The PMKSA_GET and PMKSA_ADD commands can now use an optional extra
parameter to fetch and add PMKSA cache entries with the FILS Cache
Identifier.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows PMKSA cache entries for FILS-enabled BSSs to be shared
within an ESS when the BSSs advertise the same FILS Cache Identifier
value.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ft_completed for FILS authentication case in
wpa_supplicant_event_assoc() depends on something having cleared
portValid so that setting it TRUE ends up authorizing the port. This
clearing part did not happen when using FILS authentication during a
reassociation within an ESS. Fix this by clearing portValid in
sme_send_authentication() just before the keys are cleared (i.e., the
old connection would not be usable anyway).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The RSN supplicant implementation needs to be updated to use the new
BSSID whenever doing FILS authentication. Previously, this was only done
when notifying association and that was too late for the case of
reassociation. Fix this by providing the new BSSID when calling
fils_process_auth(). This makes PTK derivation use the correct BSSID.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows PMKSA cache entries to be shared between all the BSSs
operated by the same hostapd process when those BSSs use the same FILS
Cache Identifier value.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The correct order of deleting a secure channel is to purge all the
secure associations in the channel before actually deleting the secure
channel.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
The RSN pre-authentication case ended up ignoring the initial
startPeriod value and delayed EAPOL-Start message by two seconds. Fix
this by forcing the first EAPOL-Start message to be sent when running
pre-authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds reason for timeout in event CTRL-EVENT-ASSOC-REJECT whenever
connection failure happens because of timeout. This extends the
"timeout" parameter in the event to include the reason, if available:
timeout=scan, timeout=auth, timeout=assoc.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response
frames. These elements are using vendor specific forms for now since the
IEEE 802.11ax draft is not yet finalized and the element contents is
subject to change.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Let mesh STA A be a STA which has config disable_ht=0 and disable_vht=1.
Let mesh STA B be a STA which has config disable_ht=0 and disable_vht=0.
The mesh STA A and B was connected.
Previously, the mesh STA A sent frame with VHT rate even though its VHT
was disabled. This commit fixes the issue by checking the local BSS VHT
configuration.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Let mesh STA A be a STA which has config disable_ht=1.
Let mesh STA B be a STA which has config disable_ht=0.
The mesh STA A and B was connected.
Previously, the mesh STA A sent frame with HT rate even though its HT
was disabled. This commit fixes the issue by checking the local BSS HT
configuration.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This function is called only from locations within ifdef
CONFIG_EAP_PROXY, so there is no need to try to cover the not-defined
case here and the function can simply be removed completely if
CONFIG_EAP_PROXY=y is not used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new "SET ric_ies <hexdump>" control interface command can now be
used to request wpa_supplicant to add the specified RIC elements into
Reassociation Request frame when using FT protocol. This is mainly for
testing purposes.
Signed-off-by: Jouni Malinen <j@w1.fi>
This debug print can include GTK and IGTK, so use wpa_hexdump_key()
instead of wpa_hexdump() for it to avoid undesired exposure of keys in
debug log.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While the FILS authentication cases were already using the proper PMK
length (48 octets instead of the old hardcoded 32 octet), the initial
association case had not yet been updated to cover the new FILS SHA384
AKM and ended up using only a 32-octet PMK. Fix that to use 48-octet PMK
when using FILS SHA384 AKM.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
sha384_prf() is used both with Suite B and FILS, so add CONFIG_FILS as
another alternative to building in this functionality.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is a copy of the internal HMAC-SHA256 implementation with the hash
block size and output length updated to match SHA384 parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
The output length was incorrect (32 from the copy-pasted SHA256
version). Fix this to return the correct number of octets (48) for
SHA384. This fixes incorrect key derivation in FILS when using the
SHA384-based AKM.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
HTTP response was previously sent as a plaintext without the HTTP header
on port 12345. By default Android webview/Chrome assumes plaintext as
HTTP/0.9 data. Android webview/Chrome has removed support of HTTP/0.9
request/response on non-standard ports, i.e., other than port 80. This
results in error while opening URL 'http://localhost:12345/'.
Fix this by prefixing the HTTP response with the HTTP/1.1 header.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously the peer operating channel preference was accepted if the
indicated frequency was listed in the local preference list from the
driver. This was assuming that the driver included only channels that
are currently enabled for GO operation. Since that might not be the
case, filter the local preference list by doing an explicit validation
of the indicated channels for P2P support.
This moves the similar validation steps from two other code paths in
p2p_check_pref_chan_recv() and p2p_check_pref_chan_no_recv() into a
common filtering step in p2p_check_pref_chan() for all three cases.
This avoids issues to start the GO in cases where the preferred
frequency list from the driver may include channels that are not
currently enabled for P2P GO use (e.g., 5 GHz band in world roaming
configuration).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This new P2P_SET parameter uses <op_class>:<channel> format and is used
mainly for testing purposes to allow overriding the value of the GO
Negotiation Response frame Operating Channel attribute.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This can be used to override driver get_pref_freq_list() operation for
more convenient testing of preferred frequency list functionality.
Override string format:
<if_type1>:<freq1>,<freq2>,... <if_type2>:...
if_type: 0=STATION, 2=AP, 3=P2P_GO, 4=P2P_CLIENT, 8=TDLS, 9=IBSS
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the est_throughput comparison was done only when SNR
difference was less than 5 dB. Since the throughput estimation take into
account SNR, this can be done in more cases. For now, add a conservative
2 dB more to the difference so that any SNR difference below 7 dB
results in BSS selection based on throughput estimates.
In addition, the throughput estimates require SNR values to be
available, so separate this from the 5 GHz preference that can be done
based on either SNR or qual values.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows throughput estimates and 5 GHz preference over 2.4 GHz band
to be used in more cases. The previously used value of 30 was
significantly more conservative than the SNR limits used for the highest
rate in scan_est_throughput() and this resulted in cases where 5 GHz AP
was ignored while SNR with it would have been close to reaching the
maximum TX rate.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, any potential (even if very unlikely) local operation error
was ignored. Now these will result in aborting the negotiation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The published P802.11ai version does not use CRC32 anymore, so remove
inclusion of crc32.o into wpa_supplicant and hostapd builds based on
CONFIG_FILS=y.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>