It was possible for the BTM Request with no matching BSSIDs to cause
wpa_supplicant-initated roam to a better BSS (5 GHz band preferred) when
finding the second AP in a scan started by that BTM Request. This could
make the following step in the test case fail. Fix this by asking
another channel to be scanned to postpone discovery of the other AP.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to synchronize log entries in the kernel log
(seconds from boot) and wpa_supplicant/hostapd (UNIX timestamp).
Signed-off-by: Jouni Malinen <j@w1.fi>
Add NULL checking for EAP name. If it is NULL, do not add the phase2
parameter autheap. This should not happen in practice due to earlier
checks for credential matching, but if there is a code path that would
allow this to be set, it is better to skip setting of the invalid value
and allow automatic selection of the Phase 2 parameters.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit renames the vendor attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_DISABLE_OFFCHANNEL to
QCA_WLAN_VENDOR_ATTR_CONFIG_RESTRICT_OFFCHANNEL as intended by the
original commit d506c35efc ('Set Wi-Fi
Configuration attribute to restrict offchannel operations').
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit defines an attribute to
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION -
QCA_WLAN_VENDOR_ATTR_CONFIG_RESTRICT_OFFCHANNEL which can be used to
restrict offchannel operations on the AP/GO interface.
The goal is to restrict any operations which would cause the AP/GO to
leave its operating channel.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit adds changes to not generate ERP information if the domain
name is not specified in the EAP identity. keyName-NAI needs the realm
part and as such, it is reasonable to require the main EAP configuration
to provide that realm.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These test cases depend on ERP processing to reach the get_emsk handler
function. Since ERP really needs the realm to derive a proper
keyName-NAI, modify these test cases to pass the realm part in the
identity to allow error checking to be introduced for rejecting ERP
cases where the realm is not available.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Change in any network configuration at runtime will cause flush to
PMKSA cache. For most of the network parameters if there is no change
in value, PMKSA flush is not performed except 'bssid' and 'priority'.
Add 'bssid_hint' to exemption list of avoiding PMKSA flush on change.
This is needed to complete change in commit
43a356b268 ('Provide option to configure
BSSID hint for a network').
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 3e0272ca00 ('nl80211: Re-read MAC
address on RTM_NEWLINK') added the detection of external changes to MAC
address when the interface is brought up.
If the interface state is changed quickly enough, wpa_supplicant may
receive the netlink message for the !IFF_UP event when the interface
has already been brought up and would ignore the next netlink IFF_UP
message, missing the MAC change.
Fix this by also reloading the MAC address when a !IFF_UP event is
received with the interface up, because this implies that the
interface went down and up again, possibly changing the address.
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
This is to comply with uniform spreading requirement for ETSI domain
(section 4.7.2.7 in EN 301 893 - V1.8.1). ETSI uniform spreading
requires equal probability for the usable channels. The previous channel
selection logic after a radar detection did not fully comply with the
uniform spreading requirement for the domain by ignoring DFS channels.
Consider DFS channels also during channel selection when the current DFS
domain is ETSI.
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
Current DFS domain information of the driver can be used in ap/dfs
to comply with DFS domain specific requirements like uniform spreading
for ETSI domain.
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
This commit introduces the following two attributes to
QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH events:
QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_STATUS - Indicates the status of
re-association requested by user space
QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_RETAIN_CONNECTION - Indicates whether
the old association was maintained when a re-association
is requested by user space and that re-association attempt
fails (i.e., cannot connect to the requested BSS, but can
remain associated with the BSS with which the association was
in place when being requested to roam).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This exposes user configurable option to set bssid_hint for a network.
bssid_hint indicates which BSS has been found a suitable candidate for
initial association for drivers that use driver/firmware-based BSS
selection. Unlike the bssid parameter, bssid_hint does not limit the
driver from selecting other BSSs in the ESS.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit defines an attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_LISTEN_INTERVAL which allows the currently
used listen interval to be updated using
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION. This update applies
only during the association and is done without updating the AP about
the change.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous fix to the OCSP request construction ended up finally
moving from SHA-1 -based hash to SHA-256 for OCSP test cases. To
maintain coverage for SHA-1, add cloned versions of the two test cases
so that both SHA-256 and SHA-1 cases get covered.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Fix the openssl ocsp command line and check if it returns an error - so
that instead of having something unusable later we error out
immediately. Moving the -sha256 argument earlier fixes hash function use
for the OCSP request generation (the old version used SHA-1).
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Addition of remove_ies() handled the CONFIG_IEEE80211R dependency, but
missed the caller being within CONFIG_FILS as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When reducing the configuration for MACsec/MKA to the bare minimum, so
no EAP authentication, just MACsec/MKA SA use with preshared key/name,
the EAPOL engine is still needed to run the protocol for MKA. Without
any EAP authentication options the IEEE8021X_EAPOL option is not set,
resulting in a non-working Key Agreement Entity.
Therefore the CONFIG_MACSEC block needs to move up and set the
IEEE8021X_EAPOL option.
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
In some practical cases, it is useful to suppress joining to node in the
distance. The new field mesh_rssi_threshold could be used as RSSI
threshold for joining.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This needs to allow all 20 MHz channel numbers to be converted even
though the Annex E table lists only channel _center_ frequencies 50 and
114. Neighbor Report (see IEEE Std 802.11-2016, 9.4.2.37 Neighbor Report
element) uses Channel Number field with "last known primary channel of
the AP" which refers to the 20 MHz channel and not the channel center
frequency.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This patch adds "TDLSCancelChannelSwitch" dbus method on
"fi.w1.wpa_supplicant1.Interface" interface to disable channel switching
with a TDLS peer.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
This patch adds "TDLSChannelSwitch" dbus method on
"fi.w1.wpa_supplicant1.Interface" interface to enable channel switching
with a TDLS peer.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
Derive PMK-R0 and the relevant key names when using FILS authentication
for initial FT mobility domain association.
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive PMK-R0 and the relevant key names when using FILS authentication
for initial FT mobility domain association. Fill in the FT IEs in
(Re)Association Request frame for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends fils_pmk_to_ptk() to allow FILS-FT to be derived. The
callers do not yet use that capability; i.e., actual use will be added
in separate commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
The conditional gSTA and gAP (DH public keys) were not previously
included in Key-Auth derivation, but they are needed for the PFS case.
Signed-off-by: Jouni Malinen <j@w1.fi>
The conditional gSTA and gAP (DH public keys) were not previously
included in Key-Auth derivation, but they are needed for the PFS case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support to set ignore assoc disallow to the driver so that the
driver ignores assoc disallowed bit set by APs while connecting. This is
used by drivers that handle BSS selection and roaming internally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Enable use of FT RRB without configuring each other AP locally. Instead,
broadcast messages are exchanged to discover APs within the local
network.
When an R0KH or R1KH is discovered, it is cached for one day.
When a station uses an invalid or offline r0kh_id, requests are always
broadcast. In order to avoid this, if r0kh does not reply, a temporary
blacklist entry is added to r0kh_list.
To avoid blocking a valid r0kh when a non-existing pmk_r0_name is
requested, r0kh is required to always reply using a NAK. Resend requests
a few times to ensure blacklisting does not happen due to small packet
loss.
To free newly created stations later, the r*kh_list start pointer in
conf needs to be updateable from wpa_auth_ft.c, where only wconf is
accessed.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This adds a counter and adds sequence numbering to FT RRB packets. The
sequence number is checked against r0kh/r1kh sequence number cache.
Special attention is needed in case the remote AP reboots and thus loses
its state. I prefer it to recover automatically even without synchronized
clocks. Therefore an identifier called dom is generated randomly along the
initial sequence number. If the dom transmitted does not match or the
sequence number is not in the range currently expected, the sender is asked
for a fresh confirmation of its currently used sequence numbers. The packet
that triggered this is cached and processed again later.
Additionally, in order to ensure freshness, the remote AP includes an
timestamp with its messages. It is then verified that the received
messages are indeed fresh by comparing it to the older timestamps
received and the time elapsed since then. Therefore FT_RRB_TIMESTAMP is
no longer needed.
This assigns new OUI 00:13:74 vendor-specific subtype 0x0001 subtypes:
4 (SEQ_REQ) and 5 (SEQ_RESP).
This breaks backward compatibility, i.e., hostapd needs to be updated
on all APs at the same time to allow FT to remain functional.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This updates the AP-to-AP keys to the longer form and OOM test case
functions to match the new implementation.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher
to protect the messages.
This needs at least 32 byte long keys. These can be provided either
by a config file change or letting a KDF derive the 32 byte key used
from the 16 byte key given.
This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Replace the previously used extension of IEEE 802.11 managed Ethertype
89-0d (originally added for Remote Request/Response in IEEE 802.11r)
with Ethertype 88-b7 (OUI Extended EtherType) for FT inter-AP
communication. The new design uses a more properly assigned identifier
for the messages.
This assigns the OUI 00:13:74 vendor-specific subtype 0x0001 for the new
hostapd AP-to-AP communication purposes. Subtypes 1 (PULL), 2 (RESP),
and 3 (PUSH) are also assigned in this commit for the R0KH-R1KH
protocol.
This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>