The new wpa_supplicant control interface parameter rsne_override_eapol
can be used similarly to the earlier rsnxe_override_eapol to override
the RSNE value added into EAPOL-Key msg 2/4.
Signed-off-by: Jouni Malinen <j@w1.fi>
Split multi_ap_process_assoc_resp() to set 4-address mode after network
selection. Previously, wpa_s->current_ssid might have been NULL in some
cases and that would have resulted in 4-address mode not getting enabled
properly.
Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
It is possible for the hidden OWE BSS to be found based on SSID-specific
scan (e.g., from the special OWE scan mechanism). In that sequence, the
previously used learning of OWE BSS was skipped since the SSID was
already present in the BSS entry. This could result in not being able to
find a matching BSS entry for the OWE BSS in transition mode.
Fix this by adding the BSS flag for transition mode based on SSID
matching against currently enabled OWE network profiles in addition to
the previous mechanism.
Signed-off-by: Jouni Malinen <j@w1.fi>
The "unexpected" change of SSID between the current network profile
(which uses the SSID from the open BSS in OWE transition mode) and the
association with the OWE BSS (which uses a random, hidden SSID) resulted
in wpa_supplicant incorrectly determining that this was a
driver-initiated BSS selection ("Driver-initiated BSS selection changed
the SSID to <the random SSID from OWE BSS>" in debug log).
This ended up with updating security parameters based on the network
profile inwpa_supplicant_set_suites() instead of using the already
discovered information from scan results. In particular, this cleared
the RSN supplicant state machine information of AP RSNE and resulted in
having to fetch the scan results for the current BSS when processing
EAPOL-Key msg 3/4.
Fix this by recognizing the special case for OWE transition mode where
the SSID for the associated AP does not actually match the SSID in the
network profile.
Signed-off-by: Jouni Malinen <j@w1.fi>
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
connection_vht flag was set to true when both Association Request and
Response frame IEs have VHT capability. Thus all devices that have
support for the vendor specific partial VHT support in the 2.4 GHz band
were also being reported as VHT capable. However, IEEE Std 802.11ac-2013
defines VHT STA to operate in frequency bands below 6 GHz excluding the
2.4 GHz band.
Do not set connection_vht when the operating band is 2.4 GHz. This
avoids reporting wifi_generation 5 on the 2.4 GHz band and reserves the
generation value 5 for full VHT as defined in the IEEE 802.11 standard.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This BSS membership selector has impact only for SAE functionality, so
ignore it when configured not to use SAE. This allows WPA-PSK connection
to and AP that advertises WPA-PSK and SAE while requiring H2E for SAE.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If a channel list changed event is received after a scan and before
selecting a BSS for connection, a BSS found on a now disabled channel
may get selected for connection. The connect request issued with the BSS
found on a disabled channel is rejected by cfg80211. Filter out the BSSs
found on disabled channels and select from the other BSSs found on
enabled channels to avoid unnecessary connection attempts that are bound
to fail.
The channel list information will be updated by the driver in cases like
country code update, disabling/enabling specific bands, etc. which can
occur between the scan and connection attempt.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Fix a rebasing issue in the signal difference calculation. The older
patch was not updated to use the new cur_level local variable to get the
possibly updated signal level for the current BSS.
Fixes: a2c1bebd43 ("Improve roaming logic")
Signed-off-by: Jouni Malinen <j@w1.fi>
This is targeting the case of MAC address change for an association
which may require the interface to be set down for a short moment.
Previously, this ended up flushing the BSS table that wpa_supplicant
maintained and that resulted in having to scan again if the MAC address
was changed between the previous scan and the connection attempt. This
is unnecessary extra latency, so maintain the BSS entries for 5 seconds
(i.e., the same time that the old scan results are consider valid for a
new connection attempt) after an interface goes down.
Signed-off-by: Jouni Malinen <j@w1.fi>
Currently, wpa_supplicant may roam too aggressively; the need_to_roam()
function will return early with a roaming decision if the difference in
signal level or throughput between the current and selected APs is
"sufficiently large." In particular, if the selected AP's estimated
throughput is more than 5k greater than the current AP's estimated
throughput, wpa_supplicant will decide to roam. Otherwise, if the
selected AP's signal level is less than the current AP's signal level,
or the selected AP's estimated throughput is at least 5k less than the
current AP's estimated throughput, wpa_supplicant will skip the roam.
These decisions are based only on one factor and can lead to poor
roaming choices (e.g., a roam should not happen if the selected AP's
estimated throughput meets the threshold but the current signal and
throughput are already good, whereas a roam should happen if the signal
is slightly worse but the estimated throughput is significantly better).
This change standardizes the roaming heuristic for signal strength
difference requirements and will hopefully improve user experience. The
change can be summarized as follows: based on the current signal level,
a certain roaming difficulty is assigned. Based on the selected AP's
estimated throughput relative to the current AP's estimated throughput,
the difficulty is adjusted up or down. If the difference in signal level
meets the threshold, a roam happens.
The hard-coded values were selected purely based on the previous version
of this function. They may eventually need to be fine-tuned for optimal
performance.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Do not prevent roam to a different BSS based only on the signal level
with the current BSS being higher than with the selected BSS. If the
estimated throughput is significantly higher (> 20%), allow roaming if
the following conditions are met.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the current SNR with the associated BSS is sufficiently good (better
than GREAT_SNR = 25), there is limited benefit from moving to another
BSS even if that BSS were to have a higher signal level. As such, skip
roaming based on the signal level difference between the selected BSS
from scan results and the current BSS for such cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using average signal strength from the driver and hardcoded noise floor
does not look like an ideal design since there can be significant
differences in the driver-reported noise floor values. Furthermore, even
though the current noise floor is a snapshot from the driver, it is
common for drivers to use a noise floor value from a longer calibration
step and that should not prevent the driver provided value from being
used. This makes the comparisons of the signal strengths between the
current AP (signal_poll) and other APs (scan) more accurate.
As an example, test runs in home environment showed 5 dB difference
between the driver reported noise floor and the hardcoded value and this
could result in significant differences in estimated throughput
calculation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some drivers (e.g. Marvell WiFi) don't report avg_beacon_signal, but
it's still useful to poll for the signal again when a roaming decision
needs to be made. Use si.avg_signal when si.avg_beacon_signal is not
available.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
We saw that on certain platforms in certain places we keep switching
between two APs and eventually get the same RSSI. Debugging showed that
we have a very big difference between the two antennas.
Ant A can hear AP A very well (-60) but AP B very bad (-80)
Ant B can hear AP B very well (-60) but AP A very bad (-80)
When the device associates to AP A, it'll learn to use Ant A. If the
device uses one single antenna to receive the scan results, it may hear
the AP it is currently associated to on the second antenna and get bad
results. Because of that, the wpa_supplicant will roam to the other AP
and the same scenario will repeat itself:
Association to AP A (Ant A reports -60).
Scan on Ant A: AP A: -60, AP B: -80
Scan on Ant B: AP A: -80, AP A: -60 ==> ROAM.
Association to AP B (Ant B reports -60)
Scan on Ant A: AP A: -60, AP B: -80 ==> ROAM
Etc...
Improve this by querying the signal level of the current AP using
drv_signal_poll() instead of relying on the signal level that we get
from the scan results. Also update the throughput estimate based on the
likely more accurate values for the current association.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
This is a step towards allowing these values to be determined based on
signal poll instead of scan results.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Field wpa_s->sme.ht_sec_chan keeps secondary channel for the 40 MHz
band. This field is used to prepare a list of channels for the STA OBSS
scan. Initially, the secondary channel is set to HT_SEC_CHAN_UNKNOWN.
Later on, in function wpa_obss_scan_freq_list() it is obtained from the
current BSS HT operation IE. However, the secondary channel information
is not updated after channel switch, which may lead to an incorrect list
of channels prepared for the STA OBSS scan.
Update ht_sec_chan according to the channel switch event data to fix
this.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
In the previous implementation connected STA performs OBSS scan
according to requests from its 20/40 MHz AP. However STA checks only 40
MHz intolerance subfield from HT Capabilities element in scan results.
Meanwhile, as per IEEE Std 802.11-2016, 11.16.12, STA should check
overlapping BSSs as well.
Note that all the required code to check overlapping BSSs did already
exist for AP mode since AP does those checks properly before operating
as 20/40 MHz BSS in the 2.4 GHz band. Use that existing code by replace
existing 40 MHz intolerance check in sme_proc_obss_scan() with the new
shared helper function check_bss_coex_40mhz().
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
When a PTK rekey fails it can't be caused by a PSK mismatch. Report a
possible PSK mismatch only during the initial 4-way handshake to avoid
incorrect reports.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
The previous implementation missed the case where EAPOL-Key frame may be
reported as having been received before the association event is
processed. This would have resulted in not using the RSNXE override for
EAPOL-Key msg 2/4 when the pending EAPOL-Key frame gets processed
immediately after processing the association event. Fix this by moving
the override case to be handled before that.
Fixes: 1325655397 ("SAE H2E: RSNXE override for testing purposes")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"SET rsnxe_override_{assoc,eapol} <hexdump>" can now be used to override
RSNXE in (Re)Association Request frames and EAPOL-Key msg 2/4 for
testing purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"SET ignore_sae_h2e_only 1" can now be used to configurate
wpa_supplicant to a test mode where it ignores AP's H2E-required
advertisement and try to connect with hunt-and-pecking loop instead.
This is used only for testing AP behavior with unexpected STA behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_key_mgmt_wpa_psk() includes SAE AKMs. However, with SAE, there is no
way of reaching 4-way handshake without the password having already been
verified as part of SAE authentication. As such, a failure to complete
4-way handshake with SAE cannot indicate that the used password was
incorrect.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg
2/4 when using SAE with hash-to-element mechanism enabled. This allows
the AP to verify that there was no downgrade attack when both PWE
derivation mechanisms are enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the AP advertises RSN Extension element, it has to be advertised
consistently in the unprotected (Beacon and Probe Response) and
protected (EAPOL-Key msg 3/4) frames. Verify that this is the case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
After roaming to an AP, update disable_mbo_oce flag based on the current
BSS capabilities. This flag is used to check whether STA should support
MBO/OCE features and process BTM request received from the current
connected AP.
When a STA roams from a WPA2 MBO/OCE AP with PMF enabled to a
misbehaving WPA2 MBO/OCE AP without PMF, or if the driver chooses a BSS
in which PMF is not enabled for the initial connection, BTM requests
from such APs should not be processed by STA.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The MBO and OCE specification require the station to mandate use of PMF
when connecting to an MBO/OCE AP that uses WPA2. The earlier
implementation prevented such misbehaving APs from being selected for
connection completely. This looks like the safest approach to take, but
unfortunately, there are deployed APs that are not compliant with the
MBO/OCE requirements and this strict interpretation of the station
requirements results in interoperability issues by preventing the
association completely.
Relax the approach by allowing noncompliant MBO/OCE APs to be selected
for RSN connection without PMF to avoid the main impact of this
interoperability issue. However, disable MBO/OCE functionality when PMF
cannot be negotiated to try to be as compliant as practical with the
MBO/OCE tech spec requirements (i.e., stop being an MBO/OCE STA for the
duration of such workaround association). Also disable support for BTM
in this workaround state since MBO would expect all BTM frames to be
protected.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
An OCE AP with WPA2 enabled shall require PMF negotiation when
associating with an OCE STA. An OCE STA-CFON may negotiate PMF with a
STA when it is operating as an AP. Don't select an OCE AP for connection
if PMF is not enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The conditions for the eapol_sm_notify_eap_success(FALSE) calls did not
cover the case where eapol_sm_notify_eap_success(TRUE) had been called
based on offloaded 4-way handshake and driver notification of
authorization in wpa_supplicant_event_port_authorized(). This could
result in eapSuccess and altSuccess state machine variables being left
TRUE when roaming to another BSS and that results in EAP failure if the
following roaming case does not get fully authorized through the driver
offload.
Fix this by clearing eapSuccess/altSuccess when processing a new
association (including roaming) event and also when disconnecting from
the network.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, these default scan IEs were set only when parameter values
changed and during the interface initialization, which can get lost in
the driver on an interface restart. Hence, also set these IEs on an
interface restart notification even when there has been no change in the
values since the last update to the driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The ssid->mode is from type enum wpas_mode and all its constants start
with WPAS_MODE_*. Still some of the code sections used the
IEEE80211_MODE_* defines instead of WPAS_MODE_*.
This should have no impact on the actual code because the constants for
INFRA, IBSS, AP and MESH had the same values.
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
If an AP rejects association due to low RSSI, then RSSI of the BSS from
which association reject is received shall be used for calculating RSSI
threshold at which STA can try connecting back to that BSS later. In
case of SME offload, the current_bss might not have been set before
receiving association completion, so fetch the BSS entry based on the
BSSID provided in the driver event.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it easier to upper layer components to manage operating
channels in cases where the same radio is shared for both station and AP
mode virtual interfaces.
Signed-off-by: Omer Dagan <omer.dagan@tandemg.com>
Logs involving IEEE 802.11 Reason Codes output the Reason Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each Reason Code using the latter part
of the reason code #define names.
Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
When FILS authentication is used with ERP, no EAPOL frames are expected
after association. However, for drivers that set the
WPA_DRIVER_FLAGS_4WAY_HANDSHAKE_8021X capability flag, the EAP state
machine was not configured correctly and was waiting for EAPOL frames,
which leads to disconnection.
Fix this by reordering the if branches to set the EAPOL/EAP state
machines to success when FILS authentication was already completed.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Use Diffie-Hellman key exchange to derivate additional material for
PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element
(defined in OWE RFC 8110) is used in association frames to exchange the
DH public keys. For backwards compatibility, ignore missing
request/response DH parameter and fall back to no PFS in such cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some driver interfaces (e.g., wext) might not include the
data->scan_info information and data could be NULL here. Do not try to
call the RRM handler in this case since that would dereference the NULL
pointer when determining where scan_info is located and could
potentially result in trying to read from unexpected location if RRM is
enabled with a driver interface that does not support it.
events.c:1907:59: runtime error: member access within null pointer of type 'union wpa_event_data'
Signed-off-by: Jouni Malinen <j@w1.fi>
According to IEEE Std 802.11-2016, 9.4.2.25 when fields of an RSNE are
not included, the default values are used. The cipher suite defaults
were hardcoded to CCMP in the previous implementation, but the default
is actually different for DMG: GCMP (per 9.4.2.25.2).
It is not possible to find out from the RSNE if the network is non-DMG
or DMG, so callers of wpa_parse_wpa_ie_rsn() need to handle this case
based on context, which can be different for each caller.
In order to fix this issue, add flags to the wpa_ie_data indicating
whether pairwise/group ciphers were included in the RSNE. Callers can
check these flags and fill in the appropriate ciphers. The
wpa_parse_wpa_ie_rsn() function still initializes the ciphers to CCMP by
default so existing callers will not break. This change also fixes some
callers which need to handle the DMG network case.
Signed-off-by: Lior David <liord@codeaurora.org>