Aloka Dixit [Thu, 1 Dec 2022 03:18:35 +0000 (19:18 -0800)]
mbssid: Configure all BSSes before beacon setup
When multiple BSSID advertisement feature is enabled in IEEE 802.11ax
mode or later, Beacon frames are not transmitted per interface, instead
only one of the interfaces transmits Beacon frames that include one or
more Multiple BSSID elements with configuration for the remaining
interfaces on the same radio.
Change the existing logic such that all configuration details for all
the interfaces are available while building the Beacon frame template
for the transmitting interface itself.
Do not change the flow for the cases where multiple BSSID advertisement
is not enabled.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Aloka Dixit [Thu, 1 Dec 2022 03:18:34 +0000 (19:18 -0800)]
mbssid: Retrieve driver capabilities
Retrieve driver capabilities for the maximum number of interfaces for
MBSSID and the maximum allowed profile periodicity for enhanced MBSSID
advertisement.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Daniel Gabay [Thu, 1 Dec 2022 16:54:35 +0000 (18:54 +0200)]
AP: Add testing option to delay EAPOL Tx
Add a testing option to delay EAPOL-Key messages 1/4 and 3/4. By setting
delay_eapol_tx=1, the actual EAPOL Tx will occur on the last possible
attempt (wpa_pairwise_update_count) thus all previous attempts will fail
on timeout which is the wanted delay.
In addition, add an hwsim test that uses this testing option to verify
that non protected Robust Action frames are dropped prior to keys
installation in MFP.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Since wpa_supplicant can change MAC address of the interface on its own
(with randomization enabled) it makes sense to introduce MACAddress as a
property of the interface and send notifications about its change.
This allows other applications to just use D-Bus instead of both
communicating over D-Bus with wpa_supplicant and listening to Netlink
notifications for MAC changes.
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
Jouni Malinen [Thu, 1 Dec 2022 15:04:13 +0000 (17:04 +0200)]
EAP-TEAP server: Allow tunneled EAP method sequence to be optimized
Include the start of the next EAP method in an EAP Payload TLV in the
same message with the Crypto-Binding TLV for the previous EAP method to
get rid of one roundtrip when using more than a single EAP
authentication method within the tunnel. The previous, not optimized,
sequence can still be used with eap_teap_method_sequence=1 for more
complete testing coverage.
Jouni Malinen [Thu, 1 Dec 2022 15:00:56 +0000 (17:00 +0200)]
EAP-TEAP peer: Process Crypto-Binding TLV before EAP Payload TLV
When using the optimized EAP method sequence within the tunnel, crypto
binding for the previous EAP method can be performed in the same message
with the start of the next EAP method. The Crypto-Binding TLV needs to
be processed before moving to the next EAP method for IMSK to be derived
correctly, so swap the order of these processing steps.
Jouni Malinen [Thu, 1 Dec 2022 14:03:06 +0000 (16:03 +0200)]
EAP-TEAP: Use EAP-FAST-MSCHAPv2 in the tunnel
While RFC 7170 does not describe this, EAP-TEAP has been deployed with
implementations that use the EAP-FAST-MSCHAPv2, instead of the
EAP-MSCHAPv2, way of deriving the MSK for IMSK. Use that design here to
interoperate with other implementations since that seems to be direction
that IETF EMU WG is likely to go with an RFC 7170 update.
This breaks interoperability with earlier hostapd/wpa_supplicant
versions.
Jouni Malinen [Thu, 1 Dec 2022 13:56:29 +0000 (15:56 +0200)]
EAP-FAST: Move EAP-MSCHAPv2 special MSK handling into MSCHAPv2
EAP-FAST uses a special variant of EAP-MSHCAPv2 called EAP-FAST-MSCHAPv2
in RFC 5422. The only difference between that and EAP-MSCHAPv2 is in how
the MSK is derived. While this was supposed to be specific to EAP-FAST,
the same design has ended up getting deployed with EAP-TEAP as well.
Move this special handling into EAP-MSCHAPv2 implementation so that it
can be shared for both needs.
Ayala Beker [Wed, 30 Nov 2022 15:02:46 +0000 (17:02 +0200)]
wpa_supplicant: Support throughput estimation for EHT rates
Add support to consider EHT rates while calculating the estimated
throughput for scan results.
- The estimated EHT throughput uses the HE 0.8 usec GI rates from the
relevant EHT-MCS tables from IEEE P802.11be/D2.0, 36.5.
- The minimum SNR values for EHT rates (4096-QAM) are derived by adding
the existing minimum SNR values of 1024-QAM rates from HE tables and
the difference between the values of minimum sensitivity levels of
1024-QAM rates and 4096-QAM rates defined in Table 36-67 (Receiver
minimum input level sensitivity) in IEEE P802.11be/D2.0.
Signed-off-by: Ayala Beker <ayala.beker@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
There are several cases where memory allocations are not
checked for success. Add conditions and error messages, as some
analyzers complain about that.
Signed-off-by: Micha Hashkes <micha.hashkes@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The arguments were swapped. Apparently all the calls to this function
use the same value for both input and output parameters, so it went
unnoticed. Fix it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Wed, 30 Nov 2022 12:01:55 +0000 (14:01 +0200)]
OpenSSL: Apply connection flags before reading certificates
This is needed to be able to drop the OpenSSL security level, if
necessary, for cases where old certificates (e.g., something using SHA-1
signatures) are still needed. openssl_ciphers="DEFAULT@SECLEVEL=0" can
achieve this, but only if applied before attempting to load the
certificates.
Jimmy Chen [Tue, 13 Apr 2021 06:55:52 +0000 (14:55 +0800)]
SAE: Enable H2E for 6 GHz BSS
Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz, so enable H2E automatically when
connecting to a BSS on the 6 GHz band if it was not enabled in the
configuration.
Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
Nicolas Escande [Tue, 29 Nov 2022 16:02:37 +0000 (17:02 +0100)]
AP: Enable H2E on 6 GHz when SAE is used
Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz. So lets automatically enable it by
setting sae_pwe=2. This will allow both the hunting-and-pecking and
hash-to-element to work (and be backward compatible).
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
WPS: Cross band overlap detection with multiple interfaces
When WPS is running simultaneously on multiple per-band radios (e.g., a
separate 2.4 GHz and 5 GHz band radios in an AP device), handle
synchronization of scan results, detect PBC session overlap, and cancel
WPS for enrollees on both interface, if the UUID of the registrars on
different bands differ.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Michal Kazior [Tue, 11 May 2021 10:56:18 +0000 (10:56 +0000)]
DPP: Expose own and peer bootstrap info ids on authentication success
The system may be interested in knowing which bootstrap information
entries are being exercised. This could be used for statistics or
completion signaling to upper application layer outside of hostapd,
along with the public key hash.
Implement read-only mode for SSIDs from the additional config (-I)
On NixOS[1] - a Linux distribution which allows to configure a full OS
declaratively - it's possible to configure SSIDs for `wpa_supplicant`
like this:
It's also possible to add networks "imperatively" using `wpa_gui` or
`wpa_cli`. However it's not possible to do both because if the first
option is used, NixOS creates a read-only symlink at
`/etc/wpa_supplicant.conf` and then it's not possible for
`wpa_supplicant` anymore to write to it.
This patch aims to help us changing this: while "declarative" SSID
configuration can be quite useful, it's a bad idea for e.g. sensitive
stuff like a WPA2 enterprise network.
The original idea was to use `-I`[2] for immutable configs (including
"declarative" networks) on NixOS and `-c /etc/wpa_supplicant.conf` for
anything "imperative".
However this doesn't really work out because if a wifi network from a
config file specified with `-I` is changed by e.g. `wpa_gui`, it's
silently overwritten in `/etc/wpa_supplicant.conf` (specified with
`-c`) which is IMHO unintuitive (in our case at least). This patch
basically declares each network defined in a config file passed via `-I`
to `wpa_supplicant` as "read-only" and doesn't write these "read-only"
networks to `/etc/wpa_supplicant.conf`.
A bit more context can be found on GitHub in the PR where I implemented
this[3].
Nicolas Escande [Wed, 27 Apr 2022 13:37:02 +0000 (15:37 +0200)]
ACS: Allow selecting a better channel when using 40/80/160 MHz
When considering a channel for a bandwidth of 40/80/160 MHZ on the 5 GHz
or 6 GHz band, allow selecting one of the other channels in the segment
instead of the first one. This is done only if the other channel's
interference_factor is lower than the first one's.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Nicolas Escande [Wed, 27 Apr 2022 13:37:01 +0000 (15:37 +0200)]
ACS: introduce acs_adjust_secondary
When using 40/80/160 MHz bandwidth on the 5 GHz or 6 GHz band, enforce
the secondary channel to be the other channel of the corresponding 40
MHz segment.
Even if this is useless for now, this is preparatory work to allow ACS
to select a primary channel which is not the first of its segment.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Nicolas Escande [Wed, 27 Apr 2022 13:37:00 +0000 (15:37 +0200)]
ACS: Introduce acs_get_bw_center_chan()
When using 40/80/160 MHz bandwidth, instead of computing the index of
the segment center freq based on the selected channel, lets look it up
in the bw_desc[] table.
This is preparative work to allow selecting a primary channel which is
not the first of the segment.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Nicolas Escande [Wed, 27 Apr 2022 13:36:59 +0000 (15:36 +0200)]
ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan()
This extracts the 3 lists of allowed channels for 40/80/160 MHz
bandwidth out of their respective functions. It also adds for each
segment the frequency of the segment's last channel and the index of the
segment's "center" channel.
This is preparative work to allow selecting a channel which is not the
first of its segment for 40/80/160 MHz. In addition, this adds the 5 GHz
160 MHz channel defined for 5735-5895 MHz (channels 149-177).
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Add new 'mac_addr' policy (3) with which supplicant expects to also
obtain 'mac_value' with pregenerated value of MAC address to be used for
given SSID.
The main difference between this policy and policy 1 is the ability to
control persistence of the MAC address used. For example if there is
a requirement to always use the same (but random) MAC address for given
SSID (even if user removes/forgets the network) this could be handled
outside of the wpa_supplicant by using some SSID based hashing scheme to
generate MAC (or by just storing the randomly generated one) and
providing it to wpa_supplicant together with mac_addr=3 policy.
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
Ilan Peer [Wed, 11 May 2022 09:40:36 +0000 (12:40 +0300)]
P2P: Include only 6 GHz PSCs in full scan
As P2P GOs are not expected to be collocated, i.e., they are not
expected to be announced in the RNR element of other APs, they can
operate only on preferred scanning channels (PSCs).
When performing a full scan for P2P discovery, include only the 6 GHz
PSCs (if supported) to avoid scanning channels on which P2P GOs are not
expected to reside.
While at it also fix couple of places that missed including 60 GHz
channels in P2P full scan.
Jouni Malinen [Mon, 28 Nov 2022 14:35:01 +0000 (16:35 +0200)]
DPP: Use existing TCP connection to replay duplicate Presence Announcement
Instead of opening a new TCP connection for each received Presence
Announcement from the same Enrollee from the Relay to the Controller,
use an existing connection if it is still waiting for Authentication
Response. This avoids opening multiple parallel sessions between the
same Controller and Enrollee.
Eliot Lear [Thu, 23 Jun 2022 10:58:38 +0000 (12:58 +0200)]
DPP: Don't close TCP connection for duplicate Presence Announcements
If wpa_supplicant receives a duplicate DPP chirp over a TCP connection
this causes the connection (and all of its state) to be torn down.
Such a tear-down means that the authentication request state is discarded.
That in turn will cause any otherwise valid authentication response
to not succeed.
This commit addresses that problem. It also does not attempt to check
for duplicates until at least we know that we have an appropriate hash.
Johannes Berg [Mon, 13 Jun 2022 13:25:37 +0000 (15:25 +0200)]
tests: Add mode for running UML kernel under gdb
The new --gdb option can be used when KERNELDIR (and optionally
MODULEDIR) are set and we therefore run UML. It runs the entire
VM under the debugger, with a script to load the right modules
into gdb so you can debug easily.
This needs CONFIG_GDB_SCRIPTS=y to be used in the kernel build.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Vinay Gannevaram [Sun, 20 Nov 2022 13:57:51 +0000 (19:27 +0530)]
Add a callback to notify added PMKSA cache entry details
Add a callback handler to notify details of a PMKSA cache entry when it
is added to the PMKSA cache. This can be used to provide external
components more convenient access to the PMKSA cache contents.
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:27 +0000 (13:08 +0200)]
tests: Add ap_reload_bss_only
The test checks that when the SSID of a BSS is changed using
SET+RELOAD_BSS, the stations already connected to other BSSes on the
same radio are not disconnected.
It also checks that stations can connect using the new SSID after the
reload.
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:26 +0000 (13:08 +0200)]
hostapd: Add RELOAD_BSS
When using multiple BSSes on a single radio, it is sometimes desirable
to reconfigure one BSS, without disconnecting the stations already
connected to other BSSes on the same radio.
When a BSS is reconfigured using the SET command, there is no "old"
configuration we can compare to (so we cannot compare a hash of the
configuration for example).
One possible solution would be to make the current RELOAD command
reload only the current BSS. However, that could break the workflow of
existing users. Instead, introduce a new RELOAD_BSS command, which
reloads only the current BSS.
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:25 +0000 (13:08 +0200)]
tests: Add ap_config_reload_on_sighup_config_id
The test checks that when reloading the configuration with SIGHUP,
stations that are connected to BSSes whose config_id did not change are
not disconnected. It also checks that for the BSSes that have a
different config_id and SSID, the new SSID is applied correctly.
Raphaël Mélotte [Mon, 1 Aug 2022 11:08:21 +0000 (13:08 +0200)]
Split BSS-specific hostapd_clear_old_bss() from hostapd_clear_old()
In hostapd_clear_old() multiple steps are needed to clear a BSS.
There are some places where it would be desirable to clear only some
BSSes and not all.
To make it easier to clear only some BSSes, split hostapd_clear_old()
with hostapd_clear_old_bss(), which does the same actions but on a
single BSS.
xinpeng wang [Thu, 28 Jul 2022 08:19:42 +0000 (16:19 +0800)]
dbus: Add dbus notify when wpa_s->key_mgmt changes
For WPA2/WPA3 authentication mode, wpa_supplicant needs to notify
CurrentAuthMode property change when wpa_s->key_mgmt changes, so
NetworkManager can judge whether it needs to request a password based on
this.
Call wpas_notify_auth_changed() when starting a new connection item,
i.e., after having updated wpa_s->key_mgmt.
Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
nl80211: Check previous MAC address for locally-generated-deauth
When using MAC randomization wpa_supplicant can change the local MAC
address during roaming scenario:
1. We attach to AP1 (with MAC1/SSID1).
2. Roaming to AP2 (with MAC2/SSID2) is started:
a) we send DEAUTH(for AP1, with MAC1)
b) we change MAC to MAC2 due to randomization
c) we start authentication for AP2
d) we get notification about DEAUTH for AP1 (which we ignore)
e) we complete association with AP2
In point 2d we completely ignore the notification which later causes
problems. This happens if the deauthentication event is generated by the
local driver (e.g., due to beacon loss) instead of AP2 sending an
explicit Deauthentication frame.
The intended behavior is as follows: during roaming we generate DEAUTH
(2a) and signal this event right away. To protect from handling of our
own DEAUTH for the 2nd time supplicant marks 'ignore_next_local_deauth'
variable. In point 2d we should receive this notification and clear the
flag but this does not happen because MAC1 in the notification is not
the current MAC address (it has been changed in 2b) so this notification
is ignored as a one with a "foreign" address.
So we end up successfully at AP2 but with 'ignore_next_local_deauth'
still set which causes problems. For example if AP2 shuts down it has
been observed on some drivers that the DEAUTH notification is generated
as a local one and since we have flag to ignore it nothing is reported
over D-Bus.
To address the problem let's store the previously used MAC address and
use it for checking for foreign address (in combination with the current
one).
Signed-off-by: Andrzej Ostruszka <amo@semihalf.com>
Kaidong Wang [Wed, 15 Jun 2022 19:55:43 +0000 (19:55 +0000)]
wpa_supplicant: Convert SSID into printable form before printing
SSID may include unprintable characters. This change converts
unprintable characters into printable form before printing SSID in the
function wpas_send_ctrl_req(). The conversion is based on the function
wpa_ssid_txt().
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
Vinayak Yadawad [Thu, 30 Jun 2022 04:07:53 +0000 (09:37 +0530)]
Mark authorization completed on driver indication during 4-way HS offload
In case of drivers supporting 4-way handshake offload, mark port
authorized and state completion only if the driver advertizes authorized
state in the connect event. Otherwise there are fair chances of the
driver port authorization API getting called while 4-way handshake is in
progress at the lower layer.
In order to avoid this possible race condition always update port
authorization and supplicant state WPA_COMPLETED setting from
EVENT_PORT_AUTHORIZED context when the driver is done with the 4-way
handshake.
Jouni Malinen [Sun, 27 Nov 2022 06:30:58 +0000 (08:30 +0200)]
RSN: Split WPA(v1) processing of EAPOL-Key frames into a separate function
This is a step in separating RSN and WPA(v1) processing of EAPOL-Key
frames into separate functions. This allows the implementation to be
simplified and potentially allows the validation rules to be made
stricter more easily. This is also a step towards allowing WPA(v1)
functionality to be removed from the build in the future.
Until now Hotspot 2.0 credentials were only supporting one home OI (with
roaming_consortium option) and one required home OI (with
required_roaming_consortium option). To improve the compliance with
Passpoint specification, add the support for multiple home and required
OIs.
The lists of OIs are provided using two new configuration options
home_ois and required_home_ois that expect a list of OIs formatted as
the roaming_consortiums list. It allows to keep the old options to avoid
breaking currently running configurations and better fits the vocabulary
used in the spec.
The OI match algorithm is updated to implement the behavior described in
Passpoint specification v3.2 section 9.1.2 (Home OIs nodes description
PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>).
Norman Hamer [Mon, 31 Oct 2022 23:06:22 +0000 (23:06 +0000)]
OpenSSL: Load OpenSSL 3.0 legacy provider but let default be loaded
The default provider is being loaded here explicitly only because
OSSL_PROVIDER_load() disables the fallback provider loading (on either
success or failure). If the legacy provider fails to load, which it may
in some configurations, it will never load the default provider.
Just use the formulation which attempts to load without changing the
fallback behavior.
"default" will still be/only be loaded if no other provider (notably
FIPS) is loaded to provide algorithms.
Norman Hamer [Fri, 14 Oct 2022 18:37:34 +0000 (18:37 +0000)]
OpenSSL: Don't provide implementation of DES/RC4 for FIPS builds
DES and RC4 are not allowed in such builds, so comment out des_encrypt()
and rc4_skip() from the build to force compile time failures for cases
that cannot be supported instead of failing the operations at runtime.
This makes it easier to detect and fix accidental cases where DES/RC4
could still be used in some older protocols.
Jintao Lin [Mon, 7 Nov 2022 19:25:26 +0000 (19:25 +0000)]
dbus: Add virtual interface create/remove logic to be inline with ctrl_iface
There is no way to create or remove a virtual interface with
wpa_supplicant dbus methods. The platform has to use out-of-band methods
to manage the virtual interfaces.
This change adds virtual interface create/remove logic to the dbus
methods CreateInterface and RemoveInterface to achieve similar
functionalities as wpa_cli commands interface_add and interface_remove.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
Vinay Gannevaram [Fri, 11 Nov 2022 18:45:36 +0000 (00:15 +0530)]
PASN: Fix passing own address and peer address to pasn_deauthenticate()
Need to copy own address and peer address locally and pass them to
pasn_deauthenticate(), because this pointer data will be flushed from
the PTKSA cache before sending the Deauthentication frame and these
pointers to then-freed memory would be dereferenced.
Jouni Malinen [Fri, 25 Nov 2022 07:37:17 +0000 (09:37 +0200)]
FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
PMKSA caching for the FT initial mobility domain association was fully
defined in IEEE Std 802.11-2020. The state before that was unclear and
there has been interoperability issues in this area, so use of PMKSA
caching with FT-EAP has been disabled in wpa_supplicant by default.
The wpa_supplicant and hostapd implementation of PMKSA caching for FT
ended up using an earlier default mechanism (SHA-1) for deriving the
PMKID when using the FT-EAP. This does not match what got defined in
IEEE Std 802.11-2020, 12.11.2.5.2 (SHA256). It is not really desirable
to use SHA-1 for anything with FT since the initial design of FT was
based on SHA256. Furthermore, it is obviously not good to differ in
behavior against the updated standard. As such, there is sufficient
justification to change the implementation to use SHA256 here even
though this ends up breaking backwards compatibility for PMKSA caching
with FT-EAP.
As noted above, this is still disabled in wpa_supplicant by default and
this change results in PMKSA caching not working only in cases where it
has been enabled explicitly with ft_eap_pmksa_caching=1. Those cases
recover by falling back to full EAP authentication.
Mukul Sharma [Tue, 22 Nov 2022 09:28:09 +0000 (14:58 +0530)]
Add a new QCA vendor attribute to configure wifi calling (wfc) state
Add QCA_WLAN_VENDOR_ATTR_CONFIG_WFC_STATE vendor attribute. Userspace
uses this attribute to configure wfc state to the driver/firmware. The
driver/firmware uses this information to optimize power savings, rate
adaption, roaming, etc.
wpa_supplicant used the WPS IE from a Probe Response frame, if one was
received, even if there might have been a more recent Beacon frame with
an updated WPS IE. This could result in using stale information about
active WPS registrar, e.g., when operating on the 6 GHz band.
Prefer WPS IE from a Beacon frame over the default selection of Probe
Response frame (if one has been received) in cases where the Beacon
frame is received more recently than the Probe Response frame and active
WPS Registrar information is being checked. Skip this for the case where
UUID-E is needed since that is not available in the Beacon frame.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Jouni Malinen [Thu, 24 Nov 2022 15:16:26 +0000 (17:16 +0200)]
Enable PMF automatically if OCV is enabled
OCV cannot be used without PMF and such a configuration were to be used
with wpa_supplicant, the AP would reject the association. hostapd is
already enabling PMF automatically whenever OCV is being enabled, so do
the same with wpa_supplicant.
Mert Ekren [Wed, 23 Nov 2022 12:15:16 +0000 (12:15 +0000)]
SAE: Use Challenge Failure status code in confirm message failure cases
IEEE Std 802.11-2020, 12.4.7.6 says that status code CHALLENGE_FAILURE,
needs to be sent in case the verification action fails for SAE Confirm
message frame from a STA: "An SAE Confirm message, with a status code
not equal to SUCCESS, shall indicate that a peer rejects a previously
sent SAE Confirm message. An SAE Confirm message that was not
successfully verified is indicated with a status code of
CHALLENGE_FAILURE."
hostapd, however, did not use this status code for this case. In
ieee802_11.c the function sae_check_confirm() is called and in case of
verification failure (-1 is returned), the response is set to
WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). Fix this to use
CHALLENGE_FAILURE.
Signed-off-by: Koen Van Oost <koen.vanoost@airties.com> Signed-off-by: Mert Ekren <mert.ekren@airties.com>
Jouni Malinen [Thu, 24 Nov 2022 10:03:01 +0000 (12:03 +0200)]
Allow a lower priority BSS to be tried after network disabling
If a higher priority BSS has invalid security parameters, e.g., an
invalid SAE password, and a lower priority BSS is discovered only after
the local network profile has been temporarily disabled, the BSSID
ignoring mechanism is not sufficient to allow the lower priority BSS to
be tried and all consecutive attempts will continue to use the higher
priority BSS. This might prevent connection in some unexpected cases
with invalid network configuration.
Extend BSSID ignoring mechanism to work in this type of a case by
ignoring the BSSID that resulted in disabling the SSID temporarily
during the first connection attempt after having re-enabled the SSID.
This allows a lower priority BSS, if any is available in scan results,
to be tried next to see if it might have working security parameters.
Jouni Malinen [Wed, 23 Nov 2022 20:51:50 +0000 (22:51 +0200)]
DFS: Do not allow channel checks to go beyond the channel list
Explicitly check for invalid cases where the configured channel and
bandwidth might result in the full channel number range going beyond the
list of supported channels to avoid reading beyond the end of the
channel buffer.
Qiwei Cai [Wed, 9 Nov 2022 11:46:04 +0000 (19:46 +0800)]
Skip CAC if the driver switches channel to non-DFS
If an AP is started on a DFS channel (or any channels within its
bandwidth require DFS) and DFS is offloaded to the driver, hostapd needs
to wait for CAC to complete. But the driver may not do CAC and just
switches to a non-DFS channel instead. This would result in a failure to
start the AP because hostapd fails to receive a CAC complete event and
cannot finish interface setup.
Skip CAC and complete AP setup in the channel switch event handler for
this case.
Add QCA vendor interface for AP doze mode configuration
Add a new subcommand QCA_NL80211_VENDOR_SUBCMD_DOZED_AP to configure
doze mode state on an AP interface. This is also used as an event to
indicate the updated configuration. In doze mode, AP transmits
beacons at higher beacon intervals and RX is disabled.
Uses attributes defined in enum qca_wlan_vendor_attr_dozed_ap.
Sunil Dutt [Tue, 22 Nov 2022 11:12:54 +0000 (16:42 +0530)]
Roam control configuration for 6 GHz in full scan only on prior discovery
During the roam scan, if there are no desired APs found in the partial
frequency list, an immediate full scan on all the supported frequencies
is initiated as a fallback. This would include the 6 GHz PSC
frequencies. Define an attribute to allow that behavior to be modified
to include PSCs only if 6 GHz use has been detected.
Jouni Malinen [Mon, 21 Nov 2022 20:53:07 +0000 (22:53 +0200)]
HS 2.0: Deauthenticate STA on deauth-imminent more quickly if no URL
When the RADIUS server requests a STA to be deauthenticated imminently
without providing a reason URL, there is no need to allow the STA spend
any additional time associated. Deauthenticate the STA immediately after
it has ACK'ed the WNM-Notification frame indicating imminent
deauthentication or at latest two seconds after having processes the
Access-Accept message.
nl80211: Fix wrong requested links bitmap in sta_mlo_info.req_links
Currently sta_mlo_info.req_links is not getting cleared before
populating the requested links information for a new connection/roam
event. This is causing wrong requested links bitmap in
sta_mlo_info.req_links if there is a change in requested link IDs
between the previous and the new connection. To avoid such issues fully
clear MLO connection information after disconnection and before
populating MLO connection information during (re)association event.
Fixes: cc2236299f99 ("nl80211: Get all requested MLO links information from (re)association events") Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
IGTK and BIGTK MLO KDEs should be validated only when the AP sends them
in EAPOL-Key msg 3/4. Though IEEE P802.11be/D2.2 mandates MLO AP to
enable PMF and Beacon Protection features there is no text to mandate a
STA to discard connection when the MLO AP doesn't send IGTK and BIGTK
MLO KDEs in EAPOL-Key msg 3/4 for a link. Also, fix
wpa_sm->mgmt_group_cipher checks before processing MLO IGTK and BIGTK
MLO KDEs.
Fixes: f15cc834cb77 ("MLD STA: Processing of EAPOL-Key msg 3/4 frame when using MLO") Fixes: 8f2e493bec99 ("MLD STA: Validation of MLO KDEs for 4-way handshake EAPOL-Key frames") Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Sunil Dutt [Mon, 7 Nov 2022 12:09:11 +0000 (17:39 +0530)]
Add a vendor attribute for roam control configuration for full scan
During the roam scan, if there are no desired APs found in the partial
frequency list, an immediate full scan on all the supported frequencies
is initiated as a fallback. This flag controls the frequency list
creation for full scan on the following lines.
1 - Full scan to exclude the frequencies that were already scanned by
the previous partial scan.
0 - Full scan to include all the supported frequencies irrespective of
the ones already scanned by partial scan.
Glenn Strauss [Tue, 8 Nov 2022 05:05:54 +0000 (00:05 -0500)]
TLS: Fix unsigned int underflow in internal TLS 1.0/1.1 implementation
Taking sizeof(ptr) is incorrect to determine size of passed in hash and
results in hlen getting set to a very large value since MD5_MAC_LEN >
sizeof(ptr). Provide the actual size of the hash buffer from the caller
to fix this.
tls_key_x_server_params_hash() callers src/tls/tlsv1_client_read.c and
src/tls/tlsv1_server_write.c both pass in a large enough hash (hash[64]
or hash[100]) that this does not appear to have an impact, though it is
still wrong.
Glenn Strauss [Tue, 8 Nov 2022 05:05:52 +0000 (00:05 -0500)]
DPP: Fix memory leak of intro.peer_key in station handling
Fix memory leak of intro.peer_key in wpas_dpp_rx_peer_disc_resp(). The
other code paths were updated to use dpp_peer_intro_deinit(), but this
non-privacy-protection version of the station implementation was missed.
Jouni Malinen [Sun, 20 Nov 2022 10:08:47 +0000 (12:08 +0200)]
WPS: Check NDEF record length fields separately
Try to make the bounds checking easier for static analyzers by checking
each length field separately in addition to checking them all in the end
against the total buffer length.
Jouni Malinen [Sun, 20 Nov 2022 11:07:21 +0000 (13:07 +0200)]
TDLS: Use stored FTE length in MIC calculation
Try to avoid static analyzer warnings due to use of the FTE length
field instead of the separately stored and validated length field value
when deriving FTE MIC.
projects / thirdparty / hostap.git / log
