On NixOS[1] - a Linux distribution which allows to configure a full OS
declaratively - it's possible to configure SSIDs for `wpa_supplicant`
like this:
networking.wireless.networks = {
myssid = {
pskRaw = "<redacted>";
};
};
It's also possible to add networks "imperatively" using `wpa_gui` or
`wpa_cli`. However it's not possible to do both because if the first
option is used, NixOS creates a read-only symlink at
`/etc/wpa_supplicant.conf` and then it's not possible for
`wpa_supplicant` anymore to write to it.
This patch aims to help us changing this: while "declarative" SSID
configuration can be quite useful, it's a bad idea for e.g. sensitive
stuff like a WPA2 enterprise network.
The original idea was to use `-I`[2] for immutable configs (including
"declarative" networks) on NixOS and `-c /etc/wpa_supplicant.conf` for
anything "imperative".
However this doesn't really work out because if a wifi network from a
config file specified with `-I` is changed by e.g. `wpa_gui`, it's
silently overwritten in `/etc/wpa_supplicant.conf` (specified with
`-c`) which is IMHO unintuitive (in our case at least). This patch
basically declares each network defined in a config file passed via `-I`
to `wpa_supplicant` as "read-only" and doesn't write these "read-only"
networks to `/etc/wpa_supplicant.conf`.
A bit more context can be found on GitHub in the PR where I implemented
this[3].
[1] https://nixos.org/
[2] Added in e6304cad47
[3] https://github.com/NixOS/nixpkgs/pull/113716
Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
Add new 'mac_addr' policy (3) with which supplicant expects to also
obtain 'mac_value' with pregenerated value of MAC address to be used for
given SSID.
The main difference between this policy and policy 1 is the ability to
control persistence of the MAC address used. For example if there is
a requirement to always use the same (but random) MAC address for given
SSID (even if user removes/forgets the network) this could be handled
outside of the wpa_supplicant by using some SSID based hashing scheme to
generate MAC (or by just storing the randomly generated one) and
providing it to wpa_supplicant together with mac_addr=3 policy.
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
IEEE Std 802.11ax-2021, 12.12 explicitly disallows use of Open System
authentication without encryption on the 6 GHz band.
Signed-off-by: Sharadanand Karanjkar <skaranjkar@datto.com>
As P2P GOs are not expected to be collocated, i.e., they are not
expected to be announced in the RNR element of other APs, they can
operate only on preferred scanning channels (PSCs).
When performing a full scan for P2P discovery, include only the 6 GHz
PSCs (if supported) to avoid scanning channels on which P2P GOs are not
expected to reside.
While at it also fix couple of places that missed including 60 GHz
channels in P2P full scan.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add a callback handler to notify details of a PMKSA cache entry when it
is added to the PMKSA cache. This can be used to provide external
components more convenient access to the PMKSA cache contents.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
For WPA2/WPA3 authentication mode, wpa_supplicant needs to notify
CurrentAuthMode property change when wpa_s->key_mgmt changes, so
NetworkManager can judge whether it needs to request a password based on
this.
Call wpas_notify_auth_changed() when starting a new connection item,
i.e., after having updated wpa_s->key_mgmt.
Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
SSID may include unprintable characters. This change converts
unprintable characters into printable form before printing SSID in the
function wpas_send_ctrl_req(). The conversion is based on the function
wpa_ssid_txt().
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
In case of drivers supporting 4-way handshake offload, mark port
authorized and state completion only if the driver advertizes authorized
state in the connect event. Otherwise there are fair chances of the
driver port authorization API getting called while 4-way handshake is in
progress at the lower layer.
In order to avoid this possible race condition always update port
authorization and supplicant state WPA_COMPLETED setting from
EVENT_PORT_AUTHORIZED context when the driver is done with the 4-way
handshake.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
Add the support of multiple domains for interworking credentials in
D-Bus API AddCred() using an array of strings.
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
Fix compilation issue when using the following build parameter:
CONFIG_CTRL_IFACE=udp-remote
Fixes: 0aae045af0 ("ctrl: Print the source address of the received commands")
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Until now Hotspot 2.0 credentials were only supporting one home OI (with
roaming_consortium option) and one required home OI (with
required_roaming_consortium option). To improve the compliance with
Passpoint specification, add the support for multiple home and required
OIs.
The lists of OIs are provided using two new configuration options
home_ois and required_home_ois that expect a list of OIs formatted as
the roaming_consortiums list. It allows to keep the old options to avoid
breaking currently running configurations and better fits the vocabulary
used in the spec.
The OI match algorithm is updated to implement the behavior described in
Passpoint specification v3.2 section 9.1.2 (Home OIs nodes description
PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>).
Signed-off-by: Damien Dejean <damiendejean@chromium.org>
There is no way to create or remove a virtual interface with
wpa_supplicant dbus methods. The platform has to use out-of-band methods
to manage the virtual interfaces.
This change adds virtual interface create/remove logic to the dbus
methods CreateInterface and RemoveInterface to achieve similar
functionalities as wpa_cli commands interface_add and interface_remove.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
Need to copy own address and peer address locally and pass them to
pasn_deauthenticate(), because this pointer data will be flushed from
the PTKSA cache before sending the Deauthentication frame and these
pointers to then-freed memory would be dereferenced.
Fixes: 24929543 ("PASN: Deauthenticate on PTKSA cache entry expiration")
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
Map to correct control interface commands for PASN start and stop.
Fixes: ad338cfe58 ("ctrl_iface: Add support for PASN authentication")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
wpa_supplicant used the WPS IE from a Probe Response frame, if one was
received, even if there might have been a more recent Beacon frame with
an updated WPS IE. This could result in using stale information about
active WPS registrar, e.g., when operating on the 6 GHz band.
Prefer WPS IE from a Beacon frame over the default selection of Probe
Response frame (if one has been received) in cases where the Beacon
frame is received more recently than the Probe Response frame and active
WPS Registrar information is being checked. Skip this for the case where
UUID-E is needed since that is not available in the Beacon frame.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
OCV cannot be used without PMF and such a configuration were to be used
with wpa_supplicant, the AP would reject the association. hostapd is
already enabling PMF automatically whenever OCV is being enabled, so do
the same with wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
If a higher priority BSS has invalid security parameters, e.g., an
invalid SAE password, and a lower priority BSS is discovered only after
the local network profile has been temporarily disabled, the BSSID
ignoring mechanism is not sufficient to allow the lower priority BSS to
be tried and all consecutive attempts will continue to use the higher
priority BSS. This might prevent connection in some unexpected cases
with invalid network configuration.
Extend BSSID ignoring mechanism to work in this type of a case by
ignoring the BSSID that resulted in disabling the SSID temporarily
during the first connection attempt after having re-enabled the SSID.
This allows a lower priority BSS, if any is available in scan results,
to be tried next to see if it might have working security parameters.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Fix memory leak of intro.peer_key in wpas_dpp_rx_peer_disc_resp(). The
other code paths were updated to use dpp_peer_intro_deinit(), but this
non-privacy-protection version of the station implementation was missed.
Fixes: 148de3e0dc ("DPP3: Private Peer Introduction protocol")
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This is needed to avoid trying the subsequent connections with the old
PMKID that the AP claims not to hold and continues connection failures.
This was already handled for the SME-in-the-driver case in commit commit
50b77f50e8 ("DPP: Flush PMKSA if an assoc reject without timeout is
received"), but the wpa_supplicant SME case did not have matching
processing.
Add the needed check to avoid recover from cases where the AP has
dropped its PMKSA cache entry. Do this only based on the specific status
code value (53 = invalid PMKID) and only for the PMKSA entry that
triggered this failure to minimize actions taken based on an unprotected
(Re)Association Response frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
This prevents attempts of trying to use PMKSA caching when the existing
entry was created using a different MAC address than the one that is
currently being used. This avoids exposing the longer term PMKID value
when using random MAC addresses for connections.
In practice, similar restriction was already done by flushing the PMKSA
cache entries whenever wpas_update_random_addr() changed the local
address or when the interface was marked down (e.g., for an external
operation to change the MAC address).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to be able to determine whether a PMKSA cache entry is
valid when using changing MAC addresses. This could also be used to
implement a mechanism to restore a previously used MAC address instead
of a new random MAC address.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Using separate variables for BSSID and peer address is needed to support
Wi-Fi Aware (NAN) use cases where the group address is used as the BSSID
and that could be different from any other peer address. The
infrastructure BSS cases will continue to use the AP's BSSID as both the
peer address and BSSID for the PASN exchanges.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Rename struct pasn_data::bssid to peer_addr to be better aligned with
different use cases of PASN and its extensions. This is a step towards
having option to use different peer address and BSSID values for NAN use
cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant has support for only a single FT key hierarchy and as
such, cannot use more than a single mobility domain at a time. Do not
allow FT protocol to be started if there is a request to reassociate to
a different BSS within the same ESS if that BSS is in a different
mobility domain. This results in the initial mobility domain association
being used whenever moving to another mobility domain.
While it would be possible to add support for multiple FT key hierachies
and multiple mobility domains in theory, there does not yet seem to be
sufficient justification to add the complexity needed for that due to
limited, if any, deployment of such networks. As such, it is simplest to
just prevent these attempts for now and start with a clean initial
mobility domain association.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
During cross SSID roaming wpa_supplicant ended up using the default
RSNE/RSNXE in EAPOL-Key msg 2/4 though the driver indicated
(Re)Association Request frame elements without RSNE/RSNXE. This causes
RSNE/RSNXE mismatch between (Re)Association Request frame and EAPOL-Key
msg 2/4.
To avoid this skip copying the default RSNE/RSNXE if the driver
indicates the actually used (Re)Association Request frame elements in
the association event.
Signed-off-by: Utkarsh Soni <quic_usoni@quicinc.com>
Passphrases/PSKs from external password databases were ignored if 4-way
handshake offloading was supported by the driver. Split the PSK loading
functionality into a separate function and calls if to get the PSK for
handshake offloading.
I tested connecting to a WPA2-PSK network with both inline and external
passphrases, using the iwlwifi and brcmfmac drivers.
Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
In a system with multiple interfaces, the boot messages as well as the
status information provided by `systemctl` can be confusing without
an immediate way to differentiate between the different interfaces.
Fix this by adding the interface name to the unit description.
Signed-off-by: Gioele Barabucci <gioele@svario.it>
The received frame buffer was already verified to be long enough to
include the Advertisement Protocol element and that element was verified
to have a valid length value, but use of adv_proto[1] in another
function may have been too difficult to figure out for analyzers.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to specify a Link ID for set key operation for MLO
connection. This does not change the existing uses and only provides the
mechanism for extension in following commits.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Update the following MLO connection information to wpa_sm:
- AP MLD address and link ID of the (re)association link.
- Bitmap of requested links and accepted links
- Own link address for each requested link
- AP link address, RSNE and RSNXE for each requested link
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Currently, PMK parameters in the WPA state machine are set from
configuration only when the interface is initialized. If those
parameters are changed later via D-Bus, the new values don't have any
effect.
Call wpa_sm_set_param() when PMK-related D-Bus properties are changed
to immediately apply the new value; the control interface also does
something similar.
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.
Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.
Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.
Signed-off-by: Jeffery Miller <jefferymiller@google.com>
Stop listen mode if there is not sufficient time remaining to complete
the Authentication exchange within the current remain-on-channel
operation. This speeds up the operation and avoids some timeouts that
could prevent the provisioning step from completing. This addresses an
issue that was found in the following test case sequence:
dpp_controller_relay_discover dpp_chirp_ap_5g
Similar mechanism was already used for Reconfig Announcement frames, so
reuse that for this case with Presence Announcement frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
When scanning for a new connection, we currently optimize by scanning
all frequencies only when our MCC capabilities will allow an additional
operating frequency, and scan only the existing operating frequencies
otherwise. This is problematic when there the current operating
frequency singularly accounts for one of the shared radio frequencies
because we should be able to switch operating frequencies without adding
to the channel count. Fix this.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Connection attempt could have been intermittently drop when reconnecting
to the same ESS due the current BSS entry getting removed immediately
after the disconnection for the purpose of reconnecting to the same ESS.
Avoid this by not removing a BSS entry for the same ESS when in this
special state of trying to reconnect to the same ESS.
Signed-off-by : WooYong Kim <wykim@newratek.com>
Scans are allowed on the current interface for group formation only when
in the P2P_SEARCH, P2P_IDLE, or P2P_PROVISIONING state. But Extended
Listen timeout being enabled moves to the P2P_LISTEN_ONLY state. Due to
this P2P connection fails if the GO is not found with scans triggerred
before Extended Listen timeout. To avoid this skip Extended Listen
timeout to allow scans during group formation on the current interface.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
Clone sae_pwe configuration value when creating a new P2P group
interface. This is needed to avoid P2P connection failure at the P2P
Client side due to SAE H2E being disabled in the 6 GHz band operation
when a new group interface is created for the connection.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
For the 6 GHz opclass 132, ch for loop only allows non-PSC channels { 1,
9, 17, 25, 33, 41, 49,... } to be used. This does not match the IEEE Std
802.11ax-2021 expectation of a 6 GHz-only AP "should set up the BSS with
a primary 20 MHz channel that coincides with a preferred scanning
channel".
Increase ch by 4 to allow PSC channel to be used for 6 GHz BW40.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
struct wpas_pasn is common to both initiator and responder, so rename it
to pasn_data to avoid the "wpas_" prefix that could be seen as a
reference to wpa_supplicant (PASN initiator).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The wpa_s and hapd context are isolated from the PASN initiator and
responder code and this functionality is now in the separate src/pasn
directory. Add option to build libpasn.so with this functionality. This
library can be used by a Wi-Fi Aware component to support NAN pairing
with other devices.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PASN responder validates auth 1 frame and sends auth 2 frame to the
initiator. It analyses the auth 3 frame and verifies successful
authentication. Wi-Fi Aware modules can reuse this functionality through
a shared library libpasn.so generated from this code. Move the PASN
functionality that is now decoupled from the hapd context into a
separate file in a common directory to make it easier to build such a
library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PASN initiator functionality builds auth 1 and auth 3 frames, and
processes auth 2 frame received from the responder. Wi-Fi Aware modules
can reuse this functionality through a shared library libpasn.so
generated from this code. Move the PASN functionality that is now
decoupled from the wpa_s context into a separate file in a common
directory to make it easier to build such a library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is helpful in being able to get the functionality needed for SAE
into a separate library (libpasn.so) without needing all of the
ieee802_11.c functionality.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification defines Beacon RSNE/RSNXE to be same as
RSNE/RSNXE present in Auth2 frame. So, MIC validation should be done
with the RSNE and RSNXE received in Auth2 frame.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification introduces a custom PMKID derived from
Nonce and TAG. This custom PMKID is included in PASN Authentication
frames during pairing verification. So, allow use of a custom PMKID in
PASN frames and validate it using a function handler. Wi-Fi Aware
component that uses libpasn.so should take care of validating the custom
PMKID.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTK is stored in the PTKSA cache following a successful PASN handshake,
however AKMP is removed upon a WPA PASN reset. The PASN handshake is
used in the Wi-Fi Aware R4 specification to define the pairing setup
process. KDK is used to generate a new set of keys, while AKMP is
required for key derivation for pairing. So, keep AKMP in the PTKSA
cache.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
