Previously, the credential to use for a connection with a specific BSS
was picked arbitrary based on first found match of each matching
mechanism. While the credential priorities were used elsewhere, this did
not take into account that different mechanisms could find multiple
matching credentials. As such, the highest priority credential was not
always used in case more than one credential matched with the selected
BSS. Fix this by checking credential priorities again during connection
request.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If scan results are available when we perform a SelectNetwork, use
them to make an associate decision. This can save an entire scan
interval-worth of time in situations where something external to
wpa_supplicant (like a connection manager) has just previously
requested a scan before calling SelectNetwork.
Signed-hostap: Paul Stewart <pstew@chromium.org>
The GAS query compilation callback may happen after the wpa_supplicant
process has been requested to terminate. Avoid scheduling a new eloop
timeout for a scan in such a case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Verify that the other BSS has actually received some valid ANQP
information before sharing the results from it. This fixes potential
issues with cases where some of the APs with the same HESSID has invalid
ANQP configuration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the driver rejected any of the offchannel Action frame TX requests,
the previous implementation terminated ANQP fetch process. While the
driver should not really reject the request normally, it is possible
that a request gets rejected for some reason. Allow the fetch process to
continue with the next AP in such case to avoid breaking networking
selection. This could result, e.g., in auto_interworking=1 process
failing to connect if any the driver rejects requests to any of the APs
in the scan result even if some other APs provided suitable information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the NAI Realm list indicates that EAP-PEAP is used, use EAP-MSCHAPv2
as the Phase 2 method by default if the NAI Realm list does not specify
the tunneled method.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit e99b4f3a14 added functionality to
check whether the current association is with the home SP. This commit
did not take into account that the domain name ANQP information could be
NULL and that could result to a NULL pointer dereference. Fix that by
validation that domain_names != NULL before calling
domain_name_list_contains().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new excluded_ssid parameter within a cred block can be used to
excluded networks from matching with credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the AP does not advertize EAP parameters, default to TTLS/MSCHAPv2
when using username/password credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the global pmf=1/2 parameter is used to enable PMF for Interworking
networks, add WPA-EAP-SHA256 to the temporary network block to allow
connection to PMF required APs.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows the ctrl_iface STATUS information to be used to determine
which Home SP credential (domain in the cred block) was used and whether
the network is operated by the home SP.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the credential that was used to create a temporary HS 2.0 network
block is removed, remove the network block, too.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When ANQP_GET or HS20_ANQP_GET is used to request ANQP information,
unshare the ANQP information (i.e., create a per-BSS copy of it) to
make sure the information from the specified BSS is available in case
the APs provide different information within HESSID.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the keystore:// prefix is used in the private_key entry, convert that
to the OpenSSL engine style configuration used for Android JB keystore.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If a connection operation is started on an interface based on scan
results, other virtual interfaces should not be information about the
results to avoid potential concurrent operations during the association
steps. Since the sibling notification of scan results received was added
as an optimization, skipping it for this type of cases is the simplest
way of avoiding unnecessary concurrent operations.
Signed-hostap: Jouni Malinen <j@w1.fi>
If two BSS entries have the same HESSID and SSID, share the fetched ANQP
information between these BSS entries to save memory and GAS/ANQP
operations.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The eap parameter in the cred block can now be used to override
automatic EAP-SIM/AKA/AKA' selection.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is an initial step in allowing the ANQP responses to be shared
among multiple BSSes if the BSSes are determined to be operating under
identical configuration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use configured credentials to figure out which ANQP information needs to
be fetched and only fetch those when using Interworking network
selection. The fetch_anqp command is still fetching all ANQP
information.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the scan results from before ANQP fetch are fresh (less than five
seconds old), do not run a new scan when selecting the BSS after having
used Interworking network selection.
Signed-hostap: Jouni Malinen <j@w1.fi>
auto_interworking=1 configuration parameter can be used to request
wpa_supplicant to use Interworking network selection automatically as a
part of the normal (non-Interworking) network selection if the scan
results do not match with enabled networks. This makes scanning work
similarly to the "interworking_select auto" command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new gas_request and gas_response_get commands can be used to request
arbitary GAS queries to be performed. These can be used with ANQP or
with other (including vendor specific) advertisement protocols.
gas_request <BSSID> <AdvProtoID> [Query]
gas_response_get <addr> <dialog token> [offset,length]
For example, ANQP query for Capability list in interactive wpa_cli
session:
> gas_request 02:00:00:00:01:00 00 000102000101
<3>GAS-RESPONSE-INFO addr=02:00:00:00:01:00 dialog_token=0
status_code=0 resp_len=32
> gas_response_get 02:00:00:00:01:00 00
01011c00010102010501070108010c01dddd0c00506f9a110200020304050607
> gas_response_get 02:00:00:00:01:00 00 0,10
01011c00010102010501
> gas_response_get 02:00:00:00:01:00 00 10,10
070108010c01dddd0c00
> gas_response_get 02:00:00:00:01:00 00 20,10
506f9a11020002030405
> gas_response_get 02:00:00:00:01:00 00 30,2
0607
It should be noted that the maximum length of the response buffer is
currently 4096 bytes which allows about 2000 bytes of the response data
to be fetched with a single gas_response_get command. If the response is
longer, it can be fetched in pieces as shown in the example above.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The NAI building routine assumed that the credential included the IMSI,
but that is not the case when using a real SIM card. Build the NAI based
on the IMSI read for the card in such a case.
Signed-hostap: Jouni Malinen <j@w1.fi>
The pos variable was not advanced when comparing PLMN entries in
3GPP Cellular Network information and as such, only the first
entry was really used.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Since we currently support only HS 2.0 networks with Interworking
network selection, do not indicate credential match unless the
network uses WPA2-Enterprise.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since we currently support only HS 2.0 networks with Interworking
network selection, enforce that WPA2-Enterprise/CCMP is used on the
AP instead of allowing any WPA-Enterprise combination.
Signed-hostap: Jouni Malinen <j@w1.fi>
When there was no credential match, but an enabled network block matched
with a scan result, wpa_supplicant reconnected at the end of
interworking_select command even if "auto" parameter was not used. Fix
this by running the reconnect only if requested to automatically select
a network.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, this was left to the default (WPA-EAP WPA-PSK) value which
could potentially result in unexpected behavior if an AP were to enable
both WPA2-Enterprise and WPA2-Personal in the same BSS. While this is
not really that likely for APs supporting Interworking, it is good to
get the PSK option removed to avoid any issues with missing
passphrase/PSK configuration parameter.
Signed-hostap: Jouni Malinen <j@w1.fi>
Each cred block can now be matched based on Roaming Consortium OI as an
alternative mechanism to using NAI Realm information. This may be
optimized for efficiency in the future since Roaming Consortium
information is available in scan results without having to go through
ANQP queries. In addition, this is easier to support in case there is a
large number of realms that can be used for authentication.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new cred block parameters eap, phase1, and phase2 can be used to
select which EAP method is used with network selection instead of using
the value specified in ANQP information (e.g., NAI Realm).
Signed-hostap: Jouni Malinen <j@w1.fi>
The nl80211 driver interface does not allow 128-bit WEP to be used
without a vendor specific cipher suite and no such suite is defined for
this purpose. Do not accept WEP key length 16 for nl80211 driver
interface forn ow. wext-interface can still try to use these for
backwards compatibility.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Do not try to associate with a network that has an invalid or incomplete
configuration because the association or at least data connection would
fail anyway. This commits adds a common function for checking whether a
network block is disabled to make it easier to check network blocks
without having to reject them during configuration file parsing (which
would prevent wpa_supplicant from starting). The only additional check
added in this commit is to verify the WEP key length. Similar checks for
other parameters can be added in future commits.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the username part in the credential does not include a realm,
generate one automatically based on the configured realm information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Make the connection change on Interworking network selection cases
clearer by forcing the previous association to be dropped before trying
to start a new one.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use separate mnc_len parameter instead of expecting the imsi parameter
to be in special MCC|MNC|-|<MSIN> format to make this function more
generic.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows Interworking network selection to be used with EAP-TLS
(client certificate/private key based credential).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 9914c96feb moved sizeof(nai) to a
helper function and broke the determination of maximum buffer length.
Fix this by moving the sizeof() to the functions that define the buffer.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, network block -based connection could have been used to
override ANQP-based selection. However, if no ANQP-based matches were
present, no connection was started. Fix this by trying to connect if
any enabled network block has a match in the BSS table.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows credentials to be set with a specific priority to allow
the automatic network selection behavior to be controlled with user
preferences. The priority values are configured to the network block
and BSS selection will select the network based on priorities from
both pre-configured network blocks and credentials.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This replaces the global home_* parameters with a list of credentials
that can be configured similarly to network blocks. For example:
cred={
realm="example.com"
username="user@example.com"
password="password"
ca_cert="/etc/wpa_supplicant/ca.pem"
domain="example.com"
}
cred={
imsi="310026-000000000"
milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
}
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>