Commit graph

4531 commits

Author SHA1 Message Date
Jouni Malinen
46c3befe24 tests: Add eapol-fuzzer
This program can be used to run fuzzing tests for areas related to EAPOL
frame parsing and processing on the supplicant side.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:19 +03:00
Jouni Malinen
a65d7495b5 tests: Add p2p-fuzzer
This program can be used to run fuzzing tests for areas related to P2P
message parsing and processing. p2p-fuzzer allows data files to be used
to inject Probe Response and Action frames for processing by the P2P
module.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:19 +03:00
Jouni Malinen
632931c3ce P2P: Use WPS_SEC_DEV_TYPE_MAX_LEN in P2P array definition
This makes it more obvious that the wps_parse_msg() bounds checking is
used to verify that there is sufficient space in the P2P buffer for the
secondary device types.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:19 +03:00
Jouni Malinen
6ca8a74cd0 tests: Add a module test for wpa_ssid_txt() with too long SSID
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com
2015-04-22 11:44:19 +03:00
Jouni Malinen
0f5acfba06 Use common is_ctrl_char() helper function
This modifies couple of code segments that replaced control characters
in strings with '_' to use a common helper function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:19 +03:00
Jouni Malinen
5a041acc0a WPS: Ignore too long SSID attribute
While it looks like all the users of this parsed attribute were able to
handle longer SSID values, there is no valid use case for these and to
avoid any potential future issues, enforce maximum length (32 bytes) on
the SSID during parsing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:19 +03:00
Jouni Malinen
d6c3067d32 Replace SSID_LEN with SSID_MAX_LEN
This makes source code more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:19 +03:00
Jouni Malinen
81847c22ba Replace HOSTAPD_MAX_SSID_LEN with SSID_MAX_LEN
This makes source code more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
6fb761c690 Replace WPA_MAX_SSID_LEN with SSID_MAX_LEN
This makes the source code more consistent.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:18 +03:00
Jouni Malinen
d9d1b9527a Use SSID_MAX_LEN define instead of value 32 when comparing SSID length
This makes the implementation easier to understand.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
65b10253d6 WPS: Ignore too long Device Name attribute
While it looks like all the users of this parsed attribute were able to
handle longer Device Name values, there is no valid use case for these
and to avoid any potential issues in upper layer components, enforce
maximum length (32 bytes) on the Device Name during parsing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
cc6f24380c Add WPS_DEV_NAME_MAX_LEN define and use it when comparing length
This make code easier to understand.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
dd3d8578d0 P2PS: Check for maximum SSID length in Persistent Group Info
While none of the current users of msg.persistent_ssid{,_len} would have
issues with too long SSID value, it is safer to enforce bounds checking
on the SSID while parsing the attribute to avoid any potential issues in
the future.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
05e46a944a Ignore too long SSID element value in parser
The SSID element is defined to have a valid length range of 0-32. While
this length was supposed to validated by the users of the element
parser, there are not really any valid cases where the maximum length of
32 octet SSID would be exceeded and as such, the parser itself can
enforce the limit as an additional protection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
9ed4eee345 P2P: Validate SSID element length before copying it (CVE-2015-1863)
This fixes a possible memcpy overflow for P2P dev->oper_ssid in
p2p_add_device(). The length provided by the peer device (0..255 bytes)
was used without proper bounds checking and that could have resulted in
arbitrary data of up to 223 bytes being written beyond the end of the
dev->oper_ssid[] array (of which about 150 bytes would be beyond the
heap allocation) when processing a corrupted management frame for P2P
peer discovery purposes.

This could result in corrupted state in heap, unexpected program
behavior due to corrupted P2P peer device information, denial of service
due to process crash, exposure of memory contents during GO Negotiation,
and potentially arbitrary code execution.

Thanks to Google security team for reporting this issue and smart
hardware research group of Alibaba security team for discovering it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
90758f09ec Mark QCA vendor command id 53 reserved, but not used anymore
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:21:18 +03:00
Jouni Malinen
f41ded6fa4 Remove unused leftover from multi-SSID design
The multi-SSID design that used a single beaconing BSSID with multiple
SSIDs was never completed in this repository, so there is no need to
maintain the per-STA ssid/ssid_probe pointers that could only point to
&hapd->conf->ssid. Save some memory and reduce code complexity by
removing this unused partial capability.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:17:32 +03:00
Jouni Malinen
cb71a8342d OpenSSL: Clean up TLS PRF implementation
Commit fa0e715100 ('Use
tls_connection_prf() for all EAP TLS-based key derivation') copied some
pointer checks from the generic implementation to tls_openssl.c.
However, these are arrays and cannot be NULL in OpenSSL data. Remove the
unnecessary checks and add master_key_length check for completeness.
(CID 109619).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:17:26 +03:00
Jouni Malinen
7f90a234b6 Add QCA vendor subcmd for OCB
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 01:05:52 +03:00
Jouni Malinen
1acf38f1a5 Add ifname to vlan_remove_dynamic() debug print
This makes it easier to interpret debug logs for cases where hostapd
control multiple interfaces.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-13 17:08:10 +03:00
Jouni Malinen
2e192bd08f Print debug entry on STA pruning from other interfaces
This makes it easier to interpret debug logs in case hostapd controls
multiple interfaces and a STA roams between them.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-13 17:08:10 +03:00
Michael Braun
c8e6beabb6 Remove VLAN interface on STA free
Currently, vlan_remove_dynamic() is only called when the station VLAN ID
is changed (ap_sta_bind_vlan), but not when the station is freed. So
dynamic VLAN interfaces are not removed actually except within 1x
reauthentification VLAN ID change, although most of the code is already
there.

This patch fixes this by calling vlan_remove_dynamic() in ap_free_sta().

It cannot just use sta->vlan_id for this, as this might have been
changed without calling ap_sta_bind_vlan() (ap/ieee802_11.c:handle_auth
fetches from RADIUS cache for WPA-PSK), thus reference counting might
not have been updated. Additionally, reference counting might get wrong
due to old_vlanid = 0 being passed unconditionally, thus increasing the
reference counter multiple times.

So tracking the currently assigned (i.e., dynamic_vlan counter
increased) VLAN is done in a new variable sta->vlan_id_bound. Therefore,
the old_vlan_id argument of ap_sta_bind_vlan() is no longer needed and
setting the VLAN for the sta in driver happens unconditionally.

Additionally, vlan->dynamic_vlan is only incremented when it actually
is a dynamic VLAN.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 17:08:10 +03:00
Michael Braun
de31fb052c vlan: Ignore multiple NEWLINK messages
hostapd receives NEWLINK messages multiple times and thus does
configuration of the the vlan interface multiple times.

This is not required and leads to the following during cleanup in
test pmksa_cache_preauth_vlan_used:
 1. run-test.py does: brctl delif brvlan1 wlan3.1
 2. hostapd processes NEWLINK and does: brctl addif brvlan1 wlan3.1
 3. run-test.py does: brctl delbr brvlan1
    -> fails as wlan3.1 is still in the bridge

This patch fixes this by ignoring repeated NEWLINK messages.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:34:33 +03:00
Michael Braun
371205dd0c vlan: Ignore DELLINK on interfaces that exists
When hitting
> Failed to create interface wlan3.1: -23 (Too many open files in system)
> Try to remove and re-create wlan3.1
hostapd deletes the AP_VLAN interface and then recreates it. Thus the
kernel assigns the same ifidx to the new interfaces and sends DELLINK
and NEWLINK mesages.

As the DELLINK messages are processed after the struct hostapd_vlan is
added, hostapd deletes the struct hostapd_vlan entry, deconfigures the
AP_VLAN interface and leaves vlan_newlink nothing to find afterwards.

So this patch makes DELLINK messages to be ignored when the interface
exists.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:31:56 +03:00
Michael Braun
a5e81ba9eb Fix STA VLAN bind for RSN pre-authentication case
Previously, during RSN preauthentication, ap_sta_bind_vlan() was called,
which fails for non-zero sta->vlan_id as the station is not known to the
kernel driver.

Fix this by binding the station only if it is associated. If it is not
associated, ap_sta_bind_vlan() will be done later during association.

In addition, reject Access-Accept if the returned VLAN ID is not valid
in the current hostapd configuration.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:26:40 +03:00
Michael Braun
3ffdeb7ac8 Fix RSN preauthentication with dynamic_vlan enabled but unused
sta->vlan_id == -1 means no VLAN, as does vlan_id = 0.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:26:40 +03:00
Nick Kralevich
d447cd596f Updates for stricter automatic memcpy bounds checking
Both Android's libc and glibc support _FORTIFY_SOURCE, a compiler
and libc feature which inserts automatic bounds checking into
common C functions such as memcpy() and strcpy(). If a buffer
overflow occurs when calling a hardened libc function, the
automatic bounds checking will safely shutdown the program and
prevent memory corruption.

Android is experimenting with _FORTIFY_SOURCE=3, a new fortify
level which enhances memcpy() to prevent overflowing an element
of a struct. Under the enhancements, code such as

  struct foo {
    char empty[0];
    char one[1];
    char a[10];
    char b[10];
  };

  int main() {
    foo myfoo;
    int n = atoi("11");
    memcpy(myfoo.a, "01234567890123456789", n);
    return 0;
  }

will cleanly crash when the memcpy() call is made.

Fixup hostap code to support the new level. Specifically:

* Fixup sha1_transform so it works with the enhanced bounds checking.
The old memcpy() code was attempting to write to context.h0, but that
structure element is too small and the write was extending (by design)
into h1, h2, h3, and h4. Use explicit assignments instead of
overflowing the struct element.

* Modify most of the structures in ieee802_11_defs.h to use ISO C99
flexible array members (https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html)
instead of a zero length array. Zero length arrays have zero length,
and any attempt to call memcpy() on such elements will always overflow.
Flexible array members have no such limitation. The only element not
adjusted is probe_req, since doing so will generate a compile time error,
and it's not obvious to me how to fix it.

Signed-off-by: Nick Kralevich <nnk@google.com>
2015-04-13 14:01:40 +03:00
Jouni Malinen
60eb9e173e AP: Enable multicast snooping on bridge if ProxyARP IPv6 is in use
This is needed to allow correct ProxyARP behavior for IPv6.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-13 14:00:32 +03:00
Mark Salyzyn
0144ecb8c8 Android: wpa_ctrl missing include for sys/stat.h
wpa_ctrl.c gets sys/stat.h inherited from
private/android_filesystem_config.h it should
not rely on this in the future. The intent is
to move fs_config function into libcutils and
thus deprecate any need for sys/stat.h in this
include file.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2015-04-03 10:47:36 +03:00
Jouni Malinen
80fd9c3576 EAP-PEAP server: Add support for negotiating vendor for Phase 2
This is a step towards enabling support of expanded EAP header in Phase
2.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:57:11 +03:00
Jouni Malinen
a867082cb8 EAP peer: Use 32-bit EAP method type for Phase 2 processing
This is a step towards enabling expanded EAP header within Phase 2 EAP
methods.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:57:11 +03:00
Jouni Malinen
c4b45c60ad TLS: Fix memory leaks on tls_connection_set_params() error paths
The internal TLS implementation started rejecting number of unsupported
configuration parameters recently, but those new error paths did not
free the allocated tlsv1_credentials buffer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:57:11 +03:00
Jouni Malinen
af851914f8 Make tls_connection_get_keyblock_size() internal to tls_*.c
This function exposes internal state of the TLS negotiated parameters
for the sole purpose of being able to implement PRF for EAP-FAST. Since
tls_connection_prf() is now taking care of all TLS-based key derivation
cases, it is cleaner to keep this detail internal to each tls_*.c
wrapper implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-01 12:56:54 +03:00
Jouni Malinen
94f1fe6f63 Remove master key extraction from tls_connection_get_keys()
This is not needed anymore with the tls_connection_prf() being used to
handle all key derivation needs. tls_connection_get_keys() is a bit
misnamed for now, but it is only used to fetch the client and server
random for Session-Id derivation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:52:40 +03:00
Jouni Malinen
fa0e715100 Use tls_connection_prf() for all EAP TLS-based key derivation
tls_openssl.c is the only remaining TLS/crypto wrapper that needs the
internal PRF implementation for EAP-FAST (since
SSL_export_keying_material() is not available in older versions and does
not support server-random-before-client case). As such, it is cleaner to
assume that TLS libraries support tls_connection_prf() and move the
additional support code for the otherwise unsupported cases into
tls_openssl.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-31 15:47:32 +03:00
Jouni Malinen
df8191d0b8 Rename HT 20/40 coex variable to be more descriptive
is_ht_allowed is a confusing name since this variable is used to track
whether 40 MHz channel bandwidth is allowed instead of whether HT is
allowed in general.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-30 12:59:43 +03:00
Jouni Malinen
1d0f42a073 EAP server: Add debug prints to help asleap testing
This adds hexdumps of MSCHAP/MSCHAPv2 Challenge and Response in format
used by asleap. This is only enabled for CONFIG_TESTING_OPTIONS=y
builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 22:49:16 +03:00
Jouni Malinen
2c1cf90376 Add wpa_snprintf_hex_sep()
This can be used to print a hexdump with the specified separator between
octets.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 22:27:43 +03:00
Jouni Malinen
5955cfaacd ms_funcs: Make challenge_hash() non-static
This function can be of use outside ms_funcs.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 22:27:00 +03:00
Eliad Peller
154a1d5f7f hostapd: Fix some compilation errors
If NEED_AP_MLME=y is not defined, compilation might
fail under some configurations:

src/ap/drv_callbacks.c:594:2: warning: implicit declaration of
function ‘hostapd_acs_completed’ [-Wimplicit-function-declaration]

src/ap/sta_info.c:253: undefined reference to `sae_clear_retransmit_timer'

Fix these errors by adding the missing hostapd_acs_completed() stub,
and defining NEED_AP_MLME in case of CONFIG_SAE.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2015-03-29 20:51:14 +03:00
Jouni Malinen
65a7b21f5e OpenSSL: Implement AES-128 CBC using EVP API
This replaces the internal CBC mode implementation in
aes_128_cbc_encrypt() and aes_128_cbc_decrypt() with the OpenSSL
implementation for CONFIG_TLS=openssl builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 20:30:58 +03:00
Jouni Malinen
22ba05c09e Explicitly clear temporary stack buffers in tls_prf_sha1_md5()
The local buffers may contain information used to generate parts of the
derived key, so clear these explicitly to minimize amount of unnecessary
private key-related material in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:43:03 +03:00
Jouni Malinen
940a4dbf66 Explicitly clear temporary stack buffer in sha1_t_prf()
The local hash[] buffer may contain parts of the derived key, so clear
it explicitly to minimize number of unnecessary copies of key material
in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:40:55 +03:00
Jouni Malinen
eccca102bf Explicitly clear temporary stack buffer in hmac_sha256_kdf()
The local T[] buffer may contain parts of the derived key, so clear it
explicitly to minimize number of unnecessary copies of key material in
memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 16:38:37 +03:00
Jouni Malinen
e8e365def6 wext: Add support for renamed Host AP driver ifname
Previous workaround for WEXT events from the Host AP driver required
wlan# and wifi# interfaces to have fixed names with the same number.
While that used to be the common case ten years ago, it is less common
nowadays. Extend this to use sysfs (if available) to figure out the
wifi# interface name if the specified interface is detected to be using
the Host AP driver.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-29 11:42:02 +03:00
Ben Greear
fc48d33b0d Improve error messages related to EAP DB
Add SQLite error message and DB name to the DB related errors. Add
enough tracing so that users can know exactly where users are failing to
be found.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 13:16:26 +02:00
Ben Greear
23dd15a992 http-curl: Improve log messages
Helps to track down why some problems relating to certs can happen.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 11:23:16 +02:00
Jouni Malinen
a52410c29f Allow PSK/passphrase to be set only when needed
The new network profile parameter mem_only_psk=1 can be used to specify
that the PSK/passphrase for that network is requested over the control
interface (ctrl_iface or D-Bus) similarly to the EAP network parameter
requests. The PSK/passphrase can then be configured temporarily in a way
that prevents it from getting stored to the configuration file.

For example:

Event:
CTRL-REQ-PSK_PASSPHRASE-0:PSK or passphrase needed for SSID test-wpa2-psk

Response:
CTRL-RSP-PSK_PASSPHRASE-0:"qwertyuiop"

Note: The response value uses the same encoding as the psk network
profile parameter, i.e., passphrase is within double quotation marks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 11:05:13 +02:00
Jouni Malinen
3e808b831c EAP-pwd peer: Add support for hashed password
This extends EAP-pwd peer support to allow NtHash version of password
storage in addition to full plaintext password. In addition, this allows
the server to request hashed version even if the plaintext password is
available on the client. Furthermore, unsupported password preparation
requests are now rejected rather than allowing the authentication
attempt to continue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:43:33 +02:00
Jouni Malinen
e4840b381c EAP-pwd server: Add support for hashed password
This extends EAP-pwd server support to allow NtHash version of password
storage in addition to full plaintext password.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:42:31 +02:00
Jouni Malinen
2bd2ed2006 EAP-pwd: Mark helper function arguments const when appropriate
These variables are not modified during PWE or key computation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-28 09:34:30 +02:00
Ben Greear
0f8385e6fa Show OSEN key management properly in scan results
Old code defaulted to WEP for an AP advertising OSEN. Show as OSEN
instead. Re-use most of the RSN parsing logic since all but the header
is the same.

Example output:

[root@ath9k-f lanforge]# ./local/bin/wpa_cli -i sta0 scan_results
bssid / frequency / signal level / flags / ssid
00:0e:8e:6f:40:49	2462	-23	[OSEN-OSEN-CCMP][ESS]	ben-138

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-25 16:04:03 +02:00
Ilan Peer
54d3dc9184 AP: Unset HT capabilities for an HT association request without WMM
HT requires QoS/WMM, so unset HT capabilities for a station
whose association request does not include a valid WMM IE.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-03-25 15:02:58 +02:00
Krishna Vamsi
c41d0840a1 nl80211: Allow driver-based roam to change ESS
This extends NL80211_CMD_ROAM event processing to allow the driver to
roam to another ESS (different SSID) when using offloaded BSS selection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-24 21:13:28 +02:00
Ashok Kumar Ponnaiah
1de071007e atheros: Clear WPS appie during deinit
The WPS IE(s) need to be cleared from the driver explicitly.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-24 15:05:43 +02:00
Manikandan Mohan
857d94225a Extend offloaded ACS QCA vendor command to support VHT
Update ACS driver offload feature for VHT configuration. In addition,
this allows the chanlist parameter to be used to specify which channels
are included as options for the offloaded ACS case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-23 12:18:05 +02:00
Max Stepanov
c40a8918ec P2PS: Delete ASP advertisements on wpas_p2p_service_flush
Delete all ASP serice advertisement on wpas_p2p_service_flush similarly
to Bonjour and UPnP services.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-03-20 15:56:59 +02:00
Eliad Peller
030a3e12da DFS: Fix range availability check
There's off-by-one in the range availability check - the case of
first_chan_idx + num_chans == num_channels should be allowed (e.g., 0 +
1 == 1, for the case of a single 20 MHz channel).

Signed-off-by: Maital Hahn <maitalm@ti.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
2015-03-20 15:56:59 +02:00
Eliad Peller
56ef99255c DFS: Consider non-contiguous channels
When looking for a new operating channel, consider the case of
non-contiguous channels when checking all the needed channels (e.g., the
driver might support channels 36, 38, 40, so look for channels 36+40
explicitly, instead of failing when encountering channel 38).

Signed-off-by: Eliad Peller <eliad@wizery.com>
2015-03-20 15:56:59 +02:00
Eliad Peller
e7a296ba13 Remove unused shared_freq driver op
This driver op is not used anymore

Signed-off-by: Eliad Peller <eliad@wizery.com>
2015-03-20 15:56:59 +02:00
Zefir Kurtisi
5f9c92f8f7 nl80211: Fix vendor command handling
In wiphy_info_handler(), vendor specific commands were
interpreted as QCA specific without checking for the OUI,
which caused incorrect setting of driver flags with
commands from other vendors. As a result, that could
prevent proper operation (e.g., inability to process CSA).

This patch ensures that QCA vendor specific commands are
checked against QCA OUI before related flags are set.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2015-03-20 15:56:59 +02:00
Jouni Malinen
2c50246078 Add a AP mode event message for possible PSK/passphrase mismatch
If the AP/Authenticator receives an EAPOL-Key msg 2/4 for an association
that negotiated use of PSK and the EAPOL-Key MIC does not match, it is
likely that the station is trying to use incorrect PSK/passphrase.
Report this with "AP-STA-POSSIBLE-PSK-MISMATCH <STA addr>" control
interface event.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-19 13:14:21 +02:00
Jouni Malinen
6784168d07 Remove SChannel support
SChannel/CryptoAPI as a TLS/crypto library alternative was never
completed. Critical functionality is missing and there are bugs in this
implementation. Since there are no known plans of completing this
support, it is better to remove this code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-18 22:31:36 +02:00
Peter Oh
6128a90979 hostapd: Add channel 140 to allowed HT40 channel pairs
Channel 140 is needed as allowed HT40 channel pair to use
channel 144 introduced in 802.11ac for VHT40 and VHT80.

Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
2015-03-16 12:03:36 +02:00
Jouni Malinen
74fa78b281 Add AVG_BEACON_RSSI to SIGNAL_POLL output
If the driver reports separate signal strength average for Beacon
frames, report that in SIGNAL_POLL output.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-15 20:45:20 +02:00
Janusz Dziedzic
4acdc48a43 nl80211: Handle NL80211_ATTR_EXT_FEATURES attribute
Handle NL80211_ATTR_EXT_FEATURES attribute and
NL80211_EXT_FEATURE_VHT_IBSS to determine whether
the driver supports VHT with IBSS.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-03-15 20:36:49 +02:00
Jouni Malinen
a0563ac626 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2015-03-04.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-15 20:35:21 +02:00
Jouni Malinen
8b949804b3 FT: Avoid unnecessary allocation for MIC calculation
Use the vector version of omac1_aes_128() to avoid unnecessary memory
allocation for each FTIE MIC calculation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-15 20:18:14 +02:00
Jouni Malinen
18da814be7 The master branch is now used for v2.5 development
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-15 19:38:15 +02:00
Jouni Malinen
bc04db9b06 Change version information for the 2.4 release
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-15 19:30:39 +02:00
Jouni Malinen
319d9daab9 Fix bitfield_get_first_zero() to not read beyond buffer
It was possible for bitfield_get_first_zero() to read one octet beyond
the allocated bit buffer in case the first zero bit was not within
size-1 first octets.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-14 13:50:12 +02:00
Jouni Malinen
39c3bfcde3 Indicate AP-DISABLED on main AP mode deinit path
This event was previously used only when disabling AP mode operation
through hostapd control interface. Make this more consistent by
providing same indication when disabling hostapd interface through the
interface deinit path. This adds the event to the case where a full
hostapd radio instance is removed which also applies for the
wpa_supplicant AP mode operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-14 10:14:22 +02:00
Rohit Agrawal
00033a0903 OpenSSL: Always accept pinned certificates
If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.

Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
2015-03-07 21:26:26 +02:00
Sunil Dutt
b2329e4ad5 Add QCA vendor subcmd for Data Offload
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-07 19:19:30 +02:00
Jouni Malinen
761396e4be Reject Group Key message 1/2 prior to completion of 4-way handshake
Previously, it would have been possible to complete RSN connection by
skipping the msg 3/4 and 4/4 completely. This would have resulted in
pairwise key not being configured. This is obviously not supposed to
happen in practice and could result in unexpected behavior, so reject
group key message before the initial 4-way handshake has been completed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-07 13:00:06 +02:00
Sunil Dutt
3f0e6ec4f3 nl80211: Extend NL80211_CMD_TDLS_OPER to support discovery
ML80211_ATTR_TDLS_OPERATION can now set to NL80211_TDLS_DISCOVERY_REQ to
allow the driver to request wpa_supplicant to initiate TDLS Discovery
Request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-06 21:13:21 +02:00
Sunil Dutt
c10ca2a66f TDLS: Allow driver to request TDLS Discovery Request initiation
This extends the TDLS operation request mechanism to allow TDLS
Discovery Request to be initiated by the driver similarly to the
existing Setup and Teardown requests.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-06 21:08:54 +02:00
Jouni Malinen
ac8e074ec1 Clear RSN timers for preauth and PTK rekeying on disassociation
Previously, it was possible for the wpa_sm_start_preauth() and
wpa_sm_rekey_ptk() eloop callbacks to remain active after disconnection
and potentially continue to be used for the next association. This is
not correct behavior, so explicitly cancel these timeouts to avoid
unexpected attempts to complete RSN preauthentication or to request PTK
to be rekeyed.

It was possible to trigger this issue, e.g., by running the following
hwsim test case sequence: ap_wpa2_ptk_rekey ap_ft_sae_over_ds

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-06 18:43:03 +02:00
Jouni Malinen
f2f65dd685 Reserve QCA vendor specific nl80211 commands 61..90
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-06 15:46:49 +02:00
Jouni Malinen
bea8d9a39a nl80211: Use the new bridge port option proxyarp_wifi
The initial IEEE 802.11 ProxyARP functionality in the kernel needed
changes in behavior and that ended up requiring an independent
configuration parameter to be used. Update hostapd to use that new
proxyarp_wifi parameter instead of the earlier proxyarp.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-06 11:32:16 +02:00
Jouni Malinen
6e9023ea49 DFS: Allow wpa_supplicant AP mode to use non-offloaded DFS
This extends the hostapd-like setup of DFS-in-userspace for
wpa_supplicant AP mode operations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 17:25:13 +02:00
Ahmad Kholaif
02e42ab75b nl80211: Add vendor event parsing for DFS offload events
This converts the QCA vendor event to EVENT_DFS_* events for the case
of DFS offloaded to the driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 17:24:32 +02:00
Ahmad Kholaif
1e2aaffbc8 DFS offload: Indicate AP-CSA-FINISHED for DFS offloaded case
Modify the string for AP-CSA-FINISHED event indication to include a flag
which tells the framework whether the new channel is a DFS channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 17:22:03 +02:00
Ahmad Kholaif
c13578c339 DFS offload: Add main DFS handler for offloaded case
Add handling logic for DFS offloaded case, and add a helper function
that takes the frequency (MHz) as a param and returns 1 if given channel
requires DFS, or 0 otherwise.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 17:21:30 +02:00
Ahmad Kholaif
5de81d7a7a DFS offload: Skip user space processing for CAC operations
If DFS is offloaded to the driver, hostapd should not be performing
these operations. Send the relevant control interface events to provide
information to upper layer software that may use such events to track
DFS/CAC state. This makes the offloaded DFS implementation more
consistent with the DFS-in-hostapd behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 16:24:39 +02:00
Sunil Dutt
dd5c155e2e eap_proxy: Callback to notify any updates from eap_proxy
This commit introduces a callback to notify any configuration updates
from the eap_proxy layer. This is used to trigger re-reading of IMSI and
MNC length.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-02 12:47:20 +02:00
Vivek Natarajan
9a05d98bf9 atheros: Add a new flag for OSEN support
Signed-off-by: Vivek Natarajan <nataraja@qti.qualcomm.com>
2015-03-02 12:40:41 +02:00
Jouni Malinen
b4a9292cfb RADIUS client: Fix server failover on return-to-primary on error case
If a connection with the primary server cannot be established, restore
connection to the previously used server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-01 22:36:52 +02:00
Jouni Malinen
1a7ed38670 RADIUS client: Fix a copy-paste error in accounting server failover
Commit 347c55e216 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a new option for
initialing RADIUS server failover from radius_client_retransmit(), but
ended up trying to change authentication servers when accounting server
was supposed to be changed due to a copy-paste issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-01 22:36:52 +02:00
Jouni Malinen
de7c06ee17 P2P: Continue find in GO-Neg-Resp-fail status corner cases
It was possible for the GO Negotiation Response (failure) TX status to
be processed at a point where there is no P2P timeout to continue
search. Avoid stopping the ongoing search operation by explicitly
restarting it from this callback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-01 22:36:52 +02:00
Daisuke Niwa
fa9f381f20 P2P: Allow a specific channel to be specified in P2P_FIND
The optional freq=<MHz> can now be used with the P2P_FIND command to
specify a single channel to scan during the first round of P2P search.
For example, this can be used to replace the full initial scan with a
single channel scan of a known operation channel.

Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
2015-02-28 21:52:56 +02:00
Daichi Ueura
eb78a8d5e3 P2P: Restore P2P_SCAN_SPECIFIC
This reverts commit 3df2f4fe99 ('P2P:
Remove unused P2P_SCAN_SPECIFIC') with a modification to fit the current
code base.

Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
2015-02-28 21:41:38 +02:00
Rajkumar Manoharan
d988ff76bf hostapd: Disable VHT caps for STAs when no valid VHT MCS found
Disable VHT caps for STAs for which there is not even a single
allowed MCS in any supported number of streams. i.e STA is
advertising 3 (not supported) as VHT MCS rates for all supported
streams.

Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
2015-02-28 21:00:00 +02:00
Jouni Malinen
70fd8287eb RADIUS client: Fix previous failover change
Commit 347c55e216 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a possibility of
executing RADIUS server failover change within
radius_client_retransmit() without taking into account that this
operation may end up freeing the pending message that is being
processed. This could result in use of freed memory. Avoid this by
checking whether any pending messages have been removed and if so, do
not try to retransmit the potentially freed message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 20:52:08 +02:00
Jouni Malinen
347c55e216 RADIUS client: Re-try connection if socket is closed on retransmit
Previously, send() was called with invalid fd = -1 in some error cases
for retransmission and this could even result in a loop of multiple such
attempts. This is obviously not going to work, so drop such attempts and
instead, try to reconnect a socket to the server if the current socket
is not valid.

In addition, initiate server failover immediately if the current socket
is not valid instead of waiting for a timeout.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 16:40:58 +02:00
Jouni Malinen
94b39e5927 RADIUS client: Fix server connection recovery after initial failure
If the initial attempt at opening the socket connection to the RADIUS
server failed due to missing IP connectivity during startup, e.g., with
"connect[radius]: Network is unreachable", hostapd did not try to
reconnect when RADIUS messages were sent. Instead, it only reported "No
authentication server configured" even if the configuration did have a
server entry.

This was broken by commit 9ed4076673
('RADIUS client: Do not try to send message without socket') for the
initial case and the more recent fixes in RADIUS server failover cases
did not cover the initial failure case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 15:45:17 +02:00
Jouni Malinen
efb40081ab TLS: Remove placeholders for SIGN_ALG_DSA support
It does not look likely that the old DSA design would be added into the
internal TLS implement, so remove this otherwise dead code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 15:45:16 +02:00
Jouni Malinen
2eb64ea437 tests: Module tests for common.c
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 12:20:56 +02:00
Jouni Malinen
56a1180153 tests: Increase bitfield module test coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 11:46:29 +02:00
Jouni Malinen
38ff21931d tests: Add module tests for base64
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 11:39:41 +02:00
Jouni Malinen
f51f54a007 nl80211: Resubscribe to nl80211 events on global nl_event socket
This allows wpa_supplicant to recover from some of the cases where
cfg80211 is unloaded and reloaded without restarting wpa_supplicant. The
netlink socket used for nl80211 events (global->nl_event) seemed to end
up in otherwise functionality state, but with all the event memberships
lost when cfg80211 gets reloaded.

There does not seem to be any clear way of determining when this has
happened, so it looks simplest to just try to re-subscribe to all the
events whenever an interface is re-enabled or added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-22 18:03:42 +02:00
Jouni Malinen
48ec6942cb Fix Linux packet socket workaround to not close the socket too easily
Commit e6dd8196e5 ('Work around Linux
packet socket regression') closed the workaround socket on the first
received EAPOL frame from the main packet socket. This can result in
closing the socket in cases where the kernel does not really work in the
expected way during the following initial association since
reauthentication/rekeying using EAPOL frames happens while operstate is
not dormant and as such, the frames can get delivered through the main
packet socket.

Fix this by closing the workaround socket only in case the first EAPOL
frame is received through the main packet socket. This case happens
while the interface is in dormant state and as such, is more likely to
show the more restricted case of kernel functionality.

In order to avoid processing the received EAPOL frames twice, verify a
checksum of the frame contents when receiving frames alternatively from
the main packet socket and the workaround socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-22 16:06:13 +02:00
Jouni Malinen
1d747e2a98 Add snr and est_throughput to the BSS entries
These values were previously used only for sorting the scan results, but
it may be useful to provide access to the used values through the BSS
entries.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-22 11:09:54 +02:00
Jouni Malinen
a1b790eb9d Select AP based on estimated maximum throughput
This modifies the BSS selection routines to calculate SNR and estimated
throughput for each scan result and then use the estimated throughput as
a criteria for sorting the results. This extends the earlier design by
taking into account higher throughput rates if both the AP and local
device supports HT20, HT40, or VHT80. In addition, the maximum rate is
restricted based on SNR.

In practice, this gives significantly higher probability of selecting
HT/VHT APs when there are multiple BSSes in the same ESS and SNR is not
low enough to prevent higher MCS use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-22 11:09:54 +02:00
Jouni Malinen
abae2d1a3c trace: Initialize alloc_list even without os_program_init() call
This makes it somewhat easier to use CONFIG_WPA_TRACE=y build with
external programs that might not be aware of the initialization
requirement, e.g., when linking wpa_ctrl.c with a program that does not
use the os_*() wrappers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-21 17:34:37 +02:00
Stefan Tomanek
891dfb3336 Add helper function to clear and free wpa_psk list
This change adds the function hostapd_config_clear_wpa_psk() that
deletes an entire wpa_psk structure, making sure to follow the linked
list and to free the allocated memory of each PSK node. This helps to
prevent memory leaks when using PSKs from multiple sources and
reconfiguring the AP during runtime.

Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
2015-02-21 17:11:15 +02:00
Eliad Peller
abb8d08b8a nl80211: Add support for configuring P2P GO CTWindow
Configure the GO CTWindow on APstart if the driver supports it and this
parameter is set in wpa_supplicant configuration.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2015-02-21 16:07:53 +02:00
Eliad Peller
0b8bcaa50f P2P: Allow configuring CTWindow when working as GO
Read p2p_go_ctwindow (0-127 TUs) from the config file, and pass it to
the driver on GO start.

Use p2p_go_ctwindow=0 (no CTWindow) by default.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2015-02-21 16:07:53 +02:00
Arik Nemtsov
c77ffc6daf TDLS: Ignore extra padding in all packets
Some APs (e.g., Cisco 1260) sometimes add padding to the end of short
TDLS management packets and that can look like invalid IEs. This was
allowed on M3 and discovery packets, but not in others. Allow it for the
other packets as well, since required IEs are verified in the code
anyway.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2015-02-21 16:07:53 +02:00
Janusz Dziedzic
563ee1832b IBSS: Add support for VHT80 configuration
Configure VHT80 based on driver capabilities.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-02-21 16:07:53 +02:00
Janusz Dziedzic
ada157f3b0 Make hostapd_set_freq_params() common
Now this function can also be used from wpa_supplicant.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-02-21 16:07:53 +02:00
Janusz Dziedzic
4d9e6fba2a IBSS: Add fixed_freq network parameter
Add fixed_freq=<0/1> network block parameter and pass it to the driver
when starting or joining an IBSS. If this flag is set, IBSS should not
try to look for other IBSS networks to merge with on different channels.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-02-21 16:07:53 +02:00
Romain Naour
97fc2dc612 Allow libnl-3.0 include path be specified
The '/usr/include/libnl3' header path is unsafe for cross-compilation.
Use pkg-config to find libnl-3.0 headers by default and alternatively,
allow LIBNL_INC=<path> to be used in .config to override.

Signed-off-by: Romain Naour <romain.naour@openwide.fr>
2015-02-21 11:36:53 +02:00
Jouni Malinen
58d405fcdb Fix OCSP debug messages
These were not supposed to include a newline at the end of the message
text since such formatting gets handled by tls_show_errors(). In
addition, change the message about the issuer's issuer to be more
accurate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:33:33 +02:00
Jouni Malinen
710dfb4e32 OpenSSL: Fix OCSP error path
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:32:05 +02:00
Subhani Shaik
bd7bb43784 HTTP: Fix OCSP error path
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-19 13:29:55 +02:00
Ahmad Kholaif
480994dafb nl80211: Allocate QCA vendor subcmds for DFS radar detected and CAC events
When DFS offloading capability is supported by the driver, the driver
should use these events to indicate when a radar pattern has been
detected, channel availability check (CAC) has been completed, aborted
or finished after the non-occupancy period is over on a DFS channel.

Also, add a new driver.h event to be used by NL80211 to indicate CAC
Started event on a DFS channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-11 16:51:33 +02:00
Jouni Malinen
c165cb400c Drop all hostapd STA entries on interface disabled event
If the driver indicates that the interface has been disabled, assume
that all associations have been lost and remove the hostapd STA entries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-11 10:31:12 +02:00
Jouni Malinen
106fa1e97e nl80211: Indicate interface-down event only for the main netdev
RTM_NEWLINK event without IFF_UP were processed for all related
interfaces (including VLANs and bridge). While these events may need to
be processed for other purposes, they should not end up claiming that
the main interface has been disabled, so indicate
EVENT_INTERFACE_DISABLED only if the ifname matches the first BSS ifname
for the interface. In addition, fix some of the ifup/down checks from
if_indextoname() cases to actually use the resolved ifname (namebuf)
rather than hardcoding the first configured ifname to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-11 10:31:12 +02:00
Jouni Malinen
eeb1cb28a2 VLAN: Clean up RTM_NEW/DELLINK processing
This uses couple of additional helper macros and prints more debug
information to make the VLAN events easier to analyze.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-11 10:31:12 +02:00
Peter Oh
47e5fbde44 hostapd: Avoid sending client probe on removed client
Sending client probe on already removed client from kernel driver does
not have any benefit and may lead unintended behavior among variable
drivers (mac80211 has a WARN_ON() that could have been triggered after
ifconfig down+up earlier when hostapd did not re-enable beaconing on
ifup). Skip this step in discussion when the kernel driver reports that
client entry is removed.

Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
2015-02-10 22:21:03 +02:00
Jouni Malinen
34782730c0 Re-configure WPA2 group keys on hostapd interface re-enable
This allows WPA2 mode AP to be re-enabled automatically after external
ifconfig down + up on a netdev used by hostapd.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-10 20:27:00 +02:00
Jouni Malinen
f33c8606f4 Re-enable beaconing on interface disable+enable
This is a step towards enabling hostapd to restart AP mode functionality
if the interface is disabled and re-enabled, e.g., with ifconfig down
and up. This commit takes care of beaconining only which may be
sufficient for open mode connection, but not for WPA2 cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-10 20:27:00 +02:00
Jouni Malinen
fc99fab7e5 nl80211: Print a debug log entry on NL80211_CMD_PROBE_CLIENT failures
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-10 20:27:00 +02:00
Jouni Malinen
0d2f324d67 P2P: Fix send_action_in_progress clearing in corner cases
It is possible for an Action frame TX operation to be stopped in a way
that results in the TX status callback function not being called. This
could happen, e.g., when P2P_STOP_FIND was issued while waiting for PD
Response TX status. This specific case ended in leaving
p2p->send_action_in_progress set to 1 and that ending up stopping a
future TX operation when p2p_send_action_cb() gets called with
p2p->pending_action_state == P2P_NO_PENDING_ACTION.

This could result in reception of a fragmented service discovery
response failing due to the GAS sequence getting stopped when receiving
TX callback for the first GAS comeback request. That sequence could be
hit in mac80211_hwsim tests when p2p_listen_and_offchannel_tx was
followed by p2p_service_discovery_fragmentation (even after a long time
since this was on dev1 and there could be even 10 minutes between these
test cases).

Fix this issue by clearing send_action_in_progress whenever stopping
pending P2P operation with p2p_stop_find (or P2P_FLUSH for that matter).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-10 00:41:27 +02:00
Ahmad Kholaif
e0761c5b4a nl80211: Allocate QCA vendor subcmd for DFS CAC Start event
When DFS offloading capability is supported by the driver, the driver
should use this event to indicate when channel availability check (CAC)
is started on a DFS channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-09 18:48:36 +02:00
Jouni Malinen
1db718b3ce nl80211: Test vendor command and event
This adds testing code (for CONFIG_TESTING_OPTIONS=y builds only) to
send an nl80211 vendor command and report a test vendor event in case
the driver supports this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-09 18:07:29 +02:00
Ilan Peer
c612ae97a4 AP: Do not reply to Probe Request frames with DS Params mismatch
Do not reply to a Probe Request frame with a DSSS Parameter Set element
in which the channel is different than the operating channel of the AP,
as the sending station is not found on the AP's operating channel.

IEEE Std 802.11-2012 describes this as a requirement for an AP with
dot11RadioMeasurementActivated set to true, but strictly speaking does
not allow such ignoring of Probe Request frames if
dot11RadioMeasurementActivated is false. Anyway, this can help reduce
number of unnecessary Probe Response frames for cases where the STA is
less likely to see them (Probe Request frame sent on a neighboring, but
partially overlapping, channel).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-02-08 22:49:41 +02:00
Jouni Malinen
99650cadc9 Add STOP_AP control interface command
This is mainly for testing purposes to allow beaconing to be stopped
without clearing AP state in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-08 13:35:49 +02:00
Jouni Malinen
6b00512164 P2P: Add event messages for P2P_CONNECT-fallback-to-GO-Neg
This makes it easier for upper layer programs to follow progress of
P2P_CONNECT-auto operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-08 13:35:48 +02:00
Masashi Honma
79ddb2062e mesh: Add a monitor event on SAE authentication getting blocked
Send MESH-SAE-AUTH-BLOCKED event if SAE authentication is blocked. The
BLOCK state will finish when a new peer notification event is sent for
the same MAC address.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-02-07 22:33:23 +02:00
Masashi Honma
dd2cbafc89 mesh: Add a monitor event for SAE authentication failure
SAE authentication fails likely with wrong password. This commit adds a
notification of the failure to the upper application (UI) so that the
application can notify suspection of a wrong password to the user. The
control interface monitor even for this is "MESH-SAE-AUTH-FAILURE
addr=<peer>".

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-02-07 22:23:34 +02:00
Masashi Honma
0cb5f8d945 mesh: Fix inactivity timer for 32 bit system
Commit 5a2a6de6a5 ('mesh: Make inactivity
timer configurable') has a problem on 32 bit systems. Setting
NL80211_MESHCONF_PLINK_TIMEOUT to 0xffffffff causes expiration of STA in
a minute by NL80211_CMD_DEL_STATION event. this is the kernel rule for
STA expiration:

(current jiffies) > (frame Rx jiffies + NL80211_MESHCONF_PLINK_TIMEOUT * 250)

On a 32 bit system, the right side could overflow and be unexpected
small value if NL80211_MESHCONF_PLINK_TIMEOUT is sufficiently large. STA
expiration occurs by this reason.

This patch solves the problem by disabling the STA expiration
functionality in mac80211. However, old kernel does not support
disabling it. If so, this patch sets mac80211 inactivity timer 60
seconds into future from the wpa_supplicant inactivity timer.

And I mis-understood that mesh_max_inactivity=0 disables inactivity
timer in wpa_supplicant. This commit fixes it also.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-02-07 22:20:45 +02:00
Jouni Malinen
4fada1215d Fix HT40 co-ex scanning issue on hostapd error path
If HT40 co-ex scan fails due to the driver rejecting scan triggers
multiple times, it was possible for the ap_ht40_scan_retry() timeout
being left behind and it getting run after hapd->drv_priv has been
cleared. This would result in NULL pointer dereference in
driver_nl80211_scan.c. Fix this by canceling the timeout when disabling
the interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-07 15:37:13 +02:00
Jouni Malinen
23ed011bea Fix Linux packat socket regression work around
Commit e6dd8196e5 ('Work around Linux
packet socket regression') added a mechanism to close the workaround
bridge socket in l2_packet_receive(). However, it did not take into
account the possibility of the l2->rx_callback() closing the l2_packet
socket altogether. This could result in use of freed memory when usin
RSN pre-authentication. Fix this by reordering the calls to clear the
workaround socket before calling the rx_callback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-07 15:37:13 +02:00
Jouni Malinen
0d7eb4344f ACS: Accept channel if any (rather than all) survey results are valid
Previously, a channel with even a single scan/survey result missing
information was skipped in ACS. This may not be desirable in cases when
multiple scan iterations are used (which is the case by default in
hostapd). Instead, use all channels that provided at least one complete
set of results. Calculate the average interference factor as an average
of the iterations that did provide complete values.

This seems to help with some cases, e.g., when ath9k may not be able to
report the noise floor for all channels from the first scan iteration
immediately after the driver has been loaded, but then returns it for
all other scan iterations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 21:26:32 +02:00
Jouni Malinen
68fa00c341 ACS: Allow specific channels to be preferred
The new acs_chan_bias configuration parameter is a space-separated list
of <channel>:<bias> pairs. It can be used to increase (or decrease) the
likelihood of a specific channel to be selected by the ACS algorithm.
The total interference factor for each channel gets multiplied by the
specified bias value before finding the channel with the lowest value.
In other words, values between 0.0 and 1.0 can be used to make a channel
more likely to be picked while values larger than 1.0 make the specified
channel less likely to be picked. This can be used, e.g., to prefer the
commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 17:59:57 +02:00
Jouni Malinen
6f41a25805 ACS: Use weighted average for 2.4 GHz adjacent channel interference
The interference factors for adjacent 2.4 GHz channels were summed
together without doing any kind of weighted average on them. This
resulted in the channels at the band edges getting undue preference due
to only including interference factors from three channels vs. five for
the channels in the middle of the band.

While it is somewhat unclear whether the design here was supposed to
count overlapping channels together in this way or whether that is
already covered in channel survey results, it is clear that this summing
of three to five values together and then comparing the sum rather than
average of some kind gives too much preference to the channels at the
edges of the band by assuming that there is no interference whatsoever
outside the band.

Use weighted average of the interference factors rather than a sum from
different number of values. For now, the adjacent 2.4 GHz channels get
weight of 0.85 (1.0 for the main channel itself) and the neighboring
channels to those adjacent ones get 0.55 weight. Band-edge channels are
handled in a way that takes average over the channels that were actually
considered instead of assuming zero interference from neighboring bands.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 17:21:17 +02:00
Krishna Vamsi
2c0efd9e49 P2P: Fix stopping on search after SD callback
If p2p_find_timeout triggers after starting SD but before getting TX
status for send action, unwanted search could get triggered again when
TX status arrives though p2p_find_timeout moved the state to P2P_IDLE by
then. p2p_continue_find() would then move the state to P2P_SEARCH again.
Do not trigger the find operation from this context if state is
P2P_IDLE to avoid this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-04 20:46:47 +02:00
Jouni Malinen
db3168d414 OpenSSL: Use SSL_cache_hit() when available
This is going to be required for OpenSSL 1.1.0 which makes the SSL
structure opaque. Older versions starting from OpenSSL 1.0.1 include
this function, so start using it now based on OPENSSL_VERSION_NUMBER.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-04 02:04:35 +02:00
Jouni Malinen
68ae4773a4 OpenSSL: Use library wrapper functions to access cert store
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to cert ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-04 01:58:37 +02:00
Jouni Malinen
abe96d0605 P2P: Clean up Listen channel optimization debug prints
Do not claim to change the Listen channel in a debug message when
previously configured channel prevents this. In addition, fix a typo in
another related debug print.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 16:13:35 +02:00
Jouni Malinen
d027c7b118 Fix 20/40 MHz co-ex report processing with obss_interval=0
If OBSS scan interval is not set, the AP must not schedule a timeout to
restore 40 MHz operation immediately after having moved to a 20 MHz
channel based on an unsolicited co-ex report. Fix this by scheduling the
timeout only if obss_interval is non-zero.

Since we do not currently support AP doing OBSS scans after the initial
BSS setup, this means practically that 40-to-20 MHz transition is
allowed, but 20-to-40 MHz is not with obss_interval=0. The latter gets
enabled if obss_interval is set to a non-zero value so that associated
STAs can take care of OBSS scanning.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 12:29:37 +02:00
Krishna Vamsi
ae2dd835be P2PS: Allow PD retry in SEARCH and LISTEN_ONLY also
p2p_timeout_prov_disc_req is getting triggered in P2P_IDLE,
P2P_SEARCH and P2P_LISTEN_ONLY states. Retry logic should not be
limited to only P2P_IDLE state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 01:35:07 +02:00
Krishna Vamsi
0cf12b322d P2PS: Send P2P_FIND_STOPPED event during P2P SD also
During service discovery if P2P_FIND times out, P2P_FIND_STOPPED event
is sent to upper layers to allow follow up P2P_FIND commands. This needs
to be done also in case an SD was in progress during the find operation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 01:35:07 +02:00
Krishna Vamsi
9e96e46456 P2PS: PD Response processing
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 01:35:07 +02:00
Krishna Vamsi
ab8ee776b9 P2PS: Provision Discovery fail event
This extends P2P-PROV-DISC-FAILURE with adv_id and deferred_session_resp
in P2PS cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 01:35:07 +02:00
Krishna Vamsi
1300cc8e8f P2PS: PD Request processing and PD Response building
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 01:35:07 +02:00
Krishna Vamsi
5fefce2747 P2PS: Callback to send P2PS provisioning events
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 01:35:07 +02:00
Krishna Vamsi
9a58e521ac P2PS: Callback to create pending group after sending PD Response
This introduces a P2P module callback function that will be used to
create the pending P2PS group after sending PD Response and receiving
ACK status for it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 01:35:07 +02:00