Commit graph

5305 commits

Author SHA1 Message Date
Jouni Malinen
663e190b72 SAE: Remove now unused password identifier argument from non-H2E case
IEEE Std 802.11-2020 mandates H2E to be used whenever an SAE password
identifier is used. While this was already covered in the
implementation, the sae_prepare_commit() function still included an
argument for specifying the password identifier since that was used in
an old test vector. Now that that test vector has been updated, there is
no more need for this argument anymore. Simplify the older non-H2E case
to not pass through a pointer to the (not really used) password
identifier.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-10 12:12:54 +03:00
Ilan Peer
79f87f4734 PASN: Change PASN flows to use SAE H2E only
Do so for both wpa_supplicant and hostapd. While this was not explicitly
required in IEEE P802.11az/D3.0, likely direction for the draft is to
start requiring use of H2E for all cases where SAE is used with PASN.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 12:12:22 +03:00
Ilan Peer
8c786e0687 PASN: Derive KDK only when required
When a PTK derivation is done as part of PASN authentication flow, a KDK
derivation should be done if and only if the higher layer protocol is
supported by both parties.

Fix the code accordingly, so KDK would be derived if and only if both
sides support Secure LTF.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 11:55:55 +03:00
Sunil Dutt
0bae161229 Set last_eapol_matches_bssid=1 on a roam+auth indication from driver
Commit 3ab35a6603 ("Extend EAPOL frames processing workaround for
roaming cases") added a work around to address the issue of EAPOL frame
reception after reassociation replied to with an incorrect destination
address (the BSSID of the old AP). This is due to association events and
EAPOL RX events being reordered for the roaming cases with drivers that
perform BSS selection internally.

This mechanism relies on the fact that the driver always forwards the
EAPOL handshake to wpa_supplicant after the roaming (sets
last_eapol_matches_bssid during the EAPOL processing and resets on the
assoc/reassoc indication).

The above approach does not address the case where the driver does the
EAPOL handshake on the roam, indicating the authorized status to
wpa_supplicant but also forwards the EAPOL handshake to wpa_supplicant
for few other roam attempts. This is because the flag
last_eapol_matches_bssid is not set with the roam+authorized event from
the driver. Thus, the next reorder of roam and EAPOL RX events would
miss this workaround.

Address this by setting last_eapol_matches_bssid=1 on a roam+authorized
event from the driver.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-09 21:51:46 +03:00
Jouni Malinen
2445e18b6f tests: assoc+auth driver event
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 13:33:40 +03:00
Jouni Malinen
00bec7b5be tests: IEEE 802.1X and FORCE_UNAUTH state
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-28 12:36:18 +03:00
Jouni Malinen
8ca330bd70 Flush pending control interface message for an interface to be removed
wpa_supplicant_ctrl_iface_deinit() was executed only if the
per-interface control interface initialization had been completed. This
is not the case if driver initialization fails and that could result in
leaving behind references to the freed wpa_s instance in a corner case
where control interface messages ended up getting queued.

Fix this by calling wpa_supplicant_ctrl_iface_deinit() in all cases to
cancel the potential eloop timeout for wpas_ctrl_msg_queue_timeout with
the reference to the wpa_s pointer. In addition, flush any pending
message from the global queue for this interface since such a message
cannot be of use after this and there is no need to leave them in the
queue until the global control interface gets deinitialized.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-26 00:21:18 +02:00
Jouni Malinen
354f87e2e3 MSCS: Fix MSCS Response frame Status field parsing
This is a 2 octet field, so need to use WPA_GET_LE16() here instead of
using only the first octet of the value.

Fixes: bbd3178af4 ("MSCS: Add support to process MSCS Response frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-23 00:42:06 +02:00
Jouni Malinen
37306a0042 PASN: Use a helper function to free radio work data
This is safer in avoiding memory leaks now that there is a dynamically
allocated member within the data struct.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 18:33:17 +02:00
Jouni Malinen
349e9eafbb PASN: Mark pubkey/comeback arguments constant for frame construction
These parameters are only copied to the frame, so mark them as constant.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 18:30:52 +02:00
Ilan Peer
67014b3f74 PASN: Add support for comeback flow to wpa_supplicant
Process the received comeback cookie and retry automatically if the AP
allows this. Otherwise, provide the cookie to upper layers to allow a
later attempt with the cookie.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-21 18:28:34 +02:00
Ilan Peer
eaeec4da2d PASN: Add support for deauthentication flow in station
The new wpa_supplicant control interface command "PASN_DEAUTH
bssid=<BSSID>" can now be used to flush the local PTKSA cache for the
specified BSS and to notify the AP to request it to drop its PTKSA as
well.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 22:49:28 +02:00
Ilan Peer
b866786338 PASN: For testing purposes allow to corrupt MIC
For testing purposes, add support for corrupting the MIC in PASN
Authentication frames for both wpa_supplicant and hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 17:19:12 +02:00
Ilan Peer
2efa60344e PASN: Encode the public key properly
When a public key is included in the PASN Parameters element, it should
be encoded using the RFC 5480 conventions, and thus the first octet of
the Ephemeral Public Key field should indicate whether the public key is
compressed and the actual key part starts from the second octet.

Fix the implementation to properly adhere to the convention
requirements for both wpa_supplicant and hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 12:31:31 +02:00
Ben Greear
a746393dcf TWT: Allow specifying Control field value in TWT Request
See IEEE P802.11ax/D8.0, Figure 9-687 (Control field format) for
details.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-12 10:53:02 +02:00
Andrei Otcheretianski
82a348eda4 wpa_supplicant: Don't process EAPOL frames while disconnecting
An EAPOL frame may be pending when wpa_supplicant requests to
deauthenticate. At this stage the EAP SM cache is already cleaned by
calling eapol_sm_invalidate_cached_session(). Since at this stage the
wpa_supplicant's state is still set to associated, the EAPOL frame is
processed and results in a crash due to NULL dereference.

This wasn't seen previously as nl80211 wouldn't process the
NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would
set the valid_handler to NULL. This behavior was changed in commit
ab89291928 exposing this race.

Fix it by ignoring EAPOL frames while the deauthentication is in
progress.

Fixes: ab89291928 ("nl80211: Use process_bss_event() for the nl_connect handler")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-03-12 09:57:23 +02:00
Stefan Paetow
e80e6a2f17 eapol_test: Add address family for IPv4 in Windows build
Add the address family when manually constructing IPv4 addresses in
eapol_test on Windows. Otherwise other functions, like hostapd_ip_txt()
in src/utils/ip_addr.c, that rely on addr->af being set fail miserably.
The non-Windows option uses hostapd_parse_ip_addr() which does this as
part of the helper function.

Signed-off-by: Stefan Paetow <oss@eons.net>
2021-03-12 09:49:20 +02:00
Ben Greear
7fd2f24962 TWT: Support sending TWT Setup and Teardown Action frames
This adds new control interface commands TWT_SETUP and TWT_TEARDOWN. For
now, these are only for testing purposes to be able to trigger
transmission of the TWT Action frames without configuring any local
behavior for TWT in the driver.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-07 22:07:37 +02:00
Matthew Wang
5ac977758d Reject authentication start during explicit roam requests
The roam D-Bus and ROAM control itnerface commands flip the reassociate
bit before calling wpa_supplicant_connect(). wpa_supplicant connect
eventually aborts ongoing scans (if any), which causes scan results to
be reported. Since the reassociate bit is set, this will trigger a
connection attempt based on the aborted scan's scan results and cancel
the initial connetion request. This often causes wpa_supplicant to
reassociate to the same AP it is currently associated to instead of the
explicitly requested roaming target.

Add a roam_in_progress flag to indicate that we're currently attempting
to roam via an explicitly request to a specific BSS so that we don't
initiate another connection attempt based on the possibly received scan
results from a scan that was in progress at the time the roam command
was received.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2021-03-06 10:59:05 +02:00
Jouni Malinen
40551a15c1 Fix a memory leak in WPS with ap_scan=2
The wpa_ie buffer is now allocated here and needs to be freed before
returning from the function.

Fixes: d2ba0d719e ("Move assoc param setting into a helper function")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:46:32 +02:00
Jouni Malinen
900adb3c9f FILS: Simplify code paths
Use a shared code path for freeing the wpa_ie buffer to avoid
unnecessary complexity with a separate return for the non-FILS case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:42:06 +02:00
Jouni Malinen
6035969e0e Fix dynamic EAP library building
Build eap_*.so into the wpa_supplicant similarly with the wpa_supplicant
binary and include the shared helper functions from additional files
into the builds. This got broken at some point with the build system
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 23:42:21 +02:00
Jouni Malinen
a826ff2d95 Ignore group-addressed SA Query frames
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:00 +02:00
Jimmy Chen
d314213f6c P2P: Pick a 5 GHz channel from more possible channels
For an autonomous P2P group on the 5 GHz band, a channel was picked only
from the operating class 115 which is not available in the EU region
anymore. As a result, an autonomous group creation would always fail in
this generic 5 GHz channel case.

There are more possible available channels for the 5 GHz currently.
Especially in the EU region, the operating class 115 channels are no
longer available, but SRD channels (the operating class 124) are
available. Allow them to be used here if they are marked as allowed for
P2P GO use.

In addition, iterate through all the potential options instead of just
checking the first randomly picked channel. Start this iteration from
random position to maintain some randomness in this process.

Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
2021-02-27 19:19:35 +02:00
Sreeramya Soratkal
50baf345b4 TDLS: Support TDLS operations in HE mode
Determine if the TDLS peer is HE capable based on HE Capability element
received in the TDLS Setup Response frame. Indicate the peer's HE
capabilities to the driver through sta_add().

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-02-26 20:16:48 +02:00
Jouni Malinen
f03580e319 Restore permanent MAC address on the FLUSH command
Clear previously used random MAC address on the FLUSH command if
mac_addr setting has been disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 17:22:37 +02:00
Jouni Malinen
976c3c161f DPP2: Accept Config Result before GAS response TX status
The TX event for the next frame in the sequence might be received before
the TX status for the final GAS response frame is processed. This used
to result in the Config Result getting discarded and the negotiation not
completing successfully on the Configurator side.

Accept the Config Result message as an indication of the final GAS
response frame having went through fine even if the TX status has not
yet been processed to avoid this issue from a potential race condition
on kernel events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 16:44:33 +02:00
Jouni Malinen
1ba8a315cd Avoid use of C++ keyword in a header file
Don't use 'protected' as the name of the variable in bss.h since this
might be used in control interfaces that use C++.

Fixes: 1c77f3d3f9 ("Indicate whether additional ANQP elements were protected")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 12:48:13 +02:00
Ilan Peer
85eb47e3a9 PASN: Correctly set RSNXE bits from STA
These defines are for the capability bit number, not the binary value
from the bit index. As such, need to use BIT() here to set the bitmap
appropriately.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:25:10 +02:00
Andrei Otcheretianski
be5f7f3746 wpa_supplicant: Fix potential memleak on an error path
extra_buf allocation was missed in one of the error cases.

Fixes: 170775232d ("ANQP: Add support to specify frequency in ANQP_GET command")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:18:45 +02:00
Veerendranath Jakkam
8f204f69ac Show OCV and beacon protection capabilities in control interface
Indicate local support for Operating Channel Validation (OCV) and beacon
protection.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
73ebd58fc8 STA: Check driver capability to enable OCV when driver SME is used
When the driver SME is used, offloaded RSN handshakes like SA Query, GTK
rekeying, FT authentication, etc. would fail if wpa_supplicant enables
OCV in initial connection based on configuration but the driver doesn't
support OCV. To avoid such failures check the driver's capability for
enabling OCV when the driver SME used.

This commit also adds a capability flag for indicating OCV support
by the driver.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Jouni Malinen
f3dfe42c7e Clean up RSN parameter setting for PASN
Set conf.force_kdk_derivation within the same if block as all the other
parameters. This is used only if ssid is not NULL, so no need to have
any special handling for this parameter.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
d36d4209fd Enable beacon protection only when driver indicates support
Enabling beacon protection will cause STA connection/AP setup failures
if the driver doesn't support beacon protection. To avoid this, check
the driver capability before enabling beacon protection.

This commit also adds a capability flag to indicate beacon protection
support in client mode only.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Hu Keping
9d99814e22 Update sgml to generate reproducible manpages
Prior to this patch, we failed to recreate bit-by-bit identical
copies of wpa_supplicant because it doesn't generate reproducible manpages.

Since the latest version(0.6.14-3 or new) of docbook-utils have already
support getting the date from sgml file [1], it is possible to make some
progress on the "reproducible builds" effort [2].

[1]: https://sources.debian.org/patches/docbook-utils/0.6.14-3
[2]: https://reproducible-builds.org

Signed-off-by: Hu Keping <hukeping@huawei.com>
2021-02-16 00:47:43 +02:00
Patrick Steinhardt
e680a51e94 ext_password: Implement new file-based backend
It was not easily possible to separate configuration of an interface and
credentials when using the configuration file instead of the control
interface or D-Bus interface for setting up the network profiles. This
makes it hard to distribute configuration across a set of nodes which
use wpa_supplicant without also having to store credentials in the same
file. While this can be solved via scripting, having a native way to
achieve this would be preferable.

Turns out there already is a framework to have external password
storages. It only had a single "test" backend though, which is kind of
an in-memory store which gets initialized with all passwords up front
and is mainly for testing purposes. This isn't really suitable for the
above use case: the backend cannot be initialized as part of the central
configuration given that it needs the credentials, and we want to avoid
scripting.

This commit thus extends the infrastructure to implement a new backend,
which instead uses a simple configuration file containing key-value
pairs. The file follows the format which wpa_supplicant.conf(5) uses:
empty lines and comments are ignored, while passwords can be specified
with simple `password-name=password-value` assignments.

With this new backend, splitting up credentials and configuration
becomes trivial:

    # /etc/wpa_supplicant/wpa_supplicant.conf
    ext_password_backend=file:/etc/wpa_supplicant/psk.conf

    network={
        ssid="foobar"
        psk=ext:foobar
    }

    # /etc/wpa_supplicant/psk.conf
    foobar=ecdabff9c80632ec6fcffc4a8875e95d45cf93376d3b99da6881298853dc686b

Alternative approaches would be to support including other configuration
files in the main configuration, such that common configuration and
network declarations including credentials are split up into separate
files. But the implementation would probably have been more complex
compared to reusing the already-existing framework for external password
backends.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2021-02-16 00:47:43 +02:00
Patrick Steinhardt
e9f449ba59 wpa_supplicant: Move wpa_config_get_line() into utils
The function wpa_config_get_line() is used by the wpa_supplicant config
file parser to retrieve the next non-comment non-blank line. We'll need
the same kind of functionality to implement the file-based external
password backend, so as a preparatory step this commit extracts the
function into its own standalone file in the utils package.

No functional changes are expected from this commit.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2021-02-16 00:47:43 +02:00
Jouni Malinen
6fb6264129 P2P: Clear unexpected HT40 configuration on 2.4 GHz band
Number of the P2P+NFC test cases have been failing every now and then
and those failures seemed to be because of having somehow managed to
select the GO's operating channel as HT40+ on the channel 11 in the 2.4
GHz band, i.e., something that is clearly incorrect. The P2P check for
HT40 secondary channel is supported only on the 5 GHz band, so drop HT40
configuration if it shows up unexpectedly on the 2.4 GHz band to avoid
issues in GO being able to start.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-14 19:32:23 +02:00
Michal Kazior
1b45b8d3f6 wpa_supplicant: Don't exit scanning state on config reload
There's a chance that prior to config reload being requested a scan work
was started. As such forcing wpa_supplicant to WPA_DISCONNECTED was
removing any hints that the actual driver is busy with work. That led to
wpa_supplicant reporting "Failed to initialize AP scan" over and over
again for a few seconds (depending on driver/capabilities) until the
untracked scan finished.

Cancelling a scan isn't really a solution because there's a bunch of
scanning state bits sprinkled across wpa_supplicant structure and they
get updated as driver events actually flow in in async manner.

As far as I can tell this is only preventing unnecessary warning
messages. This doesn't seem like it was crippling any logic per se.

Signed-off-by: Michal Kazior <michal@plume.com>
2021-02-13 23:12:38 +02:00
Michal Kazior
581df2d524 DPP2: Defer chirp scan if other scan is queued up
The chirp scan could override the scan_res_handler. This could lead to
wpa_supplicant getting stuck in a scanning state while not scanning at
all until forced to, e.g., via an explicit SCAN control command.

The condition for trigerring this problem in my testing was when
(interface_count % 3) == 2. This introduced a two second delay before
actual scan was triggered after starting the wpa_supplicant instance up.
If DPP chirping was requested fast enough, in between the queueing and
triggering, it would punt the scan request, never to be resumed again.
Chirp scan handler wouldn't resume it leaving wpa_supplicant
inadvertently idle.

Signed-off-by: Michal Kazior <michal@plume.com>
2021-02-13 23:12:07 +02:00
Pradeep Kumar Chitrapu
35756c02ea mesh: Assign channel in frequency params in all bands
Previously, the channel number was set in hostapd_freq_params only with
the presence of HT capabilities. Set the channel number before the check
for HT mode to accommodate the 6 GHz band cases.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-02-10 00:25:36 +02:00
Michal Kazior
7e823d4df2 DPP: Expose config object PSK/passphrase in wpa_supplicant
hostapd was already exposing this. There's no reason not to expose it in
wpa_supplicant. This allows 3rd party apps interacting with the control
interface to handle DPP events to get configs instead of needing to
dance around with update_config=1 and SAVE_CONFIG.

Signed-off-by: Michal Kazior <michal@plume.com>
2021-02-09 20:46:36 +02:00
Michal Kazior
1029f16a9f DPP: Expose config object AKM in wpa_supplicant control interface
hostapd was already exposing this. There's no reason not to expose it in
wpa_supplicant. This allows 3rd party apps interacting with the control
interface to handle DPP events to get configs instead of needing to
dance around with update_config=1 and SAVE_CONFIG.

Signed-off-by: Michal Kazior <michal@plume.com>
2021-02-09 20:45:15 +02:00
Jouni Malinen
ad59639ed8 DPP2: Fix Authentication Request destination in the chirping case
The Authentication Request frames triggered by the reception of a
Presence Announcement frame were sent to the broadcast address. This is
not correct behavior since the source MAC address of the Presence
Announcement frame was supposed to override the Responder MAC address.
Fix this by using that source MAC address to avoid unnecessary use of
broadcast frames.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-09 20:41:08 +02:00
Jouni Malinen
e781f7c860 Fix compiler warning on CONFIG_AP without CONFIG_P2P builds
The static function is_chanwidth160_supported() is called only within
CONFIG_P2P block so the function itself needs to have matching condition
for build.

Fixes: ed24bad1d9 ("AP: Check driver support while auto-selecting bandwidth for AP/P2P GO")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 19:12:24 +02:00
Jouni Malinen
4c9b16602d Update Visual Studio projects to match file renaming
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 18:21:04 +02:00
Jouni Malinen
48cfb52b7e Rename blacklist.[ch] to bssid_ignore.[ch]
This completes renaming of this functionality for a list of temporarily
ignored BSSIDs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 17:28:45 +02:00
Jouni Malinen
626fc0dcd0 Rename wpa_blacklist to wpa_bssid_ignore
This is more accurate name for this functionality of temporarily
ignoring BSSIDs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 17:28:45 +02:00
Jouni Malinen
b58ac90c38 Rename INTERWORKING_BLACKLISTED define
Use more accurate INTERWORKING_EXCLUDED for this. The actual event
prefix is not changed to remains compatible with external components
using this control interface event message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 16:43:54 +02:00
Jouni Malinen
72cd4293fb Rename the control interface BLACKLIST command to BSSID_IGNORE
Use a more specific name for the control interface command used for
managing the list of BSSIDs that are temporarily ignored.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 16:29:53 +02:00
Jouni Malinen
752b1c6081 Rename network profiles parameters for ignoring/accepted BSSIDs
Rename the network profile parameters bssid_blacklist and
bssid_whitelist to bssid_ignore and bssid_accept to use more specific
names for the configuration of which BSSs are ignored/accepted during
BSS selection. The old parameter names are maintained as aliases for the
new names to avoid breaking compatibility with previously used
configurations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-07 16:18:26 +02:00
Mikael Kanstrup
f7bbad5768 wpa_supplicant: Configurable fast-associate timer threshold
For Android the default value of 5 seconds is usually too short for
scan results from last scan initiated from settings app to be
considered for fast-associate. Make the fast-associate timer value
configurable so that a suitable value can be set based on a systems
regular scan interval.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
2021-02-06 16:56:30 +02:00
Arowa Suliman
b829b7003a wpa_supplicant: Notify freq change on CH_SWITCH
wpa_supplicant does not send a D-Bus notification of the BSS frequency
change when a CSA happens. Sending a PropertyChanged signal with the
updated frequency will notify the network manager quickly, instead of
waiting for the next scan results.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
2021-02-06 16:50:19 +02:00
Ircama
e79febb3f5 P2P: Adding option to manage device drivers creating random MAC addresses
Add option 2 to the p2p_device_random_mac_addr configuration option to
support device drivers which use by default random MAC adresses when
creating a new P2P Device interface (for instance, the BCM2711 80211
wireless device driver included in Raspberry Pi 4 Model B). In such
case, this option allows to create the P2P Device interface correctly
when using P2P permanent groups, enabling wpa_supplicant to reuse the
same MAC address when re-invoking a P2P permanent group.

update_config=1 is required.

Signed-off-by: Ircama <amacri@tiscali.it>
2021-02-06 13:40:29 +02:00
Jouni Malinen
8f557d2047 Make wpa_bss_ext_capab() handle NULL bss argument
This simplifies the callers that use wpa_s->current_bss (which could be
NULL).

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-06 12:09:30 +02:00
Johannes Berg
2cadb60abd robust_av: Use wpa_bss_ext_capab() helper
Use the helper instead of open-coding the check. Since the
helper doesn't handle a NULL BSS, keep that extra check.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2021-02-06 12:09:30 +02:00
Brad Kemp
2b916c9fd5 dbus: Fix IEs getter to use wpa_bss_ie_ptr()
The wpa_bss structure's last element is an empty array. The forgotten
code here assumed that the array of IEs was contiguous to the wpa_bss
structure. This is not always the case anymore. Update this missed case
to use the new wpa_bss_ie_ptr() wrapper to send the correct array of IEs
over DBus.

Fixes: be7ee264f6 ("BSS: Use wrapper function for getting a pointer to the IE buffer")
Signed-off-by: Brad Kemp <brad at beechwoods.com>
2021-02-06 11:41:09 +02:00
David Su
11355a122d Reset external_scan_running on interface deletion
Currently, the external_scan_running flag is not reset when an interface
is removed. Thus, if a connection attempt is made on another iface, it
will fail due to wpa_supplicant incorrectly assuming the radio is still
busy due to the ongoing scan.

To fix this, convert external_scan_running to a pointer to the interface
that started the scan. If this interface is removed, also reset the
pointer to NULL so that other operations may continue on this radio.

Test:
  1. Start scan on wlan0
  2. Remove wlan0
  3. Can connect to a network on wlan1

Signed-off-by: David Su <dysu@google.com>
2021-02-02 23:48:14 +02:00
Abinaya Kalaiselvan
df0bfe4759 mesh: Fix for leaving mesh
Avoid multiple execution of wpa_drv_leave_mesh().

Fixes: 0896c442dc ("mesh: Fix for mesh init/deinit")
Signed-off-by: Abinaya Kalaiselvan <akalaise@codeaurora.org>
2021-02-02 22:58:49 +02:00
Ilan Peer
dccb6cde03 WPA: Support deriving KDK based on capabilities
Derive the KDK as part of PMK to PTK derivation if forced by
configuration or in case both the local station and the AP declare
support for secure LTF.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 23:09:39 +02:00
Ilan Peer
9e7b980d65 PASN: Include RSNXE in the PASN negotiation
IEEE P802.11az/D2.6 added definitions to include RSNXE in the PASN
negotiation. Implement the new functionality in both wpa_supplicant and
hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 23:09:36 +02:00
Ilan Peer
5c65ad6c0b PASN: Support PASN with FT key derivation
Add support for PASN authentication with FT key derivation:

- As IEEE P802.11az/D2.6 states that wrapped data is optional and
  is only needed for further validation of the FT security parameters,
  do not include them in the first PASN frame.

- PASN with FT key derivation requires knowledge of the PMK-R1 and
  PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1,
  etc. only for the currently associated AP, store the mapping of
  BSSID to R1KH-ID for each previous association, so the R1KH-ID
  could be used to derive PMK-R1 and PMK-R1-Name. Do so instead
  of storing the PMK-R1 to avoid maintaining keys that might not
  be used.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-26 17:38:30 +02:00
Ilan Peer
8c6d2e2527 PASN: Support PASN with FILS key derivation
As the PASN FILS authentication is only defined for FILS SK without PFS,
and to support PASN authentication with FILS, implement the PASN with
FILS processing as part of the PASN handling and not as part of the WPA
state machine.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 20:27:14 +02:00
Ilan Peer
a93ec28d10 PASN: Support PASN with SAE key derivation
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 20:27:14 +02:00
Ilan Peer
ad338cfe58 ctrl_iface: Add support for PASN authentication
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 19:15:47 +02:00
Ilan Peer
363768c8ac PASN: Add support for PASN processing to wpa_supplicant
Add PASN implementation to wpa_supplicant

1. Add functions to initialize and clear PASN data.
2. Add functions to construct PASN Authentication frames.
3. Add function to process PASN Authentication frame.
4. Add function to handle PASN frame TX status.
5. Implement the station side flow processing for PASN.

The implementation is missing support for wrapped data and PMKSA
establishment for base AKMs, and only supports PASN authentication or
base AKM with PMKSA caching.

The missing parts will be added in later patches.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 19:15:44 +02:00
Ilan Peer
d70060f966 WPA: Add PTKSA cache to wpa_supplicant for PASN
PASN requires to store the PTK derived during PASN authentication
so it can later be used for secure LTF etc. This is also true
for a PTK derived during regular connection.

Add an instance of a PTKSA cache for each wpa_supplicant
interface when PASN is enabled in build configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
c6d1a33bb0 PASN: Add functions to compute PTK, MIC and hash
1. Add a function to derive the PTK from a PMK and additional data.
2. Add a function to calculate the MIC for a PASN frames.
3. Add a function to compute the hash of an authentication frame body.

The above are built only in case that CONFIG_PASN is enabled at build
time.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Ilan Peer
46c232eb76 WPA: Extend the wpa_pmk_to_ptk() function to also derive KDK
Extend the wpa_pmk_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.

Update the wpa_supplicant and hostapd configuration and the
corresponding WPA and WPA Auth state machine, to allow enabling of KDK
derivation. For now, use a testing parameter to control whether KDK is
derived.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 18:36:40 +02:00
Sreeramya Soratkal
833cdbe97d Add support for new 5 GHz channels 173 and 177
Add support for new channels 173 and 177 in the operating classes 125 to
130 as defined in draft IEEE P802.11ax/D8.0.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-01-22 19:18:10 +02:00
Purushottam Kushwaha
959af4f576 DPP: Abort authentication if no Auth Confirm is received within a second
After sending DPP Auth Response, the Responder might not receive the
Auth Confirm either due to the Initiator not sending it or the reception
of the frame failing for some reason (e.g., Responder having already
left the negotiation channel). If this happens, following initiation
attempts would fail since the consecutive Auth Request would get
discarded since the previous authentication is still in progress.

Terminate DPP authentication on Responder, if no Auth Confirm is
received within one second of successfully sending Auth Response. This
allows the Responder to accept start of a new exchange.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-01-22 19:18:10 +02:00
Sunil Dutt
62657365f8 Add a configuration to disconnect on deinit if WoWLAN is enabled
Commit 02c21c02d0 ("wpa_supplicant: Do not disconnect on deinit if
WoWLAN is enabled") prevents the disconnection on deinit if the driver
indicates that WoWLAN is enabled. This is not the expected behavior in
some earlier use cases where the wpa_supplicant process is left running
when going to sleep and killing of the wpa_supplicant process is used
only when there is an expectation of Wi-Fi connection being disabled.

To support the use cases which require the WLAN to disconnect on deinit
even if WoWLAN is enabled, introduce a configuration parameter
wowlan_disconnect_on_deinit. This is set to 0 by default thereby not
impacting the functionality in the above mentioned commit. Setting it to
1 restores the old behavior before the commit identified above.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-01-21 18:21:30 +02:00
Antonio Cardace
8f58972942 dbus: Export new 'suiteb192' capability
Export a new 'suiteb192' capability to indicate that wpa_supplicant was
built with WPA-EAP-SUITE-B-192 support and accepts
'key_mgmt=WPA-EAP-SUITE-B-192'.

Signed-off-by: Antonio Cardace <acardace@redhat.com>
2021-01-15 12:24:26 +02:00
Brian Norris
9cdcc88238 DBus: Add 'owe' to interface Capabilities
Signed-off-by: Brian Norris <briannorris@chromium.org>
2021-01-15 12:22:47 +02:00
Berkay Ercan
8e8406469e wpa_cli: Add WPS_EVENT_OVERLAP to action scripts
WPS_EVENT_OVERLAP case was missing on wpa_cli_action_process function in
wpa_cli.c, so when the overlap event occurs, there was no event message
sent to the action script. Add this event case to the function.

Signed-off-by: Berkay Ercan <berkay.ercan@airties.com>
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
2021-01-15 12:18:37 +02:00
Shiva Sankar Gajula
71718b628b FT: Update key mgmt properly in RSNE during roaming
When STA is performing roam from WPA3 AP to WPA2 AP, the STA was
including key mgmt FT-SAE instead of FT-PSK in FT Authentication request
RSNE when using driver-based SME. This is because the RSNE/MDE/FTE were
updated and forwarded to the driver using the NL80211_CMD_UPDATE_FT_IES
command before updating key mgmt properly. Because of this, the AP is
rejecting FT Authentication request with WLAN_REASON_UNSPECIFIED reason
code which is due to the invalid keymgmt in RSNE.

Fix this by reordering IE population to happen earlier in the sequence
so that the updated key mgmt information can be provided when using
NL80211_CMD_UPDATE_FT_IES.

Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
2021-01-15 12:10:10 +02:00
Vinita S. Maloo
ea77568d8f Add user configured vendor IEs to default scan IEs
Add user configured vendor IEs for Probe Request frames to default scan
IEs so that these IEs will be included in the Probe Request frames for
the scans issued also by components other than wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-01-15 11:45:13 +02:00
Sunil Dutt
b6947f01a1 Android: Pass the vendor events to $(BOARD_WPA_SUPPLICANT_PRIVATE_LIB)
Android has a mechanism to extend the driver interface in vendor
specific ways. This implementation of the vendor interface is done in
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB). Extend this to allow the vendor
events to be provided to this library to facilitate the event
processing.

Introduce a new board configuration via
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB_EVENT) rather than reusing
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB) to enable this event handling in the
private library. This is to avoid compilation issues for
wpa_driver_nl80211_driver_event() with the already existing private
library implementations defined with
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 23:22:56 +02:00
Purushottam Kushwaha
7b121af26a P2P: Delay P2P scan when an external scan is in progress
When an external scan is in progress on the same radio, delay the P2P
search operation based on configuration parameter p2p_search_delay. The
"search_delay" configuration done through p2p_find always takes
precedence over this delay value set due to an external scan trigger.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 23:22:51 +02:00
Sunil Dutt
f39d6aacbb P2P: Recover p2p_find operation in case of failure to fetch scan results
Add a handler to notify failures to fetch the scan results and provide
an option to override default behavior of requesting a new scan in one
second in such an error condition. Use this new handler mechanism to
continue the p2p_find operation (by invoking p2p_scan_res_handled) for
an interim scenario where the p2p_scan attempt fails to get the scan
results from the driver which can happen, e.g., if there are parallel
updates to the cfg80211 scan results.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 23:04:54 +02:00
Vamsi Krishna
084b3d2f8a Drop unexpected connection event while disconnected
If there is a disconnect command from wpa_supplicant immediately after
the driver sends a connection event to userspace but before that event
is received and processed by wpa_supplicant, wpa_supplicant processes
the disconnect command and a self-generated disconnected event first
followed by the connected event received from the driver. As a result
wpa_supplicant moves to the WPA_COMPLETED state.  Whereas the driver
processes the disconnect command received from wpa_supplicant after it
sends the connected event and moves to the disconnected state. Due to
this race between the disconnect command from wpa_supplicant and the
connected event from the driver, wpa_supplicant is moving to the
connected state though the driver is moving to the disconnected state
which results in abnormal functionality.

Ignore the connection event coming from the driver when wpa_supplicant
is not trying to connect after a disconnect command is issued but before
the next connect command is issued to fix the above mentioned race
condition.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-21 14:06:52 +02:00
Disha Das
b709bb40fd DPP2: Add DPP_CONTROLLER commands to hostapd_cli and wpa_cli
Add the DPP control interface DPP_CONTROLLER_START and
DPP_CONTROLLER_STOP commands to the CLIs.

Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-12-16 18:04:15 +02:00
Jouni Malinen
6ead8b897f Use bool for is_6ghz variables and functions
Replace the implicit boolean checks that used int variables with use of
a more explicit bool variable type.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-12-11 19:56:14 +02:00
Veerendranath Jakkam
7131fede34 Extend the setband support for 6 GHz and band combinations
Support possible band combinations of 2.4 GHz, 5 GHz, and 6 GHz with
QCA_WLAN_VENDOR_ATTR_SETBAND_MASK attribute. Ensure backwards
compatibility with old drivers that are using
QCA_WLAN_VENDOR_ATTR_SETBAND_VALUE attribute and supporting only 2.4 GHz
and 5 GHz bands.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-12-11 19:56:14 +02:00
Veerendranath Jakkam
2a37cda747 scan: Add a helper function to append supported freqs from a given band
This functionality was repeated for couple of times. Use a shared helper
function to avoid code duplication.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2020-12-11 16:47:43 +02:00
Avraham Stern
297050b460 nl80211: Report invalid signal and noise when info is unavailable
When the driver sends a CQM RSSI threshold event, wpa_supplicant queries
the driver for the signal and noise values. However, it is possible that
by that time the station has already disconnected from the AP, so these
values are no longer valid. In this case, indicate that these values are
invalid by setting them to WPA_INVALID_NOISE.

Previously a value of 0 would be reported, which may be confusing as
this is a valid value.

Since nl80211_get_link_signal() and nl80211_get_link_noise() already set
invalid values for a case of failure, just use the value set by these
functions even if they fail.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
2020-12-04 12:42:15 +02:00
Frederik Juul
f2a0101401 wpa_supplicant: Initial connection speedup
Add initial_freq_list to wpa_supplicant configuration. This option
allows wpa_supplicant to scan a smaller list of frequencies when it
starts. This in turn allows for a faster connection to an already known
network. This limit applies only for the initial scan operation and does
not restrict other channels from being used in consecutive scans.

Tests have shown this to reduce the amount of time for connecting to a
network from roughly 3 seconds to roughly 0.1 second.

Signed-off-by: Frederik Juul <frederik.juul@3shape.com>
2020-12-02 17:05:07 +02:00
Markus Theil
89ad24379d mesh: Move mesh frequency setting to its own function
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-12-01 00:44:38 +02:00
Markus Theil
7c2cad969a mesh: Fix DFS deinit/init
The hostapd DFS code deinitializes and initializes the AP interface, if
a clean channel switch is not possible. In this case the AP code paths
would deinit the driver, for example nl80211, without wpa_supplicant
code paths getting notice of this.

Therefore add callbacks for wpa_supplicant mesh methods, which are
called on init/deinit of the AP BSS. These callbacks are then used to
handle the reset in the mesh code.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-12-01 00:31:56 +02:00
Markus Theil
0896c442dc mesh: Fix for mesh init/deinit
Send mesh group started notification after join completion
callback is called.

Implement outstanding TODO, to leave the mesh network on deinit.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-12-01 00:23:15 +02:00
Markus Theil
06161d4f10 mesh: Fix mesh_oom test
Only change freq params, if ifmsh->freq is set initially, which only
happens if hostapd_get_hw_features in setup_interface2 succeeds.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-12-01 00:22:59 +02:00
Peter Oh
12ae3e3dba mesh: Inform kernel driver about DFS handler in userspace
The kernel requires indication of DFS handler residing in user space
(NL80211_ATTR_HANDLE_DFS) to enable DFS channels.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2020-12-01 00:14:07 +02:00
Peter Oh
a27faf2c9a mesh: Fix channel switch error during CAC
Mesh interface would have used its channel parameters that were
configured during initialization even after channel switch due to DFS
radar detection during CAC which could result in a channel switch error.
Fix the error by updating the channel parameters when channel has been
changed from the initial one.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2020-12-01 00:09:22 +02:00
Peter Oh
e3608040c4 mesh: Update ssid->frequency as pri/sec channels switch
ssid->frequency is one of the variables used to get the channel number
from a given frequency. Leaving it as unchanged when pri/sec channel
switch will cause picking up a wrong channel number after applying the
secondary channel offset for HT40 and leads to failing interface
bring-up.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2020-11-30 12:01:39 +02:00
Peter Oh
f1df4fbfc7 mesh: Use setup completion callback to complete mesh join
Mesh join function is the last function to be called during mesh join
process, but it's been called a bit earlier than it's supposed to be, so
that some mesh parameter values such as VHT capabilities were not
applied correct when mesh join is in process. Moreover, the current
design of mesh join that is called directly after mesh initialization
isn't suitable for DFS channels to use, since mesh join process should
be paused until DFS CAC is done and resumed after it's done.

The callback will be called by hostapd_setup_interface_complete_sync().
There is a possibility that completing mesh init fails, so add error
handling codes for that.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
2020-11-30 11:57:37 +02:00
Sreeramya Soratkal
ed24bad1d9 AP: Check driver support while auto-selecting bandwidth for AP/P2P GO
If the maximum operating channel width for AP/P2P GO is not specified,
it is auto-selected during configuration. While selecting the channel
width, if VHT is supported and 160 MHz channels are available, 160 MHz
channel width is preferred to 80 MHz.

During the selection of the channel width, the corresponding driver
capabilities were not checked. As a result, the AP/P2P GO configuration
was set to use the available 160 MHz channels even if the driver did not
have capability to support the 160 MHz channel width causing failure to
start the AP/P2P GO.

Fix this by checking the driver support for the 160 MHz channel width
while selecting the channel width for AP/P2P GO.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2020-11-23 20:45:31 +02:00
Jouni Malinen
1c77f3d3f9 Indicate whether additional ANQP elements were protected
Store information on whether extra ANQP elements were received using the
protection alternative (protected GAS during an association using PMF)
and make this available through the control interface BSS command.

For example:
anqp[277]=<hexdump>
protected-anqp-info[277]=1

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-23 20:32:26 +02:00
Jouni Malinen
454ebb504c BSS: Use variable length array for IEs at the end of struct wpa_bss
Replace the previously used design "(u8 *) (bss + 1)" with a variable
length array at the end of struct wpa_bss bss->ies[] in hopes of making
this easier to understand for static analyzers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:25:17 +02:00
Jouni Malinen
be7ee264f6 BSS: Use wrapper function for getting a pointer to the IE buffer
This makes it easier to change the internal struct wpa_bss design for
storing the variable length IE buffers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:21:56 +02:00
Jouni Malinen
95edd81441 BSS: Add wpa_bss_get_ie_ext() wrapper
This removes need from the callers to know the struct wpa_bss details
for the location of the memory area for storing the IEs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-11-16 16:00:21 +02:00