Benjamin Berg [Mon, 20 Nov 2023 23:51:47 +0000 (01:51 +0200)]
tests: Fix some incorrect failure waiting calls
These were either sending the command to the wrong
hostapd/wpa_supplicant instance or using the wrong command. This
currently causes the wait to just immediately stop, but with future
commits it would start failing.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Ilan Peer [Mon, 20 Nov 2023 23:51:42 +0000 (01:51 +0200)]
AP: Handle re-association from a non-AP MLD
When processing a (Re)Association Request frame and no corresponding
station is found, try to find the station using the station MLD MAC
address from the Basic ML element, as it is possible that the station
is trying to re-associate but with a different link address (in such
a case the underlying driver would not perform address translations).
When sending the (Re)Association Response frame, use the addresses from
the (Re)Association Request frame and not the AP MLD MAC address, again,
to avoid the address translation done in the driver.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:40 +0000 (01:51 +0200)]
MLD: Use MLD MAC address for deauthentication
When connecting, pending_bssid is set to the main link that we are
authenticating/associating on. Later on, the MLD MAC address will be
stored in the bssid, but we may also try to deauthenticate before we are
connected and in that case, pending_bssid is not yet set to the MLD MAC
address.
As such, use the ap_mld_addr instead of pending_bssid if n_mld_links is
non-zero. This is the sensible thing to do and expected behavior on
nl80211.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
For AP MLD, when BSSID configuration is specified without mld_addr, the
first link address is used as the MLD MAC address as well. Though IEEE
P802.11be allows this, the current implementation and the kernel aren't
happy about it. Better avoid this.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Mon, 20 Nov 2023 23:51:37 +0000 (01:51 +0200)]
scan: Include AP MLD ID in ML probe request if needed
According to IEEE P802.11be/D4.0, 35.3.4.2, the AP MLD ID must be
included in the Probe Request ML element in case it is sent to a
transmitted BSS in which case it should be set to 0. If it is sent to an
non-transmitted BSSID, the AP MLD ID should not be included.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
IEEE P802.11be/D4.0, 9.4.2.312.2.3 states that the AP MLD ID should only
be included in some ML probe responses. Beacon frames shouldn't include
AP MLD ID.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:35 +0000 (01:51 +0200)]
ML: Add basic handling of ML probe requests
This responds by simply embedding most of the IEs from the other links
into the ML element. This is not correct really, as inheritance rules
should be applied and an inheritance element may need to be added.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:34 +0000 (01:51 +0200)]
AP: MLO: Add helper to iterate all links of an AP MLD
Add a simple for_each_mld_link helper that sets first variable to the
hapd data for every link. It takes the interfaces and MLD ID as
arguments and two extra integers as scratch variables (for the interface
and bss offsets).
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:32 +0000 (01:51 +0200)]
AP: Split Probe Response frame IE generation into a separate function
To support ML probe request we will need to include IEs from the other
hapd instances in the response. Split the function to allow just
generating the per-instance IEs separately.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:28 +0000 (01:51 +0200)]
MLD: Ignore failed links from association attempt
If for some reason association fails and a link which has an error is
reported, add that specific link to the ignore list. After that,
immediately retrigger the connection code. In the usual case, we are
then going to reconnect to the same AP MLD but with that particular link
not being included in the connection.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:29 +0000 (01:51 +0200)]
nl80211: Add support to parse out link from error reply
The kernel may report the link that caused an error by setting
NLMSGERR_ATTR_OFFS pointing to the NL80211_ATTR_MLO_LINKS element
that was the reason for the error.
Parse this information if the optional struct nl80211_err_info is
passed to send_and_recv_msgs().
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:27 +0000 (01:51 +0200)]
MLD: Do not consider ignored BSSs for links when parsing RNR info
This avoids, e.g., trying to use a BSS that is rejected by mac80211 as a
link, which could fail the connection as a whole.
Note that this is not perfect. Ideally, the internal state would have a
more context sensitive ignore flag so that one could still use a BSS as
a link in some situation.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:26 +0000 (01:51 +0200)]
MLD: Return status code for links when rejecting association
When the TX link rejects the association, return a status code for all
requested links. For simplicity, just return "TX link not accepted" so
that clients may try to connect to other links. This could be improved
to explicitly reject each link if directly associating to the link will
not work either.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:25 +0000 (01:51 +0200)]
MLD: Also mark links as failed after association failure
Parse the link status values out of Multi-Link association response. If
the AP rejects ML association and marks the links as failed with a
reason code other than TX_LINK_NOT_ACCEPTED, also report these links to
wpas_connection_failed() and ignore them.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Mon, 20 Nov 2023 23:51:23 +0000 (01:51 +0200)]
AP: Add support for testing ML link removal
Add support for testing ML link removal to hostapd. While such support
should inherently be integrated with the underlining driver, simulate
the inclusion of the ML reconfiguration element in hostapd.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
wpa_supplicant: Remove duplicate logic in wpas_ml_element()
Parsing multiple RNR elements already exists in
wpa_bss_parse_basic_ml_element(), so wpas_ml_element() just duplicates
the same code. Combine the functionality of both these functions and
remove the duplicate.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Sat, 25 Nov 2023 09:13:42 +0000 (11:13 +0200)]
dbus: Increase XML buffer size for an interface introspection data
The current set of global configuration fields is getting close to the
previously used 15000 byte limit, so increase this size to 16000 and add
a note about the potential need to change this size when adding new
fields.
Benjamin Berg [Mon, 20 Nov 2023 23:51:18 +0000 (01:51 +0200)]
common: Simplify and avoid confusing defragmentation API
Three functions were provided for defragmentation. First
ieee802_11_defrag(), ieee802_11_defrag_mle() and then
ieee802_11_defrag_data() which would do the actual job. With
ieee802_11_defrag() picking the member in the elements struct for an
EID. The problem with this is, that for the Multi-Link element, there
are multiple entries in the elems struct depending on its type. As such,
remove the intermediate function and simply pass the correct members
directly.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This Presence Bitmap field is B4..B15 of the Multi-Link Control field
and the value used here is for that full 16-bit field, not just within
the Presence Bitmap field.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:16 +0000 (01:51 +0200)]
SME: Drop old disassoc_while_authenticating workaround
This workaround from commit 6d6f4bb87f33 ("nl80211: Work around mac80211
limitation on (re)auth when authenticated") pre-dates the code that
supresses the deauth or disconnect event from nl80211. Should this code
be called it would not actually work at this point, as important
internal state for the authentication attempt has already been lost.
Simply drop the code. This might also fix issues where we could get
into a bad state if a proper deauth/disconnect event happens while we
are authenticating or associating.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Mon, 20 Nov 2023 23:51:15 +0000 (01:51 +0200)]
nl80211: Do a roundtrip to reset event supressions
With nl80211 we need to supress the kernel generated event for any
disconnect and deauthenticate. This code is a bit fragile, as it
assumes that an event will happen. Commit b898b655824a ("nl80211: Do
not ignore disconnect event in case of !drv->associated") changed this
to only disconnect when the driver knows it is associated (apparently
required for P2P), however, deauthentication may also occur without
being associated yet.
Looking at the issue, what we are really interested in is whether the
event belongs to a disconnect/deauth command that we have send
ourselves. Any event happening after the disconnect/deauth completes
should not be suppressed (or after the next connect/auth as that would
be sufficient). We therefore need to know from the event stream
whether events were generated before or after disconnect/deauth
command completion.
To do so, send a simple command on the nl_event socket. As this will
be returned back to us in the correct order with regard to the events.
We can therefore use it to safely reset our internal
ignore_next_local_{deauth,disconnect} variables.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Jouni Malinen [Fri, 24 Nov 2023 18:59:37 +0000 (20:59 +0200)]
tests: Set wpa_s->global for module tests
This is needed to avoid NULL pointer deferencing in
wpa_supplicant_ctrl_iface_msg_cb() if any of the functions called from
wpas_bssid_ignore_module_tests_() ends up using wpa_msg().
Vinayak Yadawad [Mon, 20 Nov 2023 12:39:33 +0000 (18:09 +0530)]
nl80211: Update port authorized indication for MLO address
Handling of port authorized event for STA currently handles the
connected BSSID. This needs additional handling to support the AP MLD
address in case of MLO connection. The connected_addr expected by
cfg80211_port_authorized() is mld_addr for ML connection case.
Nicolas Escande [Mon, 13 Nov 2023 08:55:55 +0000 (09:55 +0100)]
ACS: Add 320 MHz support for EHT
Enable support for ACS in the IEEE 802.11be/320 MHz case. To do so we
just:
- add channel definitions for the 320 MHz blocks of the 6 GHz band
- handle CONF_OPER_CHWIDTH_320MHZ in the different cases
- restrict 320 MHz to ieee80211be=1 only
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
EHT: Fix HE Channel Center Freq Seg0/Seg1 for 6 GHz 320 MHz cases
Fix for the HE Channel Center Freq Seg0/Seg1 within the HE 6GHz
Operation Information field. As downgrade of bandwidths for VHT and HE
when using puncturing is TODO for 320 MHz and/or if puncturing is
disabled and bandwidth is 320 MHz, the same rules as for 160 MHz should
be applied for Channel Center Freq Seg0/Seg1 within 6 GHz Operation
Information field.
EHT: Fix conditions for including EHT Operation Information field
Include EHT Operation Information field only if the operating bandwidth
is 320 MHz or there is at least one punctured 20 MHz subchannel. This
behavior is defined in IEEE P802.11be/D4.0, 35.15.1 (Basic EHT BSS
operation).
Jouni Malinen [Fri, 24 Nov 2023 10:53:09 +0000 (12:53 +0200)]
MBSSID: Use BIGTK from the transmitted BSS for beacon protection
MBSSID shares a single Beacon frame with multiple BSSs. This implies
that the key used for beacon protection (BIGTK) needs to be shared. The
nontransmitted BSSs managed their own BIGTK previously and that resulted
in providing incorrect value to the stations associated with those BSSs.
Use the BIGTK from the transmitted BSS to fix this.
Jouni Malinen [Thu, 23 Nov 2023 21:13:51 +0000 (23:13 +0200)]
Prefer SAE over PSK in WPA3-Personal transition mode cases
Order scan results in a manner that prefers BSSs that support SAE over
ones that support PSK without SAE if the SNR of the SAE BSS is good or
at least at the same level as the SNR for the PSK BSS. This improves
likelihood of using SAE when the local network profile allows
WPA3-Personal transition mode and the ESS uses a mix BSSs with different
sets of AKMs.
Jouni Malinen [Thu, 23 Nov 2023 18:41:35 +0000 (20:41 +0200)]
OWE: Optimize transition mode AP scan with owe_only=1 STA configuration
Extend the optimization from commit 9c97126576b7 ("OWE: Optimize
transition mode scan to use known channels") to cover cases where the
STA is configued with OWE transition mode disabled, but the AP uses OWE
transition mode.
Ainy Kumari [Thu, 16 Nov 2023 02:47:10 +0000 (08:17 +0530)]
P2P: Do not skip updating BSS table when frequency is changed
BSS table is not updated when a non-P2P station runs a scan without P2P
IE in Probe Response frame, since that would remove P2P IE information.
However, this results also in not updating mandatory rates in Supported
Rates and BSS Membership Selectors element even though AP/GO changes
frequency from 2.4 GHz to 5 GHz band.
This is causing connection failure since BSS table has 1 Mbps as
mandatory rate for AP connection but minimum supported rate in 5 GHz
band is 6 Mbps.
To avoid connection failures in such cases, don't skip updating BSS
table when the BSS frequency is changed. This covers the most important
case addressed in commit ff57398fcab8 ("P2P: Do not drop P2P IEs from
BSS table on non-P2P scans") while still allowing other changes to be
taken into account if the GO were to actually change channels (or band,
which would be the most likely case needing the update).
Vinayak Yadawad [Wed, 22 Nov 2023 09:19:52 +0000 (14:49 +0530)]
Fix references to correct driver capability flag for PSK/OWE offloads
Fix references to the appropriate driver capability drv_flags2. The
initial version used the incorrect drv_flags value and by doing so,
ended up using incorrect driver capabilities (DEAUTH_TX_STATUS,
BSS_SELECT, TDLS_SUPPORT) which could result in incorrect OWE
functionality for both AP and STA cases.
Fixes: d984c7b29801 ("hostapd: Add support for OWE offload for STA/AP interface") Fixes: da364180fba6 ("hostapd: Support 4-way handshake offload for AP/P2P GO") Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
Jouni Malinen [Wed, 22 Nov 2023 17:39:45 +0000 (19:39 +0200)]
OpenSSL: Allow openssl_ciphers override with Suite B config on server
The openssl_ciphers parameter is a global data entry on the server
instead of the per-connection design on client. As such, hostapd needs
to make a local copy of the global value and use that whenever setting
per-connection parameters. This is needed particularly when testing
Suite B functionality where the Suite B specific parameters might end up
overriding the cipher list.
Define new command in qca_tsf_cmd to get AP channel switch TSF time
Define a new command QCA_TSF_SYNC_GET_CSA_TIMESTAMP in qca_tsf_cmd to
retrieve the TSF time value at which the AP will move and starts
beaconing on a new channel. Userspace queries this TSF after receiving
NL80211_CMD_CH_SWITCH_STARTED_NOTIFY event on the AP interface. This TSF
can be communicated via an OOB mechanism to connected STAs which may
fail to receive the CSA frames due to channel congestion.
Jouni Malinen [Sat, 11 Nov 2023 21:20:32 +0000 (23:20 +0200)]
WNM: Do not start scan on disassociation imminent if BSSID is set
If the local network profile specifies a specific BSSID, there will not
be an acceptable alternative AP for the current one. As such, there is
not much point in trying to scan and wait for the results to make this
conclusion. Skip the scan and reject the BSS transition management
request even if that ends up getting disassociated from the BSS that
happens the be the only one that the local configuration allows to be
used.
Vinayak Yadawad [Fri, 10 Nov 2023 14:23:06 +0000 (19:53 +0530)]
hostapd: Add support for SAE offload for AP interface
The driver advertising SAE AP offload support would take care of SAE
authentication and PMK generation at the driver/firmware. This feature
requires the driver to be supporting 4-way handshake offload to process
the generated PMK at the driver level for 4-way handshake.
Vinayak Yadawad [Thu, 9 Nov 2023 05:02:23 +0000 (10:32 +0530)]
hostapd: Add support for OWE offload for STA/AP interface
The driver advertising OWE offload support would take care of
Diffie-Hellman Parameter element generation and processing part. The
driver would be responsible for OWE PMK generation in this case.
Avoid the Diffie-Hellman Parameter element handling in
wpa_supplicant/hostapd for drivers advertising OWE offload support. This
change is applicable only for drivers supporting 4-way handshake
offload.
Vinayak Yadawad [Wed, 8 Nov 2023 12:56:09 +0000 (18:26 +0530)]
hostapd: Support 4-way handshake offload for AP/P2P GO
Add support for offloaded 4-way handshake in AP/P2P GO mode. For drivers
supporting the AP PSK offload, wpa_supplicant/hostapd passes down the
PSK for the driver to handle the 4-way handshake. The driver is expected
to indicate port authorized event to indicate that the 4-way handshake
is completed successfully.
Kaidong Wang [Wed, 8 Nov 2023 03:58:06 +0000 (03:58 +0000)]
Adjust the RSSI and throughput estimate in roaming algorithm
The max transmit power of Standard Power (SP) Access Points (AP) on
6 GHz band and APs on 2.4 GHz and 5 GHz bands is limited by effective
isotropic radiated power (EIRP), while the max transmit power of Low
Power Indoor (LPI) APs on 6 GHz Band is limited by power spectral
density (PSD). Therefore the max transmit power of LPI APs grows as the
channel width increases, similar to the noise power which has constant
PSD.
Adjust the RSSI, SNR and throughput estimate based on max transmit power
config and max channel width in the roaming algorithm.
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
Kaidong Wang [Wed, 8 Nov 2023 03:58:05 +0000 (03:58 +0000)]
Adjust the SNR when comparing BSSes based on Tx power config
The max transmit power of Standard Power (SP) Access Points (AP) on
6 GHz band and APs on 2.4 GHz and 5 GHz bands is limited by effective
isotropic radiated power (EIRP), while the max transmit power of Low
Power Indoor (LPI) APs on 6 GHz Band is limited by power spectral
density (PSD). Therefore the max transmit power of LPI APs grows as the
channel width increases, similar to the noise power which has constant
PSD.
Adjust the SNR of BSSes based on the transmit power config and max
channel width. EIRP limited APs usually have constant max transmit power
on different channel widths, their SNR decreases on larger channel width
because the noise power is higher, while PSD limited APs have constant
SNR over all channel widths.
Signed-off-by: Kaidong Wang <kaidong@chromium.org>
Jouni Malinen [Wed, 8 Nov 2023 11:38:38 +0000 (13:38 +0200)]
OWE: Remove now unnecessary attempt to update transition mode BSS
With the SSID updating of a BSS entry removed from owe_trans_ssid(),
this call to owe_trans_ssid() is not really doing anything, so remove
it. This reverts 6972b0fa2bb8 ("OWE: Update transition mode information
on selecting a new BSS").
OWE: Do not update the BSS entry with zero length SSID for transition
Overwriting of SSID for the hidden OWE BSS entry has some side effects:
- first the entry is notified over DBus with empty SSID and the update
of SSID is never signaled (it is not even possible at the moment to
notify the SSID change - see wpas_dbus_bss_signal_prop_changed()),
- during (and after) association there will be multiple entries
referring to the same BSSID/SSID pair.
Stop overwriting the SSID in an existing BSS entry based on OWE
transition mode information. Instead, depend on a new BSS entry getting
added for the hidden OWE BSS based on active scans for the SSID learned
from the open BSS. This would not have been sufficient for the initial
OWE design, but with the optimized scanning behavior from commit c04562e67edd ("OWE: Improve discovery of OWE transition mode AP"), this
can now depend on the exact same mechanism as other uses of hidden
SSIDs. This helps in keeping the D-Bus interface in sync with the BSS
parameters.
Signed-off-by: Andrzej Ostruszka <andrzejo@chromium.org>
Jouni Malinen [Wed, 8 Nov 2023 12:19:03 +0000 (14:19 +0200)]
OWE: Optimize transition mode scan to use known channels
If the currently available scan results include OWE transition mode BSS
with an unknown SSID, optimize the following scan for OWE to use only
the channels on which a known transition mode BSS has been seen.
This is needed to be able to remove the design that updates BSS entries
with the learned OWE SSID in manner that does not result in regression
to scanning latencies.
Jouni Malinen [Wed, 8 Nov 2023 09:56:03 +0000 (11:56 +0200)]
Use SSID from driver when finding the current BSS entry
The local network profile may not have matching SSID (it could be either
the wildcard 0-length SSID or visible SSID in case of OWE transition
mode), so check whether an exact match with a BSS entry can be made
using the current SSID information from the driver (i.e., the SSID of
the current association) when picking the BSS entry to use as the
current one for an association.
Ben Greear [Sat, 28 Oct 2023 23:24:35 +0000 (16:24 -0700)]
MLD: Support multiple TBTT Information fields in RNR elements
The Reduced Neighbor Report element can include one or more TBTT
Information fields. Only the first one was parsed previously. Extend
this to use a loop to go through all included TBTT Information fields.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Ben Greear [Sat, 28 Oct 2023 23:24:35 +0000 (16:24 -0700)]
MLD: Support multiple RNR elements
Beacon frames are allowed to optionally include one more more Reduced
Neighbor Report elements. Only the first one was parsed previously.
Extend this to use a loop to go through all included RNR elements.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Jouni Malinen [Tue, 7 Nov 2023 08:44:28 +0000 (10:44 +0200)]
MBSSID: Use DTIM Count 0 in the Beacon template for nontransmitted BSSID
The driver is expected to update the DTIM Count field for each BSS that
corresponds to a nontransmitted BSSID. Initialized this value to 0 in
the Beacon frame template so that the DTIM count would be somewhat
functional even if the driver were not to update this.
Chaitanya Tata [Mon, 6 Nov 2023 17:19:15 +0000 (22:49 +0530)]
dragonfly: Fix legendre symbol calculation failure handling
In case of low-memory conditions, the computation for legendre symbol
can fail and return -2 as per documentation, but the check for that
was missed here. And this can can cause an infinite loop searching for
qr and qnr if the error repeats for each attempt.
Break the loop if calculation fails, we can leave retry to the callers
or user. This is similar to the way allocation and generation of a new
random number was handled in this loop.
Currently the documentation for QCA_WLAN_VENDOR_ATTR_CONFIG_MLO_LINK_ID
indicates it is only for use inside nest attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_MLO_LINKS. Update the documentation to
allow it to be used outside that nest as well.
Signed-off-by: Mohan Prabu <quic_mprabub@quicinc.com>
Leverage the already available control socket cmd "DRIVER_FLAGS2" and
dump the driver capab "flags2" bitmask on triggering the new CLI CMD
"driver_flags2", similar to the already existing CLI CMD "driver_flags".
Set WPA_DRIVER_FLAGS2_SAE_OFFLOAD flag if the driver indicates SAE
authentication offload support for STA mode. Allow SAE password to be
provided to the driver in such cases when using the CONNECT command.
Ze Gan [Sun, 23 Apr 2023 16:50:09 +0000 (00:50 +0800)]
mka: Fix re-establishment by resetting MI
The key server may be removed due to the ingress packets delay. In this
situation, the endpoint of the key server may not be aware of this
participant who has removed the key server from the peer list. Because
the egress traffic is normal, the key server will not remove this
participant from the peer list of the key server. So in the next MKA
message, the key server will not dispatch a new SAK to this participant.
And this participant cannot be aware of that that is a new round of
communication so that it will not update its MI at re-adding the key
server to its peer list. So we need to update MI to avoid the failure of
re-establishment MKA session.
Ze Gan [Sun, 23 Apr 2023 16:50:46 +0000 (00:50 +0800)]
mka: Fix unexpected cleanup on missing MKA_LIFE_TIME while installing SC/SA
The key server may not include dist sak and use sak in one packet.
Meanwhile, after dist sak, the current participant (non-key server) will
install SC or SA(s) after decoding the dist sak which may take few
seconds in real physical platforms. Meanwhile, the peer expire time is
always initialized at adding the key server to peer list. The gap
between adding the key server to peer list and processing next use sak
packet may exceed the threshold of MKA_LIFE_TIME (6 s). It will cause an
unexpected cleanup (delete SC and SA(s)), so update the expire timeout
at dist sak also.
David Ruth [Tue, 4 Apr 2023 23:35:35 +0000 (23:35 +0000)]
Compile-time config for dynamically loading libraries in wpa_supplicant
Prevent loading arbitrary executable code based on config at runtime,
while allowing libraries to be specified at compile time when they are
known in advance.
Add the ability to configure libraries to load at compile time.
* CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
* CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
* CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.
Add flags with the ability to set each of the libraries to NULL and
prevent loading them at runtime.
* CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine
library.
* CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module
library.
* CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opensc_engine
library.
* CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading EAP libraries at
runtime.
projects / thirdparty / hostap.git / log
