Commit graph

323 commits

Author SHA1 Message Date
Ilan Peer
5927455b8b MLD: Add support for disabled APs
An affiliated AP of an AP MLD can temporarily be disabled. Other
affiliated APs of the AP MLD indicate this in the Reduced Neighbor
Report (RNR) elements added to their Beacon and Probe Response frames.

When an affiliated AP is disabled, it should be included in the
association exchange, but can be activated only after it is enabled.

Add support identifying disabled APs and propagate the information
to the driver within the associate() callback.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 15:56:41 +02:00
Veerendranath Jakkam
88984bbb94 MLD STA: Update SAE PWE derivation in hunting-and-pecking loop case
Use AP MLD address instead of BSSID for PWE derivation during MLO
connection. This was already done for H2E in commit e869fdfeef
("wpa_supplicant: Use MLD address in SAE authentication"). While IEEE
P802.11be requires H2E to be used, there are deployed AP MLDs that do
not follow that requirement. This change to the hunting-and-pecking loop
case is needed for interoperability workarounds with such APs.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-12-21 13:06:57 +02:00
Chaitanya Tata
32b5f7f501 Add an option to remove Robust AV (SCS, MSCS, QoS Management)
For a memory constrained system, it may be more important to reduce
binary size than include support for these capabilities.

By default this is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:45 +02:00
Chaitanya Tata
6ed8eba00d Add an option to remove RRM and supported operating class indication
Removing radio measurements and supported operating class indication
might be needed to reduce binary size for a memory constrained system
that does not need more advanced features. However, removing these is
not recommended since they can help the AP manage the network and STA
steering.

By default this functionality is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:43 +02:00
Benjamin Berg
b9c81e2005 MLD: Use MLD MAC address for deauthentication
When connecting, pending_bssid is set to the main link that we are
authenticating/associating on. Later on, the MLD MAC address will be
stored in the bssid, but we may also try to deauthenticate before we are
connected and in that case, pending_bssid is not yet set to the MLD MAC
address.

As such, use the ap_mld_addr instead of pending_bssid if n_mld_links is
non-zero. This is the sensible thing to do and expected behavior on
nl80211.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 21:49:06 +02:00
Ilan Peer
b29ac99d52 scan: Include AP MLD ID in ML probe request if needed
According to IEEE P802.11be/D4.0, 35.3.4.2, the AP MLD ID must be
included in the Probe Request ML element in case it is sent to a
transmitted BSS in which case it should be set to 0. If it is sent to an
non-transmitted BSSID, the AP MLD ID should not be included.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 21:38:57 +02:00
Benjamin Berg
3cd377eb54 MLD: Ignore failed links from association attempt
If for some reason association fails and a link which has an error is
reported, add that specific link to the ignore list. After that,
immediately retrigger the connection code. In the usual case, we are
then going to reconnect to the same AP MLD but with that particular link
not being included in the connection.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-25 17:10:38 +02:00
Benjamin Berg
5af986c75a MLD: Also mark links as failed after association failure
Parse the link status values out of Multi-Link association response. If
the AP rejects ML association and marks the links as failed with a
reason code other than TX_LINK_NOT_ACCEPTED, also report these links to
wpas_connection_failed() and ignore them.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 16:44:01 +02:00
Andrei Otcheretianski
cb90aa3acf wpa_supplicant: Remove duplicate logic in wpas_ml_element()
Parsing multiple RNR elements already exists in
wpa_bss_parse_basic_ml_element(), so wpas_ml_element() just duplicates
the same code. Combine the functionality of both these functions and
remove the duplicate.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 12:03:52 +02:00
Andrei Otcheretianski
74b6884306 wpa_supplicant: Add config parameters for MLD testing
Add band preference, BSSID preference, and single link enforcement
testing options. This is needed for testing MLO.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 11:26:00 +02:00
Benjamin Berg
b3aafd5a87 common: Simplify and avoid confusing defragmentation API
Three functions were provided for defragmentation. First
ieee802_11_defrag(), ieee802_11_defrag_mle() and then
ieee802_11_defrag_data() which would do the actual job. With
ieee802_11_defrag() picking the member in the elements struct for an
EID. The problem with this is, that for the Multi-Link element, there
are multiple entries in the elems struct depending on its type. As such,
remove the intermediate function and simply pass the correct members
directly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 10:56:56 +02:00
Benjamin Berg
9ffebf758d SME: Drop old disassoc_while_authenticating workaround
This workaround from commit 6d6f4bb87f ("nl80211: Work around mac80211
limitation on (re)auth when authenticated") pre-dates the code that
supresses the deauth or disconnect event from nl80211. Should this code
be called it would not actually work at this point, as important
internal state for the authentication attempt has already been lost.

Simply drop the code. This might also fix issues where we could get
into a bad state if a proper deauth/disconnect event happens while we
are authenticating or associating.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-24 22:59:19 +02:00
Ben Greear
a3020f852e MLD: Use BSS Parameters in TBTT Info to check SSID match
Use the Same SSID and Colocated AP bits as an alternative way of finding
a match on the current SSID.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 19:42:29 +02:00
Ben Greear
0635f83e48 MLD: Support multiple TBTT Information fields in RNR elements
The Reduced Neighbor Report element can include one or more TBTT
Information fields.  Only the first one was parsed previously. Extend
this to use a loop to go through all included TBTT Information fields.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 19:38:06 +02:00
Jouni Malinen
c18aef6241 MLD: Move TBTT Information field parsing into a helper function
This makes it more convenient to process multiple TBTT Information
fields within an RNR element.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-07 19:19:22 +02:00
Ben Greear
99a8dd0495 MLD: Support multiple RNR elements
Beacon frames are allowed to optionally include one more more Reduced
Neighbor Report elements. Only the first one was parsed previously.
Extend this to use a loop to go through all included RNR elements.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 18:55:50 +02:00
Jouni Malinen
be212bdb55 MLD: Move RNR element parsing into a helper function
This makes it more convenient to process multiple elements.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-07 18:44:22 +02:00
Sebastian Priebe
e97d7c5a6a Only advertise MSCS and SCS in Association Request if supported by AP
Since wpa_supplicant version 2.10 the extended capabilities MSCS and SCS
are advertised in the (Re)Association Request frames.

This causes the association request to be rejected by several access
points. Issue was observed with:
- D-Link DIR600
- TP-Link AC1900
- Synology MR2200ac

To avoid this issue the extended capabilities MSCS and SCS shall only be
added if the bss also supports them. While this may not follow the exact
behavior described in IEEE 802.11, this is a reasonable compromise to
avoid interoperability issues since these capabilities cannot be used
with an AP that does not support them anyway.

Note: The Extended Capabilities element is only included in the
Association Request frames if the AP also sent its extended capabilities
(see wpas_populate_assoc_ies()) as a workaround for misbehaving APs.
This workaround exists since version 2.1.

Signed-off-by: Sebastian Priebe <sebastian.priebe@konplan.com>
2023-11-03 13:10:01 +02:00
Matthew Wang
42add3c27b Scan 6 GHz channels after change to 6 GHz-allowed regdom
Drivers will often report regdom changes in the middle of a scan if they
detect during that scan that the regulatory domain has changed. If this
happens and we enter a regdom that supports 6 GHz channels when the
previous one didn't (this often happens in 6 GHz-capable regdoms for
devices after suspend/resume), immediately trigger a 6 GHz-only scan if
we were not able to connect to an AP on a legacy band.

This should significantly improve connection time to 6 GHz AP after
regdom has been reset.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Matthew Wang
17bdf34c49 Use default IEs in wpa_supplicant_trigger_scan()
wpa_supplicant_trigger_scan() previously wouldn't include any of the IEs
generated by wpa_supplicant_extra_ies(). Instruct it to do so in most
cases. This is necessary because MBO STAs are required to include MBO
capabilities in their Probe Request frames.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Andrei Otcheretianski
e5ea30feef SME: MLD: Handle reconfiguration Multi-Link element
Parse the reconfiguration Multi-Link element and:

- Don't select a BSS for connection if it is part of an MLD
  and is going to be removed.
- Don't scan for missing links that are to be removed.
- Don't include removed links in association.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-10-29 16:43:34 +02:00
Veerendranath Jakkam
c4c5c991da SAE: Do not reject reauth threshold passed PMKSA in association event
Do not reject reauth threshold passed PMKSA indicated in successful
association event since the PMKSA is still valid.

Additionally, remove the reauth threshold passed PMKSA entry from the
driver to prevent using it further in the driver.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-09-28 18:57:50 +03:00
Veerendranath Jakkam
199b44213c MLD STA: Allow auth frames without ML IE for failure status codes
In some cases like unknown-group rejection, AP MLD can't parse the
received Authentication frame to the point of the Multi-Link element if
the group used by the peer is unknown to the AP MLD.

In such cases, AP MLD not including Multi-Link element in rejection
Authentication frames can be considered as standard compliant since AP
MLD doesn't know whether the received Authentication frame has
Multi-Link element or not.

To avoid connection issues in such cases, don't reject Authentication
frames without Multi-Link element when status code is other than
WLAN_STATUS_SUCCESS, WLAN_STATUS_SAE_HASH_TO_ELEMENT,
WLAN_STATUS_SAE_PK, and WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-05-25 18:03:58 +03:00
Veerendranath Jakkam
8bc84fceeb Allow MLO disabled connection to legacy open/WPA2-Personal-only AP MLDs
wpa_supplicant was skipping MLD APs from network selection when the AP
advertise legacy open, WPA2-Personal-only (PSK without SAE), or PMF
disabled. However, there are already some early Wi-Fi 7 APs in the
market which advertise legacy open, WPA2-Personal-only, or PMF disabled
even though these combinations are unlikely to be allowed for Wi-Fi 7 in
the end.

To avoid connectivity issues with such APs, allow stations to connect
with MLO disabled when an AP MLD is detected to advertise legacy open,
WPA2-Personal-only (PSK without SAE), or PMF disabled.

This reverts commit 7d8b96dcfd ("wpa_supplicant: Apply same
restrictions for MLD as for 6 GHz BSS") except WEP and TKIP checks,
i.e., AP MLDs which advertise only WEP or TKIP are still skipped from
network selection.

For the SME-in-wpa_supplicant case, skip configuring MLD parameters to
the driver if the STA can connect only in legacy open,
WPA2-Personal-only, or PMF disabled mode. For the SME-in-driver case, it
is the driver's responsibility to initiate connection with MLO disabled
with such APs.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-25 17:04:44 +03:00
Veerendranath Jakkam
6002fe87d8 SAE: Fix expected AP MLD address info in a debug print
Print correct expected AP MLD address information when the AP MLD
address validation fails in Authentication frames during external
authentication.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-19 11:51:43 +03:00
Veerendranath Jakkam
c70405cef6 MLD STA: Do not fail on unknown IEs in Authentication frames
Fail MLD address validation only if Authentication frames IE parsing
actually failed, i.e., ignore all unknown IEs.

This is needed to avoid authentication failure when the Authentication
frames include IEs which are not handled by ieee802_11_parse_elems(),
e.g., AKM Suite Selector IE.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-04-19 11:50:55 +03:00
Veerendranath Jakkam
c91852044d MLD STA: Add support for SAE external authentication offload to userspace
Enable MLO for SAE authentication when the driver indicates the AP MLD
address in an external authentication request. The MAC address of the
interface on which the external authentication request received will be
used as the own MLD address.

This commit does below for enabling MLO during external SAE
authentication:
- Use MLD addresses for SAE authentication.
- Add Basic Multi-Link element with the own MLD address in SAE
  Authentication frames.
- Send SAE Authentication frames with the source address as the own MLD
  address, destination address and BSSID as the AP MLD address to the
  driver.
- Validate the MLD address indicated by the AP in SAE Authentication
  frames against the AP MLD address indicated in external authentication
  request.
- Store the PMKSA with the AP MLD address after completing SAE
  authentication.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-02-15 23:49:59 +02:00
Jouni Malinen
bf124a03d5 SAE: Update PT value at later point for SME cases, if needed
It was possible to hit a case where the SAE PT had not yet been derived,
e.g., when using P2P group re-invocation. Update PT use at the time
authentication is started, if needed, to avoid this. While this is not
really ideal from the externally observable timing view point, this is
done only for the case where there is no other option available with a
dynamically changing network configuration for P2P. Similar design was
already in place for the SAE offload-from-driver (external auth) case.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-01-30 23:23:22 +02:00
Jouni Malinen
37f8257c4f SAE: Extend automatic enabling of H2E on 6 GHz to additional cases
Commit 3a0edb2cd8 ("SAE: Enable H2E for 6 GHz BSS") started enabling
H2E automatically for SAE use on the 6 GHz band, but it did not update
these steps in verifying whether the STA has matching configuration for
a BSS that mandates use of H2E and whether to use PT for SAE in SME.
Update these to be aware of automatic H2E enabling.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-01-30 23:21:06 +02:00
Andrei Otcheretianski
e869fdfeef wpa_supplicant: Use MLD address in SAE authentication
Use MLD address in SAE commit derivation and PMKSA storing.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:47:34 +02:00
Andrei Otcheretianski
8c0f83ae88 SME: Accept Authentication frame from an MLD AP
The driver is expected to translate the link addresses to MLD addresses
when processing an Authentication frame from a MLD AP. Thus, accept
Authentication frame when the peer matches the expected MLD address.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:38:03 +02:00
Andrei Otcheretianski
23039f5e4a SME: Add support for handling association with MLD
In case both the local driver and the AP support MLD, request an MLD
association from the driver.

When processing the association event from the driver verify that the
multi link information in the (Re)Association Response frame ML element
matches the links on which the association was expected.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:33:11 +02:00
Andrei Otcheretianski
8f89661df5 SME: Add support for handling authentication with MLD
In case both the local driver and the AP support MLD, request an MLD
authentication from the driver. When processing the authentication event
from the driver verify that the MLD address in the authentication data
matches that of the requested AP.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:31:41 +02:00
Andrei Otcheretianski
694a1c6873 SAE: Make sme_sae_auth() return IE offset
Authentication frames include several fixed body parts (see Table 9-68
(Authentication frame body) and Table 9-69 (Presence of fields and
elements in Authentication frames) in IEEE P802.11-REVme/D2.0).

To be able to parse the IE part, these fields need to be skipped. Since
SAE logic already implements this parsing, change SAE authentication
handling functions to return the offset to the IE part. This preparation
is needed for future MLD patches that need to parse out the ML related
elements in the Authentication frames.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:11:16 +02:00
Veerendranath Jakkam
23e31eb68e SAE: Support cross AKM roaming between SAE AKMs in external auth case
Add support to handle external authentication request with a different
SAE AKM suite compared to the current connection AKM suite. This is
needed to support cross AKM roaming between SAE and SAE-EXT-KEY AKM
suites.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-12-15 18:36:26 +02:00
Micha Hashkes
755aaeb97f wpa_supplicant: Add missing memory allocation checks
There are several cases where memory allocations are not
checked for success. Add conditions and error messages, as some
analyzers complain about that.

Signed-off-by: Micha Hashkes <micha.hashkes@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-11-30 19:14:02 +02:00
Jouni Malinen
bbd5a4689b SAE: Add an enum for defining sae_pwe parameter values
Make this more readable by replacing magic numbers with enum values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-29 20:37:23 +02:00
xinpeng wang
2afb9b1a58 dbus: Add dbus notify when wpa_s->key_mgmt changes
For WPA2/WPA3 authentication mode, wpa_supplicant needs to notify
CurrentAuthMode property change when wpa_s->key_mgmt changes, so
NetworkManager can judge whether it needs to request a password based on
this.

Call wpas_notify_auth_changed() when starting a new connection item,
i.e., after having updated wpa_s->key_mgmt.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2022-11-27 14:18:53 +02:00
Jouni Malinen
5ea7a2f545 DPP: Drop PMKSA entry if AP reject association due to invalid PMKID
This is needed to avoid trying the subsequent connections with the old
PMKID that the AP claims not to hold and continues connection failures.
This was already handled for the SME-in-the-driver case in commit commit
50b77f50e8 ("DPP: Flush PMKSA if an assoc reject without timeout is
received"), but the wpa_supplicant SME case did not have matching
processing.

Add the needed check to avoid recover from cases where the AP has
dropped its PMKSA cache entry. Do this only based on the specific status
code value (53 = invalid PMKID) and only for the PMKSA entry that
triggered this failure to minimize actions taken based on an unprotected
(Re)Association Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-20 11:08:26 +02:00
Jouni Malinen
bbe5f0c1eb FT: Do not try to use FT protocol between mobility domains
wpa_supplicant has support for only a single FT key hierarchy and as
such, cannot use more than a single mobility domain at a time. Do not
allow FT protocol to be started if there is a request to reassociate to
a different BSS within the same ESS if that BSS is in a different
mobility domain. This results in the initial mobility domain association
being used whenever moving to another mobility domain.

While it would be possible to add support for multiple FT key hierachies
and multiple mobility domains in theory, there does not yet seem to be
sufficient justification to add the complexity needed for that due to
limited, if any, deployment of such networks. As such, it is simplest to
just prevent these attempts for now and start with a clean initial
mobility domain association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-09 00:54:41 +02:00
Utkarsh Soni
b92f61885c Don't use default RSNE/RSNXE when the driver indicates cross SSID roaming
During cross SSID roaming wpa_supplicant ended up using the default
RSNE/RSNXE in EAPOL-Key msg 2/4 though the driver indicated
(Re)Association Request frame elements without RSNE/RSNXE. This causes
RSNE/RSNXE mismatch between (Re)Association Request frame and EAPOL-Key
msg 2/4.

To avoid this skip copying the default RSNE/RSNXE if the driver
indicates the actually used (Re)Association Request frame elements in
the association event.

Signed-off-by: Utkarsh Soni <quic_usoni@quicinc.com>
2022-11-08 16:01:12 +02:00
Ben Wolsieffer
bdc35acd5a SAE: Allow loading of the password from an external database
There was no support for loading SAE passwords from an external password
database.

Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
2022-11-07 14:02:55 +02:00
Jeffery Miller
c6f8af507e Add option to disable SAE key_mgmt without PMF
Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.

Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.

Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.

Signed-off-by: Jeffery Miller <jefferymiller@google.com>
2022-11-05 17:48:17 +02:00
Matthew Wang
2e73394426 P2P: Discount current operating frequency when scanning new connection
When scanning for a new connection, we currently optimize by scanning
all frequencies only when our MCC capabilities will allow an additional
operating frequency, and scan only the existing operating frequencies
otherwise. This is problematic when there the current operating
frequency singularly accounts for one of the shared radio frequencies
because we should be able to switch operating frequencies without adding
to the channel count. Fix this.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2022-11-05 13:43:06 +02:00
Jouni Malinen
e5d15e2254 EHT: Allow EHT to be disabled using disable_eht=1 in wpa_supplicant
This is similar to the previously added disable_ht/vht/he parameters.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-17 11:13:09 +03:00
Jouni Malinen
041f6cea94 SAE: Accept FT and -EXT-KEY AKMs for external auth
Use a full list of AKM suite selectors that can use SAE authentication
when checking for authentication trigger from the driver.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 18:35:51 +03:00
Jouni Malinen
8392ea9e75 SAE: Fix AKM suite selector check for external authentication
AKM suite selector check was initially implemented with incorrect byte
swapping of the value from the driver (nl80211). Fix this and leave a
workaround option for any potentially deployed device where the driver
might be using the swapped byte order.

Fixes: 5ff39c1380 ("SAE: Support external authentication offload for driver-SME cases")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 18:25:11 +03:00
Veerendranath Jakkam
d1a7626ff9 SAE: Use correct SSID profile for SAE auth retries during external auth
Previously, wpa_supplicant was using the current SSID for building the
SAE authentication commit frame for retries during external
authentication. But the external authentication SSID can be different
from the current SSID. Fix this by using the correct SSID profile.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-09-13 05:53:05 +03:00
Jouni Malinen
096feac194 SAE: Include the new -EXT-KEY AKMs in external auth case
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-13 05:12:03 +03:00
Veerendranath Jakkam
76793cbbca SAE: Make sure H2E PT is derived for external auth SSID profile
The driver's SME may choose a BSS of a different ESS (SSID) compared to
the current SSID and trigger external authentication. If the chosen SSID
is not associated/selected before by wpa_supplicant it won't have the
H2E PT derived. Make sure to derive PT for SSID indicated in the
external authentication request.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-09-13 05:10:17 +03:00