Commit graph

5817 commits

Author SHA1 Message Date
Jouni Malinen
07525cd5e2 Fix HE enabling for IBSS and mesh
Earlier refactoring of ibss_mesh_setup_freq() ended up dropping the case
where HE would be enabled without VHT on the 2.4 GHz band. Add that back
to allow HE to be used on 2.4 GHz with IBSS and mesh.

Fixes: 64043e6156 ("Split ibss_mesh_setup_freq() into multiple functions")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-14 20:59:42 +02:00
Chenming Huang
40410c04f4 AP MLD: Channel switch for specific link
Link ID needs to be specified for MLD case when doing channel switch.
Add it to the driver command.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2023-12-14 13:14:37 +02:00
Jouni Malinen
8920e03905 P2P: Force clearing of p2p-send-action radio work on P2P_STOP_FIND
Make sure there is no P2P radio work remaining if P2P_STOP_FIND is used
to stop a P2P exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-10 19:40:49 +02:00
Ben Greear
ceb7f65dcc bgscan: Allow simple bgscan to do BTM queries
Allow doing X BSS transition management query calls before falling back
to scan.

Example format to do 4 BTM queries before attempting a scan:
bgscan="simple:30:-65:300:4"

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-12-09 11:31:32 +02:00
Chaitanya Tata
0b5d111653 Fix MBO build with GAS dependency
On the default configuration if MBO only is enabled then build breaks as GAS
is not selected, if other features that auto-enable GAS are selected
then it works.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-06 12:47:22 +02:00
Chaitanya Tata
20c82a2708 Add an option to remove WMM-AC
For a memory constrained system, it may be more important to reduce
binary size than include support for these capabilities.

By default this is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:45 +02:00
Chaitanya Tata
32b5f7f501 Add an option to remove Robust AV (SCS, MSCS, QoS Management)
For a memory constrained system, it may be more important to reduce
binary size than include support for these capabilities.

By default this is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:45 +02:00
Chaitanya Tata
6ed8eba00d Add an option to remove RRM and supported operating class indication
Removing radio measurements and supported operating class indication
might be needed to reduce binary size for a memory constrained system
that does not need more advanced features. However, removing these is
not recommended since they can help the AP manage the network and STA
steering.

By default this functionality is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:43 +02:00
Jun Yu
4b80ad1194 Populate the new beacon hint event to wpa_msg()
Beacon hinting is a feature that can temporarily change the regulatory
rule flags on the channel where the radio hears the beacon. Add a new
event CTRL-EVENT-REGDOM-BEACON-HINT to notify the wpa_supplicant user
about an important update to the regulatory rules including which
frequencies are impacted, new power limit, and new rule flags.

Signed-off-by: Jun Yu <junyuu@chromium.org>
2023-12-02 20:48:15 +02:00
Remi Pommarel
bbb0d3a40e mesh: Add for_each_sta implementation in wpa_auth_callbacks
The wpa_auth_callbacks for mesh was missing a for_each_sta
implementation. This is an issue with pmksa cache, as when a cache entry
expires the for_each_sta callback is called in order to clear the pmksa
reference for all sta that was using this entry. Not having a
for_each_sta callback will prevent this cleanup to happen then a sta
could still use this pmksa entry even after it has been freed.

This used after free was not a problem up until recently where
dpp_pkhash is now stored in pmksa entry and retreived later on causing
crash with below backtrace:

  _wpa_snprintf_hex                        src/utils/common.c:326
  wpa_snprintf_hex                         src/utils/common.c:348
  hostapd_ctrl_iface_sta_mib               src/ap/ctrl_iface_ap.c:542
  hostapd_ctrl_iface_sta_mib               src/ap/ctrl_iface_ap.c:542
  hostapd_ctrl_iface_sta_mib               src/ap/ctrl_iface_ap.c:600
  hostapd_ctrl_iface_sta                   src/ap/ctrl_iface_ap.c:615
  wpa_supplicant_ctrl_iface_process        src/wpa_supplicant/ctrl_iface.c:12741
  wpa_supplicant_global_ctrl_iface_receive src/wpa_supplicant/ctrl_iface_unix.c:1141
  eloop_sock_table_dispatch                src/utils/eloop.c:625
  eloop_run                                src/utils/eloop.c:1238
  wpa_supplicant_run                       src/wpa_supplicant/wpa_supplicant.c:8021
  main                                     src/wpa_supplicant/main.c:393

Adding a for_each_sta callbacks fixes that.

Fixes: 043dedee83 ("DPP: Expose enrollee pubkey hash for identification")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
2023-12-02 20:34:34 +02:00
Jouni Malinen
4f69b4a31e mesh: Fix PMKSA cache entry addition with external PMKSA management
The length of the PMK ended up getting lost when a PMKSA cache entry was
added based on externally managed information. Set the PMK length in SAE
context to get the correct length stored into the actual PMKSA cache
entry that gets created in this path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-02 20:31:16 +02:00
Jouni Malinen
033634019d Ignore missing set_secure_ranging_ctx callback for testing purposes
nl80211_set_secure_ranging_ctx() was already ignoring the operation, but
this is included only with CONFIG_DRIVER_NL80211_QCA=y. Make the default
case use same behavior based on the callback function not being defined.
This is needed to allow the following test cases to work:
pasn_owe_tm_kdk_secure_ltf pasn_sae_kdk_secure_ltf

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-27 12:01:15 +02:00
Benjamin Berg
e9bdecce4d Share TEST_FAIL/TEST_ALLOC_FAIL/GET_FAIL/GET_ALLOC_FAIL handler
Move the hostapd and wpa_supplicant control interface handlers into a
shared functions instead of duplicated implementation.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-26 12:03:47 +02:00
Andrei Otcheretianski
2c89ca9223 wpa_supplicant: Use wpa_msg() in bssid_ignore.c
This allows to use the messages for testing.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-26 10:53:15 +02:00
Benjamin Berg
b9c81e2005 MLD: Use MLD MAC address for deauthentication
When connecting, pending_bssid is set to the main link that we are
authenticating/associating on. Later on, the MLD MAC address will be
stored in the bssid, but we may also try to deauthenticate before we are
connected and in that case, pending_bssid is not yet set to the MLD MAC
address.

As such, use the ap_mld_addr instead of pending_bssid if n_mld_links is
non-zero. This is the sensible thing to do and expected behavior on
nl80211.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 21:49:06 +02:00
Ilan Peer
e5917e2a5b scan: MLD: Include SSID in ML probe request
This improves chances with APs that do not reply to Probe Request frame
with short SSID or with direct BSSID.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-25 21:41:15 +02:00
Ilan Peer
b29ac99d52 scan: Include AP MLD ID in ML probe request if needed
According to IEEE P802.11be/D4.0, 35.3.4.2, the AP MLD ID must be
included in the Probe Request ML element in case it is sent to a
transmitted BSS in which case it should be set to 0. If it is sent to an
non-transmitted BSSID, the AP MLD ID should not be included.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 21:38:57 +02:00
Benjamin Berg
3cd377eb54 MLD: Ignore failed links from association attempt
If for some reason association fails and a link which has an error is
reported, add that specific link to the ignore list. After that,
immediately retrigger the connection code. In the usual case, we are
then going to reconnect to the same AP MLD but with that particular link
not being included in the connection.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-25 17:10:38 +02:00
Benjamin Berg
e6eebd0d5c MLD: Do not consider ignored BSSs for links when parsing RNR info
This avoids, e.g., trying to use a BSS that is rejected by mac80211 as a
link, which could fail the connection as a whole.

Note that this is not perfect. Ideally, the internal state would have a
more context sensitive ignore flag so that one could still use a BSS as
a link in some situation.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 16:52:08 +02:00
Benjamin Berg
5af986c75a MLD: Also mark links as failed after association failure
Parse the link status values out of Multi-Link association response. If
the AP rejects ML association and marks the links as failed with a
reason code other than TX_LINK_NOT_ACCEPTED, also report these links to
wpas_connection_failed() and ignore them.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 16:44:01 +02:00
Andrei Otcheretianski
9160540ec3 wpa_supplicant: Fix ml_ie_len type in wpa_bss_parse_basic_ml_element()
Since the Multi-Link element can be fragmented, use size_t instead of
u8.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 13:40:15 +02:00
Andrei Otcheretianski
cb90aa3acf wpa_supplicant: Remove duplicate logic in wpas_ml_element()
Parsing multiple RNR elements already exists in
wpa_bss_parse_basic_ml_element(), so wpas_ml_element() just duplicates
the same code. Combine the functionality of both these functions and
remove the duplicate.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 12:03:52 +02:00
Andrei Otcheretianski
74b6884306 wpa_supplicant: Add config parameters for MLD testing
Add band preference, BSSID preference, and single link enforcement
testing options. This is needed for testing MLO.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 11:26:00 +02:00
Jouni Malinen
6220fb52e3 dbus: Increase XML buffer size for an interface introspection data
The current set of global configuration fields is getting close to the
previously used 15000 byte limit, so increase this size to 16000 and add
a note about the potential need to change this size when adding new
fields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-25 11:13:42 +02:00
Benjamin Berg
b3aafd5a87 common: Simplify and avoid confusing defragmentation API
Three functions were provided for defragmentation. First
ieee802_11_defrag(), ieee802_11_defrag_mle() and then
ieee802_11_defrag_data() which would do the actual job. With
ieee802_11_defrag() picking the member in the elements struct for an
EID. The problem with this is, that for the Multi-Link element, there
are multiple entries in the elems struct depending on its type. As such,
remove the intermediate function and simply pass the correct members
directly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 10:56:56 +02:00
Benjamin Berg
9ffebf758d SME: Drop old disassoc_while_authenticating workaround
This workaround from commit 6d6f4bb87f ("nl80211: Work around mac80211
limitation on (re)auth when authenticated") pre-dates the code that
supresses the deauth or disconnect event from nl80211. Should this code
be called it would not actually work at this point, as important
internal state for the authentication attempt has already been lost.

Simply drop the code. This might also fix issues where we could get
into a bad state if a proper deauth/disconnect event happens while we
are authenticating or associating.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-24 22:59:19 +02:00
Jouni Malinen
c8b4ad70b1 tests: Set wpa_s->global for module tests
This is needed to avoid NULL pointer deferencing in
wpa_supplicant_ctrl_iface_msg_cb() if any of the functions called from
wpas_bssid_ignore_module_tests_() ends up using wpa_msg().

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-24 21:02:03 +02:00
Jouni Malinen
a768556f7b Prefer SAE over PSK in WPA3-Personal transition mode cases
Order scan results in a manner that prefers BSSs that support SAE over
ones that support PSK without SAE if the SNR of the SAE BSS is good or
at least at the same level as the SNR for the PSK BSS. This improves
likelihood of using SAE when the local network profile allows
WPA3-Personal transition mode and the ESS uses a mix BSSs with different
sets of AKMs.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-23 23:16:58 +02:00
Jouni Malinen
43184bf06a OWE: Optimize transition mode AP scan with owe_only=1 STA configuration
Extend the optimization from commit 9c97126576 ("OWE: Optimize
transition mode scan to use known channels") to cover cases where the
STA is configued with OWE transition mode disabled, but the AP uses OWE
transition mode.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-23 20:41:35 +02:00
Ainy Kumari
4ff287e922 P2P: Do not skip updating BSS table when frequency is changed
BSS table is not updated when a non-P2P station runs a scan without P2P
IE in Probe Response frame, since that would remove P2P IE information.
However, this results also in not updating mandatory rates in Supported
Rates and BSS Membership Selectors element even though AP/GO changes
frequency from 2.4 GHz to 5 GHz band.

This is causing connection failure since BSS table has 1 Mbps as
mandatory rate for AP connection but minimum supported rate in 5 GHz
band is 6 Mbps.

To avoid connection failures in such cases, don't skip updating BSS
table when the BSS frequency is changed. This covers the most important
case addressed in commit ff57398fca ("P2P: Do not drop P2P IEs from
BSS table on non-P2P scans") while still allowing other changes to be
taken into account if the GO were to actually change channels (or band,
which would be the most likely case needing the update).

Signed-off-by: Ainy Kumari <quic_ainykuma@quicinc.com>
2023-11-23 19:56:17 +02:00
Vinayak Yadawad
73b49016f2 Fix references to correct driver capability flag for PSK/OWE offloads
Fix references to the appropriate driver capability drv_flags2. The
initial version used the incorrect drv_flags value and by doing so,
ended up using incorrect driver capabilities (DEAUTH_TX_STATUS,
BSS_SELECT, TDLS_SUPPORT) which could result in incorrect OWE
functionality for both AP and STA cases.

Fixes: d984c7b298 ("hostapd: Add support for OWE offload for STA/AP interface")
Fixes: da364180fb ("hostapd: Support 4-way handshake offload for AP/P2P GO")
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-23 11:41:18 +02:00
Jouni Malinen
9b89df7584 WNM: Do not start scan on disassociation imminent if BSSID is set
If the local network profile specifies a specific BSSID, there will not
be an acceptable alternative AP for the current one. As such, there is
not much point in trying to scan and wait for the results to make this
conclusion. Skip the scan and reject the BSS transition management
request even if that ends up getting disassociated from the BSS that
happens the be the only one that the local configuration allows to be
used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-11 23:44:04 +02:00
Vinayak Yadawad
d984c7b298 hostapd: Add support for OWE offload for STA/AP interface
The driver advertising OWE offload support would take care of
Diffie-Hellman Parameter element generation and processing part. The
driver would be responsible for OWE PMK generation in this case.

Avoid the Diffie-Hellman Parameter element handling in
wpa_supplicant/hostapd for drivers advertising OWE offload support. This
change is applicable only for drivers supporting 4-way handshake
offload.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-11 22:36:24 +02:00
Vinayak Yadawad
da364180fb hostapd: Support 4-way handshake offload for AP/P2P GO
Add support for offloaded 4-way handshake in AP/P2P GO mode. For drivers
supporting the AP PSK offload, wpa_supplicant/hostapd passes down the
PSK for the driver to handle the 4-way handshake. The driver is expected
to indicate port authorized event to indicate that the 4-way handshake
is completed successfully.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-11 22:34:06 +02:00
Kaidong Wang
77386f51ac Adjust the RSSI and throughput estimate in roaming algorithm
The max transmit power of Standard Power (SP) Access Points (AP) on
6 GHz band and APs on 2.4 GHz and 5 GHz bands is limited by effective
isotropic radiated power (EIRP), while the max transmit power of Low
Power Indoor (LPI) APs on 6 GHz Band is limited by power spectral
density (PSD). Therefore the max transmit power of LPI APs grows as the
channel width increases, similar to the noise power which has constant
PSD.

Adjust the RSSI, SNR and throughput estimate based on max transmit power
config and max channel width in the roaming algorithm.

Signed-off-by: Kaidong Wang <kaidong@chromium.org>
2023-11-10 16:34:01 +02:00
Kaidong Wang
790beb84ac Adjust the SNR when comparing BSSes based on Tx power config
The max transmit power of Standard Power (SP) Access Points (AP) on
6 GHz band and APs on 2.4 GHz and 5 GHz bands is limited by effective
isotropic radiated power (EIRP), while the max transmit power of Low
Power Indoor (LPI) APs on 6 GHz Band is limited by power spectral
density (PSD). Therefore the max transmit power of LPI APs grows as the
channel width increases, similar to the noise power which has constant
PSD.

Adjust the SNR of BSSes based on the transmit power config and max
channel width. EIRP limited APs usually have constant max transmit power
on different channel widths, their SNR decreases on larger channel width
because the noise power is higher, while PSD limited APs have constant
SNR over all channel widths.

Signed-off-by: Kaidong Wang <kaidong@chromium.org>
2023-11-10 16:34:01 +02:00
Jouni Malinen
93a68a1fc9 OWE: Remove now unnecessary attempt to update transition mode BSS
With the SSID updating of a BSS entry removed from owe_trans_ssid(),
this call to owe_trans_ssid() is not really doing anything, so remove
it. This reverts 6972b0fa2b ("OWE: Update transition mode information
on selecting a new BSS").

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-08 14:21:41 +02:00
Andrzej Ostruszka
00b3125871 OWE: Do not update the BSS entry with zero length SSID for transition
Overwriting of SSID for the hidden OWE BSS entry has some side effects:
- first the entry is notified over DBus with empty SSID and the update
  of SSID is never signaled (it is not even possible at the moment to
  notify the SSID change - see wpas_dbus_bss_signal_prop_changed()),
- during (and after) association there will be multiple entries
  referring to the same BSSID/SSID pair.

Stop overwriting the SSID in an existing BSS entry based on OWE
transition mode information. Instead, depend on a new BSS entry getting
added for the hidden OWE BSS based on active scans for the SSID learned
from the open BSS. This would not have been sufficient for the initial
OWE design, but with the optimized scanning behavior from commit
c04562e67e ("OWE: Improve discovery of OWE transition mode AP"), this
can now depend on the exact same mechanism as other uses of hidden
SSIDs. This helps in keeping the D-Bus interface in sync with the BSS
parameters.

Signed-off-by: Andrzej Ostruszka <andrzejo@chromium.org>
2023-11-08 14:21:41 +02:00
Jouni Malinen
9c97126576 OWE: Optimize transition mode scan to use known channels
If the currently available scan results include OWE transition mode BSS
with an unknown SSID, optimize the following scan for OWE to use only
the channels on which a known transition mode BSS has been seen.

This is needed to be able to remove the design that updates BSS entries
with the learned OWE SSID in manner that does not result in regression
to scanning latencies.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-08 14:21:40 +02:00
Jouni Malinen
5b12a05590 Use SSID from driver when finding the current BSS entry
The local network profile may not have matching SSID (it could be either
the wildcard 0-length SSID or visible SSID in case of OWE transition
mode), so check whether an exact match with a BSS entry can be made
using the current SSID information from the driver (i.e., the SSID of
the current association) when picking the BSS entry to use as the
current one for an association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-08 11:56:03 +02:00
Ben Greear
a3020f852e MLD: Use BSS Parameters in TBTT Info to check SSID match
Use the Same SSID and Colocated AP bits as an alternative way of finding
a match on the current SSID.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 19:42:29 +02:00
Ben Greear
0635f83e48 MLD: Support multiple TBTT Information fields in RNR elements
The Reduced Neighbor Report element can include one or more TBTT
Information fields.  Only the first one was parsed previously. Extend
this to use a loop to go through all included TBTT Information fields.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 19:38:06 +02:00
Jouni Malinen
c18aef6241 MLD: Move TBTT Information field parsing into a helper function
This makes it more convenient to process multiple TBTT Information
fields within an RNR element.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-07 19:19:22 +02:00
Ben Greear
99a8dd0495 MLD: Support multiple RNR elements
Beacon frames are allowed to optionally include one more more Reduced
Neighbor Report elements. Only the first one was parsed previously.
Extend this to use a loop to go through all included RNR elements.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 18:55:50 +02:00
Jouni Malinen
be212bdb55 MLD: Move RNR element parsing into a helper function
This makes it more convenient to process multiple elements.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-07 18:44:22 +02:00
Gokul Sivakumar
4f20dd52ff wpa_cli/hostapd_cli: Add driver_flags2 command
Leverage the already available control socket cmd "DRIVER_FLAGS2" and
dump the driver capab "flags2" bitmask on triggering the new CLI CMD
"driver_flags2", similar to the already existing CLI CMD "driver_flags".

$ hostapd_cli -i wlan0 driver_flags2
(OR)
$ wpa_cli -i wlan0 driver_flags2
0000000000000020:
BEACON_RATE_HE

Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
2023-11-06 15:16:18 +02:00
krishna T
5025047ac3 Fix use after free warning introduced by gcc 12.1
gcc 12.1 complains about using pointer after realloc as it could
potentially be moved/freed, causing any uses after UB.

Fix this by doing checks before realloc and use those statuses and
update with new BSS.

Signed-off-by: Krishna T <krishna.t@nordicsemi.no>
2023-11-06 10:57:34 +02:00
Chung-Hsien Hsu
236c0cfbcd SAE: Pass SAE password on connect for SAE authentication offload support
Pass SAE password on connect if driver advertises SAE authentication
offload support.

Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu@infineon.com>
Signed-off-by: Daisuke Mizobuchi <mizo@atmark-techno.com>
2023-11-05 20:35:10 +02:00
David Ruth
c84388ee4c Compile-time config for dynamically loading libraries in wpa_supplicant
Prevent loading arbitrary executable code based on config at runtime,
while allowing libraries to be specified at compile time when they are
known in advance.

Add the ability to configure libraries to load at compile time.
	* CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
	* CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
	* CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.

Add flags with the ability to set each of the libraries to NULL and
prevent loading them at runtime.
	* CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine
	  library.
	* CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module
	  library.
	* CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opensc_engine
	  library.
	* CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading EAP libraries at
	  runtime.

Signed-off-by: David Ruth <druth@chromium.org>
2023-11-05 10:23:29 +02:00
Jouni Malinen
0776c51ed7 DPP: Handle wpas_dpp_connected() processing in eloop callback
wpas_dpp_connected() is called from wpa_supplicant_set_state(), i.e.,
from the middle of processing of the post 4-way handshake steps. Sending
a DPP Public Action frame at that point can delay other operations, so
allow those steps to be completed first before sending out the DPP
connection status result.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 11:58:14 +02:00
Jouni Malinen
5c5f86900b DPP: Start next auth init from driver event to avoid race condition
It looks like mac80211 ROC handling can end up postponing offchannel TX
operation by the previously started and already canceled wait time if
the new NL80211_CMD_FRAME is issued immediately after
NL80211_CMD_FRAME_WAIT_CANCEL. Make this more robust by waiting for the
driver event that indicates completion of the cancel operation (i.e.,
NL80211_CMD_FRAME_WAIT_CANCEL as an event) before issuing
NL80211_CMD_FRAME for another channel. If the driver event is not
received within 10 ms, start the operation anyway to avoid unexpected
behavior if there are drivers that do not end up notifying end of the
wait.

This fixes some issues with authentication initiation for cases where
multiple channels are iterated. This can also significantly speed up
that process.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 11:11:46 +02:00
Jouni Malinen
f9965a6505 Use os_reltime_initialized() for Michael MIC failure event
The first event could have theoretically been received with reltime
sec=0, so use the helper function to check whether the reltime value is
actually set so that the usec part is checked as well. This is not going
to have a difference in practice, but it was possible to hit this corner
case with mac80211_hwsim testing (ap_cipher_tkip_countermeasures_sta)
using UML and time travel.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 22:02:18 +02:00
Ilan Peer
a8517c132c Add support for AKM suite 00-0F-AC:23
Add support for Authentication negotiated over IEEE Std 802.1X
with key derivation function using SHA-384.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-03 17:08:36 +02:00
Ramya Gnanasekar
544801d74c wpa_supplicant: Add channel 140 to ht40plus allowed list for mesh/IBSS
When channel 140 is configured in mesh, interface fails to come up due
to channel bond (136,140). Since Channel 136 is not HT40+ capable,
validation for HT channel bonding fails when it checks whether first
channel in the bond (channel 136) is HT40+ capable.

In mesh, during channel setup, secondary channel offset for the
configured channel will be selected as +1 if primary channel is capable
of HT40+. In current code, channel 140 is not allowed as HT40+ and hence
secondary channel offset is selected as -1, which makes 136 as secondary
channel. But channel 136 is not HT40+ supported and fails in channel
bonding validation.

Add 140 to HT40+ allowed list as HT40+ is supported for the channel.

Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
2023-11-03 16:04:58 +02:00
Hu Wang
75d33c988f OWE: Fix for entry->ssid possibly NULL dereference
Pointer entry->ssid might be passed to owe_trans_ssid_match() function
as argument 3 with NULL value, and it may be dereferenced there. This
looks like a theoretical case that would not be reached in practice, but
anyway, it is better to check entry->ssid != NULL more consistently.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 15:49:50 +02:00
Sebastian Priebe
e97d7c5a6a Only advertise MSCS and SCS in Association Request if supported by AP
Since wpa_supplicant version 2.10 the extended capabilities MSCS and SCS
are advertised in the (Re)Association Request frames.

This causes the association request to be rejected by several access
points. Issue was observed with:
- D-Link DIR600
- TP-Link AC1900
- Synology MR2200ac

To avoid this issue the extended capabilities MSCS and SCS shall only be
added if the bss also supports them. While this may not follow the exact
behavior described in IEEE 802.11, this is a reasonable compromise to
avoid interoperability issues since these capabilities cannot be used
with an AP that does not support them anyway.

Note: The Extended Capabilities element is only included in the
Association Request frames if the AP also sent its extended capabilities
(see wpas_populate_assoc_ies()) as a workaround for misbehaving APs.
This workaround exists since version 2.1.

Signed-off-by: Sebastian Priebe <sebastian.priebe@konplan.com>
2023-11-03 13:10:01 +02:00
Jurijs Soloveckis
a5d0bb42a2 Reduce delay between Association Request and Association Response
There is a delay between sending Association Response frame after having
received Association Request frame, due to the fact that between
receiving the request and sending the response the Beacon frame contents
is updated, after analyzing inputs from the STA. There may be several
updates if multiple fields need to change. This can cause issues with
some devices in noisy environments with many BSSs and connected STAs.

Optimize this by updating the beacon only once, even if there are
multiple reasons for updates.

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-11-03 12:58:35 +02:00
Matthew Wang
42add3c27b Scan 6 GHz channels after change to 6 GHz-allowed regdom
Drivers will often report regdom changes in the middle of a scan if they
detect during that scan that the regulatory domain has changed. If this
happens and we enter a regdom that supports 6 GHz channels when the
previous one didn't (this often happens in 6 GHz-capable regdoms for
devices after suspend/resume), immediately trigger a 6 GHz-only scan if
we were not able to connect to an AP on a legacy band.

This should significantly improve connection time to 6 GHz AP after
regdom has been reset.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Matthew Wang
0b8a672253 Parse 6 GHz capability from driver capabilities
Store 6 GHz capability on channel list update for wpa_supplicant use.
This will be used in the next commit to extend scanning behavior based
on changes to 6 GHz channel availability.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Matthew Wang
17bdf34c49 Use default IEs in wpa_supplicant_trigger_scan()
wpa_supplicant_trigger_scan() previously wouldn't include any of the IEs
generated by wpa_supplicant_extra_ies(). Instruct it to do so in most
cases. This is necessary because MBO STAs are required to include MBO
capabilities in their Probe Request frames.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Qiwei Cai
2bd8887e9f P2P: Pass the known BSSID to the driver to optimize scan time
After GO negotiation is completed, the P2P Client needs to scan the GO
before connecting. Only SSID was specified for this and the driver still
might need to scan all channels which wastes time. wpa_supplicant can
pass the known BSSID in the scan request in additional P2P cases and
this allows the driver sto stop the scan once the specific BSSID is
found. This helps reduce some time for P2P connection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-30 19:25:42 +02:00
Stefan Paetow
9e426e068d Enable IPv6 in wpa_supplicant and eapol_test builds
eapol_test needs this for RADIUS and wpa_supplicant can use this with
DPP over TCP.

Signed-off-by: Stefan Paetow (OpenSource) <oss@eons.net>
2023-10-29 18:47:21 +02:00
Jouni Malinen
3d8de6191e dbus: Use proper dbus_bool_t value TRUE instead of 1
Signed-off-by: Jouni Malinen <j@w1.fi>
2023-10-29 17:46:46 +02:00
Kaidong Wang
03a9a57aca dbus: Add NonColoc6GHz and 6GHzOnly flags in wpa_supplicant scan
Handler function for "Scan" method call of a network device doesn't set
non_coloc_6ghz, therefore wpa_supplicant doesn't scan non-PSC channels
on 6GHz band only if a co-located AP was reported on the channel.

Add NonColoc6GHz and 6GHzOnly flags to the wpas_dbus_handler_scan, so
that dBus scan requests can cover non-PSC channels and scan only 6 GHz
channels.

Signed-off-by: Kaidong Wang <kaidong@chromium.org>
2023-10-29 17:46:35 +02:00
Andrei Otcheretianski
e5ea30feef SME: MLD: Handle reconfiguration Multi-Link element
Parse the reconfiguration Multi-Link element and:

- Don't select a BSS for connection if it is part of an MLD
  and is going to be removed.
- Don't scan for missing links that are to be removed.
- Don't include removed links in association.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-10-29 16:43:34 +02:00
Andrei Otcheretianski
7ea2798c2c Test command for sending ML probe request
Add a control interface to trigger ML probes for testing purposes.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-10-29 15:49:04 +02:00
Andrei Otcheretianski
de5e01010c wpa_supplicant: Support ML probe request
Add support for building and sending ML probe requests. During connect,
try to send an ML probe request if we are going to connect to an MLD AP
and the BSS information for some of the links is missing.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-10-29 15:48:53 +02:00
Ilan Peer
a12f39ad4c nl80211: Add support for minimal probe request content
Extend 'struct wpa_driver_scan_params' to allow higher layer to indicate
if minimal probe request content should be included by the driver as part
of the scan logic.

Implement this with driver_nl80211, by setting
NL80211_SCAN_FLAG_MIN_PREQ_CONTENT.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-10-29 11:01:03 +02:00
Jouni Malinen
11a6ae242e More consistent use of mesh peer connected/disconnected notification
Use the wpas_notify_mesh_peer_*() functions for sending the control
interface events in addition to the D-Bus events so that these are all
done consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-10-29 10:49:43 +02:00
Nicolas Escande
bd37f86155 Fix MESH-PEER-DISCONNECTED message logic on control iface
When using mesh we have incoherent
MESH-PEER-CONNECTED/MESH-PEER-DISCONNECTED messages when we restart one
of the devices without disconnecting it first. Sometimes we have the
right behavior, a peer disconnect and then a peer connect, sometimes we
only have a a peer connected without a peer disconnected first, and
sometimes we have nothing at all.

As the plink count seem to be correctly tracked and because we only send
the connected event on plink count increase, lets send the peer
disconnected event on plink count decrease.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2023-10-29 10:43:10 +02:00
Nicolas Escande
d986e87023 Respect disable_ht40/disable_vht/disable_he in AP/mesh mode
When using wpa_supplicant to connect to a mesh network or to create an
AP, the current code doesn't respect all CONFIG_XXX_OVERRIDES network
parameters, just disable_ht in CONFIG_HT_OVERRIDES.

Add support for some of the others modulation related disable flags:
 - disable_ht40 with CONFIG_HT_OVERRIDES
 - disable_vht with CONFIG_VHT_OVERRIDES
 - disable_he with CONFIG_HE_OVERRIDES

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2023-10-29 10:36:29 +02:00
Ben Greear
67bf89f554 WNM: Choose the best available BSS, not just the first one
This should allow STA to make better choice about which BSS to roam to.

Use estimated throughput as comparison value. Can improve the estimated
throughput calculation to improve this selection criteria if wanted in
the future.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-10-28 19:54:41 +03:00
David Ruth
5a96a516a8 dbus: Report guard interval and dual carrier modulation
Propagate guard interval as a double value and dual carrier modulation
as a boolean over D-Bus.

Signed-off-by: David Ruth <druth@chromium.org>
2023-10-28 18:35:08 +03:00
Chaitanya Tata
3cb51378f2 Abort ongoing scan on DISCONNECT
Along with canceling queued scan, abort ongoing scan if any, this
ensures Wi-Fi interface is in usable state after disconnect is issued,
else subsequent scan after disconnect might fail with EBUSY.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-10-28 18:24:42 +03:00
Po-Hao Huang
0aa44ccf82 WNM: Lower rankings of current AP if disassociation imminent bit set
If the current AP advertises disassociation imminent, move it to the
back of the candidate list so we don't select it again while other
candidates are available.

Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
2023-10-28 17:43:30 +03:00
Jouni Malinen
3242793cb8 P2P: Remove pending p2p-listen radio work on stopping listen
Some kind of race condition seemed to be hit at least in test sequence
"p2p_ext_vendor_elem_invitation pasn_comeback_after_0_sae" where the P2P
invitation response could have been received just after having scheduled
a new p2p-listen radio work, but before that work had been started. In
the case of accepted invitation, this could result in unnecessary extra
delay when that p2p-listen work ended up getting started at the exact
time that the local device was starting GO.

Avoid this race condition by removing the pending p2p-listen radio work
when P2P listen is stopped.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-10-28 17:23:25 +03:00
Kaidong Wang
2563edb8c5 Use 6 GHz default noise when estimating 6 GHz SNR
wpa_supplicant underestimates 6 GHz SNR as it assumes 2 GHz default
noise in the estimation.

Use 6 GHz default noise when estimating 6 GHz SNR.

Signed-off-by: Kaidong Wang <kaidong@chromium.org>
2023-10-28 13:14:24 +03:00
Johannes Berg
b99bb32f55 Don't disconnect on scan_freq update from control interface
It doesn't make sense to disconnect on updates to the
network's scan_freq, and in fact doing so causes some
(timing-/scheduling-dependent) test failures.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2023-10-28 12:34:57 +03:00
Veerendranath Jakkam
2f911fb155 SAE: Remove current PMKSA from driver after reauth threshold is passed
wpa_supplicant postpones expired PMKSA deletion untillassociation is
lost for SAE to avoid forced disconnection. But during this time the
driver may use the expired PMKSA for reassociation with the current
connected AP.

Remove the current PMKSA for SAE from the driver after reauth threshold
is passed when the driver takes care of BSS selection.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-10-12 18:31:08 +03:00
Veerendranath Jakkam
c4c5c991da SAE: Do not reject reauth threshold passed PMKSA in association event
Do not reject reauth threshold passed PMKSA indicated in successful
association event since the PMKSA is still valid.

Additionally, remove the reauth threshold passed PMKSA entry from the
driver to prevent using it further in the driver.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-09-28 18:57:50 +03:00
Kiran Kumar Lokere
f429064189 TDLS: Set EHT/MLO information for TDLS STA into the driver
Add the copied EHT capabilities into the sta_add() call when adding a
TDLS peer.

The mld_link_id value was previously only for AP mode, but it can now be
used for TDLS links as well to indicate the link on which a
single-link-TDLS direct link is negotiated.

Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
2023-09-08 13:20:31 +03:00
Kiran Kumar Lokere
626501434b TDLS: Learn MLD link ID from TDLS Discovery Response
This is needed to be able to determine which link is used for TDLS setup
when the current association is with an AP MLD.

Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
2023-09-08 13:13:24 +03:00
Kiran Kumar Lokere
e3a68081bc driver: Add option for link ID to be specified for send_tdls_mgmt()
This is needed to allow the driver to know on which operating channel
(as specified by the link that is affiliated with AP MLD for the current
association) is used for transmitting TDLS Discovery Response. This
commit adds the link_id parameter to various functions, but does not
implement the driver interface change itself.

Signed-off-by: Jouni Malinen <quic_klokere@quicinc.com>
2023-09-08 12:51:37 +03:00
Jouni Malinen
3e71516936 Document per-ESS MAC address (mac_addr=3 and mac_value)
Commit 9025def55c ("wpa_supplicant: Add support for pregenerated MAC")
added this capability, but did not update wpa_supplicant.conf to
document it. Add such documentation to match the information in
config_ssid.h.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-09-07 18:28:24 +03:00
Kiran Kumar Lokere
377d617b57 Define new BSS command info mask for AP MLD address
The ap_mld_addr entry was added without introducing a new mask bit which
does not follow the expected style for adding new information into the
BSS command and might result in unexpected behavior for external
components. Define a new BSS command information mask bit for this AP
MLD address and print the AP MLD address in the BSS info only if the
mask bit is set.

Fixes: db99e7341a ("Add AP MLD address into BSS command output")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-08-31 15:23:05 +03:00
Veerendranath Jakkam
32dcec9529 Send actual MFP configuration when driver takes care of BSS selection
Send the actual MFP configuration value to the driver instead of
overriding it with MFP required based on the wpa_supplicant selected BSS
when the driver takes care of BSS selection.

This is needed to allow the driver to know whether it can select an MFP
disabled BSS.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-08-30 15:25:51 +03:00
Purushottam Kushwaha
edfca280cb SCS: Add support for optional QoS Charateristics parameters
Per IEEE P802.11be/D4.0, 9.4.2.316 (QoS Characteristics element), enable
support for the following optional QoS Characteristics parameters:
 - Maximum MSDU Size
 - Service Start Time
 - Service Start Time LinkID
 - Mean Data Rate
 - Delayed Bounded Burst Size
 - MSDU Lifetime
 - MSDU Delivery Info
 - Medium Time

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2023-08-28 16:06:50 +03:00
Purushottam Kushwaha
33da386553 SCS: Add support for QoS Characteristics in SCS request
Add support to configure the mandatory QoS Characteristics parameters
per IEEE P802.11be/D4.0, 9.4.2.316 (QoS Characteristics element), in SCS
request:
 - Minimum Service Interval
 - Maximum Service Interval
 - Minimum Data Rate
 - Delay Bound

Enable STA SCS traffic descriptor support for EHT connection when the
connected EHT AP advertises SCS traffic descriptor capability in the EHT
Capabilities element.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2023-08-28 16:06:50 +03:00
Purushottam Kushwaha
c437665041 Add Non EHT SCS Capability in (Re)Association Request frames
Set WFA capability to allow non-EHT SCS Traffic support in association
elements when the AP advertises support for non-EHT SCS Traffic support
via Beacon or Probe Response frame. This capability is upper layer
functionality and as such, does not need a separate driver capability
indication or configuration, but indicate this only if the AP supports
the feature to minimize risk of interoperability issues with a new
information element.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2023-08-28 16:06:50 +03:00
Jouni Malinen
7637d0f250 P2P: Do not filter pref_freq_list if the driver does not provide one
wpa_drv_get_pref_freq_list() may fail and the 6 GHz channel removal
should not be done unless the operation actually succeeded. The previous
implementation ended up processing uninitialized data. This did not
really result in any observable misbehavior since the result was not
used, but this showed up as a failed test case when running tests with
valgrind.

Fixes: f0cdacacb3 ("P2P: Allow connection on 6 GHz channels if requested")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-08-18 20:40:12 +03:00
Xin Deng
47a65ccbfd P2P: Clean wpa_s->last_ssid when removing a temporary group network
wpa_supplicant could crash due to dereferencing freed memory in a corner
case. When a reestablished P2P GO group gets removed because the
hardware mode is not supported when switching from 2.4 to 5 GHz. Group
removal in wpas_p2p_group_delete() forget to clean wpa_s->last_ssid due
to the missing wpas_notify_network_removed() call before removing the
network with wpa_config_remove_network().

That could cause a crash when flushing old BSSs which age out in
wpa_bss_flush_by_age() which uses wpa_s->last_ssid in some cases.

Fix this by invoking wpas_notify_network_removed() to clean
wpa_s->last_ssid when removing a temporary P2P group network.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-08-18 20:29:18 +03:00
Michael Lee
bc0636841a wpa_supplicant: Fix configuration parsing error for tx_queue_*
In the original flow, after hostapd_config_tx_queue() successfully
parses a tx_queue variable, wpa_config_process_global() would not return
immediately. Then it would print out "unknown global field" later and set
return val to -1.

Return success (0) after hostapd_config_tx_queue() successfully parses a
tx_queue variable to fix this.

Fixes: 790026c3da ("Allow TX queue parameters to be configured for wpa_supplicant AP/P2P GO")
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
2023-08-11 11:53:16 +03:00
Chien Wong
8f148d5132 Fix a compiler warning on prototype mismatch
Fix the warning:
wpa_supplicant.c:2257:5: warning: conflicting types for
‘wpas_update_random_addr’ due to enum/integer mismatch; have ‘int(struct
wpa_supplicant *, enum wpas_mac_addr_style,  struct wpa_ssid *)’
[-Wenum-int-mismatch]
 2257 | int wpas_update_random_addr(struct wpa_supplicant *wpa_s,
      |     ^~~~~~~~~~~~~~~~~~~~~~~
In file included from wpa_supplicant.c:32:
wpa_supplicant_i.h:1653:5: note: previous declaration of
‘wpas_update_random_addr’ with type ‘int(struct wpa_supplicant *, int, 
struct wpa_ssid *)’
 1653 | int wpas_update_random_addr(struct wpa_supplicant *wpa_s, int
style,
      |     ^~~~~~~~~~~~~~~~~~~~~~~

Fixes: 1d4027fdbe ("Make random MAC address style parameters use common enum values")
Signed-off-by: Chien Wong <m@xv97.com>
2023-08-11 11:25:36 +03:00
Veerendranath Jakkam
d320692d91 AP MLD: Handle new STA event when using SME offload to the driver
Parse link id and station MLD address received from the driver in the
NL80211_CMD_NEW_STA event.

Set MLO information of the station to the sta_info and wpa_sm.

Co-authored-by: Manaswini Paluri <quic_mpaluri@quicinc.com>
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-07-21 19:57:25 +03:00
Kiran Kumar Lokere
4636476b7f Set RRM used config if the (Re)Association Request frame has RRM IE
Set the sme RRM used config if the RRM element is present in the
(Re)Association Request frame sent in association event to cover the
cases where the driver SME takes care of negotiating RRM capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-07-18 16:40:59 +03:00
Jouni Malinen
8e6485a1bc PEAP client: Update Phase 2 authentication requirements
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
 * 0 = do not require Phase 2 authentication
 * 1 = require Phase 2 authentication when client certificate
   (private_key/client_cert) is no used and TLS session resumption was
   not used (default)
 * 2 = require Phase 2 authentication in all cases

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-07-17 21:09:26 +03:00
Jouni Malinen
aa4b8492e4 AP MLD: Provide Link ID when requesting current seqnum for a group key
This is needed to match the key configuration design with a single
netdev and the nl80211 driver interface.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-15 17:43:17 +03:00
Andrei Otcheretianski
172b0a9a2b AP/driver: Add link ID to send EAPOL callbacks
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 16:26:56 +03:00
Ilan Peer
5a61644fff driver: Specify link ID for 'send_mlme' and 'sta_deauth' callbacks
This is needed for the driver to know on which link it should transmit
the frames in MLO cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 16:26:49 +03:00
Ilan Peer
e3605e8093 driver: Allow to provide a link ID when setting a channel
This includes:

- Modifications of the driver API, to include the link ID as part
  of 'struct hostapd_freq_params'.
- Modifications to nl80211 driver.
- Modifications for the driver wrappers.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-06 20:44:25 +03:00