Use the new nss_macsec_secy_id_get() function, if available, instead of
the hardcoded ifname to secy_id mapping.
Signed-off-by: leiwei <leiwei@codeaurora.org>
The disable_dgaf config field is only available in case hostapd is
compiled with Hotspot 2.0 support (CONFIG_HS20=y), however Proxy-ARP
(CONFIG_PROXYARP=y) does not depend on Hotspot 2.0.
Only add the code related to this config field when Hotspot 2.0 is
enabled to fix compilation with the aformentioned preconditions.
Signed-off-by: David Bauer <mail@david-bauer.net>
There is no convenient mechanism for reauthenticating and generating a
new PMK during an association with SAE. As such, forced PMK update would
mean having to disassociate and reauthenticate which is not really
desired especially when the default PMKLifetime is only 12 hours.
Postpone PMKSA cache entry expiration of the currently used entry with
SAE until the association is lost. In addition, do not try to force the
EAPOL state machine to perform reauthentication for SAE since that won't
work.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some distros carry patches to specify driver fallback, but only in
specific conditions (e.g. the systemd service definition[1]). This leaves
other wpa_supplicant instances needing to define fallback themselves,
which leads to places where wpa_supplicant thinks it can't find a
driver[2]. Instead, when -D is not specified, have wpa_supplicant try
all the drivers it was built with in an attempt to find a working one
instead of just giving up if the first doesn't work.
[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012
Signed-off-by: Kees Cook <kees@ubuntu.com>
Update PMKSA cache when interface is disabled and then enabled based on
the new MAC address. If the new MAC address is same as the previous MAC
address, the PMKSA cache entries are valid and hence update the PMKSA
cache entries to the driver. If the new MAC address is not same as the
previous MAC address, the PMKSA cache entries will not be valid anymore
and hence delete the PMKSA cache entries.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
While creating a cloned PMKSA entry for OKC both expiration and
reauth_time values are set to maximum values, but later only the
expiration time is copied from the old PMKSA entry to the new PMKSA
entry. Due to this there is a possibility of reauth_time becoming
greater than expiration time in some cloned entries. To avoid this copy
reauth_time also to the cloned entry.
Also, add check to reject control interface commands with reauth time
greater than expiration time.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
The change to support variable length PMK in wlantest missed couple of
places where the PMK length did not get used or set properly. In
particular, this ended up breaking FT key derivation for the case where
a passphrase was used to derive a potential per-BSS PMK. Fix this by
setting and using the PMK length properly.
Fixes: 6c29d95a90 ("wlantest: Support variable length PMK")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Replaced the word "sanity" with the inclusive word "validity". The
comment in acs_survey_interference_factor() was referring a function
that does not exist, so remove it instead of trying rename the function.
Signed-off-by: Arowa Suliman <arowa@chromium.org>
Allow sae_pwe parameter to be configured per-network and enforce the
SAE hash-to-element mechanism for the P2P GO if it is started on
a 6 GHz channel.
Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
Existing logic to disable HE in hostapd_set_freq_params() is to check
he_cap != NULL, but this is not correct as he_cap is defined as a stack
member of hostapd_hw_modes which can't be NULL. Add one more check
!he_cap->he_supported to make sure HE can be disabled if the driver not
support it.
This fixes a case where a driver does not support HE, but hostapd.conf
enables HE/HT40 on the 2.4 GHz band and hostapd failed to start with
error '40 MHz channel width is not supported in 2.4 GHz'.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a QCA vendor attribute to indicate agile spectral scan support for
320 MHz mode. Add another attribute to indicate the number of detectors
used for spectral scan in 320 MHz mode.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
After roaming from WPA2-AP (group=CCMP) to WPA-AP (group=TKIP) using
driver-based SME and roaming trigger, GTK renewal failures are observed
for the currently associated WPA-AP because of group cipher mismatch,
resulting in deauthentication with the AP.
Update the group cipher and pairwise cipher values in wpa_sm from
association event received from the driver in case of SME offload to the
driver to address GTK renewal failures (and similar issues) that could
happen when the driver/firmware roams between APs with different
security profiles.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Introduce a new vendor command QCA_NL80211_VENDOR_SUBCMD_ROAM_EVENTS
that aims to configure/trigger the roam events from the driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an explicit check for msg->channel_list != NULL instead of depending
on msg->channel_list_len > 0 implying that. This is to silence invalid
static analyzer reports.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an explicit check for modes != NULL instead of depending on
num_modes > 0 implying that. This is to silence invalid static analyzer
reports.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Support adding/deleting vendor elements dynamically for AP mode while it
is started by wpa_supplicant instead of hostapd which already supported
this. This adds ap_assocresp_elements global parameter and UPDATE_BEACON
control interface command to take the changed values into effect.
Usage in wpa_cli:
Add vendor IE for (Re)Association Response frames
> set ap_assocresp_elements=xxxx
Add vendor IE for Beacon/Probe Response frames
> set ap_vendor_elements=xxxx
Delete vendor IE from (Re)Association Response frames
> set ap_assocresp_elements
Delete vendor IE from Beacon/Probe Response frames
> set ap_vendor_elements
To make vendor IE changes take effect
> update_beacon
Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
Add support to send DSCP Policy Query frame using a new control
interface command DSCP_QUERY. This includes support for a wildcard DSCP
query and a DSCP query with a single Domain Name attribute.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add support to parse WFA Capabilities element from the (Re)Association
Response frame. Also register a timeout for the station to wait before
sending a new DSCP query if requested by AP.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Indicate DSCP Policy capability by including a WFA Capabilities element
containing the relevant bit set to 1 in the (Re)Association Request
frames when enabled by user.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add support to prepare and send DSCP response action frame to the
connected AP in response to a new control interface command DSCP_RESP.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add support to parse received DSCP Policy Request frames and send the
request details as control interface events.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
The DSCP policy capability is disabled by default. The user frameworks
which have support for handling DSCP policy request messages need to
enable this capability explicitly to allow wpa_supplicant to advertise
the capability to the AP and allow the related frames to be processed.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
This function is not specific to GAS, so make it available throughout
wpa_supplicant without requiring CONFIG_GAS.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 0cb39f4fd5 ("HE: Extend BSS color support") sets the BSS Color
default value to 1 as "Interoperability testing showed that stations
will require a BSS color to be set even if the feature is disabled."
A new interop issue was observed with hardcoded BSS color value of 1:
- REF device using one interface (e.g., wlan0) to connect to an HE
AP, whose BSS color is enabled and value is 1.
- REF device using another interface (e.g., p2p0) to connect to a
P2P GO using BSS color default settings.
(i.e., BSS color disabled and value is 1).
- REF device checks both AP's and P2P GO's BSS Color values even though
GO's BSS color is disabled. This causes collision of the BSS
color somehow causing RX problems.
For DUT as a P2P GO, its firmware uses default BSS color value 1 from
wpa_supplicant, then triggers a timer (e.g., 120 s) to update its BSS
color values based on its neighboring BSSes. To reduce the likelihood of
BSS color collision with REF device before that, use a random BSS Color
if not defined in the config file.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This new vendor command aims to indicate the driver to enable the
monitor mode for an interface on which this command is issued. Once
enabled, the frames (both TX and RX) on this interface are sent to an
active coexisting monitor interface.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add new attributes for supporting MBSSID multi groups notifications
to qca_wlan_vendor_attr_mbssid_tx_vdev_status
(QCA_NL80211_VENDOR_SUBCMD_MBSSID_TX_VDEV_STATUS).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
QCA_ROAM_REASON_USER_TRIGGER was wrongly documented as
QCA_ROAM_REASON_EXPLICIT_REQUEST, so correct it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>