As the Linux variant of l2_packet_init() does not use its own_addr
argument and l2_packet_receive() does not filter on destination MAC
address, this needs to be checked in the callback.
If there are multiple BSSes listening for FT RRB packets, all their
BSSIDs need to be local to the bridge interface. As l2_packet_init() is
going to receive all of them going for any local address, those RRB
messages started turning up on BSSes that were not destinated for and
cluttering logs.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.
This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Instead of copying the full struct hostapd_sta_wpa_psk_short, share the
existing entry and use reference counting to check when it needs to be
freed. This allows caching of PSKs derived from passphrases to avoid
having to perform the heavy hashing operation multiple times.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Hashing takes quite some time (can be about one second on a low-power
CPU for each passphrase provided), so hostapd can easily hit the 900 ms
Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can
be fixed by storing the passphrase instead of PSK with the STA and defer
the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.
This applies for the case where a RADIUS server is used to store the
per-STA passphrases and this passphrase is delivered as part of the MAC
ACL check during IEEE 802.11 Authentication frame processing.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The VLAN ifname is limited to the maximum length of IFNAMSIZ, so there
is no need to use heap allocation for it.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
r1_key_holder is an identifier that was always set to zero if unless
configured before.
See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
"R1KH-ID is a MAC address of the holder of the PMK-R1 in the
Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
"Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
identifier within the mobility domain."
"The R1KH-ID shall be set to a MAC address of the physical entity
that stores the PMK-R1 ..."
Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL.
This test implements such a malicious request for regression testing.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.
Fix this by checking hapd->wpa_auth before delivery.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The FT RRB hostapd packets have a length field. For PULL frames, it
counted the bytes starting with nonce and up to the last before pad. For
RESP frames, it counted the bytes starting with nonce and up to the last
before pad except for 2 bytes. For PUSH frames, it counted the bytes
starting with nonce and up to including pad.
As rounding is done with AES encryption, including pad does not make
sense. Not including the last field before pad does not make sense
either. These were broken in the earlier addition of the 2 octet
pairwise field in commit 1b484d60e5 ('FT:
Include pairwise cipher suite in PMK-R0 SA and PMK-R1 SA').
AES encryption is not affected, as rounding hides the differences. The
packets data_length field is not used, so the differences have no effect
there.
This patch changes the constants to match the bytes used, thus excluding
the pad. To validate the changes, look at remainder modulo 8 of the sum
of the size constants and the padding sizes.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This adds new tests to verify pmksa_cache_preauth when
used with per_sta_vif and possibly vlans.
While at it it refactors the code such that the tests
pmksa_cache_preauth
pmksa_cache_preauth_vlan_enabled
pmksa_cache_preauth_vlan_used
pmksa_cache_preauth_per_sta_vif
pmksa_cache_preauth_vlan_enabled_per_sta_vif
pmksa_cache_preauth_vlan_used_per_sta_vif
share code where possible.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This adds a test case ap_vlan_reconnect. It connects, disconnects, and
reconnects a station in a VLAN. This tests for a regression with
wpa_group entering the FATAL_FAILURE state as the AP_VLAN interface is
removed before the group was stopped.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This extends the P2P Device testing coverage to include the newly
enabled option of using the primary interface (e.g., wlan0) for P2P
group operation instead of always forcing a separate group interface to
be created dynamically.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add support for drivers with dedicated P2P_DEVICE interface, but without
group interface concurrency (only a single netdev is used). With such
devices, wpa_supplicant tried to use the p2p_dev interface instead of
the group interface and most P2P operations failed. Extend
wpa_supplicant to use the primary interface instead of a separate group
interface in such cases.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
In many places in the code there was a reference to wpa_s->parent to get
from group interface to p2p_dev interface. These places can break if
P2P_DEVICE interface would need to be used with the primary interface as
the group interface, since the parent of the primary interface points to
itself and not the p2p_dev interface.
Fix this by adding a separate "p2pdev" pointer to wpa_supplicant,
it will be the same as parent pointer in most cases but whenever
the primary interface is used as a group interface, change it to
point to the correct p2p_dev interface.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Use the SA field instead of BSSID in the received Action frame to
determine whether PMF has been negotiated with the transmitter. While
these fields are supposed to be same for Public Action frames from an
AP, it would be possible that a frame is received with different values.
The following operations in gas_query_rx() use SA, so do the same for
the PMF check.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the BSS Transition Management Request frame includes only a single
candidate and we need to scan for the BSS to get up-to-date information,
use a scan for the known BSSID instead of wildcard BSSID. In addition,
set the SSID in the scan if it is known based on old scan results in the
BSS table. This removes unnecessary Probe Response frames when we are
interested in results from only a single BSS.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes hostapd track Supported Operating Classes information from
the associated STAs. The stored information is available through the STA
control interface command (supp_op_classes row) as a hexdump of the
Supported Operating Classes element starting from the Length field. This
information can be used as input to BSS transition management and
channel switching decisions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Inside management frame TX status callback, print the TX result where it
was missing. This is useful for debugging management frame drops.
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
This adds parsing of non-preferred channel list on an MBO AP. The
information in (Re)Association Request and WNM Notification Request
frames is parsed to get the initial value and updates from each
associated MBO STA. The parsed information is available through the STA
control interface command non_pref_chan[i] rows.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the second memory allocation in ieee802_11_send_wnmsleep_resp() were
to fail and ieee80211_11_get_tfs_ie() succeed, the wnmtfs_ie allocation
would not have been freed on the error path.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While refactoring VLAN comparison into vlan_compare(), it was overlooked
that modifications are needed for tagged VLAN support.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If WPA2 is used, MBO AP must enable PMF. Refuse to select a BSS that has
MBO and WPA2 enabled without PMF.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If WPA2 and MBO are enabled, PMF needs to be enabled in hostapd
configuration. If PMF is optional in the configuration, an MBO STA is
required to negotiate use of PMF.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes hostapd parse a received WNM Notification Request frame
subelements and if a WFA MBO cellular data capability subelement is
seen, update the cellular data capability for the STA.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes hostapd parse the MBO attribute in (Re)Association Request
frame and track the cellular data capability (mbo_cell_capa=<val> in STA
control interface command).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This removes multiple copies of wpabuf_resize() following by
wpabuf_put_{buf,data}() with the help of two simple helper functions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This tests BSS Transition Management Query frame generation with
candidate list and transmission of the following request and response
frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes wpa_is_bss_tmp_disallowed() expire old entries from the
bss_tmp_disallowed list even if they do not match the BSSID that is
being searched for. This allows the list to be kept at shorter length to
speed up operations and minimize memory use in cases where the
previously disabled BSS is not in radio range anymore.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a test that verifies that no Association Request frame is sent to
APs that include the MBO IE with association disallowed attribute in
Beacon and Probe Response frames.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>