git.ipfire.org Git - thirdparty/hostap.git/log
Andrei Otcheretianski [Wed, 30 Nov 2022 13:09:39 +0000 (15:09 +0200)] 
wpa_supplicant: Apply same restrictions for MLD as for 6 GHz BSS

Though not explicitly forced by IEEE 802.11be draft yet, it makes sense
to apply the same logic for MLD as for 6 GHz BSSs. Change
wpa_supplicant_ssid_bss_match() accordingly.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Andrei Otcheretianski [Wed, 30 Nov 2022 13:09:36 +0000 (15:09 +0200)] 
nl80211: Support get_sta_mlo_info for SME-in-wpa_supplicant drivers

Query updated MLO information using NL80211_CMD_GET_INTERFACE command.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Wed, 30 Nov 2022 13:09:35 +0000 (15:09 +0200)] 
nl80211: Handle scan results with MLD connection

With an MLD connection the BSSID reported in the association
event is the MLD AP address, while the association state reported
in the scan results relates to the MLD AP specific link. In such a
case do not disconnect.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Wed, 30 Nov 2022 13:09:34 +0000 (15:09 +0200)] 
nl80211: Get MLO support capability

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Andrei Otcheretianski [Wed, 30 Nov 2022 13:09:30 +0000 (15:09 +0200)] 
wpa_supplicant: Make valid_links u16

MAX_NUM_MLD_LINKS is 15, thus u8 isn't enough for the bitmap. Fix it.
While at it, clean MLO information better.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Wed, 30 Nov 2022 13:09:29 +0000 (15:09 +0200)] 
nl80211: Support MLD association request

Define additional association parameters for MLD to be able to indicate
information for all the requested links and fill these into nl80211
attributes.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Wed, 30 Nov 2022 13:09:28 +0000 (15:09 +0200)] 
nl80211: Add support for MLD authentication

Set MLO attributes for NL80211_CMD_AUTHENTICATE and make sure that MLD
configuration is preserved between authentication retries.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Wed, 30 Nov 2022 13:09:26 +0000 (15:09 +0200)] 
ctrl_iface: Report RNR and ML in BSS command

Add the required ML and RNR definitions and report the information in
BSS command.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Andrei Otcheretianski [Wed, 30 Nov 2022 13:09:25 +0000 (15:09 +0200)] 
common: Combine definitions for Multi-Link and per STA profile control

The control fields are 16 bit wide. Combine the per byte definitions to
make it more convenient.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
David Ruth [Wed, 30 Nov 2022 23:33:10 +0000 (23:33 +0000)] 
dbus: Emit more information over D-Bus

Allows informing the connection manager of additional information on CQM
events. Allows the connection manager to request the same information
on demand by using the existing "SignalPoll" method.

* Add new property "SignalChange"
  * Add storage for wpa_signal_info into wpa_supplicant context object
  * Copy memory from event to context object on CQM Event
* Write a common conversion method to be used by both "SignalPoll" and
  this property

Signed-off-by: David Ruth <druth@chromium.org>
David Ruth [Wed, 30 Nov 2022 23:33:09 +0000 (23:33 +0000)] 
Add more nl80211 info to struct wpa_signal_info

Facilitate emitting more station information over D-Bus for use by the
connection manager.

* Add storage for more NL80211_STA_INFO_* fields to data structures, and
  move them through the system.
* Reorder NL80211_STA_INFO_* fields in driver_nl80211.c to match the
  ordering in nl80211.h.
* Convert signal field to an integer to support holding WPA_INVALID_NOISE
  and avoid changing logging.
* Add fields to hostap_sta_driver_data to capture more information:
  * fcs_error_count
  * beacon_loss_count
  * expected_throughput
  * rx_drop_misc
  * rx_mpdus
  * rx_hemcs
  * tx_hemcs
  * rx_he_nss
  * tx_he_nss
  * avg_signal
  * avg_beacon_signal
  * avg_ack_signal
* Add struct hostap_sta_driver_data to struct wpa_signal_info and remove
  redundant fields and redundant attribute parsing
* Change logging when printing txrate to handle unsigned long value

Signed-off-by: David Ruth <druth@chromium.org>
Jouni Malinen [Fri, 2 Dec 2022 19:06:00 +0000 (21:06 +0200)] 
mbssid: Indicate MBSSID information in RNR

Indicate whether the collocated BSS in the RNR is a part of a multiple
BSSID set and whether it is a transmitted BSSID.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:44 +0000 (19:18 -0800)] 
tests: MBSSID and EMA

Add test cases for MBSSID functionality with EMA.

Add helper functions to create the configuration file, start hostapd
instance and client association with the transmitting interface.

he_ap_mbssid_open: 4 VAPs with open security in multiple BSSID
configuration. The first interface transmits beacons and probe responses
which include the multiple BSSID element(s) with remaining profiles.

he_ap_mbssid_same_security: 2 VAPs, all with SAE. In such a case the
Multiple BSSID elements in management frames do not include RSN and RSNE
elements as all non-transmitting profiles have exactly the same security
configuration as the transmitting interface.

he_ap_mbssid_mixed_security{1,2}: 8 VAPs with mixed security
configurations (SAE, OWE, WPA2-PSK, open). he_ap_mbssid_mixed_security1:
Transmitting interface uses SAE. In this case the non-transmitting
profiles will include the Non-Inheritance element (IEEE Std 802.11-2020,
9.4.2.240) wherever the security differs from the transmitting profile.
he_ap_mbssid_mixed_security2: Transmitting profile is open, hence no need
for the Non-Inheritance elements. Instead each non-transmitting profile
includes RSN, RSNE if applicable.

he_ap_ema: Enhanced multi-BSS advertisements (EMA) with 8 VAPs all with
SAE configuration.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:43 +0000 (19:18 -0800)] 
mbssid: Add nl80211 support

Send MBSSID and EMA configuration parameters to the kernel.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Aloka Dixit [Thu, 1 Dec 2022 03:18:42 +0000 (19:18 -0800)] 
mbssid: Make the AID space shared

As described in IEEE Std 802.11-2020, 11.1.3.8 Multiple BSSID procedure,
set the lowest AID value assigned to any client equal to 2^n, where n is
the maximum BSSID indicator of the MBSSID set.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Aloka Dixit [Thu, 1 Dec 2022 03:18:41 +0000 (19:18 -0800)] 
mbssid: Process Known BSSID element

Process the Known BSSID elements if included by non-AP stations. The
format is described in IEEE Std 802.11ax-2021, 9.4.2.261.

Non-AP stations may include this element in directed Probe Request
frames to indicate which of the multiple BSSIDs they have already
discovered. AP should exclude these profiles from the Probe Response
frame.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:40 +0000 (19:18 -0800)] 
mbssid: Add MBSSID Configuration element

Add Multiple BSSID Configuration element data per IEEE Std
802.11ax-2021, 9.4.2.260 when enhanced multiple BSSID advertisement
(EMA) is enabled. This element informs the stations about the EMA
profile periodicity of the multiple BSSID set.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:39 +0000 (19:18 -0800)] 
mbssid: Set extended capabilities

Set extended capabilities as described in IEEE Std 802.11ax-2021,
9.4.2.26. Reset the capability bits to 0 explicitly if MBSSID and/or EMA
is not enabled because otherwise some client devices fail to associate.

Bit 80 (complete list of non-tx profiles) is set for all Probe Response
frames, but for Beacon frames it is set only if EMA is disabled or if
EMA profile periodicity is 1.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Aloka Dixit [Thu, 1 Dec 2022 03:18:38 +0000 (19:18 -0800)] 
mbssid: Configure parameters and element data

Add helper functions to retrieve the context for the transmitting
interfaces of the MBSSID set and the index of a given BSS.

Set device parameters: BSS index and the transmitting BSS.

Include Multiple BSSID elements in Beacon and Probe Response frames.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Aloka Dixit [Thu, 1 Dec 2022 03:18:37 +0000 (19:18 -0800)] 
mbssid: Add Non-Inheritance element

Add data per IEEE Std 802.11-2020, 9.4.2.240. Current implementation is
added for the security and extended supported rates only.

For the Extended rates element, add a new member 'xrates_supported'
which is set to 1 only if hostapd_eid_ext_supp_rates() returns success.
Without this change, there are cases where this function returns before
adding the element for the transmitting interface resulting in incorrect
addition of this element inside the MBSSID Non-Inheritance element.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Signed-off-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:36 +0000 (19:18 -0800)] 
mbssid: Functions for building Multiple BSSID elements

Add Multiple BSSID element data per IEEE Std 802.11ax-2021, 9.4.2.45.
Split the BSSes into multiple elements if the data does not fit in
the 255 bytes allowed for a single element.

Store the total count of elements created and the offset to the start
of each element in the provided buffer.

Set the DTIM periods of non-transmitted profiles equal to the EMA
profile periodicity if those are not a multiple of the latter already as
recommended in IEEE Std 802.11ax-2021, Annex AA (Multiple BSSID
configuration examples).

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Aloka Dixit [Thu, 1 Dec 2022 03:18:35 +0000 (19:18 -0800)] 
mbssid: Configure all BSSes before beacon setup

When the multiple BSSID advertisement feature is enabled in IEEE 802.11ax
mode or later, Beacon frames are not transmitted per interface; instead,
only one of the interfaces transmits Beacon frames that include one or
more Multiple BSSID elements with configuration for the remaining
interfaces on the same radio.

Change the existing logic such that all configuration details for all
the interfaces are available while building the Beacon frame template
for the transmitting interface itself.

Do not change the flow for the cases where multiple BSSID advertisement
is not enabled.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:34 +0000 (19:18 -0800)] 
mbssid: Retrieve driver capabilities

Retrieve driver capabilities for the maximum number of interfaces for
MBSSID and the maximum allowed profile periodicity for enhanced MBSSID
advertisement.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:33 +0000 (19:18 -0800)] 
mbssid: Add new configuration option

Add configuration option 'mbssid' used to enable multiple BSSID (MBSSID)
and enhanced multiple BSSID advertisements (EMA) features.

Reject the configuration if any of the BSSes have hidden SSID enabled.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Daniel Gabay [Thu, 1 Dec 2022 16:54:35 +0000 (18:54 +0200)] 
AP: Add testing option to delay EAPOL Tx

Add a testing option to delay EAPOL-Key messages 1/4 and 3/4. By setting
delay_eapol_tx=1, the actual EAPOL Tx will occur on the last possible
attempt (wpa_pairwise_update_count) thus all previous attempts will fail
on timeout which is the wanted delay.

In addition, add a hwsim test that uses this testing option to verify
that non-protected Robust Action frames are dropped prior to key
installation in MFP.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Andrzej Ostruszka [Thu, 1 Dec 2022 15:43:44 +0000 (16:43 +0100)] 
dbus: Add D-Bus property for current MAC address

Since wpa_supplicant can change MAC address of the interface on its own
(with randomization enabled) it makes sense to introduce MACAddress as a
property of the interface and send notifications about its change.

This allows other applications to just use D-Bus instead of both
communicating over D-Bus with wpa_supplicant and listening to Netlink
notifications for MAC changes.

Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
Jouni Malinen [Thu, 1 Dec 2022 15:03:43 +0000 (17:03 +0200)] 
tests: EAP-TEAP with and without EAP method sequence optimization

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Thu, 1 Dec 2022 15:04:13 +0000 (17:04 +0200)] 
EAP-TEAP server: Allow tunneled EAP method sequence to be optimized

Include the start of the next EAP method in an EAP Payload TLV in the
same message with the Crypto-Binding TLV for the previous EAP method to
get rid of one roundtrip when using more than a single EAP
authentication method within the tunnel. The previous, not optimized,
sequence can still be used with eap_teap_method_sequence=1 for more
complete testing coverage.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Thu, 1 Dec 2022 15:00:56 +0000 (17:00 +0200)] 
EAP-TEAP peer: Process Crypto-Binding TLV before EAP Payload TLV

When using the optimized EAP method sequence within the tunnel, crypto
binding for the previous EAP method can be performed in the same message
with the start of the next EAP method. The Crypto-Binding TLV needs to
be processed before moving to the next EAP method for IMSK to be derived
correctly, so swap the order of these processing steps.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Thu, 1 Dec 2022 14:03:06 +0000 (16:03 +0200)] 
EAP-TEAP: Use EAP-FAST-MSCHAPv2 in the tunnel

While RFC 7170 does not describe this, EAP-TEAP has been deployed with
implementations that use the EAP-FAST-MSCHAPv2, instead of the
EAP-MSCHAPv2, way of deriving the MSK for IMSK. Use that design here to
interoperate with other implementations since that seems to be the
direction that the IETF EMU WG is likely to go with an RFC 7170 update.

This breaks interoperability with earlier hostapd/wpa_supplicant
versions.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Thu, 1 Dec 2022 13:56:29 +0000 (15:56 +0200)] 
EAP-FAST: Move EAP-MSCHAPv2 special MSK handling into MSCHAPv2

EAP-FAST uses a special variant of EAP-MSCHAPv2 called EAP-FAST-MSCHAPv2
in RFC 5422. The only difference between that and EAP-MSCHAPv2 is in how
the MSK is derived. While this was supposed to be specific to EAP-FAST,
the same design has ended up getting deployed with EAP-TEAP as well.
Move this special handling into EAP-MSCHAPv2 implementation so that it
can be shared for both needs.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Avraham Stern [Thu, 1 Dec 2022 10:01:45 +0000 (12:01 +0200)] 
nl80211: Increase the scan frequencies buffer

With the UHB enabled, the number of scanned frequencies may exceed
the buffer size. Increase it.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Andrei Otcheretianski [Wed, 30 Nov 2022 15:02:47 +0000 (17:02 +0200)] 
tests: Extend EHT estimated throughput testing

Add a basic test to verify AP selection algorithm with EHT AP.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ayala Beker [Wed, 30 Nov 2022 15:02:46 +0000 (17:02 +0200)] 
wpa_supplicant: Support throughput estimation for EHT rates

Add support to consider EHT rates while calculating the estimated
throughput for scan results.

- The estimated EHT throughput uses the HE 0.8 usec GI rates from the
  relevant EHT-MCS tables from IEEE P802.11be/D2.0, 36.5.
- The minimum SNR values for EHT rates (4096-QAM) are derived by adding
  the existing minimum SNR values of 1024-QAM rates from HE tables and
  the difference between the values of minimum sensitivity levels of
  1024-QAM rates and 4096-QAM rates defined in Table 36-67 (Receiver
  minimum input level sensitivity) in IEEE P802.11be/D2.0.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Micha Hashkes [Wed, 30 Nov 2022 15:05:43 +0000 (17:05 +0200)] 
wpa_supplicant: Add missing memory allocation checks

There are several cases where memory allocations are not
checked for success. Add conditions and error messages, as some
analyzers complain about that.

Signed-off-by: Micha Hashkes <micha.hashkes@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Andrei Otcheretianski [Wed, 30 Nov 2022 15:05:42 +0000 (17:05 +0200)] 
OpenSSL: Fix BN_rshift() argument order

The arguments were swapped. Apparently all the calls to this function
use the same value for both input and output parameters, so it went
unnoticed. Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Wed, 30 Nov 2022 12:01:55 +0000 (14:01 +0200)] 
OpenSSL: Apply connection flags before reading certificates

This is needed to be able to drop the OpenSSL security level, if
necessary, for cases where old certificates (e.g., something using SHA-1
signatures) are still needed. openssl_ciphers="DEFAULT@SECLEVEL=0" can
achieve this, but only if applied before attempting to load the
certificates.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 29 Nov 2022 18:36:15 +0000 (20:36 +0200)] 
SAE: Add an enum for defining sae_pwe parameter values

Make this more readable by replacing magic numbers with enum values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jimmy Chen [Tue, 13 Apr 2021 06:55:52 +0000 (14:55 +0800)] 
SAE: Enable H2E for 6 GHz BSS

Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz, so enable H2E automatically when
connecting to a BSS on the 6 GHz band if it was not enabled in the
configuration.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
Nicolas Escande [Tue, 29 Nov 2022 16:02:37 +0000 (17:02 +0100)] 
AP: Enable H2E on 6 GHz when SAE is used

Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz. So let's automatically enable it by
setting sae_pwe=2. This will allow both the hunting-and-pecking and
hash-to-element to work (and be backward compatible).

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Sai Pratyusha Magam [Mon, 28 Nov 2022 13:02:52 +0000 (18:32 +0530)] 
WPS: Cross band overlap detection with multiple interfaces

When WPS is running simultaneously on multiple per-band radios (e.g.,
separate 2.4 GHz and 5 GHz band radios in an AP device), handle
synchronization of scan results, detect PBC session overlap, and cancel
WPS for enrollees on both interfaces, if the UUIDs of the registrars on
different bands differ.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Jouni Malinen [Tue, 29 Nov 2022 14:37:54 +0000 (16:37 +0200)] 
tests: Public key hash information in authentication and AP association

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Michal Kazior [Tue, 11 May 2021 10:56:18 +0000 (10:56 +0000)] 
DPP: Expose own and peer bootstrap info ids on authentication success

The system may be interested in knowing which bootstrap information
entries are being exercised. This could be used for statistics or
completion signaling to upper application layer outside of hostapd,
along with the public key hash.

Signed-off-by: Michal Kazior <michal@plume.com>
Michal Kazior [Tue, 11 May 2021 10:56:17 +0000 (10:56 +0000)] 
DPP: Expose enrollee pubkey hash for identification

Just like with WPA-PSK and keyids it may be desired to identify
connecting clients to provide additional network filtering.

This does:

 - extend DPP_EVENT_AUTH_SUCCESS to expose public key hash of the peer so
   the system can pick it up and use for identification later

 - store public key hash in PMKSA from DPP Network Intro for later use

 - extend sta mib to print out the dpp_pkhash from PMKSA if present

 - extend AP_STA_CONNECTED to include the dpp_pkhash from PMKSA if present

Signed-off-by: Michal Kazior <michal@plume.com>
Michal Kazior [Tue, 11 May 2021 10:56:16 +0000 (10:56 +0000)] 
DPP: Move DPP_EVENT_AUTH_SUCCESS to a helper

This event is generated in a couple of places. It'll be easier to extend
the event with additional metadata if it's generated in a single place.

Signed-off-by: Michal Kazior <michal@plume.com>
Maximilian Bosch [Wed, 5 May 2021 13:53:43 +0000 (15:53 +0200)] 
Implement read-only mode for SSIDs from the additional config (-I)

On NixOS[1] - a Linux distribution which allows configuring a full OS
declaratively - it's possible to configure SSIDs for `wpa_supplicant`
like this:

    networking.wireless.networks = {
      myssid = {
        pskRaw = "<redacted>";
      };
    };

It's also possible to add networks "imperatively" using `wpa_gui` or
`wpa_cli`. However it's not possible to do both because if the first
option is used, NixOS creates a read-only symlink at
`/etc/wpa_supplicant.conf` and then it's not possible for
`wpa_supplicant` anymore to write to it.

This patch aims to help us change this: while "declarative" SSID
configuration can be quite useful, it's a bad idea for e.g. sensitive
stuff like a WPA2 enterprise network.

The original idea was to use `-I`[2] for immutable configs (including
"declarative" networks) on NixOS and `-c /etc/wpa_supplicant.conf` for
anything "imperative".

However this doesn't really work out because if a wifi network from a
config file specified with `-I` is changed by e.g. `wpa_gui`, it's
silently overwritten in `/etc/wpa_supplicant.conf` (specified with
`-c`) which is IMHO unintuitive (in our case at least). This patch
basically declares each network defined in a config file passed via `-I`
to `wpa_supplicant` as "read-only" and doesn't write these "read-only"
networks to `/etc/wpa_supplicant.conf`.

A bit more context can be found on GitHub in the PR where I implemented
this[3].

[1] https://nixos.org/
[2] Added in e6304cad47251e88d073553042f1ea7805a858d1
[3] https://github.com/NixOS/nixpkgs/pull/113716

Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
Jouni Malinen [Mon, 28 Nov 2022 21:01:19 +0000 (23:01 +0200)] 
tests: Automatic channel selection for 40 MHz channel (HE)

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Nicolas Escande [Wed, 27 Apr 2022 13:37:02 +0000 (15:37 +0200)] 
ACS: Allow selecting a better channel when using 40/80/160 MHz

When considering a channel for a bandwidth of 40/80/160 MHz on the 5 GHz
or 6 GHz band, allow selecting one of the other channels in the segment
instead of the first one. This is done only if the other channel's
interference_factor is lower than the first one's.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Nicolas Escande [Wed, 27 Apr 2022 13:37:01 +0000 (15:37 +0200)] 
ACS: introduce acs_adjust_secondary

When using 40/80/160 MHz bandwidth on the 5 GHz or 6 GHz band, enforce
the secondary channel to be the other channel of the corresponding 40
MHz segment.

Even if this is useless for now, this is preparatory work to allow ACS
to select a primary channel which is not the first of its segment.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Nicolas Escande [Wed, 27 Apr 2022 13:37:00 +0000 (15:37 +0200)] 
ACS: Introduce acs_get_bw_center_chan()

When using 40/80/160 MHz bandwidth, instead of computing the index of
the segment center freq based on the selected channel, let's look it up
in the bw_desc[] table.

This is preparative work to allow selecting a primary channel which is
not the first of the segment.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Nicolas Escande [Wed, 27 Apr 2022 13:36:59 +0000 (15:36 +0200)] 
ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan()

This extracts the 3 lists of allowed channels for 40/80/160 MHz
bandwidth out of their respective functions. It also adds for each
segment the frequency of the segment's last channel and the index of the
segment's "center" channel.

This is preparative work to allow selecting a channel which is not the
first of its segment for 40/80/160 MHz. In addition, this adds the 5 GHz
160 MHz channel defined for 5735-5895 MHz (channels 149-177).

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Jouni Malinen [Mon, 28 Nov 2022 17:10:40 +0000 (19:10 +0200)] 
tests: Random MAC address per ESS (mac_addr=3)

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Andrzej Ostruszka [Wed, 10 Nov 2021 19:16:35 +0000 (19:16 +0000)] 
wpa_supplicant: Add support for pregenerated MAC

Add new 'mac_addr' policy (3) with which the supplicant expects to also
obtain 'mac_value' with a pregenerated value of the MAC address to be
used for the given SSID.

The main difference between this policy and policy 1 is the ability to
control persistence of the MAC address used. For example, if there is
a requirement to always use the same (but random) MAC address for a given
SSID (even if the user removes/forgets the network) this could be handled
outside of wpa_supplicant by using some SSID based hashing scheme to
generate the MAC (or by just storing the randomly generated one) and
providing it to wpa_supplicant together with the mac_addr=3 policy.

Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
Sharadanand Karanjkar [Tue, 5 Apr 2022 13:51:18 +0000 (15:51 +0200)] 
mesh: Do not allow open mode key in 6 GHz

IEEE Std 802.11ax-2021, 12.12 explicitly disallows use of Open System
authentication without encryption on the 6 GHz band.

Signed-off-by: Sharadanand Karanjkar <skaranjkar@datto.com>
Ilan Peer [Wed, 11 May 2022 09:40:36 +0000 (12:40 +0300)] 
P2P: Include only 6 GHz PSCs in full scan

As P2P GOs are not expected to be collocated, i.e., they are not
expected to be announced in the RNR element of other APs, they can
operate only on preferred scanning channels (PSCs).

When performing a full scan for P2P discovery, include only the 6 GHz
PSCs (if supported) to avoid scanning channels on which P2P GOs are not
expected to reside.

While at it, also fix a couple of places that missed including 60 GHz
channels in the P2P full scan.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Jouni Malinen [Mon, 28 Nov 2022 14:37:08 +0000 (16:37 +0200)] 
tests: DPP Controller/Relay with chirping (duplicate)

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Mon, 28 Nov 2022 14:35:01 +0000 (16:35 +0200)] 
DPP: Use existing TCP connection to replay duplicate Presence Announcement

Instead of opening a new TCP connection for each received Presence
Announcement from the same Enrollee from the Relay to the Controller,
use an existing connection if it is still waiting for Authentication
Response. This avoids opening multiple parallel sessions between the
same Controller and Enrollee.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Eliot Lear [Thu, 23 Jun 2022 10:58:38 +0000 (12:58 +0200)] 
DPP: Don't close TCP connection for duplicate Presence Announcements

If wpa_supplicant receives a duplicate DPP chirp over a TCP connection
this causes the connection (and all of its state) to be torn down.
Such a tear-down means that the authentication request state is discarded.
That in turn will cause any otherwise valid authentication response
to not succeed.

This commit addresses that problem. It also does not attempt to check
for duplicates until at least we know that we have an appropriate hash.

Signed-off-by: Eliot Lear <lear@lear.ch>
2 years ago  tests: Add mode for running UML kernel under gdb
Johannes Berg [Mon, 13 Jun 2022 13:25:37 +0000 (15:25 +0200)] 
tests: Add mode for running UML kernel under gdb

The new --gdb option can be used when KERNELDIR (and optionally
MODULEDIR) are set and we therefore run UML. It runs the entire
VM under the debugger, with a script to load the right modules
into gdb so you can debug easily.

This needs CONFIG_GDB_SCRIPTS=y to be used in the kernel build.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2 years ago  tests: hostapd behavior with second BSS bridge interface already existing
Jouni Malinen [Mon, 28 Nov 2022 09:20:23 +0000 (11:20 +0200)] 
tests: hostapd behavior with second BSS bridge interface already existing

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2 years ago  Add a callback to notify added PMKSA cache entry details
Vinay Gannevaram [Sun, 20 Nov 2022 13:57:51 +0000 (19:27 +0530)] 
Add a callback to notify added PMKSA cache entry details

Add a callback handler to notify details of a PMKSA cache entry when it
is added to the PMKSA cache. This can be used to provide external
components more convenient access to the PMKSA cache contents.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2 years ago  tests: Check hostapd PID file removal in all cases
Jouni Malinen [Sun, 27 Nov 2022 13:54:26 +0000 (15:54 +0200)] 
tests: Check hostapd PID file removal in all cases

Only one of the test cases was doing this, but it's more robust for all
the cases using a dynamically started hostapd process to do the same.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  tests: Add ap_reload_bss_only
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:27 +0000 (13:08 +0200)] 
tests: Add ap_reload_bss_only

The test checks that when the SSID of a BSS is changed using
SET+RELOAD_BSS, the stations already connected to other BSSes on the
same radio are not disconnected.

It also checks that stations can connect using the new SSID after the
reload.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2 years ago  hostapd: Add RELOAD_BSS
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:26 +0000 (13:08 +0200)] 
hostapd: Add RELOAD_BSS

When using multiple BSSes on a single radio, it is sometimes desirable
to reconfigure one BSS, without disconnecting the stations already
connected to other BSSes on the same radio.

When a BSS is reconfigured using the SET command, there is no "old"
configuration we can compare to (so we cannot compare a hash of the
configuration for example).

One possible solution would be to make the current RELOAD command
reload only the current BSS. However, that could break the workflow of
existing users. Instead, introduce a new RELOAD_BSS command, which
reloads only the current BSS.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2 years ago  tests: Add ap_config_reload_on_sighup_config_id
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:25 +0000 (13:08 +0200)] 
tests: Add ap_config_reload_on_sighup_config_id

The test checks that when reloading the configuration with SIGHUP,
stations that are connected to BSSes whose config_id did not change are
not disconnected. It also checks that for the BSSes that have a
different config_id and SSID, the new SSID is applied correctly.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2 years ago  tests: Add iface_params and bss_params to write_hostapd_config()
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:24 +0000 (13:08 +0200)] 
tests: Add iface_params and bss_params to write_hostapd_config()

To make it easier to write custom hostapd configuration files, add
"iface_params" and "bss_params".

They are both meant to be lists of parameters that the user can supply
to append additional parameters to the configuration file.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2 years ago  hostapd: Add config_id to GET_CONFIG output
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:23 +0000 (13:08 +0200)] 
hostapd: Add config_id to GET_CONFIG output

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2 years ago  hostapd: Add config_id parameter
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:22 +0000 (13:08 +0200)] 
hostapd: Add config_id parameter

Add a new configuration parameter: config_id.

If set, only do hostapd_clear_old() for the BSSes for which the
config_id changed.

This makes it possible to reconfigure specific BSSes on a radio,
without disconnecting clients connected to other, unchanged BSSes of
the same radio.

This patch adapted from a patch authored by John Crispin in the
OpenWrt repository:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/hostapd/patches/700-wifi-reload.patch;h=c5ba631a0fc02f70714cb081b42fcf6cb9694450;hb=60fb4c92b6b0d1582d31e02167b90b424185f3a2

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
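The reload rule the commit describes, as an added example rather than hostapd's own code: a minimal parser for the hostapd.conf section layout (the first 'interface=' opens the first BSS and also carries the radio-level parameters; each later 'bss=' opens another BSS) and a helper that decides which BSSes still need hostapd_clear_old_bss() by comparing config_id values. The two configurations, the helper names and the "missing config_id means clear" fallback are this example's assumptions.

```python
"""Which BSSes need hostapd_clear_old_bss() on a config reload, by config_id.

Added example, not hostapd's own code: it models the rule from the commit
message (clear only BSSes whose config_id changed) on top of a minimal
parser for the hostapd.conf section layout. The two configurations below
are constructed for the example; 'bsses_to_clear' and 'reload_plan' are
illustrative helpers, not hostapd functions.
"""


def parse_hostapd_conf(text):
    """Return the BSS sections of a hostapd.conf as a list of dicts, in file order."""
    bsses = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        if key in ("interface", "bss"):
            cur = {"ifname": value}
            bsses.append(cur)
        elif cur is None:
            raise ValueError("parameter before first interface= line: %r" % raw)
        else:
            cur[key] = value
    return bsses


def bsses_to_clear(old_bsses, new_bsses):
    """Interfaces whose stations must be deauthenticated on reload.

    Kept (clients stay connected): a BSS present in both configurations
    with the same config_id. Cleared: a BSS that is new, or whose config_id
    is missing on either side (nothing to compare, so fall back to the old
    clear-everything behaviour), or whose config_id changed.
    """
    old_by_name = {b["ifname"]: b for b in old_bsses}
    to_clear = []
    for bss in new_bsses:
        prev = old_by_name.get(bss["ifname"])
        if prev is None:
            to_clear.append(bss["ifname"])
            continue
        old_id, new_id = prev.get("config_id"), bss.get("config_id")
        if old_id is None or new_id is None or old_id != new_id:
            to_clear.append(bss["ifname"])
    return to_clear


# Constructed configurations: only the guest BSS changes (new SSID, new config_id).
OLD_CONF = """\
interface=wlan0
driver=nl80211
hw_mode=g
channel=6
ssid=corp
config_id=corp-v1
bss=wlan0-1
ssid=guest
config_id=guest-v1
"""

NEW_CONF = OLD_CONF.replace("ssid=guest\n", "ssid=guest-2\n").replace("guest-v1", "guest-v2")


def reload_plan(old_text, new_text):
    """Interfaces to clear when moving from old_text to new_text."""
    return bsses_to_clear(parse_hostapd_conf(old_text), parse_hostapd_conf(new_text))


if __name__ == "__main__":
    print("clear on reload:", reload_plan(OLD_CONF, NEW_CONF))  # ['wlan0-1']
```

Stations on wlan0 (corp) survive the reload because its config_id is unchanged; dropping config_id from a BSS puts that BSS back on the old always-clear path, which is the safe default when the operator gives hostapd nothing to compare.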
2 years ago  Split BSS-specific hostapd_clear_old_bss() from hostapd_clear_old()
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:21 +0000 (13:08 +0200)] 
Split BSS-specific hostapd_clear_old_bss() from hostapd_clear_old()

In hostapd_clear_old() multiple steps are needed to clear a BSS.
There are some places where it would be desirable to clear only some
BSSes and not all.

To make it easier to clear only some BSSes, split hostapd_clear_old()
with hostapd_clear_old_bss(), which does the same actions but on a
single BSS.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2 years ago  dbus: Add dbus notify when wpa_s->key_mgmt changes
xinpeng wang [Thu, 28 Jul 2022 08:19:42 +0000 (16:19 +0800)] 
dbus: Add dbus notify when wpa_s->key_mgmt changes

For WPA2/WPA3 authentication mode, wpa_supplicant needs to notify
CurrentAuthMode property change when wpa_s->key_mgmt changes, so
NetworkManager can judge whether it needs to request a password based on
this.

Call wpas_notify_auth_changed() when starting a new connection item,
i.e., after having updated wpa_s->key_mgmt.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2 years ago  tests: Random MAC address with two APs
Jouni Malinen [Sun, 27 Nov 2022 10:17:41 +0000 (12:17 +0200)] 
tests: Random MAC address with two APs

This verifies locally generated deauthentication determination when the
MAC address changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  nl80211: Check previous MAC address for locally-generated-deauth
Andrzej Ostruszka [Mon, 13 Jun 2022 12:09:13 +0000 (14:09 +0200)] 
nl80211: Check previous MAC address for locally-generated-deauth

When using MAC randomization wpa_supplicant can change the local MAC
address during a roaming scenario:

1. We attach to AP1 (with MAC1/SSID1).
2. Roaming to AP2 (with MAC2/SSID2) is started:
  a) we send DEAUTH(for AP1, with MAC1)
  b) we change MAC to MAC2 due to randomization
  c) we start authentication for AP2
  d) we get notification about DEAUTH for AP1 (which we ignore)
  e) we complete association with AP2

In point 2d we completely ignore the notification which later causes
problems. This happens if the deauthentication event is generated by the
local driver (e.g., due to beacon loss) instead of AP2 sending an
explicit Deauthentication frame.

The intended behavior is as follows: during roaming we generate DEAUTH
(2a) and signal this event right away. To protect from handling of our
own DEAUTH for the 2nd time the supplicant marks the
'ignore_next_local_deauth' variable. In point 2d we should receive this
notification and clear the flag, but this does not happen because MAC1 in
the notification is not the current MAC address (it has been changed in
2b), so this notification is ignored as one with a "foreign" address.

So we end up successfully at AP2 but with 'ignore_next_local_deauth'
still set, which causes problems. For example, if AP2 shuts down it has
been observed on some drivers that the DEAUTH notification is generated
as a local one and since we have the flag to ignore it nothing is reported
over D-Bus.

To address the problem let's store the previously used MAC address and
use it for checking for a foreign address (in combination with the
current one).

Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
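The race in the commit message, played out in an added example (not wpa_supplicant's code): a small model of the driver event filter and the ignore_next_local_deauth flag, run once with the old current-address-only check and once with the previous address also accepted. The event fields, method names and the 'reported' list standing in for D-Bus signalling are assumptions of the example.

```python
"""Roaming race from the commit message: the locally generated DEAUTH for
the old AP arrives after the local MAC address has been randomized, so a
filter that accepts only the current address drops it and the
ignore_next_local_deauth flag is never cleared.

Added example, not wpa_supplicant's own code. The driver event path and
the supplicant flag are reduced to a few methods; the event fields
(dst_addr, bssid, locally_generated), the method names and the 'reported'
list standing in for D-Bus signalling are assumed for illustration.
check_prev_addr=True models the fix (also accept the previous address).
"""


class Supplicant:
    def __init__(self, own_addr, check_prev_addr):
        self.own_addr = own_addr
        self.prev_addr = None
        self.check_prev_addr = check_prev_addr
        self.ignore_next_local_deauth = False
        self.reported = []  # events that reach the D-Bus / ctrl_iface client

    def send_deauth(self, bssid):
        # Step 2a: we deauthenticate from the old AP ourselves, report it at
        # once and arrange to ignore the driver's echo of our own DEAUTH.
        self.reported.append(("DEAUTH", bssid, "local"))
        self.ignore_next_local_deauth = True

    def randomize_mac(self, new_addr):
        # Step 2b: remember the address we just gave up.
        self.prev_addr, self.own_addr = self.own_addr, new_addr

    def accepted_addrs(self):
        addrs = {self.own_addr}
        if self.check_prev_addr and self.prev_addr is not None:
            addrs.add(self.prev_addr)
        return addrs

    def driver_deauth_event(self, dst_addr, bssid, locally_generated):
        """Return what happened to a DEAUTH event delivered by the driver."""
        if dst_addr not in self.accepted_addrs():
            return "dropped-foreign"          # frame was not addressed to us
        if locally_generated and self.ignore_next_local_deauth:
            self.ignore_next_local_deauth = False
            return "ignored-own-deauth"       # echo of step 2a, consumed
        self.reported.append(("DEAUTH", bssid, "local" if locally_generated else "remote"))
        return "reported"


def roam_then_ap2_goes_away(check_prev_addr):
    """Run steps 2a-2d, then let AP2 disappear; return both outcomes."""
    mac1, mac2 = "02:00:00:00:01:01", "02:00:00:00:02:02"   # constructed
    ap1, ap2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"     # constructed
    sta = Supplicant(mac1, check_prev_addr)
    sta.send_deauth(ap1)                                            # 2a
    sta.randomize_mac(mac2)                                         # 2b
    step_2d = sta.driver_deauth_event(mac1, ap1, locally_generated=True)
    # 2c/2e: authentication and association with AP2 complete (not modelled).
    # Later AP2 shuts down and the driver reports it as a local DEAUTH.
    ap2_gone = sta.driver_deauth_event(mac2, ap2, locally_generated=True)
    return step_2d, ap2_gone


if __name__ == "__main__":
    print("without fix:", roam_then_ap2_goes_away(False))  # ('dropped-foreign', 'ignored-own-deauth')
    print("with fix:   ", roam_then_ap2_goes_away(True))   # ('ignored-own-deauth', 'reported')
```

Without the previous-address check the stale flag swallows the first real local DEAUTH that comes later, so the loss of AP2 is never reported; with it, the step 2d echo is consumed as intended and the AP2 event reaches the client.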
2 years ago  wpa_supplicant: Convert SSID into printable form before printing
Kaidong Wang [Wed, 15 Jun 2022 19:55:43 +0000 (19:55 +0000)] 
wpa_supplicant: Convert SSID into printable form before printing

SSID may include unprintable characters. This change converts
unprintable characters into printable form before printing SSID in the
function wpas_send_ctrl_req(). The conversion is based on the function
wpa_ssid_txt().

Signed-off-by: Kaidong Wang <kaidong@chromium.org>
2 years ago  Mark authorization completed on driver indication during 4-way HS offload
Vinayak Yadawad [Thu, 30 Jun 2022 04:07:53 +0000 (09:37 +0530)] 
Mark authorization completed on driver indication during 4-way HS offload

In case of drivers supporting 4-way handshake offload, mark port
authorized and state completion only if the driver advertises authorized
state in the connect event. Otherwise there are fair chances of the
driver port authorization API getting called while 4-way handshake is in
progress at the lower layer.

In order to avoid this possible race condition always update port
authorization and supplicant state WPA_COMPLETED setting from
EVENT_PORT_AUTHORIZED context when the driver is done with the 4-way
handshake.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2 years ago  D-Bus: Split set_cred_properties() into two functions
Jouni Malinen [Sun, 27 Nov 2022 07:51:58 +0000 (09:51 +0200)] 
D-Bus: Split set_cred_properties() into two functions

Reduce the number of indentation levels here and make this a bit more
readable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  D-Bus: Hotspot 2.0 credentials with multiple domains
Damien Dejean [Thu, 28 Jul 2022 08:19:18 +0000 (08:19 +0000)] 
D-Bus: Hotspot 2.0 credentials with multiple domains

Add the support of multiple domains for interworking credentials in
D-Bus API AddCred() using an array of strings.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2 years ago  ctrl: Fix compilation with UDP control interface
Janusz Dziedzic [Sat, 26 Nov 2022 18:29:30 +0000 (19:29 +0100)] 
ctrl: Fix compilation with UDP control interface

Fix compilation issue when using the following build parameter:
CONFIG_CTRL_IFACE=udp-remote

Fixes: 0aae045af0c5 ("ctrl: Print the source address of the received commands")
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2 years ago  RSN: Split EAPOL-Key msg 3/4 processing for WPA(v1)
Jouni Malinen [Sun, 27 Nov 2022 08:36:28 +0000 (10:36 +0200)] 
RSN: Split EAPOL-Key msg 3/4 processing for WPA(v1)

Separate more of WPA(v1) functionality away from the RSN processing
code path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  RSN: Split EAPOL-Key msg 1/4 processing for WPA(v1)
Jouni Malinen [Sun, 27 Nov 2022 08:28:56 +0000 (10:28 +0200)] 
RSN: Split EAPOL-Key msg 1/4 processing for WPA(v1)

Separate more of WPA(v1) functionality away from the RSN processing
code path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  RSN: Split EAPOL-Key group msg 1/2 processing more completely for WPA(v1)
Jouni Malinen [Sun, 27 Nov 2022 08:15:57 +0000 (10:15 +0200)] 
RSN: Split EAPOL-Key group msg 1/2 processing more completely for WPA(v1)

Separate more of WPA(v1) functionality away from the RSN processing
code path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  RSN: Split WPA(v1) processing of EAPOL-Key frames into a separate function
Jouni Malinen [Sun, 27 Nov 2022 06:30:58 +0000 (08:30 +0200)] 
RSN: Split WPA(v1) processing of EAPOL-Key frames into a separate function

This is a step in separating RSN and WPA(v1) processing of EAPOL-Key
frames into separate functions. This allows the implementation to be
simplified and potentially allows the validation rules to be made
stricter more easily. This is also a step towards allowing WPA(v1)
functionality to be removed from the build in the future.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  Fix a typo in driver ops poll() documentation
Jouni Malinen [Sat, 26 Nov 2022 18:48:21 +0000 (20:48 +0200)] 
Fix a typo in driver ops poll() documentation

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  tests: New Passpoint Home OI parameters
Damien Dejean [Thu, 15 Sep 2022 08:02:13 +0000 (08:02 +0000)] 
tests: New Passpoint Home OI parameters

Move testing to use the new Home OI parameters while maintaining a
couple of tests for the deprecated parameters.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2 years ago  HS20: Use required_home_ois in hs20-osu-client
Damien Dejean [Thu, 15 Sep 2022 08:02:13 +0000 (08:02 +0000)] 
HS20: Use required_home_ois in hs20-osu-client

Move from the now deprecated roaming_consortium and
required_roaming_consortium credential parameters to home_ois and
required_home_ois.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2 years ago  HS20: Support credentials with multiple home OIs
Damien Dejean [Thu, 15 Sep 2022 08:02:13 +0000 (08:02 +0000)] 
HS20: Support credentials with multiple home OIs

Until now Hotspot 2.0 credentials were only supporting one home OI (with
roaming_consortium option) and one required home OI (with
required_roaming_consortium option). To improve the compliance with
Passpoint specification, add the support for multiple home and required
OIs.

The lists of OIs are provided using two new configuration options
home_ois and required_home_ois that expect a list of OIs formatted as
the roaming_consortiums list. This allows keeping the old options to avoid
breaking currently running configurations and better fits the vocabulary
used in the spec.

The OI match algorithm is updated to implement the behavior described in
Passpoint specification v3.2 section 9.1.2 (Home OIs nodes description
PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>).

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
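An added example, not wpa_supplicant code, of what a home OI match against an AP looks like: a parser for the Roaming Consortium element (Element ID 111) that an AP advertises, a parser for the comma-separated hex OI lists used by roaming_consortiums/home_ois/required_home_ois, and the match rule. The rule coded here is this example's reading of the commit message and of the Passpoint HomeOIList semantics (every required home OI must be advertised; at least one home OI, or the required set on its own, must match); the element bytes and OI values are constructed.

```python
"""Home OI matching for a Hotspot 2.0 credential with home_ois and
required_home_ois, driven by the OIs an AP advertises in its Roaming
Consortium element (Element ID 111).

Added example, not wpa_supplicant code. The element layout is the IEEE
802.11 one (Number of ANQP OIs; OI #1/#2 lengths packed in one byte, low
nibble first; OI #3 takes the remainder). The matching rule is this
example's reading of the commit message and the Passpoint HomeOIList
semantics. The element bytes and OI values are constructed.
"""


def parse_oi_list(value):
    """Parse a comma-separated hex OI list as used for roaming_consortiums /
    home_ois / required_home_ois in wpa_supplicant.conf."""
    return [bytes.fromhex(item) for item in value.split(",") if item]


def parse_roaming_consortium_ie(ie):
    """Return (ois, num_anqp_ois) from a Roaming Consortium element.
    num_anqp_ois is how many further OIs are only available via ANQP."""
    if len(ie) < 4 or ie[0] != 111 or ie[1] != len(ie) - 2:
        raise ValueError("malformed Roaming Consortium element")
    num_anqp_ois = ie[2]
    len1, len2 = ie[3] & 0x0F, ie[3] >> 4
    body = ie[4:]
    if len1 + len2 > len(body):
        raise ValueError("OI #1/#2 lengths exceed element body")
    ois, pos = [], 0
    for n in (len1, len2):
        if n:
            ois.append(body[pos:pos + n])
            pos += n
    if pos < len(body):                      # OI #3, if any, is the remainder
        ois.append(body[pos:])
    return ois, num_anqp_ois


def credential_matches(advertised_ois, home_ois=(), required_home_ois=()):
    """True when the credential's home OIs match the advertised OIs."""
    adv = set(advertised_ois)
    if any(oi not in adv for oi in required_home_ois):
        return False                         # a required home OI is missing
    if any(oi in adv for oi in home_ois):
        return True                          # at least one home OI advertised
    return bool(required_home_ois)           # only required OIs, all present


# Constructed element: 0 further ANQP OIs, OI #1 = 50-6F-9A (3 bytes),
# OI #2 = 00-11-22-33-44 (5 bytes), no OI #3.
RC_IE = bytes([111, 10, 0, 0x53]) + bytes.fromhex("506f9a") + bytes.fromhex("0011223344")


def check_credential(ie, home_ois="", required_home_ois=""):
    """Match a credential given as config-style OI lists against an element."""
    ois, _ = parse_roaming_consortium_ie(ie)
    return credential_matches(ois, parse_oi_list(home_ois), parse_oi_list(required_home_ois))


if __name__ == "__main__":
    print(check_credential(RC_IE, home_ois="0011223344"))                              # True
    print(check_credential(RC_IE, home_ois="0011223344", required_home_ois="deadbe"))  # False
```

The element carries at most three OIs; when num_anqp_ois is non-zero a real implementation has to fetch the full list via an ANQP Roaming Consortium query before concluding that a required OI is absent.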
2 years ago  OpenSSL: Load OpenSSL 3.0 legacy provider but let default be loaded
Norman Hamer [Mon, 31 Oct 2022 23:06:22 +0000 (23:06 +0000)] 
OpenSSL: Load OpenSSL 3.0 legacy provider but let default be loaded

The default provider is being loaded here explicitly only because
OSSL_PROVIDER_load() disables the fallback provider loading (on either
success or failure). If the legacy provider fails to load, which it may
in some configurations, it will never load the default provider.

Just use the formulation which attempts to load without changing the
fallback behavior.

"default" will still be/only be loaded if no other provider (notably
FIPS) is loaded to provide algorithms.

Signed-off-by: Norman Hamer <nhamer@absolute.com>
2 years ago  OpenSSL: Don't provide implementation of DES/RC4 for FIPS builds
Norman Hamer [Fri, 14 Oct 2022 18:37:34 +0000 (18:37 +0000)] 
OpenSSL: Don't provide implementation of DES/RC4 for FIPS builds

DES and RC4 are not allowed in such builds, so comment out des_encrypt()
and rc4_skip() from the build to force compile time failures for cases
that cannot be supported instead of failing the operations at runtime.
This makes it easier to detect and fix accidental cases where DES/RC4
could still be used in some older protocols.

Signed-off-by: Norman Hamer <nhamer@absolute.com>
2 years ago  RSN: Do not include RC4 use in FIPS builds
Jouni Malinen [Sat, 26 Nov 2022 09:29:28 +0000 (11:29 +0200)] 
RSN: Do not include RC4 use in FIPS builds

CONFIG_NO_RC4=y could have been used to remove this functionality, but
it might as well be done automatically based on CONFIG_FIPS=y as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 years ago  Add more detailed description of RADIUS attributes in EAP user file
Morten Brørup [Tue, 25 Oct 2022 11:17:27 +0000 (13:17 +0200)] 
Add more detailed description of RADIUS attributes in EAP user file

The description of how to use radius_accept_attr did not provide the
details on how the value is set. Extend it to cover the more complete
syntax.

Signed-off-by: Morten Brørup <mb@smartsharesystems.com>
2 years ago  dbus: Add virtual interface create/remove logic to be inline with ctrl_iface
Jintao Lin [Mon, 7 Nov 2022 19:25:26 +0000 (19:25 +0000)] 
dbus: Add virtual interface create/remove logic to be inline with ctrl_iface

There is no way to create or remove a virtual interface with
wpa_supplicant dbus methods. The platform has to use out-of-band methods
to manage the virtual interfaces.

This change adds virtual interface create/remove logic to the dbus
methods CreateInterface and RemoveInterface to achieve similar
functionalities as wpa_cli commands interface_add and interface_remove.

Signed-off-by: Jintao Lin <jintaolin@chromium.org>
2 years ago  wpa_passphrase: Disable terminal echo when reading from stdin
Abhiram V [Mon, 21 Nov 2022 16:30:27 +0000 (22:00 +0530)] 
wpa_passphrase: Disable terminal echo when reading from stdin

Disable terminal echo using tcgetattr() and tcsetattr() when reading a
passphrase from stdin.

Signed-off-by: Abhiram V <abhi.raa.man.v@gmail.com>
2 years ago  PASN: Fix passing own address and peer address to pasn_deauthenticate()
Vinay Gannevaram [Fri, 11 Nov 2022 18:45:36 +0000 (00:15 +0530)] 
PASN: Fix passing own address and peer address to pasn_deauthenticate()

Need to copy own address and peer address locally and pass them to
pasn_deauthenticate(), because this pointer data will be flushed from
the PTKSA cache before sending the Deauthentication frame and these
pointers to then-freed memory would be dereferenced.

Fixes: 24929543 ("PASN: Deauthenticate on PTKSA cache entry expiration")
Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
2 years ago  wpa_cli: Fix PASN control interface commands
Veerendranath Jakkam [Mon, 5 Sep 2022 19:20:20 +0000 (00:50 +0530)] 
wpa_cli: Fix PASN control interface commands

Map to correct control interface commands for PASN start and stop.

Fixes: ad338cfe586c ("ctrl_iface: Add support for PASN authentication")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2 years ago  FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
Jouni Malinen [Fri, 25 Nov 2022 07:37:17 +0000 (09:37 +0200)] 
FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)

PMKSA caching for the FT initial mobility domain association was fully
defined in IEEE Std 802.11-2020. The state before that was unclear and
there have been interoperability issues in this area, so use of PMKSA
caching with FT-EAP has been disabled in wpa_supplicant by default.

The wpa_supplicant and hostapd implementation of PMKSA caching for FT
ended up using an earlier default mechanism (SHA-1) for deriving the
PMKID when using the FT-EAP. This does not match what got defined in
IEEE Std 802.11-2020, 12.11.2.5.2 (SHA256). It is not really desirable
to use SHA-1 for anything with FT since the initial design of FT was
based on SHA256. Furthermore, it is obviously not good to differ in
behavior against the updated standard. As such, there is sufficient
justification to change the implementation to use SHA256 here even
though this ends up breaking backwards compatibility for PMKSA caching
with FT-EAP.

As noted above, this is still disabled in wpa_supplicant by default and
this change results in PMKSA caching not working only in cases where it
has been enabled explicitly with ft_eap_pmksa_caching=1. Those cases
recover by falling back to full EAP authentication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
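The derivation at issue, as an added example that is not hostap code: PMKID = Truncate-128(HMAC-hash(PMK, "PMK Name" || AA || SPA)) computed once with SHA-256 (what IEEE Std 802.11-2020 specifies for AKM 00-0F-AC:3 and what the commit switches to) and once with SHA-1 (the earlier default), plus a toy AP-side PMKSA cache showing why a STA and AP that disagree on the hash fall back to full EAP. The cache class, the legacy_sha1 flag and the sample PMK and addresses are constructed for the example.

```python
"""PMKID derivation for FT-EAP (AKM 00-0F-AC:3): SHA-256 per IEEE Std
802.11-2020 versus the earlier SHA-1 default, and why the change breaks
PMKSA caching between old and new peers.

Added example, not hostap code. PMKID = Truncate-128(HMAC-<hash>(PMK,
"PMK Name" || AA || SPA)) with AA the AP and SPA the STA MAC address;
the toy PMKSA cache, the 'legacy_sha1' flag and the sample key and
addresses are constructed for illustration.
"""
import hashlib
import hmac


def derive_pmkid(pmk, aa, spa, hash_name):
    """Truncate-128(HMAC-hash(PMK, "PMK Name" || AA || SPA))."""
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("AA and SPA must be 6-byte MAC addresses")
    return hmac.new(pmk, b"PMK Name" + aa + spa, hash_name).digest()[:16]


def pmkid_ft_eap(pmk, aa, spa, legacy_sha1=False):
    """PMKID for AKM 00-0F-AC:3. SHA-256 is what 802.11-2020 12.11.2.5.2
    specifies and what hostap now uses; legacy_sha1=True reproduces the
    pre-change derivation so the mismatch can be observed."""
    return derive_pmkid(pmk, aa, spa, "sha1" if legacy_sha1 else "sha256")


class PmksaCache:
    """Minimal PMKID -> (PMK, AA) cache as an AP would keep."""

    def __init__(self):
        self.entries = {}

    def add(self, pmkid, pmk, aa):
        self.entries[pmkid] = (pmk, aa)

    def lookup(self, pmkid):
        return self.entries.get(pmkid)


def reassociate_with_cached_pmksa(sta_sha256, ap_sha256):
    """STA proposes a PMKID in its (Re)Association RSNE; the AP accepts it
    only if it finds the same PMKID in its cache. Returns 'pmksa-hit' or
    'full-eap' (the fallback the commit message describes)."""
    pmk = hashlib.sha256(b"constructed MSK").digest()     # 32-byte sample PMK
    aa = bytes.fromhex("020011223301")                     # constructed AP address
    spa = bytes.fromhex("020011224402")                    # constructed STA address
    ap_cache = PmksaCache()
    ap_cache.add(pmkid_ft_eap(pmk, aa, spa, legacy_sha1=not ap_sha256), pmk, aa)
    proposed = pmkid_ft_eap(pmk, aa, spa, legacy_sha1=not sta_sha256)
    return "pmksa-hit" if ap_cache.lookup(proposed) else "full-eap"


if __name__ == "__main__":
    for sta, ap in ((True, True), (False, False), (True, False), (False, True)):
        print("STA sha256=%s AP sha256=%s -> %s"
              % (sta, ap, reassociate_with_cached_pmksa(sta, ap)))
```

The mixed cases are the compatibility break the commit accepts: a cached entry keyed by a SHA-1 PMKID is simply not found when the other side now proposes the SHA-256 one, so the association proceeds with a fresh EAP exchange rather than failing outright.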
2 years ago  Add a new QCA vendor attribute to configure wifi calling (wfc) state
Mukul Sharma [Tue, 22 Nov 2022 09:28:09 +0000 (14:58 +0530)] 
Add a new QCA vendor attribute to configure wifi calling (wfc) state

Add QCA_WLAN_VENDOR_ATTR_CONFIG_WFC_STATE vendor attribute. Userspace
uses this attribute to configure wfc state to the driver/firmware. The
driver/firmware uses this information to optimize power savings, rate
adaption, roaming, etc.

Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
2 years ago  tests: WPS PBC provisioning with configured AP and passive scanning
Jouni Malinen [Thu, 24 Nov 2022 16:54:33 +0000 (18:54 +0200)] 
tests: WPS PBC provisioning with configured AP and passive scanning

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2 years ago  WPS: Pick WPS AP based on latest received WPS IE
Sai Pratyusha Magam [Sun, 21 Aug 2022 15:05:50 +0000 (20:35 +0530)] 
WPS: Pick WPS AP based on latest received WPS IE

wpa_supplicant used the WPS IE from a Probe Response frame, if one was
received, even if there might have been a more recent Beacon frame with
an updated WPS IE. This could result in using stale information about
active WPS registrar, e.g., when operating on the 6 GHz band.

Prefer WPS IE from a Beacon frame over the default selection of Probe
Response frame (if one has been received) in cases where the Beacon
frame is received more recently than the Probe Response frame and active
WPS Registrar information is being checked. Skip this for the case where
UUID-E is needed since that is not available in the Beacon frame.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2 years ago  tests: OCV on 2.4 GHz with PMF getting enabled automatically on STA
Jouni Malinen [Thu, 24 Nov 2022 15:21:08 +0000 (17:21 +0200)] 
tests: OCV on 2.4 GHz with PMF getting enabled automatically on STA

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2 years ago  Enable PMF automatically if OCV is enabled
Jouni Malinen [Thu, 24 Nov 2022 15:16:26 +0000 (17:16 +0200)] 
Enable PMF automatically if OCV is enabled

OCV cannot be used without PMF, and if such a configuration were to be
used with wpa_supplicant, the AP would reject the association. hostapd is
already enabling PMF automatically whenever OCV is being enabled, so do
the same with wpa_supplicant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2 years ago  SAE: Use Challenge Failure status code in confirm message failure cases
Mert Ekren [Wed, 23 Nov 2022 12:15:16 +0000 (12:15 +0000)] 
SAE: Use Challenge Failure status code in confirm message failure cases

IEEE Std 802.11-2020, 12.4.7.6 says that the status code CHALLENGE_FAILURE
needs to be sent in case the verification action fails for an SAE Confirm
message frame from a STA: "An SAE Confirm message, with a status code
not equal to SUCCESS, shall indicate that a peer rejects a previously
sent SAE Confirm message. An SAE Confirm message that was not
successfully verified is indicated with a status code of
CHALLENGE_FAILURE."

hostapd, however, did not use this status code for this case. In
ieee802_11.c the function sae_check_confirm() is called and in case of
verification failure (-1 is returned), the response is set to
WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). Fix this to use
CHALLENGE_FAILURE.

Signed-off-by: Koen Van Oost <koen.vanoost@airties.com>
Signed-off-by: Mert Ekren <mert.ekren@airties.com>