Commit graph

1497 commits

Author SHA1 Message Date
Jeffin Mammen
957bff83c4 FILS: Add driver-AP SME callback to set TK after association
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-23 17:47:15 +03:00
Jeffin Mammen
8acbf85fa2 FILS: Add FILS AEAD parameters for sta_auth() calls
This is used with partial AP SME in driver cases to enable FILS
association (AES-SIV) processing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-23 17:47:15 +03:00
Jeffin Mammen
6b128fb2af driver: Move sta_auth() arguments to a struct
This makes it easier to add more parameters without having to change the
callback function prototype.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-23 17:47:12 +03:00
Jeffin Mammen
d5444aac4c FILS: Add FILS Indication element into Beacon/Probe Response template
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-21 18:44:59 +03:00
Jouni Malinen
5db997e343 FILS: Add FTE into FILS Authentication frame from AP when using FILS+FT
MDE was already added with RSNE, but FTE needed to be added to the FILS
Authentication frame for the FT initial mobility domain association
using FILS authentication case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-04-02 22:38:48 +03:00
Jouni Malinen
5aa08153af FT: Add selection of FT+FILS AKMs
This is needed to enable use of FILS for the FT initial mobility domain
association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-04-02 12:57:32 +03:00
Michael Braun
c5fee1604b FT: Schedule wpa_ft_rrb_rx() through eloop in intra-process communication
With AP-AP communication, when hapd0 sends a packet, hapd1 can receive
it immediately and send a response. But hapd0 will only read and process
the response after it has returned from the sending context, that is
entered eloop again. So one does not need to consider the RX function of
the reply to run for the request sending hapd before the send calling
function has returned.

Previously, with intra-process communication, the packet is not
scheduled through eloop. Thus the RX handler of the reply might be run
while the sending context of the original request has not returned.
This might become problematic, e.g., when deferring a management frame
processing until an RRB response is received and then have the request
restarted and finished before the original request handling has been
stopped.

I'm not aware of any concrete bug this is currently triggering but came
across it while thinking of FT RRB AP-AP sequence numbering.

I think the non-eloop scheduling approach might be error-prone and thus
propose to model it more closely to the way the message would be
received from a socket. Additionally, this ensures that the tests model
AP-AP communication more closely to real world.

Solution: queue these packets through eloop.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-04-01 12:51:05 +03:00
Mohammed Shafi Shajakhan
775e986d5f hostapd: Fix crash on consecutive channel switch failures
With multiple interface like AP and station which is already
associated to some other AP, when we try to do channel switch
for the AP mode (different from the operation channel support of
station) and if the AP channel switch fails continously (including
the fallback channel switch), results in a crash due to NULL pointer
dereference. This is because hostapd_deinit_driver() assigns the
driver context (drv_priv) to NULL as we are not able to bring up
the interface with a new channel

Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
2017-03-29 15:03:16 +03:00
Vidyullatha Kanchanapally
4cc6574d00 FILS: Fix fils_cache_id check
This fixes the following compiler warning:
wpa_auth.c:4249:34: error: address of array 'a->conf.fils_cache_id'
 will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-26 21:13:21 +03:00
Jouni Malinen
1764559eef FILS: Add FILS SK auth PFS support in AP mode
This adds an option to configure hostapd to enable use of perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime configuration parameter fils_dh_group is used to enable this
by specifying which DH group to use. For example, fils_dh_group=19 would
allow FILS SK PFS to be used with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Jouni Malinen
07a5fe823e OWE: Use AKM 00-0F-AC:11 style parameters for EAPOL-Key frames
draft-harkins-owe-07.txt does not specify these parameters, so need to
pick something sensible to use for the experimental implementation. The
Suite B 128-bit level AKM 00-0F-AC:11 has reasonable parameters for the
DH group 19 case (i.e., SHA256 hash), so use it for now. This can be
updated if the OWE RFC becomes clearer on the appropriate parameters
(KEK/KCK/MIC length, PRF/KDF algorithm, and key-wrap algorithm).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
ef9627cbc7 Print the algorithms used for EAPOL-Key professing in log
This makes it easier to debug crypto algorithm selection for 4-way
handshake related functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
09368515d1 OWE: Process Diffie-Hellman Parameter element in AP mode
This adds AP side processing for OWE Diffie-Hellman Parameter element in
(Re)Association Request frame and adding it in (Re)Association Response
frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Jouni Malinen
a1ea1b4522 OWE: Define and parse OWE AKM selector
This adds a new RSN AKM "OWE".

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Jouni Malinen
941caed980 MBO: Add MBO ANQP-element processing on AP
This extends the GAS server to process MBO ANQP-elements and reply to a
query for the Cellular Data Connection Preference (if configured). The
new configuration parameter mbo_cell_data_conn_pref can be used to set
the value (0, 1, or 255) for the preference to indicate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-10 18:33:51 +02:00
Vasanthakumar Thiagarajan
7cbb5f1a44 DFS: Handle pre-CAC expired event
As FCC DFS requirement does not explicitly mention about the validity of
the (pre-)CAC when channel is switched, it is safe to assume that the
pre-CAC result will not be valid once the CAC completed channel is
switched or radar detection is not active on the (CAC completed) channel
within a time period which is allowed (10 seconds - channel switch time)
as per FCC DFS requirement.

Use the new driver event to allow the driver to notify expiry of the CAC
result on a channel. Move the DFS state of the channel to 'usable' when
processing pre-CAC expired event.  This means any future operation on
that channel will require a new CAC to be completed. This event is
applicable only when DFS is not offloaded to the kernel driver.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-03-09 17:01:50 +02:00
Vasanthakumar Thiagarajan
3dcd735c1e DFS: Handle CAC completion event from other radio
When DFS channel state is shared across multiple radios on the system it
is possible that a CAC completion event is propagated from other radio
to us. When in enabled state, do not proceed with setup completion upon
processing CAC completion event with devices where DFS is not offloaded,
when in state other than enabled make sure the configured DFS channel is
in available state before start the AP.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-03-09 16:46:30 +02:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
4c803dfcd7 ACS: Fix memory leak if interface is disabled during scan
The survey data was not freed if hostapd interface got disabled during
an ACS scan.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-04 17:30:15 +02:00
Jouni Malinen
29be2c090e ACS: Simplify code paths
This removes some unnecessarily duplicated return paths and simplifies
code paths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-04 17:30:10 +02:00
Jouni Malinen
d4359923e1 Fix DHCP/NDISC snoop deinit followed by failing re-init
It was possible to hit a double-free on the l2_packet socket if
initialization of DHCP/NDISC snoop failed on a hostapd interface that
had previously had those enabled successfully. Fix this by clearing the
l2_packet pointers during deinit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-04 11:42:15 +02:00
Jouni Malinen
ff936bc753 Make the third octet of Country String configurable
The new hostapd.conf parameter country3 can now be used to configure the
third octet of the Country String that was previously hardcoded to ' '
(= 0x20).

For example:

All environments of the current frequency band and country (default)
country3=0x20

Outdoor environment only
country3=0x4f

Indoor environment only
country3=0x49

Noncountry entity (country_code=XX)
country3=0x58

IEEE 802.11 standard Annex E table indication: 0x01 .. 0x1f
Annex E, Table E-4 (Global operating classes)
country3=0x04

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 10:58:15 +02:00
Peng Xu
5b9f46df0e hostapd: Get channel number from frequency based on other modes as well
When getting the channel number from a frequency, all supported modes
should be checked rather than just the current mode. This is needed when
hostapd switches to a channel in different band.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:24:03 +02:00
Jouni Malinen
4c8836f139 FILS: Fix fils_hlp.c build with older netinet/udp.h definitions
The __FAVOR_BSD macro was previously used in netinet/udp.h to select
between two different names of the variables in struct udphdr. Define
that to force the versions with the uh_ prefix. In addition, use the
same style consistently within fils_hlp.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:18:29 +02:00
Jouni Malinen
57a2aacabf Add option to disable broadcast deauth in hostapd on AP start/stop
The new broadcast_deauth parameter can be used to disable sending of the
Deauthentication frame whenever AP is started or stopped. The default
behavior remains identical to the past behavior (broadcast_deauth=1).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
21ed24f5ad hostapd: Fix potential mesh-related change from impacting non-mesh cases
Commit 01e2231fdc ('hostapd: Skip some
configuration steps for mesh cases') removed some operations based on
hapd->iface->mconf being NULL. This was within #ifdef CONFIG_MESH, so it
should not impact hostapd, but it can impact AP mode with
wpa_supplicant. That does not sound intentional, so make these
conditional on hapd->conf->mesh being enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
7eace3787c FILS: Find PMKSA cache entries on AP based on FILS Cache Identifier
This allows PMKSA cache entries to be shared between all the BSSs
operated by the same hostapd process when those BSSs use the same FILS
Cache Identifier value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 12:18:58 +02:00
Peng Xu
d512f406fc hostapd: Add IEEE 802.11ax HE IEs into Beacon/Probe Response frames
IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response
frames. These elements are using vendor specific forms for now since the
IEEE 802.11ax draft is not yet finalized and the element contents is
subject to change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:55 +02:00
Peng Xu
94380cb40a hostapd: Initial IEEE 802.11ax (HE) definitions
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:52 +02:00
Masashi Honma
5972dc73c1 mesh: Use correct rate in VHT and HT mixed environment
Let mesh STA A be a STA which has config disable_ht=0 and disable_vht=1.
Let mesh STA B be a STA which has config disable_ht=0 and disable_vht=0.
The mesh STA A and B was connected.

Previously, the mesh STA A sent frame with VHT rate even though its VHT
was disabled. This commit fixes the issue by checking the local BSS VHT
configuration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Masashi Honma
84ea61cffe mesh: Use correct rate in HT and legacy mixed environment
Let mesh STA A be a STA which has config disable_ht=1.
Let mesh STA B be a STA which has config disable_ht=0.
The mesh STA A and B was connected.

Previously, the mesh STA A sent frame with HT rate even though its HT
was disabled. This commit fixes the issue by checking the local BSS HT
configuration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Masashi Honma
a7a638c2c4 hw_features: Move VHT capabilities checks to common
This allows the previous AP-specific functions to be use for IBSS/mesh
setup in wpa_supplicant.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 15:53:05 +02:00
Jouni Malinen
a8e25deeb8 FT: Merge similar error paths to use common steps
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-19 12:23:21 +02:00
Jouni Malinen
834c5d6816 FILS: Fix PMK length for initial connection with FILS SHA384 AKM
While the FILS authentication cases were already using the proper PMK
length (48 octets instead of the old hardcoded 32 octet), the initial
association case had not yet been updated to cover the new FILS SHA384
AKM and ended up using only a 32-octet PMK. Fix that to use 48-octet PMK
when using FILS SHA384 AKM.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 22:15:29 +02:00
Jouni Malinen
364c064a41 FT: Check key derivation results explicitly in AP operations
Previously, any potential (even if very unlikely) local operation error
was ignored. Now these will result in aborting the negotiation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-14 16:33:01 +02:00
Jouni Malinen
885bbd4de3 WNM: Remove unused code from BSS TM Req generation
The url argument to ieee802_11_send_bss_trans_mgmt_request() was
hardcoded to NULL in the only caller, so this code cannot be reached.
wnm_send_bss_tm_req() construct the same frame with more generic
parameters, including option for including the URL, so
ieee802_11_send_bss_trans_mgmt_request() can be simplified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
e7ddd86a98 WNM: Use a common error path in ieee802_11_send_wnmsleep_resp()
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
d6d5970e23 WNM: Fix WNM-Sleep Mode Request parsing for WNM-Sleep element
The length of the WNM-Sleep element was not verified before using it.
This could result in reading the subfields in this element (total of
four octets) beyond the end of the buffer. Fix this by ignoring the
element if it is not long enough to contain all the subfields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
8492cc79c0 PeerKey: Remove dead code related to STSL negotiation state
The struct wpa_stsl_negotiation seemed to have been for some kind of
tracking of state of PeerKey negotiations within hostapd. However,
nothing is actually adding any entries to wpa_auth->stsl_negotiations or
using this state. Since PeerKey does not look like something that would
be deployed in practice, there is no justification to spend time on
making this any more complete. Remove the dead code now instead of
trying to figure out what it might be used for.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 11:15:49 +02:00
Jouni Malinen
0d60567030 WMM: Fix estimated medium time calculation for some corner cases
It was possible for the int medium_time variable to overflow, so use a
64-bit unsigned integer to get a large enough value for the
multiplication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 12:12:28 +02:00
Jouni Malinen
ae26d30213 Fix "IEEE 802.11: Ignored Action frame" debug message
The arguments to printf were in incorrect order which resulted in
incorrect STA address in the debug message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 12:08:12 +02:00
Jouni Malinen
4ead4c7ecd WMM: Remove obsolete TODO comments
These are more about kernel behavior than anything that hostapd would
implement.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:29:18 +02:00
Jouni Malinen
401243b73e RRM: Fix range request overriding
This was supposed to cancel the existing eloop timeout instead of
registering another one.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-09 13:26:06 +02:00
Jouni Malinen
fb81c0a3d1 RRM: Merge similar error returns to a single one
There is no need to maintain different return paths for STA being
completely not present and not authorized, so merge these into a single
case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-09 13:26:06 +02:00
Jouni Malinen
13b30052d9 RRM: Fix Range Request max age parsing
This 16-bit field uses little endian encoding and it must be read with
WPA_GET_LE16() instead of assuming host byte order is little endian. In
addition, this could be misaligned, so using a u16 pointer here was not
appropriate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-09 13:26:06 +02:00
Jouni Malinen
bd6ec7f7ca Fix MAC ACL query freeing on deinit
hapd->acl_cache and hapd->acl_queries were not reset back to NULL in
hostapd_acl_deinit() when cached results and pending ACL queries were
freed. This left stale pointers to freed memory in hapd. While this was
normally followed by freeing of the hapd data, it is possible to re-use
that hapd when disabling and re-enabling an interface. That sequence
could result in use of freed memory if done while there were cached
results or pending ACL operations with a RADIUS server (especially, if
that server did not reply).

Fix this by setting hapd->acl_queries to NULL when the pending entries
are freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-08 23:48:19 +02:00
Jouni Malinen
0d6dc6830c FILS: Clean up HLP resize check
The "!wpabuf_resize(...) == 0" condition does not make any sense. It
happens to work, but this is really supposed to simple check with
wpabuf_resize() returns non-zero and "wpabuf_resize(...)" is the
cleanest way of doing so.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 20:50:33 +02:00
Jouni Malinen
65ab7eb1fa GAS: Fix OSU Providers List response with invalid configuration
If the OSU Providers configuration was invalid (included osu_server_uri
but not osu_method_list), it was possible for the GAS response
generation to hit a NULL dereference. Fix this by checking for the
invalid configuration before trying to fill in the OSU methods.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 17:47:58 +02:00
Günther Kelleter
4bb9b674c8 Add a log message when GTK rekeying failed
It can happen if the station is unreachable or sleeping longer than
the actual total GTK rekey timeout. To fix the latter case
wpa_group_update_count may be increased.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Günther Kelleter
41f140d386 Add hostapd options wpa_group_update_count and wpa_pairwise_update_count
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).

Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Eduardo Abinader
276e936548 hw_features: Clean center freq for falling back HT40 channels
Some channels fail to be set, when falling back to 20 MHz, due to
remaining VHT info of center freq. As we are going to 20 MHz, reset the
VHT center frequency segment information as well.

Signed-off-by: Eduardo Abinader <eduardoabinader@gmail.com>
2017-02-06 19:26:07 +02:00
Jouni Malinen
84bb12aa6d FILS: Fix send_assoc_resp() HLP extension to cover sta == NULL
Commit 91d91abf6f ('FILS: DHCP relay for
HLP requests') added steps that are conditional on sta->fils_hlp_resp
being non-NULL. One of these cases within send_assoc_resp() was properly
protected from sta == NULL error case (that is now possible after a
recent DMG change), but the first one was not. A DMG error case in a
CONFIG_FILS=y build could have hit a NULL pointer dereference here. Fix
this by verifying sta != NULL more consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 16:40:15 +02:00
Jouni Malinen
caab23f192 Set EAPOL-Key Key Length field to 0 for group message 1/2 in RSN
P802.11i/D3.0 described the Key Length as having value 16 for the group
key handshake. However, this was changed to 0 in the published IEEE Std
802.11i-2004 amendment (and still remains 0 in the current standard IEEE
Std 802.11-2016). We need to maintain the non-zero value for WPA (v1)
cases, but the RSN case can be changed to 0 to be closer to the current
standard.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 13:52:43 +02:00
Jouni Malinen
b0fb2be77a Do not send GNonce in EAPOL-Key group message 1/2
While the IEEE Std 802.11-2016 is still indicating that GNonce would be
exchanged in EAPOL-Key messages (see, e.g., Figure 12-52 showing the
Send EAPOL-Key operation in the REKEYNEGOTIATING state or the sample
group key handshake in Figure 12-47), there are also examples of
describing this field as having value zero (e.g., 12.7.7.2 Group key
handshake message 1).

GNonce is used only with the Authenticator and the Supplicant does not
have any use for it, so it is better not to expose that internal value.
Hardcode the Key Nonce field to 0 in EAPOL-Key group message 1/2.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 13:39:57 +02:00
Jouni Malinen
3bbc470502 Fix EAPOL-Key Install bit in Group Key 1/2 with FT and FILS auth
sm->Pair needs to be initialized to TRUE since unicast cipher is
supported and this is an ESS. However, the normal place for setting this
(WPA_PTK::INITIALIZE) is skipped with using FT protocol or FILS
authentication, so need to do that separately when forcing PTKINITDONE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 13:28:42 +02:00
Jouni Malinen
db5e53cb06 mesh: Fix struct hostapd_data initialization
The local custom version of allocating and initializing struct
hostapd_data within wpa_supplicant_mesh_init() is problematic. This has
already missed couple of initialization steps that are required. Instead
of trying to remember to keep this up to date, use
hostapd_alloc_bss_data() so that there is only one place for this
initialization.

This is fixing a recent issue where FILS HLP started using
hapd->dhcp_server and expected that to be initialized to -1. For the
mesh case, that did not happen and when removing the interface, the FILS
HLP implementation ended up unregistering eloop socket for
hapd->dhcp_server (= 0). This could result in missing socket callbacks
for an arbitrary socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-04 22:17:54 +02:00
Jouni Malinen
d77f330418 FILS: Fix AES-SIV AAD for (Re)Association Request frame decryption
The hostapd processing of the AES-SIV AAD was incorrect. The design for
the AAD changed between P802.11ai/D7.0 and D8.0 from a single vector
with concatenated data to separate vectors. The change in the
implementation had missed the change in the aes_siv_decrypt() call for
the num_elem parameter. This happened to work with the mac80211
implementation due to a similar error there.

Fix this by using the correct numbers of vectors in the SIV AAD so that
all the vectors get checked. The last vector was also 14 octets too long
due to incorrect starting pointer, so fix that as well. The changes here
are not backwards compatible, i.e., a similar fix in the Linux mac80211
is needed to make things interoperate again.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-04 13:09:52 +02:00
Jouni Malinen
91d91abf6f FILS: DHCP relay for HLP requests
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.

The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-01 18:17:39 +02:00
Jouni Malinen
54b04d6f39 FILS: Move HLP request handling into a separate file
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:13 +02:00
Jouni Malinen
5a9d504938 ProxyARP: Use more robust DHCP option parsing
Do not depend on undefined behavior with pointer arithmetic when
checking whether there is sufficient room for an option.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:13 +02:00
Jouni Malinen
e64c13febb Move DHCP definitions into a common file
These can be reused for other purposes than just the DHCP snoofing for
Proxy ARP. In addition, use more complete definition of the parameters
based on the current IANA registry.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:11 +02:00
Dedy Lansky
53d171440f AP: Check ACL upon association request for 802.11ad
With device_ap_sme disabled, ACL was checked upon authentication
request. In 802.11ad there is no authentication phase so need to check
ACL upon association.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2017-01-30 22:22:40 +02:00
Daniel Kim
4cc61c3866 GAS: Set temporary session timeout bigger than gas_comeback_delay
Previously, the temporary STA session timeout was set to 5 seconds. If
gas_comeback_delay is configured to be longer than 5 seconds, GAS
Comeback Response frame can't include queried information as all pending
data has already been cleared due to session timeout. This commit
resolves the issue by setting session timeout to be larger than
gas_comeback_delay.

Signed-off-by: Daniel Kim <kimdan@qca.qualcomm.com>
2017-01-30 13:25:48 +02:00
Johannes Berg
cef8fac04b wpa_auth: Make struct wpa_auth_callbacks const
Instead of copying the struct wpa_auth_callbacks, just keep a pointer to
it, keep the context pointer separate, and let the user just provide a
static const structure. This reduces the attack surface of heap
overwrites, since the function pointers move elsewhere.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:41:26 +02:00
Johannes Berg
30eddf3529 Fix or supress various sparse warnings
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:33:10 +02:00
Jouni Malinen
5208160b4b FILS: Parse received FILS HLP requests
This adds parsing of received FILS HLP requests from (Re)Association
Request frames. The reassembled requests are verified to be in valid
format and are printed in debug output. However, actual processing or
forwarding of the packets is not yet implemented, i.e., the vendor
specific frame filtering logic is for now practically dropping all HLP
requests.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 14:32:17 +02:00
Masashi Honma
4d77d80edd mesh: Add MESH_PMKSA_GET/ADD commands
These commnds are mesh version of PMKSA_GET/ADD commands. So the usage
and security risk is similar to them. Refer to
commit 3459381dd2 ('External persistent
storage for PMKSA cache entries') also.

The MESH_PMKSA_GET command requires peer MAC address or "any" as an
argument and outputs appropriate stored PMKSA cache. And the
MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-store
the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache,
wpa_supplicant can skip commit message creation which can use
significant CPU resources.

The output of the MESH_PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <expiration in seconds>

The example of MESH_PMKSA_ADD command is this.
MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180

This functionality is disabled by default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-14 18:07:46 +02:00
Jouni Malinen
fa67debf4c Fix duplicate Reassociation Request frame dropping
Relational operators (==) have higher precedence than the ternary
conditional in C. The last_subtype check for association/reassociation
was broken due to incorrect assumption about the precedence. Fix this by
adding parenthesis around the ternary conditional.

The previous implementation worked for Association Request frames by
accident since WLAN_FC_STYPE_ASSOC_REQ happens to have value 0 and when
the last receive frame was an Association Request frame, the
sta->last_subtype == reassoc check was true and non-zero
WLAN_FC_STYPE_REASSOC_REQ was interpreted as true. However, this was
broken for Reassociation Request frame. reassoc == 1 in that case could
have matched received Association Response frame (subtype == 1), but
those are not received in AP mode and as such, this did not break other
behavior apart from not being able to drop duplicated Reassociation
Request frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-14 01:04:31 +02:00
Jouni Malinen
fcd3d6ce32 FILS: Fix PMK and PMKID derivation from ERP
This adds helper functions for deriving PMK and PMKID from ERP exchange
in FILS shared key authentication as defined in IEEE Std 802.11ai-2016,
12.12.2.5.2 (PMKSA key derivation with FILS authentication). These
functions is used to fix PMK and PMKID derivation which were previously
using the rMSK directly as PMK instead of following the FILS protocol to
derive PMK with HMAC from nonces and rMSK.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 21:07:40 +02:00
Jouni Malinen
167f78a5e8 Send BEACON-REQ-TX-STATUS event only for beacon reports
Check the action TX status callback contents more thoroughly and report
the BEACON-REQ-TX-STATUS event only if the Measurement Type indicates
beacon report.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 22:23:13 +02:00
Dedy Lansky
05e5e615e6 AP: Skip authentication/deauthentication phase for DMG/IEEE 802.11ad
Authentication and Deauthentication frames are not used in DMG/IEEE
802.11ad networks. For DMG/IEEE 802.11ad the following was implemented:
Upon receiving association request, allocate the sta object and
initialize it as if authentication took place. Upon receiving
disassociation, deallocate the sta object.
ap_sta_disassociate/ap_sta_deauthenticate/ap_sta_disconnect all use
disassociation instead of deauthentication. In driver_nl80211,
i802_sta_deauth() is routed to i802_sta_disassoc().

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2017-01-05 17:28:23 +02:00
Dedy Lansky
0c4b9025c1 AP: Do not look for supported rates in DMG/IEEE 802.11ad
Supported Rates element is not present in DMG/IEEE 802.11ad frames. Make
copy_supp_rates() immediately return with success if hardware mode is
IEEE 802.11ad.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2017-01-05 17:05:00 +02:00
Jouni Malinen
ec45927b8a Report received beacon report with BEACON-RESP-RX event
The new hostapd control interface event "BEACON-RESP-RX <STA address>
<dialog token> <report mode> <beacon report>" is now used to report
received beacon reports as a reponse to the REQ_BEACON operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
f3383366aa Report beacon request TX status as control interface event
The new BEACON-REQ-TX-STATUS control interface event is now used to
report whether a beacon request (from REQ_BEACON command) was delivered
successfully. This event has the following parameters: <STA address>
<dialog token> <ack=0/1>.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
90d9d7c32a Beacon request through hostapd control interface
The new control interface command "REQ_BEACON <STA addr>
[req_mode=<mode>] <beacon request>" can now be used to request hostapd
to transmit a measurement request to request a beacon report from an
associated STA. This command returns the assigned dialog token (1-255)
or FAIL on failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
f56877414c Do not add own BSS in neighbor report with invalid op_class/channel
Verify that ieee80211_freq_to_channel_ext() succeeds before adding the
own BSS in the neighbor report.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 15:18:30 +02:00
Jouni Malinen
aeff0645d2 FILS: Fix FILS Realm Information ANQP-element construction
The loop to add hash values was supposed to be limited to at most 10000
values, but the count variable was not being decremented in the loop.
Fix this by decrementing counting for each iteration. This fixes
ANQP-element format in the unlikely case of there being more than 10000
configuration realms.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 15:18:30 +02:00
Jouni Malinen
2977f5193a GAS: Remove unnecessarily duplicate gas_frag_limit configuration
The actual BSS configuration parameter can be updated with the SET
control interface command, so there is no need to maintain a separate
per-BSS parameter and a separate control interface handling for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-30 00:23:10 +02:00
Jouni Malinen
1940559ea4 FT: Drop FT Action frames if ft_over_ds=0
Previously, the hostapd ft_over_ds parameter was used to only advertise
whether FT-over-DS is enabled in MDE and leave it to the stations to
follow that advertisement. This commit extends this to explicitly reject
(silently drop) FT Action frames if a station does not follow the
advertised capabilities.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-29 01:13:59 +02:00
Jouni Malinen
78022c8366 Fix memory leak on hostapd eap_user_file parsing error paths
Need to free all the pending completed EAP users if a parsing error
prevents the file from being used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:47:00 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Jouni Malinen
9266d00bf9 hostapd: Reject invalid macaddr_acl value
Previously, this was noted in error log, but the invalid value was
stored in the configuration without rejecting it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-27 11:43:13 +02:00
Jouni Malinen
1dfd25a68a Fix hostapd SIGHUP processing before interface is enabled
It was possible to try to do driver operations before the driver
interface had been initialized when processing a SIGHUP signal. This
would result in NULL pointer dereference. Fix this by skipping the steps
when SIGHUP is issued before the interface is enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-27 11:16:51 +02:00
Jouni Malinen
34e29dfd4b Remove unnecessary NULL check from hostapd_config_read_wpa_psk() call
This function is already checking the fname argument against NULL, so
use that check on its own instead of duplicating the check in the only
caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-26 17:42:41 +02:00
Jouni Malinen
1f0fdaf0e4 Fix race condition between AssocResp callback and 4addr event
It is apparently possible for the NL80211_CMD_UNEXPECTED_4ADDR_FRAME
event to be delivered to hostapd before the NL80211_CMD_FRAME_TX_STATUS
event for (Re)Association Response frame. This resulted in the 4-address
WDS mode not getting enabled for a STA. This could occur in particular
when operating under heavy load and the STA is reconnecting to the same
AP in a sequence where Deauthentication frame is followed immediately by
Authentication frame and the driver event processing gets delayed due to
removal of the previous netdev taking time in the middle of this
sequence.

Fix this by recording a pending item for 4-address WDS enabling if the
NL80211_CMD_UNEXPECTED_4ADDR_FRAME event would have been dropped due to
incompleted association and then process this pending item if the TX
status for the (Re)Association Response frame is received and it shows
that the frame was acknowledged.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-20 01:30:09 +02:00
Jouni Malinen
8183aee6cc FILS: Add support for building FILS Realm Information ANQP-element
This allows full list of hashed realm names to be fetched from hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:59 +02:00
Jouni Malinen
26bf70e3d2 FILS: Separate FILS realm configuration from ERP domain
The new hostapd configuration parameter fils_realm=<realm> can now be
used to configure one or more FILS realms to advertise for ERP domains
when using FILS. This replaces the use of erp_domain=<domain> parameter
for the FILS use case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:08:23 +02:00
Jouni Malinen
42b847ac1e FILS: Fix hashed realm name derivation
P802.11ai/D7.0 changed from CRC32 to SHA256 as the hash algorithm for
the FILS realm name. Update the implementation to match that change.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:07:57 +02:00
Jouni Malinen
cebda0e3e5 Make debug print clearer for AP/mesh mode secondary channel issues
If the secondary channel was not found at all, no debug print was shown
to indicate that the channel was rejected due to that problem. Print a
clearer message indicating which channel was behind the reason to reject
channel configuration as unsuitable for AP mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 15:09:15 +02:00
Daisuke Niwa
655dc4a432 Send "TERMINATING" event from hostapd
hostapd didn't send "TERMINATING" event when stopped by
SIGTERM. Android handles this event to stop monitor thread.

This commit adds "TERMINATING" event same as with wpa_supplicant.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
2016-12-12 20:32:28 +02:00
Jouni Malinen
0f5eb69f85 Use eloop timeout for post-EAP-Failure wait before disconnection
Previously, os_sleep() was used to block the hostapd (or wpa_supplicant
AP/P2P GO mode) processing between sending out EAP-Failure and
disconnecting the STA. This is not ideal for couple of reasons: it
blocks all other parallel operations in the process and it leaves a
window during which the station might deauthenticate and the AP would
have no option for reacting to that before forcing out its own
Deauthentication frame which could go out after the STA has already
started new connection attempt.

Improve this design by scheduling an eloop timeout of 10 ms instead of
the os_sleep() call and perform the delayed operations from the eloop
callback function. This eloop timeout is cancelled if the STA
disconnects or initiates a new connection attempt before the 10 ms time
is reached. This gets rid of the confusing extra Deauthentication frame
in cases where the STA reacts to EAP-Failure by an immediate
deauthentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-08 18:56:02 +02:00
Michael Braun
34f7c699a6 Add multicast to unicast support
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.

By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.

When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.

This also does not implement Directed Multicast Service (DMS).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-12-04 21:00:06 +02:00
Sam Tannous
08032c7418 Remove inactivity timeout for wired interfaces
We should unconditionally remove inactivity timers for wired network
cases. This commit checks for this after a new station association:

   hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED

and then cancels the timeout and does not register a new one.

It prints out a debug message like this:

1476740180.276286: IEEE 802.1X: 00:02:00:00:00:07 CTRL_DIR entering
state FORCE_BOTH
1476740180.276295: hostapd_new_assoc_sta: canceled wired ap_handle_timer
timeout for 00:02:00:00:00:07

This was tested on a debian jessie amd64 system with a configured 120
second inactivity timer and the session did not timeout.

Signed-off-by: Sam Tannous <stannous@cumulusnetworks.com>
2016-12-04 20:38:45 +02:00
Jouni Malinen
cb2b666670 Fix 4addr reassociation-without-deauthentication on AP
Data connection was lost if a station reassociated without the STA entry
being cleaned up on the AP side. Fix this by moving reconfiguration of
the STA WDS parameters in association response callback to happen only
after the STA flags have been updated to associated stated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-02 12:51:16 +02:00
Jouni Malinen
2ab09656ae AP: Do not drop STA entry if PMF is used with full AP client state
This fixes a regression from commit
bb598c3bdd ('AP: Add support for full
station state'). That commit added code to remove and re-add the kernel
STA entry when processing Authentication frames with a driver that
advertises support for full AP client state. That resulted in bypassing
PMF protections for unprotected Authentication frames with such drivers
since the TK was lost in this operation.

It is simplest to skip the STA entry clearing in this type of case
completely to leave the TK in place and to process the new
authentication exchange otherwise normally. This matches the behavior
used with the drivers that do not implement full AP client state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-29 16:26:00 +02:00
Will Glynn
209dad066e FT: Explicitly check for MDE not present in non-FT association
IEEE Std 802.11-2012, 12.4.2 states that if an MDE is present in an
(Re)Association Request frame but the RSNE uses a non-FT AKM suite, the
AP shall reject the association using status code 43 ("Invalid AKMP").

wpa_validate_wpa_ie() now explicitly checks for this condition to meet
this requirement instead of simply ignoring the MDE based on non-FT AKM.

Signed-off-by: Will Glynn <will@willglynn.com>
2016-11-26 11:39:44 +02:00
Purushottam Kushwaha
29483a5678 Add support for user configurable Beacon frame data rate for AP mode
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:

Legacy (CCK/OFDM rates):
	beacon_rate=<legacy rate in 100 kbps>
HT:
	beacon_rate=ht:<HT MCS>
VHT:
	beacon_rate=vht:<VHT MCS>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-25 23:12:30 +02:00
Jouni Malinen
4051dd8667 GAS: Add Capability List ANQP-element support for Info ID 270, 280..299
This extends the anqp_elem configuration parameter support for new Info
IDs (270 (TDLS Capability) was previously missed from the list of
defined values, 280 has already been assigned in REVmc/D8.0; 281..299
are yet to be assigned). No additional source code changes are needed to
allow hostapd to advertise support for these if the ANQP-element value
is set with the anqp_elem parameter.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-17 16:00:25 +02:00
Jouni Malinen
d50f518e95 Fix libap.a build
Add the new defines and files to allow src/ap/libap.a to be build with
all the needed functions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-16 13:26:23 +02:00
Ilan Peer
4ec1fd8e42 FT: Differentiate between FT for station and for AP in build
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.

Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 22:14:54 +03:00