The simulated SIM/USIM case uses a separate milenage cred parameter, so
this cred password parameter was unused for this credential type.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit d28f4e44f1 optimized Interworking
network selection in a case where the operation is run while already
connected to the selected network by skipping the reconnection. However,
this did not take into account that a higher priority network may have
shown up in the new scan results.
Fix this by checking whether network selection based on the latest scan
results (the ones from the interworking_select operation) would result
in a network with higher priority being selected. If so, skip the
optimization and force normal network connection (which will select this
newly found higher priority network). This fixes cases where a
non-Hotspot 2.0 network with higher priority (e.g., home network) shows
up while connected to a Hotspot 2.0 network with lower priority.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Scan operation is not that reliable, so try couple of times if no
OSU provider matches are found during fetch_osu command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This new parameter can be used to configure credentials to mandate use
of OCSP stapling for AAA server authentication.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This new priority parameter can be used to specify priorities between
credentials provisioned by the same SP. cred->priority is checked first
and if it is same and the provisioning_sp parameter matches, the new
sp_priority is used to order the credentials. It should be noted that
the order of priorities is different (higher 'priority' value indicates
higher priority of the credential, while higher 'sp_priority' indicates
lower priority of the credential).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need to keep the separate local variable for tracking the
highest selected priority since we track a pointer to the selected
credential with that information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Move excluded SSID filtering step to the end of credential validation
process and return list of BSSes that would otherwise have matching
credentials, but have an excluded SSID. Automatic network selection will
not select such a network, but interworking_connect command can be used
to pick excluded networks.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new credential parameter req_conn_capab can be used to specify
restrictions on roaming networks providing connectivity for a set of
protocols/ports.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new credential parameter max_bss_load can be used to specify
restrictions on BSS Load in the home network.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new credential parameters min_{dl,ul}_bandwidth_{home,roaming} can
be used to specify restrictions on available backhaul bandwidth.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new provisioning_sp cred field can now be used to track which SP
provisioned the credential. This makes it easier to find the matching
PPS MO from the management tree (./Wi-Fi/<provisioning_sp>).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new wpa_cli fetch_osu command can be used to fetch information about
all OSU providers and write that to a text file with the icons in
separate files. cancel_osu_fetch command can be used to stop ongoing OSU
provider list fetch.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new roaming_partner parameter within a cred block can be used to
configure priorities for roaming partners.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, any network block could be used to select the BSS to connect
to when processing scan results after Interworking network selection.
This can result in somewhat unexpected network selection in cases where
credential preferences indicated that a specific network was selected,
but another network ended up getting used for the connection. While the
older networks continue to be valid, add special processing for this
initial post-interworking-connect case to get more consistent network
selection to match with the Interworking network selection result.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, only the last response data was kept in memory. This
increases that to hold up to two last responses to allow some more
parallel operations to be requested. In addition, the response data is
now freed as soon as the external program has fetched it.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to limit which channels are scanned using the specified
list of frequency ranges in the same format that the SCAN command uses.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no need to parse the IE buffer again to find the SSID of the
BSS since that information is already stored in struct wpa_bss.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If a BSS is disallowed temporarily with disallow_aps, the network
connection is going to fail. As such, there is not much point in
allowing Interworking network selection to try to connect with such BSS.
As such, do not consider disallowed networks for automatic network
selection and reject requests to connect to them through
INTERWORKING_CONNECT.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Do not add multiple network blocks for the same network from a single
credential. INTERWORKING_CONNECT used to generate a new network block
for each instance regardless of what network blocks have already been
configured. While this allows the connection to go through, it is not
efficient to leave behind potentially large number of network blocks
with the same contents (or worse, changed contents). Address this by
removing an older network block for the same credential before adding a
new one.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If we are already connected to the selected AP with a network block
that was created based on the selected credential, do not force a
reconnection or network block update.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Try to read the IMSI values through the eap_proxy layer for Interworking
functionality again if the value was not available at startup.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows sp_type={home,roaming,unknown} to be used to determine
network type with SIM-based credentials even if the domain name
parameter is not configured explicitly.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This was forgotten from the previous commit which allowed some cases to
trigger single-channel scan incorrectly if an optimized WPS scan had not
yet been completed at the time network selection was started.
Signed-hostap: Jouni Malinen <j@w1.fi>
Make sure special optimized scans (like WPS-single-channel or
sched_scan) do not get used during the network selection scan. This
could have been hit in cases where a previous operation has been stopped
in a state where special scan parameters were going to be used.
Signed-hostap: Jouni Malinen <j@w1.fi>
It would be possible to issue another GAS query when a previous one is
still in progress and this could result in conflicting offchannel
operations. Prevent that by delaying GAS query initiation until the
previous operation has been completed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use similar mechanism to CONFIG_PCSC=y case to set the IMSI and MNC
length for eap_proxy. This allows automatic 3GPP realm comparison
against the domain list.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new configuration parameter external_sim=<0/1> can now be used to
configure wpa_supplicant to use external SIM/USIM processing (e.g., GSM
authentication for EAP-SIM or UMTS authentication for EAP-AKA). The
requests and responses for such operations are sent over the ctrl_iface
CTRL-REQ-SIM and CTRL-RSP-SIM commands similarly to the existing
password query mechanism.
Changes to the EAP methods to use this new mechanism will be added in
separate commits.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows credentials to be limited from being used to connect to a
network unless the AP advertises a matching roaming consortium OI.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allow domain_suffix_match to be specified for a cred block and then
get this copied for the network blocks generated from this credential as
part of Interworking network selection.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Credentials can now be configured with more than one FQDN ('domain'
field in the cred block) to perform Domain Name List matching against
multiple home domains.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
3GPP TS 24.232 Annex A.3 allows network operator to advertise only two
digits of MNC even if MNC has three digits. Allow such matches in
network selection. In addition, allow three digit matches of MNC even if
MNC length was assumed to be two to avoid missing networks if MNC length
cannot be determined reliably. Remove the '-' separator from simulated
SIM/USIM cases to allow the new matching rules to work.
Fix the PLMN List information element parsing loop to use the length of
the PLMN List instead of the length of the full 3GPP Cellular Info to
avoid unexpected matches should a new element ever be added by 3GPP.
Finally, add more debug prints from PLMN matching to make the logs
easier to understand.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There are quite a few places in the current implementation where a nul
terminated string is generated from binary data. Add a helper function
to simplify the code a bit.
Signed-hostap: Jouni Malinen <j@w1.fi>
There may be cases where multiple BSS entries for a single BSSID are in
the table. This is mostly in automated test cases due to the AP
configuration changes, but something similar could potentially happen as
a corner case in more realistic networks, too, e.g., when an AP changes
its operating channel. Make network selection more robust by trying to
find the exact BSS entry instead of any BSS entry with a matching BSSID
when storing GAS/ANQP response.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, the credential to use for a connection with a specific BSS
was picked arbitrary based on first found match of each matching
mechanism. While the credential priorities were used elsewhere, this did
not take into account that different mechanisms could find multiple
matching credentials. As such, the highest priority credential was not
always used in case more than one credential matched with the selected
BSS. Fix this by checking credential priorities again during connection
request.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If scan results are available when we perform a SelectNetwork, use
them to make an associate decision. This can save an entire scan
interval-worth of time in situations where something external to
wpa_supplicant (like a connection manager) has just previously
requested a scan before calling SelectNetwork.
Signed-hostap: Paul Stewart <pstew@chromium.org>
The GAS query compilation callback may happen after the wpa_supplicant
process has been requested to terminate. Avoid scheduling a new eloop
timeout for a scan in such a case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Verify that the other BSS has actually received some valid ANQP
information before sharing the results from it. This fixes potential
issues with cases where some of the APs with the same HESSID has invalid
ANQP configuration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the driver rejected any of the offchannel Action frame TX requests,
the previous implementation terminated ANQP fetch process. While the
driver should not really reject the request normally, it is possible
that a request gets rejected for some reason. Allow the fetch process to
continue with the next AP in such case to avoid breaking networking
selection. This could result, e.g., in auto_interworking=1 process
failing to connect if any the driver rejects requests to any of the APs
in the scan result even if some other APs provided suitable information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the NAI Realm list indicates that EAP-PEAP is used, use EAP-MSCHAPv2
as the Phase 2 method by default if the NAI Realm list does not specify
the tunneled method.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit e99b4f3a14 added functionality to
check whether the current association is with the home SP. This commit
did not take into account that the domain name ANQP information could be
NULL and that could result to a NULL pointer dereference. Fix that by
validation that domain_names != NULL before calling
domain_name_list_contains().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new excluded_ssid parameter within a cred block can be used to
excluded networks from matching with credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the AP does not advertize EAP parameters, default to TTLS/MSCHAPv2
when using username/password credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>