Davide Caratti [Wed, 15 Jan 2025 17:04:54 +0000 (18:04 +0100)]
OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined
Now that ENGINE API starts being deprecated in distros (like Fedora [1])
wpa_supplicant users might need a way to load certificates and keys from
PKCS11 URIs even when OPENSSL_NO_ENGINE is defined. We can do that using
pkcs11-provider: load it by default in wpa_supplicant, and try to use it
when OPENSSL_NO_ENGINE is defined and configuration requests PKCS11 URIs
for certificates / keys.
Inspired by pkcs11-provider test program 'tlssetkey.c' [2]
Jouni Malinen [Sun, 2 Feb 2025 15:25:01 +0000 (17:25 +0200)]
tests: Enable TLS 1.3 tests with OpenSSL 3.4
Replace the explicit list of OpenSSL 3.x versions with a wildcard 3.*
entry since TLS 1.3 support is very unlikely to be removed in the future
versions.
Jouni Malinen [Sun, 2 Feb 2025 09:54:46 +0000 (11:54 +0200)]
AP: Fix disconnect from EAPOL state machine handling
An earlier change to extend ap_sta_disconnect() to cover MLD cases ended
up calling ieee802_1x_free_station() from the step function in the EAPOL
authenticator state machine in case of EAP timeout and by doing so,
ended up leaving the EAPOL state machine operations continuing to be run
on freed memory.
Fix this by leaving the EAPOL state machine allocated when going through
all the other ap_sta_disconnect() steps so that the possible ongoing
operations can be finished safely before freeing memory. Actual freeing
of the state machine happens when freeing the full STA entry in the same
way that was used previously.
Fixes: 01677c47fb13 ("AP: Support disconnect with MLD") Signed-off-by: Jouni Malinen <j@w1.fi>
Quentin Feraboli [Thu, 30 Jan 2025 08:19:42 +0000 (09:19 +0100)]
AP: Include the Probe Request frame inside RX_PROBE_REQUEST event
If notify_mgmt_frames is enabled, send the frame as a hexadecimal string
in the RX_PROBE_REQUEST events similarly to the AP-MGMT-FRAME-RECEIVED
events.
Jouni Malinen [Sat, 1 Feb 2025 17:13:53 +0000 (19:13 +0200)]
GnuTLS: Do not override priority string on shutdown for reauth
Use the previously configured priority string instead of the default
value whenever shutting down a TLS connection in preparation for
reauthentication. This fixes an issue with GnuTLS ending up using TLS
1.3 for reauthentication even when 1.3 was explicitly disabled in the
configuration. That attempt to use TLS 1.3 failed in such case due to
different key derivation between TLS 1.3 and older versions.
Mike Crowe [Thu, 30 Jan 2025 19:59:32 +0000 (19:59 +0000)]
GnuTLS: Disable TLS 1.3 if instructed
Ensure that if TLS 1.3 is disabled (which is the default currently),
GnuTLS is told to disable support for it too. Some RADIUS servers
apparently object to downgrading from TLS 1.3 to TLS 1.2 later even
though FreeRADIUS doesn't seem to mind in my testing.
Extend QCA vendor attributes for PASN offload from driver to userspace
Extend the QCA vendor interface to allow the driver to initiate PASN
Authentication using user-preferred AKM and cipher suites for secure
ranging with configured security, providing greater flexibility. Add
support for SAE-tunneled PASN authentication with Password and PMKID
(PMKSA caching) attributes for an unsaved network profile with known and
valid credentials. Enable the comeback mechanism by including comeback
time and cookie in the status report to extend PASN Authentication with
a comeback.
Benjamin Berg [Wed, 8 Jan 2025 09:10:33 +0000 (10:10 +0100)]
tests: Pass extra_bss_membership_selectors to nl80211 driver
mac80211 will start checking whether the BSS membership selectors
present in the supported rates set are supported by the local station.
Add the appropriate options so that the check is bypassed when
implemented on newer kernels.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 8 Jan 2025 09:10:31 +0000 (10:10 +0100)]
nl80211: Send a list of BSS membership selectors supported by SME
On authenticate and associate, include the
NL80211_ATTR_SUPPORTED_SELECTORS attribute to send a list of BSS
membership selectors that are supported by wpa_supplicant. This list
currently only contains the SAE H2E BSS membership selector as all the
other ones are handled by mac80211.
However, a new driver parameter is added to allow adding BSS membership
selectors for testing purposes.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 8 Jan 2025 09:10:29 +0000 (10:10 +0100)]
AP: Only include SAE H2E BSS membership selector if SAE is required
Including a BSS membership selector mandates the STA not to try to
connect in case it does not implement the indicated feature. However, in
the case of SAE H2E this may not be a hard requirement if the STA is
permitted to use a non-SAE AKM as well.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Daniel Gabay [Tue, 7 Jan 2025 12:51:48 +0000 (14:51 +0200)]
STA: Support SPP A-MSDU negotiation
Implement SPP (Signaling and Payload Protected) A-MSDU negotiation.
Station advertise support in the RSNXE in the (Re)Association Request
frame whenever:
- The driver supports SPP A-MSDU.
- AP advertises SPP A-MSDU support in the RSNXE.
- CCMP/GCMP cipher is used as the pairwise cipher in the connection.
Indicate to the driver to enable SPP A-MSDU in association parameters
when AP also advertised support in its RSNXE.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Daniel Gabay [Tue, 7 Jan 2025 12:51:46 +0000 (14:51 +0200)]
AP: Support SPP A-MSDU negotiation
Implement SPP (Signaling and Payload Protected) A-MSDU negotiation.
AP advertises support in the RSNXE whenever:
- The spp_amsdu configuration parameter is enabled.
- The driver supports SPP A-MSDU.
- CCMP or GCMP cipher is enabled as a pairwise cipher.
Indicate to the driver to enable SPP A-MSDU when an associating station
advertised SPP A-MSDU support in the RSNXE in (Re)Association Request
frame.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Daniel Gabay [Tue, 7 Jan 2025 12:51:44 +0000 (14:51 +0200)]
AP: Add spp_amsdu configuration parameter
Add spp_amsdu (Signaling and Payload Protected A-MSDU) configuration
parameter for hostapd. This functionality depends on the driver
indicating support for it and CCMP/GCMP cipher suite being used. For the
time being, this functionality is disabled by default (spp_amsdu=0) to
avoid introducing known interoperability issues with the RSNXE in the
default configuration and since there has been quite minimal
interoperability testing of SPP A-MSDU so far.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Daniel Gabay [Tue, 7 Jan 2025 12:51:43 +0000 (14:51 +0200)]
nl80211: SPP A-MSDU driver capability
cfg80211 introduced a new device capability, add a new driver capability
and station flag. In addition, since mac80211_hwsim does not implement
this feature in offload mode, make sure to disable it when
force_connect_cmd is set.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Jouni Malinen [Sun, 26 Jan 2025 09:01:12 +0000 (11:01 +0200)]
NAN USD: Add NAN_UNPAUSE_PUBLISH to cancel pauseState
This allows a publisher to be unpaused when service follow-up has been
completed with a peer. This functionality is not defined in the Wi-Fi
Aware specification for USD, but this is needed to avoid having to wait
for the 60 second pause state expiration since it is not clear when "USD
terminates" without upper layer service specific knowledge.
Hancheng Yang [Mon, 13 Jan 2025 13:30:20 +0000 (14:30 +0100)]
hostapd: Fix 'start_disabled' option being ignored
Fix two cases where 'start_disabled' were not respected:
- when ieee802_11_set_beacon() is called for a BSS, same operation will
be called for all its colocated BSSs. Now we set beacon only for BSSs
which have already had their beacon setting done.
- replace ieee802_11_set_beacons() by ieee802_11_update_beacons() in
hostapd_setup_interface_complete_sync() for the same reason.
Benjamin Berg [Mon, 6 Jan 2025 15:31:30 +0000 (17:31 +0200)]
build: Disable some optimizations if TRACE_BFD is enabled
When TRACE_BFD is enabled we need to be able to fetch stack traces.
However, some required functions might be inlined by the compiler or
hidden due to tail call optimizations. Add -fno-inline and
-fno-optimize-sibling-calls to avoid these optimizations.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
It is useful to support different versions of tshark which may have
updated disectors. In that case, there may be no filter that works with
all version of tshark.
Permit passing multiple filters which will be tried in-order. This
allows first trying the filter for the newer version and then falling
back to an older filter in order to support different tshark versions.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
P2P: Provide better failure reason for group formation errors
I was playing with the DBUS P2P interface of wpa_supplicant, and it's
hard to know what's going on when you get a group formation failure with
empty messages, to the point I usually need to resort to debugging
wpa_supplicant itself.
Provide meaningful failure reasons for these errors.
ext_password_file: Ensure full key match with password file entries
When searching for a matching key in the external password file, strings
were only compared up to the length of the key in the file. This meant
searching for key "foo" could retrieve the incorrect password if keys
"f" or "fo" were defined earlier in the file.
Signed-off-by: Joshua Manchester <joshuamanchester4@gmail.com>
Jouni Malinen [Sat, 25 Jan 2025 17:36:11 +0000 (19:36 +0200)]
STA: Known STA Identification to skip association comeback mechanism
Add a Known STA Identification element into (Re)Association Request
frame when using PMF with an AP with which we were last associated and
for which have stored the last used KCK in case that AP advertises
support for this capability to skip association comeback mechanism and
SA Query procedure.
Jouni Malinen [Sat, 25 Jan 2025 17:32:50 +0000 (19:32 +0200)]
AP: Known STA Identification to skip association comeback mechanism
Allow AP to skip association comeback mechanism and SA Query procedure
if a currently associated STA tries to (re)association again by
including a valid Known STA Identification element in the
(Re)Association Request frame. This capability is disabled by default
and can be enabled with known_sta_identification=1.
Jouni Malinen [Sat, 25 Jan 2025 09:21:16 +0000 (11:21 +0200)]
RADIUS: Drop pending request only when accepting the response
The case of an invalid authenticator in a RADIUS response could imply
that the response is not from the correct RADIUS server and as such,
such a response should be discarded without changing internal state for
the pending request. The case of an unknown response (RADIUS_RX_UNKNOWN)
is somewhat more complex since it could have been indicated before
validating the authenticator. In any case, it seems better to change the
state for the pending request only when we have fully accepted the
response.
Allowing the internal state of pending RADIUS request to change based on
responses that are not fully validation could have allow at least a
theoretical DoS attack if an attacker were to have means for injecting
RADIUS messages to the network using the IP address of the real RADIUS
server and being able to do so more quickly than the real server and
with the matching identifier from the request header (i.e., either by
flooding 256 responses quickly or by having means to capture the RADIUS
request). These should not really be realistic options in a properly
protected deployment, but nevertheless it is good to be more careful in
processing RADIUS responses.
Remove a pending RADIUS request from the internal list only when having
fully accepted a matching RADIUS response, i.e., after one of the
registered handlers has confirmed that the authenticator is valid and
processing of the response has succeeded.
Vinay Gannevaram [Wed, 22 Jan 2025 10:04:15 +0000 (15:34 +0530)]
P2P2: Bootstrapping through wpas_p2p_prov_disc()
Upper layer component can use separate calls for bootstrapping and
pairing. Add support for bootstrapping through wpas_p2p_prov_disc() and
pairing through wpas_p2p_connect() by skipping bootstrapping with input
parameter pd equals to 0.
Vinay Gannevaram [Wed, 22 Jan 2025 11:11:23 +0000 (16:41 +0530)]
tests: Add provdisc parameter for P2P_CONNECT for P2P2 tests
For P2P2 connection, provdisc parameter in the P2P_CONNECT command is
used to initiate bootstrapping before pairing. Default enabling of
bootstrapping before pairing will be removed in a subsequent commit to
provide support for bootstrapping and pairing independently.
Vinay Gannevaram [Sun, 19 Jan 2025 17:57:27 +0000 (23:27 +0530)]
P2P2: Control interface command to validate DIRA info
Add a control interface command P2P_VALIDATE_DIRA to validate DIRA for
all the available Device Identity keys in the config file. Upper layer
components can use this to validate DIRA obtained from a peer in BLE
frames during BLE Assisted P2P R2 discovery.
Vinay Gannevaram [Sun, 19 Jan 2025 17:22:27 +0000 (22:52 +0530)]
P2P2: Control interface command to get DIRA info of a P2P device
Add a control interface command P2P_GET_DIRA to get DIRA nonce and tag
of a P2P device when pairing support is enabled. Upper layer components
can fetch DIRA info of a device and populate it in BLE frames for
BLE-Assisted P2P R2 Discovery.
Vinay Gannevaram [Sun, 19 Jan 2025 16:53:11 +0000 (22:23 +0530)]
P2P2: Save the latest nonce and tag from a P2P USD discovery frame
During the P2P USD discovery, validate DIRA and store the valid nonce
and tag in the peer info structure. Upper layer components can identify
paired peer information with a new MAC address when valid nonce and tag
pair information is posted with device found event.
Jouni Malinen [Fri, 24 Jan 2025 18:25:19 +0000 (20:25 +0200)]
wlantest: Parse Link Reconfiguration Request/Response
Learn additional link addresses when link reconfiguration is used to add
new links. This commit does not remove links or update group keys, i.e.,
only the minimal case of adding new links is covered to allow unicast
frames on the new links to be decrypted.
AP MLD: Skip over Extended MLD Capabilities And Operations field
Skip over the Extended MLD Capabilities And Operations field in the
Common Info field of the Basic Multi-Link element so that processing of
the information after the Common Info field can continue from the
correct offset.
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Benjamin Berg [Sun, 19 Jan 2025 07:48:46 +0000 (09:48 +0200)]
tests: Succeed P2P group removal test if SSIDs happen to match
The test would fail in the unlikely event that the two SSIDs were the
same. Fix this by detecting the case and simply changing the expected
value (as the old entry will have been overwritten).
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 22 Jan 2025 11:14:19 +0000 (13:14 +0200)]
tests: Increase default go_neg_pbc timeout to 30 s
Occasionally, the two device simply cannot find themselves within the 15
seconds (20 s - 5 s). Increase the default timeout to avoid random test
failures.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Jouni Malinen [Fri, 24 Jan 2025 08:48:06 +0000 (10:48 +0200)]
Do not write mesh_fwding network parameter if it has default value
This is set to 1 by default but the condition for writing it into the
configuration file used 0 as the default. Make these match so that there
won't be confusing entries in network block for cases that do not have
anything to do with mesh.
Vinay Gannevaram [Sat, 11 Jan 2025 06:08:10 +0000 (11:38 +0530)]
P2P2: Update P2P_INVITE processing for SSID randomization
With SSID randomization for P2P2 group reinvocation, the control
interface command P2P_INVITE requires the peer device address to be
present, but the network id is not required.
Vinay Gannevaram [Sat, 11 Jan 2025 06:08:10 +0000 (11:38 +0530)]
P2P2: SSID randomization on group reinvoke
P2P R2 allows the GO to randomize SSID and Group BSSID when a group is
reinvoked. Add support to fetch the group details based on the device
identity block info of the peer with which the group reinvoke is
initiated. As the previous SSID of the network is no longer valid, fetch
the network details based on the ID of the device identity block.
Vinay Gannevaram [Sat, 11 Jan 2025 05:50:11 +0000 (11:20 +0530)]
P2P2: Store ID of Device Identity block in network block
Each peer's Device Identity key is unique, while Group SSID, P2P Device
Addresses, and P2P Interface addresses can be randomized. Add support to
map the GO or P2P2 client information of a network block with the
identifier of the Device Identity block. On a P2P Device with the role
of a client, store the ID of the GO in go_dik_id, and on a device with
the role of GO, store the IDs of P2P clients in a list.
P2P2: Add USD service hash in the P2P2 PASN M1 frame
Add USD service hash in PASN M1 authentication frame for the P2P GO
negotiation and P2P verification cases. This can help a P2P Device that
operates multiple GOs to select which group a peer device should be
added to.
Jouni Malinen [Fri, 27 Dec 2024 14:07:30 +0000 (19:37 +0530)]
P2P2: Return ID of identity block for p2p_validate_dira()
Start the identity block ID from a non-zero value and return the ID on
successful DIRA validation. This is used to process invitation request
and handle random SSID by group owner which will be covered in separate
commits.
Ben Lai [Fri, 27 Dec 2024 06:13:38 +0000 (14:13 +0800)]
OWE: Consider the currently associated transition mode SSID known
When the BSS table size limit is reached the oldest unknown BSS entry is
removed when needing to add a new BSS. This could have resulted in use
of freed memory before wpa_bss_remove_oldest_unknown() was extended to
use wpa_bss_in_use() as a condition for removing a BSS entry. Even with
that issue addressed, it is better to recognize BSS entries that match
the current network profiles SSID in cases where that match is through
the OWE transition mode mechanism. This avoids removing entries that
might be used finding a better BSS.
Jouni Malinen [Tue, 21 Jan 2025 17:34:23 +0000 (19:34 +0200)]
Do not remove a currently used BSS entry when removing oldest unknown BSS
wpa_bss_known() might not be sufficient to catch all cases where a BSS
entry is in use. One known example of such a case is OWE transition mode
where the SSID of the transition mode AP is not the same as the one in
the local network profile. Some other cases might exists as well.
If the oldest unknown BSS needs to be removed due to running out of room
in the BSS table and that removed BSS happens to be the currently
associated one, wpa_s->current_bss might become invalid and point to
freed memory. This needs to be avoided to prevent use of freed memory,
so use wpa_bss_in_use() as an extra condition for removing the oldest
unknown BSS.
Sunil Ravi [Wed, 8 Jan 2025 18:49:27 +0000 (18:49 +0000)]
nl80211: Fix compilation error when CONFIG_DRIVER_NL80211_BRCM is enabled
wpa_driver_do_broadcom_acs() does not use the bss variable, so it should
not have been converted from nl80211_drv_msg() to nl80211_msg_bss().
Revert that part of the earlier changes to fix compilation.
Fixes: e3fe940ac2ce ("nl80211: Use nl80211_bss_msg() helper wherever BSS is accessible") Signed-off-by: Sunil Ravi <sunilravi@google.com>
Enable beacon protection if IEEE 802.11be/EHT is enabled for BSS
IEEE P802.11be/D7.0, 12.12.9 (Security constraints for EHT) mandates
beacon protection to be enabled in EHT AP when using RSN. Do this
automatically even if beacon_prot=1 is not included in the
configuration.
Hu Wang [Mon, 6 Jan 2025 03:23:41 +0000 (19:23 -0800)]
DPP: Discard DPP Action frame in AP mode if no global DPP context
For AP mode in wpa_supplicant, e.g., for P2P GO interfaces, the global
DPP context does not exist support DPP functionality and this could
result in dereferencing a NULL pointer in wpa_supplicant if an
unexpected frame is received. Discard the received DPP Action frames in
such cases instead of trying to process them.
RSNO: Generate IGTK if any of the RSN variants has PMF enabled
With RSN overriding enabled, AP can be configured to set MFPC to 0 and
MFPR to 0 in the RSNE and MFPC to 1 and MFPR to 1 in the RSNOE and
RSNO2E. IGTK generation, configuration to the driver, and inclusion of
the IGTK KDE in 4-way handshake should also take into account the
management frame protection settings in the override variants.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Add a vendor attribute for a testbed STA to configure firmware to reject
AP's BSS Transition Management (BTM) request frame by sending a BTM
response with error status code.
Add QCA vendor attribute for triggered SU BF support
Add vendor attribute for EHT testbed STA to configure the triggered
single user beamforming feedback in the EHT capabilities of an
Association Request frame.
Jouni Malinen [Wed, 1 Jan 2025 09:17:31 +0000 (11:17 +0200)]
EAP-TEAP: Add a compatibility mode for FreeRADIUS
FreeRADIUS (at least the current snapshot of the v3.2.x branch) uses
different style for deriving S-IMCK[j]. It tracks S_IMCK_MSK[j] and
S_IMCK_EMSK[j] variants through all inner methods instead of selecting a
single S_IMCK[j] at the end of each inner method. IMHO, that does not
match what is most likely described in RFC 7170bis, it is a potential
interpretation of the draft and is closer to what wpa_supplicant used to
do earlier. However, that design has a weakness in EMSK derivation from
TEAP since it does not actually get any input from inner methods that do
not derive an EMSK.
Obviously, there should be only a single shared interpretation on how
TEAPv1 is supposed to work, but until we get to that point, it is
convenient to be able to test other parts of the protocol without having
to modify source code to work around differences. Introduce a new
phase1="teap_compat=freeradius" configuration parameter to
wpa_supplicant to allow EAP-TEAP peer behavior to be modified to match
what FreeRADIUS expects.
This compatibility mode was now able to successfully authenticate (and
also to derive matching MSK and EMSK) against FreeRADIUS v3.2.x branch
snapshot with all four combinations of machine(EAP-TLS) and
user(EAP-MSCHAPv2) authentication.
Jouni Malinen [Tue, 31 Dec 2024 18:07:09 +0000 (20:07 +0200)]
EAP-TEAP: Fix S-IMCK derivation based on RFC 7170bis
draft-ietf-emu-rfc7170bis-19 has clarified some of the operations
related to how keys are derived in EAP-TEAP. Update hostapd and
wpa_supplicant implementations to match this.
Derive S-IMCK_MSK[j] for Basic-Password-Auth using 32 octet all zeros
MSK. This was already done in the previous implementation, but this
updates that design to use the common S-IMCK/CMK derivation helper
function.
While there are two variants of IMSK, S-IMCK, and CMK being derived afte
r reach inner method, only one of those variants are selected based on
which MSK/EMSK combinations are supported by the server and the client.
This is not completely clear in Section 5.2, but the rules there for the
"received of the Crypto-Binding TLV" (which is really talking about the
EAP client, not server when the server is receiving Client-Binding TLV
from the client) seem to imply this design.
The design for crypto bindings and selection on MSK vs. EMSK related
keys as follows: Both the server and the client derive CMK_MSK[j] and
CMK_EMSK[j], if possible (i.e., if their implementation of the inner
method derived those keys). The server includes both MSK Compound MAC
and EMSK Compound MAC (if both MSK and EMSK were derived by the inner
method). The client selects which one of these to use based on what its
implementation of the inner method derived. The client includes only one
of these (i.e., EMSK Compound MAC if both the server and the client
derived EMSK or MSK Compound MAC otherwise). This determines which of
the S-IMCK[j] variants (i.e., S-IMCK_MSK[j] or S-IMCK_EMSK[j]) is
selected to be used as the S-IMCK[j].
With the clarified selection of a single S-IMCK[j] after each inner
method, the unclear parts about overall MSK/EMSK derivation from TEAP is
clarified since there is not actually need to explicitly indicate
variant of S-IMCK[n] is used.
In addition, this removes FIX comments for the cases that were clarified
in the draft to match what was previously implemented (e.g., fixed 20
octet length for Compound MAC).
These changes are not backwards compatible. Some cases might work, but
more or less everything with more than a single inner method is going to
fail between the previous and the new implementation. Taken into account
the limited deployment of EAP-TEAP so far and the work to clarify things
in RFC 7170bis, there is enough justification for this compatibility
breaking change at this point.
Jouni Malinen [Mon, 30 Dec 2024 16:31:21 +0000 (18:31 +0200)]
WNM: A more explicit check for a connection
wnm_scan_process() was only implicitly verifying that there is an
association based on wpa_s->wnm_dialog_token having been set. While that
may be sufficient for normal uses within wpa_supplicant, this was not
covered in a separate WNM fuzzer. Add an explicit check for
wpa_s->current_ssid to be set within wnm_scan_process() to avoid
unexpected behavior if something were to allow wnm_dialog_token to be
set when not actually associated.
Jouni Malinen [Mon, 30 Dec 2024 16:29:25 +0000 (18:29 +0200)]
tests: Fix WNM fuzzzer to work with wnm_sta.c changes
wpa_s->current_ssid needs to be set for processing BSS transition
management operations now witht he wnm_san_process() changes to use
wpa_supplicant_select_bss(), so set that in the WNM fuzzer to avoid
false errors due to dereferencing a NULL pointer.
Jouni Malinen [Sun, 29 Dec 2024 10:11:25 +0000 (12:11 +0200)]
MBO: Get rid of the is_first flag in neighbor report array
This was set to 1 for the entry at position 0 if
wnm_mbo_trans_reason_present is set. The flag was used only under that
condition and the array position is known, so it is simpler to just use
that without an explicit flag indicating which entry is first.
Benjamin Berg [Thu, 19 Sep 2024 10:19:17 +0000 (12:19 +0200)]
WNM: Use standard BSS selection and enable abridged bit handling
Most of the logic to reject BSSs during transition has been moved into
wnm_is_bss_excluded(). In addition to this, since commit 67bf89f55442
("WNM: Choose the best available BSS, not just the first one") we will
simply choose the BSS with the best throughput.
Overall, this matches the behavior that wpa_supplicant will use anyway
in wpa_supplicant_select_bss(). The only bigger difference is that using
this will check all known BSSs instead of only the ones in the candidate
list. This means that with this change the abridged bit is handled
according to standard.
There are some subtle changes to the logic. One is, that candidates with
a very low signal level are not explicitly dropped anymore. However,
that code pre-dates the logic to prefer the best BSS and should not be
relevant anymore.
Another small adjustment is to change the custom logic to avoid roaming
when it is not needed to use wpa_supplicant_need_to_roam_within_ess().
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 19 Sep 2024 10:19:16 +0000 (12:19 +0200)]
WNM: Fix pre-scan rejection heuristic for BTM handling
The idea was to only accept the cached scan results if the new target is
reasonably good. To avoid having to write a custom quality logic, a call
to wpa_supplicant_need_to_roam_within_ess() was used. However, the
intention was to swap the parameters and check whether we would want to
roam from the new BSS back to the current one.
Fix the heuristic to match the comment. To do that, we need to add a
parameter to not poll the current signal level as that would result in
comparing the current BSS with itself within the function.
Fixes: 20ed289a785c ("WNM: Clean up old scan data processing") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 19 Sep 2024 10:19:15 +0000 (12:19 +0200)]
WNM: Move driver MBO transition rejection into wnm_is_bss_excluded()
Change the logic a bit to not directly use the result of the
wpa_drv_get_bss_trans_status() call and instead use the same selection
logic as usual but taking into account the driver rejections.
This changes the logic in minor ways. The main change is that this
aligns the ordering of BSSs to be identical in all cases. More
precisely, we'll select the best BSS as found by find_better_target().
Beyond that, it also means that in the case of an non-abridged BTM
request we'll also consider candidates that were found through the scan
and not in the neighbor report. In this case, the driver will not have a
chance to reject them.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Jouni Malinen [Fri, 27 Dec 2024 21:51:55 +0000 (23:51 +0200)]
Clear the pending EAPOL RX on disconnection
Avoid any potentially unexpected behavior if the postponed EAPOL RX
could end up being processed in a different association that the one in
which the frame was postponed.
Jouni Malinen [Fri, 27 Dec 2024 21:49:57 +0000 (23:49 +0200)]
WPS: Fix a race condition on WPS_CANCEL handling
If the WPS_CANCEL command were issued between the driver command
requesting association and the driver event indicating completion of
association, i.e., within the WPA_ASSOCIATING state, it was possible for
the association to continue and the WPS procedure to be completed after
this.
Address this by forcing deauthentication and WPS state clearing also in
the WPS_ASSOCIATING state and not only if the association has been
completed.
Jouni Malinen [Fri, 27 Dec 2024 21:23:15 +0000 (23:23 +0200)]
Use BSS-specific ACL configuration when setting up driver-based ACL
This capability was originally added with only the entries from the
first BSS being supported likely due to the target use case not actually
using the multiple BSSs with a single radio. However, there does not
seem to be any specific reason for such constraint, so change this to
use the current BSS's own configuration instead of the first BSS's to
support per-BSS configuration with driver-based ACL.
Baligh Gasmi [Wed, 11 Dec 2024 20:37:38 +0000 (21:37 +0100)]
MBSSID: Allow BSS Index and maximum number of BSSs to be configured
Configuring hostapd's BSSs with a custom BSSID via the `bssid` parameter
in the config file can lead to a misconfigured Multiple BSSID element
consequently leading to stations failing to calculate the correct BSSID
for non-transmitting BSSs, as specified in IEEE Std 802.11-2020,
9.4.2.45.
To ensure consistency, the configuration need to include critical
parameters: `MaxBSSID Indicator` and `Multiple BSSID Index` to customize
the Multiple BSSID element following the custom BSSIDs as well.
Add a new global parameter, `mbssid_max`, to set the `MaxBSSID
Indicator` and a per-BSS parameter, `mbssid_index`, to explicitly set
the `Multiple BSSID Index`. If these are not set, the previous behavior
of determining these values automatically is maintained (with its limits
to dynamic addition of BSSs to a Multiple BSSID set).
Jouni Malinen [Fri, 27 Dec 2024 20:48:13 +0000 (22:48 +0200)]
tests: Run mbo_assoc_disallow in the beginning of UML VM
This test case could take significant amount of time in some cases when
run after large number of other test cases with UML. This might be due
to multiple tshark operations that seemed to suffer from some resource
issues with UML time travel.
Jouni Malinen [Fri, 27 Dec 2024 20:36:29 +0000 (22:36 +0200)]
Do not add extra IEs to scan request if they do not fit driver limit
For now, each separate IE is being checked on its own, so this is not a
complete check on the total length, but a useful step in avoiding some
known issues with drivers that do not support any IEs being added. A
more complete validation would need rules on determining which IE is of
higher priority than the other ones, but that might not be needed unless
there are drivers that have nonzero, but still quite small, limit on
extra IEs.
Marek Puzyniak [Wed, 9 Oct 2024 08:15:02 +0000 (10:15 +0200)]
Introduce DUMP_BEACON command
Occasionally, external applications require information about AP
configurations and capabilities. One potentially useful source for this
is the Beacon frame content. To support this need, introduce a new
control interface command: DUMP_BEACON. This return a hexdump of the
Beacon frame template, i.e., IEEE 802.11 frame header and frame body
with the TIM element missing since it is added by the driver and some of
the fields like the Timestamp field left to all zeros since they will be
filled in by the driver/hardware.
This can be fetched with hostapd_cli:
hostapd_cli -i wlxxx raw DUMP_BEACON 80000000ffffffffffff...
7f080400000200000040dd180050f2020101010003a4000027a4000042435e0062322f00
Signed-off-by: Marek Puzyniak <marek.puzyniak@holisticon.pl>
Jouni Malinen [Fri, 27 Dec 2024 17:50:07 +0000 (19:50 +0200)]
tests: Make WPS protocol tests for credential processing more robust
Clear the scan cache at the beginning of these test cases to avoid
issues with WPS_PBC and WPS_PIN commands if there were to be an old scan
result from a previous test case with the same BSSID.
Arowa Suliman [Tue, 5 Nov 2024 05:36:11 +0000 (05:36 +0000)]
Check last scan SSIDs before triggering new scan for hidden network
Commit 92374d59d4ef ("Enhance select_network() to trigger new scans in
some cases") introduced a redundant scan when selecting a hidden network
that was previously scanned and found. This occurs because the code only
checks for the condition `(wpa_s->no_suitable_network ||
wpa_s->last_scan_external)`, which doesn't cover the case where the last
scan successfully found the hidden SSID.
Save the scanned SSIDs from the last scan and updates the condition to
check if the hidden SSID was included. If the hidden SSID is not found
in `last_scan_ssids`, the code checks if the SSID was found in earlier
scan results. If not, it triggers a new scan. If the SSID is found, a
new scan is avoided, resulting in faster connection times.
Jouni Malinen [Thu, 26 Dec 2024 22:19:33 +0000 (00:19 +0200)]
Handle CONFIG_NO_WPA for wpa_sm_has_ptk_installed()
There was no empty wrapper for wpa_sm_has_ptk_installed() for the
CONFIG_NO_WPA=y builds. The previously renamed wpa_sm_has_ptk() wrapper
was still in place even though it is not used anymore, so rename it to
cover this newer need.
projects / thirdparty / hostap.git / log
