When the driver SME is used, offloaded RSN handshakes like SA Query, GTK
rekeying, FT authentication, etc. would fail if wpa_supplicant enables
OCV in initial connection based on configuration but the driver doesn't
support OCV. To avoid such failures check the driver's capability for
enabling OCV when the driver SME used.
This commit also adds a capability flag for indicating OCV support
by the driver.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Set conf.force_kdk_derivation within the same if block as all the other
parameters. This is used only if ssid is not NULL, so no need to have
any special handling for this parameter.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Enabling beacon protection will cause STA connection/AP setup failures
if the driver doesn't support beacon protection. To avoid this, check
the driver capability before enabling beacon protection.
This commit also adds a capability flag to indicate beacon protection
support in client mode only.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Prior to this patch, we failed to recreate bit-by-bit identical
copies of wpa_supplicant because it doesn't generate reproducible manpages.
Since the latest version(0.6.14-3 or new) of docbook-utils have already
support getting the date from sgml file [1], it is possible to make some
progress on the "reproducible builds" effort [2].
[1]: https://sources.debian.org/patches/docbook-utils/0.6.14-3
[2]: https://reproducible-builds.org
Signed-off-by: Hu Keping <hukeping@huawei.com>
It was not easily possible to separate configuration of an interface and
credentials when using the configuration file instead of the control
interface or D-Bus interface for setting up the network profiles. This
makes it hard to distribute configuration across a set of nodes which
use wpa_supplicant without also having to store credentials in the same
file. While this can be solved via scripting, having a native way to
achieve this would be preferable.
Turns out there already is a framework to have external password
storages. It only had a single "test" backend though, which is kind of
an in-memory store which gets initialized with all passwords up front
and is mainly for testing purposes. This isn't really suitable for the
above use case: the backend cannot be initialized as part of the central
configuration given that it needs the credentials, and we want to avoid
scripting.
This commit thus extends the infrastructure to implement a new backend,
which instead uses a simple configuration file containing key-value
pairs. The file follows the format which wpa_supplicant.conf(5) uses:
empty lines and comments are ignored, while passwords can be specified
with simple `password-name=password-value` assignments.
With this new backend, splitting up credentials and configuration
becomes trivial:
# /etc/wpa_supplicant/wpa_supplicant.conf
ext_password_backend=file:/etc/wpa_supplicant/psk.conf
network={
ssid="foobar"
psk=ext:foobar
}
# /etc/wpa_supplicant/psk.conf
foobar=ecdabff9c80632ec6fcffc4a8875e95d45cf93376d3b99da6881298853dc686b
Alternative approaches would be to support including other configuration
files in the main configuration, such that common configuration and
network declarations including credentials are split up into separate
files. But the implementation would probably have been more complex
compared to reusing the already-existing framework for external password
backends.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
The function wpa_config_get_line() is used by the wpa_supplicant config
file parser to retrieve the next non-comment non-blank line. We'll need
the same kind of functionality to implement the file-based external
password backend, so as a preparatory step this commit extracts the
function into its own standalone file in the utils package.
No functional changes are expected from this commit.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
Number of the P2P+NFC test cases have been failing every now and then
and those failures seemed to be because of having somehow managed to
select the GO's operating channel as HT40+ on the channel 11 in the 2.4
GHz band, i.e., something that is clearly incorrect. The P2P check for
HT40 secondary channel is supported only on the 5 GHz band, so drop HT40
configuration if it shows up unexpectedly on the 2.4 GHz band to avoid
issues in GO being able to start.
Signed-off-by: Jouni Malinen <j@w1.fi>
There's a chance that prior to config reload being requested a scan work
was started. As such forcing wpa_supplicant to WPA_DISCONNECTED was
removing any hints that the actual driver is busy with work. That led to
wpa_supplicant reporting "Failed to initialize AP scan" over and over
again for a few seconds (depending on driver/capabilities) until the
untracked scan finished.
Cancelling a scan isn't really a solution because there's a bunch of
scanning state bits sprinkled across wpa_supplicant structure and they
get updated as driver events actually flow in in async manner.
As far as I can tell this is only preventing unnecessary warning
messages. This doesn't seem like it was crippling any logic per se.
Signed-off-by: Michal Kazior <michal@plume.com>
The chirp scan could override the scan_res_handler. This could lead to
wpa_supplicant getting stuck in a scanning state while not scanning at
all until forced to, e.g., via an explicit SCAN control command.
The condition for trigerring this problem in my testing was when
(interface_count % 3) == 2. This introduced a two second delay before
actual scan was triggered after starting the wpa_supplicant instance up.
If DPP chirping was requested fast enough, in between the queueing and
triggering, it would punt the scan request, never to be resumed again.
Chirp scan handler wouldn't resume it leaving wpa_supplicant
inadvertently idle.
Signed-off-by: Michal Kazior <michal@plume.com>
Previously, the channel number was set in hostapd_freq_params only with
the presence of HT capabilities. Set the channel number before the check
for HT mode to accommodate the 6 GHz band cases.
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
hostapd was already exposing this. There's no reason not to expose it in
wpa_supplicant. This allows 3rd party apps interacting with the control
interface to handle DPP events to get configs instead of needing to
dance around with update_config=1 and SAVE_CONFIG.
Signed-off-by: Michal Kazior <michal@plume.com>
hostapd was already exposing this. There's no reason not to expose it in
wpa_supplicant. This allows 3rd party apps interacting with the control
interface to handle DPP events to get configs instead of needing to
dance around with update_config=1 and SAVE_CONFIG.
Signed-off-by: Michal Kazior <michal@plume.com>
The Authentication Request frames triggered by the reception of a
Presence Announcement frame were sent to the broadcast address. This is
not correct behavior since the source MAC address of the Presence
Announcement frame was supposed to override the Responder MAC address.
Fix this by using that source MAC address to avoid unnecessary use of
broadcast frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The static function is_chanwidth160_supported() is called only within
CONFIG_P2P block so the function itself needs to have matching condition
for build.
Fixes: ed24bad1d9 ("AP: Check driver support while auto-selecting bandwidth for AP/P2P GO")
Signed-off-by: Jouni Malinen <j@w1.fi>
Use more accurate INTERWORKING_EXCLUDED for this. The actual event
prefix is not changed to remains compatible with external components
using this control interface event message.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use a more specific name for the control interface command used for
managing the list of BSSIDs that are temporarily ignored.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rename the network profile parameters bssid_blacklist and
bssid_whitelist to bssid_ignore and bssid_accept to use more specific
names for the configuration of which BSSs are ignored/accepted during
BSS selection. The old parameter names are maintained as aliases for the
new names to avoid breaking compatibility with previously used
configurations.
Signed-off-by: Jouni Malinen <j@w1.fi>
For Android the default value of 5 seconds is usually too short for
scan results from last scan initiated from settings app to be
considered for fast-associate. Make the fast-associate timer value
configurable so that a suitable value can be set based on a systems
regular scan interval.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
wpa_supplicant does not send a D-Bus notification of the BSS frequency
change when a CSA happens. Sending a PropertyChanged signal with the
updated frequency will notify the network manager quickly, instead of
waiting for the next scan results.
Signed-off-by: Arowa Suliman <arowa@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Add option 2 to the p2p_device_random_mac_addr configuration option to
support device drivers which use by default random MAC adresses when
creating a new P2P Device interface (for instance, the BCM2711 80211
wireless device driver included in Raspberry Pi 4 Model B). In such
case, this option allows to create the P2P Device interface correctly
when using P2P permanent groups, enabling wpa_supplicant to reuse the
same MAC address when re-invoking a P2P permanent group.
update_config=1 is required.
Signed-off-by: Ircama <amacri@tiscali.it>
Use the helper instead of open-coding the check. Since the
helper doesn't handle a NULL BSS, keep that extra check.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The wpa_bss structure's last element is an empty array. The forgotten
code here assumed that the array of IEs was contiguous to the wpa_bss
structure. This is not always the case anymore. Update this missed case
to use the new wpa_bss_ie_ptr() wrapper to send the correct array of IEs
over DBus.
Fixes: be7ee264f6 ("BSS: Use wrapper function for getting a pointer to the IE buffer")
Signed-off-by: Brad Kemp <brad at beechwoods.com>
Currently, the external_scan_running flag is not reset when an interface
is removed. Thus, if a connection attempt is made on another iface, it
will fail due to wpa_supplicant incorrectly assuming the radio is still
busy due to the ongoing scan.
To fix this, convert external_scan_running to a pointer to the interface
that started the scan. If this interface is removed, also reset the
pointer to NULL so that other operations may continue on this radio.
Test:
1. Start scan on wlan0
2. Remove wlan0
3. Can connect to a network on wlan1
Signed-off-by: David Su <dysu@google.com>
Derive the KDK as part of PMK to PTK derivation if forced by
configuration or in case both the local station and the AP declare
support for secure LTF.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
IEEE P802.11az/D2.6 added definitions to include RSNXE in the PASN
negotiation. Implement the new functionality in both wpa_supplicant and
hostapd.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add support for PASN authentication with FT key derivation:
- As IEEE P802.11az/D2.6 states that wrapped data is optional and
is only needed for further validation of the FT security parameters,
do not include them in the first PASN frame.
- PASN with FT key derivation requires knowledge of the PMK-R1 and
PMK-R1-Name for the target AP. As the WPA state machine stores PMK-R1,
etc. only for the currently associated AP, store the mapping of
BSSID to R1KH-ID for each previous association, so the R1KH-ID
could be used to derive PMK-R1 and PMK-R1-Name. Do so instead
of storing the PMK-R1 to avoid maintaining keys that might not
be used.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
As the PASN FILS authentication is only defined for FILS SK without PFS,
and to support PASN authentication with FILS, implement the PASN with
FILS processing as part of the PASN handling and not as part of the WPA
state machine.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add PASN implementation to wpa_supplicant
1. Add functions to initialize and clear PASN data.
2. Add functions to construct PASN Authentication frames.
3. Add function to process PASN Authentication frame.
4. Add function to handle PASN frame TX status.
5. Implement the station side flow processing for PASN.
The implementation is missing support for wrapped data and PMKSA
establishment for base AKMs, and only supports PASN authentication or
base AKM with PMKSA caching.
The missing parts will be added in later patches.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
PASN requires to store the PTK derived during PASN authentication
so it can later be used for secure LTF etc. This is also true
for a PTK derived during regular connection.
Add an instance of a PTKSA cache for each wpa_supplicant
interface when PASN is enabled in build configuration.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
1. Add a function to derive the PTK from a PMK and additional data.
2. Add a function to calculate the MIC for a PASN frames.
3. Add a function to compute the hash of an authentication frame body.
The above are built only in case that CONFIG_PASN is enabled at build
time.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Extend the wpa_pmk_to_ptk() to also derive Key Derivation
Key (KDK), which can later be used for secure LTF measurements.
Update the wpa_supplicant and hostapd configuration and the
corresponding WPA and WPA Auth state machine, to allow enabling of KDK
derivation. For now, use a testing parameter to control whether KDK is
derived.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add support for new channels 173 and 177 in the operating classes 125 to
130 as defined in draft IEEE P802.11ax/D8.0.
Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
After sending DPP Auth Response, the Responder might not receive the
Auth Confirm either due to the Initiator not sending it or the reception
of the frame failing for some reason (e.g., Responder having already
left the negotiation channel). If this happens, following initiation
attempts would fail since the consecutive Auth Request would get
discarded since the previous authentication is still in progress.
Terminate DPP authentication on Responder, if no Auth Confirm is
received within one second of successfully sending Auth Response. This
allows the Responder to accept start of a new exchange.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 02c21c02d0 ("wpa_supplicant: Do not disconnect on deinit if
WoWLAN is enabled") prevents the disconnection on deinit if the driver
indicates that WoWLAN is enabled. This is not the expected behavior in
some earlier use cases where the wpa_supplicant process is left running
when going to sleep and killing of the wpa_supplicant process is used
only when there is an expectation of Wi-Fi connection being disabled.
To support the use cases which require the WLAN to disconnect on deinit
even if WoWLAN is enabled, introduce a configuration parameter
wowlan_disconnect_on_deinit. This is set to 0 by default thereby not
impacting the functionality in the above mentioned commit. Setting it to
1 restores the old behavior before the commit identified above.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Export a new 'suiteb192' capability to indicate that wpa_supplicant was
built with WPA-EAP-SUITE-B-192 support and accepts
'key_mgmt=WPA-EAP-SUITE-B-192'.
Signed-off-by: Antonio Cardace <acardace@redhat.com>
WPS_EVENT_OVERLAP case was missing on wpa_cli_action_process function in
wpa_cli.c, so when the overlap event occurs, there was no event message
sent to the action script. Add this event case to the function.
Signed-off-by: Berkay Ercan <berkay.ercan@airties.com>
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
When STA is performing roam from WPA3 AP to WPA2 AP, the STA was
including key mgmt FT-SAE instead of FT-PSK in FT Authentication request
RSNE when using driver-based SME. This is because the RSNE/MDE/FTE were
updated and forwarded to the driver using the NL80211_CMD_UPDATE_FT_IES
command before updating key mgmt properly. Because of this, the AP is
rejecting FT Authentication request with WLAN_REASON_UNSPECIFIED reason
code which is due to the invalid keymgmt in RSNE.
Fix this by reordering IE population to happen earlier in the sequence
so that the updated key mgmt information can be provided when using
NL80211_CMD_UPDATE_FT_IES.
Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
Add user configured vendor IEs for Probe Request frames to default scan
IEs so that these IEs will be included in the Probe Request frames for
the scans issued also by components other than wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Android has a mechanism to extend the driver interface in vendor
specific ways. This implementation of the vendor interface is done in
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB). Extend this to allow the vendor
events to be provided to this library to facilitate the event
processing.
Introduce a new board configuration via
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB_EVENT) rather than reusing
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB) to enable this event handling in the
private library. This is to avoid compilation issues for
wpa_driver_nl80211_driver_event() with the already existing private
library implementations defined with
$(BOARD_WPA_SUPPLICANT_PRIVATE_LIB).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When an external scan is in progress on the same radio, delay the P2P
search operation based on configuration parameter p2p_search_delay. The
"search_delay" configuration done through p2p_find always takes
precedence over this delay value set due to an external scan trigger.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a handler to notify failures to fetch the scan results and provide
an option to override default behavior of requesting a new scan in one
second in such an error condition. Use this new handler mechanism to
continue the p2p_find operation (by invoking p2p_scan_res_handled) for
an interim scenario where the p2p_scan attempt fails to get the scan
results from the driver which can happen, e.g., if there are parallel
updates to the cfg80211 scan results.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>