path: root/wpa_supplicant/sme.c
Commit message (Collapse)AuthorAgeFilesLines
* SME: Postpone current BSSID clearing until IEs are preparedJouni Malinen2020-01-031-6/+6
| | | | | | | | | | | | | sme_send_authentication() could fail before actually requesting the driver to authenticate with a new AP. This could happen after wpa_s->bssid got cleared even though in such a case, the old association is maintained and still valid. This can result in unexpected behavior since wpa_s->bssid would not match the current BSSID anymore. Fix this by postponing clearing of wpa_s->bssid until the IE preparation has been completed successfully. Signed-off-by: Jouni Malinen <j@w1.fi>
* STA OBSS: Add check for overlapping BSSsSergey Matyukevich2019-12-261-13/+29
| | | | | | | | | | | | | | | | In the previous implementation connected STA performs OBSS scan according to requests from its 20/40 MHz AP. However STA checks only 40 MHz intolerance subfield from HT Capabilities element in scan results. Meanwhile, as per IEEE Std 802.11-2016, 11.16.12, STA should check overlapping BSSs as well. Note that all the required code to check overlapping BSSs did already exist for AP mode since AP does those checks properly before operating as 20/40 MHz BSS in the 2.4 GHz band. Use that existing code by replace existing 40 MHz intolerance check in sme_proc_obss_scan() with the new shared helper function check_bss_coex_40mhz(). Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* SAE H2E: RSNXE override for testing purposesJouni Malinen2019-12-071-0/+12
| | | | | | | | "SET rsnxe_override_{assoc,eapol} <hexdump>" can now be used to override RSNXE in (Re)Association Request frames and EAPOL-Key msg 2/4 for testing purposes. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE H2E: Fix validation of rejected groups listJouni Malinen2019-12-061-1/+1
| | | | | | | check_sae_rejected_groups() returns 1, not -1, in case an enabled group is rejected. The previous check for < 0 could not have ever triggered. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Ignore commit message when waiting for confirm in STA modeJouni Malinen2019-10-271-2/+5
| | | | | | | | | | | Previously, an unexpected SAE commit message resulted in forcing disconnection. While that allowed recovery by starting from scratch, this is not really necessary. Ignore such unexpected SAE commit message instead and allow SAE confirm message to be processed after this. This is somewhat more robust way of handling the cases where SAE commit message might be retransmitted either in STA->AP or AP->STA direction. Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Add RSNXE in Association Request and EAPOL-Key msg 2/4Jouni Malinen2019-10-171-0/+15
| | | | | | | | | Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg 2/4 when using SAE with hash-to-element mechanism enabled. This allows the AP to verify that there was no downgrade attack when both PWE derivation mechanisms are enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Check that peer's rejected groups are not enabledJouni Malinen2019-10-151-0/+52
| | | | Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: H2E version of SAE commit message handling for STAJouni Malinen2019-10-151-10/+51
| | | | Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Collect list of rejected groups for H2E in STAJouni Malinen2019-10-151-0/+6
| | | | Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Tell sae_parse_commit() whether H2E is usedJouni Malinen2019-10-141-1/+2
| | | | | | This will be needed to help parsing the received SAE commit. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* MBO/OCE: Work around misbehaving MBO/OCE APs that use RSN without PMFVamsi Krishna2019-09-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | The MBO and OCE specification require the station to mandate use of PMF when connecting to an MBO/OCE AP that uses WPA2. The earlier implementation prevented such misbehaving APs from being selected for connection completely. This looks like the safest approach to take, but unfortunately, there are deployed APs that are not compliant with the MBO/OCE requirements and this strict interpretation of the station requirements results in interoperability issues by preventing the association completely. Relax the approach by allowing noncompliant MBO/OCE APs to be selected for RSN connection without PMF to avoid the main impact of this interoperability issue. However, disable MBO/OCE functionality when PMF cannot be negotiated to try to be as compliant as practical with the MBO/OCE tech spec requirements (i.e., stop being an MBO/OCE STA for the duration of such workaround association). Also disable support for BTM in this workaround state since MBO would expect all BTM frames to be protected. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Remove CONFIG_IEEE80211W build parameterJouni Malinen2019-09-081-10/+0
| | | | | | | | | Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks. Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Conditionally set PMKID while notifying the external auth statusSunil Dutt2019-08-161-0/+2
| | | | | | | | | | | This is needed for the drivers implementing SME to include the PMKID in the Association Request frame directly following SAE authentication. This commit extends the commit d2b208384391 ("SAE: Allow PMKID to be added into Association Request frame following SAE") for drivers with internal SME that use the external authentication mechanism. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Use BSSID stored in ext_auth_bssid for set_pmkSunil Dutt2019-08-161-4/+4
| | | | | | | | | | | pending_bssid is cleared in the connected state and thus is not valid if SAE authentication is done to a new BSSID when in the connected state. Hence use the BSSID from ext_auth_bssid while configuring the PMK for the external authentication case. This is required for roaming to a new BSSID with driver-based-SME while the SAE processing happens with wpa_supplicant. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Allow PMKID to be added into Association Request frame following SAEJouni Malinen2019-08-141-8/+35
| | | | | | | | | | | IEEE Std 802.11-2016 does not require this behavior from a SAE STA, but it is not disallowed either, so it is useful to have an option to identify the derived PMKSA in the immediately following Association Request frames. This is disabled by default (i.e., no change to previous behavior) and can be enabled with a global wpa_supplicant configuration parameter sae_pmkid_in_assoc=1. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* wpa_supplicant: Fix type for ssid->mode comparisonsSven Eckelmann2019-06-231-1/+1
| | | | | | | | | | | The ssid->mode is from type enum wpas_mode and all its constants start with WPAS_MODE_*. Still some of the code sections used the IEEE80211_MODE_* defines instead of WPAS_MODE_*. This should have no impact on the actual code because the constants for INFRA, IBSS, AP and MESH had the same values. Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
* SAE: Send external auth failure status to driverSrinivas Dasari2019-05-311-16/+21
| | | | | | | | | | | wpa_supplicant prepares auth commit request as part of the external authentication (first SAE authentication frame), but it fails to get prepared when wpa_supplicant is started without mentioning the SAE password in configuration. Send this failure status to the driver to make it aware that the external authentication has been aborted by wpa_supplicant. Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
* Fix a regression in storing of external_auth SSID/BSSIDJouni Malinen2019-04-281-7/+12
| | | | | | | | | | | | | An earlier change in drivers_ops API for struct external_auth broke the way SSID and BSSID for an external authentication request were stored. The implementation depended on the memory array being available in the API struct with a use of memcpy() to copy the full structure even though when only SSID and BSSID was needed. Fix this by replacing that easy-to-break storing mechanism with explicit arrays for the exact set of needed information. Fixes: dd1a8cef4c05 ("Remove unnecessary copying of SSID and BSSID for external_auth") Signed-off-by: Jouni Malinen <j@w1.fi>
* Do not clear FT IEs twice in sme_deinit()Andrei Otcheretianski2019-04-151-3/+0
| | | | | | | Remove FT IEs clearing from sme_deinit() as it is done twice. The sme_clear_on_disassoc() call to sme_update_ft_ies() takes care of this. Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* Stop SA Query on disconnectionAndrei Otcheretianski2019-04-151-3/+3
| | | | | | | | | SA Query wasn't stopped after disconnection, which could potentially result in an unexpected SA timeout firing later when already connected to another AP. Fix that by stopping SA Query when an association is terminated. Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* Add debug print on stopping SA Query procedureJouni Malinen2019-04-151-0/+2
| | | | | | This makes it easier to debug SA Query behavior. Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove unnecessary copying of SSID and BSSID for external_authJouni Malinen2019-04-121-4/+3
| | | | | | | | | The external authentication command and event does not need to copy the BSSID/SSID values into struct external_auth since those values are used before returning from the call. Simplify this by using const u8 * to external data instead of the array with a copy of the external data. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Fix commit message override with external authenticationJouni Malinen2019-04-011-2/+4
| | | | | | | Do not add duplicate Transaction Sequence and Status Code fields when using test functionality to override SAE commit message. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Fix PMKSA cache entry search for FT-SAE caseJouni Malinen2019-03-271-1/+4
| | | | | | | | | Previously, PMKSA cache entries were search for AKM=SAE and that did not find an entry that was created with FT-SAE when trying to use FT-SAE again. That resulted in having to use full SAE authentication instead of the faster PMKSA caching alternative. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT-SAE: Enable external auth support for FT-SAE alsovamsi krishna2019-03-271-1/+1
| | | | | | | Extend the external authentication support to FT-SAE mode connections also in addition to SAE mode connections. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Fix SAE + FT-SAE behavior in association parameter selectionJouni Malinen2019-03-261-2/+3
| | | | | | | | | | Do not try to initialize FT reassociation if the selected AKM is for SAE instead of FT-SAE when both of these are enabled in a network profile. This fixes an issue with MDE being included in an (Re)Association Request frame even when using a non-FT AKM (which is something that results in hostapd rejecting the association). Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: PFS for PTK derivationJouni Malinen2019-03-181-0/+31
| | | | | | | | | | Use Diffie-Hellman key exchange to derivate additional material for PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element (defined in OWE RFC 8110) is used in association frames to exchange the DH public keys. For backwards compatibility, ignore missing request/response DH parameter and fall back to no PFS in such cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Support DPP and SAE in the same network profileJouni Malinen2019-03-161-0/+6
| | | | | | | | | Make both DPP and SAE code aware of the cases where the same network profile is configured to enable both DPP and SAE. Prefer DPP over SAE in such cases and start DPP/SAE exchanges based on what both the station and the AP support. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Reuse previously generated PWE on a retry with the same APJouni Malinen2019-03-061-4/+15
| | | | | | | | | | Do not start SAE authentication from scratch when the AP requests anti-clogging token to be used. Instead, use the previously generated PWE as-is if the retry is for the same AP and the same group. This saves unnecessary processing on the station side in case the AP is under heavy SAE authentiation load. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Enable only groups 19, 20, and 21 in station modeJouni Malinen2019-03-051-2/+2
| | | | | | | | | | | | | Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP Group) from the default SAE groups in station mode since those groups are not as strong as the mandatory group 19 (NIST P-256). In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24 based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the MODP groups were already disabled by default and would have needed explicit configuration to be allowed. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Use disable_ht/vht to constrain supported operating class informationBen Greear2019-01-071-1/+1
| | | | | | | If user has disabled HT or VHT, those related operating classes should not be advertised as supported. Signed-off-by: Ben Greear <greearb@candelatech.com>
* FT: Do not try to use FT-over-air if reassociation cannot be usedJouni Malinen2019-01-041-1/+1
| | | | | | | | | There is no point in going through FT authentication if the next step would have to use association exchange which will be rejected by the AP for FT, so only allow FT-over-air if previous BSSID is set, i.e., if reassociation can be used. Signed-off-by: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Add Multi-AP backhaul STA supportVenkateswara Naralasetty2018-12-201-0/+16
| | | | | | | | | | | | | | | | | | | | | Advertise vendor specific Multi-AP IE in (Re)Association Request frames and process Multi-AP IE from (Re)Association Response frames if the user enables Multi-AP fuctionality. If the (Re)Association Response frame does not contain the Multi-AP IE, disassociate. This adds a new configuration parameter 'multi_ap_backhaul_sta' to enable/disable Multi-AP functionality. Enable 4-address mode after association (if the Association Response frame contains the Multi-AP IE). Also enable the bridge in that case. This is necessary because wpa_supplicant only enables the bridge in wpa_drv_if_add(), which only gets called when an interface is added through the control interface, not when it is configured from the command line. Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* OCV: Perform an SA Query after a channel switchMathy Vanhoef2018-12-171-0/+21
| | | | | | | | | | | After the network changed to a new channel, perform an SA Query with the AP after a random delay if OCV was negotiated for the association. This is used to confirm that we are still operating on the real operating channel of the network. This commit is adding only the station side functionality for this, i.e., the AP behavior is not changed to disconnect stations with OCV that do not go through SA Query. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Include and verify OCI in SA Query framesMathy Vanhoef2018-12-171-7/+111
| | | | | | | | | | | | | | | | | | | | | | | | | | Include an OCI element in SA Query Request and Response frames if OCV has been negotiated. On Linux, a kernel patch is needed to let clients correctly handle SA Query Requests that contain an OCI element. Without this patch, the kernel will reply to the SA Query Request itself, without verifying the included OCI. Additionally, the SA Query Response sent by the kernel will not include an OCI element. The correct operation of the AP does not require a kernel patch. Without the corresponding kernel patch, SA Query Requests sent by the client are still valid, meaning they do include an OCI element. Note that an AP does not require any kernel patches. In other words, SA Query frames sent and received by the AP are properly handled, even without a kernel patch. As a result, the kernel patch is only required to make the client properly process and respond to a SA Query Request from the AP. Without this patch, the client will send a SA Query Response without an OCI element, causing the AP to silently ignore the response and eventually disconnect the client from the network if OCV has been negotiated to be used. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* HS 2.0: As a STA, do not indicate release number greater than the APJouni Malinen2018-12-081-1/+2
| | | | | | | | | | Hotspot 2.0 tech spec mandates mobile device to not indicate a release number that is greater than the release number advertised by the AP. Add this constraint to the HS 2.0 Indication element when adding this into (Re)Association Request frame. The element in the Probe Request frame continues to show the station's latest supported release number. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Fix CONFIG_IEEE80211X=y build without CONFIG_FILS=yJouni Malinen2018-12-031-2/+0
| | | | | | | | | remove_ie() was defined within an ifdef CONFIG_FILS block while it is now needed even without CONFIG_FILS=y. Remove the CONFIG_FILS condition there. Fixes 8c41734e5de1 ("FT: Fix Reassociation Request IEs during FT protocol") Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Try another group only on association rejection with status 77Ashok Kumar2018-12-021-1/+5
| | | | | | | | | Do not change the OWE group if association is rejected for any other reason than WLAN_STATUS_FINITE_CYCLIC_GROUP_NOT_SUPPORTED to avoid unnecessary latency in cases where the APs reject association, e.g., for load balancing reasons. Signed-off-by: Ashok Kumar <aponnaia@codeaurora.org>
* FT: Fix Reassociation Request IEs during FT protocolJouni Malinen2018-12-011-1/+79
| | | | | | | | | | | | | | | The previous implementation ended up replacing all pending IEs prepared for Association Request frame with the FT specific IEs (RSNE, MDE, FTE) when going through FT protocol reassociation with the wpa_supplicant SME. This resulted in dropping all other IEs that might have been prepared for the association (e.g., Extended Capabilities, RM Enabled Capabilities, Supported Operating Classes, vendor specific additions). Fix this by replacing only the known FT specific IEs with the appropriate values for FT protocol while maintaining other already prepared elements. Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix indentation levelJouni Malinen2018-11-301-1/+1
| | | | | | This gets rid of smatch warnings about inconsistent indenting. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Fix external authentication on big endian platformsAshok Ponnaiah2018-11-301-9/+10
| | | | | | | | Need to handle the little endian 16-bit fields properly when building and parsing Authentication frames. Fixes: 5ff39c1380d9 ("SAE: Support external authentication offload for driver-SME cases") Signed-off-by: Ashok Ponnaiah <aponnaia@codeaurora.org>
* external-auth: Check key_mgmt when selecting SSIDCedric Izoard2018-11-261-1/+2
| | | | | | | | | When selecting SSID to start external authentication procedure also check the key_mgmt field as several network configuration may be defined for the same SSID/BSSID pair. The external authentication mechanism is only available for SAE. Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
* HS 2.0: Generate AssocReq OSEN IE based on AP advertisementJouni Malinen2018-11-091-0/+14
| | | | | | | | | | | Parse the OSEN IE from the AP to determine values used in the AssocReq instead of using hardcoded cipher suites. This is needed to be able to set the group cipher based on AP advertisement now that two possible options exists for this (GTK_NOT_USED in separate OSEN BSS; CCMP or GTK_NOT_USED in shared BSS case). Furthermore, this is a step towards allowing other ciphers than CCMP to be used with OSEN. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SME: Fix order of WPA IE in association requestIlan Peer2018-10-201-0/+44
| | | | | | | | | | | | | In case that the protocol used for association is WPA the WPA IE was inserted before other (non vendor specific) IEs. This is not in accordance to the standard that states that vendor IEs should be placed after all the non vendor IEs are placed. In addition, this would cause the low layers to fail to properly order information elements. To fix this, if the protocol used is WPA, store the WPA IE and reinsert it after all the non vendor specific IEs were placed. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* OCE: Add OCE capability attribute only when associating to an OCE APBeni Lev2018-09-021-2/+8
| | | | Signed-off-by: Beni Lev <beni.lev@intel.com>
* FILS: Fix FILS connect failures after ERP key invalidationAnkita Bajaj2018-08-241-0/+22
| | | | | | | | | | | | | | | | If the RADIUS authentication server dropped the cached ERP keys for any reason, FILS authentication attempts with ERP fails and the previous wpa_supplicant implementation ended up trying to use the same keys for all consecutive attempts as well. This did not allow recovery from state mismatch between the ERP server and peer using full EAP authentication. Address this by trying to use full (non-FILS) authentication when trying to connect to an AP using the same ERP realm with FILS-enabled network profile if the previous authentication attempt had failed. This allows new ERP keys to be established and FILS authentication to be used again for the consecutive connections. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Add support for using the optional Password IdentifierJouni Malinen2018-05-191-1/+15
| | | | | | | | | | | | | | This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Clear SME FT data on disassocAhmad Masri2018-05-041-1/+1
| | | | | | | | | | | | | | SME ft_used flag is sometimes not cleared on disassoc. For example, after initial FT connection, ft_used is set while ft_ies stays NULL. Later on, upon disassoc, sme_update_ft_ies() is not invoked and ft_used is not cleared. Fix this by invoking sme_update_ft_ies() also in case ft_used is set. This is needed to fix an issue with drivers that use nl80211 Connect API with FT and expect to the NL80211_AUTHTYPE_OPEN specified in the Connect command for the initial mobility domain association. Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
* HS 2.0: Add Roaming Consortium Selection element into AssocReqJouni Malinen2018-04-171-1/+2
| | | | | | | | This makes wpa_supplicant add Hotspot 2.0 Roaming Consortium Selection element into (Re)Association Request frames if the network profile includes roaming_consortium_selection parameter. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Only allow SAE AKMP for PMKSA caching attemptsJouni Malinen2018-04-091-4/+5
| | | | | | | | | | Explicitly check the PMKSA cache entry to have matching SAE AKMP for the case where determining whether to use PMKSA caching instead of new SAE authentication. Previously, only the network context was checked, but a single network configuration profile could be used with both WPA2-PSK and SAE, so should check the AKMP as well. Signed-off-by: Jouni Malinen <j@w1.fi>