not found with the current SSID and try to fetch the BSS entry again
with the current SSID after this.
Also, with this change wpa_supplicant_get_new_bss() itself will update
the BSS table and search for the current BSS entry if it is not found in
the BSS table. So, remove the BSS table update and search logic from the
callers of wpa_supplicant_get_new_bss().
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add a new wpa_supplicant network profile parameter max_idle that can be
used to specify a specific maximum idle period in units of 1000 TUs
(1.024 s) for associations.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allocate static IPv4 address in EAPOL frames during 4-way handshake
instead of DHCP when using P2P invitation. wpa_s->current_bss needs to
be set for the P2P specific IP address assignment mechanism to be used
in wpa_supplicant_rsn_supp_set_config(). This worked for the initial P2P
connection, but not for some cases reinvoking a persistent group.
Since there is only one AP (P2P GO) in the P2P client case, the
conditions added in commit 4d3be9cdd1 ("Postpone updating of
wpa_s->current_bss till association event") are not needed and the
easiest approach for this is to allow current_bss to be set for
p2p_in_invitation cases. If the GO P2P Interface Address (BSSID) could
be determined for all the related cases, this could be addressed a bit
more cleanly by setting the go_bssid argument for
wpas_start_p2p_client(), but that can be left as a possible future step.
Signed-off-by: tzu-meng wang <tzu-meng.wang@mediatek.com>
Make the channel switch complete event, WPA_EVENT_CHANNEL_SWITCH,
accessible to the action script.
Signed-off-by: arun.jose <arun.jose.wg@bp.renesas.com>
D-Bus expects "persistent" to be a bool (0/1) and crashes otherwise.
Since persistent may also be 2 convert it to boolean.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
In case the channel map was updated to include the 6 GHz but these channels
were not scanned yet, do not allow fast associate.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If one sends a Probe Request frame to a non-TX BSSID, no AP MLD ID
should be included in the request. Permit mld_id to be -1 so that it is
not a required argument and can be left out.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When the authentication is an MLD authentication need to use the AP MLD
MAC address when requesting the driver to deauthenticate.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In case of failure handling an Authentication frame from the AP MLD,
clear the MLD state only after the deauthentication is done. This allows
deauthentication process to use the AP MLD MAC address.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If parsing the basic ML element in the Authenticate frame fails,
instead of only disassociating, completely deauthenticate so all
state machines would be in a consistent state.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
When considering to roam to a different BSS and the connection
is an MLD connection, do not roam to a BSS which is already
included in the MLD connection.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
wpa_s->connect_without_scan could have been left pointing to invalid
network when a network profile was removed. It seems to be possible for
this to happen in some hwsim test case scenarios under specific timing,
but the exact reason for this is not clear. In any case, this pointer
needs to be cleared.
Signed-off-by: Jouni Malinen <j@w1.fi>
OBSS scan can be required in different links if operating as an AP MLD.
When triggering scan, specify the link ID for the driver to find the
correct link to scan.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Modules that use libpasn for PASN authentication need the context of
PASN data. PASN data is a common context for the library and the modules
using it. Hence, initialize the context through init and deinit
functions. Also use set and get functions to update the parameters.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PMKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on IEEE8021X_EAPOL define for the
external modules at compile time, remove PMKSA cache static inline
functions from the header file and add wrapper function stubs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on CONFIG_PTKSA_CACHE define for
the external modules at compile time, remove PTKSA cache static inline
functions from the header file and add wrapper function stubs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Try to find the BSS entry that contains the most likely current
information for the target BSS. This is mainly needed to avoid some
unusual behavior with APs changing their Beacon frame information in a
manner that shows up in automated testing, but this might help with some
more dynamic real world uses as well, so better do the BSS entry search
for the newest entry.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This wrapper function was not used at all, so remove it to make it
clearer that the set_ap() driver op is called only from hostapd code.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In case we run command like:
wpa_cli -g <global_ctrl_path> command
don't print
"Selected interface " message.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
When wpa_supplicant needed to update the internal BSS table with the
latest scan results from the driver, it fetched all BSSs and processed
them all. This is unnecessary for cases where an update is needed only
for a specific BSS. Optimize this by filtering out the unnecessary
entries from the results.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 117e812d06 ("Update BSS table entry if roaming event indicates
frequency change") added wpa_supplicant BSS table update based on the
latest driver scan results whenever processing an association event that
results in the current operating channel changing. While that is needed
to cover the case where an AP changes its own operating channel (and
that is noticed as a roam or new connection instead of a channel switch
event), this should not really be needed for cases where the
wpa_supplicant entry for the new BSS is already up to date.
Skip the full BSS table update on association event if the event is for
a roaming case to a different BSS and the BSS entry for the target is
already available and for the current operating channel. This avoids
undesired latency when processing the association event.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Update EAP-WSC parameters to include Multi-AP profile info to pass the
profile information through the provisioning steps. This is needed for
provisioning the STA configuration when different profiles are used.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Allow both hostapd and wpa_supplicant to be configured with the
supported Multi-AP profile. The configured value will be advertised in
the Multi-AP element.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
This makes it more convenient to handle extensions to the element and
allows code to be shared between hostapd and wpa_supplicant.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Add ANQP fields to the BSS properties to allow DBus clients to be
notified and obtain the values when it changes.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
Add a D-Bus method to perform ANQP get requests. The new method is
equivalent to the "anqp_get" command available in wpa_cli.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
To implement an action script that listens for DPP push button events
and for example blinks a LED it is useful to know when push button has
started. Emit an event when push button starts.
Signed-off-by: Evan Benn <evan.benn@morsemicro.com>
This is needed to be able to check validity of the channel parameters
for cases where EHT puncturing impacts what can be enabled for
HT/VHT/HE.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Only the 2.4 and 5 GHz channels were handled previously when removing
operating classes from the Supported Operating Classes element based on
the freq_list parameter. Extend this to include the 6 GHz band as well.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
A previous workaround was used to move the special operating class 130
to the end of the Supported Operating Classes element to avoid getting
any following entry being ignored or misunderstood. That is not really
the correct way of encoding the special cases, i.e., 80+80 MHz channels
that use two nonadjacent frequency segments.
Add support for encoding the 80+80 MHz channel with the 2-octet
operating class design using the Operating Class Duple sequence field of
the Supported Operating Classes element instead of listing the operating
classes that have the 80+ behavior limit set indication in Table E-4
(i.e., opclass 130 and 135) as 1-octet operating classes in the
Operating Classes field.
Fixes: a92660a00e ("Work around Supported Operating Classes element issues for 6 GHz")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 085a3fc76e ("EHT: Add 320 channel width support") added this in
various places, but it did not cover everything. Extend this support to
be more complete. In particular, this allows wpa_supplicant to report
the operating class 137 in the Supported Operating Classes element and
to use it when processing beacon requests.
Signed-off-by: Ainy Kumari <quic_ainykuma@quicinc.com>
The INT_RANGE() cases for wpa_supplicant global and network profile
parameters ended up changing the configured value to the minimum value
if the provided value was too small or to the maximum value if the
provided value was too large. This does not seem most logical. Change
this to not change the configured value at all if the provided value is
outside the valid range.
Signed-off-by: Jouni Malinen <j@w1.fi>
These parameters have both a separate SET command handler and a global
configuration parameter handler. Only the global configuration parameter
handler for enforcing valid range checking. Do that for the SET command
as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
The following config file contains invalid items:
----
filter_rssi=1234 # should be rejected
network={
mode=-1 # should be rejected
ssid="ssid"
psk="password"
}
----
But it is accepted by the config parser. The issue is due to using NULL
to represent no limit. If a boundary is set to 0, it's disregarded.
Fix this.
Note that string parser is not affected as length cannot be negative and
we are not limiting any string to be always empty.
Signed-off-by: Chien Wong <m@xv97.com>
Use of wpa_s->p2p_go_no_pri_sec_switch needs to be conditional on
CONFIG_P2P being defined for the build to avoid a compilation error and
ssid->p2p_group to avoid using this for non-P2P AP mode case in
wpa_supplicant. Furthermore, it is better to clear this flag when
stopping a P2P GO to reduce risk of this getting used for a separate
instance of starting a GO.
Fixes: b18d957593 ("P2P: Disable pri/sec channel switch for GO with forced frequency")
Signed-off-by: Jouni Malinen <j@w1.fi>
In the MLD case, the information from the transition management request
is relevant during the association process in order to filter out links
that were disallowed by the BTM request. Also, the information remains
useful should a connection attempt fail.
To enable these scenarios, keep the information around until the
connection has completed. As this might make it impossible to establish
a connection, also clear this information at the same time that a normal
BSS ignore is cleared to avoid getting stuck in case the transition
fails unexpectedly.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
If the last link is dropped, it makes sense to follow the BTM procedure.
However, in that case we need to prevent reconnection to this link
specifically, while if the AP MLD is terminating we need to forbid
connecting to the AP MLD.
As such, add a new variable to track the BSSID or AP MLD MAC address.
Which one it refers to depends on whether wnm_link_removal is set.
This also simplifies the check in wnm_is_bss_excluded() and untangles it
from wpa_s->current_bss.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
All callers of wnm_send_bss_transition_mgmt_resp() are explicitly
passing wpa_s->wnm_dialog_token. As such, we might as well not pass it
and use the variable directly.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
There is no point in the caller to set it to zero. Just do so within
wnm_send_bss_transition_mgmt_resp().
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
The elements are (currently) not used except for sending an immediate
response similar to COLOC_INTF_REPORT with the main difference being
that the dialog token is included.
Do not store the elements. It easy enough to re-add this should the
implementation improve. And this fixes the fact that the variable is
cleared at odd times as wnm_deallocate_memory() is used specifically to
clear the neighbor report list of a BTM request.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
There is no need for this check as wpa_scan_res_match() already calls
the function through wpa_scan_res_ok() before accepting a match.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
The call to wpa_scan_res_match already checks that the SSID matches
current_ssid. Therefore there is no need to do any further checking.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
It should never be NULL. In the unlikely event that it is NULL, the
logic changes slightly to reject all candidates.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When accepting a BSS transition request there is a race between
sending the response and roaming to the target AP. As a result,
the response may not be sent because the station deauthenticated
from the AP before the response was actually sent.
To make sure the BSS transition response is sent, start roaming only
after the TX status is received for the BSS transition response.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
It does not make sense to scan for neighbors that we are not supposed to
use anyway. As such, skip them.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When receiving a BTM request, wpa_supplicant would try to fetch new
results from the driver, and, independently of that, would also process
the latest scan results that were partially updated by the previous
fetch.
Simplify the logic by using wpa_supplicant_get_scan_results() directly
and then process the old scan data as usual. However, this data may be
outdated, so add a new heuristic to avoid roaming to a BSS if it is
either outdated or bad.
Doing this moves all scan data processing into wnm_scan_process() and
removes duplicated functionality for scan result processing in scan.c.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Avoid potential race conditions with the driver operations between
stopping an ongoing wait for responses for an offchannel TX that was
used to send Authentication Request with a request to use a different
channel for Authentication Response and the start of a new ROC on the
other channel by waiting for the TX expiration event before issuing the
ROC request.
Signed-off-by: Jouni Malinen <j@w1.fi>
Avoid potential race conditions with the driver operations between
cancelling an ongoing ROC that was used to receive Authentication
Request that requested a different channel to be used for the
negotiation by waiting for the ROC cancelled event before issuing the
offchannel TX command for the Authentication Response.
In addition, speed up the retry on Authentication Response in this type
of a case if the first attempt on the other channel is not AKC'ed since
it might take the peer device a bit more time to be ready to listen
there.
Signed-off-by: Jouni Malinen <j@w1.fi>
This aligns both the wpa_supplicant and bss structures to use the same
pattern of a valid_links bitmask plus per-link entries.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
This was done using the below semantic patch. There are a few more
places that were missed due to variable declarations or additional
checks in the for loop.
@@
iterator name for_each_link;
identifier max_links =~ "MAX_NUM_MLD_LINKS|MAX_NUM_MLO_LINKS";
expression links;
expression further_tests;
identifier i;
statement stmt;
@@
-for (i = 0; i < max_links; i++)
+for_each_link(links, i)
{
(
- if (!(links & BIT(i)))
- continue;
...
|
- if (!(links & BIT(i)) || further_tests)
+ if (further_tests)
continue;
...
|
- if (further_tests || !(links & BIT(i)))
+ if (further_tests)
continue;
...
|
- if (links & BIT(i))
stmt
|
- if (further_tests && (links & BIT(i)))
+ if (further_tests)
stmt
|
- if ((links & BIT(i)) && further_tests)
+ if (further_tests)
stmt
)
}
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When a device supports both the 5 GHz band and the 6 GHz band,
these are reported as two separate modes, both with mode set to
HOSTAPD_MODE_IEEE80211A. However, as these are different modes,
each with its own characteristics, e.g., rates, capabilities etc.,
specifically differentiate between them by adding a flag to indicate
whether the mode describes a 6 GHz band capabilities or not.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When wpa_supplicant assigns the IP address (WFA EAPOL IP address
allocation feature), the assigned IP address of the P2P Client on the GO
side is notified in the AP-STA-CONNECTED event. So to obtain the IP info
to external programs, modify the STA authorized event to include the the
assigned IP address of the P2P Client.
Test: Establish P2P connection and verified from the logs that
the P2P Client IP address is notified.
Signed-off-by: Sunil Ravi <sunilravi@google.com>
When wpa_supplicant receives a request to start a P2P group owner on a
fixed frequency with bandwidth wider than 20 MHz, wpa_supplicant scans
for neighboring BSSs prior to starting the GO. This is done to switch
the primary/secondary channels if there are any other networks which are
operating on the same secondary channel. Though this logic is defined
for 20/40 MHz coexistence and might improve throughput, there are P2P
use cases where this logic causes problem:
1. The file transfer use case takes time to start the file transfer or
even fails when the 20/40 coex scan repeatedly fails due to an
ongoing externally triggered scan happening in the system.
2. wpa_supplicant overrides the channel which is selected by the
application based on the best channel it derived by looking into
the channel conditions. This degrades the expected throughput.
3. Latency sensitive applications experience long time to
start the group owner which gives a bad user experience.
So do not allow 40 MHz co-ex PRI/SEC switch to force a change to
Autonomous GO PRI channel when the P2P group add is called with a forced
frequency.
Test: Tested autonomous GO and confirmed from the logs that
P2P GO is not triggering 20/40 coex scan.
Signed-off-by: Sunil Ravi <sunilravi@google.com>
This adds initial parts for RADIUS/TLS support in the RADIUS client.
This can be used with eapol_test and hostapd. This functionality is not
included by default and CONFIG_RADIUS_TLS=y in .config can be used to
enable it.
This version does not yet include all the needed functionality for TLS
validation and the rules for dropping a TCP connection based on invalid
RADIUS attributes.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add hostapd support for interacting with the NAN discovery engine to
allow single-channel (i.e., the AP's operating channel) USD as Publisher
or Subscriber.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add wpa_supplicant support for interacting with the NAN discovery engine
to allow USD as Publisher or Subscriber.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.
wpa_supplicant has replaced the PMKID List contents from (Re)Association
Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT.
Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name
without removing the PMKIDs from (Re)Association Request frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant disables BTM capability in Extended Capabilities element
when wpa_supplicant selects a misbehaving MBO/OCE AP that uses RSN
without PMF, but this is disabling BTM support for whole ESS connection
lifetime though the BTM support can be enabled when the driver takes
care of BSS selection and selects/roams to a BSS which is MBO and OCE
specification compliant. Thus, always set the actual BTM capability in
Extended Capabilities element when the driver takes care of BSS
selection.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The previous os_strncmp() calls have already verified that there is a
space in the string, so this os_strchr() call cannot really return NULL.
Anyway, make this easier for static analyzers to understand.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
put_changed_properties() might fail, e.g., due to memory allocation
failure or a failure in a property getter function. Such an error case
would have leaked the message iteration container since the call to
dbus_message_iter_close_container() would have been skipped.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When removing the bootstrap info for the PB context, all the possible
pointers to that information needs to be cleared to avoid accesses to
freed memory.
Fixes: 37bccfcab8 ("DPP3: Push button bootstrap mechanism")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.
Signed-off-by: Jouni Malinen <j@w1.fi>
In associations using PMF (IEEE 802.11w/MFP), the infrastructure
implements SA teardown protection by rejecting an (Re)Association
Request frame from an already-associated client. The AP responds with
error 30 (Association request rejected temporarily) to instruct the
(potentially spoofing) client to back off, while it issues an SA Query
procedure to the already-associated client. If the client can respond to
it within the back-off period, it considers the new association to be a
spoof attempt.
However, there are cases where a legitimate client might need to
handle this error response - consider if the STA has deauthenticated,
but the AP cannot hear it (out of range). If the MFP STA has deleted
its keys, it cannot respond to the SA Query procedure.
This association comeback process has commonly been implemented in the
driver, e.g., within mac80211 in case of the Linux drivers that use SME
in userspace. However, there are drivers that do not implement this
functionality. Extended wpa_supplicant to cover such cases as well.
The current implementation interprets this association error as a true
error, and will either add the BSS to the list of ignored BSSIDs, or
continue to try other BSSes. This can cause wpa_supplicant to back off
trying to reconnect for progressively longer intervals, depending on the
infrastructure's configured comeback timeout.
Allow wpa_supplicant to interpret the error, searching for the Timeout
Interval element in the (Re)Association Response frame and starting a
timer in the SME layer to re-associate after the timeout. This can be a
long delay (1-4 seconds in my experience), but it is likely much shorter
than bouncing between nearby BSSes.
This does not change behavior for drivers that implement association
comeback timer internally since they do not report the temporary
association rejection status code to user space.
Signed-off-by: Harry Bock <hbock@zebra.com>
Add HS20TermsAndConditions signal to D-Bus API to allow clients to be
notified when the network requires the acceptance of terms and
conditions. The URL of the T&C page is provided as a signal parameter.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
Allow the Key Data field to be encrypted in EAPOL-Key msg 2/4 and 4/4.
This is for testing purposes to enable a convenient mechanism for
testing Authenticator behavior with either potential future extensions
or unexpected Supplicant behavior.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow additional elements and KDEs to be added to EAPOL-Key msg 2/4 and
4/4. This is for testing purposes to enable a convenient mechanism for
testing Authenticator behavior with either potential future extensions or
incorrect Supplicant behavior.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
There are multiple redundant MIN macro declarations, some of which are
not protecting against side effects. Move it to common.h instead.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
There is currently a bias towards moving to higher bands but not one
against moving away from them. Fix that.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Decrease the roam difficulty when roaming across the short background
scan threshold (i.e., when the current BSS RSSI is below the threshold
and the selected BSS RSSI is above the threshold). This tends to happen
in normal roaming scenarios when moving from the domain of one AP to
the domain of another.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
These updates do not cause the PMKSA cache to become invalid. As such,
allow setting any of bssid_hint, bssid_ignore, and bssid_accept without
clearing the cache and causing the current connection to be dropped
immediately.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
If the Authentication frame response did not contain the expected ML
element (or it was invalid), we cannot continue with the ML association.
As such, the only choice we have in this case is to abort the
association.
If we do continue, we would end up sending the Association Request frame
with our MLD MAC address.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
The previous implementation would find the correct TBTT record in the
RNR but then always copied the BSSID from the first record out. Fix this
to copy the BSSID from the current position.
Fixes: de5e01010c ("wpa_supplicant: Support ML probe request")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Compare the BSSID against the BSSIDs on the affiliated APs for which
there is a valid link in case of an ML association.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The dpp_test DPP_TEST_STOP_AT_AUTH_CONF case is supposed to prevent the
GAS exchange from happening. It was possible to bypass that testing
functionality if the TX status event for the Authentication Confirm
message was lost or delayed long enough for the GAS Request to be
proessed first. This could happen at least with UML time travel.
Work around this by checking for the special dpp_test case within GAS
request handling.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Extended Request subelement of a Beacon Request is expected to also
include the Requested Element ID field (that identifies the Element ID
used to indicated extended elements) which needs to be skipped to get
the Requested Element ID Extensions.
Fixes: 2d4f905214 ("RRM: Add support for including extended ID elements in beacon report")
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Align MSCS response handling as described in IEEE P802.11-REVme/D4.0,
11.25.3 (MSCS procedures):
AP may send unsolicited MSCS Response frame using dialog_token == 0.
Instead of dropping the frame due to dialog_token mismatch, accept
it and set the status accordingly.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Align MSCS response handling as described in IEEE P802.11-REVme/D4.0,
11.25.3 (MSCS procedures):
If an MSCS Descriptor element is present in a MSCS Response
frame that does not indicate a status of "SUCCESS", the request
type field is set to "change" - the element indicates a suggested
set of parameters that could be accepted by the AP in response to a
subsequent request by the non-AP STA.
Handle both MSCS Response frame and (Re)Association Response frame with
change request by extending WPA_EVENT_MSCS_RESULT with the change
values.
Note: since we extend MSCS_RESULT event, move the original event from
both MSCS Response frame and (Re)Association Response frame handlers to
a common function that handles now both 'change' and other response.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
This was done with spatch using the following semantic patch and minor
manual edits to clean up coding style and avoid compiler warnings in
driver_wext.c:
@@
expression a,b;
@@
- os_memcmp(a, b, ETH_ALEN) == 0
+ ether_addr_equal(a, b)
@@
expression a,b;
@@
- os_memcmp(a, b, ETH_ALEN) != 0
+ !ether_addr_equal(a, b)
@@
expression a,b;
@@
- !os_memcmp(a, b, ETH_ALEN)
+ ether_addr_equal(a, b)
Signed-off-by: Jouni Malinen <j@w1.fi>
Fix build of wpa_supplicant if bgscan_simple is enabled while
WNM is not, as in the defconfig.
Fixes: ceb7f65dcc ("bgscan: Allow simple bgscan to do BTM queries")
Signed-off-by: Chien Wong <m@xv97.com>
As otherwise the mld_link_id would be 0, which the driver would
consider a valid link id and would return an error.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>