STA is not able to connect to 11be non-WPA3 mode AP.
STA needs to decide whether to connect in EHT or not at
the time of connection to AP based on security configuration.
Change-Id: I812f5c322d36ba44f63d4e27b5ec65a2846b3265
CRs-Fixed: 3404747
Change a few static crypto APIs to global.
Add support to add new crypto entry based on passing the entire
entry structure itself.
Change-Id: Id2e0a46bb8b44a834d17d2a04b0dc28fc881b4e3
CRs-Fixed: 3571796
Currently the crypto module is using vdev to get
and delete the crypto key. However, there is a need to get
and delete the crypto key based on psoc level.
The change is to use psoc handler for retrieving and deleting
the key.
Change-Id: I4fcf0fd5c7d9d5a579c092c43117594f7d9fc6a3
CRs-Fixed: 3561978
The current implementation of the crypto module utilizes
the vdev object for saving and retrieving crypto keys.
However, there is a need to store keys for individual
links in the n-link MLO. To address this requirement,
a proposal has been made to leverage the hashing
framework and store/retrieve keys from the PSoC level.
The change involves leveraging the hashing framework
to save and retrieve keys from the PSoC level.
Change-Id: I9c93545869b0c1d42b2c0e31bc672aa78573be2a
CRs-Fixed: 3549390
Include WLAN_CRYPTO_KEY_MGMT_FT_SAE_EXT_KEY as a
WPA3 AKM in WLAN_CRYPTO_IS_WPA3()
Change-Id: I3a7fcaf95ad2e132d8c650c3ffce9ba4b9849705
CRs-Fixed: 3512592
The wlan_crypto_reset_vdev_params() stub function, used when the
CRYPTO_SET_KEY_CONVERGED feature is not enabled, is misnamed, so
correct the naming.
Change-Id: Iff7db65f61dbec15529832c9db4430f908442645
CRs-Fixed: 3421947
Fix improper naming convention for store_def_keyix_peer.
Avoid qdf_export since the function is defined and called
from the same file.
Change-Id: I488267eccf521071038958fe85e9c1be90df27b2
CRs-Fixed: 3384714
The kernel-doc script identified some documentation issues in the
umac/cmn_services/crypto folder, so fix them. In addition there are
multiple instances of both the interface and the implementation being
documented, so remove the duplicates, keeping just the interface
documentation.
Change-Id: Ied5bfcdff185d0b144f8c41affb5adcb3b8a5b88
CRs-Fixed: 3394398
RSNXE bits are modified in the recent draft. Rename
WLAN_RSNX_CAPAB_PROT_RANGE_NEG to WLAN_RSNX_CAPAB_URNM_MFPR
and the bit position is changed to 15 instead of 10.
Change-Id: Iebca652a952b338f0533023581ebe45bc0aae452
CRs-Fixed: 3387173
For STA MLO connection, the AP can send M1 right after assoc
response on assoc link, which will trigger sending keys to FW
for mlo links, but it can happen that wmi_peer_assoc is not
sent for mlo link until this time.
Current code does not have handling for this case.
To solve this, store the link vdev keys and send them once
link vdev is connected.
Change-Id: I882da96280711ca9cfa4d6ba852fda4a8b6d7a77
CRs-Fixed: 3293692
Currently, RSNXE capability indexes are defined incorrectly.
It seems the BIT index is misinterpreted. Correct the same as defined
below in spec (IEEE Std 802.11-2020, 9.4.2.241, Table 9-780).
The Extended RSN Capabilities field, except its first 4 bits, is a
bit field indicating the extended RSN capabilities being advertised
by the STA transmitting the element. The length of the Extended
RSN Capabilities field is a variable n, in octets, as indicated by
the first 4 bits in the field.
Also, add a macro to check if the given akm
is WPA/WPA2 i.e. legacy than WPA3.
Change-Id: I3d8eee15f6734b2364628f699b7829a1edb246f0
CRs-Fixed: 3257715
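
Added example (not code from the driver or from these commits): a bounds-checked test of one RSNXE capability by bit index, following the field layout quoted in the commit message above and the bit 15 position given for WLAN_RSNX_CAPAB_URNM_MFPR in the earlier rename commit. The EX_ names, element ID 244, the SAE H2E position (bit 5), the "length minus 1" encoding of bits 0-3 and the choice to reject a field that claims more octets than the element carries are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EX_EID_RSNX             244  /* RSNXE element ID (assumed, from the standard) */
#define EX_RSNX_CAPAB_SAE_H2E     5  /* bit index, not a mask (assumed) */
#define EX_RSNX_CAPAB_URNM_MFPR  15  /* bit position stated in the rename commit */

/*
 * ie[0] = element ID, ie[1] = element length, ie[2..] = Extended RSN
 * Capabilities field. Bits 0-3 of the field hold its length in octets minus 1.
 */
bool ex_rsnxe_has_capab(const uint8_t *ie, size_t ie_len, unsigned int bit)
{
    size_t body, field_len;

    if (!ie || ie_len < 3 || ie[0] != EX_EID_RSNX)
        return false;
    body = ie[1];
    if (body + 2 > ie_len)               /* element runs past the buffer */
        return false;
    field_len = (size_t)(ie[2] & 0x0f) + 1;
    if (field_len > body)                /* field claims more than is present */
        return false;
    if (bit < 4 || bit / 8 >= field_len) /* bits 0-3 are the length, not a capability */
        return false;
    return (ie[2 + bit / 8] & (1u << (bit % 8))) != 0;
}

/* Constructed sample elements, not captures. */
const uint8_t ex_h2e_only[]  = { 244, 1, 0x20 };        /* n = 1, bit 5 set */
const uint8_t ex_two_octet[] = { 244, 2, 0x21, 0x80 };  /* n = 2, bits 5 and 15 set */
const uint8_t ex_truncated[] = { 244, 1, 0x21 };        /* claims n = 2, carries 1 */

int main(void)
{
    return ex_rsnxe_has_capab(ex_two_octet, sizeof(ex_two_octet),
                              EX_RSNX_CAPAB_URNM_MFPR) ? 0 : 1;
}
```
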
Supplicant compares AKM(s) in RSN IE of Beacon/Probe response and
AKM on third EAPOL frame received by AP. In the case of multi AKM,
previously Host converts all adaptive 11r AKM(s), if any, present
in RSN IE of Beacon/Probe response to corresponding FT AKM but the
AP(s) which support adaptive 11r (ADAPTIVE_11R_OUI: 0x964000) only
converts first AKM to corresponding FT AKM and sends third EAPOL
frame to DUT. This results in failure in a 4-way handshake in
supplicant due to RSN IE mismatch between RSNIE sent by host
and RSNIE present in third EAPOL frame. Now like AP, the host is
converting only the first AKM to corresponding FT AKM to avoid
RSNIE mismatch in supplicant.
Change-Id: I522c6e313df50c1ef2952ec2e464a107ae739dad
CRs-Fixed: 3230622
Assume AP1 and AP2 are SPMK APs. For SPMK AP(s), Host
should add an entry of an AP in PMK cache table like below in
two cases only:
Case 1. When DUT successfully associated with SPMK supported AP
        In this case host updates “is_spmk_ap” flag in PMK
        table by parsing beacon of associated AP after
        successful connection.
Case 2. When DUT successfully roamed to SPMK supported AP
        In this case host updates “is_spmk_ap” flag in PMK
        table by parsing roam sync indication event.
In case of connection with SPMK AP, Host selectively deletes PMK
entry for other SPMK supported AP(s) on basis of “is_spmk_ap”
flag and maintains only one entry for all SPMK AP(s). And host
sends the same single PMK in RSO for further roaming to SPMK AP.
Initially, DUT is connected with AP2. Then Disconnection happens with
AP2 due to NUD failure. After disconnection, the upper layer sends
flush PMK requests for AP1 and AP2. Host deletes old PMK entries for
both APs. Now upper layer sends a set PMK request for AP2. Host adds
AP2 entry in PMK cache table but host does not set "is_spmk_ap" flag
in PMK table for this entry as DUT is not connected to AP2. Now host
receives a connect request for AP1 from the upper layer. DUT
successfully associated with AP1 by performing full SAE authentication.
Host adds an entry for AP1 in the PMK cache table and sets "is_spmk_ap"
flag for AP1 but fails to delete the entry for other SPMK AP(s), here
AP2, from PMK cache table. This is because the "is_spmk_ap" flag is not
set for AP2. At this point of time below is the PMK cache table entry
for SPMK AP(s): The Host PMK cache table has two entries for two SPMK
APs.

BSSID   PMK    is_spmk_ap flag
AP2     PMK2   0
AP1     PMK1   1

Now FW roams to AP2 using PMK1. Host processes roam sync indication for
AP2 and updates "is_spmk_ap" flag for AP2 in the PMK cache table. As
Host has a stale entry for AP2 in the PMK cache table, Host sends AP2’s
PMK (here PMK2) in RSO command which firmware will use for further
roaming but roaming fails due to invalid PMK, as target SPMK AP expects
PMK1 in reassociation request.
To handle these scenarios, FW should send PMK info of roamed AP and
host override stale entry for roamed AP (if any) with roamed AP's PMK
in PMK cache table.
Change-Id: I3c6a49be065e4744e438c2762c103eb3095a2253
CRs-Fixed: 3168078
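
Added example (not code from the driver or from this commit): a small model of the PMK cache that replays the sequence in the commit message above and returns the PMK the host would send in RSO for AP2, with and without the firmware supplying the roamed AP's PMK. All ex_ names, the integer stand-ins for BSSIDs and PMKs, and the use of one flag-and-prune step for both connect and roam are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

enum { AP1 = 1, AP2 = 2, PMK1 = 101, PMK2 = 102, EX_MAX = 16 };

struct ex_pmksa { int bssid, pmk; bool is_spmk_ap; };  /* bssid 0 = free slot */
struct ex_cache { struct ex_pmksa e[EX_MAX]; };

static struct ex_pmksa *ex_find(struct ex_cache *c, int bssid)
{
    for (size_t i = 0; i < EX_MAX; i++)
        if (c->e[i].bssid == bssid)
            return &c->e[i];
    return NULL;
}

/* Add or overwrite the PMK for a BSSID; a new entry starts with flag 0. */
static void ex_set_pmk(struct ex_cache *c, int bssid, int pmk)
{
    struct ex_pmksa *p = ex_find(c, bssid);
    if (!p && (p = ex_find(c, 0)) != NULL) {  /* take the first free slot */
        p->bssid = bssid;
        p->is_spmk_ap = false;
    }
    if (p)
        p->pmk = pmk;
}

/* Connect or roam success on an SPMK AP: flag it, drop other flagged entries. */
static void ex_mark_spmk(struct ex_cache *c, int bssid)
{
    for (size_t i = 0; i < EX_MAX; i++) {
        struct ex_pmksa *p = &c->e[i];
        if (p->bssid == bssid)
            p->is_spmk_ap = true;
        else if (p->bssid && p->is_spmk_ap)
            *p = (struct ex_pmksa){0};
    }
}

/* Replays the sequence; returns the PMK the host would put in RSO for AP2. */
int ex_replay(bool fw_sends_roamed_pmk)
{
    struct ex_cache c = {0};        /* state after the flush for AP1 and AP2 */
    ex_set_pmk(&c, AP2, PMK2);      /* set PMK while not connected: flag 0 */
    ex_set_pmk(&c, AP1, PMK1);      /* full SAE authentication with AP1 */
    ex_mark_spmk(&c, AP1);          /* AP2 survives because its flag is 0 */
    if (fw_sends_roamed_pmk)        /* FW roamed to AP2 using PMK1 */
        ex_set_pmk(&c, AP2, PMK1);  /* the fix: override the stale entry */
    ex_mark_spmk(&c, AP2);          /* roam sync handling flags AP2 */
    return ex_find(&c, AP2)->pmk;
}

int main(void) { return ex_replay(true) == PMK1 ? 0 : 1; }
```
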
Add support to update key management with higher security
after BSS create response.
Also, currently if there are multiple AKM and ucast cipher,
host overwrites AKM and ucast cipher value with the new one.
Instead of overwrite, add support to do ORing to keep all values.
Change-Id: I679a86debef649efbce1a08b60512d127f7fbbee
CRs-Fixed: 3113222
Add parameter 'bool sync' for wlan_cfg80211_crypto_add_key()
to indicate whether or not to add key synchronously.
If it's set to true, wait until install key complete event
is received.
Change-Id: I9a69d486665fb3f65a5720ccfbfb638c09329418
CRs-Fixed: 2865832
Removed unused API for open and WEP check, as the logic to check
open and WEP mode is not valid. If required, proper API can
be added later.
Change-Id: Ia57bc28d40a70c8bd3b908400126c9741080a5fd
CRs-Fixed: 2949965
Add logic to
- Check if connect req freq is 6Ghz and security
  is not allowed for 6Ghz, reject connect.
- Ignore 6Ghz APs if connect req security is invalid
  for 6Ghz
Also added user config key_mgmt_mask_6ghz mask
to allow specific AKMs, by default all are allowed.
Also added user config check_6Ghz_security to enable
security checks as per spec.
Change-Id: I37518731faa4de67a49853e5ac544efa3b3ce1d6
CRs-Fixed: 2813013
In FT roam when STA connects to AP1 then PMK1 gets cached. And
then STA disconnects from AP1 and connects to AP2 then PMK2
gets cached. Now if STA roams to AP1 then FW uses PMK2 from mlme
session to create the PMKID. But the corresponding RSO command
from driver sends the PMK1 to FW and the same gets updated in
mlme session of FW. This results in failure of next roams, as the
invalid PMKID gets created using PMK1.
This fix helps in deleting the old/stale PMK cache entries for
the same mobility domain as of the newly added entry.
Also the FT-SuiteB AKM is enabled in crypto using this change.
Change-Id: Id147ec40b8e0deacc4c427d396ec973cec483904
CRs-Fixed: 2796105
Currently connection manager does not update crypto params
of connect request based on RSN/WPA/WAPI IEs.
Add logic to update the connect params based on IEs.
Change-Id: I74aba3c061ed5fc203be7270dcc244f14718c781
CRs-Fixed: 2777574
Move RSNXE IE parsing to crypto module and add entry of RSNXE IE in
util_scan_copy_beacon_data() so that a copy of RSNXE IE remains in
scan entry cache and doesn't get freed on scan result update.
Change-Id: I792c8636d7e1f21c6291158188ab2c1d241151ec
CRs-Fixed: 2780832
WLAN_CRYPTO_RSN_CAP_OCV_SUPPORTED i.e. 0x4000 bit in RSN capability
is set to 1 to indicate that the STA supports operating channel
validation by including Operating Channel Information (OCI) in RSNA
exchanges and validates the information when received from another
STA that indicated this capability.
Change-Id: I8cbe640772c95573461ef2ef54c9e86778fe970f
CRs-Fixed: 2765802
Replace the lim_default_hmac_sha256_kdf() & lim_create_fils_rik()
API with crypto API since both these APIs are primarily for
cryptographic derivation of re-authentication integrity key (rIK).
Use the new crypto APIs qdf_default_hmac_sha256_kdf(),
wlan_crypto_create_fils_rik() for this.
Change-Id: I1c8f38ee0124b8b3eb527d4b01d39add134e181b
CRs-Fixed: 2752635
Currently only at most 3 PMK Cache entries are allowed in Host,
which is not equivalent to that of Firmware, as up to 16 max PMK
cache entries are allowed in Firmware.
This change is to support up to 16 PMKID entries in driver as well.
Change-Id: I383ca79e284de4913197ca4afec317e8669edd86
CRs-Fixed: 2689482
For WLAN_CRYPTO_OMAC1_OS_DERIVATIVE and
WLAN_CRYPTO_GCM_OS_DERIVATIVE set, use QDF API to calculate MIC.
Change-Id: I5971eb39414a292534981753805df6d9beb54be0
CRs-Fixed: 2664275
Add new crypto API to set the single PMK AP flag in
crypto pmksa entry and to clear the BSSID entries in the
crypto pmk cache with the SAE single pmk flag set.
Clear the entries with SAE single pmk flag on connection
and roaming success case. Mark the BSS as SAE pmk capable
after initial connection and roaming if the AP advertises
the VSIE.
Change-Id: I42ca0c3a70945f974eec1065661ac0b781096126
CRs-Fixed: 2652936
Changes to support Beacon protection. Additional key ix 6 and 7
support BIGTK. Update beacon template for Beacon protection support.
CRs-Fixed: 2632290
Change-Id: Ic37d17f5076bb28d2e1f2430da039cc8b9f759b6
As softap, send assoc failure if HT supported client tries to associate
as WEP/TKIP pairwise key.
Change-Id: Ie33e5d83ec18e10aae51a4cc3515f754bd24774e
CRs-Fixed: 2623660
For FILS pmksa cache, the pmksa add/del/query is based on SSID
and cache id. The current crypto pmksa cache API doesn't support
SSID and cache ID.
1. Add SSID/Cache ID support to pmksa API
2. Add RSN IE pmkid field based on SSID/cache ID
Change-Id: I1577c6293b75d6f8e6210f314dd83462e06d8190
CRs-Fixed: 2621860
On rekey, the STA resets its PN to 0, but the
AP sends out pending traffic with old PN values
before it resets the PN as well.
This causes traffic to stall and hence, TSC (transmit
sequence counter) should not be set to zero during rekey.
Instead, obtain last PN number for a non-bss peer while
configuring new key and pass the values to hostap.
Change-Id: I4a604f23944c941c6ade2f57ab03781bc78f7b40
VLAN group keyix is greater than WLAN_CRYPTO_MAXKEYIDX
Each VLAN will have separate group key in single VAP.
CRs-Fixed: 2490599
Change-Id: I585b2deaa13da337c5df7b55ec8e4672221e4edb
In wlan_crypto_rsn_info, only need to reject STA with PMF disabled
when PMF is required.
Change-Id: I7a7d4b2d1a2d44a95d08eb6bfac14540940f0be3
CRs-Fixed: 2424932
MCL code will need to find the supported mgmt cipher
type from crypto component. Add two APIs for vdev and
peer for it.
Change-Id: Ic33d4f18a04b48ce4699617569585fd1c2ae6f61
CRs-Fixed: 2421463