When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.
hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).
This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).
Signed-hostap: Jouni Malinen <j@w1.fi>
In wpa_supplicant_deinit(), the function wpas_p2p_deinit_global()
was called. Remove it as it will be called from wpas_deinit_iface()
upon removal of the P2P management interface.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
When P2P Device is used as P2P management interface the creation of the
P2P group interface fails because MAC address retrieval fails for the
P2P Device interface.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
For P2P an interface may be created for the P2P client/group. The
create request is done on the P2P management interface, which may
be a P2P Device interface. In that case it needs to use the wdev_id.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
In order to get a P2P-DEVICE-FOUND event the supplicant needs to
see a peer device during SEARCH and LISTEN phase. The SEARCH
phase does a scan so obtaining the scan results for the P2P Device
interface needs to be supported, i.e., use the wdev_id.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
For P2P Device the MAC address is determined upon .init2(). The
wpa_s for this interface retrieves this address in
wpa_supplicant_update_mac_addr() using the .get_mac_addr() callback.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
The function setting the interface mode also handles management
frame subscription. Rework it so subscription is done for the
P2P Device interface.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
The driver uses linux_set_iface_flags() in several places. Introduce and
use i802_set_iface_flags() which also works for P2P Device interface.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
The .deinit() closes netlink for P2P Device. Before doing that remove
the P2P Device interface that was created by wpa_supplicant.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Add specific handler for creating the P2P Device to store the wdev_id as
this type of interface does not have an interface index.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
To support Android the kernel may have a "p2p0" netdev for a P2P Device
even though this isn't very useful, but Android requires a netdev. To
support this in the supplicant, if the interface mode is P2P_DEVICE,
re-set it to the same instead of STATION mode.
Note that this is only possible with a kernel that creates a
netdev for the P2P Device wdev.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Add an option to pass a handler to nl80211_create_iface() and
nl80211_create_interface_once() that will be called after receiving the
message from the kernel. This handler will add the option to process the
message in different ways for different interfaces.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Add wdev_id to i802_bss. wdev_id_set indicates whether this id is
available. Use wdev_id if assigned, instead of ifindex. Use wdev_id for
events that come from the kernel to identify the relevant interface.
This commit does not assign wdev_id value for the BSS yet, i.e., this is
only preparation for the value to be used in a future commit.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Check the supported interfaces attribute to identify support for
a dedicated P2P Device interface type. If set, update the driver
capabilities flag to notify the supplicant.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Rename is_p2p_interface() to is_p2p_net_interface() since it used to
identify network P2P interfaces to disable 802.11b rates on them.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Sometimes an interface name that cannot be resolved is given to the
set_key function, so print the ifname in addition to the ifidx.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently, hostapd_get_vlan_id_ifname() is used to determine if a given
vlan is valid *and* to actually determine the interface. This leads to
wpa_set_keys() sometimes setting the key on the wildcard interface name,
which does not make sense.
This patch therefore adds hostapd_vlan_id_valid() and makes
hostapd_get_vlan_id_ifname() not return a wildcard interface.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently, struct hostapd_vlan is a per-BSS data structure which
also contains informations about whether to remove the bridge
or clear wlan / tagged-vlan interface from the bridge.
In a multi-interface multi-BSS setup, this can lead to the following
race condition:
1. wlan0 creates VLAN A, sets DVLAN_CLEAN_BR and DVLAN_CLEAN_VLAN_PORT
2. wlan1 creates VLAN A, does not set DVLAN_CLEAN_BR and
DVLAN_CLEAN_VLAN_PORT as already there
3. wlan0 removes VLAN A, removes tagged-interface from the bridge
but not the bridge.
Now wlan1 VLAN A is unusable due to the missing uplink.
4. wlan1 removes VLAN A, does not cleanup
Solution:
This requires an inter-BSS inter-interface data structure to track the
bridge / bridge port usage within hostapd. This data structure could
also be used to track any other device-has-been-created-by-hostapd
information or when regarding interface freeing.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently by default, all BSS share the bridge brvlan%d.
While this is sane when no tagged-interface is given, this
is insane when different tagged interfaces are given, as
it would result in bridging those tagged interfaces.
This patch therefore uses br%s%d with %s=tagged_interface
and %d=VLAN ID as bridge name when a tagged-interface is given.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently, when different BSS using different tagged vlan
interfaces, they are forced to share the bridge brvlan#,
which is not desirable.
This patch fixes this by making the bridge name configurable.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
When writing pcap-ng files, always include a radiotap
header even if there wasn't one in the input. For now
just drop prism headers, I don't have any to test.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Add "StaAuthorized" and "StaDeauthorized" D-Bus interface in AP mode.
After enabling the AP mode of wpa_supplicant, the other process need to
get the MAC address and authorization status of every station, so
wpa_supplicant emits signal when the station is authorized or
deauthorized.
Signed-hostap: Chengyi Zhao <chengyix.zhao@gmail.com>
Add AVG_RSSI report to the signal_poll command if it is reported by
the kernel.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-hostap: Ilan Peer <ilan.peer@intel.com>
11b rates removal have had impact on SoftAP functionality in
wpa_supplicant. This patch verifies that only in case of P2P group
operation 11b rates will be eliminated. Refer also to commit
4c2c302893.
Signed-hostap: Alexander Bondar <alexander.bondar@intel.com>
Signed-hostap: Ilan Peer <ilan.peer@intel.com>
Add prints for kernel event, including the event ID and event string.
Signed-hostap: David Spinadel <david.spinadel@intel.com>
Signed-hostap: Ilan Peer <ilan.peer@intel.com>
The ext_supp_rates passed to merge_byte_arrays would be invalid if not
advertized by the TDLS peer. Thus, validate the argument to avoid
crashes in such cases.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If AP mode SME/MLME within wpa_supplicant is used for processing Probe
Request frames in GO mode, drop Probe Request frames that include only
802.11b rates per P2P spec section 2.4.1.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Upon association, disable the timer that removes the dummy STA. This
timer caused the STA that associates within 5 seconds of doing an ANQP
query to disassociate, thinking it's a dummy STA. Similar call was
already there for the SME/MLME-in-hostapd case in handle_auth(), but the
SME-in-driver case was not previously addressed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There is not much use for enabling WPA without WPA2 nowadays since most
networks have been upgraded to WPA2. Furthermore, the code size savings
from disabling just WPA2 are pretty small, so there is not much
justification for maintaining this build option. Remove it to get rid of
undesired complexity.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit ae8535b6e1 added a new function
wpa_sm_pmf_enabled() which is called from WNM code without ifdefs.
Define a dummy wrapper for this function to fix build if WPA2 is
disabled.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 4033935dd9 updated
pmksa_cache_flush() function arguments, but forgot to update the wrapper
function for cases where WPA2 or EAP has been disabled in the build.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the driver wrapper supports best operation channel indication, the
p2p_group_add command can now use special values (freq=2 and freq=5) to
indicate that the re-invoked persistent GO is to be started on the
specified band.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
In a noisy enviromment, some peers can be slow to respond to the
invitation request frames which may lead to unnecessary state timeout.
Increase this timeout to 350 ms to improve the probabilty of
successfully receiving the invitation response frames.
Signed-hostap: Vivek Natarajan <nataraja@qca.qualcomm.com>
This is needed for TDLS with VHT to allow partial AID to be set
correctly for the direct link frames. cfg80211 validation rules
prevented NL80211_ATTR_STA_AID from being used for this in set_station
case, so the new attribute is used instead.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit b4a17a6ea7 added support for the
WPS Registrar to change the Device Password based on WSC specification
design. However, this added validation for Registrar behavior which
resulted in preventing a common P2P use case from working. Relax the
validation rules for builds with P2P enabled to allow the Enrollee (P2P
client) accepting M1/M2 changes in Device Password Id between Default
and Registrar-specified PIN.
Signed-hostap: Jouni Malinen <j@w1.fi>
It looks like cfg80211 can deliver a deauth/disassoc event during some
roaming cases while we are already in progress with a new
authentication/association. This happens at least with FT protocol.
Avoid issues with such disconnection event resulting in core
wpa_supplicant stopping the new connection attempt by tracking
auth/assoc BSSID more carefully within driver_nl80211.c and filtering
out events that do not apply for the current AP.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Some corner cases may result in both directions of TDLS tracking context
existing. If that is the case, the incorrect one may end up getting
picked when figuring out which TK to use for decryption or fix
statistics counter to increment. Fix this by preferring the context that
has TDLS link up.
Signed-hostap: Jouni Malinen <j@w1.fi>
