In case of drivers that don't use wpa_supplicant as SME, autoscan
feature was never disabled.
Signed-off-by: Wiktor Drewniak <wiktor.drewniak@gmail.com>
For reassociation with the same AP wpa_supplicant attempts to use cached
PMKSA. For this purpose PMKID is passed in RSNE in (Re)Association
Request frame. In the case of SAE AP, open authentication shall be used
during reassociation. Otherwise cached PMKID becomes invalid after full
SAE authentication.
The previous implementation correctly handles SME-in-wpa_supplicant
cases. However SME-in-driver cases, complete SAE authentication is
performed. As a result, first reassociation attempt fails.
Fix SME-in-driver behavior by reseting authentication algorithm to
WPA_AUTH_ALG_OPEN when reassociating with SAE AP with an existing PMKSA
cache entry.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
When FILS authentication is used with ERP, no EAPOL frames are expected
after association. However, for drivers that set the
WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X capability flag, the EAP state
machine was not configured correctly and was waiting for EAPOL frames,
which leads to disconnection.
Fix this by reordering the if branches to set the EAPOL/EAP state
machines to success when FILS authentication was already completed.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Remove FT IEs clearing from sme_deinit() as it is done twice. The
sme_clear_on_disassoc() call to sme_update_ft_ies() takes care of this.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
SA Query wasn't stopped after disconnection, which could potentially
result in an unexpected SA timeout firing later when already connected
to another AP. Fix that by stopping SA Query when an association is
terminated.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
pending_p2ps_group flag is not always cleaned, which may later result
in an unexpected GO bring up, after PD response is transmitted in
wpas_prov_disc_resp_cb().
This can be seen when running the following hwsim tests together:
- p2ps_channel_sta_connected_disallow_freq_mcc
- p2ps_channel_active_go_and_station_different_mcc
Fix this by clearing pending_p2ps_group flag also when processing new
PD requests. In addition, set this flag only when really needed.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
If os_get_random() fails, llid must not be read/used since it could be
uninitialized. Handle that special case by clearing llid explicitly to 0
to continue iteration.
Fixes: 5f92659d88 ("mesh: Add mesh peering manager")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not use the buf argument to wpas_ctrl_iface_get_pref_freq_list() in
the debug print since it points to the response buffer ("OK\n" without
null termination). This was supposed to print the cmd argument instead.
The previous version ended up using uninitialized heap memory from the
response buffer.
Fixes: 983422088f ("nl80211: Add means to query preferred channels")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpas_p2p_completed() used wpa_sm_get_p2p_ip_addr() return value properly
for filling in the ip_addr[] string only if the IP addresses got
assigned, but the raw ip[] array was passed to
wpas_dbus_signal_p2p_group_started() regardless of whether the IP
addresses were assigned. This could result in using uninitialized stack
memory for constructing the GroupStarted signal values. Fix this by
filling those in only if the IP addressed are actually available.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The last beacon report indication was set in all the beacon report
elements in the last frame of the beacon report, while it should be
set only in the last beacon report element of the last frame.
Fixes: ecef0687dc ("RRM: Support for Last Beacon Report Indication subelement")
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Help the user be aware of the options to configure when
wpa_supplicant will remove a BSS due to expiration.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The external authentication command and event does not need to copy the
BSSID/SSID values into struct external_auth since those values are used
before returning from the call. Simplify this by using const u8 * to
external data instead of the array with a copy of the external data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These wpa_supplicant network profile parameters could be used to specify
a single match string that would be used against the dNSName items in
subjectAltName or CN. There may be use cases where more than one
alternative match string would be useful, so extend these to allow a
semicolon delimited list of values to be used (e.g.,
"example.org;example.com"). If any of the specified values matches any
of the dNSName/CN values in the server certificate, consider the
certificate as meeting this requirement.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In case of connection attempt failure, set 'normal_scans'
to zero, as otherwise it is possible that scheduled scan
would be used and not normal scan, which might delay the
next connection attempt.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Properly handle the case where OWE IE is allocated, but
there is no space left to add it in the WPA IE buffer.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
MBO attributes Non-preferred channel list and Cellular capabilities are
updated using WNM-Notification Request frame to the current connected
BSS. These same attributes need to be added in the (Re)Association
Request frame sent by the station when roaming, including the case where
the driver/firmware takes care of SME/MLME operations during roaming, so
we need to update the MBO IE to the driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Include the Non-preferred Channel Report attribute in (Re)Association
Request frames even when the MBO STA has no non-preferred channels in
any operating classes. In case of no non-preferred channels the
attribute length field shall be set to zero and the Operating Class,
Channel List, Preference and Reason Code fields shall not be included.
This indicates to the MBO AP that the MBO STA has no non-preferred
channels access all supported operating classes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Avoid duplicated code in each user of dpp_build_conf_req() by moving the
common encapsulation case into this helper function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not add duplicate Transaction Sequence and Status Code fields when
using test functionality to override SAE commit message.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
FT-SAE is considered stronger than FT-PSK, so prefer it over FT-PSK
similarly to how SAE is preferred over WPA-PSK.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it a bit easier to figure out why wpa_supplicant selects a
specific cipher/AKM for association.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If both of these AKMs are enabled in the wpa_supplicant network profile
and the target AP advertises support for both, prefer the FT version
over the non-FT version to allow FT to be used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, PMKSA cache entries were search for AKM=SAE and that did not
find an entry that was created with FT-SAE when trying to use FT-SAE
again. That resulted in having to use full SAE authentication instead of
the faster PMKSA caching alternative.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend the external authentication support to FT-SAE mode connections
also in addition to SAE mode connections.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If a network profile has both SAE and FT-SAE enabled, SAE was previously
picked (and used incorrectly as explained in the previous commit). This
is not ideal since use of FT protocol can speed up roaming within in
mobility domain. Reorder this checks so that FT-SAE is preferred over
SAE if both are enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not try to initialize FT reassociation if the selected AKM is for SAE
instead of FT-SAE when both of these are enabled in a network profile.
This fixes an issue with MDE being included in an (Re)Association
Request frame even when using a non-FT AKM (which is something that
results in hostapd rejecting the association).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Merge the practically copy-pasted implementations in wpa_supplicant and
hostapd into a single shared implementation in dpp.c for managing
configurator and boostrapping information. This avoid unnecessary code
duplication and provides a convenient location for adding new global DPP
data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use Diffie-Hellman key exchange to derivate additional material for
PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element
(defined in OWE RFC 8110) is used in association frames to exchange the
DH public keys. For backwards compatibility, ignore missing
request/response DH parameter and fall back to no PFS in such cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows devices supporting DPP protocol version 2 or newer to
provision networks that enable both the legacy (PSK/SAE) and DPP
credentials.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make both DPP and SAE code aware of the cases where the same network
profile is configured to enable both DPP and SAE. Prefer DPP over SAE in
such cases and start DPP/SAE exchanges based on what both the station
and the AP support.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Share a single parsing implementation for both hostapd and
wpa_supplicant to avoid code duplication. In addition, clean up the
implementation to be more easily extensible.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There was a race condition in a case where a new connection attempt was
scheduled as a pending radio work and that was followed by a DISCONNECT
command before the pending radio work is started. The pending radio work
would not have been deleted in that sequence and instead, it was
executed when the radio became available next. This could result in an
unexpected connection after an explicit request to disconnect.
Fix this by removing pending connect and sme-connect radio works on
disconnection request.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use this new message from Enrollee to Configurator to indicate result of
the config object provisioning if both devices support protocol version
2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"GET_CAPABILITY dpp" can now be used to determine which version number
of DPP is supported in the build.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_s->p2p_go_do_acs was not cleared during P2P group deletion and that
resulted in the case of no separate group interface continuing to assume
ACS was to be used for consecutive GO starts even if they tried to
specify a frequency. Fix this by explicitly clearing
wpa_s->p2p_go_do_acs during P2P group deletion and also clear this when
processing the P2P_GROUP_ADD if the parameters do not request ACS to be
used.
Fixes: 37ed3254de ("P2P: ACS offload for the autonomous GO")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is
used to control whether new functionality defined after the DPP
specification v1.0 is included. All such functionality are considered
experimental and subject to change without notice and as such, not
suitable for production use.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.
This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).
Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
mesh_rsn_auth_sae_sta() might fail, so verify that sta->sae got
allocated before dereferencing it for a PMKID check.
Signed-off-by: Jouni Malinen <j@w1.fi>
Acquire the new name, along with introspection. This is generally useful
for other daemons to integrate with wpa_supplicant, notably
NetworkManager.
Debian and Fedora (and likely any other distro that configured wireless
via NetworkManager) enable this.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
This drops support for the fi.epitest.hostap.WPASupplicant D-Bus name
along with the associated CONFIG_CTRL_IFACE_DBUS option. Nothing should
really be using this since 2010.
This is a just a straightforward removal. Perhaps the dbus_common.c and
dbus_new.c can be merged now. Also, the "_NEW" suffix of the config
option seems to make even less sense than it used to.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
WPS was already doing this if update_config=1 was set and DPP should be
consistent with that behavior. Update the configuration file if
update_config=1 and dpp_config_processing is set to 1 or 2.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new wpa_supplicant configuration parameter wps_cred_add_sae=1 can be
used to request wpa_supplicant to add SAE configuration whenever WPS is
used to provision WPA2-PSK credentials and the credential includes a
passphrase (instead of PSK). This can be used to enable WPA3-Personal
transition mode with both SAE and PSK enabled and also with PMF enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not start SAE authentication from scratch when the AP requests
anti-clogging token to be used. Instead, use the previously generated
PWE as-is if the retry is for the same AP and the same group. This saves
unnecessary processing on the station side in case the AP is under heavy
SAE authentiation load.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP
Group) from the default SAE groups in station mode since those groups
are not as strong as the mandatory group 19 (NIST P-256).
In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
I guess there's no reason anyone with capable hardware wouldn't want to
enable these. Debian and Fedora aleady do.
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>