If the currently available scan results include OWE transition mode BSS
with an unknown SSID, optimize the following scan for OWE to use only
the channels on which a known transition mode BSS has been seen.
This is needed to be able to remove the design that updates BSS entries
with the learned OWE SSID in manner that does not result in regression
to scanning latencies.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The local network profile may not have matching SSID (it could be either
the wildcard 0-length SSID or visible SSID in case of OWE transition
mode), so check whether an exact match with a BSS entry can be made
using the current SSID information from the driver (i.e., the SSID of
the current association) when picking the BSS entry to use as the
current one for an association.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Use the Same SSID and Colocated AP bits as an alternative way of finding
a match on the current SSID.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The Reduced Neighbor Report element can include one or more TBTT
Information fields. Only the first one was parsed previously. Extend
this to use a loop to go through all included TBTT Information fields.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Beacon frames are allowed to optionally include one more more Reduced
Neighbor Report elements. Only the first one was parsed previously.
Extend this to use a loop to go through all included RNR elements.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The driver is expected to update the DTIM Count field for each BSS that
corresponds to a nontransmitted BSSID. Initialized this value to 0 in
the Beacon frame template so that the DTIM count would be somewhat
functional even if the driver were not to update this.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In case of low-memory conditions, the computation for legendre symbol
can fail and return -2 as per documentation, but the check for that
was missed here. And this can can cause an infinite loop searching for
qr and qnr if the error repeats for each attempt.
Break the loop if calculation fails, we can leave retry to the callers
or user. This is similar to the way allocation and generation of a new
random number was handled in this loop.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Currently the documentation for QCA_WLAN_VENDOR_ATTR_CONFIG_MLO_LINK_ID
indicates it is only for use inside nest attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_MLO_LINKS. Update the documentation to
allow it to be used outside that nest as well.
Signed-off-by: Mohan Prabu <quic_mprabub@quicinc.com>
Also this EAPOL frame uses the MLD MAC address of the AP MLD when sent
during an MLO association.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
For MLO association, specify destination address as the MLD MAC address
for sending Group Key msg 2/2.
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Leverage the already available control socket cmd "DRIVER_FLAGS2" and
dump the driver capab "flags2" bitmask on triggering the new CLI CMD
"driver_flags2", similar to the already existing CLI CMD "driver_flags".
$ hostapd_cli -i wlan0 driver_flags2
(OR)
$ wpa_cli -i wlan0 driver_flags2
0000000000000020:
BEACON_RATE_HE
Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
This adds the newer driver capability "flags2" bitmask to the
hostapd_cli/wpa_cli "status driver" result.
Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
This was already done for driver_flags, but the newer driver_flags2 was
not covered here.
Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
Populate the switch case in the driver_flag2_to_string() function with
the full list of feature MACROs represented with the "flags2" bitmask.
Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
gcc 12.1 complains about using pointer after realloc as it could
potentially be moved/freed, causing any uses after UB.
Fix this by doing checks before realloc and use those statuses and
update with new BSS.
Signed-off-by: Krishna T <krishna.t@nordicsemi.no>
Set WPA_DRIVER_FLAGS2_SAE_OFFLOAD flag if the driver indicates SAE
authentication offload support for STA mode. Allow SAE password to be
provided to the driver in such cases when using the CONNECT command.
Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu@infineon.com>
Signed-off-by: Daisuke Mizobuchi <mizo@atmark-techno.com>
The key server may be removed due to the ingress packets delay. In this
situation, the endpoint of the key server may not be aware of this
participant who has removed the key server from the peer list. Because
the egress traffic is normal, the key server will not remove this
participant from the peer list of the key server. So in the next MKA
message, the key server will not dispatch a new SAK to this participant.
And this participant cannot be aware of that that is a new round of
communication so that it will not update its MI at re-adding the key
server to its peer list. So we need to update MI to avoid the failure of
re-establishment MKA session.
Signed-off-by: Ze Gan <ganze718@gmail.com>
The key server may not include dist sak and use sak in one packet.
Meanwhile, after dist sak, the current participant (non-key server) will
install SC or SA(s) after decoding the dist sak which may take few
seconds in real physical platforms. Meanwhile, the peer expire time is
always initialized at adding the key server to peer list. The gap
between adding the key server to peer list and processing next use sak
packet may exceed the threshold of MKA_LIFE_TIME (6 s). It will cause an
unexpected cleanup (delete SC and SA(s)), so update the expire timeout
at dist sak also.
Signed-off-by: Ze Gan <ganze718@gmail.com>
Prevent loading arbitrary executable code based on config at runtime,
while allowing libraries to be specified at compile time when they are
known in advance.
Add the ability to configure libraries to load at compile time.
* CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
* CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
* CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.
Add flags with the ability to set each of the libraries to NULL and
prevent loading them at runtime.
* CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine
library.
* CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module
library.
* CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opensc_engine
library.
* CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading EAP libraries at
runtime.
Signed-off-by: David Ruth <druth@chromium.org>
Fix the calls to wc_AesEncryptDirect(). Old versions of wolfCrypt FIPS
had wc_AesEncryptDirect() return void instead of int. Fix this build
issue.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
dpp_config_legacy_gen_two_conf_psk and dpp_config_legacy_gen_two_conf
tried to set a DPP parameter before having verified that CONFIG_DPP was
used in the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
Starting a thread to initiate DPP before starting the responder through
sigma_dut can result in unexpected testing behavior since there may not
be enough time to get the responder enabled before timing out som
initiator actions. Wait a second at the beginning of the initiator
thread in dpp_init_conf() similarly to how this was handled in other
initiator-from-thread cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Wait for stdout/stderr in a more robust manner to avoid blocking the
pipes and kill the sigma_dut process if it fails to terminate cleanly.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpas_dpp_connected() is called from wpa_supplicant_set_state(), i.e.,
from the middle of processing of the post 4-way handshake steps. Sending
a DPP Public Action frame at that point can delay other operations, so
allow those steps to be completed first before sending out the DPP
connection status result.
Signed-off-by: Jouni Malinen <j@w1.fi>