Add a new "ssid_verified=1" entry into the control interface STATUS
command output if the SSID has been verified for the current
association. This verification may have been done implicitly (e.g., with
SAE H2E and FT protocol binding in the SSID into key derivation or with
FILS protecting the SSID element in the (Re)Association Request frame)
or explicitly with the recently added SSID protection mechanism during
the 4-way handshake.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In case the scan request handling fails, exit cleanly, i.e., without
setting internal state such as the 'scan_res_handler' pointer.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The consumer of the link_bssid array assumes it is a NULL terminated
array of BSSIDs. As such, add one to the maximum number of links to
ensure that there is always a sentinel value.
Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When ignoring a link BSSID the multi-link information was parsed out
into a struct ml_sta_link_info on the stack. However, this stack
variable went out of scope before it was used by passing the link_bssids
pointer array to another function.
Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Explicitly free the previously allocated copy if ServiceDiscoveryRequest
or Service DiscvoveryResponse parsing loop finds multiple instances of
the same dict entry.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using D-Bus it is possible to request an invalid SD response where
"tlvs" is specified and there is an unknown key (e.g. "bar": "foo"). In
this case, "tlv" is allocated and then never used nor freed. Valgrind
complains as follows:
36 bytes in 1 blocks are definitely lost in loss record 20 of 74
at 0x484C214: calloc (vg_replace_malloc.c:1675)
by 0x41C673: wpabuf_alloc (wpabuf.c:124)
by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
by 0x5495DF: dispatch_data (dbus_common.c:37)
by 0x5495DF: process_watch (dbus_common.c:73)
by 0x5495DF: process_watch_read (dbus_common.c:89)
by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
by 0x41FA46: eloop_run (eloop.c:1233)
by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
by 0x40DB06: main (main.c:393)
Fix it ensuring that "tlv" is freed both in the error and non-error path
of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
test_dbus.py to verify correct behavior.
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
Using D-Bus it is possible to trigger a valid UPnP SD request where
"tlv" is specified: in this case "tlv" is allocated, and then not used
nor freed. Valgrind complains as follows:
72 bytes in 2 blocks are definitely lost in loss record 46 of 68
at 0x484C214: calloc (vg_replace_malloc.c:1675)
by 0x41C673: wpabuf_alloc (wpabuf.c:124)
by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
by 0x5495DF: dispatch_data (dbus_common.c:37)
by 0x5495DF: process_watch (dbus_common.c:73)
by 0x5495DF: process_watch_read (dbus_common.c:89)
by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
by 0x41FA46: eloop_run (eloop.c:1233)
by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
by 0x40DB06: main (main.c:393)
Fix it ensuring that "tlv" is freed, both in the error and non-error
path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
test_dbus.py to verify correct behavior.
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
wpa_s_setup_sae_pt() derived SAE PT even when the configured key
management options did not include SAE if the global sae_pwe
configuration parameter had been changed to enable H2E. This adds
unnecessary extra delay, so derive PT only if SAE is actually enabled in
the network profile.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.
Fixes: 444d76f74f ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client.
Signed-off-by: Jouni Malinen <j@w1.fi>
The rejected groups list is valid only during each individual SAE
authentication instance and it should not be maintained between separate
instances. In particular, it should not be maintained when roaming to
another AP since the APs might use different configuration for the
allowed SAE groups.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant used to maintain the list of rejected groups for SAE over
multiple failed attempts. This could have some DoS issues, so clear this
list if SAE authentication attempts fails continuously.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
This functionality is disabled by default and can be enabled with
ssid_protection=1 in the network profile. Once there has been more
testing of this to confirm there is no significant interoperability
issues, the goal is to be able to change this to be enabled by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant might use a wrong BSS entry with the SSID different from
the current SSID of the current BSS while processing a roam event from
the driver when wpa_supplicant has a stale BSS entry with the old SSID
and the driver roams to the same BSS after it is restarted with a new
SSID.
To avoid this, update scan results from the driver when a BSS entry is
not found with the current SSID and try to fetch the BSS entry again
with the current SSID after this.
Also, with this change wpa_supplicant_get_new_bss() itself will update
the BSS table and search for the current BSS entry if it is not found in
the BSS table. So, remove the BSS table update and search logic from the
callers of wpa_supplicant_get_new_bss().
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add a new wpa_supplicant network profile parameter max_idle that can be
used to specify a specific maximum idle period in units of 1000 TUs
(1.024 s) for associations.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allocate static IPv4 address in EAPOL frames during 4-way handshake
instead of DHCP when using P2P invitation. wpa_s->current_bss needs to
be set for the P2P specific IP address assignment mechanism to be used
in wpa_supplicant_rsn_supp_set_config(). This worked for the initial P2P
connection, but not for some cases reinvoking a persistent group.
Since there is only one AP (P2P GO) in the P2P client case, the
conditions added in commit 4d3be9cdd1 ("Postpone updating of
wpa_s->current_bss till association event") are not needed and the
easiest approach for this is to allow current_bss to be set for
p2p_in_invitation cases. If the GO P2P Interface Address (BSSID) could
be determined for all the related cases, this could be addressed a bit
more cleanly by setting the go_bssid argument for
wpas_start_p2p_client(), but that can be left as a possible future step.
Signed-off-by: tzu-meng wang <tzu-meng.wang@mediatek.com>
Make the channel switch complete event, WPA_EVENT_CHANNEL_SWITCH,
accessible to the action script.
Signed-off-by: arun.jose <arun.jose.wg@bp.renesas.com>
D-Bus expects "persistent" to be a bool (0/1) and crashes otherwise.
Since persistent may also be 2 convert it to boolean.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
In case the channel map was updated to include the 6 GHz but these channels
were not scanned yet, do not allow fast associate.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If one sends a Probe Request frame to a non-TX BSSID, no AP MLD ID
should be included in the request. Permit mld_id to be -1 so that it is
not a required argument and can be left out.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When the authentication is an MLD authentication need to use the AP MLD
MAC address when requesting the driver to deauthenticate.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In case of failure handling an Authentication frame from the AP MLD,
clear the MLD state only after the deauthentication is done. This allows
deauthentication process to use the AP MLD MAC address.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If parsing the basic ML element in the Authenticate frame fails,
instead of only disassociating, completely deauthenticate so all
state machines would be in a consistent state.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
When considering to roam to a different BSS and the connection
is an MLD connection, do not roam to a BSS which is already
included in the MLD connection.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
wpa_s->connect_without_scan could have been left pointing to invalid
network when a network profile was removed. It seems to be possible for
this to happen in some hwsim test case scenarios under specific timing,
but the exact reason for this is not clear. In any case, this pointer
needs to be cleared.
Signed-off-by: Jouni Malinen <j@w1.fi>
OBSS scan can be required in different links if operating as an AP MLD.
When triggering scan, specify the link ID for the driver to find the
correct link to scan.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Modules that use libpasn for PASN authentication need the context of
PASN data. PASN data is a common context for the library and the modules
using it. Hence, initialize the context through init and deinit
functions. Also use set and get functions to update the parameters.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PMKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on IEEE8021X_EAPOL define for the
external modules at compile time, remove PMKSA cache static inline
functions from the header file and add wrapper function stubs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on CONFIG_PTKSA_CACHE define for
the external modules at compile time, remove PTKSA cache static inline
functions from the header file and add wrapper function stubs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Try to find the BSS entry that contains the most likely current
information for the target BSS. This is mainly needed to avoid some
unusual behavior with APs changing their Beacon frame information in a
manner that shows up in automated testing, but this might help with some
more dynamic real world uses as well, so better do the BSS entry search
for the newest entry.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This wrapper function was not used at all, so remove it to make it
clearer that the set_ap() driver op is called only from hostapd code.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In case we run command like:
wpa_cli -g <global_ctrl_path> command
don't print
"Selected interface " message.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
When wpa_supplicant needed to update the internal BSS table with the
latest scan results from the driver, it fetched all BSSs and processed
them all. This is unnecessary for cases where an update is needed only
for a specific BSS. Optimize this by filtering out the unnecessary
entries from the results.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 117e812d06 ("Update BSS table entry if roaming event indicates
frequency change") added wpa_supplicant BSS table update based on the
latest driver scan results whenever processing an association event that
results in the current operating channel changing. While that is needed
to cover the case where an AP changes its own operating channel (and
that is noticed as a roam or new connection instead of a channel switch
event), this should not really be needed for cases where the
wpa_supplicant entry for the new BSS is already up to date.
Skip the full BSS table update on association event if the event is for
a roaming case to a different BSS and the BSS entry for the target is
already available and for the current operating channel. This avoids
undesired latency when processing the association event.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Update EAP-WSC parameters to include Multi-AP profile info to pass the
profile information through the provisioning steps. This is needed for
provisioning the STA configuration when different profiles are used.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Allow both hostapd and wpa_supplicant to be configured with the
supported Multi-AP profile. The configured value will be advertised in
the Multi-AP element.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
This makes it more convenient to handle extensions to the element and
allows code to be shared between hostapd and wpa_supplicant.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Add ANQP fields to the BSS properties to allow DBus clients to be
notified and obtain the values when it changes.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
Add a D-Bus method to perform ANQP get requests. The new method is
equivalent to the "anqp_get" command available in wpa_cli.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
To implement an action script that listens for DPP push button events
and for example blinks a LED it is useful to know when push button has
started. Emit an event when push button starts.
Signed-off-by: Evan Benn <evan.benn@morsemicro.com>
This is needed to be able to check validity of the channel parameters
for cases where EHT puncturing impacts what can be enabled for
HT/VHT/HE.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Only the 2.4 and 5 GHz channels were handled previously when removing
operating classes from the Supported Operating Classes element based on
the freq_list parameter. Extend this to include the 6 GHz band as well.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
A previous workaround was used to move the special operating class 130
to the end of the Supported Operating Classes element to avoid getting
any following entry being ignored or misunderstood. That is not really
the correct way of encoding the special cases, i.e., 80+80 MHz channels
that use two nonadjacent frequency segments.
Add support for encoding the 80+80 MHz channel with the 2-octet
operating class design using the Operating Class Duple sequence field of
the Supported Operating Classes element instead of listing the operating
classes that have the 80+ behavior limit set indication in Table E-4
(i.e., opclass 130 and 135) as 1-octet operating classes in the
Operating Classes field.
Fixes: a92660a00e ("Work around Supported Operating Classes element issues for 6 GHz")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 085a3fc76e ("EHT: Add 320 channel width support") added this in
various places, but it did not cover everything. Extend this support to
be more complete. In particular, this allows wpa_supplicant to report
the operating class 137 in the Supported Operating Classes element and
to use it when processing beacon requests.
Signed-off-by: Ainy Kumari <quic_ainykuma@quicinc.com>