Now that hostapd wpa_psk_file has a new tag for identifying PSKs that
can be used with WPS, add that tag to new entries for PSKs from WPS.
This makes it clearer where the PSK came from and in addition, this
allows the same PSK to be assigned if the same Enrollee goes through WPS
provisioning again.
Signed-off-by: Jouni Malinen <j@w1.fi>
By default, when configuration file set wpa_psk_file, hostapd generated
a random PSK for each Enrollee provisioned using WPS and appended that
PSK to wpa_psk_file.
Changes that behavior by adding a new step. WPS will first try to use a
PSK from wpa_psk_file. It will only try PSKs with wps=1 tag.
Additionally it'll try to match enrollee's MAC address (if provided). If
it fails to find an appropriate PSK, it falls back to generating a new
PSK.
Signed-off-by: Tomasz Jankowski <tomasz.jankowski@plume.com>
In the function owe_assoc_req_process(), values assigned to the reason
argument imply that it should be renamed to status. Rename 'reason' to
'status' and modify the uses of owe_assoc_req_process() accordingly.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
This commit adds new attributes for getting the Probe Response frame
IEs, Beacon frame IEs and the disconnection reason codes through
get_sta_info vendor command.
The host driver shall give this driver specific reason code through
the disconnection reason code attribute
QCA_WLAN_VENDOR_ATTR_GET_STA_DRIVER_DISCONNECT_REASON.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This acts as an event from the host driver to the user space to notify
the driver specific reason for a disconnection. The host driver
initiates the disconnection for various scenarios (beacon miss, Tx
Failures, gateway unreachability, etc.) and the reason codes from
cfg80211_disconnected() do not carry these driver specific reason codes.
Host drivers should trigger this event immediately prior to triggering
cfg80211_disconnected() to allow the user space to correlate the driver
specific reason code with the disconnect indication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This acts as a vendor event and is used to update the information
of a station from the driver to userspace.
Add an attribute for the driver to update the channels scanned in
the last connect/roam attempt.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some of the operating classes added in the 6 GHz band have a larger
number of channels included in them (e.g., operating class 131 has 59
channels). Increase the maximum number of channels per operating class
so that all channels will get populated.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This attribute aims to configure the STA to send the Beacon Report
Response with failure reason for the scenarios where the Beacon Report
Request cannot be handled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This ugly hack for being able to search for optional arguments with
space before them was quite inconvenient and unexpected. Clean this up
by handling this mess internally with a memory allocation and string
duplication if needed so that the users of wpa_supplicant control
interface do not need to care about such details.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
As qca_vendor.h alone can be included by other applications, define
macro BIT() in qca_vendor.h itself if not yet defined, e.g., by
including utils/common.h before qca_vendor.h.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wlantest build did not define build options to determine key management
values for SAE, OWE, and DPP. Add those and the needed SHA512 functions
to be able to decrypt sniffer captures with PMK available from an
external source.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
(Re)Association Response frames should include radio measurement
capabilities in order to let stations know if they can, e.g., use
neighbor requests.
I tested this commit with a Samsung S8, which does not send neighbor
requests without this commit and sends them afterwards.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
A driver supports FT if it either supports SME or the
NL80211_CMD_UPDATE_FT_IES command. When selecting AKM suites,
wpa_supplicant currently doesn't take into account whether or not either
of those conditions are met. This can cause association failures, e.g.,
when an AP supports both WPA-EAP and FT-EAP but the driver doesn't
support FT (wpa_supplicant will decide to do FT-EAP since it is unaware
the driver doesn't support it). This change allows an FT suite to be
selected only when the driver also supports FT.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was not supposed to set the constructed bit in the header. Fix this
to avoid parsing issues with other ASN.1 DER parsers.
Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make Configurator provisioning require explicit conf parameter enabling
similarly to the previously used conf=ap-* and conf=sta-* cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This avoids unexpected behavior if GAS query fails and the Config
Response does not get processed at all. Previously, this could result in
configuration being assumed to be successful instead of failure when
Config Response object was not received at all. That could result in
undesired Config Result frame transmission with DPP Rel 2 and not
clearing the ongoing DPP session.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, unexpected Authentication Confirm messages were ignored in
cases where no Authentication Confirm message was expected at all, but
if this message was received twice in a state where it was expected, the
duplicated version was also processed. This resulted in unexpected
behavior when authentication result was processed multiple times (e.g.,
two instances of GAS client could have been started).
Fix this by checking auth->waiting_auth_conf before processing
Authetication Confirm. That boolean was already tracked, but it was used
only for other purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Only one peer-commit-scalar value was stored for a specific STA (i.e.,
one per MAC address) and that value got replaced when the next SAE
Authentication exchange was started. This ended up breaking the check
against re-use of peer-commit-scalar from an Accepted instance when
anti-clogging token was requested. The first SAE commit message (the one
without anti-clogging token) ended up overwriting the cached
peer-commit-scalar value while leaving that instance in Accepted state.
The second SAE commit message (with anti-clogging token) added ended up
getting rejected if it used the same value again (and re-use is expected
in this particular case where the value was not used in Accepted
instance).
Fix this by using a separate pointer for storing the peer-commit-scalar
value that was used in an Accepted instance. There is no need to
allocate memory for two values, i.e., it is sufficient to maintain
separate pointers to the value and move the stored value to the special
Accepted state pointer when moving to the Accepted state.
This fixes issues where a peer STA ends up running back-to-back SAE
authentication within couple of seconds, i.e., without hostapd timing
out the STA entry for a case where anti-clogging token is required.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, hostapd ignored the secondary channel provided by ACS if
both HT40+ and HT40- are set in hostapd.conf. This change selects such
channel for HT40 if it's valid, which is more reasonable.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The internal WMM AC parameters use just the exponent of the CW value,
while nl80211 reports the full CW value. This led to completely bogus
CWmin/CWmax values in the WMM IE when a regulatory limit was present.
Fix this by converting the value to the exponent before passing it on.
Fixes: 636c02c6e9 ("nl80211: Add regulatory wmm_limit to hostapd_channel_data")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
nl80211 uses a different queue mapping from hostap, so AC indexes need
to be converted.
Fixes: 636c02c6e9 ("nl80211: Add regulatory wmm_limit to hostapd_channel_data")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The size of a single route(4) message cannot be derived from
either the size of the AF_INET or AF_INET6 routing tables.
Both could be empty or very large.
As such revert back to a buffer size of 2048 which mirrors
other programs which parse the routing socket.
Signed-off-by: Roy Marples <roy@marples.name>
Now that both hostapd and wpa_supplicant react to interface flag
changes, there is no need to set or remove IFF_UP.
It should be an administrative flag only.
Signed-off-by: Roy Marples <roy@marples.name>
There is little point in having both and it brings interface
addition/removal and IFF_UP notifications to hostapd.
Signed-off-by: Roy Marples <roy@marples.name>
When external authentication is used, the station send mlme frame (auth)
to the driver may not be able to get the frequency (bss->freq) after
hostap.git commit b6f8b5a9 ("nl80211: Update freq only when CSA
completes"). Use the assoc_freq to send the MLME frame when SAE external
authentication is used to avoid this issue.
Signed-off-by: Ouden <Ouden.Biz@gmail.com>
This commit introduces additional stats to query through
QCA_NL80211_VENDOR_SUBCMD_UPDATE_STA_INFO.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds support for generating an encrypted backup of the local
Configurator information for the purpose of enrolling a new
Configurator. This includes all ASN.1 construction and data encryption,
but the configuration and connector template values in
dpp_build_conf_params() are not yet complete.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process the received DPPEnvelopedData when going through Configurator
provisioning as the Enrollee (the new Configurator). This parses the
message, derives the needed keys, and decrypts the Configurator
parameters. This commit stores the received information in
auth->conf_key_pkg, but the actually use of that information to create a
new Configurator instance will be handled in a separate commit.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
