IEEE P802.11-REVmd/D2.0, 9.4.2.20.7 (Beacon request) and 9.4.2.21.7
(Beacon report) add the Last Beacon Report Indication subelement to
Beacon Request and Beacon Report elements.
Add the Last Beacon Report Indication subelement to all Beacon Report
elements if the Beacon Request indicated that this subelement is
requested.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When the frame body subelement would cause the measurement report
element to exceed the maximum element size, the frame body subelement
used to be truncated. In addition, some elements were always truncated
in order to keep the reported frame body short (e.g. RSN IE).
Alternatively, IEEE P802.11-REVmd/D2.0, 9.4.2.21.7 extension to Beacon
reporting can be used: The frame body subelement is fragmented across
multiple beacon report elements, and the reported frame body fragment ID
subelement is added.
Use beacon report fragmentation instead of truncating the frame body
as this method gives the AP a more complete information about the
reported APs.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Make vendor specific information elements (VSIE) available in peer
properties, so that VSIE of a specific peer can be retrieved using
peer's object path.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:
"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."
An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.
It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
An AP might refuse to connect a STA if it has a low RSSI. In such case,
the AP informs the STA with the desired RSSI delta and a retry timeout.
Any subsequent association attempt with that AP (BSS) should be avoided,
unless the RSSI level improved by the desired delta or the timeout has
expired.
Defined in Wi-Fi Alliance Optimized Connectivity Experience technical
specification v1.0, section 3.14 (RSSI-based association rejection
information).
Signed-off-by: Beni Lev <beni.lev@intel.com>
When a dedicated P2P device interface is used, the
global->p2p_group_formation was not set in wpas_p2p_join_start() if no
separate group interface is used. This would cause that in case of a
failure in group formation, the cleaning of p2p_in_provisioning is done
on the wrong interface. Furthermore, P2P_CANCEL command could not be
used to stop such a group-join operation. Fix this by setting the
global->p2p_group_formation correctly in case that the group interface
is reusing wpa_s->parent.
Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
Try to make sure the driver channel list state is synchronized with
wpa_supplicant whenever explicitly clearing state (e.g., between hwsim
test cases).
Signed-off-by: Jouni Malinen <j@w1.fi>
Old code would just re-connect to a particular interface, even if user
had started wpa_cli with the '-g' option. Refactor global control
interface connection routine to allow it to be used in
wpa_cli_reconnect().
Signed-off-by: Ben Greear <greearb@candelatech.com>
If the CONFIG_CTRL_IFACE_DBUS_NEW is enabled but CONFIG_AP is
disabled the build fails. This is because dbus getters try to
access ap_iface member of wpa_supplicant struct which is defined
if and only if CONFIG_AP is enabled.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This can be used to allow 256-bit key hierarchy to be derived from
EAP-based authentication. For now, the MSK length is hardcoded to 128
bits, so the previous behavior is maintained.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add new configuration parameters macsec_replay_protect and
macsec_replay_window to allow user to set up MACsec replay protection
feature. Note that according to IEEE Std 802.1X-2010 replay protection
and delay protection are different features: replay protection is
related only to SecY and does not appear on MKA level while delay
protection is something that KaY can use to manage SecY state.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
The purpose of the Lowest Acceptable PN (lpn) parameters in the MACsec
SAK Use parameter set is to enforce delay protection. Per IEEE Std
802.1X-2010, Clause 9, "Each SecY uses MKA to communicate the lowest PN
used for transmission with the SAK within the last two seconds, allowing
receivers to bound transmission delays."
When encoding the SAK Use parameter set the KaY should set llpn and olpn
to the lowest PN transmitted by the latest SAK and oldest SAK (if
active) within the last two seconds. Because MKPDUs are transmitted
every 2 seconds (MKA_HELLO_TIME), the solution implemented here
calculates lpn based on the txsc->next_pn read during the previous MKPDU
transmit.
Upon receiving and decoding a SAK Use parameter set with delay
protection enabled, the KaY will update the SecY's lpn if the delay
protect lpn is greater than the SecY's current lpn (which is a product
of last PN received and replay protection and window size).
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for CKN:
"MKA places no restriction on the format of the CKN, save that it comprise
an integral number of octets, between 1 and 32 (inclusive), and that all
potential members of the CA use the same CKN. No further constraints are
placed on the CKNs used with PSKs, ..."
Hence do not require a 32 octet long CKN but instead allow a shorter CKN
to be configured.
This fixes interoperability with some Aruba switches, that do not accept
a 32 octet long CKN (only support shorter ones).
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
These do not really get truncated in practice, but it looks like some
newer compilers warn about the prints, so silence those by checking the
result and do something a bit more useful if the output would actually
get truncated.
Signed-off-by: Jouni Malinen <j@w1.fi>
Addi a readme file for users for on-boarding devices with Device
Provisioning Protocol (DPP).
Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
Make it possible to list connected stations in AP mode over D-Bus, along
with some of their properties: rx/tx packets, bytes, capabilities, etc.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Rebased by Julian Andres Klode <juliank@ubuntu.com> and updated to use
the new getter API.
Further modified by Andrej Shadura to not error out when not in AP mode
and to send separate StationAdded/StationRemoved signals instead of
changing signatures of existing StaAuthorized/StaDeauthorized signals.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
Properties argument specifies whether to add object's properties
or not, hence it doesn't need to be int.
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
Allow user to override STBC configuration for Rx and Tx spatial streams.
Add new configuration options to test for HT capability overrides.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Provide information about SAE AKM support in "GET_CAPABILITY key_mgmt"
for completeness. The "GET_CAPABILITY auth_alg" case is already
providing information about SAE support through user space SME.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The back-end support for DPP self configuration was already present in
hostapd and wpa_supplicant. However, the command to invoke DPP self
configuration was not available in hostapd_cli and wpa_cli. Add the
command "dpp_configurator_sign" in them.
Signed-off-by: Prasad, Jagadeesh <Jagadeesh_Prasad@comcast.com>
Make this command more convenient to use by not requiring two space
characters between the command and the first parameter.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Indicate whether the driver advertises support for Multi-BSS STA
functionality with "GET_CAPABILITY multibss" (returns "MULTIBSS-STA" if
supported).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Advertise vendor specific Multi-AP IE in (Re)Association Request frames
and process Multi-AP IE from (Re)Association Response frames if the user
enables Multi-AP fuctionality. If the (Re)Association Response frame
does not contain the Multi-AP IE, disassociate.
This adds a new configuration parameter 'multi_ap_backhaul_sta' to
enable/disable Multi-AP functionality.
Enable 4-address mode after association (if the Association Response
frame contains the Multi-AP IE). Also enable the bridge in that case.
This is necessary because wpa_supplicant only enables the bridge in
wpa_drv_if_add(), which only gets called when an interface is added
through the control interface, not when it is configured from the
command line.
Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Include and verify the OCI element in WNM-Sleep Exit Request and
Response frames. In case verification fails, the frame is silently
ignored.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Include and verify the OCI element in AMPE Open and Confirm frames. Note
that the OCI element is included even if the other STA didn't advertise
support of OCV. The OCI element is only required and verified if both
peers support OCV.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
This new wpa_supplicant control interface command can be used to
simplify testing SA Query with OCV.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
After the network changed to a new channel, perform an SA Query with the
AP after a random delay if OCV was negotiated for the association. This
is used to confirm that we are still operating on the real operating
channel of the network. This commit is adding only the station side
functionality for this, i.e., the AP behavior is not changed to
disconnect stations with OCV that do not go through SA Query.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Include an OCI element in SA Query Request and Response frames if OCV
has been negotiated.
On Linux, a kernel patch is needed to let clients correctly handle SA
Query Requests that contain an OCI element. Without this patch, the
kernel will reply to the SA Query Request itself, without verifying the
included OCI. Additionally, the SA Query Response sent by the kernel
will not include an OCI element. The correct operation of the AP does
not require a kernel patch.
Without the corresponding kernel patch, SA Query Requests sent by the
client are still valid, meaning they do include an OCI element.
Note that an AP does not require any kernel patches. In other words, SA
Query frames sent and received by the AP are properly handled, even
without a kernel patch.
As a result, the kernel patch is only required to make the client properly
process and respond to a SA Query Request from the AP. Without this
patch, the client will send a SA Query Response without an OCI element,
causing the AP to silently ignore the response and eventually disconnect
the client from the network if OCV has been negotiated to be used.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Set the OCV bit in RSN capabilities (RSNE) based on AP mode
configuration. Do the same for OSEN since it follows the RSNE field
definitions.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
APs and mesh peers use the VHT Operation element to advertise certain
channel properties (e.g., the bandwidth of the channel). Save this
information element so we can later access this information.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
This adds the necessary functions and callbacks to make the channel_info
driver API available to the supplicant state machine that implements the
4-way and group key handshake. This is needed for OCV.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
This adds driver API functions to get the current operating channel
parameters. This encompasses the center frequency, channel bandwidth,
frequency segment 1 index (for 80+80 channels), and so on.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
These two wpa_printf() calls with MSG_ERROR level could be reached when
connecting without (Re)Association Response frame elements being
available. That would be the case for wired connections and IBSS. Those
cases are not supposed to use WMM AC in the first place, so do not
confuse logs with ERROR messages in them for normal conditions.
Signed-off-by: Jouni Malinen <j@w1.fi>
key_mgmt=OWE did not have a config parameter writer and wpa_supplicant
was unable to save such a network profile correctly. Fix this by adding
the needed parameter writer.
Signed-off-by: Jouni Malinen <j@w1.fi>
In the existing code, there was no "DPP" string available to the DPP key
management type for configuration parser of wpa supplicant. When the
configuration is saved, the key management string was left out from the
config file. Fix this by adding support for writing key_mgmt=DPP option.
Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
The previous implementation did not check that we are associated with
the sender of the GAS response before checking for PMF status. This
could have accepted Venue URL when not in associated state. Fix this by
explicitly checking for association with the responder first.
This fixes an issue that was detected, e.g., with these hwsim test case
sequences:
gas_anqp_venue_url_pmf gas_anqp_venue_url
gas_prot_vs_not_prot gas_anqp_venue_url
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hotspot 2.0 Release 2 requires PMF to be negotiated, so enable this by
default in the network profiles created from cred blocks.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The HS 2.0 Indication element can be up to 9 octets in length, so add
two more octets to the minimum extra_ie buffer size for scanning.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hotspot 2.0 tech spec mandates mobile device to not indicate a release
number that is greater than the release number advertised by the AP. Add
this constraint to the HS 2.0 Indication element when adding this into
(Re)Association Request frame. The element in the Probe Request frame
continues to show the station's latest supported release number.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
