wpa_supplicant used the WPS IE from a Probe Response frame, if one was
received, even if there might have been a more recent Beacon frame with
an updated WPS IE. This could result in using stale information about
active WPS registrar, e.g., when operating on the 6 GHz band.
Prefer WPS IE from a Beacon frame over the default selection of Probe
Response frame (if one has been received) in cases where the Beacon
frame is received more recently than the Probe Response frame and active
WPS Registrar information is being checked. Skip this for the case where
UUID-E is needed since that is not available in the Beacon frame.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
OCV cannot be used without PMF and such a configuration were to be used
with wpa_supplicant, the AP would reject the association. hostapd is
already enabling PMF automatically whenever OCV is being enabled, so do
the same with wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
If a higher priority BSS has invalid security parameters, e.g., an
invalid SAE password, and a lower priority BSS is discovered only after
the local network profile has been temporarily disabled, the BSSID
ignoring mechanism is not sufficient to allow the lower priority BSS to
be tried and all consecutive attempts will continue to use the higher
priority BSS. This might prevent connection in some unexpected cases
with invalid network configuration.
Extend BSSID ignoring mechanism to work in this type of a case by
ignoring the BSSID that resulted in disabling the SSID temporarily
during the first connection attempt after having re-enabled the SSID.
This allows a lower priority BSS, if any is available in scan results,
to be tried next to see if it might have working security parameters.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Fix memory leak of intro.peer_key in wpas_dpp_rx_peer_disc_resp(). The
other code paths were updated to use dpp_peer_intro_deinit(), but this
non-privacy-protection version of the station implementation was missed.
Fixes: 148de3e0dc ("DPP3: Private Peer Introduction protocol")
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This is needed to avoid trying the subsequent connections with the old
PMKID that the AP claims not to hold and continues connection failures.
This was already handled for the SME-in-the-driver case in commit commit
50b77f50e8 ("DPP: Flush PMKSA if an assoc reject without timeout is
received"), but the wpa_supplicant SME case did not have matching
processing.
Add the needed check to avoid recover from cases where the AP has
dropped its PMKSA cache entry. Do this only based on the specific status
code value (53 = invalid PMKID) and only for the PMKSA entry that
triggered this failure to minimize actions taken based on an unprotected
(Re)Association Response frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
This prevents attempts of trying to use PMKSA caching when the existing
entry was created using a different MAC address than the one that is
currently being used. This avoids exposing the longer term PMKID value
when using random MAC addresses for connections.
In practice, similar restriction was already done by flushing the PMKSA
cache entries whenever wpas_update_random_addr() changed the local
address or when the interface was marked down (e.g., for an external
operation to change the MAC address).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to be able to determine whether a PMKSA cache entry is
valid when using changing MAC addresses. This could also be used to
implement a mechanism to restore a previously used MAC address instead
of a new random MAC address.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Using separate variables for BSSID and peer address is needed to support
Wi-Fi Aware (NAN) use cases where the group address is used as the BSSID
and that could be different from any other peer address. The
infrastructure BSS cases will continue to use the AP's BSSID as both the
peer address and BSSID for the PASN exchanges.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Rename struct pasn_data::bssid to peer_addr to be better aligned with
different use cases of PASN and its extensions. This is a step towards
having option to use different peer address and BSSID values for NAN use
cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant has support for only a single FT key hierarchy and as
such, cannot use more than a single mobility domain at a time. Do not
allow FT protocol to be started if there is a request to reassociate to
a different BSS within the same ESS if that BSS is in a different
mobility domain. This results in the initial mobility domain association
being used whenever moving to another mobility domain.
While it would be possible to add support for multiple FT key hierachies
and multiple mobility domains in theory, there does not yet seem to be
sufficient justification to add the complexity needed for that due to
limited, if any, deployment of such networks. As such, it is simplest to
just prevent these attempts for now and start with a clean initial
mobility domain association.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
During cross SSID roaming wpa_supplicant ended up using the default
RSNE/RSNXE in EAPOL-Key msg 2/4 though the driver indicated
(Re)Association Request frame elements without RSNE/RSNXE. This causes
RSNE/RSNXE mismatch between (Re)Association Request frame and EAPOL-Key
msg 2/4.
To avoid this skip copying the default RSNE/RSNXE if the driver
indicates the actually used (Re)Association Request frame elements in
the association event.
Signed-off-by: Utkarsh Soni <quic_usoni@quicinc.com>
Passphrases/PSKs from external password databases were ignored if 4-way
handshake offloading was supported by the driver. Split the PSK loading
functionality into a separate function and calls if to get the PSK for
handshake offloading.
I tested connecting to a WPA2-PSK network with both inline and external
passphrases, using the iwlwifi and brcmfmac drivers.
Signed-off-by: Ben Wolsieffer <benwolsieffer@gmail.com>
In a system with multiple interfaces, the boot messages as well as the
status information provided by `systemctl` can be confusing without
an immediate way to differentiate between the different interfaces.
Fix this by adding the interface name to the unit description.
Signed-off-by: Gioele Barabucci <gioele@svario.it>
The received frame buffer was already verified to be long enough to
include the Advertisement Protocol element and that element was verified
to have a valid length value, but use of adv_proto[1] in another
function may have been too difficult to figure out for analyzers.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to specify a Link ID for set key operation for MLO
connection. This does not change the existing uses and only provides the
mechanism for extension in following commits.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Update the following MLO connection information to wpa_sm:
- AP MLD address and link ID of the (re)association link.
- Bitmap of requested links and accepted links
- Own link address for each requested link
- AP link address, RSNE and RSNXE for each requested link
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Currently, PMK parameters in the WPA state machine are set from
configuration only when the interface is initialized. If those
parameters are changed later via D-Bus, the new values don't have any
effect.
Call wpa_sm_set_param() when PMK-related D-Bus properties are changed
to immediately apply the new value; the control interface also does
something similar.
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add the `sae_check_mfp` global option to limit SAE when PMF will
not be selected for the connection.
With this option SAE is avoided when the hardware is not capable
of PMF due to missing ciphers.
With this option SAE is avoided on capable hardware when the AP
does not enable PMF.
Allows falling back to PSK on drivers with the
WPA_DRIVER_FLAGS_SAE capability but do not support the BIP cipher
necessary for PMF. This enables configurations that can fall back
to WPA-PSK and avoid problems associating with APs configured
with `sae_require_mfp=1`.
Useful when `pmf=1` and `sae_check_mfp=1` are enabled and networks
are configured with ieee80211w=3 (default) and key_mgmt="WPA-PSK SAE".
In this configuration if the device is unable to use PMF due to
lacking BIP group ciphers it will avoid SAE and fallback to
WPA-PSK for that connection.
Signed-off-by: Jeffery Miller <jefferymiller@google.com>
Stop listen mode if there is not sufficient time remaining to complete
the Authentication exchange within the current remain-on-channel
operation. This speeds up the operation and avoids some timeouts that
could prevent the provisioning step from completing. This addresses an
issue that was found in the following test case sequence:
dpp_controller_relay_discover dpp_chirp_ap_5g
Similar mechanism was already used for Reconfig Announcement frames, so
reuse that for this case with Presence Announcement frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
When scanning for a new connection, we currently optimize by scanning
all frequencies only when our MCC capabilities will allow an additional
operating frequency, and scan only the existing operating frequencies
otherwise. This is problematic when there the current operating
frequency singularly accounts for one of the shared radio frequencies
because we should be able to switch operating frequencies without adding
to the channel count. Fix this.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Connection attempt could have been intermittently drop when reconnecting
to the same ESS due the current BSS entry getting removed immediately
after the disconnection for the purpose of reconnecting to the same ESS.
Avoid this by not removing a BSS entry for the same ESS when in this
special state of trying to reconnect to the same ESS.
Signed-off-by : WooYong Kim <wykim@newratek.com>
Scans are allowed on the current interface for group formation only when
in the P2P_SEARCH, P2P_IDLE, or P2P_PROVISIONING state. But Extended
Listen timeout being enabled moves to the P2P_LISTEN_ONLY state. Due to
this P2P connection fails if the GO is not found with scans triggerred
before Extended Listen timeout. To avoid this skip Extended Listen
timeout to allow scans during group formation on the current interface.
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
Clone sae_pwe configuration value when creating a new P2P group
interface. This is needed to avoid P2P connection failure at the P2P
Client side due to SAE H2E being disabled in the 6 GHz band operation
when a new group interface is created for the connection.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
For the 6 GHz opclass 132, ch for loop only allows non-PSC channels { 1,
9, 17, 25, 33, 41, 49,... } to be used. This does not match the IEEE Std
802.11ax-2021 expectation of a 6 GHz-only AP "should set up the BSS with
a primary 20 MHz channel that coincides with a preferred scanning
channel".
Increase ch by 4 to allow PSC channel to be used for 6 GHz BW40.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
struct wpas_pasn is common to both initiator and responder, so rename it
to pasn_data to avoid the "wpas_" prefix that could be seen as a
reference to wpa_supplicant (PASN initiator).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The wpa_s and hapd context are isolated from the PASN initiator and
responder code and this functionality is now in the separate src/pasn
directory. Add option to build libpasn.so with this functionality. This
library can be used by a Wi-Fi Aware component to support NAN pairing
with other devices.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PASN responder validates auth 1 frame and sends auth 2 frame to the
initiator. It analyses the auth 3 frame and verifies successful
authentication. Wi-Fi Aware modules can reuse this functionality through
a shared library libpasn.so generated from this code. Move the PASN
functionality that is now decoupled from the hapd context into a
separate file in a common directory to make it easier to build such a
library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PASN initiator functionality builds auth 1 and auth 3 frames, and
processes auth 2 frame received from the responder. Wi-Fi Aware modules
can reuse this functionality through a shared library libpasn.so
generated from this code. Move the PASN functionality that is now
decoupled from the wpa_s context into a separate file in a common
directory to make it easier to build such a library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is helpful in being able to get the functionality needed for SAE
into a separate library (libpasn.so) without needing all of the
ieee802_11.c functionality.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification defines Beacon RSNE/RSNXE to be same as
RSNE/RSNXE present in Auth2 frame. So, MIC validation should be done
with the RSNE and RSNXE received in Auth2 frame.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification introduces a custom PMKID derived from
Nonce and TAG. This custom PMKID is included in PASN Authentication
frames during pairing verification. So, allow use of a custom PMKID in
PASN frames and validate it using a function handler. Wi-Fi Aware
component that uses libpasn.so should take care of validating the custom
PMKID.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTK is stored in the PTKSA cache following a successful PASN handshake,
however AKMP is removed upon a WPA PASN reset. The PASN handshake is
used in the Wi-Fi Aware R4 specification to define the pairing setup
process. KDK is used to generate a new set of keys, while AKMP is
required for key derivation for pairing. So, keep AKMP in the PTKSA
cache.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This makes hostapd use the struct defines from pasn_common.h so that the
same struct is shared with wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is a step towards decoupling the PASN initiator and responder
implemenentation is decoupled from the wpa_s and hapd contexts and
moving to a common folder for better abstraction. Move the struct
wpas_pasn definition to a common file for initiator and responder. The
idea is to provide a library libpasn.so from PASN common code. Include
C++ compatibilty wrapper to extend libpasn.so support for modules using
cpp code base.
This library can be used in applications implementing protocols based on
the PASN handshake.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Introduce a function handler to transmit PASN Authentication frames to
the driver. This removes the wpa_s dependency from PASN functionality
for sending the frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Get ssid and derive required information for SAE and FILS tunneled PASN
authentication to remove struct wpa_ssid dependency for PASN initiator.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Before invoking wpas_pasn_start(), derive KDK and secure LTF flags.
Instead of using network id for pasn_start(), use a pointer to the
struct wpa_ssid.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Obtain RSNXE capabilities from the driver flags as well and save them in
the wpas_pasn structure.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Remove wpa_s dependency for processing PASN M2 frame and preparing M3
frame. To hold the context of wpa_s when transmitting M3 frame, add cb
ctx.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is a step towards allowing the PASN implementation to be used
outside the context of wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Store PMKSA cache entry in wpas_pasn and remove wpa_sm dependency to add
an entry to PMKSA cache. This is a step towards allowing the PASN
implementation to be used outside the context of wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Use struct wpas_pasn (i.e., &wpa_s->pasn) as the function argument for
the SAE functionality that does not need the full struct wpa_supplicant
context. This is a step towards allowing PASN to be used outside the
context of wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Split wpas_pasn_reset() so that the main reset steps can be used without
an instance of struct wpa_supplicant. This is needed to allow PASN
implementation to be used for additional purposes outside the context of
wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
For wpa_supplicant_get_new_bss(), wpa_s->current_ssid can be NULL in
some cases. Add a NULL check before accessing it to avoid NULL pointer
dereference errors.
Fixes: 7784964cbe ("MLD STA: Fetch MLO connection info into core wpa_supplicant")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The initial wpa_drv_get_mlo_info() implementation cleared only the
valid_links information within struct driver_sta_mlo_info before trying
to fetch the information from the driver. While this is likely going to
work fine in practice, this can result in static analyzer warnings on
use of uninitialized memory (e.g., mlo.assoc_link_id could have been
read if wpa_s->valid_links was set to a nonzero value). In any case, it
is better to avoid such unnecessary warnings by clearing the full data
structure before using it.
Fixes: 7784964cbe ("MLD STA: Fetch MLO connection info into core wpa_supplicant")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>