Add UDP support for ctrl_iface:
New config option could be set:
CONFIG_CTRL_IFACE=udp
CONFIG_CTRL_IFACE=udp-remote
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote
And hostapd_cli usage:
hostapd_cli -i localhost:8877
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
In case vendor ACS command returns invalid channel or hardware mode,
complete the interface setup with an error code instead of simply
return, so that hostapd can properly clean up the interface setup.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This tells to the server how long we have been trying to transmit the
message so that the actual time of the message generation can be
determined from receive time (ignoring network delays and only at
accuracy of one second).
For interim updates, only value 0 is used since there are no
retransmissions of the same message. For other accounting messages, the
initial attempt goes out with value 0 and the retransmissions, if
needed, show the number of seconds the message has been waiting in the
queue.
Update the Identifier and Authenticator in the messages whenever
updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of using the RADIUS client retransmission design with the old
RADIUS message contents for each retry, trigger a completely new interim
accounting update instance more quickly (using the same schedule as
RADIUS message retransmissions) to improve accounting updates in cases
where RADIUS message delivery fails. This allows the server to get up to
date information from the time the "retry" message was sent instead of
the old information from the time the first failed attempt was sent.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to maintain two implementations of the functionality.
is_zero_ether_addr() is easier to understand, so use it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using rtnl_link_alloc_cache() is expensive as it fills in all configured
links. Using rtnl_link_get_kernel() is much more lightweight.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
As the Linux variant of l2_packet_init() does not use its own_addr
argument and l2_packet_receive() does not filter on destination MAC
address, this needs to be checked in the callback.
If there are multiple BSSes listening for FT RRB packets, all their
BSSIDs need to be local to the bridge interface. As l2_packet_init() is
going to receive all of them going for any local address, those RRB
messages started turning up on BSSes that were not destinated for and
cluttering logs.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.
This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Instead of copying the full struct hostapd_sta_wpa_psk_short, share the
existing entry and use reference counting to check when it needs to be
freed. This allows caching of PSKs derived from passphrases to avoid
having to perform the heavy hashing operation multiple times.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Hashing takes quite some time (can be about one second on a low-power
CPU for each passphrase provided), so hostapd can easily hit the 900 ms
Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can
be fixed by storing the passphrase instead of PSK with the STA and defer
the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.
This applies for the case where a RADIUS server is used to store the
per-STA passphrases and this passphrase is delivered as part of the MAC
ACL check during IEEE 802.11 Authentication frame processing.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The VLAN ifname is limited to the maximum length of IFNAMSIZ, so there
is no need to use heap allocation for it.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
r1_key_holder is an identifier that was always set to zero if unless
configured before.
See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
"R1KH-ID is a MAC address of the holder of the PMK-R1 in the
Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
"Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
identifier within the mobility domain."
"The R1KH-ID shall be set to a MAC address of the physical entity
that stores the PMK-R1 ..."
Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.
Fix this by checking hapd->wpa_auth before delivery.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The FT RRB hostapd packets have a length field. For PULL frames, it
counted the bytes starting with nonce and up to the last before pad. For
RESP frames, it counted the bytes starting with nonce and up to the last
before pad except for 2 bytes. For PUSH frames, it counted the bytes
starting with nonce and up to including pad.
As rounding is done with AES encryption, including pad does not make
sense. Not including the last field before pad does not make sense
either. These were broken in the earlier addition of the 2 octet
pairwise field in commit 1b484d60e5 ('FT:
Include pairwise cipher suite in PMK-R0 SA and PMK-R1 SA').
AES encryption is not affected, as rounding hides the differences. The
packets data_length field is not used, so the differences have no effect
there.
This patch changes the constants to match the bytes used, thus excluding
the pad. To validate the changes, look at remainder modulo 8 of the sum
of the size constants and the padding sizes.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This makes hostapd track Supported Operating Classes information from
the associated STAs. The stored information is available through the STA
control interface command (supp_op_classes row) as a hexdump of the
Supported Operating Classes element starting from the Length field. This
information can be used as input to BSS transition management and
channel switching decisions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Inside management frame TX status callback, print the TX result where it
was missing. This is useful for debugging management frame drops.
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
This adds parsing of non-preferred channel list on an MBO AP. The
information in (Re)Association Request and WNM Notification Request
frames is parsed to get the initial value and updates from each
associated MBO STA. The parsed information is available through the STA
control interface command non_pref_chan[i] rows.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the second memory allocation in ieee802_11_send_wnmsleep_resp() were
to fail and ieee80211_11_get_tfs_ie() succeed, the wnmtfs_ie allocation
would not have been freed on the error path.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While refactoring VLAN comparison into vlan_compare(), it was overlooked
that modifications are needed for tagged VLAN support.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If WPA2 and MBO are enabled, PMF needs to be enabled in hostapd
configuration. If PMF is optional in the configuration, an MBO STA is
required to negotiate use of PMF.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes hostapd parse a received WNM Notification Request frame
subelements and if a WFA MBO cellular data capability subelement is
seen, update the cellular data capability for the STA.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes hostapd parse the MBO attribute in (Re)Association Request
frame and track the cellular data capability (mbo_cell_capa=<val> in STA
control interface command).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This removes multiple copies of wpabuf_resize() following by
wpabuf_put_{buf,data}() with the help of two simple helper functions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add an option to add MBO IE to BSS Transition Management Request frame.
The MBO IE includes the transition reason code, cellular data connection
preference, and, if the disassoc imminent bit is set, it may also
include re-association retry delay. Otherwise, the re-association retry
delay should be set to zero.
The additional BSS_TM_REQ argument uses the following format:
mbo=<reason>:<reassoc delay>:<cell pref>
reason: 0-9
reassoc delay: 0-65535 (seconds; 0 = disabled)
cell pref: 0, 1, 255
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Add MBO IE with AP capability attribute to Beacon, Probe Response, and
(Re)Association Response frames to indicate the AP supports MBO.
Add option to add Association Disallowed attribute to Beacon, Probe
Response, and (Re)Association Response frames. Usage:
SET mbo_assoc_disallow <reason code>
Valid reason code values are between 1-5. Setting the reason code to
0 will remove the Association Disallowed attribute from the MBO IE
and will allow new associations.
MBO functionality is enabled by setting "mbo=1" in the config file.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
The recent VLAN changes added an explicit code path that sets vlan_desc
= NULL within ap_sta_set_vlan(). This makes some code analyzers warn
about the debug print that could potentially dereference this pointer.
Silence that warning by verifying the pointer more consistently within
this function.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the driver supports 64-bit TX/RX byte counters, use them directly.
The old 32-bit counter extension is maintained for backwards
compatibility with older drivers.
For nl80211 driver interface, the newer NL80211_STA_INFO_RX_BYTES64 and
NL80211_STA_INFO_TX_BYTES64 attributes are used when available. This
resolves the race vulnerable 32-bit value wrap/overflow. Rework RADIUS
accounting to use these for Acct-Input-Octets, Acct-Input-Gigawords,
Acct-Output-Octets, and Acct-Output-Gigawords, these values are often
used for billing purposes.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Previously, stations were added to the driver only after the
(Re)Association Response frame was acked. In the time period between the
station has acked the (Re)Association Response frame and the time the
station was added to the kernel, the station can already start sending
Data frames, which will be dropped by the hardware/driver. In addition
to the data loss, the driver may ignore NDPs with PM bit set from this
STA.
Fix this by setting/adding the STA with associated flag set to the
driver before the AP sends the (Re)Association Response frame with
status success. If the (Re)Association Response frame wasn't acked,
remove the station from the driver.
Note that setting a station to associated state before the non-AP
station acknowledges the (Re)Association Response frame is not compliant
with the IEEE 802.11 standard that specifically states that a non-AP
station should transition to authenticated/associated state only after
it acknowledged the (Re)Association Response frame. However, this is a
justifiable simplification to work around the issue described above since
1. The station will be removed in case it does not acknowledge the
(Re)Association Response frame.
2. All Data frames would be dropped until the station is set to
authorized state and there are no known issues with processing the
other Class 3 frames during the short window before the
acknowledgement is seen.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support for drivers that support full AP client state, i.e., can
handle adding stations that are not associated yet. For such drivers,
add a station after processing the authentication request, instead of
adding it in the association response callback.
Doing so is beneficial in cases where the driver cannot handle the add
station request, in which case it is useless to perform the complete
connection establishment.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Remove the fallback dependency on os_random() from the code that gets a
valid DFS channel. This is exceptionally unlikely to ever be called as
the call to os_get_random() is unlikely to fail. The intention is to
facilitate future removal of os_random() as it uses a low quality PRNG.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Remove the fallback dependency on os_random() when generating a WPS pin.
This is exceptionally unlikely to ever be called as the call to
os_get_random() is unlikely to fail. The intention is to facilitate
future removal of os_random() as it uses a low quality PRNG.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Do not use the system clock or os_random() that uses a low quality PRNG
as part of the pseudo-random challenge in auth_shared_key(). The
construction can be improved upon by replacing it with a call to
os_get_random(), which uses a high quality PRNG.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Previously, only mesh Action frames from BLOCKED STA were dropped.
Extend that to drop Authentication frames as well.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the
PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix
this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Shuffle includes above system ones so to fix a compile issue
on NetBSD where the if_type #define from <net/if.h>
conflicts with the wpa_driver_if_type enum.
Signed-off-by: Roy Marples <roy@marples.name>
This allows the stations to be assigned to their own vif. It does not
need dynamic_vlan to be set. Make hostapd call ap_sta_set_vlan even if
!vlan_desc.notempty, so vlan_id can be assigned regardless.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This makes vlan_newlink() and vlan_dellink() add tagged VLANs to AP_VLAN
interfaces as given by struct vlan_description.
hostapd_vlan_if_remove() is done in vlan_dellink() as tagged interfaces
need to be removed before the interface can be deleted and a DELLINK
message can be generated.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
To prepare for adding tagged VLAN support in vlan_init.c, vlan_newlink()
and vlan_dellink() are split into multiple functions. This reduces
indention and eases adding tagged VLANs as well.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
1. Add tagged VLAN to struct vlan_description
(compile limited number of tagged VLANs per description)
For k tagged VLANs, the first k entries in vlan_description.tagged
are used. They are sorted in ascending order. All other entries are
zero. This way os_memcmp() can find identical configurations.
2. Let tagged VLANs be parsed from RADIUS Access-Accept
3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Separate uplink configuration (IEEE 802.1q VID) and grouping of stations
into AP_VLAN interfaces.
The int vlan_id will continue to identify the AP_VLAN interface the
station should be assigned to. Each AP_VLAN interface corresponds to an
instance of struct hostapd_vlan that is uniquely identified by int
vlan_id within an BSS.
New: Each station and struct hostapd_vlan holds a struct
vlan_description vlan_desc member that describes the uplink
configuration requested. Currently this is just an int untagged IEEE
802.1q VID, but can be extended to tagged VLANs and other settings
easily.
When the station was about to be assigned its vlan_id, vlan_desc and
vlan_id will now be set simultaneously by ap_sta_set_vlan(). So
sta->vlan_id can still be tested for whether the station needs to be
moved to an AP_VLAN interface.
To ease addition of tagged VLAN support, a member notempty is added to
struct vlan_description. Is is set to 1 if an untagged or tagged VLAN
assignment is requested and needs to be validated. The inverted form
allows os_zalloc() to initialize an empty description.
Though not depended on by the code, vlan_id assignment ensures:
* vlan_id = 0 will continue to mean no AP_VLAN interface
* vlan_id < 4096 will continue to mean vlan_id = untagged vlan id
with no per_sta_vif and no extra tagged vlan.
* vlan_id > 4096 will be used for per_sta_vif and/or tagged vlans.
This way struct wpa_group and drivers API do not need to be changed in
order to implement tagged VLANs or per_sta_vif support.
DYNAMIC_VLAN_* will refer to (struct vlan_description).notempty only,
thus grouping of the stations for per_sta_vif can be used with
DYNAMIC_VLAN_DISABLED, but not with CONFIG_NO_VLAN, as struct
hostapd_vlan is still used to manage AP_VLAN interfaces.
MAX_VLAN_ID will be checked in hostapd_vlan_valid and during setup of
VLAN interfaces and refer to IEEE 802.1q VID. VLAN_ID_WILDCARD will
continue to refer to int vlan_id.
Renaming vlan_id to vlan_desc when type changed from int to struct
vlan_description was avoided when vlan_id was also used in a way that
did not depend on its type (for example, when passed to another
function).
Output of "VLAN ID %d" continues to refer to int vlan_id, while "VLAN
%d" will refer to untagged IEEE 802.1q VID.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
PBSS (Personal Basic Service Set) is a new BSS type for DMG
networks. It is similar to infrastructure BSS, having an AP-like
entity called PCP (PBSS Control Point), but it has few differences.
PBSS support is mandatory for IEEE 802.11ad devices.
Add a new "pbss" argument to network block. The argument is used
in the following scenarios:
1. When network has mode=2 (AP), when pbss flag is set will start
as a PCP instead of an AP.
2. When network has mode=0 (station), when pbss flag is set will
connect to PCP instead of AP.
The function wpa_scan_res_match() was modified to match BSS according to
the pbss flag in the network block (wpa_ssid structure). When pbss flag
is set it will match only PCPs, and when it is clear it will match only
APs.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
When a mesh point reconnects by starting from Authentication frame
sequence, the plink count was not decremented from its last connection.
This resulted in leaking peer link count and causing wpa_supplicant to
reject the connection after max_peer_links (default: 99) reconnects.
This was reproduced by pre-configuring 2 mesh points with mesh
credentials. Boot both mesh points and make sure they connect to each
other. Then in a loop reboot one of the mesh points after it
successfully connects while leaving the other mesh point up and running.
After 99 iterations the supplicant on mesh point that is not rebooting
will reject the connection request from the other mesh point.
Fix this by decrementing num_plinks when freeing a STA entry that is
still in PLINK_ESTAB state.
Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
There is no need to maintain three copies of this functionality even if
it is currently implemented as a single function call.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to
give better global and temporal uniqueness. Previously, only 32-bits of
the Acct-Session-Id would contain random data, the other 32-bits would
be incremented. Previously, the Acct-Multi-Session-Id would not use
random data. Switch from two u32 variables to a single u64 for the
Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves
no legitimate purpose. Exclusively use os_get_random() to get quality
random numbers, do not use or mix in the time. Inherently take a
dependency on /dev/urandom working properly therefore. Remove the global
Acct-Session-Id and Acct-Multi-Session-Id values that serve no
legitimate purpose.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
These can get allocated within eapol_auth_alloc(), so it is more logical
to free them in eapol_auth_free() instead of ieee802_1x_free_station()
that ends up calling eapol_auth_free().
Signed-off-by: Jouni Malinen <j@w1.fi>
Event-Timestamp should be sent for all Accounting-Request packets and
only after the system clock has a sane value, not where there's a value
close to the Unix time epoch.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Calculate the required length needed for the extra ANQP elements added
to GAS response buffer instead of using fixed size and truncating the
response if there was not sufficient space.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Acct-Authentic is used to indicate how the user was authenticated and as
such, should not be sent in Accounting-On and Accounting-Off.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Per RFC 2866, 5.10, it is invalid to send Acct-Terminate-Cause in
Accounting-On and Accounting-Off (this is included only when
Acct-Status-Type is set to Stop).
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Ensure that if it is not possible to configure an allowed 20 MHz
channel pair, hostapd falls back to a single 20 MHz channel.
Signed-off-by: Eduardo Abinader <eabinader@ocedo.com>
Number of deployed 80 MHz capable VHT stations that do not support 80+80
and 160 MHz bandwidths seem to misbehave when trying to connect to an AP
that advertises 80+80 or 160 MHz channel bandwidth in the VHT Operation
element. To avoid such issues with deployed devices, modify the design
based on newly proposed IEEE 802.11 standard changes.
This allows poorly implemented VHT 80 MHz stations to connect with the
AP in 80 MHz mode. 80+80 and 160 MHz capable stations need to support
the new workaround mechanism to allow full bandwidth to be used.
However, there are more or less no impacted station with 80+80/160
capability deployed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to follow a debug log from a hostapd process that
manages multiple interfaces.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ap_sta_deauth_cb and ap_sta_disassoc_cb eloop timeouts are used to
clear a disconnecting STA from the kernel driver if the STA did not ACK
the Deauthentication/Disassociation frame from the AP within two
seconds. However, it was possible for a STA to not ACK such a frame,
e.g., when the disconnection happened due to hostapd pruning old
associations from other BSSes and the STA was not on the old channel
anymore. If that same STA then started a new authentication/association
with the BSS, the two second timeout could trigger during this new
association and result in the STA entry getting removed from the kernel.
Fix this by canceling these eloop timeouts when receiving an indication
of a new authentication or association.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
n_chans can have only values 1, 2, or 4 in this function, so the -1 case
could never be reached. Remove the unreachable case to get rid of static
analyzer warnings.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
chan is set to the result of pointer arithmetic (pointer to an entry in
an array) that can never be NULL. As such, there is no need to check for
it to be non-NULL before deference. Remove this check to avoid
complaints from static analyzers.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Offloading of ACS to the driver changed the design a bit in a way that
iface->current_mode could actually be NULL when the offloaded ACS
mechanism supports band selection in addition to channel selection. This
resulted in a combination that is too complex for static analyzers to
notice. While acs_init() can be called with iface->current_mode == NULL
that is only in the case where WPA_DRIVER_FLAGS_ACS_OFFLOAD is in use.
In other words, the actual ACS functions like acs_cleanup() that would
dereference iface->current_mode are not used in such a case.
Get rid of static analyzer warnings by explicitly checking
iface->current_mode in acs_init() for the case where ACS offloading is
not used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If P2P support is included in wpa_supplicant build (CONFIG_P2P=y), but
P2P functionality is explicitly disabled (e.g., "P2P_SET disabled 1"),
couple of AP management frame processing steps did not check against
hapd->p2p_group being NULL and could end up dereferencing a NULL pointer
if a Probe Request frame or (Re)Association Request frame was received
with a P2P IE in it. Fix this by skipping these steps if hapd->p2p_group
is NULL.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the Registrar code to generate a Credential with
auth type WPAPSK (i.e., WPA v1) with encr type AES if the Enrollee
claimed support for WPAPSK and not WPA2PSK while the AP was configured
in mixed mode WPAPSK+WPA2PSK regardless of how wpa_pairwise (vs.
rsn_pairwise) was set since encr type was selected from the union of
wpa_pairwise and rsn_pairwise. This could result in the Enrollee
receiving a Credential that it could then not use with the AP.
Fix this by masking the encryption types separately on AP based on the
wpa_pairwise/rsn_pairwise configuration. In the example case described
above, the Credential would get auth=WPAPSK encr=TKIP instead of
auth=WPAPSK encr=AES.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it somewhat easier for the station to be able to receive and
process the encrypted WNM-Notification frames that the AP previously
sentt immediately after receiving EAPOL-Key msg 4/4. While the station
is supposed to have the TK configured for receive before sending out
EAPOL-Key msg 4/4, not many actual implementations do that. As such,
there is a race condition in being able to configure the key at the
station and the AP sending out the first encrypted frame after EAPOL-Key
4/4. The extra 100 ms time here makes it more likely for the station to
have managed to configure the key in time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Since hostapd supports ACS now, let's enable its support in
wpa_supplicant as well when starting AP mode.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
[u.oelmann@pengutronix.de: adjusted added text in defconfig]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Let's reuse hostapd code for such handling. This will be useful to get
ACS support into wpa_supplicant where this one needs to handle the
survey event so it fills in the result ACS subsystem will require.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Commit 986de33d5c ('Convert remaining SSID
routines from char* to u8*') started using wpa_ssid_txt() to print out
the SSID for the Called-Station-Id attribute in RADIUS messages. This
was further modified by commit 6bc1f95613
('Use printf escaping in SSID-to-printable-string conversion') to use
printf escaping (though, even without this, wpa_ssid_txt() would have
masked characters).
This is not desired for Called-Station-Id attribute. While it is defined
as a "String", RFC 2865 indicates that "a robust implementation SHOULD
support the field as undistinguished octets.".
Copy the SSID as an array of arbitrary octets into Called-Station-Id to
avoid any kind of masking or escaping behavior. This goes a step further
from the initial implementation by allowing even the possible (but
unlikely in practical use cases) 0x00 octet in the middle of an SSID.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the five second timeout was added at the beginning of the
full GAS query and it was not replenished during fragmented exchanges.
This could result in timing out a query if it takes significant time to
go through the possibly multiple fragments and long comeback delay.
Signed-off-by: Jouni Malinen <j@w1.fi>
This FTIE needs to be an exact copy of the one in (Re)Association
Response frame. Copy the stored element rather than building a new copy
that would not have the correct MIC value. This is needed to fix PTK
rekeying after FT protocol run.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The FTIE from (Re)Association Response frame was copied before
calculating the MIC. This resulted in incorrect value being used when
comparing the EAPOL-Key msg 2/4 value in case PTK rekeying was used
after FT protocol run. Fix this by storing the element after the MIC
field has been filled in.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_insert_pmkid() did not support cases where the original RSN IE
included any PMKIDs. That case can happen when PTK rekeying through
4-way handshake is used after FT protocol run. Such a 4-way handshake
used to fail with wpa_supplicant being unable to build the EAPOL-Key msg
2/4.
Fix this by extending wpa_insert_pmkid() to support removal of the old
PMKIDs, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When an AP interface it created, it is also setup and subscribes
for management frames etc. However, when the interface is added by
wpa_supplicant, setting up for AP operations is redundant because
it will be done by wpa_supplicant on wpa_drv_init() when setting
the interface mode to AP.
In addition, it may cause wpa_supplicant to fail initializing the
interface as it will try to subscribe for management frames on this
interface but the interface is already registered.
Change this, so when adding an AP interface, make setting up the AP
optional, and use it only when the interface is added by hostapd but not
when it is added by wpa_supplicant.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When an AP is started on the 5.2 GHz band with 40 MHz bandwidth, a
scan is issued in order to handle 20/40 MHz coexistence. However,
the scan is issued even if iface->conf->no_pri_sec_switch is set,
which is redundant.
Fix this by checking iface->conf->no_pri_sec_switch before starting
the scan.
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
The EAPOL AUTH_PAE state machine was left in incomplete state at the
completion of FT protocol. Set portValid = TRUE to allow the state
machine to proceed from AUTHENTICATING to AUTHENTICATED state, so that a
new EAPOL reauthentication can be triggered.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Now hostapd will use station MAC-based permissions according to the
macaddr_acl policy also for drivers which use AP SME offload, but do not
support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It
should be noted that in this type of case the association goes through
and the station gets disconnected immediately after that.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Expire pending DB request for EAP-SIM/AKA/AKA'. Timeout defaults to 1
second and is user configurable in hostapd.conf (eap_sim_db_timeout).
Signed-off-by: Frederic Leroy <frederic.leroy@b-com.com>
When multiple interfaces across mutiple radios are started using a
single instance of hostapd, they all come up at different times
depending upon how long the ACS and HT scan take on each radio. This
will result in stations (that already have the AP profile) associating
with the first interfaces that comes up. For example in a dual band
radio case (2G and 5G) with ACS enabled, 2G always comes up first
because the ACS scan takes less time on 2G and this results in all
stations associating with the 2G interface first.
This feature brings up all the interfaces at the same time. The list of
interfaces specified via hostapd.conf files on the command line are all
marked as sync interfaces. All the interfaces are synchronized in
hostapd_setup_interface_complete().
This feature is turned on with '-S' commmand line option.
Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
The recently added ProxyARP support (proxy_arp=1) in hostapd allows a
STA IPv4 address to be learned from DHCP or ARP messages. If that
information is available, add it to Account-Request messages in
Framed-IP-Address attribute.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter no_probe_resp_if_max_sta=1 can
be used to request hostapd not to reply to broadcast Probe Request
frames from unassociated STA if there is no room for additional stations
(max_num_sta). This can be used to discourage a STA from trying to
associate with this AP if the association would be rejected due to
maximum STA limit.
Signed-off-by: Jouni Malinen <j@w1.fi>
In addition to the PTK length increasing, the length of the PMK was
increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was
missing from the initial implementation and a fixed length (256-bit) PMK
was used for all AKMs.
Fix this by adding more complete support for variable length PMK and use
384 bits from MSK instead of 256 bits when using this AKM. This is not
backwards compatible with the earlier implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous implementation used an obsolete sm->eapol_key_crypt pointer
which was not set anywhere (i.e., was always NULL). In addition, the
condition of sm->eap_if->eapKeyAvailable was not valid here since this
is the case of MSK from an external authentication server and not the
internal EAP server. Consequently, the wpa_auth_pmksa_add() call here
was never used.
The PMKSA cache was still added, but it happened at the completion of
the 4-way handshake rather than at the completion of EAP authentication.
That later location looks better, so delete the unreachable code in
Access-Accept handling. In addition, remove the now complete unused
struct eapol_state_machine eapol_key_* variables.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
With driver wrappers that implement set_privacy(), set_generic_elem(),
set_ieee8021x(), or set_ap_wps_ie(), it was possible to hit a NULL
pointer dereference in error cases where interface setup failed and
the network configuration used WPA/WPA2, IEEE 802.1X, or WPS.
Fix this by skipping the driver operations in case the driver interface
is not initialized.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new hostapd configuration parameter anqp_elem can now be used to
configure arbitrary ANQP-elements for the GAS/ANQP server. In addition
to supporting new elements, this can be used to override previously
supported elements if some special values are needed (mainly for testing
purposes).
The parameter uses following format:
anqp_elem=<InfoID>:<hexdump of payload>
For example, AP Geospatial Location ANQP-element with unknown location:
anqp_elem=265:0000
and AP Civic Location ANQP-element with unknown location:
anqp_elem=266:000000
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some devices cannot respond to inactive client probe (empty data frame)
within one second. For example, iPhone may take up to 3 secs. This
becomes a significant problem when ap_max_inactivity is set to lower
value such as 10 secs. iPhone can lose Wi-Fi connection after ~1 min
of user inactivity.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
IEEE Std 802.11-2012 13.3.1 states that the AID should be generated on
the local node for each peer. Previously, we were using the peer link ID
(generated by the peer) which may not be unique among all peers. Correct
this by reusing the AP AID generation code.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Commit d66dcb0d0b ('WEP: Remove VLAN
support from hostapd') already removed VLAN support for WEP encryption,
so vlan_setup_encryption_dyn() is no longer needed.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This ensures that group key is set as long as the interface exists.
Additionally, ifconfig_up is needed as wpa_group will enter
FATAL_FAILURE if the interface is still down. Also vlan_remove_dynamic()
is moved after wpa_auth_sta_deinit() so vlan_remove_dynamic() can check
it was the last user of the wpa_group.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Some APs don't include a CSA IE when an ECSA IE is generated,
and mac80211 used to fail following their channel switch. Add
a testing option to hostapd to allow reproducing the behavior.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fix and extend the ieee80211_freq_to_channel_ext() function to deal
correctly with VHT operating classes (128, 129, 130).
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The CSA channel and operating class values need to be set for all types
of channel switch (i.e., either if it's triggered by the control
interfaces or due to the GO-follows-STA flow). To do so, move the code
that sets them from the GO-follows-STA flow to the more generic
hostapd_fill_csa_settings() function.
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
The hostapd_hw_get_channel() function can't be used to convert center
frequencies to channel numbers, because the hw mode lists don't have all
the center frequencies. The hw mode lists have the main channel
frequencies and flags to indicate the channel topography.
For instance, channel 5805 with VHT80- has the channel center frequency
segment 0 at 5775. This segment is only indicated indirectly in the hw
mode list by the HOSTAPD_CHAN_VHT_50_30 flag. The hw mode list doesn't
have any elements with frequency 5775 to allow the conversion to a
channel number. Thus, we need to use ieee80211_freq_to_chan() instead.
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Pass to the driver a list of CSA counter offsets when sending Probe
Response frames during a CSA period. This allows the kernel to correctly
update the CSA/eCSA elements.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Some management frames contain CSA counters which should be updated by
kernel. Change driver op send_mlme() allowing to send a frame,
specifying an array of offsets to the CSA counters which should be
updated. For example, CSA offsets parameters should be specified when
sending Probe Response frames during CSA period.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Advertise current operating class in Beacon and Probe Response frames.
This Supported Operating Classes element is required by the standard
when extended channel switch is supported. However, since this element
doesn't reflect correctly the sub-band spectrum breakdown and can't be
effectively used by clients, publish only the minimal required part
which is the current operating class.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Fix the order of CSA, eCSA, Secondary Channel Offset, and Wide Bandwidth
Channel Switch Wrapper elements in Beacon and Probe Response frames.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add new GO frequency move policy. The P2P_GO_FREQ_MOVE_SCM_ECSA prefers
SCM if all the clients advertise eCSA support and the candidate
frequency is one of the group common frequencies.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Extended channel switch provides an ability to switch between operating
classes and is required for P2P Devices by the P2P specification when
switching in 5 GHz.
When the operating class is provided for channel switch, the AP/P2P GO
will use eCSA IE in addition to the regular CSA IE both on 2.4 GHz and 5
GHz bands.
Transitions between different hw_modes are not supported.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Channel switch may be performed using both CSA and eCSA IEs together.
This may happen, for example with a P2P GO on band A with legacy
clients. Extend driver API to support up to 2 CSA counters.
This patch also includes the required implementation for nl80211.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When building Beacon and Probe Response frames for the target channel,
consider bandwidth parameter for VHT channels. In addition, add support
for updating vht_oper_centr_freq_seg0_idx and
vht_oper_centr_freq_seg1_idx.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When switching to a VHT channel with width greater than 20 MHz, add Wide
Bandwidth Channel Switch element. This element is added in Beacon and
Probe Response frames inside Channel Switch Wrapper element.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When CSA is started, hostapd_change_config_freq() computes the channel
from the provided frequency. Use this stored channel to add CSA IE in
Beacon frames, instead of recomputing the channel each time.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This fixes an issue where hostapd SET command is used to configure RSN
parameters and the wpa parameter is sent after the other parameters.
Previously, the default case here ended up clearing rsn_pairwise and
wpa_pairwise values and once wpa=2 was finally set, the cipher
configuration had already been lost.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, station's VHT information elements were copied and passed
regardless of the AP's VHT configuration. As a result, AP with VHT
disabled in configuration could have ended up transmitting packets in
VHT rates though AP is not advertising VHT support. Fix this by copying
the station's VHT capabilities only when AP supports VHT (both hardware
and configuration).
Signed-off-by: Ashok Raj Nagarajan <arnagara@qti.qualcomm.com>
Reset hapd->num_probereq_cb to 0 on an interface deinit to avoid
unexpected behavior if the same interface is enabled again without fully
freeing the data structures. hostapd_register_probereq_cb() increments
hapd->num_probereq_cb by one and leaves all old values unchanged. In
this deinit+init case, that would result in the first entry in the list
having an uninitialized pointer and the next Probe Request frame
processing would likely cause the process to terminate on segmentation
fault.
This issue could be hit when hostapd was used with WPS enabled (non-zero
wps_state configuration parameter) and control interface command DISABLE
and ENABLE were used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the previous tracking design to add a station entry based
on other management frames than Probe Request frames. For example, this
covers a case where the station is using passive scanning.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new no_auth_if_seen_on=<ifname> parameter can now be used to
configure hostapd to reject authentication from a station that was seen
on another radio.
This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to reject
authentication attempts from a station that has been detected to be
capable of operating on another band, e.g., to try to reduce likelihood
of the station selecting a 2.4 GHz BSS when the AP operates both a 2.4
GHz and 5 GHz BSS concurrently.
Note: Enabling this can cause connectivity issues and increase latency for
connecting with the AP.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new no_probe_resp_if_seen_on=<ifname> parameter can now be used to
configure hostapd to not reply to group-addressed Probe Request from a
station that was seen on another radio.
This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to restrict Probe
Request frame handling from replying to group-addressed Probe Request
frames from a station that has been detected to be capable of operating
on another band, e.g., to try to reduce likelihood of the station
selecting a 2.4 GHz BSS when the AP operates both a 2.4 GHz and 5 GHz
BSS concurrently.
Note: Enabling this can cause connectivity issues and increase latency
for discovering the AP.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd can now be configured to track unconnected stations based on
Probe Request frames seen from them. This can be used, e.g., to detect
dualband capable station before they have associated. Such information
could then be used to provide guidance on which colocated BSS to use in
case of a dualband AP that operates concurrently on multiple bands under
the control of a single hostapd process.
Signed-off-by: Jouni Malinen <j@w1.fi>
DSSS/CCK rate support in 40 MHz has to be set to 0 for 5 GHz band since
this mechanism is designed only for the 2.4 GHz band. Clear
HT_CAP_INFO_DSSS_CCK40MHZ in ht_capab when the configured mode is
neither 11b nor 11g.
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
It was possible for wpa_auth_sm_event(WPA_DEAUTH) to be called from
wpa_sm_step() iteration in the case the EAPOL authenticator state
machine ended up requesting the station to be disconnected. This
resulted in unnecessary recursive call to wpa_sm_step(). Avoid this by
using the already running call to process the state change.
It was possible to hit this sequence in the hwsim test case
ap_wpa2_eap_eke_server_oom.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 6959145b86 ('FST: Integration into
hostapd') introduced this duplicated call due to an incorrect merge
conflict resolution in ap_sta_set_authorized(). An earlier commit
61fc90483f ('P2P: Handle improper WPS
termination on GO during group formation') had moved this call to an
earlier location in the function and there is no point in re-introducing
another copy of the call at the end of the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
Couple of the for-each-interface loops used incorrect return value when
skipping over non-WPS interfaces. This could result in skipping some WPS
interfaces in the loop and returning error. Setting AP PIN did not check
for WPS being enabled at all and trigger a NULL pointer dereference if
non-WPS interface was enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows the new own_ie_override=<hexdump> configuration parameter to
be used to replace the normally generated WPA/RSN IE(s) for testing
purposes in CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <j@w1.fi>
The PMKIDCount, PMKID List, and Group Management Cipher Suite fields are
optional to include in the RSNE in cases where these would not have
values that are different from the default values. In practice,
PMKIDCount is always 0 in Beacon and Probe Response frames, so the only
field of these that could have a non-default value is Group Management
Cipher Suite. When BIP is used, that field is not needed either due to
BIP being the default cipher when PMF is enabled.
Remove these fields from RSNE when BIP is used to save six octets in
Beacon and Probe Response frames. In addition to reduced frame length,
this is a workaround for interoperability issues with iOS 8.4 in cases
where FT and PMF are enabled. iOS seems to be rejecting EAPOL-Key msg
3/4 during FT initial mobility domain association if the RSNE includes
the PMKIDCount field.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is similar to the earlier commit
b363121a20 ('WPS: Reject invalid
credential more cleanly'), but for the AP cases where AP settings are
being replaced. Previously, the new settings were taken into use even if
the invalid PSK/passphrase had to be removed. Now, the settings are
rejected with such an invalid configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This buffer is owned by the FST module, so mark it const in the
set_ies() callback to make it clearer which component is responsible for
modifying and freeing this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The mesh SAE auth often fails with master branch. By bisect I found
commit eb5fee0bf5 ('SAE: Add side-channel
protection to PWE derivation with ECC') causes this issue. This does not
mean the commit has a bug. This is just a CPU resource issue.
After the commit, sae_derive_pwe_ecc() spends 101(msec) on my PC (Intel
Atom N270 1.6GHz). But dot11RSNASAERetransPeriod is 40(msec). So
auth_sae_retransmit_timer() is always called and it can causes
continuous frame exchanges. Before the commit, it was 23(msec).
On the IEEE 802.11 spec, the default value of dot11RSNASAERetransPeriod
is defined as 40(msec). But it looks short because generally mesh
functionality will be used on low spec devices. Indeed Raspberry Pi B+
(ARM ARM1176JZF-S 700MHz) requires 287(msec) for new
sae_derive_pwe_ecc().
So this patch makes the default to 1000(msec) and makes it configurable.
This issue does not occur on infrastructure SAE because the
dot11RSNASAERetransPeriod is not used on it.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.
This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
This avoids a call to hmac_md5() to fix the build. The EAPOL-Key frame
TX code is not applicable for any FIPS mode operation, so the simplest
approach is to remove this from the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
When ACS is offloaded to device driver and the hw_mode parameter is set
to any, the current_mode structure is NULL which fails the ACS command.
Fix this by populating the ACS channel list with channels from all bands
when current_mode is NULL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the previous PMF (CONFIG_IEEE80211W=y) design that used
functionality from the FT (CONFIG_IEEE80211R=y) changes to work without
requiring CONFIG_IEEE80211R=y build option to be included.
Signed-off-by: Ashok Ponnaiah <aponnaia@qti.qualcomm.com>
This new mechanism can be used to combine multiple periodic AP
(including P2P GO) task into a single eloop timeout to minimize number
of wakeups for the process. hostapd gets its own periodic caller and
wpa_supplicant uses the previously added timer to trigger these calls.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The caller is not expected to free or modify the value since this is
returning a reference to a buffer maintained by the upper layer.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the hostapd global control interface ADD command to allow
driver wrapper to be specified ("ADD <ifname> <ctrl_iface> <driver>").
Previously, this case that did not use a configuration file allowed only
the default driver wrapper to be used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need to waste resources for this packet socket if FT-over-DS
is disabled or when operating P2P GO or AP mode in wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds the FST IEs received from the FST module into Beacon, Probe
Response, and (Re)Association Response frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit implements hostapd global control interface notifications
infrastructure. hostapd global control interface clients issue
ATTACH/DETACH commands to register and deregister with hostapd
correspondingly - the same way as for any other hostapd/wpa_supplicant
control interface.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The IPv6 address in the frame buffer may not be 32-bit aligned, so use a
local copy to align this before reading the address with 32-bit reads
(s6_addr32[]).
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not allow 40 MHz co-ex PRI/SEC switch to force us to change our PRI
channel if we have an existing connection on the selected PRI channel
since doing multi-channel concurrency is likely to cause more harm than
using different PRI/SEC selection in environment with multiple BSSes on
these two channels with mixed 20 MHz or PRI channel selection.
Signed-off-by: Jouni Malinen <j@w1.fi>
This check explicitly for reflection attack and stops authentication
immediately if that is detected instead of continuing to the following
4-way handshake that would fail due to the attacker not knowing the key
from the SAE exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
The eap argument to this function is never NULL and the earlier
ieee802_1x_learn_identity() call is dereferencing it anyway, so there is
no point in checking whether it is NULL later in the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
This needs to find the PRI channel also in cases where the affected
channel is the SEC channel of a 40 MHz BSS, so need to include the
scanning coverage here to be 40 MHz from the center frequency. Without
this, it was possible to miss a neighboring 40 MHz BSS that was at the
other end of the 2.4 GHz band and had its PRI channel further away from
the local BSS.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the common WLAN-* RADIUS attributes were added only when WPA
or WPA2 was used. These can be of use for OSEN as well, so include them
in that case, too.
Signed-off-by: Jouni Malinen <j@w1.fi>
Change send_mlme() API to allow sending management frames on a specific
channel, overriding the internal driver decision.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Currently, if multiple bss share are bridge and tagged vlan interface,
only the first instance of struct hostapd_vlan for this vlanid will have
the DVLAN_CLEAN_VLAN flag added. Thus, when this instance is removed,
the tagged vlan interface will be removed from bridge, thought other bss
might still need it. Similarily, the bridge will be left over, as the
does not have zero ports when the first instance of a struct
hostapd_vlan is freed.
This patch fixes this by having a global (per process) reference counter
for dynamic tagged vlan and dynamically created bridge interfaces, so
they are only removed after all local users are freed. (struct
hapd_interfaces *)->vlan_priv is used to hold src/ap/vlan_init.c global
per-process data like drv_priv does; right now this is only used for the
interface reference counting, but could get extended when needed. Then
possibly some vlan_global_init / vlan_global_deinit should be added, but
this is not required right now.
Additionally, vlan->configured is checked to avoid reference counter
decreasing before vlan_newlink increased them.
In order to avoid race conditions, vlan_dellink is called explicitly
after hostapd_vlan_if_remove. Otherwise there would be a short timeframe
between hostapd_vlan_if_remove and vlan_dellink during which the struct
hostapd_vlan still exists, so ap_sta_bind_vlan would try to attach
stations to it.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Commit 95b6bca66d ('Add rsn_pairwise bits
to set_ieee8021x() driver_ops') modified cipher configuration to use
unconditionally wpa_pairwise | rsn_pairwise. While that works for many
cases, it does not handle the case of dynamic configuration changes over
the control interface where wpa_pairwise or rsn_pairwise values may not
get cleared when the wpa parameter is modified. Fix this inconsistency
by configuring the driver with only the bits that are valid for the
currently enabled WPA/WPA2 version(s).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
So that systems with bad clocks will send random session IDs,
instead of always ones starting at the same second.
If os_get_random() isn't available, use os_get_time(). But also
mix in now.tv_usec, so that the accounting session ID is more
likely to be globally and temporally unique.
Signed-off-by: Alan DeKok <aland@freeradius.org>
Explicitly check for iface->current_mode before dereferencing it. While
this case may not happen in practice, it is better for the setup
functions to be more careful when doing the initial band selection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When device supports dual band operations with offloaded ACS, hw_mode
can now be set to any band (hw_mode=any) in order to allow ACS to select
the best channel from any band. After a channel is selected, the hw_mode
is updated for hostapd.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ACS code part of hostapd scans all the channels even if the channel
list is specified in the hostapd.conf. Limit the ACS scan channels to
the list specified in the config file.
Signed-off-by: Srinivasa Duvvuri<sduvvuri@chromium.org>
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
In theory, the previous version could have resulted in reading one byte
beyond the end of the management frame RX buffer if the local driver
were to deliver a truncated Public Action frame for processing. In
practice, this did not seem to happen with mac80211-based drivers and
even if it were, the extra octet would be an uninitialized value in a
buffer rather than read beyond the end of the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Handling of WPS RF band for 60 GHz was missing. Add it in all relevant
places and also map "AES" as the cipher to GCMP instead of CCMP when
operating on the 60 GHz band.
Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
This can be used with Proxy ARP to allow multicast NAs to be forwarded
to associated STAs using link layer unicast delivery. This used to be
hardcoded to be enabled, but it is now disabled by default and can be
enabled with na_mcast_to_ucast=1. This functionality may not be desired
in all networks and most cases work without it, so the new
default-to-disabled is more appropriate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, struct wpa_group was created when the first station enters
the group and the struct wpa_group was not freed when all station left
the group. This causes a problem because wpa_group will enter
FATAL_FAILURE when a wpa_group is running while the AP_VLAN interface
has already been removed.
Fix this by adding a reference counter to struct wpa_group and free a
group if it is unused.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If hostapd has bound a STA into a specific VLAN, the new vlan_id
parameter in the control interface STA command can now be used to check
which VLAN ID is in use.
Signed-off-by: Jouni Malinen <j@w1.fi>
All the system header files are supposed to be included before any other
internal header file apart from utils/includes.h.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, mesh state machine transmits updated Commit Message when
receiving a Confirm Message in Committed state. According to the
standard, it should (re)send the latest Commit Message previously sent.
IEEE Std 802.11-2012, 11.3.8.6.4 Protocol instance behavior - Committed
state:
"Upon receipt of a Con event, ... If Sync is not greater than
dot11RSNASAESync, the protocol instance shall increment Sync, transmit
the last Commit Message sent to the peer, and set the t0
(retransmission) timer."
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This extends dynamic_vlan=required checks to apply for WPA-PSK with
macaddr_acl=2 (RADIUS) case.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 88b32a99d3 ('FT: Add FT AP support
for drivers that manage MLME internally') added an alternative way of
processing the WMM TSPEC from RIC. However, that change did not seem to
include the same checks for WMM TSPEC element length that were used in
the original implementation for MLME-in-hostapd case. Fix this by
sharing the older implementation of copying the WMM TSPEC from RIC for
both cases.
It looks like the destination buffer for the response is sufficiently
long for the fixed length copy, but it may have been possible to trigger
a read beyond the end of the FTIE by about 50 bytes. Though, that seems
to be within the buffer received for RX buffer in the case that uses
this driver-based AP MLME design for FT.
Signed-off-by: Jouni Malinen <j@w1.fi>
The multi-SSID design that used a single beaconing BSSID with multiple
SSIDs was never completed in this repository, so there is no need to
maintain the per-STA ssid/ssid_probe pointers that could only point to
&hapd->conf->ssid. Save some memory and reduce code complexity by
removing this unused partial capability.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to interpret debug logs for cases where hostapd
control multiple interfaces.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to interpret debug logs in case hostapd controls
multiple interfaces and a STA roams between them.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Currently, vlan_remove_dynamic() is only called when the station VLAN ID
is changed (ap_sta_bind_vlan), but not when the station is freed. So
dynamic VLAN interfaces are not removed actually except within 1x
reauthentification VLAN ID change, although most of the code is already
there.
This patch fixes this by calling vlan_remove_dynamic() in ap_free_sta().
It cannot just use sta->vlan_id for this, as this might have been
changed without calling ap_sta_bind_vlan() (ap/ieee802_11.c:handle_auth
fetches from RADIUS cache for WPA-PSK), thus reference counting might
not have been updated. Additionally, reference counting might get wrong
due to old_vlanid = 0 being passed unconditionally, thus increasing the
reference counter multiple times.
So tracking the currently assigned (i.e., dynamic_vlan counter
increased) VLAN is done in a new variable sta->vlan_id_bound. Therefore,
the old_vlan_id argument of ap_sta_bind_vlan() is no longer needed and
setting the VLAN for the sta in driver happens unconditionally.
Additionally, vlan->dynamic_vlan is only incremented when it actually
is a dynamic VLAN.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
hostapd receives NEWLINK messages multiple times and thus does
configuration of the the vlan interface multiple times.
This is not required and leads to the following during cleanup in
test pmksa_cache_preauth_vlan_used:
1. run-test.py does: brctl delif brvlan1 wlan3.1
2. hostapd processes NEWLINK and does: brctl addif brvlan1 wlan3.1
3. run-test.py does: brctl delbr brvlan1
-> fails as wlan3.1 is still in the bridge
This patch fixes this by ignoring repeated NEWLINK messages.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
When hitting
> Failed to create interface wlan3.1: -23 (Too many open files in system)
> Try to remove and re-create wlan3.1
hostapd deletes the AP_VLAN interface and then recreates it. Thus the
kernel assigns the same ifidx to the new interfaces and sends DELLINK
and NEWLINK mesages.
As the DELLINK messages are processed after the struct hostapd_vlan is
added, hostapd deletes the struct hostapd_vlan entry, deconfigures the
AP_VLAN interface and leaves vlan_newlink nothing to find afterwards.
So this patch makes DELLINK messages to be ignored when the interface
exists.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Previously, during RSN preauthentication, ap_sta_bind_vlan() was called,
which fails for non-zero sta->vlan_id as the station is not known to the
kernel driver.
Fix this by binding the station only if it is associated. If it is not
associated, ap_sta_bind_vlan() will be done later during association.
In addition, reject Access-Accept if the returned VLAN ID is not valid
in the current hostapd configuration.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
is_ht_allowed is a confusing name since this variable is used to track
whether 40 MHz channel bandwidth is allowed instead of whether HT is
allowed in general.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If NEED_AP_MLME=y is not defined, compilation might
fail under some configurations:
src/ap/drv_callbacks.c:594:2: warning: implicit declaration of
function ‘hostapd_acs_completed’ [-Wimplicit-function-declaration]
src/ap/sta_info.c:253: undefined reference to `sae_clear_retransmit_timer'
Fix these errors by adding the missing hostapd_acs_completed() stub,
and defining NEED_AP_MLME in case of CONFIG_SAE.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Add SQLite error message and DB name to the DB related errors. Add
enough tracing so that users can know exactly where users are failing to
be found.
Signed-off-by: Ben Greear <greearb@candelatech.com>
HT requires QoS/WMM, so unset HT capabilities for a station
whose association request does not include a valid WMM IE.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Update ACS driver offload feature for VHT configuration. In addition,
this allows the chanlist parameter to be used to specify which channels
are included as options for the offloaded ACS case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There's off-by-one in the range availability check - the case of
first_chan_idx + num_chans == num_channels should be allowed (e.g., 0 +
1 == 1, for the case of a single 20 MHz channel).
Signed-off-by: Maital Hahn <maitalm@ti.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
When looking for a new operating channel, consider the case of
non-contiguous channels when checking all the needed channels (e.g., the
driver might support channels 36, 38, 40, so look for channels 36+40
explicitly, instead of failing when encountering channel 38).
Signed-off-by: Eliad Peller <eliad@wizery.com>
If the AP/Authenticator receives an EAPOL-Key msg 2/4 for an association
that negotiated use of PSK and the EAPOL-Key MIC does not match, it is
likely that the station is trying to use incorrect PSK/passphrase.
Report this with "AP-STA-POSSIBLE-PSK-MISMATCH <STA addr>" control
interface event.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This event was previously used only when disabling AP mode operation
through hostapd control interface. Make this more consistent by
providing same indication when disabling hostapd interface through the
interface deinit path. This adds the event to the case where a full
hostapd radio instance is removed which also applies for the
wpa_supplicant AP mode operations.
Signed-off-by: Jouni Malinen <j@w1.fi>
Modify the string for AP-CSA-FINISHED event indication to include a flag
which tells the framework whether the new channel is a DFS channel.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add handling logic for DFS offloaded case, and add a helper function
that takes the frequency (MHz) as a param and returns 1 if given channel
requires DFS, or 0 otherwise.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If DFS is offloaded to the driver, hostapd should not be performing
these operations. Send the relevant control interface events to provide
information to upper layer software that may use such events to track
DFS/CAC state. This makes the offloaded DFS implementation more
consistent with the DFS-in-hostapd behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Disable VHT caps for STAs for which there is not even a single
allowed MCS in any supported number of streams. i.e STA is
advertising 3 (not supported) as VHT MCS rates for all supported
streams.
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
This change adds the function hostapd_config_clear_wpa_psk() that
deletes an entire wpa_psk structure, making sure to follow the linked
list and to free the allocated memory of each PSK node. This helps to
prevent memory leaks when using PSKs from multiple sources and
reconfiguring the AP during runtime.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Read p2p_go_ctwindow (0-127 TUs) from the config file, and pass it to
the driver on GO start.
Use p2p_go_ctwindow=0 (no CTWindow) by default.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
If the driver indicates that the interface has been disabled, assume
that all associations have been lost and remove the hostapd STA entries.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This uses couple of additional helper macros and prints more debug
information to make the VLAN events easier to analyze.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Sending client probe on already removed client from kernel driver does
not have any benefit and may lead unintended behavior among variable
drivers (mac80211 has a WARN_ON() that could have been triggered after
ifconfig down+up earlier when hostapd did not re-enable beaconing on
ifup). Skip this step in discussion when the kernel driver reports that
client entry is removed.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
This allows WPA2 mode AP to be re-enabled automatically after external
ifconfig down + up on a netdev used by hostapd.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is a step towards enabling hostapd to restart AP mode functionality
if the interface is disabled and re-enabled, e.g., with ifconfig down
and up. This commit takes care of beaconining only which may be
sufficient for open mode connection, but not for WPA2 cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Do not reply to a Probe Request frame with a DSSS Parameter Set element
in which the channel is different than the operating channel of the AP,
as the sending station is not found on the AP's operating channel.
IEEE Std 802.11-2012 describes this as a requirement for an AP with
dot11RadioMeasurementActivated set to true, but strictly speaking does
not allow such ignoring of Probe Request frames if
dot11RadioMeasurementActivated is false. Anyway, this can help reduce
number of unnecessary Probe Response frames for cases where the STA is
less likely to see them (Probe Request frame sent on a neighboring, but
partially overlapping, channel).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If HT40 co-ex scan fails due to the driver rejecting scan triggers
multiple times, it was possible for the ap_ht40_scan_retry() timeout
being left behind and it getting run after hapd->drv_priv has been
cleared. This would result in NULL pointer dereference in
driver_nl80211_scan.c. Fix this by canceling the timeout when disabling
the interface.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, a channel with even a single scan/survey result missing
information was skipped in ACS. This may not be desirable in cases when
multiple scan iterations are used (which is the case by default in
hostapd). Instead, use all channels that provided at least one complete
set of results. Calculate the average interference factor as an average
of the iterations that did provide complete values.
This seems to help with some cases, e.g., when ath9k may not be able to
report the noise floor for all channels from the first scan iteration
immediately after the driver has been loaded, but then returns it for
all other scan iterations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new acs_chan_bias configuration parameter is a space-separated list
of <channel>:<bias> pairs. It can be used to increase (or decrease) the
likelihood of a specific channel to be selected by the ACS algorithm.
The total interference factor for each channel gets multiplied by the
specified bias value before finding the channel with the lowest value.
In other words, values between 0.0 and 1.0 can be used to make a channel
more likely to be picked while values larger than 1.0 make the specified
channel less likely to be picked. This can be used, e.g., to prefer the
commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The interference factors for adjacent 2.4 GHz channels were summed
together without doing any kind of weighted average on them. This
resulted in the channels at the band edges getting undue preference due
to only including interference factors from three channels vs. five for
the channels in the middle of the band.
While it is somewhat unclear whether the design here was supposed to
count overlapping channels together in this way or whether that is
already covered in channel survey results, it is clear that this summing
of three to five values together and then comparing the sum rather than
average of some kind gives too much preference to the channels at the
edges of the band by assuming that there is no interference whatsoever
outside the band.
Use weighted average of the interference factors rather than a sum from
different number of values. For now, the adjacent 2.4 GHz channels get
weight of 0.85 (1.0 for the main channel itself) and the neighboring
channels to those adjacent ones get 0.55 weight. Band-edge channels are
handled in a way that takes average over the channels that were actually
considered instead of assuming zero interference from neighboring bands.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If OBSS scan interval is not set, the AP must not schedule a timeout to
restore 40 MHz operation immediately after having moved to a 20 MHz
channel based on an unsolicited co-ex report. Fix this by scheduling the
timeout only if obss_interval is non-zero.
Since we do not currently support AP doing OBSS scans after the initial
BSS setup, this means practically that 40-to-20 MHz transition is
allowed, but 20-to-40 MHz is not with obss_interval=0. The latter gets
enabled if obss_interval is set to a non-zero value so that associated
STAs can take care of OBSS scanning.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use standard numbers-and-dots format for IPv4 in debug logs instead
of hexdump in two different byte orders.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the old VLAN ID could have been deleted before the STA was
bound to the new VLAN in case the RADIUS server changed the VLAN ID
during an association. This did not exactly work well with mac80211, so
reorder the operations in a way that first binds the STA to the new VLAN
ID and only after that, removes the old VLAN interface if no STAs remain
in it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, it was possible for some corner cases to leave the WPA
authenticator state machine running if PMK could not be derived. Change
this to forcefully disconnect the STA to get more consistent behavior
and faster notification of the error.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This type of error reporting cases should use wpa_printf() to get
consistent debug logging behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.
Signed-off-by: Jouni Malinen <j@w1.fi>
In ieee802_1x_decapsulate_radius(), eap_server_get_name() may return
NULL, and it could be dereferenced depending on printf implementation.
Change it to return "unknown" instead for the case of no matching EAP
method found. This makes it easier for the callers to simply print this
in logs (which is the only use for this function).
Signed-off-by: Eytan Lifshitz <eytan.lifshitz@intel.com>
Add the possibility to define a subset of channels used by the ACS
engine when not operating on DFS channels.
Signed-off-by: Adrien Decostre <ad.decostre@gmail.com>
If the inactivity check returns that there is no entry remaining for the
STA in the kernel, drop the STA in hostapd as well.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) match the request.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit e7d0e97bdb ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.
This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.
Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
Add the t0 retransmission timer as specified by IEEE Std 802.11-2012,
11.3.8.4. This makes SAE much more likely to succeed in the case of lost
frames.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
When performing SAE authentication in mesh, one station may
initiate authentication by sending a COMMIT as soon as a peer
candidate is discovered. Previously we did this in mesh_rsn.c,
but this left some of the state initialization in a different
part of the code from the rest of the state machine, and we may
need to add other initializations here in the future, so move
that to a more central function.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
The local conf pointer needs to be cleared once it gets assigned to
hapd_iface to avoid double-free of the configuration data on error path.
Signed-off-by: Jouni Malinen <j@w1.fi>
The per-BSS configuration information needs to be freed if hostapd fails
to add a new interface for a BSS added with "ADD bss_config=..."
command.
Signed-off-by: Jouni Malinen <j@w1.fi>
If hostapd_alloc_bss_data() failed to allocate the struct hostapd_data
instance, dynamic interface addition path ended up trying to dereference
freed memory due to incorrect cleanup steps. Fix this by decrementing
the interface count when the newly added interface is removed. In
addition, make the setup more robust by clearing all changes within
hostapd_data_alloc() if any of the allocations fails.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to add WPS vendor extensions through the D-Bus
WPSVendorExtensions setter, but these extensions were not freed when the
P2P GO was stopped or when replacing previously configured extensions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some of the struct hostapd_data variables get initialized with allocated
memory in the P2P GO case even before hapd->started has been set to 1.
As such, hostapd_free_hapd_data() needs to free these even if
!hapd->stated.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is a possible race condition between receiving the
NEW_PEER_CANDIDATE event and the Authentication frame from the peer.
Previously, if the Authentication frame RX event was indicated first,
that frame got dropped silently. Now, this frame is still dropped, but a
copy of it is stored and the frame gets processed on the following
NEW_PEER_CANDIDATE event if that is received for the same peer within
two seconds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 587d60d2b7 ('Add AP mode support
for HT 20/40 co-ex Action frame') added processing of co-ex report, but
did not include proper bounds checking or IE type checking for the
payload. Furthermore, this was not ready for the possible extensibility
of the 20/40 BSS Coexistence element.
Fix these by checking IE ids for both elements and doing more
apprioriate bounds checking for the element lengths to avoid potentially
reading beyond the frame buffer. Though, the event receive buffer in
both libnl and driver_nl80211_monitor.c is sufficiently large to make it
very unlikely that the maximum read of about 260 bytes beyond the end of
the Action frame would really have any chances of hitting the end of the
memory buffer, so the practical effect of missing bounds checking would
have been possibly accepting an invalid report frame and moving to 20
MHz channel unnecessarily.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 5ce3ae4c8f tried to clean up
fetching a pointer to the action code field, but it forgot to add
IEEE80211_HDRLEN to the pointer. This resulted in the coex report
elements being read from too early in the frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
These hostapd configuration parameter was left at the default values
(WPA-PSK/TKIP) even for cases where WPA was disabled. While these
parameters are not really used much in non-WPA cases, they do get used
for one corner case in nl80211 configuration to disable encryption of
EAPOL frames in IEEE 802.1X WEP case.
Signed-off-by: Jouni Malinen <j@w1.fi>
While other authentication algorithms mark Status Code as being Reserved
in the case of the transaction number 1, SAE does not. Check that the
Status Code indicates success before creating SAE state. In addition,
fix the mesh anti-clogging token request parsing on big endian CPUs.
Transaction number 2 (confirm) can also have non-zero Status Code to
report an error. Those should be processed, but not replied to with yet
another error message. This could happen in mesh case. Avoid a loop of
error messages by dropping the non-success case without additional
response.
In addition, don't reply to unknown transaction numbers if the status
code is non-zero. This avoids a loop of error messages if an invalid
frame where to be injected (or unlikely corruption were to occur).
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be used to drop any pending ERP key from both the internal AP
authentication server and RADIUS server use of hostapd.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd.conf radio_measurements parameter can now be used to
configure a test build to advertise support for radio measurements with
neighbor report enabled. There is no real functionality that would
actually process the request, i.e., this only for the purpose of minimal
STA side testing for now.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, only WPA + WPA2 was covered. If FT is enabled in addition to
WPA, MDIE is included in the buffer between RSN and WPA elements. The
previous version ended up leaving only the MDIE after having skipped RSN
element. Fix this to skip MDIE as well to leave only WPA IE regardless
of whether FT is enabled in AP configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This converts os_snprintf() result validation cases to use
os_snprintf_error() in cases where success condition was used to execute
a step. These changes were done automatically with spatch using the
following semantic patch:
@@
expression E1,E2,E3;
statement S1;
@@
E1 = os_snprintf(E2, E3, ...);
- if (\( E1 >= 0 \| E1 > 0 \) && \( (size_t) E1 < E3 \| E1 < (int) E3 \| E1 < E3 \))
+ if (!os_snprintf_error(E3, E1))
S1
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the immediate EAPOL authenticator startup was scheduled
without having received EAPOL-Start only for the case where WPA/WPA2 was
enabled. This can be extended to speed up non-WPA/WPA2 cases as well if
the STA includes WPS IE in Association Request frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
If "ADD bss_config=" command failed in driver_init() or
hostapd_setup_interface(), some of the allocated resources were not
freed properly.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using aes_wrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is not just the single struct member. (CID 68111)
Signed-off-by: Jouni Malinen <j@w1.fi>
Using aes_unwrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is initialized and that the target is not just the single struct member.
In addition, clean up the design to avoid removal of const with a
typecast. (CID 68112, CID 68134, CID 68135, CID 68136)
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 16689c7cfc ('hostapd: Allow ACS to
be offloaded to the driver') used incorrect operator to determine
whether HT40 was configured. Fix that to mask the ht_capab bit
correctly. (CID 77286)
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.
The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using QCA vendor command, allow ACS function to be offloaded to the
driver. Once channels are selected, hostapd is notified to perform OBSS
operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This flag was left in the STA entry for the short duration after the STA
gets deauthenticated. If the STA sends a Class 2 or 3 frame during that
short time, the AP would not have replied with Deauthentication frame
indicating no association is present.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.
Signed-off-by: Jouni Malinen <j@w1.fi>
This field needs to be validated in addition to validating the total
length of the received frame to avoid reading beyond the frame buffer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Only the NS frames should be checked to be long enough to cover all the
fields used in the NS data structure. This allows shorter RA and NA
frames to be processed for multicast-to-unicast rules.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
l2_packet_send() returns >= 0 on success, i.e., non-zero value does not
mean failure. Fix this debug print to show up only on negative return
values.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to debug operations. The debug message is marked
EXCESSIVE, though, to avoid filling the logs with too much information
in default debugging cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no point in trying to send the unicast converted version to a
STA that is not in authorized state since the driver would be expected
to drop normal TX Data frames in such state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These need to be marked packed to avoid issues with compilers
potentially adding padding between the fields (e.g., gcc on 64-bit
seemed to make struct icmpv6_ndmsg two octets too long which broke IPv6
address discovery).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The mesh anti-clogging functionality is implemented partially. This
patch fixes to parse anti-clogging request frame and use anti-clogging
token.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd control interface can now be used to request transmission of a
BSS Transition Management Request frame to a specified station.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the 4-way handshake ends up having to retransmit the EAPOL-Key
message 1/4 due to a timeout on waiting for the response, it is possible
for the Supplicant to change SNonce between the first and second
EAPOL-Key message 2/4. This is not really desirable due to extra
complexities it causes on the Authenticator side, but some deployed
stations are doing this.
This message sequence looks like this:
AP->STA: EAPOL-Key 1/4 (replay counter 1, ANonce)
AP->STA: EAPOL-Key 1/4 (replay counter 2, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 1, SNonce 1)
AP->STA: EAPOL-Key 3/4 (replay counter 3, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 2, SNonce 2)
followed by either:
STA->AP: EAPOL-Key 4/4 (replay counter 3 using PTK from SNonce 1)
or:
AP->STA: EAPOL-Key 3/4 (replay counter 4, ANonce)
STA->AP: EAPOL-Key 4/4 (replay counter 4, using PTK from SNonce 2)
Previously, Authenticator implementation was able to handle the cases
where SNonce 1 and SNonce 2 were identifical (i.e., Supplicant did not
update SNonce which is the wpa_supplicant behavior) and where PTK
derived using SNonce 2 was used in EAPOL-Key 4/4. However, the case of
using PTK from SNonce 1 was rejected ("WPA: received EAPOL-Key 4/4
Pairwise with unexpected replay counter" since EAPOL-Key 3/4 TX and
following second EAPOL-Key 2/4 invalidated the Replay Counter that was
used previously with the first SNonce).
This commit extends the AP/Authenticator workaround to keep both SNonce
values in memory if two EAPOL-Key 2/4 messages are received with
different SNonce values. The following EAPOL-Key 4/4 message is then
accepted whether the MIC has been calculated with the latest SNonce (the
previously existing behavior) or with the earlier SNonce (the new
extension). This makes 4-way handshake more robust with stations that
update SNonce for each transmitted EAPOL-Key 2/4 message in cases where
EAPOL-Key message 1/4 needs to be retransmitted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When DGAF Disable is on, perform multicast-to-unicast for DHCP packets
and Router Advertisement packets. This is a requirement for Hotspot 2.0.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
This commit establishes the infrastructure, and handles the Neighbor
Solicitation and Neighbor Advertisement frames. This will be extended
in the future to handle other frames.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
Multicast-to-unicast conversion send will be needed in various part of
Proxy ARP and DGAF Disable.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
This allows adding/deleting an IPv6 neighbor entry to/from the bridge,
to which the BSS belongs. This commit adds the needed functionality in
driver_nl80211.c for the Linux bridge implementation. In theory, this
could be shared with multiple Linux driver interfaces, but for now, only
the main nl80211 interface is supported.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
It is possible that a station device might miss an ACK for an
authentication, association, or action frame, and thus retransmit the
same frame although the frame is already being processed in the stack.
While the duplicated frame should really be dropped in the kernel or
firmware code where duplicate detection is implemented for data frames,
it is possible that pre-association cases are not fully addressed (which
is the case at least with mac80211 today) and the frame may be delivered
to upper layer stack.
In such a case, the local AP will process the retransmitted frame although
it has already handled the request, which might cause the station to get
confused and as a result disconnect from the AP, blacklist it, etc.
To avoid such a case, save the sequence control of the last processed
management frame and in case of retransmissions drop them.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If DFS implementation was built in, some configurations with drivers
that do not provide mode information could end up dereferencing a NULL
pointer. Fix this by skipping DFS operations in such cases since not
having information about modes and channels means that hostapd could not
perform DFS anyway (i.e., either this is not a wireless driver or the
driver takes care of DFS internally).
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 7f0303d5b0 ('hostapd: Verify VHT
160/80+80 MHz driver support') added couple of hapd->iface->current_mode
dereferences of which the one in hostapd_set_freq() can be hit with some
configuration files when using driver wrappers that do not have hw_mode
data, i.e., when current_mode is NULL. This could result in segmentation
fault when trying to use driver=wired. Fix this by checking that
current_mode is not NULL before dereferencing it to get vht_capab.
Signed-off-by: Jouni Malinen <j@w1.fi>
This patch makes four MIB variables for plink configurable and sets the
correct default values based on IEEE Std 802.11s-2011.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Add timer to do SAE re-authentication with number of tries defined
by MESH_AUTH_RETRY and timeout defined by MESH_AUTH_TIMEOUT.
Ignoring the sending of reply message on "SAE confirm before commit"
to avoid "ping-pong" issues with other mesh nodes. This is obvious when
number of mesh nodes in MBSS reaching 6.
Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Add state transition logic to the SAE frame handling in order to more
fully implement the state machine from the IEEE 802.11 standard. Special
cases are needed for infrastructure BSS case to avoid unexpected
Authentication frame sequence by postponing transmission of the second
Authentication frame untile the STA sends its Confirm.
[original patch by: Thomas Pedersen <thomas@noack.us>]
Signed-off-by: Bob Copeland <me@bobcopeland.com>
New kernels in wiphy_suspend() will call cfg80211_leave_all() that will
eventually end up in cfg80211_stop_ap() unless wowlan_triggers were set.
For now, use the parameters from the station mode as-is. It may be
desirable to extend (or constraint) this in the future for specific AP
mode needs.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This adds support for AKM 00-0F-AC:11 to specify the integrity and
key-wrap algorithms for EAPOL-Key frames using the new design where
descriptor version is set to 0 and algorithms are determined based on
AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new AKM uses a different mechanism of deriving the PMKID based on
KCK instead of PMK. hostapd was already doing this after the KCK had
been derived, but wpa_supplicant functionality needs to be moved from
processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds definitions for the 128-bit level Suite B AKM 00-0F-AC:11. The
functionality itself is not yet complete, i.e., this commit only
includes parts to negotiate the new AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some flag already using a bit larger than 32, so extend the hostapd
drv_flags type similarly to the earlier wpa_supplicant change to get the
full flag content.
Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
This was used in hostapd driver_test.c, but that driver wrapper has been
removed and there are no remaining or expected users for
EVENT_FT_RRB_RX.
Signed-off-by: Jouni Malinen <j@w1.fi>
Proxy ARP allows the AP devices to keep track of the hardware address to
IP address mapping of the STA devices within the BSS. When a request for
such information is made (i.e., ARP request, Neighbor Solicitation), the
AP will respond on behalf of the STA device within the BSS. Such
requests could originate from a device within the BSS or also from the
bridge. In the process of the AP replying to the request (i.e., ARP
reply, Neighbor Advertisement), the AP will drop the original request
frame. The relevant STA will not even know that such information was
ever requested.
This feature is a requirement for Hotspot 2.0, and is defined in IEEE
Std 802.11-2012, 10.23.13. While the Proxy ARP support code mainly
resides in the kernel bridge code, in order to optimize the performance
and simplify kernel implementation, the DHCP snooping code was added to
the hostapd.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
This allows setting a network parameter on the bridge that the BSS
belongs to.
This commit adds the needed functionality in driver_nl80211.c for the
Linux bridge implementation. In theory, this could be shared with
multiple Linux driver interfaces, but for now, only the main nl80211
interface is supported.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
This allows setting a bridge port attribute. Specifically, the bridge
port in this context is the port to which the BSS belongs.
This commit adds the needed functionality in driver_nl80211.c for the
Linux bridge implementation. In theory, this could be shared with
multiple Linux driver interfaces, but for now, only the main nl80211
interface is supported.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
This allows adding/deleting an IPv4 neighbor entry to/from the bridge,
to which the BSS belongs. This commit adds the needed functionality in
driver_nl80211.c for the Linux bridge implementation. In theory, this
could be shared with multiple Linux driver interfaces, but for now, only
the main nl80211 interface is supported.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
These can be convenient for upper layer programs to determine if the
hostapd interface gets disabled/re-enabled, e.g., due to rfkill
block/unblock.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use the 'no_ir' notation instead of the 'passive scan' and
'no_ibss' notations to match the earlier change in nl80211.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Modify hostapd.c logic to add checks for valid mconf data structure:
- For hostapd_setup_bss we don't need to flush old stations in case
we're rejoining a mesh network.
- In hostapd_setup_interface_complete, we don't need to setup the
interface until we join the mesh (same reasoning for
hostapd_tx_queue_params).
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
The mesh peering manager establishes and maintains links among
mesh peers, tracking each peer link via a finite state machine.
This implementation supports open mesh peerings.
[assorted fixes from Yu Niiro <yu.niiro@gmail.com>]
[more fixes from Masashi Honma <masashi.honma@gmail.com>]
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Ashok Nagarajan <ashok.dragon@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-hostap: Bob Copeland <me@bobcopeland.com>
Add routines to (de)initialize mesh interface data structures and
join and leave mesh networks.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
If both HT and VHT was enabled on AP and channel switch event from the
driver indicated that HT was disabled, VHT was left enabled. This
resulted in the following channel configuration failing. Fix this by
disabling VHT if HT gets disabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add smps_modes field, and let the driver fill it with its supported SMPS
modes (static/dynamic). This will let us start an AP with specific SMPS
mode (e.g., dynamic) that will allow it to reduce its power usage.
Signed-off-by: Eliad Peller <eliad@wizery.com>
This avoids an issue where a wpa_supplicant build with CONFIG_P2P=y and
CONFIG_HS20=y ended up processing a P2P SD query twice when operating as
a GO and sending out two replies. Only the P2P SD implementation should
reply to P2P SD query in such a case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new "bss_load_update_period" parameter can be used to configure
hostapd to advertise its BSS Load element in Beacon and Probe Response
frames. This parameter is in the units of BUs (Beacon Units).
When enabled, the STA Count and the Channel Utilization value will be
updated periodically in the BSS Load element. The AAC is set to 0 sinze
explicit admission control is not supported. Channel Utilization is
calculated based on the channel survey information from the driver and
as such, requires a driver that supports providing that information for
the current operating channel.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
It is now possible to run hwsim_test like data connectivity test through
wpa_supplicant/hostapd control interface if CONFIG_TESTING_OPTIONS=y is
used for the build. Test functionality is enabled/disabled at runtime
with "DATA_TEST_CONFIG <1/0>". The "DATA_TEST_TX <dst> <src> <tos>"
command can be used to request a test frame to be transmitted.
"DATA-TEST-RX <dst> <src>" event is generated when the test frame is
received.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes hostapd create PMKSA cache entries from SAE authentication
and allow PMKSA caching to be used with the SAE AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows multiple sessions using the same PMKSA cache entry to be
combined more easily at the server side. Acct-Session-Id is still a
unique identifier for each association, while Acct-Multi-Session-Id will
maintain its value for all associations that use the same PMKSA.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 8b24861154 ('Add Acct-Session-Id
into Access-Request messages') added Acct-Session-Id building into the
helper function shared between authentication and accounting messages.
However, it forgot to remove the same code from the generation of
accounting messages and as such, ended up with Accounting-Request
messages containing two copies of this attribute. Fix this by removing
the addition of this attribute from the accounting specific function.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled when hostapd is used as an EAP
server with OpenSSL as the TLS library.
Signed-off-by: Jouni Malinen <j@w1.fi>
This use does not really need a strong random number, so fall back to
os_random() if a theoretical error case occurs. (CID 72682)
Signed-off-by: Jouni Malinen <j@w1.fi>
While this specific case does not really care what value is used, the
the theoretical error case can be handled more consistently. (CID 72684)
Signed-off-by: Jouni Malinen <j@w1.fi>
The hlen and len variables are identical here, but only the hlen was
used in the end. Change this to use the len variable to avoid
unnecessary static analyzer warnings about unused writes.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like the use of sm->wpa == WPA_VERSION_WPA2 in two locations
within the function was a bit too much for clang static analyzer to
understand. Use a separate variable for storing the allocated memory so
that it can be freed unconditionally. The kde variable can point to
either stack memory or temporary allocation, but that is now const
pointer to make the design clearer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new ext_eapol_frame_io parameter can be used to configure hostapd
and wpa_supplicant to use control interface for receiving and
transmitting EAPOL frames. This makes it easier to implement automated
test cases for protocol testing. This functionality is included only in
CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
A P2P Client may be able to connect to the GO even if the WPS
provisioning step has not terminated cleanly (e.g., P2P Client does not
send WSC_Done). Such group formation attempt missed the event
notification about started group on the GO and also did not set the
internal state corresponding to the successful group formation.
This commit addresses the missing part by completing GO side group
formation on a successful first data connection if WPS does not complete
cleanly. Also, this commit reorders the STA authorization indications to
ensure that the group formation success notification is given prior to
the first STA connection to handle such scenarios.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows cases where neither 80 MHz segment requires DFS to be
configured. DFS CAC operation itself does not yet support 80+80, though,
so if either segment requires DFS, the AP cannot be brought up.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds kek_len argument to aes_wrap() and aes_unwrap() functions and
allows AES to be initialized with 192 and 256 bit KEK in addition to
the previously supported 128 bit KEK.
The test vectors in test-aes.c are extended to cover all the test
vectors from RFC 3394.
Signed-off-by: Jouni Malinen <j@w1.fi>
_pmksa_cache_free_entry() is a static function that is never called with
entry == NULL, so there is no need to check for that.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the first entry in the PMKSA cache did not match the station's MAC
address, an infinite loop could be reached in pmksa_cache_get_okc() when
trying to find a PMKSA cache entry for opportunistic key caching cases.
This would only happen if OKC is enabled (okc=1 included in the
configuration file).
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, WPA/WPA2 case ended up using the hardcoded
dot11RSNAConfigPMKLifetime (43200 seconds) for PMKSA cache entries
instead of using the Session-Timeout value from the RADIUS server (if
included in Access-Accept). Store a copy of the Session-Timeout value
and use it instead of the default value so that WPA/WPA2 cases get the
proper timeout similarly to non-WPA/WPA2 cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
In case P2P is not enabled the if (dev_addr) is always ignored as
dev_addr will be NULL. As this code is relevant only to P2P, it can be
moved to be the ifdef to avoid static analyzer warnings. (CID 72907)
Signed-off-by: Philippe De Swert <philippe.deswert@jollamobile.com>
This fixes couple of code paths where the WPA_DRIVER_FLAGS_DFS_OFFLOAD
flag was not checked properly and unexpected DFS operations were
initiated (and failed) in case the driver handles all these steps.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The driver-based SME case did not set STA flags properly to the kernel
in the way that hostapd-SME did in ieee802_11.c. This resulted in the FT
protocol case not marking the STA entry authorized. Fix that by handling
the special WLAN_AUTH_FT case in hostapd_notif_assoc() and also add the
forgotten hostapd_set_sta_flags() call to synchronize these flag to the
driver.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While hostapd should not really receive the EVENT_ASSOC message for
IBSS, driver_nl80211.c could potentially generate that if something
external forces the interface into IBSS mode and the IBSS case does not
provide the struct assoc_info data. Avoid the potential NULL pointer
dereference by explicitly verifying for the event data to be present.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds hostapd support for the new WLAN-Pairwise-Cipher,
WLAN-Group-Cipher, WLAN-AKM-Suite, and WLAN-Group-Mgmt-Pairwise-Cipher
attributes defined in RFC 7268. These attributes are added to RADIUS
messages when the station negotiates use of WPA/RSN.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hostapd support for the new WLAN-HESSID attribute defined in
RFC 7268. This attribute contains the HESSID and it is added whenever
Interworking is enabled and HESSID is configured.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hostapd support for the new Mobility-Domain-Id attribute
defined in RFC 7268. This attribute contains the mobility domain id and
it is added whenever the station negotiates use of FT.
Signed-off-by: Jouni Malinen <j@w1.fi>
set_dfs_state() return value is not currently checked anywhere, so
remove the dead assignment to avoid static analyzer complaints.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use an explicit memset call to clear any hostapd configuration parameter
that contains private information like keys or identity. This brings in
an additional layer of protection by reducing the length of time this
type of private data is kept in memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
It's worth giving a try to fallback to re-starting BSSes at least once
hoping it works out instead of just leaving BSSes disabled.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Currently hostapd data structures aren't ready for multi-channel BSSes,
so make DFS work now at least with single-channel multi-BSS channel
switching.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
This was added by commit 8a45811638
('hostapd: Add Operating Mode Notification support'), but the validation
steps cannot be true either for the channel width (which is a two-bit
subfield that cannot encode more than the list four values) or Rx NSS
(which cannot encode a value larger 7). Furthermore, the VHT_CHANWIDTH_*
defines do not match the definition of the Channel Width subfield
values.
Since this check cannot ever match, it is better to remove it to make
the code easier to understand and to avoid getting complaints about dead
code from static analyzers.
Signed-off-by: Jouni Malinen <j@w1.fi>
Earlier commit related to MAC address based access control list
offloaded to the driver was not sending ACL configuration to the driver
if the MAC address list was empty. Remove this check as empty access
control list is a valid use case and sending ACL parameters should not
be dependent on whether the list is empty.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
There seemed to be an off-by-one error in the validation of GAS request
frames. If a Public Action frame without the Action code field would
have reached this function, the length could have been passed as
(size_t) -1 which would likely have resulted in a crash due to reading
beyond the buffer. However, it looks like such frame would not be
delivered to hostapd at least with mac80211-based drivers. Anyway, this
function better be more careful with length validation should some other
driver end up reporting invalid Action frames.
In addition, the Action code field is in a fixed location, so the
IEEE80211_HDRLEN can be used here to clean up bounds checking to avoid
false reports from static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
prev cannot be NULL here in the hostapd_eid_country_add() call since
prev is set whenever start becomes non-NULL. That seems to be a bit too
difficult for some static analyzers, so check the prev pointer
explicitly to avoid false warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
This fixes an issue where a driver using the deprecated set_ieee8021x()
callback did not include rsn_pairwise bits in the driver configuration
even if mixed WPA+WPA2 configuration was used. This could result, e.g.,
in CCMP not being enabled properly when wpa_pairwise=TKIP and
rsn_pairwise=CCMP was used in the configuration. Fix this by using
bitwise OR of the wpa_pairwise and rsn_pairwise values to allow the
driver to enable all pairwise ciphers.
In addition, make the newer set_ap() driver_ops use the same bitwise OR
design instead of picking between rsn_pairwise and wpa_pairwise. This
makes the code paths consistent and can also fix issues with mixed mode
configuration with set_ap().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Move to PTKINITDONE state and mark PTK valid after successful completion
of FT protocol. This allows the AP/Authenticator to start GTK rekeying
when FT protocol is used. Previously, the station using FT protocol did
not get the new GTK which would break delivery of group addressed
frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
Couple of code paths in hostapd.c could have left hapd->drv_priv
pointing to memory that was freed in driver_nl80211.c when a secondary
BSS interface is removed. This could result in use of freed memory and
segfault when the next driver operation (likely during interface
deinit/removal). Fix this by clearing hapd->drv_priv when there is
reason to believe that the old value is not valid within the driver
wrapper anymore.
Signed-off-by: Jouni Malinen <j@w1.fi>
These three calls were used already in three different paths. Use a
helper function to avoid adding even more copies of this.
Signed-off-by: Jouni Malinen <j@w1.fi>
If for some reason interface setup fails mid-way when setting up
multi-BSS AP it was possible to get segmentation fault because driver
was not properly cleaned up.
One possible trigger, when using nl80211 driver, was udev renaming an
interface created by hostapd causing, e.g., linux_set_iface_flags() to
fail.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
This variable is updated when calling hostapd_if_add(), so it makes
sense to do the same thing when calling hostapd_if_remove().
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Performing, e.g. `wpa_cli -p /var/run/hostapd raw DISABLE` twice led to
hostapd segmentation fault if multiple BSSes were configured. Fix this
by checking if there is anything to disable at all before trying.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
The current RADIUS server pointer was updated after each SET command
which broke parsing of multiple RADIUS servers over the control
interface. Fix this by doing the final RADIUS server pointer updates
only once the full configuration is available.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of silently dropping the response that requires fragmentation,
send an error response to the station to make it aware that no full
response will be available.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, hostapd had to be started with at least one of the
configuration files enabling TNC for TNC to be usable. Change this to
allow TNC to be enabled when the first interface with TNC enabled gets
added during runtime.
Signed-off-by: Jouni Malinen <j@w1.fi>
Before starting a 20/40 MHz BSS on the 2.4 GHz band, a 40-MHz-capable HT
AP is required by the rules defined in IEEE Std 802.11-2012 10.15.5 to
examine the channels of the current operational regulatory domain to
determine whether the operation of a 20/40 MHz BSS might unfairly
interfere with the operation of existing 20 MHz BSSs. The AP (or some of
its associated HT STAs) is required to scan all of the channels of the
current regulatory domain in order to ascertain the operating channels
of any existing 20 MHz BSSs and 20/40 MHz BSSs. (IEEE 802.11-2012 S.5.2
Establishing a 20/40 MHz BSS).
Add the check for an overlapping 20 MHz BSS to the initial AP scan for
the P == OT_i case in 10.15.3.2.
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
If WPS isn't enabled, hostapd_cli returns 'OK' even though WPS doesn't
get activated because WPS context is not valid:
$ hostapd_cli wps_pbc
Selected interface 'wlan0'
OK
$ hostapd_cli wps_cancel
Selected interface 'wlan0'
OK
Fix this by returning appropriate error when WPS fails to activate:
$ hostapd_cli wps_pbc
Selected interface 'wlan0'
FAIL
$ hostapd_cli wps_cancel
Selected interface 'wlan0'
FAIL
Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
CC: Luka Perkov <luka.perkov@sartura.hr>
If a driver wrapper misbehaves and does not indicate a frame body in the
event, core hostapd code should handle this consistently since that case
was already checked for in one location.
Signed-off-by: Jouni Malinen <j@w1.fi>
sta == NULL check is already done above based on category !=
WLAN_ACTION_PUBLIC, but that seems to be too complex for some static
analyzers, so avoid invalid reports by explicitly checking for this
again in the WLAN_ACTION_FT case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Checking sm->pmksa is sufficient here, but that seems to be too
difficult for static analyzers to follow, so avoid false reports by
explicitly checking pmkid as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
clang scan-build does not seem to like the 'd' suffix on floating
constants and ends up reporting analyzer failures. Since this suffix
does not seem to be needed, get rid of it to clear such warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the initial OBSS scans in AP mode before starting 40 MHz BSS
more robust. In addition, HT20 can be used as a backup option if none of
the scans succeed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a 2.4 GHz band AP receives a 20/40 Coexistence management frame from
a connected station with 20/40 BSS Intolerant Channel Report element
containing the channel list in which any legacy AP are detected or AP
with 40 MHz intolerant bit set in HT Cap IE is detected in the affected
range of the BSS, the BSS will be moved from 40 to 20 MHz channel width.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend the minimal HT 20/40 co-ex support to include dynamic changes
during the lifetime of the BSS. If any STA connects to a 2.4 GHz AP with
40 MHz intolerant bit set then the AP will switch to 20 MHz operating
mode.
If for a period of time specified by OBSS delay factor and OBSS scan
interval AP does not have any information about 40 MHz intolerant STAs,
the BSS is switched from HT20 to HT40 mode.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This provides information to allow the driver to be configured for
updated channel parameters, e.g., when dynamically changing HT20/HT40
bandwidth.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
With hidden SSID (ignore_broadcast_ssid), an IOS device trying to
connect to the AP will send a probe request with ANT == 2. If
interworking support is just compiled (not enabled), we will drop the
probe request since default ANT is 0.
Check that interworking is enabled before filtering based on ANT or
HESSID to match the behavior of code without CONFIG_INTERWORKING.
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
Sometimes function hostapd_is_dfs_required() returns -1 which indicates
that it was not possible to check if DFS was required. This happens for
channels from the 2.4 GHz band where DFS checking should not happen.
This can be fixed by returning DFS-not-required for mode different from
IEEE80211A and when DFS support is not available (ieee80211h not set).
Signed-off-by: Marek Puzyniak <marek.puzyniak@tieto.com>
This makes the definitions match the terminology used in IEEE Std
802.11-2012 and makes it easier to understand how the HT Operation
element subfields are used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.
Signed-off-by: Jouni Malinen <j@w1.fi>
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.
Signed-off-by: Jouni Malinen <j@w1.fi>
p2p_dev_addr was not NULL, so the all zeros case was printed as well.
Clean this up by printing p2p_dev_addr in debug prints only if it is a
real P2P Device Address.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support of vendor command to hostapd ctrl_iface.
Vendor command's format:
VENDOR <vendor id> <sub command id> [<hex formatted data>]
The 3rd argument will be converted to binary data and then passed as
argument to the sub command.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When primary and secondary channel were switched and config was
reloaded, secondary channel was incorrectly overwritten.
Proceed as for other settings that should not be changed and don't
allow to overwrite.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Especially when multiple BSSes are used with ACS, number of the error
paths were not cleaning up driver initialization properly. This could
result in using freed memory and crashing the process if ACS failed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the PMK-R1 needs to be pulled for the R0KH, the previous
implementation ended up rejecting the over-the-air authentication and
over-the-DS action frame unnecessarily while waiting for the RRB
response. Improve this by postponing the Authentication/Action frame
response until the pull response is received.
Signed-off-by: Jouni Malinen <j@w1.fi>
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds. This is similar to the earlier
commit that commented out in-memory update.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the driver supports full offloading of DFS operations, do not disable
a channel marked for radar detection. The driver will handle the needed
operations for such channels.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds.
Signed-off-by: Jouni Malinen <j@w1.fi>
There was possibility that the current channel in Beacon information
element was incorrectly set. This problem was easily observed when
primary and secondary channel were switched and then some of hostapd
settings (for example password) were changed using WPS External
Registrar. This caused hostapd_reload_config() function overwrite the
current channel information from config file.
This patch prevents this situation and does not allow to overwrite
channel and some other settings when config is reloaded.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
It was possible for hapd->wps_beacon_ie and hapd->wps_probe_resp_ie to
be set if WPS initialization in hostapd failed after having set these
parameters (e.g., during UPnP configuration). In addition, many of the
other WPS configuration parameters that were allocated during the first
part of the initialization were not properly freed on error paths.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These were previous set to 3.0 and 1.5 ms which ended up using values 93
and 46 in 36 usec inits. However, the default values for these are
actually defined as 3.008 ms and 1.504 ms (94/47) and those values are
also listed in the hostapd.conf example.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The center segment0 calculation for VHT20 ACS was incorrect. This caused
ACS to fail with: "Could not set channel for kernel driver".
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Secondary channel was compared incorrectly (-4/4 vs. actual channel
number) which broke matching neighboring 40 MHz BSSes and only the
no-beacons-on-secondary-channel rule was applied in practice. Once
sec_chan was fixed, this triggered another issue in this function where
both rules to switch pri/sec channels could end up getting applied in a
way that effectively canceled the switch.
Signed-off-by: Jouni Malinen <j@w1.fi>
previous_ap and last_assoc_req were not really used for anything
meaninful, so get rid of them to reduce the size of per-STA memory
allocation.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the control interface and some of the BSS setup to
be left partially initialized in failure cases while the BSS structures
were still freed. Fix this by properly cleaning up anything that may
have passed initialization successfully before freeing memory.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd to set a different management group cipher than the
previously hardcoded default BIP (AES-128-CMAC). The new configuration
file parameter group_mgmt_cipher can be set to BIP-GMAC-128,
BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in
IEEE Std 802.11ac-2013.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
For some client OBSS implementations that are performed in
firmware, all OBSS parameters need to be set to valid values.
Do this, as well as supplying the "20/40 Coex Mgmt Support"
flag in the extended capabilities IE.
Signed-hostap: Paul Stewart <pstew@chromium.org>
The 802.11ac amendment specifies that that the center segment 0 field
is reserved, so it should be zero. Hostapd previously required it to
be set, which is likely a good idea for interoperability, but allow it
to be unset. However, don't allow it to be set to a random value, only
allow zero and the correct channel.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Some of the remote ANQP server concepts were introduces into gas_serv.c,
but these were not completed. Remote the unused implementation for now.
It can be added back if support for remote ANQP server is added at some
point.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd DEAUTHENTICATE and DISASSOCIATE control interface commands
accepted both a test=<0/1> and reason=<val> parameters, but these were
not supported in the same command as a combination. Move the code around
a bit to allow that as well since it can be helpful for automated test
scripts.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, some of the last initialization steps could fail without
clearly marking the interface disabled. For example, configuring the
channel to the driver could fail, but hostapd would not clearly identify
as the interface not being in functional state apart from not moving it
to the ENABLED state. Send an AP-DISABLED event and mark interface state
DISABLED if such a setup operation fails.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
At least in nl80211, broadcast management frames like Probe Request
frames, may be processed multiple times per BSS if multi-BSS is active
and NL80211_CMD_FRAME event is used to deliver them. In the case of
Probe Request frames, hostapd will create multiple redundant Probe
Response frames which are problematic when many BSS are on one channel.
This problem is caused by driver_nl80211 generating an event for
wpa_supplicant_event() for each BSS, and hostapd_mgmt_rx() calls
ieee802_11_mgmt() for each BSS, too.
Fix this by processing broadcast events only for the BSS the driver
intended to. The behavior is not changed for drivers not setting a BSS.
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
If channels are "available", change to "usable" DFS channels as a
fallback, too. This requires CAC, but it is still better to do that
instead of stopping service completely.
Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
If DFS channels are marked as "available", an AP can switch to them
immediately without performing CAC. Therefore, the channel selection
function should consider these channels even though these are radar
channels.
Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
Different channels allow different transmission power, at least in ETSI
countries. Also, ETSI requires a "channel plan" for DFS operation, and
channels should be randomly choosen from these channels.
Add a channel list configuration option for users to add channels
hostapd may pick from.
Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
Incorrect PTK length was used in PMK-to-PTK derivation and the Michael
MIC TX/RX key swapping code was incorrectly executed for these ciphers
on supplicant side.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If eap_user_file is configured to point to an SQLite database, RADIUS
server code can use that database for log information.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, this was enabled only at msgdump verbosity level, but any
level that is more verbose than it should also be included.
Signed-off-by: Jouni Malinen <j@w1.fi>
This reverts commit 4345fe963e. That
introduced number of memory leaks and since the rest of the VLAN changes
did not yet go in, it is easier to revert this for now and bring back
the changes after fixes if there is sufficient interest for them in the
future.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the design already available for Access-Request packets to
the RADIUS server and Access-Accept messages. Each user entry can be
configured to add arbitrary RADIUS attributes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Request the driver to send a Deauthentication frame before doing
any other disconnection steps on the session timeout path. This is
needed when PMF is negotiated for the association since the driver
will need to find the STA entry and the PTK for it to be able to
protect the robust Deauthentication frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In case of Automatic Channel Selection (ACS) failure, we do not have a
real fallback path. Interface still remains in ACS state. To reflect we
did not succeed with ACS, simply disable the interface and indicate this
to user/upper layer entity so that a suitable recovery or error
notification can be performed.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
handle_assoc_cb() got this addition, but the check in
hostapd_new_assoc_sta() was not modified to be aware of the OSEN special
case for EAPOL state machines to be used for marking a STA authorized.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was done in handle_assoc_cb() in ieee802_11.c for drivers that use
hostapd SME/MLME. However, drivers that include SME/MLME implementation
do not use that function and the STA flag needs to be set when
processing the association notification. This is needed to get the STA
entry into showing the proper authorized state and to get the
AP-STA-CONNECTED/DISCONNECTED events on the control interface.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
As per IEEE Std 802.11ac-2013, 'Maximum A-MPDU Length Exponent' field
value is in the range of 0 to 7. Previous implementation assumed EXP0 to
be the maximum length (bits 23, 24 and 25 set) what is incorrect.
This patch adds options to set it up within the 0 to 7 range.
Signed-off-by: Bartosz Markowski <bartosz.markowski@tieto.com>
For example, the previous implementation considered [44, 48, 52, 56] to
be a valid VHT80 channel -- which it is not. This resulted in, e.g.,
failure to start CAC when channels on overlapped segments included DFS
channels.
Add a check similar to the HT40 one to prevent that. The check is
performed this way as the ACS implementation assumes the primary channel
to be the first channel in a given segment.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Previously, we printed this message as a debug one, which was confusing
in case verbose debug messages were disabled. User could think CAC
started but never ended. Add more parameterss to DFS_EVENT_CAC_START, so
external programs can more easily check what was wrong in case of
errors.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This commit adds an option to optimize AP teardown by leaving the
deletion of keys (including group keys) and stations to the driver.
This optimization option should be used if the driver supports stations
and keys removal when stopping an AP.
For example, the optimization option will always be used for cfg80211
drivers since cfg80211 shall always remove stations and keys when
stopping an AP (in order to support cases where the AP is disabled
without the knowledge of wpa_supplicant/hostapd).
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Previously, both this and combination of OUI_WFA and P2P_OUI_TYPE were
used. Using the full 32-bit value as a single operation saves a bit in
code size, so start moving towards using it more consistently when
writing or finding the P2P vendor specific element.
Signed-off-by: Rahul Jain <rahul.jain@samsung.com>
The following if statements set the new_op_mode value in all cases,
so there is no need to initialize this to 0 first. This removes a
static analyzer warning.
Signed-off-by: Jouni Malinen <j@w1.fi>
The pos variable was not used between its first and second assignment.
Clean this up by using the pos variables instead of the buf (start of
the buffer).
Signed-off-by: Jouni Malinen <j@w1.fi>
If hapd_iface->bss[i] == NULL, this could have resulted in NULL pointer
dereference in the debug print. Avoid this by skipping the message in
case of NULL pointer. In addition, clear iface->bss[i] to NULL for
additional robustness even though this array gets freed immediately.
Signed-off-by: Jouni Malinen <j@w1.fi>
This seemed to be fine on most code paths, but the code was complex
enough to make the analysis difficult (and a bit too much for static
analyzers). There is no harm in forcing these parameters to be
initialized, so do that to make sure they cannot be left uninitialized.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like leaving behind the freed pointed at the end of the array
could end up in a crash triggered by double free in some cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd.conf parameter subscr_remediation_url can be used to
define the URL of the Subscription Remediation Server that will be added
in a WFA VSA to Access-Accept message if the SQLite user database
indicates that the user need subscription remediation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd can now be configured to advertise OSU Providers with the
new osu_* confgiuration parameters.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd can now be configured to provide access for icon files
(hs20_icon config file parameter) for OSU. The hs20_icon data contains
additional meta data about the icon that is not yet used, but it will be
needed for the OSU Providers list ANQP element.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the authentication server includes the WFA HS 2.0 Session Info URL
AVP in Access-Accept, schedule ESS Disassociation Imminent frame to be
transmitted specified warning time prior to session timeout.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the RADIUS server includes deauthentication request in Access-Accept,
send a WNM-Notification frame to the station after 4-way handshake and
disconnect the station after configurable timeout.
A new control interface command, WNM_DEAUTH_REQ, is added for testing
purposes to allow the notification frame to sent based on local request.
This case does not disconnect the station automatically, i.e., a
separate control interface command would be needed for that.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the RADIUS server includes the WFA RADIUS VSA in Access-Accept to
indicate need for subscription remediation, copy the server URL from
the message and send it to the station after successfully completed
4-way handshake (i.e., after PTK is set to allow PMF to work) in a
WNM-Notification.
AP must not allow PMKSA caching to be used after subscription
remediation association, so do not add the PMKSA cache entry whenever
the authentication server is indicating need for subscription
remediation. This allows station reassociation to use EAP authentication
to move to non-remediation connection.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the station indicated support for Hotspot 2.0, send its release
number and PPS MO ID in Access-Request messages using the WFA RADIUS
VSA.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The Access-Request frames are used to inform the RADIUS server about the
Hotspot 2.0 release number supported by the AP.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Subscription remediation notification can now be sent from hostapd with:
hostapd_cli hs20_wnm_notif 02:00:00:00:00:00 http://example.com/foo/
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The HS 2.0 Indication element from hostapd now includes the release
number field and the new ANQP Domain ID field. This ID can be configured
with anqp_domain_id parameter in hostapd.conf.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Allow mixed DFS and non-DFS channels, e.g., VHT160 on channels 36-64.
This is useful for testing VHT160 with mac80211_hwsim.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
The regulatory rules in Japan do not allow OFDM to be used on channel
14. While this was to some extend assumed to be enforced by drivers
(many of which apparently don't), it is safer to make hostapd enforce
this by disabling any OFDM-related functionality. This tries to avoid
backwards compatibility issues by downgrading the mode rather than
rejecting the invalid configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add configuration of Spectrum Management subfield in the Capability
Information of Beacon, Probe Response, and Association Response frames.
Spectrum Management bit is set when directly requested by new
configuration option spectrum_mgmt_required=1 or when AP is running on
DFS channels. In the future, also TPC shall require this bit to be set.
Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
Add Power Constraint information element to Beacon and Probe Response
frames when hostapd is configured on 5 GHz band and Country information
element is also added. According to IEEE Std 802.11-2012 a STA shall
determine a local maximum transmit power for the current channel based
on information derived from Country and Power Constraint elements.
In order to add Power Constraint element ieee80211d option need to be
enabled and new local_pwr_constraint config option need to be set to
unsigned value in units of decibels. For now this value is statically
configured but the future goal is to implement dynamic TPC algorithm
to control local power constraint.
Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
This allows NAS-IP-Address, NAS-Identifier, and NAS-IPv6-Address to be
included in the Disconnect-Request packets.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When a station is disconnected based on Disconnect-Request, it is better
to force the station to go through full EAP authentication if it tries
to reconnect.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It is possible for an ER to send an unexpected PutWLANResponse action
when the destination STA is in disassociated, but not fully
deauthenticated state. sta->eapol_sm can be NULL in such state and as
such, it would be possible to hit a NULL pointer dereference in the
eapol_auth_eap_pending_cb() call at the end of the
hostapd_wps_probe_req_rx() when trying to proxy the WPS message to the
station. Fix this by validating that sta->eapol_sm is set before
processing the message.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In function ieee802_1x_get_mib_sta(), eap_server_get_name() may return
NULL, and it could be dereferenced immidiately by os_snprintf() (if the
snprintf implementation does not handle NULL pointer).
Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
Initialize variables explicitly to avoid [-Wmaybeuninitialized] compiler
warning in hostapd_handle_dfs() and
hostapd_dfs_start_channel_switch_cac() functions.
Signed-hostap: Max Stepanov <Max.Stepanov@intel.com>
Confirm-before-commit validation step allowed execution to continue on
error case. This could result in segfault in sae_check_confirm() if the
temporary SAE data was not available (as it would not be, e.g., in case
of an extra SAE confirm message being received after successful
exchange). Fix this by stopping SAE processing immediately after
detecting unexpected state for confirm message. In addition, make the
public sae.c functions verify sae->tmp before dereferencing it to make
this type of bugs less likely to result in critical issues.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, unconfigured state was forcing the best supported
authentication and encryption state to be shown in WPS messages,
including AP Settings in M7 in case the AP acts as an Enrollee. This is
not really correct for the AP Settings case, so change that one to
indicate the currently configured state.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
It is possible for the driver to report Beacon RX prior to hostapd
having completed AP mode setup, e.g., when changing country code. Beacon
frame processing for OLBC was not prepared for this and could trigger
segfault due to NULL pointer dereference. Fix this by ignoring the
Beacon frames received prior to completing interface setup when
determining OLBC updates.
Signed-hostap: Jouni Malinen <j@w1.fi>
Before this patch, 1 second timeout was used for regulatory updates. In
some cases, specially when we reload driver modules on some slower
platforms this could take more than 1 second (about 2 seconds). This is
important specially for DFS case, where we have to have correct DFS
region before we will start CAC. In other case (unknown DFS region), CAC
will fail. 5 seconds should be enough for all cases.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
1. In wpa_config_process_bgscan() fix memory leak after
calling wpa_config_parse_string()
2. In hostapd_config_defaults(), on failure to allocate bss->radius,
conf->bss was not freed.
3. In p2p_deauth_nofif(), memory allocated in p2p_parse_ies() was not
freed in case of NULL minor_reason_code.
4. In p2p_disassoc_nofif(), memory allocated in p2p_parse_ies() was
not freed in case of NULL minor_reason_code.
5. In p2p_process_go_neg_conf(), memory allocated was not freed in
case that the P2P Device interface was not waiting for a
GO Negotiation Confirm.
6. In wpa_set_pkcs11_engine_and_module_path(), the wrong pointer was
checked.
Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
This new mechanism allows P2P Client to request an IPv4 address from the
GO as part of the 4-way handshake to avoid use of DHCP exchange after
4-way handshake. If the new mechanism is used, the assigned IP address
is shown in the P2P-GROUP-STARTED event on the client side with
following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP
address is included in the AP-STA-CONNECTED event on the GO side as a
new ip_addr parameter. The IP address is valid for the duration of the
association.
The IP address pool for this new mechanism is configured as global
wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask,
ip_addr_star, ip_addr_end. For example:
ip_addr_go=192.168.42.1
ip_addr_mask=255.255.255.0
ip_addr_start=192.168.42.2
ip_addr_end=192.168.42.100
DHCP mechanism is expected to be enabled at the same time to support P2P
Devices that do not use the new mechanism. The easiest way of managing
the IP addresses is by splitting the IP address range into two parts and
assign a separate range for wpa_supplicant and DHCP server.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The contents of the WPS connection handover select message was modified
to include the Registrar public key hash instead of the credential.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new NFC connection handover design requires the AP/Registrar to
process the connection handover request message received from the
Enrollee. Add control interface commands for handling this.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When GAS is used with PMF negotiated, Protected Dual of Public Action
frames are expected to be used instead of Public Action frames, i.e.,
the GAS/ANQP frames are expected to be encrypted. Add support for this
different category of Action frames being used for GAS. The payload
after the Category field is identical, so the only change is in using
the Category field based on what was received in the request frames. For
backwards compatibility, do not enforce protected dual to be used on the
AP side, i.e., follow what the station does.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Due to misplaced parenthesis, unprotected not-Robust Action frames
(e.g., Public Action frames) were dropped in handle_assoc() when such
frames were received during an association that had negotiated use of
PMF. This is not correct since only unprotected Robust Action frames
were supposed to be handled in this way.
This would have broken any Public Action frame use during PMF
association, but such frames were not really supposed to be used
currently (ANQP as the only possible use case should really use
protected dual option in such case).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
While iterating over the stations hostapd_ctrl_iface_sta_mib()
might be called with sta == NULL. Fix this.
Signed-hostap: Ilan Peer <ilan.peer@intel.com>
It is possible for the configuration to be temporarily invalid when
adding a new AP through SET commands followed by ENABLE. Avoid this
issue by using less strict validation on SET commands and perform full
configuration validation only on ENABLE. Use cases with configuration
file maintain their previous behavior, i.e., full validation after the
file has been read.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is just like the same command in wpa_supplicant, i.e., "hostapd_cli
status driver" can be used to fetch information about the driver status
and capabilities.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit e2f5a9889a was supposed to prevent
new scan request from pushing out the old one. However, it did not
really do that since eloop_deplete_timeout() returned 0 both for the
case where the old timeout existed (and was sooner) and if the old
timeout did not exist. It returned 1 only for the case where an old
timeout did exist and was larger than the new requested value. That case
used to result in wpa_supplicant_req_scan() rescheduling the timeout,
but hew code in eloop_deplete_timeout() did the exact same thing and as
such, did not really change anything apart from the debug log message.
Extend the eloop_deplete_timeout() (and eloop_replenish_timeout() for
that matter since it is very similar) to return three different values
based on whether the timeout existed or not and if yes, whether it was
modified. This allows wpa_supplicant_req_scan() to schedule a new
timeout only in the case there was no old timeout.
Signed-hostap: Jouni Malinen <j@w1.fi>
This debugging mechanism has now been deprecated by the control
interface commands that can be used to fetch same internal information
from hostapd in a more convenient way. Leave the empty USR1 signal
handler and configuration file parameter for backwards compatibility.
They can be removed in future versions of hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
The per-STA/Supplicant state information from the EAPOL authenticator
is now available through "STA <MAC Address> eapol" command.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds TX/RX statistics and information about association into the
per-STA data that is available through the hostapd control interface. In
addition, information about the EAP method is now included with the IEEE
802.1X data.
Signed-hostap: Jouni Malinen <j@w1.fi>
intval is marked le16 and should be used through proper byte order
conversion functions even if it ended up getting set correctly due to
the two operations cancelling each other.
Signed-hostap: Jouni Malinen <j@w1.fi>
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.
Signed-hostap: Jouni Malinen <j@w1.fi>
This driver event was used separately for some Action frames, but all
the driver wrappers converted to this from information that would have
been enough to indicate an EVENT_RX_MGMT event. In addition, the
received event was then converted back to a full IEEE 802.11 management
frame for processing in most cases. This is unnecessary complexity, so
get rid of the extra path and use EVENT_RX_MGMT for Action frames as
well as other management frame subtypes.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 88b32a99d3 added support for using
some Action frame processing in hostapd for drivers that handle most of
SME/MLME internally (it added FT, this has since be extended for SA
Query and WNM). However, this was added in a way that ended up getting
both the hostapd_rx_action() and hostapd_action_rx() called for Action
frames. This could result in an attempt to process FT, SA Query, and WNM
Action frames twice.
There is need for more significant cleanup in Action frame processing in
hostapd depending on the driver type, but as a simple step to avoid
issues, skip the hostapd_action_rx() call if hostapd_rx_action()
processed the frame.
Signed-hostap: Jouni Malinen <j@w1.fi>
Even though this is a short timeout, it is at least theoretically
possible for the interface to be removed while waiting for
reconfiguration to start. Avoid issues with this by cancelling the
timeout on any WPS interface deinit. In theory, this should be postponed
until interface removal, but that does not fit very nicely to the
current wps_hostapd.c style.
Signed-hostap: Jouni Malinen <j@w1.fi>
It was already possible to configure hostapd and wpa_supplicant to use
FT-SAE for the key management, but number of places were missing proper
AKM checks to allow FT to be used with the new AKM.
Signed-hostap: Jouni Malinen <j@w1.fi>
Action frame RX report through EVENT_RX_ACTION did not indicate whether
the frame was protected or not even though that information is available
in mlme_event_mgmt(). hostapd_rx_action() has a workaround for setting
the protected flag for SA Query frames, but that did not apply for other
frames, like FT Action. This broke FT-over-DS when PMF is enabled with
newer kernel versions (i.e., the ones that do not use monitor interface
for receiving management frames).
Signed-hostap: Jouni Malinen <j@w1.fi>
This is not really needed for anything and the standard does not require
such validation step to be made for Authentication frame transmission.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be useful for displaying the current STA state and also for
determining whether some operations are likely to fail or need
additional delay.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd_drv_wnm_oper() needs to indicate an error if the driver callback
function is not implemented. Without this, the buf_len argument could
have been left uninitialized which could result in crashing the process.
Signed-hostap: Jouni Malinen <j@w1.fi>
This makes it easier to trigger the ESS Disassociation Imminent
operation from different sources.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds first steps at processing a BSS Transition Management Query on
the AP side. Mainly, the message is parsed and printed out in the debug
log and a minimal BSS Transition Management Request frame is sent as a
response. BSS Transition Management Response frame is also parsed and
details printed out in the debug log.
Signed-hostap: Jouni Malinen <j@w1.fi>
The previous version could end up calling WPA authenticator routines
even though the authenticator had not been initialized and this could
result in NULL pointer dereference.
Signed-hostap: Jouni Malinen <j@w1.fi>
Reduce race condition of the station trying to reconnect immediately
after AP reconfiguration through WPS by rescheduling the reload
timeout to happen after EAP completion rather than the originally
scheduled 100 ms after new configuration became known.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This enables more convenient protocol testing of station side
functionality in various error cases and unexpected sequences without
having to implement each test scenario within hostapd.
ext_mgmt_frame_handle parameter can be set to 1 to move all management
frame processing into an external program through control interface
events (MGMT-RX and MGMT-TX-STATUS) and command (MGMT_TX).
Signed-hostap: Jouni Malinen <j@w1.fi>
These files have been distributed only under the BSD license option
since February 2012. Clarify the license statements in the files to
match that to avoid confusion.
Signed-hostap: Jouni Malinen <j@w1.fi>
If configuration of the group key to the driver fails, move the WPA
group into failed state and indication group setup error to avoid cases
where AP could look like it is working even through the keys are not set
correctly.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds initial parts for supporting the new GCMP-256, CCMP-256,
BIP-GMAC-128, BIP-GMAC-256, and BIP-CMAC-256 cipher suites.
Signed-hostap: Jouni Malinen <j@w1.fi>
If secondary channel is provided for CSA, advertise it in the Secondary
Channel Offset element in Beacon and Probe Response frames.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When CSA flow starts, store the entire struct hostapd_freq_params and
not only CS frequency as it was before. The additional freq_params are
required to advertise CS supplementary IEs such as secondary channel,
wide bandwidth CS, etc.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This allows use of structs (and not only pointers) defined in drivers.h.
Remove also some not needed forward declarations and redundant includes.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Wall time jumps shouldn't affect MMIC failure/TKIP countermeasures,
so use monotonic time. Change the michael_mic_failure variable to
struct os_reltime for type-safety.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Since the PMKSA cache only uses relative time, use the monotonic time
functions instead of wall time to be correct when the clock jumps.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
For type-safety, make sta->acct_session_start a struct os_reltime
and then use monotonic time for accounting. For RADIUS reporting,
continue to use wall clock time as specified by RFC 2869, but for
the session time use monotonic time.
Interestingly, RFC 2869 doesn't specify a timezone, so the value
is somewhat arbitrary.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
If more BSSes are added in config file than are supported by the driver,
segmentation fault can appear. For this case, the interface_added flag
needs to be cleared if adding a new BSS fails.
Signed-hostap: Marek Kwaczynski <marek.kwaczynski@tieto.com>
Until now DFS was simply restarting the AP when radar was detected. Now
CSA is used to perform smooth switch to the new channel. Stations not
supporting CSA will behave as before.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
This is needed for AP CSA. Since CSA must happen immediately after radar
is detected there's no time to perform CAC. Thus, radar channels must be
disabled when looking for a new channel to escape to after a radar is
detected.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
Adds support for VHT by parsing bandwidth and center_freq{1,2}.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Just the usual, with a new function os_reltime_initialized()
thrown in that checks whether time has ever been retrieved
(time can't be completely zero).
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
It is possible for the authentication server to be configured with a
PKCS #12 file that includes a private key, a server certificate, and a
CA certificate. This combination could result in server_cert and ca_cert
parameters not being present and that should still result in TLS context
getting initialized.
Signed-hostap: Jouni Malinen <j@w1.fi>
Some non-mac80211 drivers, such as ath6kl, support STA inactivity timer
in firmware and may not provide connected stations' idle time to the
userspace. If the driver indicates support for offloaded operation, do
not start the inactivity timer in the hostapd.
Signed-hostap: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
struct beacon_data contains a lot of pointers. Make sure it gets cleared
to zero if hostapd_build_beacon_data() gets called from a path that does
not clear the structure first.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Check if the BSS interface has started before setting beacon.
Lack of this condition can cause segmantation fault.
Signed-hostap: Marek Kwaczynski <marek.kwaczynski@tieto.com>
Commit de3cdf354a adding copying of the
STA's VHT capabilities into the STA entry on the AP. This was done in
allocated memory, but that new memory allocation was not freed anywhere.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The 'started' state was tracked incorrectly. It also broke DFS
as it was using hostapd_enable/disable_iface() functions.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
Add chan_switch to the control interface of wpa_supplicant and hostapd,
and also to wpa_cli and hostapd_cli.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Build CSA settings and call the driver to perform the switch. Construct
Beacon, Probe Response, and (Re)Association Response frames both for CSA
period and for the new channel. These frames are built based on the
current configuration. Add CSA IE in Beacon and Probe Response frames.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
We were not filtering the EVENT_CHANNEL_LIST_CHANGED events based on the
regulatory hint initiator. So wait for EVENT_CHANNEL_LIST_CHANGED event
after our own change was triggered even when regulatory hint initiator
was the driver. This could result in the wait for the channel list to be
updated to be terminated before the real change has occurred and as
such, old channel list remaining in use when configuring
hostapd/wpa_supplicant country parameter. Fix this by filtering the
hints according to the initiator and only regulatory hints initiated by
user will be used to stop the wait.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If remaining AP session timeout is less than 5 seconds
for an existing station, replenish the timeout to 5 seconds.
This allows stations to be able to recycle a dialog token
value beyond 5 seconds for GAS exchange.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add a parameter to send the overlapping BSS scan parameter
information element. This will require clients to perform
background scans to check for neigbors overlapping this
HT40 BSS. Since the implementation is incomplete it should
only be used for testing.
Signed-hostap: Paul Stewart <pstew@chromium.org>
It is possible for additional BSSs to be added while the primary
interface is still in the process of determining channel parameters (HT
co-ex scan, ACS, DFS). Do not enable secondary interfaces in such state
immediately, but instead, wait for the pending operation on the primary
interface to complete. Once that's done, the added extra BSSs will also
be enabled in hostapd_setup_interface_complete().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Reject multiple calls to hostapd_setup_bss() for any specific interface.
hostapd_cleanup() must have been called first before trying to restart a
BSS.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd_bss_deinit() takes care of freeing the associated stations and
calling hostapd_cleanup() to deinit per-BSS services.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This reverts parts of commit 390e489c0d
that tried to enable removal of the first BSS. Since that operation is
now forced to remove all BSSs, these changes are not needed. The
hostapd_if_remove() operation in hostapd_free_hapd_data() is problematic
for the first BSS since it ends up freeing driver wrapper information
that is needed later when deinitializing the driver wrapper.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Since the control interface is now initialized as part of
hostapd_setup_interface(), it needs to be deinitialized on the error
path.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If a secondary BSS is removed while it is waiting for the primary BSS to
complete channel setup (e.g., due to HT co-ex scan, ACS, or DFS), the
hostapd_data instance has not yet been initialized. Fix the BSS removal
code to take this special case into account and not try to deinitialize
the hostapd_data instance that has not yet been started.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The changes in commit 5592065850 to allow
any BSS to be removed were a bit too early since there are still number
of areas that use the first BSS as a special case. Especially the
driver_ops API is going to require quite a bit of cleanup before removal
of the first BSS without the other BSSes of the same radio can be done
safely.
For now, force all BSSs to be removed in case the first one is removed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Limit the calls to eloop_terminate() to happen only for the
initialization failure from the interfaces that we specified on the
command line. This allows hostapd process to continue operating even if
a dynamically added interface fails to start up. This allows the upper
layer software to fix a configuration error and retry.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd_set_freq_param() rejected the 20 MHz channel case with
vht_enabled due to the existing validation step including only 5 GHz (to
be more exact, only >= 5000 MHz). While the behavior may not be fully
defined for 2.4 GHz, we can enable this based on driver capability
advertisement to fix automatic VHT selection for P2P use cases.
mac80211_hwsim advertises VHT for 2.4 GHz band and that resulted in
failures when trying to start GO on that band with vht=1 parameter.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
NL80211_ATTR_CENTER_FREQ1 is defined to be used for anything but 20 MHz
bandwidth, so it could be unset for 20 MHz channels. Do not use it to
override center frequency from NL80211_ATTR_WIPHY_FREQ (if available)
for 20 MHz channels to avoid clearing frequency.
Signed-hostap: Jouni Malinen <j@w1.fi>
Better share the same function for initializing control interface from
the two possible paths that can add a new interface to hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is a per-BSS configuration parameter and as such, needs to be
configured to the driver from hostapd_setup_bss() instead of
hostapd_driver_init().
Signed-hostap: Jouni Malinen <j@w1.fi>
DFS operations are specific to the interface (radio/wiphy), not BSS
(netdev/vif), so hostapd_iface is the appropriate element to use in
them.
Signed-hostap: Jouni Malinen <j@w1.fi>
If per-BSS configuration enabling did not provide a phy name, iface->phy
was left empty. It can be helpful to set this up automatically, so fill
that when initializing the interface.
Signed-hostap: Jouni Malinen <j@w1.fi>
Only scan the affected channels instead of all enabled channels when
determining whether the primary and secondary channel for HT40 needs to
be swapped. This speed up HT40 setup considerably on 5 GHz band.
Signed-hostap: Jouni Malinen <j@w1.fi>
If hostapd is requested to set the country code and the previous country
code differs from the new one, the channel list information from the
driver may change. This change may not be instant, so wait for an
EVENT_CHANNEL_LIST_CHANGED event before continuing interface setup with
fetching of the channel list information. This fixes issues where the
selected channel is not available based on the previous regulatory data
and update through CRDA takes some time.
Signed-hostap: Jouni Malinen <j@w1.fi>
Channel determination may take considerable time when ACS or DFS is
used, so it is useful to be able to observe this process through the
control interface. Move the initialization of the control interfaces to
happen before channel determination so that this can be achieved.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use hostapd_interface_init2() for all interfaces instead of the
previously used different paths for per-interface-config and
per-BSS-config cases. This moves the calls to hostapd_driver_init() and
hostapd_setup_interface() to happen after all configuration files have
been read.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, ENABLE command ended up freeing the hostapd_iface context on
initialization failures, but did not even remove the interface from the
list of available interfaces. This resulted in use of freed memory with
any following operation on the same interface. In addition, removing the
interface on initialization failure does not seem like the best
approach. Fix both of these issues by leaving the interface instance in
memory, but in disabled state so that the configuration can be fixed and
ENABLE used again to enable the interface or REMOVE used to remove the
interface.
Signed-hostap: Jouni Malinen <j@w1.fi>
When removing and re-adding the first wlan# netdev to hostapd
dynamically, the netdev is already present and should not be removed and
re-added to maintain its state as not-added-by-hostapd so that it does
not get removed automatically.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The global control interface command "REMOVE <ifname>" can now be used
to remove a single virtual interface (BSS) without affecting other
virtual interfaces on the same radio.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The global control interface command "ADD
bss_config=<phyname>:<config file>" can now be used to add a single
virtual interface (BSS) to an interface.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This moves the vif added check from core hostapd to the driver wrapper
(only driver_nl80211.c uses this) and reorders operations a bit to allow
the first BSS (vif) to be removed from a multi-BSS setup.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Return control flow to hostapd by calling hostapd_acs_completed()
if requesting a scan from the underlying device fails.
Signed-hostapd: Helmut Schaa <helmut.schaa@googlemail.com>
If radar was detected single BSS is notified about it. This caused only
that single BSS to be stopped and restarted. However, due to nl80211
interface combinations the BSS was not started on a new channel and
other BSSes remained operating on the old channel.
The downside is that hostapd_disable_iface() causes deauth frames to be
sent. This is undesired but on the other hand it doesn't make sense to
create workarounds that imitate CSA's 'block tx'. For proper Tx
quiescing CSA should be properly implemented.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Decouple HT/VHT offset/center-freq calculations from channel lookup.
This will be necessary for further improvements on the DFS codebase.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
Reject RELOAD control interface command if the dynamic configuration
changes have resulted into a state where the configuration is invalid.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows the configuration validation routines to be called from
src/ap/*.c for runtime updates of configuration without reprocessing the
full configuration file.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This provides a new option for configuring multiple virtual interfaces
(BSS) that share a single radio. The new command line parameter
-b<phyname>:<config file name> is used to define one or more virtual
interfaces for each PHY. The first such entry for a new PHY is used to
initialize the interface structure and all consecutive parameters that
have the same PHY name will be added as virtual BSS entries to that
interface. The radio parameters in the configuration files have to be
identical.
This can be used as an alternative for the bss=<ifname> separator and
multiple BSSes in a single configuration file design while still
allowing hostapd to control the PHY (struct hostapd_iface) as a group of
virtual interfaces (struct hostapd_data) so that common radio operations
like OLBC detection and HT40 co-ex scans can be done only once per real
radio.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it more convenient to move BSS configuration entries between
struct hostapd_config instances to clean up per-BSS configuration file
design.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This may be needed if the wpa_psk information for previously derived
from passphrase and either the SSID or the passphrase has changed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of duplicating the functionality and missing changes (like the
hostapd_broadcast_wep_clear() call), use the hostapd_clear_old()
function that was already used for the similar case with configuration
file reload.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Mask the remote VHT capabilities with our own capabilities, similarly
to what is done for HT capabilities.
Signed-hostap: Eliad Peller <eliadx.peller@intel.com>
Make sure the driver supports 160/80+80 MHz VHT capabilities
before trying to configure these channels.
Signed-hostap: Eliad Peller <eliadx.peller@intel.com>
When we have CAC active and receive a radar event, we should ignore
CAC_ABORT event and handle channel switch in the radar event handler.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This fixes a problem when operating on non-DFS channel and receiving a
radar event for that channel. Previously, we would have decided to
switch channels.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Add a table of available VHT80 channels. This table contains the first
available channel. We will also choose this first channel as the control
one.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Some driver wrappers may implement this by writing eight octets even
though IPN is only six octets. Use a separate WPA_KEY_RSC_LEN (8) octet
buffer in the call to make sure there is enough buffer room available
for the full returned value and then copy it to IPN field.
The previous implementation used the following igtk field as the extra
buffer and then initialized that field afterwards, so this change does
not fix any real issue in behavior, but it is cleaner to use an explicit
buffer of the maximum length for get_seqnum().
Signed-hostap: Jouni Malinen <j@w1.fi>
The VHT_CHANWIDTH_160MHZ case fell through to the default case and
printed out a debug message that was not supposed to be shown here.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously ACS required valid survey data on all available channels.
This can however not be guaranteed. Instead of just failing, fall back
to the subset of channels that have valid ACS data.
Signed-hostap: Helmut Schaa <helmut.schaa@googlemail.com>
Otherwise hostapd might hang doing nothing anymore. Propagate ACS
errors so we can fail gracefully.
Signed-hostap: Helmut Schaa <helmut.schaa@googlemail.com>
If ACS fails we still need to call hostapd_setup_interface_complete.
Otherwise hostapd will just hang doing nothing anymore. However, pass
an error to hostapd_setup_interface_complete to allow a graceful fail.
Signed-hostap: Helmut Schaa <helmut.schaa@googlemail.com>
The new bss_load_test parameter can be used to configure hostapd to
advertise a fixed BSS Load element in Beacon and Probe Response frames
for testing purposes. This functionality is disabled in the build by
default and can be enabled with CONFIG_TESTING_OPTIONS=y.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows QoS Map Set element to be added to (Re)Association Response
frames and in QoS Map Configure frame. The QoS Mapping parameters are
also made available for the driver interface.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add DFS structures/events handlers, CAC handling, and radar detection.
By default, after radar is detected or the channel became unavailable, a
random channel will be chosen.
This patches are based on the original work by Boris Presman and
Victor Goldenshtein. Most of the DFS code is moved to a new dfs.c/dfs.h
files.
Cc: Boris Presman <boris.presman@ti.com>
Cc: Victor Goldenshtein <victorg@ti.com>
Signed-hostap: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
When hostapd receives an auth frame during ACS the transmission of
the according auth response will always fail:
ACS: Automatic channel selection started, this may take a bit
[..]
send_auth_reply: send: Resource temporarily unavailable
[..]
However, a station info entry was created. Once ACS is finished
it will flush all stations even though hapd was not yet fully
initialized. This results in a segfault when trying to access
hapd->radius:
0 0x0042c1c0 in radius_client_flush_auth ()
1 0x00416a94 in ap_free_sta ()
2 0x00416cc0 in hostapd_free_stas ()
3 0x0040bce8 in hostapd_flush_old_stations ()
4 0x0040c790 in hostapd_setup_interface_complete ()
5 0x0046347c in acs_scan_complete ()
6 0x0040f834 in hostapd_wpa_event ()
7 0x0043af08 in send_scan_event.part.46 ()
8 0x00443a64 in send_scan_event ()
9 0x00443c24 in do_process_drv_event ()
10 0x004449e8 in process_global_event ()
11 0x7767d7d0 in ?? ()
Fix this by not presuming anything about the initialization state of
hapd and checking ->radius before accessing.
Signed-off-hostapd: Helmut Schaa <helmut.schaa@googlemail.com>
There is no need to use the bss variable which is used only within a
wpa_printf() call that can be conditionally removed from the build.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This extends hostapd global control interface command "ADD" to use a
configuration file instead of requiring configuration to be built using
SET command.
The command format is now following:
ADD <ifname> <control path|config=<path to config>>
For example:
ADD wlan0 /var/run/hostapd
ADD wlan0 config=/tmp/hostapd.conf
When using the configuration file option, ctrl_interface parameter in
the file needs to be set to allow ENABLE command to be issued on the new
interface.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There was a comment about the the cleanup steps being from
hostapd_cleanup_iface(). However, the operations that cleared some
security parameters do not seem to exist elsewhere and do not make sense
here. Remove them to avoid changing configuration with DISABLE followed
by ENABLE.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This fixes some issues where dynamic interface enable/disable cycles
could end up trying to free resources twice and crash the process while
doing so.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new control interface command P2P_REMOVE_CLIENT <P2P Device
Address|iface=Address> can now be used to remove the specified client
from all groups (ongoing and persistent) in which the local device is a
GO. This will remove any per-client PSK entries and deauthenticate the
device.
Signed-hostap: Jouni Malinen <j@w1.fi>
Record all generated per-client PSKs in the persistent group network
block and configure these for the GO Authenticator whenever re-starting
the persistent group. This completes per-client PSK support for
persistent groups.
Signed-hostap: Jouni Malinen <j@w1.fi>
When using per-device PSKs, select the PSK based on the P2P Device
Address of the connecting client if that client is a P2P Device. This
allows the P2P Interface Address to be changed between P2P group
connections which may happen especially when using persistent groups.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to implement per-device PSK selection based on the
peer's P2P Device Address instead of P2P Interface Address.
Signed-hostap: Jouni Malinen <j@w1.fi>
This makes the P2P Device Address of the Enrollee available with the PSK
records to allow P2P Device Address instead of P2P Interface Address to
be used for finding the correct PSK.
Signed-hostap: Jouni Malinen <j@w1.fi>
"wpa_cli p2p_set per_sta_psk <0/1>" can now be used to disable/enable
use of per-device PSKs in P2P groups. This is disabled by default.
When enabled, a default passphrase is still generated by the GO for
legacy stations, but all P2P and non-P2P devices using WPS will get
a unique PSK.
This gives more protection for the P2P group by preventing clients from
being able to derive the unicast keys used by other clients. This is
also a step towards allowing specific clients to be removed from a group
reliably without having to tear down the full group to do so.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds ACS support to hostapd. Currently only survey-based
algorithm is available.
To use ACS you need to enable CONFIG_ACS=y in .config and use
channel=0 (or channel=acs_survey) in hostapd.conf.
For more details see wiki page [1] or comments in src/ap/acs.c.
[1]: http://wireless.kernel.org/en/users/Documentation/acs
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
This adds survey dump support for all frequencies
and for specific desired frequencies. This will later
be used by ACS code for spectrum heuristics.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
This splits up the channel checking upon initialization into a few
helpers. This should make this a bit easier to follow. This also paves
the way for some initial ACS entry code.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
According to WSC specification (Ver 2.0.2, section 8.3), RF Bands
attribute should be set to the specific RF band used for the current
message. Add an option to set wanted band in wps_build_rf_bands() and
add a callback to get the current band from wpa_supplicant and hostapd.
Signed-hostap: David Spinadel <david.spinadel@intel.com>
The pad field in the RRB messages is unused, but it should be
initialized to avoid sending out arbitrary data from stack. This was
also generating number of valgrind complaints about uninitialized memory
accesses in local FT tests.
Signed-hostap: Jouni Malinen <j@w1.fi>
The static WEP keys have to be configured for the new VLAN
interface that is created for a 4addr WDS peer, not doing so
breaks WEP functionality in nl80211/4addr based WDS links.
Signed-hostap: Sujith Manoharan <c_manoha@qca.qualcomm.com>
In a AP/STA concurrent setup, if the STA interface is continually
scanning, trying to connect to a network, the AP interface
is basically broken since beaconing would be erratic.
This option can be used in a WDS setup where one AP acts as a
Client/AP-Repeater. The Repeater AP interface has to start beaconing
only after the Client interface has established a WDS link with the
"Root AP".
Signed-hostap: Sujith Manoharan <c_manoha@qca.qualcomm.com>
The new server_id parameter in hostapd.conf can now be used to specify
which identity is delivered to the EAP peer with EAP methods that
support authenticated server identity.
Signed-hostap: Jouni Malinen <j@w1.fi>
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.
hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).
This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).
Signed-hostap: Jouni Malinen <j@w1.fi>
Currently, hostapd_get_vlan_id_ifname() is used to determine if a given
vlan is valid *and* to actually determine the interface. This leads to
wpa_set_keys() sometimes setting the key on the wildcard interface name,
which does not make sense.
This patch therefore adds hostapd_vlan_id_valid() and makes
hostapd_get_vlan_id_ifname() not return a wildcard interface.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently, struct hostapd_vlan is a per-BSS data structure which
also contains informations about whether to remove the bridge
or clear wlan / tagged-vlan interface from the bridge.
In a multi-interface multi-BSS setup, this can lead to the following
race condition:
1. wlan0 creates VLAN A, sets DVLAN_CLEAN_BR and DVLAN_CLEAN_VLAN_PORT
2. wlan1 creates VLAN A, does not set DVLAN_CLEAN_BR and
DVLAN_CLEAN_VLAN_PORT as already there
3. wlan0 removes VLAN A, removes tagged-interface from the bridge
but not the bridge.
Now wlan1 VLAN A is unusable due to the missing uplink.
4. wlan1 removes VLAN A, does not cleanup
Solution:
This requires an inter-BSS inter-interface data structure to track the
bridge / bridge port usage within hostapd. This data structure could
also be used to track any other device-has-been-created-by-hostapd
information or when regarding interface freeing.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently by default, all BSS share the bridge brvlan%d.
While this is sane when no tagged-interface is given, this
is insane when different tagged interfaces are given, as
it would result in bridging those tagged interfaces.
This patch therefore uses br%s%d with %s=tagged_interface
and %d=VLAN ID as bridge name when a tagged-interface is given.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently, when different BSS using different tagged vlan
interfaces, they are forced to share the bridge brvlan#,
which is not desirable.
This patch fixes this by making the bridge name configurable.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
If AP mode SME/MLME within wpa_supplicant is used for processing Probe
Request frames in GO mode, drop Probe Request frames that include only
802.11b rates per P2P spec section 2.4.1.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Upon association, disable the timer that removes the dummy STA. This
timer caused the STA that associates within 5 seconds of doing an ANQP
query to disassociate, thinking it's a dummy STA. Similar call was
already there for the SME/MLME-in-hostapd case in handle_auth(), but the
SME-in-driver case was not previously addressed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up debug log by not including comments about failed
operations in case the operation is known to fail due to not being
supported by the driver.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Enable MAC address based ACL for the drivers which advertise
this capabilty with NL80211_ATTR_MAC_ACL_MAX. Either of blacklist
or whitelist is supported, though, not simultaneously.
Signed-hostap: Vivek Natarajan <nataraja@qca.qualcomm.com>
This is needed to avoid allowing the STA to reconnect using a cached
PMKSA. ESS disassoc imminent notification is normally used to indicate
that the STA session will be terminated and as such, requiring full
authentication through the authentication server after this is needed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The hostapd_cli ess_disassoc command now takes three arguments (STA MAC
address, timeout in ms, URL) and the STA is disconnected after the
specified timeout.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
These events are sent as a special case to both the group interface and
"parent interface" (i.e., the interface that was used for managing P2P
negotiation). The latter is not really correct event, so get rid of it
with the new global control interface design where there is no need to
support legacy upper layer implementations.
Signed-hostap: Jouni Malinen <j@w1.fi>
This patch is based on the original work by Boris Presman and
Victor Goldenshtein. Channel Switch Announcement support has been
removed and event handling as well as channel set handling was
changed, among various other changes.
Cc: Boris Presman <boris.presman@ti.com>
Cc: Victor Goldenshtein <victorg@ti.com>
Signed-hostap: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Since "pairwise" is defined as an integer, the current assignment leads
to it having the value 0 or 8, which is a bit strange in debug output:
WPA: Send EAPOL(version=2 secure=1 mic=1 ack=1 install=1 pairwise=8
kde_len=46 keyidx=2 encr=1)
Use !!(...) to normalize it to 0 or 1.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
For some testing it can be useful to force the Key MIC in group
EAPOL-Key frames to be corrupt. Add an option to allow setting a
probability for corrupting the Key MIC and use it in the WPA code,
increasing the first byte of the MIC by one to corrupt it if desired.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
There are quite a few places in the current implementation where a nul
terminated string is generated from binary data. Add a helper function
to simplify the code a bit.
Signed-hostap: Jouni Malinen <j@w1.fi>
My APs generate their configuration on their own using a different
number of (vlan-enabled) bss. Currently, all my vlan_file files consist
of a single line: the wildcard line. Configuration file generation would
be easier, if the hostapd configuration file would not depend on those
simple vlan_file files.
This patch removes the need for those one-line files by using the
<device>.<vlan> naming scheme if no vlan_file is given (or that file is
empty). This should not break any existing setup, as using dynamic_vlan
with no vlan configured does not make sense anyway.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
In order to test clients in scenarios where APs may (randomly)
drop certain management frames, introduce some testing options
into the hostapd configuration that can make it ignore certain
frames. For now, these are probe requests, authentication and
(re)association frames.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Some extended capabilities (I'm currently interested in "Operating Mode
Notification" for VHT) are implemented by the kernel driver and exported
in nl80211. Use these in hostapd/wpa_supplicant.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The new wps_independent=1 configuration parameter can be used to remove
interfaces from the shared hostapd process WPS control (i.e., to apply
WPS operations only to a subset of interfaces instead of all).
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows WPS to update AP configuration in the case no hostapd
configuration file is used (i.e., dynamic configuration through the
control interface).
Signed-hostap: Jouni Malinen <j@w1.fi>
When the OS is out of random bytes in SM_STATE(WPA_PTK, AUTHENTICATION2)
in ap/wpa_auth.c, hostapd sends the sm to state DISCONNECT without
clearing ReAuthenticationRequest, resulting in an infinite loop.
Clearing sm->ReAuthenticationRequest using gdb fixes the running hostapd
instance for me. Also sm->Disconnect = TRUE should be used instead of
wpa_sta_disconnect() to make sure that the incomplete ANonce does not
get used.
Fix this issue by resetting sm->ReAuthenticationRequest even if the STA
gets disconnected and use sm->Disconnect instead of
wpa_sta_disconnect().
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
A non-HT capable AP on any channel could have triggered us to enable
protection regardless of own operating channel if the driver delivered
Beacon frames from other channels. The channel detection in ap_list is
not exactly ideal, but most cases can be handled by checking ap->channel
against the currently configured channel (or secondary channel in case
of HT40).
Signed-hostap: Jouni Malinen <j@w1.fi>
This iter_next/iter_prev pointers were not really used for anything, so
get rid of the unnecessary complexity in the AP list maintenance.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new -G<group> command line argument can now be used to set the group
for the control interfaces to enable cases where hostapd is used without
a configuration file and the controlling program is not running with
root user privileges.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit b52f084cfa introduced a mechanism
for adding arbitrary vendor-specific elements into the Beacon and Probe
Response frames. However, this information was not added to the separate
buffers used for specifying Beacon and Probe Response IEs for drivers
that build the frames internally. Add vendor_elements to these values,
too, to support such drivers in addition to drivers that use the full
Beacon tail/head buffers.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Clear WLAN_STA_ASSOC_REQ_OK, otherwise no Class 3 frame will be sent to
the disconnected STA in response to data frames.
Signed-hostap: Felix Fietkau <nbd@openwrt.org>
The VHT IE struct just has an opaque 8-byte array for the MCS
set, make it more expressive by explicitly naming the pieces.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
WSC specification 2.0 section 7.4 describes OOB password to be expressed
in ASCII format (upper case hexdump) instead of raw binary.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 2d9ffe1e85 broke GAS server
callback for receiving Public Action frames. The incorrect context
pointer was used in the public_action_cb2 case. Fix this to use the
correct context pointer.
Signed-hostap: Jouni Malinen <j@w1.fi>
"WPS_NFC_TOKEN <WPS/NDEF>" used to generate a new NFC password token
regardless of whether there was a pre-configured token in the
configuration. Change this to use the pre-configured value, if
available, instead. This allows the same command to be used to write the
password token to an NFC tag more conveniently.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Control interface command "NFC_GET_HANDOVER_SEL NDEF WPS-CR" can now be
used to fetch WPS carrier record from hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
The capability itself isn't really affected by an OBSS
scan, only the HT operation must then be restricted to
20 MHz. Change this, and therefore use the secondary
channel configuration to determine the setting of the
OP_MODE_20MHZ_HT_STA_ASSOCED flag.
This shouldn't really change anything functionally,
it just makes the code a little less confusing and
is also needed to implement more dynamic bandwidth
changes if ever desired.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When AP mode operation reject the client, nl80211 layer advertises the
connect failed event with the reason for failures (for example, max
client reached, etc.) using NL80211_CMD_CONN_FAILED.
This patch adds some debug messages whenever such an event is received
from the nl80211 layer and also the same event is posted to the upper
layer via wpa_msg().
Signed-off-by: Raja Mani <rmani@qca.qualcomm.com>
GAS server used the same public_action_cb mechanism as P2P to process
Action frames. This ended up overriding P2P processing of Action frames
while running an AP/GO interface with a build that enables Interworking
(e.g., for Hotspot 2.0) and a driver that uses hostapd for AP mode
SME/MLME. Fix this by adding a separate callback registration for the
GAS server. This should really be cleaned up by supporting arbitrary
number of callback handlers, but for now, this addresses the regression
with a minimal change.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Most of the variables are not needed anymore once the SAE instance
has entered Accepted state. Free these to save memory.
Signed-hostap: Jouni Malinen <j@w1.fi>
The optional "reason=<reason code>" parameter to the ctrl_iface
deauthenticate and disassociate commands can now be used to change the
reason code used in the disconnection frame. This can be used, e.g., by
P2P GO to disconnect a single P2P client from the group by sending it an
indication of the group getting terminated (Deauthentication frame with
reason code 3). It needs to be noted that the peer device is still in
possession on the PSK, so it can still reconnect to the group after this
if it does not follow the group termination indication.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use of two variables to track bounds checking seems to be a bit too much
for some static analyzers, so add an extra condition for buffer padding
to avoid incorrect warnings.
Signed-hostap: Jouni Malinen <j@w1.fi>
The code initializing GMK Counter uses the group pointer value as extra
entropy and to distinguish different group instances. Some static
analyzers complain about the sizeof(pointer) with memcpy, so use a more
explicit type casting to make it more obvious what the code is doing.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.
Signed-hostap: Jouni Malinen <j@w1.fi>
The enum values for struct sae_data::state now match the protocol
instance states as defined in IEEE Std 802.11-2012, 11.3.8.2.2
Signed-hostap: Jouni Malinen <j@w1.fi>
The PMKSA cache expiration timer was not actually ever initialized since
the only place for registering the timeout was in the timeout handler.
Fix this by initializing the timer whenever a new PMKSA cache entry is
added to the beginning of the list (i.e., when it was the first entry or
expires before the entry that was previously going to expire first).
[Bug 393]
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 4378fc14eb started using QoS Data
frames for QoS STAs. It used the correct flags value for WPA/RSN
EAPOL-Key frames, but wrong flags for IEEE 802.1X EAPOL frames. The
WPA_STA_WMM value used in driver_nl80211.c happens to be identical to
WLAN_STA_ASSOC in sta->flags and this makes driver_nl80211.c try to use
QoS header for all STAs. Fix this by properly converting the flags from
WLAN_STA_* to WPA_STA_*. [Bug 426]
Signed-hostap: Jouni Malinen <j@w1.fi>
Add some more functionality for BSS Transition Management:
- advertise support for BSS Transition Management in extended
capabilities element
- add hostapd.conf parameter bss_transition=1 for enabling support
for BSS Transition Management
- add "hostapd_cli disassoc_imminent <STA> <num TBTTs>" for sending
disassociation imminent notifications for testing purposes
- wpa_supplicant: trigger a new scan to find another BSS if the
current AP indicates disassociation imminent (TODO: the old AP needs
to be marked to use lower priority to avoid re-selecting it)
Signed-hostap: Jouni Malinen <j@w1.fi>
This optional attribute may make it easier to bind together the
Access-Request and Accounting-Request messages. The accounting session
identifier is now generated when the STA associates instead of waiting
for the actual session to start after successfull authentication.
Signed-hostap: Jouni Malinen <j@w1.fi>
Basic support for the 60 GHz band. Neither P2P nor WPS are yet taken
care off. Allows to start AP with very simple config:
network={
ssid="test"
mode=2
frequency=60480
key_mgmt=NONE
}
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The config says that the default for ap_table_max_size is 255 and the
default for ap_table_expiration_time is 60. But the code doesn't reflect
the default values mentioned in the sample config file.
These variables completely disable the code for Overlapping Legacy BSS
Condition by default when they are not correctly initialized. WFA
certification requires this feature and therefore an AP would have
failed the certification process unless they were initialized manually
using the configuration file.
Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
If separate hostapd processes are used for different RF bands, the
dualband parameter for WPS was not set correctly. Allow dualband
indication (mainly, addition of RF bands attribute for PBC session
overlap detection) also based on wps_rf_bands value (if set to "ag").
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows Probe Request frame processing to compare the configured
SSID to the SSID List element in addition to the SSID element.
Signed-hostap: Jouni Malinen <j@w1.fi>
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. Previously it was possible to
define CONFIG_IEEE80211V without CONFIG_WNM which would break the build.
In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and
WNM is a better term to use for this new functionality anyway.
Signed-hostap: Jouni Malinen <j@w1.fi>
pmksa_cache_free_entry() takes care of updated the list head pointer
(pmksa->pmksa), so no need to do this change in the caller.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use the shared_secret pointer from RADIUS client implementation instead
of getting this from hostapd configuration data.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds support for multiple PSKs per station when using a RADIUS
authentication server to fetch the PSKs during MAC address
authentication step. This can be useful if multiple users share a
device but each user has his or her own private passphrase.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Add the configuration option vht_oper_centr_freq_seg1_idx
for the second segment of an 80+80 MHz channel and use it
when building the VHT operation IE.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>