Enable MLO for SAE authentication when the driver indicates the AP MLD
address in an external authentication request. The MAC address of the
interface on which the external authentication request received will be
used as the own MLD address.
This commit does below for enabling MLO during external SAE
authentication:
- Use MLD addresses for SAE authentication.
- Add Basic Multi-Link element with the own MLD address in SAE
Authentication frames.
- Send SAE Authentication frames with the source address as the own MLD
address, destination address and BSSID as the AP MLD address to the
driver.
- Validate the MLD address indicated by the AP in SAE Authentication
frames against the AP MLD address indicated in external authentication
request.
- Store the PMKSA with the AP MLD address after completing SAE
authentication.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
It was possible to hit a case where the SAE PT had not yet been derived,
e.g., when using P2P group re-invocation. Update PT use at the time
authentication is started, if needed, to avoid this. While this is not
really ideal from the externally observable timing view point, this is
done only for the case where there is no other option available with a
dynamically changing network configuration for P2P. Similar design was
already in place for the SAE offload-from-driver (external auth) case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This makes the implementation more readable by sharing the same set of
enum values for all the parameters related to what kind of random MAC
addresses are used.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the CreateInterface command was used to create a virtual AP
interface, deleting this interface using the RemoveInterface command was
also bringing down the primary interface.
wpa_supplicant never uses hostapd style multi-BSS setup with
type=WPA_IF_AP_BSS and setup_ap=1 to if_add() when creating an AP
interface in wpa_driver_nl80211_if_add(), so it should not go through
the multi-BSS tear down procedure in wpa_driver_nl80211_if_remove(). The
virtual AP resources init and deinit are well handled in
wpa_driver_nl80211_init() and wpa_driver_nl80211_deinit().
Collapse the interface type to WPA_IF_STATION for the D-Bus interface to
skip the multi-BSS cleanup procedure. This is inline with the control
interface design. Add comments before the code to avoid confusion.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
In case both the local driver and the AP support MLD, request an MLD
authentication from the driver. When processing the authentication event
from the driver verify that the MLD address in the authentication data
matches that of the requested AP.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support to handle external authentication request with a different
SAE AKM suite compared to the current connection AKM suite. This is
needed to support cross AKM roaming between SAE and SAE-EXT-KEY AKM
suites.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
MAX_NUM_MLD_LINKS is 15, thus u8 isn't enough for the bitmap. Fix it.
While at it, clean MLO information better.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Allows informing the connection manager of additional information on CQM
events. Allows the connection manager to request the same information
on demand by using the existing "SignalPoll" method.
* Add new property "SignalChange"
* Add storage for wpa_signal_info into wpa_supplicant context
object
* Copy memory from event to context object on CQM Event
* Write a common conversion method to be used by both "SignalPoll" and
this property
Signed-off-by: David Ruth <druth@chromium.org>
When WPS is running simultaneously on multiple per-band radios (e.g., a
separate 2.4 GHz and 5 GHz band radios in an AP device), handle
synchronization of scan results, detect PBC session overlap, and cancel
WPS for enrollees on both interface, if the UUID of the registrars on
different bands differ.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Add new 'mac_addr' policy (3) with which supplicant expects to also
obtain 'mac_value' with pregenerated value of MAC address to be used for
given SSID.
The main difference between this policy and policy 1 is the ability to
control persistence of the MAC address used. For example if there is
a requirement to always use the same (but random) MAC address for given
SSID (even if user removes/forgets the network) this could be handled
outside of the wpa_supplicant by using some SSID based hashing scheme to
generate MAC (or by just storing the randomly generated one) and
providing it to wpa_supplicant together with mac_addr=3 policy.
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
There is no way to create or remove a virtual interface with
wpa_supplicant dbus methods. The platform has to use out-of-band methods
to manage the virtual interfaces.
This change adds virtual interface create/remove logic to the dbus
methods CreateInterface and RemoveInterface to achieve similar
functionalities as wpa_cli commands interface_add and interface_remove.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
If a higher priority BSS has invalid security parameters, e.g., an
invalid SAE password, and a lower priority BSS is discovered only after
the local network profile has been temporarily disabled, the BSSID
ignoring mechanism is not sufficient to allow the lower priority BSS to
be tried and all consecutive attempts will continue to use the higher
priority BSS. This might prevent connection in some unexpected cases
with invalid network configuration.
Extend BSSID ignoring mechanism to work in this type of a case by
ignoring the BSSID that resulted in disabling the SSID temporarily
during the first connection attempt after having re-enabled the SSID.
This allows a lower priority BSS, if any is available in scan results,
to be tried next to see if it might have working security parameters.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
During cross SSID roaming wpa_supplicant ended up using the default
RSNE/RSNXE in EAPOL-Key msg 2/4 though the driver indicated
(Re)Association Request frame elements without RSNE/RSNXE. This causes
RSNE/RSNXE mismatch between (Re)Association Request frame and EAPOL-Key
msg 2/4.
To avoid this skip copying the default RSNE/RSNXE if the driver
indicates the actually used (Re)Association Request frame elements in
the association event.
Signed-off-by: Utkarsh Soni <quic_usoni@quicinc.com>
Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.
Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.
Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.
Signed-off-by: Jeffery Miller <jefferymiller@google.com>
When scanning for a new connection, we currently optimize by scanning
all frequencies only when our MCC capabilities will allow an additional
operating frequency, and scan only the existing operating frequencies
otherwise. This is problematic when there the current operating
frequency singularly accounts for one of the shared radio frequencies
because we should be able to switch operating frequencies without adding
to the channel count. Fix this.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
struct wpas_pasn is common to both initiator and responder, so rename it
to pasn_data to avoid the "wpas_" prefix that could be seen as a
reference to wpa_supplicant (PASN initiator).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is a step towards decoupling the PASN initiator and responder
implemenentation is decoupled from the wpa_s and hapd contexts and
moving to a common folder for better abstraction. Move the struct
wpas_pasn definition to a common file for initiator and responder. The
idea is to provide a library libpasn.so from PASN common code. Include
C++ compatibilty wrapper to extend libpasn.so support for modules using
cpp code base.
This library can be used in applications implementing protocols based on
the PASN handshake.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Introduce a function handler to transmit PASN Authentication frames to
the driver. This removes the wpa_s dependency from PASN functionality
for sending the frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Get ssid and derive required information for SAE and FILS tunneled PASN
authentication to remove struct wpa_ssid dependency for PASN initiator.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Obtain RSNXE capabilities from the driver flags as well and save them in
the wpas_pasn structure.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Remove wpa_s dependency for processing PASN M2 frame and preparing M3
frame. To hold the context of wpa_s when transmitting M3 frame, add cb
ctx.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Store PMKSA cache entry in wpas_pasn and remove wpa_sm dependency to add
an entry to PMKSA cache. This is a step towards allowing the PASN
implementation to be used outside the context of wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Fetch the MLO association Link ID info from the driver to the
wpa_supplicant instance of the corresponding MLD STA interface. This
info is needed when setting the MLO connection info to wpa_sm.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add support to fetch MLO connection info from the driver to the
wpa_supplicant instance of corresponding MLD STA interface. In addition,
return true for BSSs associated with MLO links from wpa_bss_in_use() to
avoid getting them cleared from scan results.
Co-authored-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
Previously, wpa_supplicant was using the current SSID for building the
SAE authentication commit frame for retries during external
authentication. But the external authentication SSID can be different
from the current SSID. Fix this by using the correct SSID profile.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
The driver's SME may choose a BSS of a different ESS (SSID) compared to
the current SSID and trigger external authentication. If the chosen SSID
is not associated/selected before by wpa_supplicant it won't have the
H2E PT derived. Make sure to derive PT for SSID indicated in the
external authentication request.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
This brings in the functionality to hold multiple peers and perform PASN
authentication with each peer at a time and send the PASN response to
the driver. PASN parameters such as AKMP and cipher suite are obtained
from the BSS information of the cached scan results. Also add
functionality to trigger deauthentication to the peer for which PASN
request with action PASN_ACTION_DELETE_SECURE_RANGING_CONTEXT is
received.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The driver requests PASN authentication for a peer with a specified
source (own) MAC address. Use the specified own MAC address for PASN
operations. This is needed to allow random MAC addresses to be used.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to configure SAE, PSK, and PSK-SHA256 AKMs in connect
request when driver's SME in use. This is needed for implementing
WPA3-Personal transition mode correctly with any driver that handles
roaming internally.
Send additional AKMs configured in network block to driver based on
the maximum number of AKMs allowed by driver in connect request. Keep
first AKM in the list AKMs in the connect request as AKM selected by
wpa_supplicant to maintain backwards compatibility.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Use the recently added attribute to determine whether the kernel
supports a larger number of AKM suites in various commands.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
ipv4_params/ip6_params in type4_params maintains separate classifier
mask while type4_params already has a common classifier_mask. Lets
use the common classifier mask for both ipv4/ipv6 params and remove
the redundant params_mask in ipv4_params/ip6_params.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Extend DPP push button support in wpa_supplicant to allow the role of
the Configurator to be used. This provides similar functionality to the
way the DPP_PUSH_BUTTON command in hostapd worked when providing the
configuration parameters with that command (instead of building the
config object based on current AP configuration).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a privacy protecting variant of the peer introduction protocol to
allow the station device to hide its Connector from 3rd parties. The new
wpa_supplicant network profile parameter dpp_connector_privacy=1 can be
used to select this alternative mechanism to the peer introduction
protocol added in the initial release of DPP.
It should be noted that the new variant does not work with older DPP APs
(i.e., requires support for release 3). As such, this new variant is
disabled by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to use a push button -based bootstrap mechanism with DPP.
The new DPP_PUSH_BUTTON control interface command enables this mode on
the AP/hostapd and station/wpa_supplicant. This goes through the
following sequence of events: a suitable peer in active push button mode
is discovered with session overlap detection, PKEX is executed with
bootstrap key hash validation, DPP authentication and configuration
exchanges are performed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Previously, the driver could optionally (using QCA vendor command)
provide a preferred channel list to wpa_supplicant for channel selection
during the GO negotiation. Channel selection process can be more
efficient with the information of weights and flags of the preferred
channel list that can be provided by the driver. Use a weighted
preferred channel list provided by the driver for channel selection
during GO negotiation if such a list is available.
Signed-off-by: Sreeramya Soratkal <quic_ssramya@quicinc.com>
This can be used to make sure wpa_supplicant does not process DPP
messages sent in Public Action frames when a test setup is targeting
DPP-over-TCP.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a parameter (non_coloc_6ghz=1) to the manual scan command to disable
6 GHz collocated scanning.
This option can be used to disable 6 GHz collocated scan logic. Note
that due to limitations on Probe Request frame transmissions on the 6
GHz band mandated in IEEE Std 802.11ax-2021 it is very likely that
non-PSC channels would be scanned passively and this can take a
significant amount of time.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds wifi_generation=7 line to the STATUS output if the driver
reports (Re)Association Request frame and (Re)Association Response frame
information elements in the association or connection event with EHT
capability IEs.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
When a station receives either a Beacon frame or a Probe Response frame
from an AP that contains an MBO element with the Association Disallowed
attribute, the station should prevent association to that AP. When using
passive scanning, it is possible for the scan results to contain the
latest information in the Beacon frame elements instead of the Probe
Response frame elements. That could result in using old information and
not noticing the AP having changed its state to disallowing new
associations.
Make it more likely to follow the AP's change to disallow associations
by checking the Beacon frame elements instead of Probe Response frame
elements if the scan results are known to contain newer information for
the Beacon frame.
Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
It would have been possible for the authentication attemps to go into a
loop if the AP/Authenticator/authentication server were to believe EAP
authentication succeeded when the local conclusion in Supplicant was
failure. Avoid this by timing out authentication immediately on the
second consecutive EAP authentication failure.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
To support the STA testbed role, the STA has to disable transmitting
EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to
disable sending EAPOL-Key group msg 2/2 of Group Key Handshake.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Allow PKEX v1-only or v2-only behavior to be specific for the Responder
role. This is mainly for testing purposes.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The offchannel frame TX wait was stopped whenever processing
DPP_STOP_LISTEN in most cases. However, there was a corner case on the
Responder side where this operation was skipped after PKEX was completed
successful and the Authentication Request frame had not yet been
received from the Initiator.
While this does not normally cause any significant issue, this could
result in unexpected behavior especially in test cases that run multiple
DPP PKEX operations in a row since the start of a new TX operation might
get delayed while waiting for the previous TX-wait to complete.
This was found with the following test case sequence:
dpp_reconfig_retries dpp_pkex_alloc_fail
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Instead of depending on the TX-wait-response-time to be sufficient to
cover the full GAS exchange, start an ongoing listen operation on the
negotiation channel (if no such listen operation is already in place) to
allow the configuration exchange to take longer amount of time. This is
needed for cases where the conf=query is used to request Configurator
parameters from upper layers and that upper layer processing (e.g., user
interaction) takes significant amount of time.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
After receiving a BSS Transition Management request,
wpa_supplicant_connect() will abort ongoing scans, which will cause scan
results to be reported. Since the reassociate bit is set, this will
trigger a connection attempt based on the aborted scan's scan results
and cancel the initial connection request. This often causes
wpa_supplicant to reassociate to the same AP it is currently associated
to instead of the AP it was asked to transition to.
Add a bss_trans_mgmt_in_progress flag to indicate that we're currently
transitioning to a different AP so that we don't initiate another
connection attempt based on the possibly received scan results from a
scan that was in progress at the time the BSS Transition Management
request was received.
This is the equivalent of commit 5ac977758d ("Reject authentication
start during explicit roam requests") for the roaming scenario.
Signed-off-by: Nicolas Norvez <norvez@chromium.org>