My APs generate their configuration on their own using a different
number of (vlan-enabled) bss. Currently, all my vlan_file files consist
of a single line: the wildcard line. Configuration file generation would
be easier, if the hostapd configuration file would not depend on those
simple vlan_file files.
This patch removes the need for those one-line files by using the
<device>.<vlan> naming scheme if no vlan_file is given (or that file is
empty). This should not break any existing setup, as using dynamic_vlan
with no vlan configured does not make sense anyway.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
When a specific out-of-band Device Password is enabled, it can be useful
to be able to advertise that in the selected registrar information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
All P2P use cases are required to use the global operating table and
there is no need to need to try to maintain some backwards compatibility
with country code -specific values. Clean up the implementation by
removing the unnecessary country parameter.
Signed-hostap: Jouni Malinen <j@w1.fi>
Reset ft_completed if STA receives deauthentication
between FT reassoc success and the subsequent initial
mobility authentication and association.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit fb8984fd6f added a mechanism to
skip the Listen state when the peer is expected to be waiting for us to
initiate a new GO Negotiation. However, this flag was set when building
the GO Negotiation Response frame with status 1 regardless of whether we
managed to send that frame or peer receive it. This could result in GO
Negotiation failures in cases where the peer did not receive the
response and Listen channels of the devices were different. Fix this by
setting the flag only after TX status indicating success has been
received.
This fixes frequent failures shown for the test_grpform_pbc hwsim test
case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
We should not call getSessionID method if it's not provided. This fixes
a regression from commit 950c563076 where
EAP methods that did not implement getSessionId resulted in NULL pointer
dereference when deriving the key.
Signed-off-by: Shijie Zhang <shijiez@qca.qualcomm.com>
When Action frame TX is postponed until a pending p2p_scan completes,
there may be additional operations that need to be continued after the
postponed Action frame TX operation completes. Fix this by starting
pending operation (if any) from TX status event for after_scan_tx
frames.
This fixes common errors seen with the test_discovery hwsim test case.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add "EAPLogoff" and "EAPLogon" interface DBus commands which
parallel the "logoff" and "logon" wpa_ctrl commands which terminate
and restart EAP authentication. Slightly enhance the "logon" case
by expiring any running "startWhile" timer.
Signed-hostap: Paul Stewart <pstew@chromium.org>
In order to test clients in scenarios where APs may (randomly)
drop certain management frames, introduce some testing options
into the hostapd configuration that can make it ignore certain
frames. For now, these are probe requests, authentication and
(re)association frames.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This option can be used only for global parameters that are not going
to be changed from settings.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Iliyan Malchev <malchev@google.com>
Dmitry reported that the kernel could no longer parse the
scheduled scan attributes correctly after my patch to use
nla_nest_start/nla_nest_end. The reason is that the wrong
attribute is closed I accidentally made it close the full
scan config instead of just the SSID match set.
Reported-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Harmonize EAP status events over control interface to provide same
functionality as existing D-Bus callback.
Signed-hostap: Chris Hessing <chris.hessing@cloudpath.net>
A kernel commit ("mac80211: fix FT roaming") started validating that the
STA entry is marked associated when adding a key. While this is needed
to fix some FT use cases with hardware crypto, it has a side effect of
breaking TDLS key configuration. Work around this by trying to
re-configure the key for the direct link after the STA entry has been
set with all information. In addition, try to tear down the link if
anything goes wrong in key configuration (if both attempts fail) or
enabling the link in the driver.
Signed-hostap: Jouni Malinen <j@w1.fi>
"WPS_NFC_CONFIG_TOKEN <WPS/NDEF> <network id>" can now be used to build
an NFC configuration token from a locally configured network.
Signed-hostap: Jouni Malinen <j@w1.fi>
This extends the WPS ER commands that previously accepted only UUID as
an identifier for an AP to use either UUID or BSSID for this.
Signed-hostap: Jouni Malinen <j@w1.fi>
wps_build_public_key() takes the dh_ctx into use and another attempt to
use the same DH keys fails with wps->dh_ctx being set to NULL. Avoid
this by using the DH parameters only if dh_ctx is valid. This fixes
cases where a use of local pre-configured DH keys followed by an
operating using peer DH keys would faild due to unexpected attempt to
use local keys again.
Signed-hostap: Jouni Malinen <j@w1.fi>
Some extended capabilities (I'm currently interested in "Operating Mode
Notification" for VHT) are implemented by the kernel driver and exported
in nl80211. Use these in hostapd/wpa_supplicant.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The new wps_independent=1 configuration parameter can be used to remove
interfaces from the shared hostapd process WPS control (i.e., to apply
WPS operations only to a subset of interfaces instead of all).
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows WPS to update AP configuration in the case no hostapd
configuration file is used (i.e., dynamic configuration through the
control interface).
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of allocating a new message and then moving that into
the message being built, use nla_nest_start() and put the data
into the message directly.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
As per P2P specification v1.2: "The P2P Group Info attribute shall be
omitted if there are zero connected P2P Clients."
Do not add the attribute if there are not connected peers.
Signed-hostap: Chaitanya T K <chaitanya.mgit@gmail.com>
When the OS is out of random bytes in SM_STATE(WPA_PTK, AUTHENTICATION2)
in ap/wpa_auth.c, hostapd sends the sm to state DISCONNECT without
clearing ReAuthenticationRequest, resulting in an infinite loop.
Clearing sm->ReAuthenticationRequest using gdb fixes the running hostapd
instance for me. Also sm->Disconnect = TRUE should be used instead of
wpa_sta_disconnect() to make sure that the incomplete ANonce does not
get used.
Fix this issue by resetting sm->ReAuthenticationRequest even if the STA
gets disconnected and use sm->Disconnect instead of
wpa_sta_disconnect().
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
A non-HT capable AP on any channel could have triggered us to enable
protection regardless of own operating channel if the driver delivered
Beacon frames from other channels. The channel detection in ap_list is
not exactly ideal, but most cases can be handled by checking ap->channel
against the currently configured channel (or secondary channel in case
of HT40).
Signed-hostap: Jouni Malinen <j@w1.fi>
This iter_next/iter_prev pointers were not really used for anything, so
get rid of the unnecessary complexity in the AP list maintenance.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 6b56cc2d97 added a possible call to
p2p_reset_pending_pd() prior to checking config_methods match between
our request and peer response. That reset call could clear
dev->req_config_methods and as such, result in unexpected
P2P-PROV-DISC-FAILURE report here even in cases where the peer accepts
the provision discovery. Fix this by using a local copy of the
req_config_methods variable.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new -G<group> command line argument can now be used to set the group
for the control interfaces to enable cases where hostapd is used without
a configuration file and the controlling program is not running with
root user privileges.
Signed-hostap: Jouni Malinen <j@w1.fi>
Enhance TDLS Setup Request processing to support both external and
internal TDLS setup for the case where concurrent TDLS initialization
results in the TDLS Setup Request from the peer getting accepted.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_tdls_peer_free() ended up getting called after some of the
parameters from the TDLS Setup Request frame were copied into the struct
wpa_tdls_peer information. This could result in continuing with cleared
information in case the new exchange was the one that is used in
concurrent initialization case or if this is to re-negotiated an
existing TDLS link. The driver would not be provided with all the peer
capabilities correctly in such case.
Fix this by moving the existing_peer check to happen before the
information from the TDLS Setup Request frame is copied.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If we accept the peer TPK M1 after having sent our TPK M1, we need to
reject TPK M2 from the peer to avoid going through two TDLS setup
exchanges.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
In some cases where the ack for Invitation response is lost,
the device is stuck in invited state but the peer device starts
GO. In line with the implementation of Negotiation Confirm,
assume invitation response was actually received by the peer
even though ack was not reported.
Signed-hostap: Vivek Natarajan <nataraja@qca.qualcomm.com>
Commit b52f084cfa introduced a mechanism
for adding arbitrary vendor-specific elements into the Beacon and Probe
Response frames. However, this information was not added to the separate
buffers used for specifying Beacon and Probe Response IEs for drivers
that build the frames internally. Add vendor_elements to these values,
too, to support such drivers in addition to drivers that use the full
Beacon tail/head buffers.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When the wiphy information is split, there's no guarantee that the
channels are processed before the bitrates; in fact, with the current
kernel it happens the other way around. Therefore, the mode information
isn't set up correctly and there's no 11g mode.
Fix this by doing the 11b/11g determination as part of the
postprocessing.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Previously, P2P_PD_DURING_FIND state was scheduled for 200 ms and the
P2P state was not change until that timeout regardless of whether the PD
Response for recieved or not. There is no need to wait for that timeout
if the response is received, so allow the next operation to be performed
immediately after the response has been processed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to understand how scan operations and events occur
when multiple interfaces is being controlled by a single wpa_supplicant
process.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add a driver capability flag for drivers which support IBSS mode and set
it for nl80211 drivers which have set the NL80211_IFTYPE_ADHOC.
Add a new option "modes" to "get_capability" which will return "AP" and
"IBSS" if the corresponding capability flags are set.
The idea is that this can be used for UIs to find out if the driver
supports IBSS mode.
Signed-hostap: Bruno Randolf <br1@einfach.org>
Clear WLAN_STA_ASSOC_REQ_OK, otherwise no Class 3 frame will be sent to
the disconnected STA in response to data frames.
Signed-hostap: Felix Fietkau <nbd@openwrt.org>
If a peer replies to persistent group invitation with status code 8
(unknown group), remove the peer from the p2p_client_list if we are the
GO or remove the persistent group if we are the P2P client since it
looks like that the peer has dropped persistent group credentials and
the provisioning step needs to be executed again.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 50285f5ca8 changed number of rules
in channel selection and among other things, it broke the design where
the currently used operating channel on a virtual interface that is
shared by the same radio is preferred to avoid costs related to
multi-channel concurrency. Fix this regression by making the P2P module
aware of the shared channel and using that preference as the highest
priority when re-selecting the channel during negotiation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 50285f5ca8 ended up forcing channel
re-selection in number of cases where the peer would actually have
accepted our initial preference. Fix the parts related to best channel
information by using best_freq_overall as the highest priority and by
skipping the band changes if the peer supports the channel that we
picked since these were based on the assumption that
p2p_reselect_channel() is called only if the peer could not accept our
initial choice which is not the case anymore.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the previously started setup is terminated in case both peers
initiate TDLS link at more or less the same time, disable the old link
to allow the dummy station entry to be deleted from cfg80211 so that a
new entry can be added for the setup direction that will be allowed to
proceed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add NL80211_CMD_UPDATE_FT_IES to support update of FT IEs to the
WLAN driver. Add NL80211_CMD_FT_EVENT to send FT event from the
WLAN driver. This will carry the target AP's MAC address along
with the relevant Information Elements. This event is used to
report received FT IEs (MDIE, FTIE, RSN IE, TIE, RICIE).
Signed-off-by: Deepthi Gowri <deepthi@codeaurora.org>
It is possible for a P2P client to connect to an operating group without
exchanging any Probe Request/Response frames that would allow the GO to
discover the peer. To make sure there is a P2P peer entry at the GO, try
to add the peer information based on P2P IE in (Re)Association Request
frame.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add support for VHT capability overrides to allow testing connections
with a subset of the VHT capabilities that are actually supported by
the device. The only thing that isn't currently supported (by mac80211
and this code) is the RX/TX highest rate field.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This implements support for the new NL80211_ATTR_SPLIT_WIPHY_DUMP in
nl80211 to handle wiphy information that cannot fit in one message.
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-hostap: Dennis H Jensen <dennis.h.jensen@siemens.com>
The peer commit element needs to be validated to pass one of the steps
listed in IEEE 802.11, 11.3.5.4:
scalar-op(r, ELEMENT) = 1 modulo p
Similar step was present for ECC groups, but was missing for FFC groups.
This is needed to avoid dictionary attacks.
Thanks to Michael Roßberg and Sascha Grau for reporting this.
Signed-hostap: Jouni Malinen <j@w1.fi>
It is clearer to keep all the validation steps described in IEEE 802.11
11.3.5.4 in a single location instead of splitting this between the
parsing and processing functions.
Signed-hostap: Jouni Malinen <j@w1.fi>
Peer device includes its list of allowed operating channels in the
Invitation Response frame. When we are becoming the GO, use that list
from the peer to filter out acceptable channels to avoid selecting a
channel that the peer is unable to use.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When re-invoking a persistent group in P2P client role, the new
pref=<MHz> parameter can now be used with the p2p_invite command to
indicate a preferred operating frequency. Unlike the older freq=<MHz>
parameter, this leaves GO an option to select another channel (from our
supported channels) if the GO cannot accept the channel.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If multi channel concurrency is supported, we have to populate the
p2p_channels with list of channels that we support. Use the same design
that was previously added for GO Negotiation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The VHT IE struct just has an opaque 8-byte array for the MCS
set, make it more expressive by explicitly naming the pieces.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Commit fb8984fd6f cleared wps_method to
WPS_NOT_READY in p2p_stop_find_for_freq() as an attempt to clear
authorization when a group formation is cancelled. However, this code
path is hit also in cases where the user did not actually cancel
anything (e.g., from p2p_process_go_neg_req()). As such, it is not fine
to clear wps_method here even if it could be proper for some cases. For
now, revert that part to avoid regressions and consider clearing
wps_method on cancel separately.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
In case we have replied to a peer's GO Negotiation Request frame with a
GO Negotiation Response frame using status code
info-currently-unavailable (1), the peer is likely going to wait for us
to initiate GO Negotiation on its Listen channel. We were previously
using alternativing send-GO-Neg-Req and Listen phase when providing that
response after the user had authorized the connection. However, the
Listen phase here is unnecessary in this case and will make the
connection take longer time to go through. Skip the Listen phase and
make the wait-for-GO-Neg-Resp timeout random between 100 and 200 ms to
avoid getting in sync with the peer. In practice, this will make us
retry GO Negotiation Request frames more frequently and remain on the
peer's Listen channel for most of the time when initiating GO
Negotiation after status=1 response.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There may be environments in which large number of devices are operating
on the social channels. In such cases, it is possible for the Action
frame TX operation wait for quite long time before being able to get the
frame out. To avoid triggering GO Negotiation failures, increase the
timeouts for GO Neg Req (with TX ACK) and GO Neg Resp (with or without
TX ACK as long as status=0) to 500 ms.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This flag will add ==== delimiter between to separate bss results.
Unlike the other BSS command MASK values, this delimiter is not
included by default to avoid issues with existing users of the BSS
command.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
It is possible for the driver to indicate multiple Probe Request frames
that would be processed in a single loop. If those frames happen to be
from a peer which with we are trying to start GO Negotiation, multiple
timeouts to start GO Negotiation (p2p_go_neg_start) could end up being
scheduled. This would result in confusing burst of multiple GO
Negotiation Request frames being sent once the RX loop finally
concludes. Avoid this by scheduling only a single eloop timeout to
trigger GO Negotiation regardless of how many Probe Request frames from
the peer is received. In addition, make sure this timeout gets canceled
in p2p_deinit().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If we have already sent out GO Negotiation Response and are waiting for
the peer to reply with GO Negotiation Confirm, there is no point in
re-starting GO Negotiation based on Probe Request frame from the peer.
Doing that would just result in confusing GO Negotiation exchange with
multiple sessions running at the same time.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The device that is selected as the GO shall incode P2P Group ID
attribute in GO Negotiation Response/Confirm message. Previously we did
not reject a message without that attribute since it was possible to
continue operations even without knowing the SSID. However, this can
potentially result in confusing results since missing P2P Group ID
attribute can be a sign of conflicting GO role determination (both
devices assuming the peer is the GO). To get clearer end result for the
GO Negotiation, reject this as a fatal error. In addition, stop GO
Negotiation if GO Negotiation Confirm indicates non-zero status since
that is also a fatal error.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 624b4d5a64 changed GO Negotiation
to use the same Dialog Token value for all retransmissions of the GO
Negotiation Request within the same session. However, it did leave the
tie breaker bit changing for each frame. While this should not have
caused issues for most cases, it looks like there are possible sequences
where the peer may end up replying to two GO Negotiation Request frames
with different tie breaker values. If in such a case the different GO
Negotiation Response frames are used at each device, GO role
determination may result in conflicting results when same GO intent is
used.
Fix this by assigning the tie breaker value at the same time with the
dialog token (i.e., when processing the p2p_connect command instead of
for each transmitted GO Negotiation Request frame) to avoid issues with
GO selection.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The information of the peer's VHT capability is required for the
driver to establish a TDLS link in VHT mode with a compatible peer.
Pass this information to the driver when the peer station is
getting added.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
WSC specification 2.0 section 7.4 describes OOB password to be expressed
in ASCII format (upper case hexdump) instead of raw binary.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 2d9ffe1e85 broke GAS server
callback for receiving Public Action frames. The incorrect context
pointer was used in the public_action_cb2 case. Fix this to use the
correct context pointer.
Signed-hostap: Jouni Malinen <j@w1.fi>
Hostapd provides QoS info of the STA (Service Period & AC mask) to the
kernel during wpa_driver_nl80211_sta_add call. Bit 5 and Bit 6 of QoS
info represents the Max SP length. Fix an issue in the code to fetch the
Max SP by shifting right the QoS info by value WMM_QOSINFO_STA_SP_SHIFT.
(operator ">" is replaced with ">>" operator).
Signed-off-by: Srinivasan <srinivasanb@posedge.com>
"WPS_NFC_TOKEN <WPS/NDEF>" used to generate a new NFC password token
regardless of whether there was a pre-configured token in the
configuration. Change this to use the pre-configured value, if
available, instead. This allows the same command to be used to write the
password token to an NFC tag more conveniently.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The contents of the peer's capability and extended capability
information is required for the driver to perform TDLS P-UAPSD and Off
Channel operations. Pass this information to the driver when the peer
station is getting added.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The information of the peer's HT capability and the QOS information is
required for the driver to perform TDLS operations. Pass this
information to the driver when the peer station is getting added.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Registrar is allowed to propose another Device Password ID in M2. Make
Enrollee validate Device Password ID in M2 to check if this happened.
This commit adds support for changing from NFC password token to default
PIN for the case where the AP is the Enrollee and has both the NFC
password token and AP PIN enabled at the same time.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit ffdaa05a6b added support for using
NFC password token from an AP. However, it had a bug that prevented the
wpa_supplicant wps_reg command from being used with "nfc-pw" as the PIN
value. Fix string comparison to handle this correctly.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A TDLS Teardown frame with Reason Code 3 (Deauthenticated because
sending STA is leaving (or has left) IBSS or ESS) shall be transmitted
to all TDLS peer STAs (via the AP or via the direct path) prior to
transmitting a Disassociation frame or a Deauthentication frame to the
AP.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The driver may have cached (e.g., in cfg80211 BSS table) the scan
results for relatively long time. To avoid reporting stale information,
update P2P peers only based on results that have based on frames
received after the last p2p_find operation was started.
This helps especially in detecting when a previously operating GO stops
the group since the BSS entry for that could live for 30 seconds in the
cfg80211 cache. Running p2p_flush followed by p2p_find will now allow
wpa_supplicant to not add a P2P peer entry for that GO if the group had
been terminated just before that p2p_flush command. Previously, that GO
could have been indicated as a newly found device for up to 30 seconds
after it had stopped the group.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
For various P2P use cases, it is useful to have more accurate timestamp
for the peer information update. This commit improves scan result
handling by using a single timestamp that is taken immediately after
fetching the results from the driver and then using that value to
calculate the time when the driver last updated the BSS entry. In
addition, more debug information is added for P2P peer updates to be
able to clearly see how old information is being used here.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If we discover a P2P peer based on a Beacon frame from the GO role, we
do not get information about the supported configuration methods. This
can result in issues if the P2P managing entity above wpa_supplicant is
not prepared to handling config_methods=0x0. To avoid this, postpone
reporting of the P2P-DEVICE-FOUND event when this happens on one of the
social channels. It would be good to be able to this on all channels,
but that could result in issues of never indicating the event for a peer
that is operating a GO on a channel that requires passive scanning.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
It could be possible for the scan results to include two entries for a
peer, one from the Listen state and the second one from the GO role. The
latter could be based on a Beason frame. If that happens and the entry
from GO is processed last, the P2P peer config_methods value could
potentially get cleared since Beacon frames do not include this
information in either WPS or P2P element. Avoid this by allowing the
config_methods value for P2P peers to be updated only if the new value
is non-zero.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Since there could be multiple carrier records, it is cleaner to build
only the WPS carrier record instead of full NFC connection handover
request within wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
Control interface command "NFC_GET_HANDOVER_SEL NDEF WPS-CR" can now be
used to fetch WPS carrier record from hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
The capability itself isn't really affected by an OBSS
scan, only the HT operation must then be restricted to
20 MHz. Change this, and therefore use the secondary
channel configuration to determine the setting of the
OP_MODE_20MHZ_HT_STA_ASSOCED flag.
This shouldn't really change anything functionally,
it just makes the code a little less confusing and
is also needed to implement more dynamic bandwidth
changes if ever desired.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This adds a new getSessionId() callback for EAP peer methods to allow
EAP Session-Id to be derived. This commits implements this for EAP-FAST,
EAP-GPSK, EAP-IKEv2, EAP-PEAP, EAP-TLS, and EAP-TTLS.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
In addition to the offload mechanism, the Android configuration and
makefiles are extended to allow this to be configured for the build by
dropping in platform specific configuration files and makefile without
having to modify any existing files.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
ANDROID_SETGROUPS_OVERRIDE macro can now be used to override setgroups()
values based on build configuration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When pending p2p_find fails we need to send p2p_stop_find event to
indicate the previous p2p_find command has been processed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 1a9f6509b3 added support for
fragmenting the P2P IE in Probe Response frames from a GO. However, it
did not take into account the possibility of Wi-Fi Display IE being
included in the same buffer and caused a regression for the cases where
Wi-Fi Display is enabled. Fix this by building the possibly fragmented
P2P IE first and then concatenating the separate IEs together.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
On the DMG (60 GHz) band, capability bits defined differently from
non-DMG ones. Adjust capability matching to cover both cases.
Also, for non-DMG bands, check ESS bit is set.
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
When AP mode operation reject the client, nl80211 layer advertises the
connect failed event with the reason for failures (for example, max
client reached, etc.) using NL80211_CMD_CONN_FAILED.
This patch adds some debug messages whenever such an event is received
from the nl80211 layer and also the same event is posted to the upper
layer via wpa_msg().
Signed-off-by: Raja Mani <rmani@qca.qualcomm.com>
The reason code used for calculating the MIC should correspond to the
reason code with which the teardown frame is sent, as the receiver shall
use the one obtained in the frame for validating the MIC.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If an implicit TDLS set up request is obtained on an existing link or an
to be established link, the previous link was not removed. This commit
disables the existing link on a new set up request. Also,
wpa_tdls_reneg() function was invoking wpa_tdls_start() on an already
existing peer for the case of internal setup, which is incorrect. Thus
the invocation of wpa_tdls_start() is removed in wpa_tdls_reneg() and
also this function is renamed to wps_tdls_remove() as it does not
renegotiation rather shall remove the link (if any) for the case of
external setup.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need to have this check copied to each caller since this
needs to be done for every case when a new peer is being added.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Peer entries were getting added on every discover request from the peer,
thus resulting in multiple entries with the same MAC address. Ensures
that a check is done for the presence of the peer entry and reuse the
existing entry instead of adding a new one.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
GAS server used the same public_action_cb mechanism as P2P to process
Action frames. This ended up overriding P2P processing of Action frames
while running an AP/GO interface with a build that enables Interworking
(e.g., for Hotspot 2.0) and a driver that uses hostapd for AP mode
SME/MLME. Fix this by adding a separate callback registration for the
GAS server. This should really be cleaned up by supporting arbitrary
number of callback handlers, but for now, this addresses the regression
with a minimal change.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Very basic support for OpenBSD. No support for scanning yet, so this needs
ap_scan=0 and expects that the user has configured the interface manually
using ifconfig(8).
Signed-hostap: Mark Kettenis <kettenis@openbsd.org>
Commit 6aaac006af modified the
pmksa_cache_init() prototype, but forgot to update the empty wrapper
function which is used when PMKSA caching is not included in the build.
Signed-hostap: Jouni Malinen <j@w1.fi>
When scan failed, the wpa_driver_nl80211_scan method tried
to recursively call itself, but it passed in the wrong argument
for the void*, and so then it crashed accessing bad memory.
With this fix, hostapd still will not retry the scan later, but
at least it will exit cleanly and won't polute the file system
with core files.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The P2P-FIND-STOPPED event was sent only in the P2P_SEARCH state, but
this needs to be send also in the new continue-search-when-ready states
P2P_CONTINUE_SEARCH_WHEN_READY and P2P_SEARCH_WHEN_READY for consistent
behavior.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Signal the start of EAP authentication as well as when additional
credentials are required to complete.
Signed-hostap: Paul Stewart <pstew@chromium.org>
This was previously included only with NL80211_CMD_ASSOCIATE, but the
information is as useful (if not even more useful) for
NL80211_CMD_CONNECT. It should be noted that cfg80211 does not yet use
this attribute with NL80211_CMD_CONNECT, but that can be added easily.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Each GO Negotiation Request is (re)tried with an unique dialog token and
a GO Negotiation Response / Confirmation from the peer with a mismatched
dialog token is ignored which could result in a failure in this group
formation attempt. Thus, the P2P device would continue retrying the GO
Negotiation Request frames till the GO Negotiation Response frame with a
matching dialog token is received. To avoid the failures due to the
dialog token mismatch in retry cases if the peer is too slow to reply
within the timeout, the same dialog token value is used for every retry
in the same group formation handshake.
It should be noted that this can result in different contents of the GO
Negotiation Request frame being sent with the same dialog token value
since the tie breaker bit in GO Intent is still toggled for each
attempt. The specification is not very clear on what would be the
correct behavior here. Tie breaker bit is not updated on
"retransmissions", but that is more likely referring to the layer 2
retransmission and not the retry at higher layer using a new MMPDU.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows even more memory to be freed when the SAE instance enters
Accepted state. This leaves only the minimal needed memory allocated
during the association which is especially helpful for the AP
implementation where multiple stations may be associated concurrently.
Signed-hostap: Jouni Malinen <j@w1.fi>
Most of the variables are not needed anymore once the SAE instance
has entered Accepted state. Free these to save memory.
Signed-hostap: Jouni Malinen <j@w1.fi>
The rand/mask values and commit scalar are derived using the exact same
operations, so only use a separate function for deriving the commit
element.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no need to postpone this validation step to a separate
processing operation for the commit message, so move the minimal
validation tasks into the parsing functions.
Signed-hostap: Jouni Malinen <j@w1.fi>
Move the bignum comparison part into the bignum library to allow a
single implementation of rand generation for both ECC and FCC based
groups.
Signed-hostap: Jouni Malinen <j@w1.fi>
The groups 22, 23, and 24 are not based on a safe prime and generate a
prime order subgroup. As such, struct dh_group is also extended to
include the order for previously defined groups (q=(p-1)/2 since these
were based on a safe prime).
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows FFC groups to be used with SAE. Though, these groups are not
included in the default sae_groups value based on what is available
since the FFC groups have the additional requirement of using a safe
prime with the current implementation (or specification of the group
order).
Signed-hostap: Jouni Malinen <j@w1.fi>
The optional "reason=<reason code>" parameter to the ctrl_iface
deauthenticate and disassociate commands can now be used to change the
reason code used in the disconnection frame. This can be used, e.g., by
P2P GO to disconnect a single P2P client from the group by sending it an
indication of the group getting terminated (Deauthentication frame with
reason code 3). It needs to be noted that the peer device is still in
possession on the PSK, so it can still reconnect to the group after this
if it does not follow the group termination indication.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit increases the maximum buffer size for P2P Client Info
advertized by the Group Owner in the Probe Response frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use of two variables to track bounds checking seems to be a bit too much
for some static analyzers, so add an extra condition for buffer padding
to avoid incorrect warnings.
Signed-hostap: Jouni Malinen <j@w1.fi>
These verify that a proper pointer type is used and in addition, seems
to get rid of some false static analyzer warnings.
Signed-hostap: Jouni Malinen <j@w1.fi>
The code initializing GMK Counter uses the group pointer value as extra
entropy and to distinguish different group instances. Some static
analyzers complain about the sizeof(pointer) with memcpy, so use a more
explicit type casting to make it more obvious what the code is doing.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
In addition to the trivial change in adding the new group ientifier,
this required changes to KDF and random number generation to support
cases where the length of the prime in bits is not a multiple of eight.
The binary presentation of the value needs to be shifted so that the
unused most significant bits are the zero padding rather than the extra
bits in the end of the array.
Signed-hostap: Jouni Malinen <j@w1.fi>
In addition to the mandatory group 19 (256-bit random ECP group) add
support for groups 20 (384-bit), 25 (192-bit), and 26 (224-bit).
Signed-hostap: Jouni Malinen <j@w1.fi>
The counter>200 check needs to be done before the continue-on-not-found
case to be effective in stopping this loop.
Signed-hostap: Jouni Malinen <j@w1.fi>
The buffer is set based on maximum group prime length, but pwd-value
needs to be correct length for the negotiated group.
Signed-hostap: Jouni Malinen <j@w1.fi>
This makes the SAE implementation a bit simpler by not having to build
the bignum for group order during execution.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.
Signed-hostap: Jouni Malinen <j@w1.fi>
IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
the peer and it is in Authenticated state, the new Commit Message
shall be dropped if the peer-scalar is identical to the one used in
the existing protocol instance.
Signed-hostap: Jouni Malinen <j@w1.fi>
The enum values for struct sae_data::state now match the protocol
instance states as defined in IEEE Std 802.11-2012, 11.3.8.2.2
Signed-hostap: Jouni Malinen <j@w1.fi>
Even if the PAC file does not start with the proper header line, allow
the file to be used if it is empty. [Bug 423]
Signed-hostap: Jouni Malinen <j@w1.fi>
The PMKSA cache expiration timer was not actually ever initialized since
the only place for registering the timeout was in the timeout handler.
Fix this by initializing the timer whenever a new PMKSA cache entry is
added to the beginning of the list (i.e., when it was the first entry or
expires before the entry that was previously going to expire first).
[Bug 393]
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 4378fc14eb started using QoS Data
frames for QoS STAs. It used the correct flags value for WPA/RSN
EAPOL-Key frames, but wrong flags for IEEE 802.1X EAPOL frames. The
WPA_STA_WMM value used in driver_nl80211.c happens to be identical to
WLAN_STA_ASSOC in sta->flags and this makes driver_nl80211.c try to use
QoS header for all STAs. Fix this by properly converting the flags from
WLAN_STA_* to WPA_STA_*. [Bug 426]
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 68a41bbb44 broke fallback from
reauth id to fullauth id by not allowing a second AKA/Identity round to
be used after having received unrecognized reauth_id in the first round.
Fix this by allowing fullauth id to be requested in such a case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 175171ac6c ensured that the PD
requests are retried in join-a-running group case and the Enrollee is
started on either receiving the PD response or after the retries. Each
PD request is retried with an unique dialog token and a PD response from
the GO with a mismatched dialog token is ignored. Thus, the P2P client
would continue retrying the PD requests till the response with a
matching dialog token is obtained. This would result in the GO getting
multiple PD requests and a corresponding user notification (POP UP) in
implementations where each PD request results in a POP UP, resulting in
a bad user experience. To avoid such behavior, the same dialog token
value is used for every retry in the same PD exchange.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_driver_nl80211_ap() returned error if set_freq failed, but left the
previously set nlmode to GO/AP. While this should not be issue for most
purposes, it leaves the interface in somewhat unexpected state and could
potentially affect operations prior to next connection attempt. Address
this by restoring the previous nlmode if AP mode cannot be started for
some reason.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to read the code for the two possible cases
(forced/preferred channel and automatic channel selection).
Signed-hostap: Jouni Malinen <j@w1.fi>
Since the operating channel is randomly set to 1/6/11 on init, which is
commonly included in the channel intersection, we were effectively
ignoring the set of P2P preferred channels when trying to improve
channel selection after having received peer information. Fix this by
trying to get the best channel we can, unless the user hard coded the
operating channel in the configuration file or p2p_connect command. Fall
back to the initial randomly selected channel if a better one cannot be
chosen.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
Even if the peer does not accept the forced channel, we should not allow
the forced_freq parameter to be be overridden, i.e., such a case needs
to result in GO Negotiation failure.
Signed-hostap: Jouni Malinen <j@w1.fi>
Both p2p_connect and p2p_authorize use the same functionality to select
the channel preferences for GO Negotiation. The part of setting this
device flag was copied to each function, but it can also be handled by
the shared function after some reordering of code.
Signed-hostap: Jouni Malinen <j@w1.fi>
The exact same mechanism was used for determining the operating channel
at the device that becomes the GO regardless of whether this was
triggered by reception of GO Negotiation Request of Response frame. Use
a shared function to avoid duplicated implementation and potential
differences in the future.
Signed-hostap: Jouni Malinen <j@w1.fi>
When no other user preference is specified, opt to use an operating
channel that allows HT40 operation. This way, if driver capabilities
and regulatory constraints allow, we might enjoy increased bandwidth.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
cfg80211 caches the scan results according the channel number. Due to
the 15 sec aging this might cause the user mode to see more than one
scan result with the same BSSID, e.g. - one scan result for the
P2P Device and one for the P2P GO (once it's enabled).
Fix this by updating the device entry only if the new peer entry is
newer than the one previously stored.
Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com>
Signed-off-by: Victor Goldenshtein <victorg@ti.com>
Signed-off-by: Igal Chernobelsky <igalc@ti.com>
Signed-hostap: Arik Nemtsov <arik@wizery.com>
Add some more functionality for BSS Transition Management:
- advertise support for BSS Transition Management in extended
capabilities element
- add hostapd.conf parameter bss_transition=1 for enabling support
for BSS Transition Management
- add "hostapd_cli disassoc_imminent <STA> <num TBTTs>" for sending
disassociation imminent notifications for testing purposes
- wpa_supplicant: trigger a new scan to find another BSS if the
current AP indicates disassociation imminent (TODO: the old AP needs
to be marked to use lower priority to avoid re-selecting it)
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd can run with different VIF when using nl80211. Events about MIC
failures have to be processed in context of the VIF which received it
and not in context of the primary VIF. Otherwise the station belonging
to this VIF may not be found in the primary VIF station hash and
therefore no countermeasures are started or the countermeasures are
started for the wrong VIF.
Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
This optional attribute may make it easier to bind together the
Access-Request and Accounting-Request messages. The accounting session
identifier is now generated when the STA associates instead of waiting
for the actual session to start after successfull authentication.
Signed-hostap: Jouni Malinen <j@w1.fi>
Basic support for the 60 GHz band. Neither P2P nor WPS are yet taken
care off. Allows to start AP with very simple config:
network={
ssid="test"
mode=2
frequency=60480
key_mgmt=NONE
}
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The config says that the default for ap_table_max_size is 255 and the
default for ap_table_expiration_time is 60. But the code doesn't reflect
the default values mentioned in the sample config file.
These variables completely disable the code for Overlapping Legacy BSS
Condition by default when they are not correctly initialized. WFA
certification requires this feature and therefore an AP would have
failed the certification process unless they were initialized manually
using the configuration file.
Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
WSC IE in Beacon and Probe Response frames should behave consistently
as far as the RF Bands attribute is concerned. Use the same dualband
condition for adding this into Probe Response frames since the value
is not really needed if the AP is not a dualband AP.
Signed-hostap: Jouni Malinen <j@w1.fi>
If separate hostapd processes are used for different RF bands, the
dualband parameter for WPS was not set correctly. Allow dualband
indication (mainly, addition of RF bands attribute for PBC session
overlap detection) also based on wps_rf_bands value (if set to "ag").
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows Probe Request frame processing to compare the configured
SSID to the SSID List element in addition to the SSID element.
Signed-hostap: Jouni Malinen <j@w1.fi>
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. Previously it was possible to
define CONFIG_IEEE80211V without CONFIG_WNM which would break the build.
In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and
WNM is a better term to use for this new functionality anyway.
Signed-hostap: Jouni Malinen <j@w1.fi>
These fields do not use AES keywrap. Instead, they are protected with
management frame protection (and not included if PMF is disabled).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Expiry can always trigger a deauthentication, but otherwise,
deauthentication should only happen when the *current* cache entry is
removed and not being replaced. It should not happen when the current
PMK just happens to match the PMK of the entry being removed, since
multiple entries can have the same PMK when OKC is used and these
entries are often removed at different times.
This fixes an issue where eviction of the oldest inactive entry due to
adding a newer entry to a full cache caused a deauthentication when the
entry being removed had the same PMK as the current entry.
Signed-hostap: Dan Williams <dcbw@redhat.com>
pmksa_cache_free_entry() takes care of updated the list head pointer
(pmksa->pmksa), so no need to do this change in the caller.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use the shared_secret pointer from RADIUS client implementation instead
of getting this from hostapd configuration data.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds support for multiple PSKs per station when using a RADIUS
authentication server to fetch the PSKs during MAC address
authentication step. This can be useful if multiple users share a
device but each user has his or her own private passphrase.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF
was negotiated for the connect (1 = optional in this BSS, 2 = required
in this BSS).
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, PMF (protected management frames, IEEE 802.11w) could be
enabled only with a per-network parameter (ieee80211w). The new global
parameter (pmf) can now be used to change the default behavior to be PMF
enabled (pmf=1) or required (pmf=2) for network blocks that do not
override this with the ieee80211w parameter.
Signed-hostap: Jouni Malinen <j@w1.fi>
We enable this feature for non-SME drivers as well if
they explicitly indicate need for it.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Add the configuration option vht_oper_centr_freq_seg1_idx
for the second segment of an 80+80 MHz channel and use it
when building the VHT operation IE.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
If netlink_init() fails on socket create or bind the cfg struct
provided as parameter is freed by netlink_init(). Callers of
netlink_init() also free this struct on their error paths leading
to double free.
Signed-hostap: Pontus Fuchs <pontus.fuchs@gmail.com>
This allows the AP to figure out whether a station is a HS 2.0 STA
during the association and access any information that the STA may have
included in this element.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Change the maximum retry limit from 10 to 120 to match the behavior
used with GO Negotiation Request frames when trying to start GO
Negotiation with a peer that does not acknowledge frames (e.g., due
to being in sleep or on another channel most of the time).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The GO may be in sleep when we send a PD Request frame to indicate that
we are about to join a running group. Previously, this frame was not
retried more than normal low level retries. This can result in the GO
not getting the frame especially in cases where concurrent multi-channel
operations or aggressive sleep schedule is used since most drivers do
not yet synchronize with the GO's NoA before association.
Increase the likelihood of the GO receiving the PD Request frame by
retransmitting it similarly to the PD-for-GO-Negotiation case. Start
the actual join operation only after these retries have failed to get
an acknowledgment from the GO to give the connection attempt a chance
to succeed if the driver implements better NoA synchronization for it.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_prov_disc_req() used the join parameter to figure out whether the PD
request was a user initiated or not. This does not cover all use cases
of PD, so add a separate parameter to allow caller to indicate whether
the user requested the operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
CONFIG_SQLITE=y option can now be used to allow the eap_user_file text
file to be replaced with a SQLite database
(eap_user_file=sqlite:/path/to/sqlite.db). hostapd.eap_user_sqlite
shows an example of how the database tables can be created for this
purpose. This commit does not yet include full functionality of the
text file format, but at least basic EAP-TTLS/MSCHAPv2 style
authentication mechanisms with plaintext passwords can be used for
tests.
Signed-hostap: Jouni Malinen <j@w1.fi>
The NL80211_CMD_TDLS_OPER command can be used as an event based on a
recent cfg80211 commit, so add code to map that to internal
wpa_supplicant event to request TDLS link setup/teardown.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 296a34f0c1 changed hostapd to
remove the internal STA entry at the beginning of TKIP countermeasures.
However, this did not take into account the case where this is triggered
by an EAPOL-Key error report from a station. In such a case, WPA
authenticator state machine may continue processing after having
processed the error report. This could result in use of freed memory.
Fix this by stopping WPA processing if the STA entry got removed.
Signed-hostap: Jouni Malinen <j@w1.fi>
Some deployed station implementations implement WPS incorrectly and
end up causing PBC session overlap issues by indicating active PBC
mode in a scan after the WPS provisioning step. Work around this by
ignoring active PBC indication in a Probe Request from a station that
completed PBC provisioning during the last five seconds.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commits 07783eaaa0 and
3da372fae8 removed the only users of the
disassociate() driver operation, so these driver wrapper functions can
also be removed now.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Change the nl80211 driver in wpa_supplicant to correctly handle
connecting to a new AP through cfg80211 without SME capability. As
before, the driver will disconnect from the previously associated AP,
but now we attempt to immediately connect to our intended AP. This
prevents us from blacklisting the AP we were trying to connect to
because of a semantic mismatch between cfg80211 and wpa_supplicant. The
disconnect/connect patch generates a local disconnect nl80211 event
which we discard because we're already correctly tracking the pending
association request.
In detail:
cfg80211 does not support connecting to a new BSS while already
connected to another BSS, if the underlying driver doesn't support
separate authenticate and associate commands. wpa_supplicant is written
to expect that this is a supported operation, except for a little error
handling that disconnects from the current BSS when roaming fails and
relies on autoconnect logic to reconnect later. However, this failure to
connect is incorrectly attributed to the new AP we attempted to
associate with, rather than a local condition in cfg80211.
The combined effect of these two conditions is that full-mac drivers
accessible through cfg80211 but without SME capability take a long time
to roam across BSS's because wpa_supplicant will:
1) Fail to associate for local reasons
2) Disconnect and return that the association request failed
3) Blacklist the association target (incorrectly)
4) Do a scan
5) Pick a less desirable AP to associate with
Signed-hostap: Christoper Wiley <wiley@chromium.org>
Commit deca6eff74 added a redundant call
to l2_packet_get_own_addr. Use the information we already have in
atheros_init.
Signed-hostap: Baruch Siach <baruch@tkos.co.il>
If identity round limit is reached, EAP-SIM/AKA session is terminated.
This needs to free the allocated message.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no point in the hapd_iface == NULL validate after this pointer
has been dereferences, so move the code dereferencing hapd_iface after
the check.
Signed-hostap: Jouni Malinen <j@w1.fi>
The UFD (USB flash drive) configuration method was deprecated in WSC
2.0. Since this is not known to be used, remove the UFD implementation
from hostapd and wpa_supplicant to allow the WPS implementation to be
cleaned up. This removes the now unused OOB operations and ctrl_iface
commands that had already been deprecated by the new NFC operations.
Signed-hostap: Jouni Malinen <j@w1.fi>
The PSK generation done by pbkdf2_sha1() is one of the longest CPU time
users according to our profiling from boot to GO started.
So I have reduced some steps.
I could boot a GO by this command sequence.
-------------
add_net
set_network 0 ssid '"DIRECT-XX"'
set_network 0 psk
'"123456789012345678901234567890123456789012345678901234567890123"'
set_network 0 proto RSN
set_network 0 key_mgmt WPA-PSK
set_network 0 pairwise CCMP
set_network 0 auth_alg OPEN
set_network 0 mode 3
set_network 0 disabled 2
p2p_group_add persistent=0 freq=2412
-------------
By this sequence, pbkdf2_sha1() was called three times and the function
calculates the same value each time. Reduce number of calls to
pbkdf2_sha1() from 3 to 1 by caching the previous result.
Signed-hostap: Masashi Honma <masashi.honma at gmail.com>
This function is now unused after the last couple of commits that
removed the last uses, so remove this to keep code simpler since all
places that disassociate, can use deauthentication instead.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Even though the standard currently describes disassociation to be used
for RSN element mismatch between Beacon/Probe Response frames and
EAPOL-Key msg 3/4, this is unnecessary difference from other cases that
deauthenticate. In addition, there is no point in leaving the 802.11
Authentication in place in this case. To keep things simpler, use
deauthentication here to get rid of the only use of
wpa_sm_disassociate().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If WPS Registrar tries to provision a WPA/WPA2-Personal network without
including a valid Network Key, the network block cannot be used to
connect to the network. Reject such credential without adding the
network block. This makes wpa_supplicant send WSC_NACK as a response to
the invalid Credential and stop the provisioning process immediately
rather than only after trying unsuccessfully to connect to the network.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new P2P_SET parameter disc_int can now be used to configure
discoverable interval for p2p_find operations. The format of the command
for setting the values is "P2P_SET disc_int <minDiscoverableInterval>
<maxDiscoverableInterval> <max TUs for discoverable interval>". The
first two parameters are given in units of 100 TUs (102.4 ms). The third
parameter can be used to further limit the interval into a specific TU
amount. If it is set to -1, no such additional limitation is enforced.
It should be noted that the P2P specification describes the random
Listen state interval to be in units of 100 TUs, so setting the max TU
value to anything else than -1 is not compliant with the specification
and should not be used in normal cases. The default parameters can be
set with "P2P_SET disc_int 1 3 -1".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The old WPS interface for using NFC has no known deployments and even
the binary libraries referenced here are not easily available anymore.
Since the new interface for using NFC with WPS covers the same
functionality, remove the old implementation to clean up WPS
implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
When WPS is used with NFC connection handover, the AP may indicate its
operating channel within the credential information. Use this
informatiom, if present, to speed up the scan process.
Signed-hostap: Jouni Malinen <j@w1.fi>
This commit adds new wpa_supplicant ctrl_iface commands to allow
external programs to go through NFC connection handover mechanism
with wpa_supplicant taking care of the WPS processing. This version
includes only the case where wpa_supplicant is operating as a
station/Enrollee.
Signed-hostap: Jouni Malinen <j@w1.fi>
The previous eapol_sm_notify_cached() implementation forced the port
to be authorized when receiving EAPOL-Key msg 1/4 that included a
matching PMKID in cases when PMKSA caching is used. This is too early
since the port should really be authorized only after the PTK has been
configured which is the case when PMKSA caching is not used.
Fix this by using the EAPOL supplicant PAE state machine to go through
the AUTHENTICATING and AUTHENTICATED states instead of forcing a jump
to AUTHENTICATED without performing full state machine steps. This can
be achieved simply by marking eapSuccess TRUE at least with the current
version of EAP and EAPOL state machines (the earlier commits in this
function seemed to indicate that this may have not been that easy in
the older versions due to the hacks needed here).
This addresses an issue with nl80211-based driver interface when the
driver depends on the STA Authorized flag being used to prevent
unprotected frames from being accepted (both TX and RX) prior to PTK
configuration.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If the driver indicates support for multi-channel concurrency, change
the p2p_connect behavior to not force the current operating channel, but
instead, just mark it as preferred for GO Negotiation. This change
applies only for the case when the freq parameter is not used with the
p2p_connect command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There was an issue with EAPOL frame exchanges in a multi-BSS
configuration when a station switches between the BSSes controlled by
the same hostapd process. When processing the EAPOL packet, the array of
virtual APs (iface->bss) is searched looking for the station that sent
the packet in order to identify which signal context should be used
during processing. The first match of the station in its list gets used
in the ieee802_1x_receive() function. However, even after a station has
disassociated, it remains in the list of stations pending an inactivity
timeout. This leads to the wrong hapd context (one where the station had
already disassociated) being used in some cases (if the current/active
bss entry appears in the list after one where the station has just
disassociated from) for EAPOL processing.
Fix this by checking the WLAN_STA_ASSOC flag before assuming the right
hapd context was found for the given station.
Signed-hostap: David Bird <dbird@powercloudsystems.com>
intended-for: hostap-1
This uses the recent cfg80211 changes to allow SAE authentication to be
implemented with the nl80211 driver interface.
Signed-hostap: Jouni Malinen <j@w1.fi>
P2P includes two use cases where one of the devices is going to start a
group and likely change channels immediately after processing a frame.
This operation may be fast enough to make the device leave the current
channel before the peer has completed layer 2 retransmission of the
frame in case the ctrl::ack frame was lost. This can result in the peer
not getting TX status success notification.
For GO Negotiation Confirm frame, p2p_go_neg_conf_cb() has a workaround
that ignores the TX status failure and will continue with the group
formation with the assumption that the peer actually received the frame
even though we did not receive ctrl::ack. For Invitation Response frame
to re-invoke a persistent group, no such workaround is used in
p2p_invitation_resp_cb(). Consequently, TX status failure due to lost
ctrl::ack frame results in one of the peers not starting the group.
Increase the likelihood of layer 2 retransmission getting acknowledged
and ctrl::ack being received by waiting a short duration after having
processed the GO Negotiation Confirm and Invitation Response frames for
the re-invocation case. For the former, use 20 ms wait since this case
has been worked around in deployed devices. For the latter, use 50 ms
wait to get even higher likelihood of getting ctrl::ack through since
deployed devices (and the current wpa_supplicant implementation) do not
have a workaround to ignore TX status failure.
20 ms is long enough to include at least couple of retries and that
should increase likelihood of getting ctrl::ack through quite a bit. The
longer 50 ms wait is likely to include full set of layer 2 retries.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 458cb30191 broke LEAP since it
rejects EAP-Success packet that is used within LEAP and this frame does
not have a payload. Fix LEAP by relaxing the generic EAP packet
validation if LEAP has been negotiated.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, WPS Registrar allowed multiple wildcard PINs to be
configured. This can get confusing since these PINs get assigned to any
Enrollee that does not have a specific PIN and as such, cannot really be
used with different PIN values in reasonable ways. To avoid confusion
with multiple enabled PINs, invalidate any previously configured
wildcard PIN whenever adding a new one.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
While the existing code already addresses TLS Message Length validation
for both EAP-TLS peer and server side, this adds explicit checks and
rejection of invalid messages in the functions handling reassembly. This
does not change externally observable behavior in case of EAP server.
For EAP peer, this starts rejecting invalid messages instead of
addressing them by reallocating the buffer (i.e., ignoring TLS Message
Length in practice).
Signed-hostap: Jouni Malinen <j@w1.fi>
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
Message Length value properly and could end up trying to store more
information into the message buffer than the allocated size if the first
fragment is longer than the indicated size. This could result in hostapd
process terminating in wpabuf length validation. Fix this by rejecting
messages that have invalid TLS Message Length value.
This would affect cases that use the internal EAP authentication server
in hostapd either directly with IEEE 802.1X or when using hostapd as a
RADIUS authentication server and when receiving an incorrectly
constructed EAP-TLS message. Cases where hostapd uses an external
authentication are not affected.
Thanks to Timo Warns for finding and reporting this issue.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
This replaces the previously used bogus test data in SAE messages with
the first real field. The actual SAE authentication mechanism is still
missing and the Scaler, Element, and Confirm fields are not included.
Signed-hostap: Jouni Malinen <j@w1.fi>
Channel frequency for 60 GHz band do not fit into 'short int', as was
used. Expand it to 'int'
Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
These values are used with WAPI and CCX and reserving the definitions
here reduces the number of merge conflicts with repositories that
include these functions.
Signed-hostap: Jouni Malinen <j@w1.fi>
This introduces new AKM for SAE and FT-SAE and adds the initial parts
for going through the SAE Authentication frame exchange. The actual SAE
algorithm and new fields in Authentication frames are not yet included
in this commit and will be added separately. This version is able to
complete a dummy authentication with the correct authentication
algorithm and transaction values to allow cfg80211/mac80211 drivers to
be tested (all the missing parts can be handled with
hostapd/wpa_supplicant changes).
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows hostapd_cli and wpa_cli all_sta command to be used to
display connected time (in seconds) of each station in AP mode.
Signed-hostap: Raja Mani <rmani@qca.qualcomm.com>
Commit 6b56cc2d97 added clearing of the
p2p->pending_action_state too early in this function. This should not
be done if we are going to silently ignore the frame due to dialog
token mismatch. Fix this by moving the code around to check the dialog
token first.
This issue resulted in PD Request retries getting stopped too early if
the peer is sending out an unexpected PD Response (e.g., because of it
being excessively slow with the response so that the response is
received only after the next TX attempt with a new dialog token).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Make Invitation process for re-invoking a persistent group behave
similarly to GO Negotiation as far as channel negotiation is concerned.
The Operating Channel value (if present) is used as a starting point if
the local device does not have a forced operating channel (e.g., due to
concurrent use). Channel lists from devices are then compared to check
that the selected channel is in the intersection. If not, channel is
selected based on GO Negotiation channel rules (best channel preferences
etc.). Invitation Request is rejected if no common channel can be
selected.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
As long as WLAN_STA_ASSOC_REQ_OK is set in sta->flags, Class 3 frames do
not trigger a disassoc/deauth. If it is still set even after the assoc
response tx has already failed, it may take somewhat longer for clients
to realize that the connection wasn't fully established.
Signed-hostap: Felix Fietkau <nbd@openwrt.org>
This avoids extra latency caused by establishing an aggregation session
and makes the initial connection attempt more reliable
Signed-hostap: Felix Fietkau <nbd@openwrt.org>
This patch fixes an issue where removing a WDS VLAN interface also
removed the main AP interface from the same bridge.
Signed-hostap: Felix Fietkau <nbd@openwrt.org>
This is a generic AES CCM implementation that can be used for other
purposes than just implementing CCMP, so it fits better in a separate
file in src/crypto.
Signed-hostap: Jouni Malinen <j@w1.fi>
Now that the internal AES implementation supports 256-bit keys, enable
use of the TLS cipher suites that use AES-256 regardless of which crypto
implementation is used.
Signed-hostap: Jouni Malinen <j@w1.fi>
AES uses the same 128-bit block size with 128, 192, 256 bit keys, so use
the fixed block size definition instead of trying to dynamically set the
block size based on key length. This fixes use of 192-bit and 256-bit
AES keys with crypto_cipher_*() API when using the internal AES
implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is otherwise identical to aes_gcm_ae() but does not use the
plain/crypt pointers since no data is encrypted.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds 192-bit and 256-bit key support to the internal AES
implementation and extends the AES-GCM functions to accept key length to
enable longer AES key use.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is a generic AES GCM and GMAC implementation that can be used for
other purposes than just implementing GCMP, so it fits better in a
separate file in src/crypto.
Signed-hostap: Jouni Malinen <j@w1.fi>
The conf doesn't contain any basic rates in some cases. Most notably,
when starting a P2P GO in 5 GHz. Use the iface rates which are
initialized in hostapd_prepare_rates() to the conf rates or set to
default values if no conf values exist. This fixes a bug introduced in
commit e5693c4775.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
Commit e5693c4775 added a copy of the
determined basic rate set into struct hostapd_iface, but did not
actually copy the terminating -1 value. This could be problematic if
something were to actually try to use this list since would be no way to
know what is the last entry in the list. Fix this by copying the
terminating value.
Signed-hostap: Jouni Malinen <j@w1.fi>
This driver_op can now be used in station mode, too, to fetch
information about the connection with the AP, so allow this to be used
even if wpa_supplicant is built without AP mode support.
Signed-hostap: Jouni Malinen <j@w1.fi>
The group matching should be done by comparing the P2P Interface Address
(which the group_bssid here is) to the group's BSSID and not the group
ID (which uses P2P Device Address and would have also needed the SSID).
Though, it should be noted that this case cannot really happen since a
GO in an active group would never be invited to join another group in
its GO role (i.e., if it receives an Invitation Request, it will reply
in P2P Device role). As such, this fix does not really change any
observable behavior, but anyway, it is good to keep the implementation
here consistent with the Invitation Request case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When building the Invitation Request for WFD use cases, match the BSSID,
i.e., P2P Interface Address, of the group on the GO to avoid using
information from another group should the device be operating multiple
concurrent groups as GO.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.
Signed-hostap: Jouni Malinen <j@w1.fi>
The EAP-SIM/AKA code is already validating the prefix and the following
lookup would not find matches if the prefix is incorrect, so there is no
need for the extra checks here.
Signed-hostap: Jouni Malinen <j@w1.fi>
If EAP-Response/Identity includes a known pseudonym or re-auth username,
skip the AKA/Identity exchange since we already know the permanent
username of the peer.
Signed-hostap: Jouni Malinen <j@w1.fi>
RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after
Client-Error and Notification messages. Convert the direct jumps to the
FAILURE state with a notification round before sending out EAP-Failure.
Signed-hostap: Jouni Malinen <j@w1.fi>
The AT_NONCE_S value needs to be used in AT_MAC calculation for
SIM/Re-authentication response even if re-authentication is rejected
with AT_COUNTER_TOO_SMALL.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If the peer rejects re-authentication with AT_COUNTER_TOO_SMALL, fall
back to full authentication to allow the authentication session to be
completed.
Signed-hostap: Jouni Malinen <j@w1.fi>
These fields are used only as the search key, so the value is already
known and does not need to be copied from the database.
Signed-hostap: Jouni Malinen <j@w1.fi>
Store permanent username (i.e., including prefix character) instead of
IMSI in the SQLite DB. Convert the string to a string since the EAP-AKA
prefix can start with zero. This cleans up the field names since the
value was already with the prefix included instead of just IMSI. In
addition, this explicitly removes some theoretical cases where the
different identity types could have been mixed.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since the EAP-SIM/AKA identities are ASCII strings, there is no need to
use more complex way for storing and passing them. In addition, be more
strict about enforcing username (i.e., no realm part) to be used in the
EAP-SIM DB API. Similarly, require specific username type instead of any
of the types to be used as the key in the pseudonym and reauth
operations. This allows simpler lookup operations to be used.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since we always request an identity in the request, the response
has to include AT_IDENTITY. This allows the AKA/Identity response
processing to be simplified a bit.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no need to use eap_sim_db_identity_known() here since a new
AKA/Identity message is built only if the identity in the previous
response was not recognized. The first round is always used to request
AT_ANY_ID_REQ to meet the RFC 4187 recommendation on EAP method specific
identity request.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since we always request an identity in the request, the response
has to include AT_IDENTITY. This allows the SIM/Start response
processing to be simplified a bit.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no need to use eap_sim_db_identity_known() here since a new
SIM/Start message is built only if the identity in the previous response
was not recognized. The first round will always request AT_ANY_ID_REQ to
meet the RFC 4186 recommendation on EAP method specific identity request
being used.
Signed-hostap: Jouni Malinen <j@w1.fi>
The reauth_id prefix can be used to determine which AKA version is used,
so there is no need to store the aka_prime information in a separate
field.
Signed-hostap: Jouni Malinen <j@w1.fi>
If hostapd is built and configured to use SQLite database, store
EAP-SIM/AKA reauth data into the database to allow this to persist
over hostapd restarts.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd to use an SQLite database for storing EAP-SIM/AKA
pseudonyms over process restarts. CONFIG_SQLITE=y build option adds
support for this and the SQLite database file is specified in eap_sib_db
configuration parameter.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Try to share most of the cipher information like key and RSC lengths and
suite selector conversions, etc. in wpa_common.c to avoid having similar
code throughout the WPA implementation for handling cipher specific
behavior.
Signed-hostap: Jouni Malinen <j@w1.fi>
wpa_cli p2p_serv_disc_req command can now be used to request WSD
request to be sent to specified or all peers who support WSD.
format: wifi-display <list of roles> <list of subelements>
examples:
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source] 2,3,4,5
p2p_serv_disc_req 02:01:02:03:04:05 wifi-display [pri-sink] 3
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [sec-source] 2
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source+sink] 2,3,4,5
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source][pri-sink] 2,3,4,5
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit adds control interface commands and internal storage of
Wi-Fi Display related configuration. In addition, WFD IE is now added
to various P2P frames, Probe Request/Response, and (Re)Association
Request/Response frames. WFD subelements from peers are stored in the
P2P peer table.
Following control interface commands are now available:
SET wifi_display <0/1>
GET wifi_display
WFD_SUBELEM_SET <subelem> [hexdump of length+body]
WFD_SUBELEM_GET <subelem>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows both hostapd and wpa_supplicant to be used to derive and
configure keys for GCMP. This is quite similar to CCMP key
configuration, but a different cipher suite and somewhat different rules
are used in cipher selection. It should be noted that GCMP is not
included in default parameters at least for now, so explicit
pairwise/group configuration is needed to enable it. This may change in
the future to allow GCMP to be selected automatically in cases where
CCMP could have been used.
This commit does not included changes to WPS or P2P to allow GCMP to be
used.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use the NL80211_IFACE_COMB_NUM_CHANNELS value > 1 as a trigger for
enabling support for P2P multichannel channel concurrency. This does not
handle all possible details of enforcing driver capabilities, but it is
a good first step for allowing nl80211 drivers to enable multichannel
concurrency.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new gas_request and gas_response_get commands can be used to request
arbitary GAS queries to be performed. These can be used with ANQP or
with other (including vendor specific) advertisement protocols.
gas_request <BSSID> <AdvProtoID> [Query]
gas_response_get <addr> <dialog token> [offset,length]
For example, ANQP query for Capability list in interactive wpa_cli
session:
> gas_request 02:00:00:00:01:00 00 000102000101
<3>GAS-RESPONSE-INFO addr=02:00:00:00:01:00 dialog_token=0
status_code=0 resp_len=32
> gas_response_get 02:00:00:00:01:00 00
01011c00010102010501070108010c01dddd0c00506f9a110200020304050607
> gas_response_get 02:00:00:00:01:00 00 0,10
01011c00010102010501
> gas_response_get 02:00:00:00:01:00 00 10,10
070108010c01dddd0c00
> gas_response_get 02:00:00:00:01:00 00 20,10
506f9a11020002030405
> gas_response_get 02:00:00:00:01:00 00 30,2
0607
It should be noted that the maximum length of the response buffer is
currently 4096 bytes which allows about 2000 bytes of the response data
to be fetched with a single gas_response_get command. If the response is
longer, it can be fetched in pieces as shown in the example above.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new vendor_elements parameter in hostapd.conf can be used to add new
vendor specific element(s) into Beacon and Probe Response frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Maintain state of WPS APs during iteration to find the correct AP for
WPS PIN operation when no specific BSSID is specified. This information
can be used for optimizing the order in which the APs are tried. This
commit is only adding the collection of the information and more
detailed debug information to make debug logs more helpful in figuring
out how the AP selection order could be improved.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If 4-way handshake fails due to likely PSK failure or if EAP
authentication fails, disable the network block temporarily. Use longer
duration if multiple consecutive failures are seen.
Signed-hostap: Jouni Malinen <j@w1.fi>
Replace the Venue Name specific data structure and parser with a
generic mechanism that can be used with other fields that use the
same format.
Signed-hostap: Jouni Malinen <j@w1.fi>
The anqp_3gpp_cell_net parameter can be used to configure hostapd
to advertise 3GPP Cellular Network ANQP information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
These function pointers are going to be the same for each interface so
there is no need to keep them in struct hostapd_iface. Moving them to
struct hapd_interfaces makes it easier to add interfaces at run time.
Signed-hostap: Jouni Malinen <j@w1.fi>
The driver_test.c data structures had been changed to use a separate
BSS structure, but the P2P commands were not using the new design.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 488f4a7108 configures a timer
before p2p_send_action(). This may result in the timer getting fired
earlier to the off channel transmission of the frame and thus another PD
request being retransmitted. This shall lead to the new PD request with
an incremented dialog token being transmitted. For the cases where the
later PD request might not be transmitted as the host driver is busy
transmitting the earlier frame, the received PD response could be
dropped for the dialog token mismatch. Remove the timer configuration to
avoid this behavior.
Signed-hostap: Sunil Dutt Undekari <duttus@codeaurora.org>
intended-for: hostap-1
Previously, all station mode scan operations were either skipped or
delayed while any P2P operation was in progress. To make concurrent
operations easier to use, reduce this limitation by allowing a scan
operation to be completed in the middle of a p2p_find. In addition,
allow station mode association to be completed. When the station mode
operation is run to its completion (scan results not acted on,
connection to an AP completed, connection failed), resume the p2p_find
operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A new optional delay=<search delay in milliseconds> parameter can now be
used with p2p_find command to request an extra delay between search
iterations. This can be used, e.g., to make p2p_find friendlier to
concurrent operations by avoiding it from taking 100% of the radio
resources.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.
The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.
Signed-hostap: Jouni Malinen <j@w1.fi>
The previous implementation was able to re-open the connection to an
external program (e.g., hlr_auc_gw) when needed, but required the
connection to be available during startup. Extend this to allow the
initial failure, so that hlr_auc_gw can be started after hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
Explicitly validate seed_len to skip memset call with zero length of
copied data at the end of the buffer. This is not really needed, but it
makes the code a bit easier for static analyzers. This is identical to
the commit a9ea17491a but for the OpenSSL
version of the function.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit bfc62fe133 moved the code that
using crypto/random.h, but forgot to remove the inclusion of that header
file.
Signed-hostap: Jouni Malinen <j@w1.fi>
All the TNC base64 operations are within tncs.c, so there is no point in
including base64.h into eap_server_tnc.c.
Signed-hostap: Jouni Malinen <j@w1.fi>
All the other places processing EVENT_RX_MGMT events assume that the
event data is included, so not much point in verifying that here.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use an explicit pointer to the beginning of the buffer and a flag
to indicate whether that is to external data or not. This avoids
a branch whenever accessing the buffer and helps some static
analyzers to understand the wpabuf memory uses better.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the os_malloc() call for the User-Name value fails in EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling this cleanly as an internal error
and reject the authentication attempt.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Commit c9e08af24f removed the only user of
the special case MD5 use that would be allowed in FIPS mode in
tls_prf_sha1_md5(). Commit 271dbf1594
removed the file from the build, but left the implementation into the
repository. To clean things up even further, remove this functionality
completely since it is not expected to be needed for FIPS mode anymore.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows User-Name and Chargeable-User-Identity attributes to be
passed from Access-Accept into Accounting messages even when IEEE 802.1X
is not used.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
The mechanism to figure out key block size based on ssl->read_hash
does not seem to work with OpenSSL 1.0.1, so add an alternative
mechanism to figure out the NAC key size that seems to work at
least with the current OpenSSL 1.0.1 releases.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).
Signed-hostap: Jouni Malinen <j@w1.fi>
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to implement workaround for authentication servers that
do not handle TLS extensions in ClientHello properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
The PKCS5_PBKDF2_HMAC_SHA1() function in OpenSSL 0.9.7 did not mark
the salt parameter const even though it was not modified. Hide the
compiler warning with a type cast when an old OpenSSL version is
used.
Signed-hostap: Jouni Malinen <j@w1.fi>
When CONFIG_FIPS=y is used, do not include MD5 in the build and disable
EAPOL-Key frames that use MD5 (WPA/TKIP and dynamic WEP with IEEE
802.1X).
Signed-hostap: Jouni Malinen <j@w1.fi>
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use SSL_export_keying_material() if possible, i.e., if OpenSSL is
version 1.0.1 or newer and if client random value is used first. This
allows MSK derivation with TLS-based EAP methods (apart from EAP-FAST)
without exporting the master key from OpenSSL.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, CONFIG_EAP_MSCHAPV2=y was assumed to be set for
CONFIG_EAP_TTLS=y. Avoid this dependency by making including the
MSCHAPv2 parts in EAP-TTLS conditionally.
Signed-hostap: Jouni Malinen <j@w1.fi>
In theory, the SHA1 operation may fail (e.g., if SHA1 becomes disallowed
in some security policies), so better check the return code from
challenge_hash().
Signed-hostap: Jouni Malinen <j@w1.fi>
Do not leave the tls_global context allocated if the global OpenSSL
initialization fails. This was possible in case of FIPS builds if
the FIPS mode cannot be initialized.
Signed-hostap: Jouni Malinen <j@w1.fi>
Increase GO config timeout if HT40 is used since it takes some time
to scan channels for coex purposes before the BSS can be started.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add optional "ht40" argument for p2p_group_add command to enable 40 MHz
in 5GHz band. This configures the secondary channel, when HT support is
enabled and if the HW supports 40 MHz channel width.
Signed-hostap: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
This function can be used as a wrapper for os_realloc(ptr, nmemb * size)
when a reallocation is used for an array. The main benefit over
os_realloc() is in having an extra check to catch integer overflows in
multiplication. This is similar to the os_zalloc() to os_calloc() move.
Signed-hostap: Jouni Malinen <j@w1.fi>
This function can be used as a wrapper for os_zalloc(nmemb * size) when
an allocation is used for an array. The main benefit over os_zalloc() is
in having an extra check to catch integer overflows in multiplication.
Signed-hostap: Jouni Malinen <j@w1.fi>
Multiple memcmps of nonces were actually comparing only the first byte
instead of all 16 bytes. [Bug 462]
Signed-hostap: Eyal Shapira <eyal@wizery.com>
intended-for: hostap-1
There is no need to mandate admission control (ACM=1) by default, so
clear that flag in the case the configuration file does not specify
wmm_ac_{vo,vi}_acm value. This gets closer to the values mentioned
in the sample hostapd.conf file and reduces the need to specify WMM
parameters in the configuration file for most common use cases.
Signed-hostap: Jouni Malinen <j@w1.fi>
p2p_set_timeout() calls in GO Neg Req/Resp TX callbacks used timeout of
100 ms which is the value given in the P2P specification for GO
Negotiation, but this was actually shorter than the
wait-for-offchannel-TX value (200 ms) used for the driver call. In
addition, it looks like some devices (e.g., Galaxy Nexus with JB image)
can take longer time to reply to GO Negotiation Response (somewhere
between 200 and 250 ms has been observed).
Increase the wait-for-GO-Neg-Resp timeout from 100 ms to 200 ms if GO
Negotiation Request frame was acknowledged (this matches with the
offchannel wait timeout that used previously). The no-ack case is left
at 100 ms since we use GO Negotiation Request frame also to discover
whether the peer is on its Listen channel.
Increase the wait-for-GO-Neg-Conf timeout from 100 ms to 250 ms (and
increase the offchannel wait timeout to matching 250 ms) as a workaround
for devices that take over 200 ms to reply to GO Negotiation Response.
Signed-hostap: Jouni Malinen <j@w1.fi>
The commit b5fd8b1833
"VHT: Do not allow use of TKIP with VHT" introduced
an off-by-one regression: a WPA/RSN 11n AP would no
longer accept stations to connect, instead it would
produce a bogus error message:
... Station tried to use TKIP with HT association.
Signed-hostapd: Christian Lamparter <chunkeey@googlemail.com>
cur_pmksa was left to NULL during the initial association. This can
result in unexpected behavior, e.g., in expiring PMKSA cache entries
since the current entry is not locked in that case. Fix this by updated
cur_pmksa when adding the initial PMKSA entry during msg 1/4 processing.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If the PMKSA cache is full (i.e., 32 candidates have been seen in scan
results and have not yet expired) then any additional entries can
potentially evict the current/active entry (if it is the oldest entry),
which triggers a pointless local deauthentication. The supplicant
shouldn't replace the current/active entry if it is still valid, but
instead the oldest entry that is *not* the current/active one.
Signed-hostap: Dan Williams <dcbw@redhat.com>
intended-for: hostap-1
When using multiple VLANs, GKeyDoneStations counter is not updated
properly since wpa_auth_for_each_sta() call in wpa_group_setkeys() ends
up iterating through all STAs and not just the STAs of a specific
wpa_group (VLAN). Consequently, GTK rekeying gets initialized multiple
times if more than a single group state machine exists. Fix this by
iterating only through the STAs in the specific wpa_group.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
intended-for: hostap-1
CONFIG_VLAN_NETLINK=y build option can now be used to replace the
ioctl()-based interface for creating and removing VLAN interfaces
with netlink-based interface.
Signed-hostap: M. Braun <michael-dev@fami-braun.de>
Commit a11241fa11 removed the 802.11b rate
enabling/disabling code from wpa_driver_nl80211_set_mode() and while
doing that, removed the only place where drv->disabled_11b_rates was
set. Fix this by updating the flag in nl80211_disable_11b_rates(). In
addition, re-enable the 802.11b rates when changing to non-P2P mode.
Signed-hostap: Jouni Malinen <j@w1.fi>
Right now 11b rates are masked out while creating a P2P interface,
but this is always failing as the interface is down. Most drivers
allow to configure rates only when the interface is UP and running.
So let us disable 11b rates when interface type is changed into a
P2P type and it is UP and running.
Signed-hostap: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
These validation steps are already done in the EAP parsing code and in
the EAP methods, but the additional check is defensive programming and
can make the validation of received EAP messages more easier to
understand.
Signed-hostap: Jouni Malinen <j@w1.fi>
These checks would not really be needed since eapol_sm_rx_eapol()
validates the length fields. Anyway, these makes it more obvious to
anyone reviewing the code that there are no integer underflow issues in
processKey().
Signed-hostap: Jouni Malinen <j@w1.fi>
These checks would not really be needed since radius_msg_parse()
validates the attribute header fields. Anyway, these makes it more
obvious to anyone reviewing the code that there are no integer underflow
issues in the functions processing RADIUS attributes.
Signed-hostap: Jouni Malinen <j@w1.fi>
This simplifies the implementation by using the buffer type to which the
returned data will be converted anyway. This avoids one memory
allocation for each processed RADIUS message.
Signed-hostap: Jouni Malinen <j@w1.fi>
Couple of functions did not verify that nla_put_nested() succeeded. Fix
these by checking the return value and handling error cases cleanly.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new ssid2 parameter can be used as an alternative mechanism for
configuring SSID for hostapd. It uses the same formats that
wpa_supplicant uses in the configuration file for strings.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of masking out non-ASCII characters with underscores, espace the
SSID data using rules compatible with printf.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to build ASCII strings from binary data that is
more likely to use ASCII (i.e., text format is more natural
option than hexdump, but there is possibility of some non-ASCII
characters).
Signed-hostap: Jouni Malinen <j@w1.fi>
When CONFIG_CTRL_IFACE=udp-remote is used, print user frendly PS in
wpa_cli. E.g.,
localhost/wlan0>
192.168.1.1/p2p-wlan-0-0>
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
wpa_cli can be used now as a client for remote access to ctrl_interface
of wpa_supplicant when UDP and remote options are used.
You can simply run:
wpa_cli -i <hostname>:[port]
wpa_cli -i <IP>:[port]
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Add new option for ctrl iface: CONFIG_CTRL_IFACE=udp-remote. This
enables remote access to control interface via UDP port(s). This should
be used for testing purpose only since there is no authentication or
access control on the commands.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This bit is set in the code path that handles keys and certs from places
other than OpenSSL authentication engines. Setting this bit causes
authentication to fail when the server provides certificates that don't
match the client certificate authority.
Commit 05ab9712b9 added support for
fetching WPA PSK from an external RADIUS server and changed
hostapd_wpa_auth_get_psk() to always return the RADIUS supplied PSK (if
set) and ignore the prev_psk parameter for iteration. Fix this by
appending the RADIUS supplied PSK to the list iterated by
hostapd_get_psk and thus returning NULL when prev_psk == sta->psk
(RADIUS).
Signed-hostap: M. Braun <michael-dev@fami-braun.de>
This allows the password parameter for EAP methods to be fetched
from an external storage.
Following example can be used for developer testing:
ext_password_backend=test:pw1=password|pw2=testing
network={
key_mgmt=WPA-EAP
eap=TTLS
identity="user"
password=ext:pw1
ca_cert="ca.pem"
phase2="auth=PAP"
}
Signed-hostap: Jouni Malinen <j@w1.fi>
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows the SA Query mechanism in hostapd to be used with drivers
that implement authentication and association MLME/SME.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
disable_dgaf=1 in hostapd.conf can now be used to disable downstream
group-addressed forwarding (DGAF). In this configuration, a unique
GTK (and IGTK) is provided to each STA in the BSS to make sure the
keys do not match and no STA can forge group-addressed frames.
An additional mechanism in the AP needs to be provided to handle some
group-addressed frames, e.g., by converting DHCP packets to unicast
IEEE 802.11 frames regardless of their destination IP address and by
providing Proxy ARP functionality.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Allow the user to configure an RSSI threshold in dBm below which the
nl80211 driver won't report scan results. Currently only supported
during scheduled (PNO) scans.
Signed-off-by: Thomas Pedersen <c_tpeder@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 6b56cc2d97 added retries of
provision discovery request frames in IDLE state. However, it did not
make the p2p_find case behave consistently with the new limitied retry
behavior. This can result in way too many and frequent PD retries. Fix
this by extending the previous commit to address PD retries and maximum
retry limit consistently regardless of whether p2p_find is running.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Commit 1b487b8b1e added CH_SWITCH
event for nl80211, but ended up using hostapd_hw_get_channel()
regardless of build configuration for driver interfaces. This
function is not always available, so make its use conditional
on NEED_AP_MLME.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit d9cc4646eb added
crypto_hash_{init,update,finish}() wrappers for OpenSSL, but it
assumed the current HMAC API in OpenSSL. This was changed in 0.9.9
to return error codes from the functions while older versions used
void functions. Add support for the older versions, too.
Signed-hostap: Jouni Malinen <j@w1.fi>
This patch adds a check of the return value of wpabuf_dup() in a large
Service Discovery Response.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
This updates the license notification to use only the BSD license. The
changes were acknowledged by email (Gunter Burchardt, tmisu@gmx.de,
Mon, 02 Jul 2012 17:54:28 +0200).
Signed-hostap: Jouni Malinen <j@w1.fi>
This updates the license notification to use only the BSD license. The
changes were acknowledged by email (Jouke Witteveen
<j.witteveen@gmail.com>, Mon, 2 Jul 2012 11:38:34 +0200).
Signed-hostap: Jouni Malinen <j@w1.fi>
This functionality could be shared for other commands, too, so move
it to a common function. In addition, implement the validation in a
bit more strict way to avoid accepting values like '-123' as a valid
PIN.
Signed-hostap: Jouni Malinen <j@w1.fi>
There are separate states for these, so we can't really get into this
situation unless somebody tries to do multiple things at the same
time. p2p_connect stops find and CONNECT state is used to probe the peer
on its Listen channel with GO Negotiation Request frames. Similarly,
p2p_invite() stops find and INVITE state is used to probe the peer on
its Listen channel with Invitation Request frames. The older mechanism
of using Search state functionality to find the peer can be removed.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This updates these files to use the license notification that uses only
the BSD license. The changes were acknowledged by email (Sam Leffler
<sam@errno.com>, Sat, 30 Jun 2012 07:57:53 -0700).
Signed-hostap: Jouni Malinen <j@w1.fi>
At least some error paths (e.g., hitting the limit on hunt-and-peck
iterations) could have resulted in double-freeing of some memory
allocations. Avoid this by setting the pointers to NULL after they have
been freed instead of trying to free the data structure in a location
where some external references cannot be cleared. [Bug 453]
Signed-hostap: Jouni Malinen <j@w1.fi>
The previously used limit (10) is too small for practical purposes since
it can result in about 1 out of 1000 authentication attempts failing.
Increase the limit to 30 to avoid such issues. [Bug 453]
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
os_random() may not be seeded properly, so use stronger mechanism for
generating the password id for NFC password tokens.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new hostapd ctrl_iface command WPS_NFC_TOKEN can now be used to
manage AP-as-Enrollee operations with NFC password token. WPS/NDEF
parameters to this command can be used to generate a new NFC password
token. enable/disable parameters can be used to enable/disable use of
NFC password token (instead of AP PIN) for external Registrars.
A preconfigured NFS password token can be used by providing its
parameters with new hostapd.conf fields wps_nfc_dev_pw_id,
wps_nfc_dh_pubkey, wps_nfc_dh_privkey, and wps_nfc_dev_pw. This use
will also depend on WPS_NFC_TOKEN enable/disable commands, i.e., the
configured NFS password token is disabled by default.
Signed-hostap: Jouni Malinen <j@w1.fi>
The AP PIN on wps_reg command can now be replaced with special value
"nfc-pw" to use device password from a NFC password token from the AP.
Signed-hostap: Jouni Malinen <j@w1.fi>
WPS_ER_NFC_CONFIG_TOKEN command can now be used to build a NFC
configuration token based on AP Settings learnt with WPS_ER_LEARN
or set with WPS_ER_CONFIG.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new wpa_supplicant ctrl_iface command WPS_NFC_TAG_READ can now be
used to process NFC tags read by external programs to initiate
wpa_supplicant to use NFC Configuration Token to create a new network.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new hostapd ctrl_iface command WPS_NFC_CONFIG_TOKEN can now be used
to fetch payload for an NFC configuration token so that an external
program can be used to write this on an NFC tag.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds a cleaner mechanism for handling NFC Password Tokens in the
WPS Registrar. There could be more than one active NFC Password Token in
use and as such, a list of tokens needs to be maintained. The old
WPS_OOB interface is still using the old mechanism that supports only a
single active NFC Password Token.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd ctrl_iface can now be used to deliver payload from read
operation of an NFC tag. This allows operations without having to have
low-level NFC code within hostapd. For now, the new wps_nfc_tag_read
command can be used with NFC password tokens for the case where the AP
has an NFC device that is used to read an NFC tag from the station
Enrollee.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of requiring low-level access to an NFC device and synchronous
operations, the new WPS_NFC_TOKEN and WPS_NFC ctrl_iface commands can be
used to build a NFC password token and initiate WPS protocol run using
that token (or pre-configured values) as separate commands. The
WPS_NFC_TOKEN output can be written to a NFC tag using an external
program, i.e., wpa_supplicant does not need to have low-level code for
NFC operations for this.
Signed-hostap: Jouni Malinen <j@w1.fi>
The OOB Device Password is passed in as a hexdump of the real Device
Password (16..32 octets of arbitrary binary data). The hexdump needs to
be converted to binary form before passing it for WPS processing.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, only the maximum length 32 octets for OOB device password
was accepted. Since the specification allows a shorter password to be
used with limited OOB mechanism (e.g., small NFC tag), we should accept
lengths 16..32.
Signed-hostap: Jouni Malinen <j@w1.fi>
The earlier WPS 2.0 changes did not increase the wpabuf size when
adding a new attribute to the NFC password token. This could result
in aborting the application on wpabuf overflow if NFC out-of-band
mechanism is used with WPS 2.0 enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Some drivers may independently decide to switch channels. Handle this by
updating the hostapd and wpa_supplicant AP and GO configuration.
Signed-hostap: Thomas Pedersen <c_tpeder@qca.qualcomm.com>
Previously, the STA entry was removed only from the driver and the STA
entry within hostapd was just marked disassociated. However, this left
the WPA authenticator state machine with an entry and the session was
not terminated properly. In addition, the STA entry could have remaining
indefinitely if the STA did not reconnect after TKIP countermeasures.
Fix this by removing the STA entry from hostapd instead of just leaving
it disassociated.
Signed-hostap: Jouni Malinen <j@w1.fi>
In AP which supports WPSv2 with only virtual push button, when PBC is
called, the WSC IE should include Selected Registrar Configuration
Methods attribute with the bit of the physical push button not set.
Signed-hostap: Yoni Divinsky <yoni.divinsky@ti.com>
Without this, we can get into a tight loop because the
code in general doesn't add eloop exception handlers,
so socket reporting the POLLERR would never be read.
With this change, any socket with POLLERR or POLLHUP
asserted will be handled by the read logic.
Signed-hostap: Ben Greear <greearb@candelatech.com>
The control message received from the kernel needs some space, but
there's no need for the strange typing that breaks clang compilation.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Maintain a copy of Chargeable-User-Identity in the PMKSA cache to allow
it to be included in accounting messages even if full authentication was
not completed.
Signed-hostap: Jouni Malinen <j@w1.fi>
Calling-Station-Id, Acct-Session-Id, and User-Name attributes in a
Disconnect-Request message can now be used to indicate which station is
to be disconnected.
Signed-hostap: Jouni Malinen <j@w1.fi>
DAS will now validate Event-Timestamp value to be within an acceptable
time window (300 seconds by default; can be set using
radius_das_time_window parameter). In addition, Event-Timestamp can be
required in Disconnect-Request and CoA-Request messages with
radius_das_require_event_timestamp=1.
Signed-hostap: Jouni Malinen <j@w1.fi>
Currently, FullMAC Persistent GO can't use p2p_client_list because its
own hapd->p2p_group is NULL at ap_sta_set_authorized(). This patch
changes the processing to use sta->p2p_ie instead of
p2p_group_get_dev_addr() on FullMAC GO.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
The P2P Client Discoverability bit is reserved in most frames and its
value in the local P2P peer table should only be updated based on P2P
Group Info attribute from a GO. Fix this by avoiding changes to this
dev_capab bit based on other P2P frames. It would be more correct to
track this separately for each group in which the peer is a member, but
since we do not do that for the other group specific information either,
this can do for now.
It should be noted that prior to commit
18485b5469 wpa_supplicant set this bit in
all P2P frames. However, that commit changed this to match the
specification, i.e., the bit is not set in frames which are received
from P2P Device role. As such, this fix is needed to be able to figure
out that a peer supports client discoverability capability after that
commit.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
In the P2P specification v1.1, the P2P Client Discoverability bit is
described in Table 12 "Device Capability Bitmap definition". The table
says "Within a P2P Group Info attribute and a (Re)association request
frame the P2P Client Discoverability field shall be set to 1 when the
P2P Device supports P2P Client Discoverability, and is set to 0
otherwise. This field shall be reserved and set to 0 in all other frames
or uses.". To match with this, filter out P2P Client Discoverability bit
from frames where its use is reserved.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
If the peer uses an unknown reauth id, it would still be possible to use
pseudonym instead of permanent id. Allow this by changing the
AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is
used in EAP-Response/Identity.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There is a race condition in GO Negotiation Request frame sending and
processing that may end up with both devices sending GO Negotiation
Response. This response frame was previously accepted even if a response
had already been sent. This could result in two GO Negotiation Confirm
frames being exchanged and consequently, with two separate GO
Negotiations completing concurrently. These negotiations could result in
getting mismatching parameters (e.g., both device could believe it was
the GO).
Fix this by ignoring GO Negotiation Response from the peer if twe have
already sent a GO Negotiation Response frame and we have the higher P2P
Device Address. This is similar to the rule used to determine whether to
reply to GO Negotiation Request frame when Request was already sent,
i.e., the same direction of GO Negotiation is maintained here to enforce
that only the negotiation initiated by the device with smaller P2P
Device Address is completed.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If both peers initiate GO Negotiation at about the same time, it is
possible for the GO Negotiation Request frame from the peer to be
received between the local attempt to send the GO Negotiation Request
and TX status event for that. This could result in both devices sending
GO Negotiation Response frames even though one of them should have
skipped this based which device uses a higher MAC address.
Resolve this race by incrementing go_neg_req_sent when p2p_send_action()
returns success instead of doing this from the TX status callback. If
the frame is not acknowledged, go_neg_req_sent is cleared in TX status
handler.
Signed-off-by: Neeraj Garg <neerajkg@broadcom.com>
Stop the connection attempt if GO Negotiation Confirm is not received
within 100 ms of the GO Negotiation Response getting acknowledged.
Previously, we would have continued trying to connect to the peer even
in this case which could result in confusing second GO Negotiation
Request frame and unnecessarily long wait before indicating failure.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The GO Negotiation Confirm frame doesn't need to be sent with a wait
since we don't expect a response to it.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Concurrent Operation bit was not set for GO even if the device
supports concurrent operations. Make sure the Device Capability
value is consistent with other P2P use cases by using the value
determined in p2p_init().
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
Send an "EAP" signal via the new DBus interface under various
conditions during EAP authentication:
- During method selection (ACK and NAK)
- During certificate verification
- While sending and receiving TLS alert messages
- EAP success and failure messages
This provides DBus callers a number of new tools:
- The ability to probe an AP for available EAP methods
(given an identity).
- The ability to identify why the remote certificate was
not verified.
- The ability to identify why the remote peer refused
a TLS connection.
Signed-hostap: Paul Stewart <pstew@chromium.org>
In certain cases like PBC session overlap it appears to be possible that
an interface is removed due to an event handled on it, this leads to
list corruption. Use safe iteration to prevent this issue.
Reported-by: Nirav Shah <nirav.j2.shah@intel.com>
Reported-by: Neeraj Kumar Garg <neerajkg@broadcom.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
intended-for: hostap-1
When hostapd (or wpa_supplicant AP mode) limits the maximum number
of STA entries with a driver that implements SME, the driver needs
to be notified of the failed STA addition. Disassociate the STA if
the driver notifies of an association that would go beyond the
maximum number of STAs.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If WNM is enabled for the build (CONFIG_WNM=y), add BSS max idle period
information to the (Re)Association Response frame from the AP and parse
this information on the station. For SME-in-wpa_supplicant case, add a
timer to handle periodic transmission of the keep-alive frame. The
actual request for the driver to transmit a frame is not yet
implemented.
Signed-hostap: Jouni Malinen <j@w1.fi>
When sending an offchannel frame (mainly, P2P Invitation Request), the
wait_time parameter was hardcoded to 0 for drivers that implement AP
mode SME. This is not correct and can cause problems for drivers that
support offloading of off-channel operations with driver/firmware based
AP SME.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is a workaround for interoperability issues with some deployed P2P
implementations that require a Provision Discovery exchange to be used
before GO Negotiation. The new provdisc parameter for the p2p_connect
command can be used to request this behavior without having to run a
separate p2p_prov_disc command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The nl80211 driver interface does not allow 128-bit WEP to be used
without a vendor specific cipher suite and no such suite is defined for
this purpose. Do not accept WEP key length 16 for nl80211 driver
interface forn ow. wext-interface can still try to use these for
backwards compatibility.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the AP indicates support for Hotspot 2.0, show this in the
ctrl_iface commands for BSS table and status.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If PD Request includes P2P Group ID, verify that the specified
group matches with a group we are currently operating. If no match
is found, reject the PD Request for join-a-group case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This can be used with P2P management operations that need to verify
whether the local device is operating a specific group based on
P2P Group ID attribute from a peer.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 349b213cc8 added a separate
callback prov_disc_fail() for indicating PD failures, but it left the
Provision Discovery Response handler to call both callbacks in case the
peer rejected the PD. Commit f65a239ba4
added ctrl_iface event for PD failures. This combination can result in
two ctrl_iface events in the peer rejecting a PD case. Clean this up by
only indicating the failure event.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Some drivers may accept the remain-on-channel command, but instead of
indicating start event for remain-on-channel, just indicate that the
operation has been canceled immediately. This could result in continuous
loop of search/listen states with very limited time to do anything else
in wpa_supplicant if the scan command is also completed quickly (e.g.,
if the driver is unable to scan other channels than the current
operating channel).
As a workaround, do not start the next step (search) in P2P device
discovery if this type of rejection of listen operation is detected.
This gives some more time for wpa_supplicant to handle whatever else
may be needed at to be done at the same time and reduces the amount
of CPU used in a loop that does not really work correctly from the
view point of being discoverable.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
This adds the basic DAS mechanism to enable hostapd to be configured
to request dynamic authorization requests (Disconnect-Request and
CoA-Request). This commit does not add actual processing of the
requests, i.e., this will only receive and authenticate the requests
and NAK them regardless of what operation is requested.
Signed-hostap: Jouni Malinen <j@w1.fi>
New configuration parameters radius_auth_req_attr and
radius_acct_req_attr can now be used to add (or override) RADIUS
attributes in Access-Request and Accounting-Request packets.
Signed-hostap: Jouni Malinen <j@w1.fi>
radius_request_cui=1 configuration parameter can now be used to
configure hostapd to request CUI from the RADIUS server by including
Chargeable-User-Identity attribute into Access-Request packets.
Signed-hostap: Jouni Malinen <j@w1.fi>
If Access-Accept packet includes the Chargeable-User-Identity attribute,
copy this attribute as-is into accounting messages.
Signed-hostap: Jouni Malinen <j@w1.fi>
There was a technical change between the last IETF draft version
(draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters
used in the username (i.e., use unique characters for EAP-AKA' instead
of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and
peer implementations to use the leading characters based on the final
RFC.
Note: This will make EAP-AKA' not interoperate between the earlier
draft version and the new version.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Incorrect identity string could end up being used with EAP-AKA' when
the EAP client is using pseudonym. This code was supposed to use
sm->identity just like the EAP-AKA case.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
The misplaced parenthesis caused Device ID matching to check only the
first octet of the P2P Device Address, i.e., we could have replied to
Probe Request frames that was searching for another device if any of
the last five octets of the address were different.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
An existing persistent group information can now be used to force GO
Negotiation to use the previously used SSID/passphrase from a persistent
group if we become a GO. This can be used as an alternative to inviting
a new P2P peer to join the group (i.e., use GO Negotiation with GO
intent 15 instead of starting an autonomous GO and using invitation),
e.g., in case a GO Negotiation Request is received from a peer while we
are not running as a GO. The persistent group to use for parameters is
indicated with persistent=<network id> parameter to p2p_connect.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commits 17bef1e97a and
ffe98dfb88 started using p2p_add_device()
with other frames than just Probe Response frames from scan results.
However, these changes did not take into account that the PD Request
and Invitation Request frames are normally received on the our own
Listen channel, not on the Listen channel of the peer. As such, these
frames must not be used to update Listen channel information for the
peer.
Fix this by letting p2p_add_device() know whether the results are from
scan results and if not, skip the peer table updates that are specific
to Probe Response frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Add provisional discovery failure ctrl_iface event
(P2P-PROV-DISC-FAILURE) to indicate to the application layer in case of
PD failure.
Signed-off-by: Deepthi Gowri <deepthi@codeaurora.org>
Commit d9bdba9f86 was supposed to allow
p2p_listen to schedule new after scan operation only if a p2p_connect
operation was not pending. However, it used incorrect P2P_AFTER_SCAN_
value for this and did not actually prevent overriding of p2p_connect
and could have caused some p2p_listen operations to be skipped
unnecessarily.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Unlike the unicast SD queries, the queries directed to all peers depend
on P2P_DEV_SD_INFO flag being cleared to allow the query to be sent to
a peer that has previously replied to any SD query.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the timeout scheduled during the previous association was
used after reassociation if the STA entry had not yet been removed. The
next timeout does not need to happen that quickly, so reschedule it
during reassociation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to figure out what exactly was done with the
ap_handle_timer registration/cancellation based on a debug log.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The next ap_handle_timer action was already cleared when association
is handled with user space -based SME. However, this step was missing
from the driver callback for indicating new association. This could
result in the first ap_handle_timer timeout on the new association
removing the station unexpectedly. Fix this by resetting the timeout_next
in hostapd_notif_assoc().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
A station may move from EAP/WPS key_mgmt to PSK using re-association. In
practice, this can happen most likely with WPS when the station runs
through the provisioning step (EAP/WPS) followed by PSK authentication.
If a deauthentication event is missed from the station for whatever
reason, the EAPOL authenticator state machine could have been left
running.
This can result in various issues, including unexpected disconnection of
the station while both the 4-way handshake and EAPOL authenticator state
machines (EAP) are running at the same time when the supplicant is
trying to use PSK. Fix this by explicitly clearing EAPOL authenticator
state machine on (re)association if the new association does not use it.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
When starting an AP with HT40 on 2.4 GHz, limit the set of channels
to scan for based on the affected frequency range to speed up the
AP setup.
Signed-hostap: Jouni Malinen <j@w1.fi>
Mark the debug print excessive and print it only in case the entropy
collection is used since this function can get called pretty frequently.
Signed-hostap: Jouni Malinen <j@w1.fi>
OpenSSL wrapper was using the same certificate store for both Phase 1
and Phase 2 TLS exchange in case of EAP-PEAP/TLS, EAP-TTLS/TLS, and
EAP-FAST/TLS. This would be fine if the same CA certificates were used
in both phases, but does not work properly if different CA certificates
are used. Enforce full separation of TLS state between the phases by
using a separate TLS library context in EAP peer implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
This was never really completed and is of not much use at this point,
so clean up the repository by removing the Symbian-specific changes.
Signed-hostap: Jouni Malinen <j@w1.fi>
This optional parameter to the BSS command can be used to select which
fields are included in the output to avoid having to parse through
unneeded information and to reduce the buffer size.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
There is no need to subscribe to event messages during deinit process,
so skip this to avoid unnecessary operations and to keep the debug logs
a bit cleaner.
Signed-hostap: Jouni Malinen <j@w1.fi>
This should keep us from getting into a state where we bounce large
numbers of stations all at once. Spreading out the bounce should cause
less stress on the network as the idle stations won't all be trying to
reconnect at once.
Signed-hostap: Ben Greear <greearb@candelatech.com>
wps_vendor_ext_m1 configuration parameter can now be used to add a
vendor specific attribute into the WPS M1 message, e.g., for
Windows Vertical Pairing.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This was previously indicated as disassociation, but the P2P group
session ending case expect a deauthentication notification. Since the
cfg80211 disconnection event does not really indicate which frame was
used, the easiest approach for now seems to be to just indicate these
as deauthentication events.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use reason code 3 (Deauthenticated because sending STA is leaving)
instead of reason code 2 (Previous authentication ot valid) in the
Deauthentication frame sent at the time a BSS is terminated. This is
more accurate reason for the message and allows the stations to get
better understand on why they were disconnected. This can be useful
especially for P2P clients that can use this as a signal that the
P2P group session was ended per P2P specification section 3.2.9.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
On P2P group removal, the GO is deinitialized correctly (and the vif
mode is set back to sta in case of nl80211), but the P2P client mode
wasn't deinitialized, and the nl80211 vif stays in P2P client mode.
Add a new deinit_p2p_cli op (similar to deinit_ap), which currently only
sets the interface back to station mode.
Signed-hostap: Eliad Peller <eliad@wizery.com>
intended-for: hostap-1
Some applications require knowing about probe requests to identify
devices. This can be the case in AP mode to see the devices before they
connect, or even in P2P mode when operating as a P2P device to identify
non-P2P peers (P2P peers are identified via PeerFound signals).
As there are typically a lot of probe requests, require that an
interested application subscribes to this signal so the bus isn't always
flooded with these notifications. The notifications in DBus are then
unicast only to that application.
A small test script is also included.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The signal strength is currently never used as the only driver reporting
it is nl80211 which uses IEEE80211_RADIOTAP_DB_ANTSIGNAL which is never
populated by the kernel. The kernel will (soon) populate
IEEE80211_RADIOTAP_DBM_ANTSIGNAL instead though, so use that.
Also, since it was never really populated, we can redefine the signal
field to be in dBm units only.
My next patch will also require knowing the signal strength of probe
requests throughout the code (where available), so add it to the
necessary APIs.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When hostapd is about to start an AP using HT40, it starts a scan to
check whether it is allowed or not. If OLBC is detected before the
scan has completed, it sets the beacons prematurely.
To fix this, instead of setting all beacons when OLBC is detected,
only update the ones that have already been started.
Signed-off-by: Luciano Coelho <coelho@ti.com>
ieee802_1x_encapsulate_radius() frees the RADIUS message if
radius_client_send() returns error. This could have resulted in use of
freed memory and double freeing of the RADIUS message if send() fails
since the message is also left in the retransmit list. Avoid this by not
returning error to the caller in such a case.
Signed-off-by: Alexander Couzens <lynxis@c-base.org>
Add the option (-T) to wpa_supplicant to log all debug messages into the
kernel tracing, allowing to aggregate kernel debugging with
wpa_supplicant debugging and recording all with trace-cmd.
Since tracing has relatively low overhead and can be filtered
afterwards, record all messages regardless of log level. However, it
will honor the -K option and not record key material by default.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The "BSS p2p_dev_addr=address" command uses p2p_parse_dev_addr() to
figure out the P2P Device Address of the GO from scan results. This used
to work only if the P2P IE was received from Probe Response frames since
only those include the P2P Device Info attribute. Make this work with
Beacon frames, too, by using P2P Device ID attribute if the P2P Device
Info attribute is not present.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A network block specific background scan period can now be configured
for drivers that implement internal background scan mechanism for
roaming and BSS selection.
Signed-hostap: Bala Shanmugam <bkamatch@qca.qualcomm.com>
Implement wps_cancel for hostapd similarly to how it was already
supported in wpa_supplicant AP mode.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_pref_chan configuration parameter can now be used to set the
list of preferred channel for P2P GO Negotiation. This will be used
in the priority order if the peer does not support the channel we
are trying to use as the GO (configured operating channel or the
best 2.4 GHz/5 GHz channel) for the case where a forced channel is
not used.
p2p_pref_chan=<op class:channel>,...
For example:
p2p_pref_chan=81:1,81:2,81:3,81:4,81:5,81:6
This would configure 2.4 GHz channels 1-6 as the preferred ones with
channel 1 the most preferred option.
These configuration parameters can be set in wpa_supplicant.conf and
dynamically updated with "wpa_cli set <param> <value>".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When drivers advertise their capability to free up inactive
stations based on ap_max_inactivity, send the inactivity period
timeout to driver in NL80211_ATTR_INACTIVITY_TIMEOUT. This
introduces a WPA_DRIVER_FLAGS (WPA_DRIVER_FLAGS_INACTIVITY_TIMER)
so that the inactivity period will be sent only when this capability
bit is set.
Signed-hostap: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
When the driver (or firmware) implements AP mode SME, the use of raw
management frame TX functions is not working properly at the moment. As
an initial step, convert these AP mode operations to use
NL80211_CMD_DEL_STATION and do not claim that driver provides TX status
for deauth/disassoc frames. While this does not address all use cases
(e.g., reason code is not specified in the command), this fixes number
of issues where the station does not get disconnected properly.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 30680e9332 changed the length
of the implicit challenge result to match with the exact length used
in TTLS. However, it failed to update the peer_challenge generation
to use a separate random value. Previously, this was generated as
part of the implicit challenge, but more correct way would have been
to generate a random value for it separately. Do this now to fix the
read after the allocated buffer (16 bytes after the implicit
challenge).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
This DO has a maximum length of 127 bytes (TS 102 221), so better use
large enough buffer when reading the record.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, this provisioning info was cleared using the P2P Interface
Address of the GO as the key. That did not always work in the case the
where we joined an already running group. This could result in the next
connection to that same GO skipping provision discovery. Fix this by
finding the peer entry based on its P2P Device Address instead of the
P2P Interface Address which may not always be set.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
If a wildcard PIN is used on any of the radios that hostapd is
controlling, invalidate the matching PIN on all the other radios
to avoid multiple uses of the same PIN.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use Device Password ID in WSC IE of Probe Request and Probe Response
frames to advertise immediate availability of WPS credentials per P2P
specification sections 3.1.2.1.1 (Listen State), 3.1.2.1.2 (Scan Phase),
and 3.1.2.1.3 (Find Phase).
For now, the Device Password ID is set only for the case where we are
active GO Negotiation with a specific peer. In practice, this means that
the Probe Response frames during pending GO Negotiation (whenever in
Listen state) indicate availability of the credential.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_flush did not explicit stop all P2P operations, i.e., the exact
behavior depended on the P2P module state at the time the p2p_flush
command was issued. Make this more consistent by explicitly calling
p2p_stop_find() from p2p_flush().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If Listen state was in progress on another channel when a request to
send an Action frame (e.g., Provision Discovery Request or Invitation
Request to a peer on the peer's Listen channel that is different from
our Listenc hannel) is issued, wpa_supplicant tried to use concurrent
remain-on-channel operations. While some drivers can handle this
cleanly, there are drivers that don't and wpa_supplicant is not expected
to request concurrent remain-on-channel operations.
Fix this by cancelling the ongoing remain-on-channel with stop_listen
prior to sending the Action frame on another channel. If a P2P search
was in progress, it will be continued after the timeout on the new
operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new venue_name configuration parameter can now be used to configure
the ANQP Venue Name values that stations can request through GAS.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds GAS/ANQP implementation into hostapd. This commit brings in
the basic GAS/ANQP functionality, but only the ANQP Capability List
element is supported.
For testing purposes, hostapd control interface SET command can be used
to set the gas_frag_limit parameter dynamically.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
New global configuration parameters pcsc_reader and pcsc_pin can now be
used to initialize PC/SC reader context at start of wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
ambiguous. The Authenticator state machine uses a counter that is
incremented by one for each 4-way handshake. However, the security
analysis of 4-way handshake points out that unpredictable nonces help in
preventing precomputation attacks. Instead of the state machine
definition, use an unpredictable nonce value here to provide stronger
protection against potential precomputation attacks.
Signed-hostap: Jouni Malinen <j@w1.fi>
Move disassociate and deauthenticate commands to ctrl_iface_ap.c, so
that they ares accessible for wpa_supplicant AP mode and wpa_cli (with
CONFIG_AP option enabled).
Signed-hostap: Jithu Jance <jithu@broadcom.com>
Remove unnecessary second copy of the URL and too long memory
allocation. In addition, avoid use of strcpy() to keep static analyzers
happier.
Signed-hostap: Jouni Malinen <j@w1.fi>
It looks like a RTM_NEWLINK event claiming the interface to be UP is
delivered just before removing an interface after having first indicated
that the interface was going down/removed. Ignore this event if the
interface is not present anymore at the moment the event is processed.
This fixes issues where an interface that was re-added after being
removed did not get reconfigured properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
It looks like a RTM_NEWLINK event claiming the interface to be UP is
delivered just before removing an interface after having first indicated
that the interface was going down/removed. Ignore this event if the
interface is not present anymore at the moment the event is processed.
This fixes issues where an interface that was re-added after being
removed did not get reconfigured properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
AT_NEXT_PSEUDONYM is supposed to be included only in the Challenge
messages, not in the Re-authentication messages. This attribute was
incorrectly included in the Re-authentication messages and could have
been used to update the pseudonym state on the server without the peer
updating its state.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Add support to send Action frames to the driver.
Add support for TSPEC req and adding STA node to the driver.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
"wpa_cli set radio_disabled 1/0" can be used to disable/enable
radio to simulate out-of-radio-range condition in a testbed
device.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit d9a38716cc did this for
hostapd_eapol_tx_status() but missed the older hostapd_tx_status()
path. Address that case, too.
The TX status event may be received after a station has been
disassociated in cases where the disassociation is following a
transmission of a Data frame. Ignore such events if the STA is not
associated at the moment the event is being processed. This avoids
confusing debug entries and rescheduling of the EAPOL TX timeouts for
STAs that are still in the STA table, but are not really in active EAPOL
session.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
The SetSelectedRegistrar timeout was registered for each registrar
instance, but the only context pointer (struct subscription *) was
shared with each registrar which resulted in the timeout getting
cancelled for some of the registrar instances before the selected
registrar (ER) information was cleared.
In addition, when an ER unsubscribed from receiving events, the
selected registrar information got cleared only from a single
registrar.
Fix these issues by registering a pointer to the registrar
instance in the timeout and by iterating over all UPnP interfaces
when removing a subscription.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
eloop_sock_table_add_sock() needs to fail if pollfd array allocation
fails instead of returning success and leaving behind no buffer.
Signed-hostap: Jouni Malinen <j@w1.fi>
In IBSS RSN cfg80211/mac80211 now waits for userspace to authorize new
stations. This patch makes wpa_supplicant notify the driver when a
station can be considered authorized.
Signed-hostap: Antonio Quartulli <ordex@autistici.org>
When using more than around 200 virtual stations, we start hitting the
max number of file descriptors supported by select(). This patch adds
support for poll(), which has no hard upper limit.
Signed-hostap: Ben Greear <greearb@candelatech.com>
Remove the GPL notification text from files that were initially
contributed by Atheros Communications or Qualcomm Atheros.
Signed-hostap: Jouni Malinen <j@w1.fi>
Remove the GPL notification text from EAP-pwd implementation per
approval from Dan Harkins who contributed these files.
(email from Dan Harkins <dharkins@lounge.org> dated
Wed, 4 Jan 2012 16:25:48 -0800)
Signed-hostap: Jouni Malinen <j@w1.fi>
In case of !defined(IEEE8021X_EAPOL) the definition of the stub
pmksa_cache_get() in rsn_supp/pmksa_cache.h is not correct. This patch
adds the missing argument to the function definition to fix a
regression from commit 96efeeb66b.
Signed-hostap: Antonio Quartulli <ordex@autistici.org>
Search (p2p_scan) could already have been started at the point
remain-on-channel end event is being processed, e.g., if an Action frame
TX is reported immediately aftet the end of an earlier remain-on-channel
operation and the response frame is sent using an offchannel operation
while p2p_find is still in progress. Avoid trying to re-run p2p_scan
while the previous one is still running.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 39185dfa54 changed the p2p_scan()
callback to return 1 in some cases, but forgot to change this p2p_scan()
call to handle that properly. Fix this by processing any non-zero value
as an error. This regression could leave the P2P module in state where
it believed a P2P scan was still running and refused to start some
operations until that scan gets completed (which would never happen
since it was not really started).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, PINs that are added with a wildcard UUID were allowed to
be used only by a single Enrollee. However, there may be more than one
Enrollee trying to connect when an AP indicates that active Registrar
is present. As a minimal workaround, allow two Enrollees to try to use
the wildcard PIN. More complete extension could use timeout and allow
larger set of Enrollees to try to connect (while still keeping in mind
PIN disabling requirement after 10 failed attempts).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
"BSS p2p_dev_addr=<P2P Device Address>" can now be used to fetch a
specific BSS entry based on the P2P Device Address of the GO to avoid
having to iterate through the full BSS table when an external program
needs to figure out whether a specific peer is currently operating as
a GO.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When the GO negotiation peer is assigned, the state also cannot be IDLE,
SEARCH, or LISTEN_ONLY.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When looking for PMKSA cache entries to use with a new association, only
accept entries created with the same network block that was used to
create the cache entry.
Signed-hostap: Jouni Malinen <j@w1.fi>
This fixes a corner case where a STA that has PMKSA cache entry (or
valid FT keys) could try to use full EAPOL/EAP authentication and fail.
If the STA will then try to use the still valid PMKSA cache entry (or
FT) before the STA entry has been cleared, authFail could have been left
to TRUE. That will make EAPOL authenticator PAE state machine enter HELD
state even though authSuccess was already forced to TRUE. This results
in the STA getting disconnected even though it should be allowed to
continue with 4-way handshake. While this is unlikely to happen in
practice, it is better to get this fixed by clearing authFail when
setting authSuccess.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
The TX status event may be received after a stations has been
disassociated in cases where the disassociation is following a
transmission of a Data frame. Ignore such events if the STA is not
associated at the moment the event is being processed. This avoids
confusing debug entries and rescheduling of the EAPOL TX timeouts for
STAs that are still in the STA table, but are not really in active EAPOL
session.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
While the exponential increase in the lockout period provides an
efficient mitigation mechanism against brute force attacks, this
additional trigger to enter indefinite lockout period (cleared by
restarting hostapd) will limit attacks even further by giving maximum of
10 attempts (without authorized user action) even in a very long term
attack.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows HT capabilities overrides on kernels that
support these features.
MCS Rates can be disabled to force to slower speeds when using HT.
Rates cannot be forced higher.
HT can be disabled, forcing an 802.11a/b/g/n station to act like
an 802.11a/b/g station.
HT40 can be disabled.
MAX A-MSDU can be disabled.
A-MPDU Factor and A-MPDU Density can be modified.
Please note that these are suggestions to the kernel. Only mac80211
drivers will work at all. The A-MPDU Factor can only be decreased and
the A-MPDU Density can only be increased currently.
Signed-hostap: Ben Greear <greearb@candelatech.com>
When there is not enough entropy and there are two station associating
at the same time, one of the stations will be rejected, but during
that rejection, the "reject_4way_hs_for_entropy" flag gets cleared. This
may allow the second station to avoid rejection and complete a 4-Way
Handshake with a GTK that will be cleared as soon as more entropy is
available and another station connects.
This reworks the logic to ban all 4-way handshakes until enough entropy
is available.
Signed-hostap: Nicolas Cavallari <cavallar@lri.fr>
In multiple BSSes scenario for the drivers that do not use
monitor interface and do not implement AP SME, RX MGMT
frame subscription happens only for the default bss (first_bss).
Subscribe for RX MGMT frames for such BSSes.
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Commit e4fb216769 moved frequency
storage from driver struct to bss struct and is assigned in
wpa_driver_nl80211_set_freq. As this wpa_driver_nl80211_set_freq is
triggered only on the first_bss, bss->freq for other BSSes is never
being set to the correct value. This sends MLME frames on frequency zero
(initialized value of freq) for BSSes other than the first.
To fix this derive frequency value from first_bss.
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
This patch allows to log hexdumps into syslog.
This is useful when testing, as syslog's network logging
helps to collect debug outputs from several machines.
Signed-hostapd: Nicolas Cavallari <cavallar@lri.fr>
The pseudonym identity should use a realm in environments where a realm is
used. Thus, the realm of the permanent identity is added to the pseudonym
username sent by the server.
Signed-hostap: Simon Baatz <gmbnomis@gmail.com>
The pseudonym identity should use a realm in environments where a realm is
used. Thus, the realm of the permanent identity is added to the pseudonym
username sent by the server.
Signed-hostap: Simon Baatz <gmbnomis@gmail.com>
When the "bssid=" option is set for an IBSS network and ap_scan = 2,
ask the driver to fix this BSSID, if possible.
Previously, any "bssid=" option were ignored in IBSS mode when ap_scan=2.
Signed-hostap: Nicolas Cavallari <cavallar@lri.fr>
It looks like Windows 7 WPS implementation does not like multiple
Authentication/Encryption Type bits to be set in M7 AP Settings
attributes, i.e., it refused to add a network profile if the AP
was configured for WPA/WPA2 mixed mode and AP PIN was used to
enroll the network.
Leave only a single bit set in the Authentication/Encryption Type
attributes in M7 when the AP is acting as an Enrollee to avoid this
issue.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A P2P Action frame may need to be sent on another channel than the GO's
operating channel. This information was lost in
wpa_driver_nl80211_send_action() in the case the interface was in AP
mode. Pass the frequence and related parameters to send_mlme mechanism
to allow the correct frequence to be used with the send frame command in
AP (P2P GO) mode.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Number of places in hostapd use ap_sta_disconnect() instead of
ap_sta_disassociate() or ap_sta_deauthenticate(). There are some
differences between these functions, e.g., in the area how quickly
the EAPOL state machines get deinitialized. This can result in
somewhat unexpected events since the EAPOL/WPA authenticator
state machines could remain running after deauthentication.
Address this by forcing EAPOL/WPA authenticator state machines
to disabled state whenever ap_sta_disconnect() is called instead
of waiting for the deauthentication callback or other timeout
to clear the STA.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Even though we may not update P2P peer entry while connected to the
peer as a P2P client, we should not be expiring a P2P peer entry while
that peer is the GO in a group where we are connected as a P2P client.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Even though we may not receive a Probe Response from the peer during
the connection, we should not be expiring a P2P peer entry while that
peer is connected to a group where we are the GO.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The cookie value needs to be fetched in GO mode, too, to be able to
indicate TX status callbacks with drivers that handle AP mode SME
functionality internally. This fixes issues with client discoverability
where TX status callback for GO Discoverability Request is needed to
trigger the GO to send Device Discoverability Response.
Some SIM cards do not include MNC length with in EF_AD. Try to figure
out the MNC length based on the MCC/MNC values in the beginning of the
IMSI. This covers a prepaid Elisa/Kolumbus card that would have ended
up using incorrect MNC length based on the 3-digit default.
Signed-hostap: Jouni Malinen <j@w1.fi>
The temporary IMSI buffer can be used for this without needing the
extra memory allocation. In addition, the implementation is easier
to understand when the extra identity prefix value for EAP-SIM/AKA
is not included while fetching MCC/MNC from the IMSI.
Signed-hostap: Jouni Malinen <j@w1.fi>
The EF-AD (administrative data) file may contain information about the
length of the MNC (2 or 3 digits) in the IMSI. This can be used to
construct the realm according to 3GPP TS 23.003 during EAP-SIM or
EAP-AKA authentication.
Signed-hostap: Simon Baatz <gmbnomis@gmail.com>
This patch notifies the upper framework that an on-going discovery has
been stopped. This is useful in cases where a p2p_find with a timeout
value initiated by the upper framework has been finished or when the
framework initiated "p2p_find" is stopped by a "p2p_connect".
Signed-hostap: Jithu Jance <jithu@broadcom.com>
Some deployed station implementations seem to send msg 4/4 with
incorrect type value in WPA2 mode. Add a workaround to ignore that issue
so that such stations can interoperate with hostapd authenticator. The
validation checks were added in commit
f8e96eb6fd.
Signed-hostap: Jouni Malinen <j@w1.fi>
The Device ID attribute was already used in Listen state, but it was
ignored in GO role. Verify that there is a match with Device ID in
GO rule, too, before replying to the Probe Request frame.
Signed-hostap: Jouni Malinen <j@w1.fi>
dev_id=<P2P Device Addr> can now be specified as an argument to
p2p_find to request P2P find for a specific P2P device.
Signed-hostap: Jouni Malinen <j@w1.fi>
Some supplicant implementations (e.g., Windows XP WZC) update SNonce for
each EAPOL-Key 2/4. This breaks the workaround on accepting any of the
pending requests, so allow the SNonce to be updated even if we have
already sent out EAPOL-Key 3/4.
While the issue was made less likely to occur when the retransmit
timeout for the initial EAPOL-Key msg 1/4 was increased to 1000 ms,
this fixes the problem even if that timeout is not long enough.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Now that we can use driver_nl80211.c with non-mac80211 drivers that
implement SME/MLME internally, we may not get inactivity time from the
driver. If that is the case, we need to skip disconnection based on
maximum inactivity timeout. This fixes some unexpected disconnection
cases with ath6kl in AP mode.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The deauthentication and disassociation events from nl80211 were being
processed identically regardless of whether the frame was generated by
the local STA or the AP. This resulted in fast reconnection mechanism
getting triggered even in the case where the disconnection was detected
locally (e.g., due to beacon loss) while this was supposed to happen
only in the case where the AP is sending an explicit Deauthentication
or Disassociation frame with a specific reason code.
Fix this by adding a new deauth/disassoc event variable to indicate
whether the event was generated locally.
Signed-hostap: Jouni Malinen <j@w1.fi>
IEEE Std 802.1X-2004 does not clear authWhile and heldWhile in this
case, but doing so allows the timer tick to be stopped more quickly when
the port is not enabled. Since these variables are used only within HELD
and RECEIVE states, clearing them on initialization does not change
actual state machine behavior. This reduces some unnecessary operations
in port disabled state and cleans up the wpa_supplicant debug log after
disconnection.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since wps_registrar_pbc_timeout is called to stop PBC, previously
registered wps_registrar_pbc_timeout must be canceled when canceling
the WPS operation.
Signed-off-by: Spencer Chang <jungwalk@gmail.com>
The offchanok parameter is hardcoded to one in number of paths and that
added NL80211_ATTR_OFFCHANNEL_TX_OK attribute to NL80211_CMD_FRAME
unconditional. cfg80211 rejects this with EINVAL if the driver does not
indicate support for offchannel TX. Fix this by not requesting
offchannel TX depending on driver capabilities. Remain-on-channel
operation was used for those cases anyway, so the additional attribute
was not really needed for these in the first place.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When nl80211_setup_ap() has enabled Probe Request reporting, this must
not be disabled when P2P Listen state is stopped to avoid breaking AP
mode operations. This could happen, e.g., if a Probe Request frame was
received from a P2P device that the we are trying to invite to our group
(i.e., when operating in GO role). p2p_probe_req_rx() calls
p2p_invite_start() in this case and that ends up calling
p2p->cfg->stop_listen() which calls probe_req_report() driver op.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd uses the poll method to check if the station is alive
after the station has been inactive for ap_max_inactivity seconds.
Make the poll mechanism configurable so that user can choose to
disconnect idle clients.
This can be especially useful when some devices/firmwares have
restrictions on the number of clients that can connect to the AP
and that limit is smaller than the total number of stations trying
to use the AP.
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Nishant Sarmukadam <nishants@marvell.com>
The 100 ms timeout on retransmitting group key message can be too short
for stations that are in power save mode or if there is a large number
of association stations. While the retransmission of the EAPOL-Key frame
should allow this to be recovered from, it is useful to avoid
unnecessary frames to save soem CPU and power.
Signed-hostap: Jouni Malinen <j@w1.fi>
Drivers that use device SME in AP mode may still need to be
subscribed for Action frame RX when monitor interface is not used.
This fixes number of P2P GO operations with ath6kl.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Poll command may be enough for mac80211 to figure out whether monitor
interface is to be used, but this change did not take into account
non-mac80211 drivers that support AP mode without monitor interface.
For example, ath6kl needs to get use_monitor disabled.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Add a new persistent group network block field, p2p_client_list, to
maintain a list of P2P Clients that have connected to a persistent
group. This allows GO of a persistent group to figure out more easily
whether re-invocation of a persistent group can be used with a specific
peer device.
Signed-hostap: Jouni Malinen <j@w1.fi>
The P2P module provides access to public peer data in struct
p2p_peer_info. Use this to build the P2P_PEER information in
ctrl_iface.c instead of providing such text format data from the P2P
module.
The internal data that was previously built in p2p_get_peer_info() as
part of the text format peer data is now available through a separate
p2p_get_peer_info_txt() function. This is still included in P2P_PEER
output to maintain backwards compatibility with external programs that
could have started to use this. However, it should be noted that this
data is not really supposed to be used for anything else apart from
debugging purposes and its format is subject to change.
Signed-hostap: Jouni Malinen <j@w1.fi>
p2p_get_peer_info() was used in multiple places just to check whether a
specific peer is known. This was not the designed use for the function,
so introduce a simpler function for that purpose to make it obvious that
the p2p_get_peer_info() function is actually used only in ctrl_iface.c.
Signed-hostap: Jouni Malinen <j@w1.fi>
If p2p_listen is issued during a p2p_scan, a pending after-scan operation
is scheduled. However, since there is support for only a single pending
operation, this was able to override a previously scheduled pending
connect command. This can break some command sequences, so give higher
priority to pending connect operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Android ICS system/core/libnl_2 has very limited genl_ctrl_resolve()
implementation that cannot handle names other than nlctrl. Work
around that by implementing more complete genl_ctrl_resolve()
functionality within driver_nl80211.c for Android builds.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This event can be very frequent in AP mode when Beacon frames from
neighboring BSSes are delivered to user space. Drop the debug
message priority from DEBUG to EXCESSIVE for Beacon frames.
Signed-hostap: Jouni Malinen <j@w1.fi>
I needed this patch to compile against the latest
libnl code. I added this to my config file:
CONFIG_LIBNL32=y
Signed-hostap: Ben Greear <greearb@candelatech.com>
When waiting for go_neg frame from the peer in WAIT_PEER_CONNECT state,
I have observed that sometimes it takes 20 to 30 secs for successful GO
negotiation. I also found out that it is because of 1 second idle time,
in WAIT_PEER_CONNECT state. While it is good to have 1 second idle time
[for doing power-save or doing some other legacy STA Scan or some other
useful stuff], this makes GO Negotiation process slow.
We wait for 1 second idle and then listen for a random time between
100(min)-300(max) ms. Assume P1 is in WAIT_PEER_CONNECT state and P2 is
the one which is now to send go_neg frame. If P2 sends GO Negotiation
frame just at the boundary of 300 ms of P1 and assume that P2 takes
close to 600-800 ms for one iteration of sending go_neg request (one
iteration is GO Negotiation Request frame time + dwell time +
listen_time), P2 needs to transmit at least 16-18 Action frames for
hitting the listen time of P1.
Following patch reduces the idle time to 500 ms. Alternatively we can
increase the listen time interval to 500 ms just for WAIT_PEER_CONNECT
state.
Provision discovery from a known peer should actually check for
dev->flags & P2P_DEV_PROBE_REQ_ONLY. This is creating an issue of
updating the listen frequency of peer with the PD request frame
frequency. PD request frame will be sent by the peer on our local listen
frequency. This patch fixes that error. Suggested check has already been
implemented in the invitation req receive path.
The Provision Discovery Request needs to be sent on the operating
channel of the GO and as such, the frequency from the BSS table
(scan results) need to override the frequency in the P2P peer
table that could be based on the Listen channel of the GO.
Signed-hostap: Jouni Malinen <j@w1.fi>
The GO negotiation response is very cryptic at the moment. For a success
message we only know on which interface the negotiation succeeded, not
which peer. For a failure we know the interface also and a status code
(number).
It will be very useful for clients to know upon receipt of such a message
which peer the negotiation occurred with.
Now that the peer information is available and the API is changed
already, the function composing the D-Bus message might as well include
all GO negotiation information. This is done with a dict to make things
easier on clients if this result information changes down the line.
Signed-hostap: Reinette Chatre <reinette.chatre@intel.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When the station is connected to P2P GO after calling p2p_find command
the device sees itself. It is related to lack of filtering itself from
clients connected to P2P GO.
Step by step:
1. dev1: p2p_group_add
2. dev2: p2p_connect <MAC1> pbc join
3. dev1: wps_pbc
4. dev2: p2p_find
Skip P2P client information for our own device from a GO with which
we are connected.
It looks like some USIM cards respond with 0x67 (Wrong length) instead
of 0x6c to 00 b2 01 04 ff. This was getting rejected in
scard_get_record_len(). ETSI TS 102 221 is not very clear on this
detail, but it looks fine to accept the 0x67 error value, too, to learn
the record length.
Signed-hostap: Jouni Malinen <j@w1.fi>
Return 1/0 instead 0/-1 to indicate valid/invalid element so that
the if statement makes more sense with !wmm_valid().
Signed-hostap: Jouni Malinen <j@w1.fi>
This updates a previous patch did more or less the same thing by
providing the qosinfo as a single variable to the driver wrappers.
Signed-hostap: Jason Young <jason.young@dspg.com>
Add uapsd_queues and max_sp fields to sta_info struct,
and pass them to the sta_add callback.
These values are determined by the WMM IE in the (Re)Association Request.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Check whether the driver advertises support for U-APSD
in AP mode, and evaluate wmm_uapsd only in this case.
Signed-off-by: Eliad Peller <eliad@wizery.com>
The wpa_hexdump_ascii() call did not get converted properly and this
was missed becaused of it getting defined out from the build. Anyway,
this better use the correct variable names should that debug print
ever be enabled for Android.
Signed-hostap: Jouni Malinen <j@w1.fi>
A Pending Provision Discovery Request was sent in SEARCH phase after a
previous provision discovery timeout. Fix this by resetting the config
method of P2P device in the pending PD reset function. This avoids the
sending of a pending Provision Discovery Request during the next P2P
search.
Signed-off-by: Jean-Michel.Bachot <jean-michelx.bachot@intel.com>
Some debug messages used incorrect name for Provision Discovery.
Replace "Provisioning Discovery" with "Provision Discovery".
Signed-hostap: Jouni Malinen <j@w1.fi>
It is safer to assume that the driver could be using NoA and reject
any Presence Request unless we are sure that noa NoA is in use.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows per-device PSK to be configured for WPA-Personal using a
RADIUS authentication server. This uses RADIUS-based MAC address ACL
(macaddr_acl=2), i.e., Access-Request uses the MAC address of the
station as the User-Name and User-Password. The WPA passphrase is
returned in Tunnel-Password attribute in Access-Accept. This
functionality can be enabled with the new hostapd.conf parameter,
wpa_psk_radius.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
WPS overlap detection can detect false overlap if a P2P peer
changes UUID while authentication is ongoing. Changing UUID
is of course wrong but this is what some popular devices do
so we need to work around it in order to keep compatibility
with these devices. There already is a mechanism in WPS
registrar to skip overlap detection if P2P addresses of two
sessions match but it wasn't really triggered because the
address wasn't filled in in the caller function.
Let's fill in this address and also clean up WPS PBC sessions
on WSC process completion if UUID was changed.
Signed-hostap: Vitaly Wool<vitalywool@gmail.com>
Pass the raw Probe Response template to kernel via netlink using the
set_ap() driver callback. The data is sent as one of the Beacon
attributes.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Configure a Probe Response template for drivers that support it. The
template is updated when the Beacon template is updated.
The Probe Response template is propagated to the driver via the set_ap()
callback.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Arik Nemtsov <arik@wizery.com>
This is needed for Probe Response template, so move the code into a
separate function that can be shared.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Translate nl80211 flags to wpa_supplicant flags for Probe Response
offload support. The existence of the nl80211 PROBE_RESP_OFFLOAD_SUPPORT
attribute means Probe Response offload is supported. The value of the
attribute is a bitmap of supported protocols.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Arik Nemtsov <arik@wizery.com>
This previously helped when debugging some auth issues when hitting the
AP with 128 association attempts all at once.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Append "p2p_dev_addr" parameter to AP-STA-DISCONNECTED event for P2P
connections. In addition, for AP-STA-CONNECTED event during P2P
connection, the "dev_addr=" print is replaced with "p2p_dev_addr=" to
be more consistent with other events.
Signed-hostap: Jithu Jance <jithu@broadcom.com>
Storing the address in the BSS instead of the DRV struct makes it usable
for hostapd and thus gets rid of the linux_get_ifhwaddr() call when
receiving a spurious frame.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Testing code can now be enabled in the hostapd RADIUS server to dump
each derived MSK into a text file (e.g., to be used as an input to
wlantest). This functionality is not included in the default build
and can be enabled by adding the following line to hostapd/.config:
CFLAGS += -DCONFIG_RADIUS_TEST
The MSK dump file is specified with dump_msk_file parameter in
hostapd.conf (path to the dump file). If this variable is not set,
MSK dump mechanism is not enabled at run time.
Signed-hostap: Jouni Malinen <j@w1.fi>
If Provision Discovery Request is sent for GO role (i.e., P2P Group ID
attribute is included), add the group interface name to the control
interface event on the GO. This makes it easier to figure out which
ctrl_iface needs to be used for wps_pbc/wps_pin command to authorize
the joining P2P client.
Signed-hostap: Jouni Malinen <j@w1.fi>
If p2p_prov_disc join command is used prior to p2p_connect join,
skip the duplicated provision discovery exchange.
Signed-hostap: Jithu Jance <jithu@broadcom.com>
This can be used to request Provision Discovery Request to be sent
for the purpose of joining a running group, e.g., to request the GO
to display a PIN that we can then use with p2p_connect join command.
Signed-hostap: Jithu Jance <jithu@broadcom.com>
Since the nl_cache is not used anymore, there is no need for maintaining
the struct nl80211_handles wrapper for struct nl_handle. Clean this up
by using nl_handle directly.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is a rewrite of Ben Greear's patch, making the
nl80211 code use just a single multicast event socket.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When running AP mode, we need to receive beacons over overlapping BSSes
to handle protection. Use the new nl80211 command for this. As the
command works per wiphy (and we don't want to receive the Beacon frames
multiple times) add an abstraction that keeps track of per-wiphy data.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
These events are necessary to send deauth frames to
stations sending spurious data frames. Subscribe to
them on the per-BSS event socket.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
To achieve this, multiple things are needed:
1) since hostapd needs to handle *all* action frames,
make the normal registration only when in a non-AP
mode, to be able to do this use the new socket
2) store the frequency in each BSS to be able to give
the right frequency to nl80211's mgmt-tx operation
3) make TX status processing reject non-matched cookie
only in non-AP mode
The whole thing depends on having station-poll support
in the kernel. That's currently a good indicator since
the kernel patches are added together.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Fix start of reauthentication after failed authentication with
passthrough (external AAA server) to use internal EAP Identity method.
Signed-hostap: Jouni Malinen <j@w1.fi>
This reverts commit 204dd3f420.
start_reauth was not supposed to be used in this way and setting it
to TRUE in INITIALIZE breaks internal EAP server.
Signed-hostap: Jouni Malinen <j@w1.fi>
When using authentication retry within driver_nl80211.c, a failure on the
second attempt has to be indicated with a driver event since the return
code from wpa_driver_nl80211_authenticate() is not actually delivered to
the core code in that case.
Signed-hostap: Jouni Malinen <j@w1.fi>
cfg80211 rejects NL80211_CMD_AUTHENTICATE with ENOENT if the BSS entry
for the target BSS is not available. This can happen if the cfg80211
entry has expired before wpa_supplicant entry (e.g., during a suspend).
To recover from this quickly, run a single channel scan to get the
cfg80211 entry back and then retry authentication command again. This
is handled within driver_nl80211.c to keep the core wpa_supplicant
implementation cleaner.
Signed-hostap: Jouni Malinen <j@w1.fi>
The pseudonym is a temporary identity, but is no one-time identifier (like
the fast re-authentication identity). Thus, do not forget it if the server
does not include it in every challenge. There are servers that include the
pseudonym identity only at full-auth. [Bug 424]
Make sure sign extension does not end up getting used here by
explicitly type casting the variables to correct size.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 34445d12ee forgot to convert
the hostapd_prepare_rates() inline wrapper for builds that do not
define NEED_AP_MLME.
Signed-hostap: Jouni Malinen <j@w1.fi>
P2P invitation responses are transmitted with the BSSID set to the peer
address. Pass these action frames up to allow the GO to receive the
Invitation Response (and avoid sending the Invitation Request multiple
times).
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Set the NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT flag for nl80211 to tell
drivers (mac80211) to not encrypt the EAPOL frames for WEP IEEE 802.1X.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
In preparation for things that receive on a BSS-specific handle,
allocate a CB for it and hook it up to receive functions.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The next patch will add process_bss_event, rename process_event to
process_drv_event to differentiate between them.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
By passing the nl_cb as the context to the eloop function we can
(in the next patch) use the same eloop function for BSS events.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Storing the frequency in the bss struct allows using it for frame
commands in AP mode and not relying on the driver struct as much, which
is good for hostapd mode.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This will allow getting TX status for EAPOL frames
sent as data frames if the driver supports it.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Previously, sm->start_reauth was set to TRUE in SUCCESS2 state to force
reauthentication to start with EAP identity request. This works fine for
the case of EAP success through the AAA passthrough authentication, but
is not enough to handle passthrough authentication failure. sm->identity
is set in that case and getDecision would return PASSTHROUGH instead of
CONTINUE (to Identity method).
Signed-hostap: Jouni Malinen <j@w1.fi>
The RTM_NEWLINK even can have IFF_UP flag even if the interface is
down. Do not generate EVENT_INTERFACE_ENABLED event based on such a
message.
Signed-hostap: Jouni Malinen <j@w1.fi>
A new hostapd.conf parameter, wps_rf_bands, can now be used to fix the
RF Bands value in cases where hw_mode is not set or when operating a
dual band dual concurrent AP.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When hostapd controls multiple radios, WPS operations are started on
all interfaces. However, when the provisioning run had been completed
successfully, actiove WPS mode was stopped only a single interface. Fix
this to iterate through all interfaces so that this is handled
consistently with the starting of WPS operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 628d54639a introduced number
of new WPS related ctrl_iface messages to hostapd. Some of these
were for ER events which do not make any sense to hostapd that
cannot operate as an ER. The WPS_EV_ER_SET_SELECTED_REGISTRAR one
from wps_registrar_sel_registrar_changed_event() was especially
problematic since it can cause wpa_supplicant ER code segfault due
to missing event data.
Revert all the ER specific changes from commit
628d54639a to get rid of the segfault
and undesired extra code in hostapd.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is based on the Android driver_cmd changes that are converted to
use the sched_scan/stop_sched_scan driver_ops for the case where the
driver does not support the new nl80211 commands.
Change-Id: Iaedc340f84650af422bd2ea57d2a8b0a9d4a5330
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
(jm: This is based on the Android change that used driver_cmd. The same
implementation is used for the actual driver interface, but the commands
are now accessed through sched_scan/stop_sched_scan driver_ops instead
of driver_cmd)
While the copy is not used as a null terminated string, this can prevent
some static analyzers from complaining about non-issue.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add support for generating and verifying RFC 3447 RSASSA-PKCS1-v1_5
style DigestInfo for TLS v1.2 CertificateVerify. For now, this is
hardcoded to only support SHA256-based digest.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows the internal TLS implementation to be built for TLS v1.2
support. In addition to the build option, this changes the TLS PRF
based on the negotiated version number. Though, this commit does not
yet complete support for TLS v1.2.
Signed-hostap: Jouni Malinen <j@w1.fi>
Prepare for multiple TLS PRF functions by renaming the SHA1+MD5 based
TLS PRF function to more specific name and add tls_prf() within the
internal TLS implementation as a wrapper for this for now.
Signed-hostap: Jouni Malinen <j@w1.fi>
IW_ENCODE_ALG_PMK and IW_ENC_CAPA_4WAY_HANDSHAKE are not defined in the
Android tree, so add compatibility defines for these.
Signed-hostap: Jouni Malinen <j@w1.fi>
Send the connection events from P2P group to both the group interface
and parent interface ctrl_ifaces to make it easier for external monitor
programs to see these events without having to listen to all group
interfaces when virtual group interfaces are used.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
cfg80211 will reject the NL80211_CMD_START_SCHED_SCAN if too many
match sets are requested. To avoid being completely unable to start
any scheduled scans, skip setting these filters if the driver did
not advertise support for large enough number of match sets.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds initial implementation of set_p2p_powersave to allow legacy PS
mode to be configured. P2P PS parameters are not yet supported.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up the source code and makes it less likely that new AKM
addition misses some needed changes in the future.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the station is indicating use of WPS, WSC IE should be added into the
(Re)Association Response frame. This is clear for the case when WSC IE
was included in the (Re)Association Request frame. However, even the
WLAN_STA_MAYBE_WPS case may actually indicate use of WPS. Assume that to
be the case when WPA/WPA2 is enabled (i.e., when the STA does not
include WPA/RSN/WSC IE while AP has WPA/RSN enabled).
Signed-hostap: Jouni Malinen <j@w1.fi>
This makes it clearer that the PMKSA caching entry gets removed from
the driver regardless of how the internal entry from wpa_supplicant
gets cleared. In practice, this call was skipped only for the case
when the entry for the current AP was being updated, so the previous
version was likely to work with all drivers. Anyway, it is cleaner
to explicitly remove the old entry even in that case before the new
entry gets added.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 940a0ce970 moved the STA associated
check from driver_*.c into ieee802_1x_receive(), but failed to take into
account that wired networks and driver_wired.c do not mark the STA entry
associated. Fix this by skipping the check if the driver wrapper is
using a wired network.
Signed-hostap: Jouni Malinen <j@w1.fi>
It's not really valid to send off-channel in all cases,
so pass whether it should be allowed or not and don't
set it in the AP case.
Also, to get the right ifindex for hostapd, pass a bss
pointer instead of the drv pointer.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Some client implementations only wait a few ms after sending a probe
request while scanning. Since probe responses are always sent at a low
rate this can eat quite some airtime and it might be impossible to get
the frame out before the client leaves the channel again. If the client
leaves before all probe reponses where acked this can cause the probe
reponse to be retried quite often consuming even more airtime.
Hence, add a new noack flag to the driver's send_mlme callback that
allows hostapd to request whether the driver should expect an ACK for
this frame or not.
Use the new noack-policy only for broadcast probe requests that contain
a wildcard SSID.
Signed-hostap: Helmut Schaa <helmut.schaa@googlemail.com>
In some situations it might be benefical to send a unicast frame without
the need for getting it ACKed (probe responses for example). In order to
achieve this add a new noack parameter to the drivers send_mlme callback
that can be used to advise the driver to not wait for an ACK for this
frame.
Signed-hostap: Helmut Schaa <helmut.schaa@googlemail.com>
This structure was not really used for anything apart from figuring out
length of the EAP-pwd header (and even that in a way that would not work
with fragmentation). Since the bitfields in the structure could have
been problematic depending on target endianness, remove this unnecessary
structure.
Signed-hostap: Jouni Malinen <j@w1.fi>
Another niceness of OpenSSL is that if the high-order bit of a 521-bit
big num is not set then BN_bn2bin() will just return 65 bytes instead of
66 bytes with the 1st (big endian, after all) being all zero. When this
happens the wrong number of octets are mixed into function H(). So
there's a whole bunch of "offset" computations and BN_bn2bin() dumps the
big number into a buffer + offset. That should be obvious in the patch
too.
The previous EAP-pwd KDF implemented has an issue with group 21, that is
an elliptic curve group based on a 521 bit prime. 521 is not an even
multiple of 8, and therein lies the problem.
OpenSSL's BN library interprets a string of bits as in big-endian format
so all the calls of BN_bin2bn() will take the binary blob of bits and
turn it into a big number in big-endian format. In the EAP-pwd KDF, I am
stretching the key to "primebitlen". When that is not an even multiple
of 8 I have to mask off the excess. But I was masking off the excess
bits in the 1st octet (big endian after all) but that isn't right. The
KDF produces a string of endian-less bits. The 521st bit is the first
bit in the last octet, not the 7th bit in the first octet. So that has
been fixed and you can see in the attached diff what I'm doing.
If the kernel supports this, don't use manual null
data frame transmissions. This is one thing to get
rid of cooked monitor interfaces.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The non-monitor TX currently uses a normal L2 abstraction
socket, but that will also receive frames we don't want,
so use a plain socket that isn't bound for RX. This might
be possible using the L2 abstraction, but we need a plain
socket later for getting TX status events here.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This changes the auto-detection of whether or not the device contains
the AP SME away from monitor interface addition failing to the explicit
attribute in nl80211. Keep the old auto-detection for a little while so
that ath6kl isn't broken right away.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The new event can be used when EAPOL TX status can't be reported as a
complete 802.11 frame but is instead reported as just the EAPOL data as
originally passed to hapd_send_eapol().
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Currently OpenSSL implementation of TLS in hostapd loads only top
certificate in server certificate file. Change this to try to the
whole chain first and only if that fails, revert to old behavior.
Signed-off-by: Maciej Szmigiero <mhej@o2.pl>
This patch implements shared_freq handler for driver_nl80211.c. If a
"p2p_group_add" happens after legacy STA association, then this patch
will help to start the GO on the same frequency. This is useful when
supplicant is started on multiple interface running over a singly "PHY"
and the station interface is not used for the P2P device operations.
For example, wpa_supplicant -iwlan0 .. -N -iwlan1 ... and wlan0 is used
for station connection and wlan1 as the P2P device interface.
Signed-hostap: Jithu Jance <jithu@broadcom.com>
Without this, it is impossible to tell exactly which
MLME code returned the error.
Also, convert to wpa_dbg so that we get device names
in the messages.
Signed-hostap: Ben Greear <greearb@candelatech.com>
When GO negotation fails the WPS method is currently not cleared, which
can result in GO negotiation being resumed when a GO negotiation request
frame is received from the peer. That is unexpected as locally we
already gave up.
This manifests itself in getting
1319574733.955685: wlan0: P2P-GO-NEG-FAILURE status=-1
1319574733.955723: P2P: Removing pending group interface p2p-wlan0-0
...
1319574736.648378: wlan0: P2P: Starting GO Negotiation with previously
authorized peer
...
1319574736.650115: wlan0: P2P: Sending GO Negotiation Response
...
1319574736.988038: wlan0: P2P-GO-NEG-SUCCESS
1319574736.988233: P2P: No pending group interface
1319574736.988268: P2P: Create a new interface p2p-wlan0-1 for the group
Clear the WPS method to avoid this situation. I wasn't
able to test this though, but given the log I can only
assume this is how the situation happened.
Reported-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
If P2P device expires while a GO Negotiation is in progress, currently
p2p->go_neg_peer is cleared without indicating GO Nego failure. This
will result in pending group interfaces to be left over. This patch will
indicate GO Negotiation failure and will remove any pending group
interfaces.
This patch addresses a corner case in GO-Negotiation case. Consider the
scenario where two devices A and B are in discovery stage and Device B
vanishes [moves out of range] when a connect is issued on the Device A.
Then Device A keeps on retrying the GO Negotiation Request till the
retry limit is reached. On reaching retry limit, the pending group
interface is removed. But suppose if the peer entry in the device list
expires before the retry limit is reached, then pending group interface
was not removed.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
Invalid use of memcpy instead of memcmp in comparison resulted in the
GO interface address getting set incorrectly if the GO did not show up
in scan results anymore.
Signed-hostap: Jouni Malinen <j@w1.fi>
trace.h may end up including system header files that define offsetof,
so include the compatibility definition from list.h only after this.
Signed-hostap: Jouni Malinen <j@w1.fi>
HT_INFO_OPERATION_MODE_OP_MODE_MASK is used with variables in host
byte order, so it should not be claimed as le16.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is a workaround for Windows 7 supplicant rejecting WPA msg 3/4
in case it used Secure=1 in msg 2/4. This can happen, e.g., when
rekeying PTK after EAPOL-Key Error Request (Michael MIC failure)
from the supplicant.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This cleans up the code a bit by not having to deal with theoretical
possibility of maximum number of EAP methods to be different between
various components in hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
Some static analyzers complain about memset with '0' value. This was
used correctly here, but since use of strdup is about as good an option,
use that to silence the invalid warnings.
Signed-hostap: Jouni Malinen <j@w1.fi>
This avoid incorrect errors from some static analyzers that do not like
memmove with pointers just after the end of a buffer even if the number
of bytes to move is zero.
Signed-hostap: Jouni Malinen <j@w1.fi>
All we really need is the family ID, and we can
get that with genl_ctrl_resolve() and then don't
need to worry about family/cache objects.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
If a P2P client associates with the group while it is
already associated, two member entries may be added to
the group which also confuses num_members counting.
Deal with this by removing the existing entry first
before adding a new one.
I think the way Reinette ran into this was due to our
tx_sync implementation in iwlagn, mac80211 might have
queued two association frames thinking the first one
just failed, but both only went out after the sync was
really successful (which tx_sync doesn't wait for).
Reported-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The P2P_FIND command was failing if it was issued at the moment when
a scan operation was in progress. Avoid returning failure in this
case by scheduling the P2P find to start once the ongoing scan is
completed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
WEXT is not really changing anymore and more or less all Linux
distros come with linux/wireless.h that is recent enough to
allow the driver wrappers to be build.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit c2ff13c533 broke this with a
copy-paste typo that ended up adding the Probe Request P2P IE into the
Beacon frame (i.e., Beacon frame had two P2P IEs while Probe Response
had none).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Avoid zero-length memset at the end of the buffer. This is not really
needed, but it makes the code a bit easier for static analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
Avoid zero-length memset at the end of the buffer. This is not really
needed, but it makes the code a bit easier for static analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
Explicitly validate data_len so that static analyzers do not get
confused about the padlen validation. This is not really needed, but it
makes the code a bit easier for static analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
Explicitly validate seed_len to skip memset call with zero length
of copied data at the end of the buffer. This is not really needed,
but it makes the code a bit easier for static analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
data->phase2_method cannot really be NULL if
eap_fast_init_phase2_method() returns success, but this construction
seems to be too difficult for some static analyzers. While this change
is not really needed in practice, it makes it easier to go through
warnings from such analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
hapd->time_adv cannot really be NULL if hostapd_update_time_adv()
returns success, but this construction seems to be too difficult
for some static analyzers. While this change is not really needed
in practice, it makes it easier to go through warnings from such
analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
md->curlen cannot indicate full buffer size here since the buffered
data is processed whenever the full block size of data is available.
Avoid invalid warnings from static analyzers on memcpy() outside the
buffer length by verifying that curlen is smaller than block size.
Signed-hostap: Jouni Malinen <j@w1.fi>
This function can fail in theory since the SHA-1 functions are
allowed to return an error. While this does not really happen in
practice (we would not get this far if SHA-1 does not work), it is
cleaner to include the error handling here to keep static analyzers
happier. [Bug 421]
Signed-hostap: Jouni Malinen <j@w1.fi>
This has been obsoleted by the more generic Linux WEXT (driver_wext.c)
support. The hostap and madwifi driver wrappers can now be used only
with hostapd. The old station interface remains available in releases up
to 1.x.
Signed-hostap: Jouni Malinen <j@w1.fi>
The driver wrappers broadcom, iphone, osx, and ralink have not been
maintained for a while and it does not look like they will be in the
future either. As such, remove them from the development branch. The
previous versions will be included in older releases up to 1.x.
Signed-hostap: Jouni Malinen <j@w1.fi>
Reassemble partial TLS records to make the internal TLS client
implementation more convenient for stream sockets.
Signed-hostap: Jouni Malinen <j@w1.fi>
The padding validation was done on the last padding-length octets in the
buffer which misses the first padding octet (the last octet is the
padding length). Fix the starting offset for the comparison loop to get
the first octet verified. [Bug 420]
Signed-hostap: Jouni Malinen <j@w1.fi>
Return number of user input bytes from tlsv1_record_receive() to
move this detail into the proper record layer processing. In addition,
ignore unknown content types at record layer and allow processing to
continue after warning level TLS alerts to provide minimal workaround
for closure alerts.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of trying to remember to add wpa_msg() calls for every possible
path where a STA becomes authorized or unauthorized, use
ap_sta_set_authorized() to send these events more consistently.
Signed-hostap: Jouni Malinen <j@w1.fi>
wpa_msg() has to use hapd->msg_ctx instead of hapd as the context
pointer to work properly in wpa_supplicant AP mode.
Signed-hostap: Jouni Malinen <j@w1.fi>
Currently, there is no events over the control interface
when a AP disconnects a station due to inactivity. With
this patch, an "AP-STA-DISCONNECTED" event will be sent.
Signed-hostap: Nicolas Cavallari <nicolas.cavallari@lri.fr>
Use a driver_ndis.c specific initialization function to fill in the
wpa_driver_ops information to make it easier to modify struct
wpa_driver_ops in the future. Being able to build driver_ndis.c
with MSVC was the only reason for having to maintain the same order
of function pointers in struct wpa_driver_ops and for having to
update driver_ndis.c for all changes in that structure.
Signed-hostap: Jouni Malinen <j@w1.fi>
The GTK is renewed in the hostapd after a MIC attack dissassociation
without informing the driver, causing decryption failures. This patch
sends the new GTK/IGTK to the driver after it is updated by the hostapd.
Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com>
When the supplicant acts as a registrar to learn the access point
parameters send the credentials to the wpa_cli interface after
receiving the 7th message. This is needed for proper behavior with
wps_cred_processing set to 1 or 2.
Without this patch, after the 7th message you got the WPS-CRED-RECEIVED
notification without the credentials. This was because the cred_attr and
cred_attr_len were not filled in in the wps structure.
Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
In scan.c, merge a channel's noise value into the scan results. When
comparing scan results, compute the signal-to-noise ratio and use it
when available. Prefer a 5 GHz network if its SNR is really big (> 30)
or if its SNR is relatively close to the other network's.
Some stations have been reported to send EAPOL-Key Error Reports
indicating Michael MIC failures even when the cipher is not TKIP
(e.g., when the network is using only CCMP). Ignore such reports
to avoid starting TKIP countermeasures unnecessarily. This can
prevent certaint types of denial of service attacks by insiders,
but mostly this is to work around invalid station implementations.
Signed-hostap: Jouni Malinen <j@w1.fi>
The eloop timeout to stop TKIP countermeasures has to be canceled
on deinit path to avoid leaving bogus timeouts behind.
Signed-hostap: Jouni Malinen <j@w1.fi>
Converts from a string to a control request enum when input
from a control interface is received. Will be used by a
subsequent patch.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Control requests will be extended for non-EAP uses later, so it makes
sense to have them be generic. Furthermore, having them defined as an
enum is easier for processing internally, and more generic for control
interfaces that may not use field names. The public ctrl_req_type /
field_name conversion function will be used later by the D-Bus control
interface too.
Signed-off-by: Dan Williams <dcbw@redhat.com>
Special processing is needed to handle EAP user request for
identity or password at the beginning of Phase 2 when the implicit
identity request is used. data->pending_phase2_req needs to be set
to an empty buffer in that case to avoid re-processing the previous
part of TLS negotiation when the user enters the needed information.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of hardcoding IEEE 802.11b rates to be disabled whenever
P2P support is built in and supported by the driver, do this only
when an interface is set to P2P mode (both when adding a new
interface and when changing the interface mode). This re-enables
use of IEEE 802.11b APs with CONFIG_P2P=y builds.
Signed-hostap: Jouni Malinen <j@w1.fi>
This function was used unconditionally if wpa_supplicant build
includes CONFIG_P2P=y. Adding a separate driver_ops for such use
is not really useful since the driver wrappers can do the same
internally. Remove this driver_ops and move matching functionality
into driver_nl80211.c which was the only driver wrapper using
this driver_ops callback.
Signed-hostap: Jouni Malinen <j@w1.fi>
nl80211_disable_11b_rates() function was supposed to use the 'disabled'
parameter to figure out whether to disable or re-enable 802.11b rates.
In addition, the driver deinit path was now ending up re-disabling the
enabled rates at the end of the deinit operations when the interface
type was forced back to station. Both of these issues are now fixed
and the 2.4 GHz band TX rate index is cleared properly when
wpa_supplicant is stopped.
Signed-hostap: Jouni Malinen <j@w1.fi>
disable_11b_rates() is called on interface addition,
but not on interface type change, resulting in 11b rates
enabled on p2p interfaces.
Signed-off-by: Eliad Peller <eliad@wizery.com>
This can be used to apply the no-CCK rule conditionally depending on
which frame is being sent. The no-CCK rule applies only for P2P
management frames while SA Query and FT use cases do not have similar
restrictions.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add a new attribute to specify whether to use CCK rate or not during
scan and sending management frames. This helps to send P2P probes
at non-CCK rate. This ensures that P2P probe request/response/action
frames are always sent at non-CCK rates.
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
This was included in the AP configuration parameters, but there has
been no way to set it to anything else than the default automatic
mode. Remove this parameter and just hardcode ERP determination to
follow the automatic mode.
The MS-CHAPv1 and MS-CHAPv2 RFCs specify that the password is a string
of "Unicode characters", which for Windows means UCS-2; thus the
password could be any even-length string of up to 512 bytes.
Instead of making the incompatible change of requiring the incoming
password to be UCS-2 encoded, assume the password is UTF-8 encoded and
convert it before using it in NtPasswordHash and
EncryptPwBlockWithPasswordHash.
Signed-off-by: Evan Broder <ebroder@mokafive.com>
The netlink event processing is delayed since they are only returned
after control returns to eloop. This can result in netlink down events
being processed at a point when the interface has is actually still
there (the first event on new interface is down) and that can result in
odd behavior especially when the resulting interface-disabled event is
delivered to AP mode interface with wpa_supplicant.
Work around this by filtering netlink down events if the matching
interface is up at the time the netlink event is processed. This fixes
an issue brought up by commit 36d84860bb.
hostapd_wpa_auth_conf() is called on uninitialized memory and the
conditional blocks in this function may leave some fields into
uninitialized state. This can result in unexpected behavior elsewhere
since some of the variables may be used without matching #ifdef
blocks. Fix this by zeroing the memory.
TPK will be needed to be able to generate FTIE MIC for the
teardown message, so maintain peer data for a bit longer in
case the teardown FTIE request comes back from the driver.
The Query Response Length Limit is not allowed to be zero when
this is sent by the AP. Use 0x7F to indicate that the limit is
based on maximum number of GAS fragments.
For P2P, the p2p_connect takes in device address argument to make a
connection. However the connected event AP-STA-CONNECTED comes with
interface address. The application listening on events would find it
difficult to map interface address to the p2p device address which is
provided for connection.
Append P2P Device Address to AP-STA-CONNECTED event for P2P Client
connection. This will help applications to easily map the P2P Interface
Address to P2P Device Address on CONNECTED event. For non-P2P case, it
will just print the usual STA MAC address alone.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
The persistent_reconnect configuration parameter was used to decide
whether to accept invitation to re-establish a persistent group.
However, this was not being advertised in the Group Capability bitmap.
Add the Persistent Reconnect bit based on this configuration to GO
Negotiation frames and Beacon/Probe Response frames from the GO.
Use the wpa_tdls_add_peer function to allocate TDLS peer structures.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Use capability information to decide whether to perform a given TDLS
operation internally or through mgmt-frame Tx.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Before commencing setup, add a new STA entry to the driver representing
the peer. Later during setup, update the STA entry using information
received from the peer.
Extend sta_add() callback for adding/modifying a TDLS peer entry and
connect it to the TDLS state machine. Implement this callback for the
nl80211 driver and send peer information to kernel.
Mark TDLS peer entries with a new flag and translate it to a
corresponding nl80211 flag in the nl80211 driver.
In addition, correct TDLS related documentation in the wpa_driver_ops
structure.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Record the capabilities and supported rates of the TDLS peer during
link setup. These are given in the IEs passed in Setup Request and
Setup Response frames.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Disable the direct connection when a TDLS peer stops responding
to packets, as indicated by the "LOW ACK" event coming from a driver.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Allow sending a TDLS discovery request as a frame through the driver.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
When a driver does not implement the TDLS_TEARDOWN operation internally,
send an explicit TDLS link teardown frame to the driver.
Change all teardown calls to use these calling semantics.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Register for the TDLS discovery response public action frame in nl80211.
Print out a debug message when a Discovery Resp frame is received and
validated.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
When a discovery request is received, add the peer to the TDLS peer
cache and send a response containing minimal data. Mandatory IEs in
the discovery response frame will be filled out by the driver.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Put glue code in place to propagate TDLS related driver capabilities to
the TDLS state machine.
If the driver doesn't support capabilities, assume TDLS is supported
internally.
When TDLS is explicitly not supported, disable all user facing TDLS
operations.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
Allow passing high-level TDLS commands and TDLS frames to kernel
via new nl80211 commands.
Propagate TDLS related nl80211 capability flags from kernel and add them
as driver capability flags.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
A zero dialog-token is considered invalid by IEEE Std 802.11z-2010.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: Kalyan C Gaddam <chakkal@iit.edu>
This function is actually needed for quite a bit more than just
user space MLME implementation. The old comment here has not been
accurate for a long time, so get rid of it.
These driver_ops functions set_channel, set_ssid, set_bssid,
mlme_add_sta, and mlme_remove_sta were used with the user space
MLME implementation in wpa_supplicant. That was only for testing
purposes and was removed, but these driver_ops were forgotten.
Remove them now to remove confusing driver_ops definitions.
This code was used only with driver_test.c to allow MLME operations
in hostapd to be tested without having to use a real radio. There
are no plans on extending this to any other use than testing and
mac80211_hwsim has now obsoled the need for this type of testing.
As such, we can drop this code from wpa_supplicant to clean up the
implementation of unnecessary complexity.
Netlink sockets can be shared among all driver instances, saving lots
of sockets, spurious log messages, memory, and CPU usage when using
multiple interfaces in a single process.
This offloads the station polling to driver wrappers, which may offload
it again to the driver. The hostap driver wrapper uses "real" data
frames while nl80211 uses null data frames.
Also add a specific event to indicate that a poll was successful for
future use with the nl80211 driver.
Some dualband cards can use more than five seconds to run through
a full scan, so increase the timeout to avoid hitting the missing
scan completed event workaround.
This fixes an issue where WPS run leaves a small ClientTimeout
value (2) configured and the next EAPOL authentication is started
with that small value even for Identity exchange. This can cause
problems when an EAPOL packet gets dropped immediately after
association and a retry of that packet is needed (which may take
more than two seconds).
This function can be used to clean up local UNIX domain socket files
that may be left over from clients that were previously connected to
wpa_supplicant. At least for now, this is only available for Android
builds.
Remove the separate driver_ops functions set_cts_protect(),
set_preamble(), set_short_slot_time(), and set_ht_params(). These
belong into same set of operations as set_ap(), so there is no need
to maintain separate functions that just make the driver wrapper
more complex.
Since these have only been used with driver_nl80211.c, the driver_ops
can be removed immediately instead of maintaining backwards
compatibility period with the old functions.
The AP client isolation parameter is now available through set_ap().
driver_nl80211.c was the only driver wrapper using the set_intra_bss()
call in hostap.git, but some external trees may have used this. Once
those are cleared, the set_infra_bss() driver_ops can be removed
completely. The only remaining use case for it currently is in P2P
GO mode with wpa_supplicant.
AP mode operations were used for P2P device discovery Listen state
only during early experiments. This has now been cleaned up and
ieee802_11_set_beacon() is not called for P2P device discovery.
As such, this hack to skip Beacon configuration can be removed.
This is the first step in allowing SA Query mechanism in hostapd to be
used with drivers that implement authentication and association MLME/SME
(i.e., do not use ieee802_11.c).
This adds the basic mechanism for running through network selection:
scan, ANQP fetch, network selection, and connection. Actual rules for
network selection and the creation of the network block are still
missing, but will be added in separate commits.
"hostapd_cli ess_disassoc (STA addr) (URL)" can now be used to send
an ESS Dissassociation Imminent notification to the STA. This event
is shown in wpa_supplicant ctrl_iface monitors (e.g., wpa_cli):
"WNM: ESS Disassociation Imminent - session_info_url=http://example.com/session/"
The new wpa_supplicant.conf file global parameters interworking and
hessid can be used to configure wpa_supplicant to include
Interworking element in Probe Request frames.
Commit 17f6b90056 moved the concatenation
of WPS IEs, but did not include the validation that the IE buffer is not
NULL. In addition, the concatenation needs to be done based on the full
IE buffer instead of the parsed pointer that includes only a single
WPS IE.
The base64 encoded data cannot included pad characters in the middle, so
we can stop the loop at the first sequence of pad characters. If the
sequence includes more than two pad characters, the encoding is invalid
and we can indicate failure.
Use the SSID filter list passed in the scheduled scan request down to
the kernel driver, so it can use the list to return only the wanted
SSIDs. Some kernel drivers can use this information to offload the
SSID filter to the hardware, helping with reducing the power
consumption.
Signed-off-by: Luciano Coelho <coelho@ti.com>
Pass SSIDs to be matched in scheduled scan results. Only the SSIDs
that are included in the match lists will be reported by the driver,
so the filtering can be offloaded to the hardware and the power
consumption can be reduced.
Signed-off-by: Luciano Coelho <coelho@ti.com>
With scheduled scan support, we may need to pass more than 10 SSIDs in
a single scan request. Some drivers (e.g., wl12xx) support up to 16
SSIDs at once.
Change WPAS_MAX_SCAN_SSIDS from 10 to 16.
Signed-off-by: Luciano Coelho <coelho@ti.com>
In new Linux kernel versions (>=3.0), nl80211 adds scheduled scan
capability. In order to use this feature to its full extent, we need
to support it in the wpa_supplicant core, so that it can also be used
by other drivers.
This commit adds initial scheduled scan support operations and events.
Signed-off-by: Luciano Coelho <coelho@ti.com>
Commit 19ec1f262e tried to fix some
cases for history prev selection, but it broke others. Fix this
properly by using a separate entry for the current edit line that
is not yet in history buffer.
Currently the P2P Interface name[p2p-%s-%d] is reset when the P2P
Interface name reaches the "IFNAMSIZ" limit. Monitor interface name is
derived from p2p interface name with the addition of few characters
[mon.p2p-%s-%d] and hence Monitor interface name hits IFNAMSIZ limit
before P2P Interface name. Rename the monitor interface name to
mon-%s-%d to reduce the length to same with p2p-%s-%d.
Data path for stations that get successfully associated to the
hostapd but fail to get added in the driver/firmware, will not
work. In such cases, hostapd should deauth and disconnect such
stations. In such scenario, hostapd should disconnect the STAs.
Sample output with following patch
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: authenticated
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED 0c:74:c2:9a:4c:59
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: Could not add STA to kernel driver
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: deauthenticated due to local deauth request
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Nishant Sarmukadam <nishants@marvell.com>
The password_hash parameter was not copied in case of the integrated
authentication server (but was for RADIUS server). This broke EAP
authentication when the user entry used NT-hash.
This currently unused function would have triggered wpabuf overflows
due to incorrect variable being reset to zero in the case the old
NoA wpabuf was large enough for the new data.
The EAPOL authenticator was previously forcing disconnection in the WPS
use case. However, this can be benefitial operation with any IEEE 802.1X
authentication mechanism and need not be limited to WPS. This helps some
use cases like EAP-FAST where provisioning may require two
authentication runs if the authentication server does not allow the PAC
provisioning step to be used for normal data connection. While the
station would be free to decide to re-associate in such a case, not all
stations do and as such, it helps if the AP does that instead of leaving
the association up with EAPOL state machine in HELD state for 60
seconds.
While EAP-FAST uses protected success notification, RFC 5422, Section
3.5 points out a possibility of EAP-Failure being sent out even after
protected success notification in case of provisioning. Change the
EAP-FAST peer implementation to accept that exception to the protected
success notification. This allows the station to re-connect more quickly
to complete EAP-FAST connection in the case the server rejects the
initial attempt by only allowing it to use to provision a new PAC.
If GO Negotiation Request (or in theory, also GO Negotiation Response)
frame is delivered multiple time for processing, the SSID of the group
could end up getting changed. This could result in possible issues if
the peer ended up using different SSID. To avoid this, make sure the
SSID does not get changed unless the negotiation is for a new group.
Whenever PMK gets changed (e.g., due to re-authentication), all PMKSA
caching entries that were created using the previous PMK needs to be
replaced. Previously, only the entry for the current AP was cleared.
Flush the other entries based on network_ctx matches to get rid of the
OKC entries. These entries can then be re-creating using OKC with the
new PMK.
When polling a station that has been inactive for a while, hostapd currently
always uses a null data frame. This is a bit strange with uAPSD clients
(though it seems to mostly work) since the EOSP bit can never be set in a
non-QoS frame. Make hostapd use QoS null data frames for probing when the
station is a QoS STA.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Wrap self-generated WPS credential for new AP settings and send that to
control interface to provide the needed information in
WPS-NEW-AP-SETTINGS for external processing.
GAS/ANQP is a generic protocol and in no way specific to P2P, so move
routines used to build GAS/ANQP frames to a separate file that can be
shared for other uses than just P2P service discovery.
The new function, p2p_scan_ie_buf_len(), can be used to figure out
how large a buffer needs to be allocated for p2p_scan_ie() use. This
makes it easier to add new data into the buffer without forcing all
callers to be updated to use a larger buffer.
The P2P search mechanism depends on the same scan functionality that
is used for station mode scans. If these operations are being used
at the same time, scan result processing is not handled properly.
Avoid unexpected behavior by delaying station mode scan requests
if a P2P operation is in progress.
Among other things, this allows the station mode connection attempt
to be continued after a P2P find or group formation has been completed
if the interface is available (i.e., when the P2P group uses a
separate virtual interface).
If the initial attempt to start a scan for p2p_find fails, an error
is reported. However, the P2P scan handler and search state was
left behind. That can result in unexpected behavior when the next
non-P2P scan results are indicated. Avoid this by clearing the
P2P search state on failure.
This new flag can be used to change wpa_supplicant behavior in the
default ap_scan=1 mode to move BSS selection into the driver (likely
firmware). This commit is only adding the flag; separate commits
will be used to change the actual connection/roaming behavior.
These protocols seem to be abandoned: latest IETF drafts have expired
years ago and it does not seem likely that EAP-TTLSv1 would be
deployed. The implementation in hostapd/wpa_supplicant was not complete
and not fully tested. In addition, the TLS/IA functionality was only
available when GnuTLS was used. Since GnuTLS removed this functionality
in 3.0.0, there is no available TLS/IA implementation in the latest
version of any supported TLS library.
Remove the EAP-TTLSv1 and TLS/IA implementation to clean up unwanted
complexity from hostapd and wpa_supplicant. In addition, this removes
any potential use of the GnuTLS extra library.
This fixes some build issues in GnuTLS wrapper to be compatible with
at least following GnuTLS versions: 2.2.5, 2.4.3, 2.6.6, 2.8.6,
2.10.5, 2.12.11, 3.0.3.
Instead of using separate bad_record_mac and decryption_failed alerts,
use only bad_record_mac alert regardless of how the CBC decryption
failed. This provides less information to attackers that could modify
packets. In addition, instead of returning immediately on error, run
through the MAC check to make timing attacks more difficult.
When the received data will be decrypted, there is no need to first
copy it and then handle decryption in-place when decryption step can
take care of both operations.
TLS v1.0 and v1.1 RFCs were not exactly clear on the use of the
protocol version in record later. As such, accept any {03,xx} value
to remain compatible with existing implementations and new protocol
versions.
The p2p->drv_in_listen variable is used to track Listen state operations
in the driver. This is cleared when the driver reports that the Listen
state has ended (p2p_listen_end() gets called). However, it is possible
that the driver does not indicate that if the Listen state is canceled.
This can apparently happen in some cases where p2p_connect command is
issues while the Listen state is in progress.
Work around this issue by clearing p2p->drv_in_listen when Listen state
is stopped as part of p2p_stop operation. This allows the P2P module to
process CONNECT_LISTEN timeout in p2p_timeout_connect_listen() to move
to CONNECT state, e.g., when starting GO Negotiation after Device
Discoverability mechanism.
The "too long" buffer (32+1 octets) prevented AP from starting up with
32 octet SSID with WE-21 and newer. Fix this by reducing the
SIOCGIWESSID buffer length.
This adds support for RSN pre-authentication with nl80211 interface and
drivers that handle roaming internally (i.e., wpa_supplicant is not
responsible for requesting scan results that provide the needed
information without these events).
cfg80211 does not currently allow NL80211_CMD_CONNECT when there
is already an association. This can result in wpa_supplicant being
unable to request a connection if the interface is already in
connected state. Work around this by requesting disconnection if
the connect command fails with EALREADY error. This allows
wpa_supplicant to recover from the unexpected state and complete
the connect request on next attempt.
eapol_test command line argument -o<file> can now be used to request
the received server certificate chain to be written to the specified
file. The certificates will be written in PEM format. [Bug 391]
Make the WPS processing of (Re)Association Request frame IEs conditional
on WPS support. This fixes a build issue with wps_is_20() not being
defined and makes the non-WPS build a bit smaller.
os_*() wrappers should be used instead of functions from time.h.
Removing the header from includes.h enforces this. os_unix.c can
include this its uses are valid wrapper calls. wps_upnp.c uses
gmtime() for which there is no os_*() wrapper available yet, so
allow it to use time.h, too. Similarly, allow dump_state.c to
use time.h for ctime().
Currently, the following can happen:
1) P2P state machine requests R-O-C
2) user changes their mind and aborts
3) P2P state machine aborts R-O-C
4) driver_nl80211 rejects abort since there
was no notification about the start yet
5) R-O-C period start notification from kernel
6) P2P state machine requests new R-O-C
7) this overlaps with old R-O-C -- iwlwifi driver
can't handle that and returns -EBUSY
8) state machine stops dead in its tracks
The reason is that the abort isn't going through properly. Instead of
tracking whether a R-O-C is active in driver_nl80211, track whether one
was requested to avoid this scenario.
Reported-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This allows drivers to disable CCK rates from Probe Request frames.
For nl80211, this is currently applying only to the supported rates
element(s), but this mechanism could be extended to address TX rate
control masking, too, to lessen need for global rate disabling.
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Since the kernel can now advertise P2P concurrent support by advertising
interface combinations, we can take advantage of that and automatically
use P2P_CONCURRENT / P2P_MGMT_AND_NON_P2P for drivers that advertise
support.
Keep driver_param=use_p2p_group_interface=1 for anyone not advertising
interface combinations in their drivers yet.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The default config methods was hardcoded to claim support for
PushButton, Display, and Keypad. While these are supported by
most P2P devices, there may be some cases where it is convenient
to be able to disable a specific config method. Use config_methods
configuration parameter to set the default values for Config Methods
in the P2P Device Info attribute.
The P2P specification (3.1.4.3) disallows use of the Label configuration
method between two P2P devices. This was previously enforced at upper
level, but the obsolete code can be removed from wpa_supplicant. This
adds a bit more strict enforcement of the policy, but should not result
in practical differences since no known P2P implementation uses Label
config method.
If a network configuration block is removed or modified, flush
all PMKSA cache entries that were created using that network
configuration. Similarly, invalidate EAP state (fast re-auth).
The special case for OKC on wpa_supplicant reconfiguration
(network_ctx pointer change) is now addressed as part of the
PMKSA cache flushing, so it does not need a separate mechanism
for clearing the network_ctx values in the PMKSA cache.
If the driver maintains its own copy of the PMKSA cache, we need to
clear an entry from the driver whenever wpa_supplicant is dropping
an old PMKSA cache entry.
The Deauth/Disassoc TX status callbacks were ending up kicking the
station entry from kernel driver when test functionality was used to
inject Deauth/Disassoc frames from the AP with the purpose of leaving
the local association in place. Fix this by using STA flags to figure
out whether there was a pending callback for the frame that we need
to act on.
In addition, add forgotten functionality for the Disassoc TX status
callback to match the behavior with Deauth.
The previous code was trying to figure out which WPA version is
used based on the extra IEs requested for Association Request. That
did not work properly in cases where non-WPA networks are used with
some extra IEs. Fix this by using more robust mechanism for passing
the WPA versions from core wpa_supplicant to the driver_ops
associate().
Instead of hardcoding the Config Methods attribute value in Probe
Request frames, set this based on the configured parameter
config_methods to allow correct set of methods to be advertised.
The device description file may include multiple devices. Improve the
simplistic parser by first trying to find the WFADevice:1 device before
fetching the device parameters. While this is still far from complete
XML parsing, this should address the most common root device
specifications.
This allows non-mac80211 drivers to report received Probe Request
frames to user space and Probe Response and Action frames to be sent
from user space when using AP/P2P GO mode.
This allows the driver to use PS buffering of Deauthentication and
Disassociation frames when the STA is in power save sleep. The STA
entry (and PTK) will be removed from the kernel only after the
Deauth/Disassoc has been transmitted (e.g., when the STA wakes up).
A hardcoded two second timeout is used to limit the length of this
window should the driver fail to deliver the frame (e.g., the STA
is out of range and does not wake up). The kernel STA entry is
marked unauthorized during the wait to avoid accepting Data
frames from the STA that we have decided to disconnect.
This behavior is available only with drivers that provide TX status
events for Deauth/Disassoc frames (nl80211 at this point). Other
drivers continue to use the previous behavior where the STA entry
is removed immediately.
Extend the code that waits for the station to send EAPOL-Start before
initiating EAPOL authenticator operations to cover the case where the
station includes WPS IE in (Re)Association Request frame if that IE
does not include support for WPS 2.0. While this should not really
be needed, this may help with some deployed WPS 1.0 stations that do
not support EAPOL operations correctly and may get confused of the
EAP-Request/Identity packets that would show up twice if EAPOL-Start
is transmitted.
If an ER tries to send a message to a STA that is not in the middle
of WPS protocol, do not try to deliver that. This can help with issues
where an ER takes long time to reply to M1 and another Registrar has
already completed negotiation.
It is possible to get a response for a pending EAP callback after the
EAP state machine has already completed its work or has timed out. For
those cases, make sure that the callback function is not delivered since
it could result in NULL pointer dereferences.
The Config Methods attribute in M2 and M2D messages is supposed to
indicate which configuration methods are supported by the Registrar. As
such, it should not depend on whether PBC mode is currently active or
not. That will only affect the Selected Registrar Config Methods and
Device Password ID attributes.
This change is a first step in better supporting different driver
architectures for AP mode operations with nl80211. This commit in
itself does not add new functionality, but it makes it easier to add
new AP mode parameters to address needs of drivers that have more of
the MLME/SME in firmware or kernel.
Split WPA initialization into two parts so that the Beacon frames can be
configured fully before the initial keys (GTK/IGTK) are configured. This
makes it easier for drivers that depend on the AP security mode being
fully set before the keys are configured.
This avoids a request to the driver to first start beaconing before
the WPA/RSN IE has been generated and then immediately changing the
beacon IEs once the WPA/RSN IE is ready.
Such using params->wpa_ie to figure out whether the connection is for
WPA/WPA2 is not correct since that buffer is used also to add WPS IE. In
case of WPS, do not add NL80211_ATTR_WPA_VERSIONS to avoid confusing
drivers.
Some compilers complain about fwrite calls if the return value is
not checked, so check the value even if it does not really make
much of a difference in this particular case.
The internal TLS implementation assumes that the certificate chain
is ordered by issuer certificate following the certificate that it
signed. Add the certificates to the chain in suitable order when
loading multiple certificates.
Commit e1d526293b added code for verifying
whether the receive Probe Request frame was indicating support for only
802.11b rates, but it missed the for loop for the extended supported
rates element. Add that to fix the validation code for cases where
non-802.11b rates are in the extended supported rates element.
Currently, wpa_driver_nl80211_authenticate() changes the interface type
to station. However, in case of P2P, we need to change the interface
type to P2P_CLI.
Add p2p field to the authentication params, and consider it for choosing
the correct interface type.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Commit 9f51b11395 added support for P2P
interfaces when adding a new interface. However, it didn't handle the
case in which the same interface is being used and its type is being
changed. Add support for this case.
Consequently, when doing "ap_scan_as_station" we now need to save the
actual AP interface type (AP/P2P GO) in order to restore it properly.
For that, change ap_scan_as_station type from int to nl80211_iftype, and
set it to NL80211_IFTYPE_UNSPECIFED when not used.
Signed-off-by: Eliad Peller <eliad@wizery.com>
When driver_nl80211.c has to set the netdev down to change iftype, an
RTM_NEWLINK event is generated. Do not generate
EVENT_INTERFACE_DISABLED event based on that.
Reassociation Request/Response frame validation need to count all IEs in
the RIC. In addition, TIE is not protected, so it should not be included
in the count.
Signed-off-by: Hong Wu <hong.wu@dspg.com>
Only accept Probe Request frames that have a Wildcard BSSID and a
destination address that matches with our P2P Device Address or is the
broadcast address per P2P specification 3.1.2.1.1.
When a new interface is created and already has a separate MAC address
assigned by the kernel, then we need to use that address, not just when
we've created a locally administered address.
This fixes use_p2p_group_interface=1 for iwlagn as it already makes
mac80211 assign an address for a second interface since the hardware has
two addresses assigned.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Add support to wpa_supplicant for device-based GTK rekeying. In order to
support that, pass the KEK, KCK, and replay counter to the driver, and
handle rekey events that update the latter.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Send STA flags to kernel when adding a new station. This ensures
stations are added with up to date flags by kernel drivers.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
When adding a new station, set the STA flags as part of the sta_add()
command. This ensures the flags are up to date when the station is added
by lower level drivers.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
A new hostapd configuration parameter, disable_pmksa_caching=1, can now
be used to disable PMKSA caching on the Authenticator. This forces the
stations to complete EAP authentication on every association when WPA2
is being used.
In general, this patch attemps to extend commit
00468b4650 with dbus support.
This can be used by dbus client to implement subject match text
entry with preset value probed from server. This preset value, if
user accepts it, is remembered and passed to subject_match config
for any future authentication.
Signed-off-by: Michael Chang <mchang@novell.com>
Data path is broken when hostapd reloads its configuration
disabling the security which was previously enabled (WEP/WPA),
using kill -1, as old keys were not cleared.
The patch clears the keys configured when hostapd reloads
its configuration.
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.
Fix a bug with the current dev_found()/dev_lost() usage. Previously
in p2p_device_free() dev_lost() was invoked for devices that had
not been dev_found(). This caused dbus related msgs to stderr like:
"Attempted to unregister path (path[0] = fi path[1] = w1) which isn't
registered"
Signed-off-by: Angie Chinchilla <angie.v.chinchilla@intel.com>
Some P2PDevice properties were not updated in p2p->cfg structure:
reg_class, channel, op_reg_class, and op_channel. Hence, update p2p->cfg
parameters through p2p core calls in wpas_p2p_update_config().
Signed-off-by: Jean-Michel.Bachot <jean-michelx.bachot@intel.com>
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Move level parameter from p2p_device to p2p_device_info in order to
expose this information and modify D-Bus P2P handler to return this new
parameter through the P2P device properties.
Signed-off-by: Fabien Marotte <fabienx.marotte@intel.com>
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Previously hostapd just masked the STAs HT caps with its own. However,
some HT caps are not symmetric and as such need to be handled
different.
hostapd shouldn't overwrite the STAs SMPS mode as otherwise the driver
cannot know it has to use RTS/CTS to wake the receiver from dynamic
SMPS for MCS rates > 7.
hostapd shouldn't mask the RX and TX STBC caps with it's own. They are
already handled in a special case below.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
This file is a part of the radiotap parser that Andy Green agreed to
relicense under the BSD license (per email, 11 Aug 2007 07:42:05
+0100). The copyright/license statement was updated in radiotap.c,
but this radiotap_iter.h file was forgotten at that point.
In set_key handler, the seq[8] is in little endian order defined by
WPA. BSD kernel uses a u_int64_t value ik_keyrsc to represent it
internally. The kernel expects the native endian order for the value.
Thus, we need to detect the endian order and swap bytes when
necessary.
This fixes an issue with SA Query Response frames not being processed
anymore after wpa_supplicant started registering a handler for those.
This handler registration is in generic driver_nl80211.c code, so
hostapd uses it, too.
Implement PMKSA cache operations add, remove, and flush using nl80211
commands NL80211_CMD_{SET,DEL,FLUSH}_PMKSA to support PMKSA caching
with drivers that select the AP and generate the RSN IE internally.
When provision discovery fails, this new callback will be called
so P2P users can react to the failure.
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Since the peer may not be in Listen state when the provision discovery
request is sent, try to send the request again number of times when in
IDLE state. This was already done when p2p_find is in progress, but this
commit adds retries to the case where no other P2P operations are in
progress.
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This can be used to avoid rejection of first two 4-way handshakes every
time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new
command line parameter, -e, can now be used to specify an entropy file
that will be used to maintain the needed state.
Some of these are required for proper functionality (like
get_seqnum); others may not be needed yet, but including them
allows some extra ifdef/endif blocks to be removed.
.set_rate_sets is not defined for non-hostapd, which prevents
configuring basic_rates when working as P2P GO.
Signed-off-by: Eliad Peller <eliad@wizery.com>
If the driver wrapper is setting up the interface up only at commit(),
UPnP initialization fails. Fix that by moving UPnP setup to happen after
the driver commit() call.
Windows 7 uses incorrect way of figuring out AP's WPS capabilities by
acting as a Registrar and using M1 from the AP. The config methods
attribute in that message is supposed to indicate only the configuration
method supported by the AP in Enrollee role, i.e., to add an external
Registrar. For that case, PBC shall not be used and as such, the
PushButton config method is removed from M1 by default. If pbc_in_m1=1
is included in the configuration file, the PushButton config method is
left in M1 (if included in config_methods parameter) to allow Windows 7
to use PBC instead of PIN (e.g., from a label in the AP).
cfg80211 maintains separate BSS table entries for APs if the same
BSSID,SSID pair is seen on multiple channels. wpa_supplicant does
not use frequency as a separate key in the BSS table, so filter out
duplicated entries. Prefer associated BSS entry in such a case in
order to get the correct frequency into the BSS table.
It may take some time for the TX status to be delivered for a
(Re)Association Response frame and if any Data frames are received
during that time, they may end up getting dropped as Class 3 frames in
not-associated state. This results in a Disassociation frame being sent
to the station and it assuming that the association has been lost.
Work around the issue by remembering that the (Re)Association Request
has already been accepted and skip the Deauth/Disassoc sending because
of the possible Class 3 frames before the TX status callback is
received.
In theory, these calls could fail, but it is not really likely to
happen in practice in the use case here. Anyway, check that they do
not return an error before accepting the length of the file.
This function does not get called with in_data == NULL in practice, but
it seems to be at least partly prepared for that case, so better make it
consistent by handling the NULL value throughout the function.
Both the SA and IEs from the received Probe Request frames must be
included and the Probe Request RX callback functions may assume that
these are not NULL.
The change to use wpa_dbg() in wpa_sm_parse_own_wpa_ie() could result
in a NULL pointer dereference if the function were called when WPA
state machine has not been initialized. While this cannot really
happen in practice, it is better to be prepared for that since that
was the case before the wpa_dbg() change.
The size_t value here can be 64-bit and result in implicit sign
extension. In this particular case, that gets masked out by
host_to_be32(), so there is no practical difference, but it is better
to get rid of the 64-bit variable explicitly.
The supportedTypes parameter is a list of TNC_MessageType values
and the buffer to be copied should use size of TNC_MessageType, not
TNC_MessageTypeList. In practice, these are of same length on most
platforms, so this is not a critical issue, but anyway, the correct
type should be used.
This avoids reading past the end of the IE buffer should the FTIE
be too short. In addition, one debug hexdump was using uninitialized
pointer to the FTIE buffer, so fixed it to use the pointer from the
parse data.
AF_INET6 is not always enabled by default, so use AF_INET instead. In
addition, use the old fixed length, 2048, as a failover value if the
sysctl fails for any reason.
Commit 03d3f28a69 broke initialization of
EAPOL authenticator state machines since an error value from
wpa_auth_sta_key_mgmt() (-1) was not handled properly and the fixed
wpa_key_mgmt_wpa_psk() identified the value as a PSK-based AKM because
of all bits being set to 1. The special error value needs to handled
separately to avoid skipping EAPOL state machine initialization.
These can be used in some cases with a bitfield having multiple
AKMs enabled (e.g., WPA-PSK and WPA-PSK-SHA256). Address those
cases by checking whether any of the matching AKM are included.
When the SME is in the driver or cfg80211, the automatic selection
of auth_alg is done by leaving out the NL80211_ATTR_AUTH_TYPE
attribute from the NL80211_CMD_CONNECT command.
This should fix EAPOL reauthentication and rekeying timeout issues
with Intel clients when using WMM (e.g., with IEEE 802.11n). These
stations do not seem to be able to handle EAPOL data frames as
non-QoS Data frames after the initial setup.
This adds STA flags to hapd_send_eapol() driver op to allow
driver_nl80211.c to mark the EAPOL frames as QoS Data frame
when injecting it through the monitor interface.
This provides a means for the supplicant to directly request signal
quality metrics from the driver. This is useful, for example for
background scan algorithms that might ask desire this information
out-of-band with CQM events.
Signed-off-by: Paul Stewart <pstew@google.com>
When building IE from an empty string and CONFIG_WPS_STRICT is
not defined, redundant 2 bytes are being added to the string.
We have to return right after building the "dummy" string.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Some deployed supplicants update their SNonce for every receive
EAPOL-Key message 1/4 even when these messages happen during the
same 4-way handshake. Furthermore, some of these supplicants fail
to use the first SNonce that they sent and derive an incorrect PTK
using another SNonce that does not match with what the authenticator
is using from the first received message 2/4. This results in
failed 4-way handshake whenever the EAPOL-Key 1/4 retransmission
timeout is reached. The timeout for the first retry is fixed to
100 ms in the IEEE 802.11 standard and that seems to be short
enough to make it difficult for some stations to get the response
out before retransmission.
Work around this issue by increasing the initial EAPOL-Key 1/4
timeout by 1000 ms (i.e., total timeout of 1100 ms) if the station
acknowledges reception of the EAPOL-Key frame. If the driver does
not indicate TX status for EAPOL frames, use longer initial
timeout (1000 ms) unconditionally.
Store Manufacturer, Model Name, Model Number, and Serial Number
attributes for P2P peers and expose these through the existing
peer information mechanisms.
Previously, a bug in GKeyDoneStations count would remain in effect
until the authenticator is restarted. Make this more robust by
clearing the station count before each rekeying setup. While this
is not really supposed to be needed, there has been bugs in this
area in the past and it is safer to make the implementation recover
from such an issue automatically.
If the STA to be freed is still included in GKeyDoneStations count,
decrement the count when the STA is freed. This does not happen in
AP mode since there is enough time to go through the authenticator
state machine to clear the STA. However, in the current RSN IBSS
implementation, the authenticator state for the STA is freed in a
way that does not allow the state machine to go through the clearing.
To address this, make sure that wpa_free_sta_sm() decrements the
GKeyDoneStations count if the STA happened to be in the process of
GTK rekeying.
CFLAGS += -DCONFIG_RSN_TESTING in .config and rsn_testing=1 in
hostapd.conf can now be used to enable a testing mode that adds
extensions to RSN element. This can be used to check whether
station implementations are incompatible with future extensions
to the RSN element.
The AP code might, currently only in the case of HT40, defer actual
enabling to after a scan. In this case, the wpa_s AP code gets confused.
Add a callback for it to use and make it use it to finish only when the
setup has actually completed.
With appropriate hacks in place this allows using HT40 in P2P mode.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Make the P2P code keep track of WPS vendor extensions received from
peers so they can be exposed via DBus later.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This adds the ability to add WPS vendor extension attributes in P2P
frames, like GO Negotiation and Probe Response frames.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This adds the ability to add WPS vendor extensions to an AP (or GO).
They will be added to the WSC IE(s) in Beacon and Probe Response frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Instead of converting back and forth from the string representation,
always use the binary representation internally.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Use only the UUID-E to remove active PBC session(s) at the completion of
successful PBC protocol run. This fixes potential issues with Enrollees
that use multiple MAC addresses and as such, can get multiple entries in
the PBC session list.
Add Secondary Device Type List attribute in WSC IE for P2P
Probe Response frames if one or more secondary device types
are configured.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The secondary device type list is an optional attribute in the WSC IE.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Currently hostapd will force HT Mixed Mode if at least one non-GF STA is
associated. This will force _all_ HT transmissions to be protected.
802.11n-2009 doesn't require HT Mixed Mode to be used in case of non-GF
STAs but instead the HT information element contains a flag if non-GF
STAs are present. All STAs are required to protect GF transmissions in
that case. Hence, setting HT Mixed mode if non-GF STAs are present is
superfluous.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Use a specific return value, WPS-PBC-OVERLAP, to indicate a reason
for rejecting a wps_pbc command in wpa_supplicant AP mode if the
PBC mode cannot be started due to PBC session overlap having been
detected during monitor time.
This allows the user to complete WPS provisioning using PBC by
selected a specific Enrollee even if there are other Enrollees
in active PBC mode at the same time. The other Enrollees will be
rejected should they try to connect at the same time.
Ignore possible mismatches in the source address of the frame and only
use UUID-E to check whether a Probe Request or M1 is from the same
Enrollee when figuring out whether there is PBC session overlap. This
is needed to avoid potential issues with Enrollee devices that may have
multiple interfaces indicating active PBC state.
If there is already a link the requested peer, request start of
renegotiation instead of completely new link. This seems to be needed
to allow some driver to accept the trigger for a new negotiation.
tdls_testing 0x80 can now be used to request wpa_supplicant to send
a TDLS Setup Request frame (i.e., try to initiate TDLS setup)
whenever a TDLS Setup Request frame has been received from a peer.
Blindly clearing all struct wpa_tdls_peer members is a risky
operation since it could easily clear pointers to allocated
memory, etc. information that really should not be removed.
Instead of hoping that new code gets added here to restore
the important variables, reverse the approach and only clear
structure members one by one when needed.
This allows the same code path to be used for both protected and
unprotected configurations to limit need for duplicated code in
both the driver and wpa_supplicant.
This adds code for validating that the same Key Lifetime is used
throughout TPK handshake and enables TPK lifetime expiration and
renewal/teardown. These part seem to be working, but the actual
handling of TDLS Setup Confirm and renewal are not fully
functional yet.
tdls_testing bits:
bit 3 = use short TPK lifetime (301 seconds)
bit 4 = use wrong TPK lifetime in TDLS Setup Response
bit 5 = use wrong TPK lifetime in TDLS Setup Confirm
These special test cases can be configured at run time with "wpa_cli
tdls_testing <value>" where <value> is an integer (either as a decimal
or as a hex value with 0x prefix) bitmap of special features with
following bits available at this point:
bit 0 = long frame (add dummy subelement to make FTIE very long)
bit 1 = use alternative RSN IE (different RSN capab value and no extra
replay counters)
bit 2 = send incorrect BSSID in Link Identifier of TDLS Setup Request
(e.g., 1 = long FTIE, 2 = different RSN IE, 3 = both of those)
This is disabled by default and can be enabled for the build by
adding the following line to .config:
CFLAGS += -DCONFIG_TDLS_TESTING
This allows driver wrappers to indicate whether the association was
done using Association Request/Response or with Reassociation
Request/Response frames.
CFLAGS += -DCONFIG_VALGRIND can now be used to enable support for
Valgrind client requests to help in removing some non-issues from
Valgrind reports. This is mainly aimed at allowing unknown ioctl
results to be marked as defined data.
If the os_time_t variable used for the expiration time (seconds)
overflows when the registered timeout value is being added,
assume that the event would happen after an infinite time, i.e.,
would not really happen in practice. This fixes issues with
long key timeouts getting converted to immediate expiration due
to the overflow.
os_snprintf() can be a preprocessor macro and according to
C99 (6.10.3 clause 11) the results of having preprocessor directives
inside the macro arguments is undefined.
Build options can now be used to replace the location of client
sockets for UNIX domain socket control interface:
CFLAGS += -DCONFIG_CTRL_IFACE_CLIENT_DIR=\"/tmp\"
CFLAGS += -DCONFIG_CTRL_IFACE_CLIENT_PREFIX=\"wpa_ctrl_\"
The buffer size for routing socket is fixed to 2048.
This patch fix it to obtain the size from OS.
This patch worked on x86 platform with NetBSD 5.0.2.
This allows keystore:// prefix to be used with client_cert and
private_key configuration parameters.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This will only retrieve information about peers that have been fully
discovered, not peers that are only half-discovered based on their Probe
Request frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The DBus code will want to have perfect matching of dev_found and the
dev_lost it adds so it doesn't need to keep track internally. Enable
that with a new flag in the core that tracks whether we have already
notified about this -- the existing users can ignore it.
The part where this is always set to 1 if the new device is discovered
by a driver that has P2P in the driver is buggy -- the driver should
feed the P2P peer database and then that should feed the notification
here instead.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This embeds some information about each P2P peer that will be publically
visible in a struct that is shared.
The dev_found notification function is also passed the new struct, which
requires some work for the driver-based P2P management.
Signed-off-by: Konguraj(Raj) Kulanthaivel <konguraj.kulanthaivel@intel.com>
Signed-off-by: Fabien Marotte <fabienx.marotte@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When using multiple vifs and dynamic vlan tagging is enabled on any
interface, the created AP VLAN interfaces get the BSSID of the first
AP mode interface instead of the BSSID of the corresponding AP mode
interface.
Example:
wlan0 - xx:xx:xx:xx:x0
wlan1 - xx:xx:xx:xx:x1
Assume a STA connects to the AP interface wlan1 and gets a dynamic
VLAN tag 100 assigned by the RADIUS server. Hostapd will create an AP
VLAN interface wlan1.100 but doesn't set an address for this interface
which results in wlan1.100 getting the same address as wlan0:
wlan1.100 - xx:xx:xx:xx:x0
As a result the STA that was moved to wlan1.100 isn't able to finish its
4-way handshake since mac80211 won't pass its frames to wlan1.100 due to
the different address.
To fix this issue make use of the address of the AP interface when
creating an AP VLAN interface.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Add MAC addresses for stations and use wpa_msg instead of printf
methods to make it easier to grep logs and find messages for the
station in question.
Signed-off-by: Ben Greear <greearb@candelatech.com>
If parsing of the certificate or private key succeeds using any of
the tried encoding types, clear the OpenSSL error queue without
showing the pending errors in debug log since they do not really
provide any useful output and can be confusing.
This patch fixes a problem I had when I tried to connect
an embedded system [wpa_supplicant, CONFIG_TLS=internal]
to my TLS secured network.
TLSv1: Send CertificateVerify
TLSv1: CertificateVerify hash - hexdump(len=36): ha .. ha
PKCS #1: pkcs1_generate_encryption_block - Invalid buffer lengths \
(modlen=512 outlen=454 inlen=36)
It turned out that a fixed 1000 byte message buffer was just
a little bit too small for the 4096 bit RSA certificates
I'm using.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
In multi BSS setups it wasn't possible to set up an HT BSS in
conjunction with a WEP/TKIP BSS. HT needed to be turned off entirely
to allow WEP/TKIP BSSes to be used.
In order to allow HT BSSes to coexist with non-HT WEP/TKIP BSSes add a
new BSS conf attribute "disable_11n" which disables HT capabilities on a
single BSS by suppressing HT IEs in the beacon and probe response
frames. Furthermore, mark all STAs associated to a WEP/TKIP BSS as
non-HT STAs. The disable_11n parameter is used internally; no new entry
is parsed from hostapd.conf.
This allows a non-HT WEP/TKIP BSS to coexist with a HT BSS without
having to disable HT mode entirely. Nevertheless, all STAs associated to
the WEP/TKIP BSS will only be served as if they were non-HT STAs.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Use l2_packet with Ethernet header included so that the source
address for RRB packets can be forced to be the local BSSID. This
fixes problems where unexpected bridge interface address may end
up getting used and the recipient of the frame dropping it as
unknown R0KH/R1KH.
This is needed to keep kernel and hostapd in sync. In addition,
the obsolete entry in hostapd prevented use of Deauthentication
or Disassociation frame with reason code 6/7 mechanism to indicate
to the STA that there is no association if the STA missed the
broadcast Deauthentication frame for any reason.
The internal pointer to RADIUS client configuration needs to be
updated whenever a new hostapd configuration is loaded. Without
this, freed memory may be dereferenced and this can result in
segmentation faults.
This converts number of debugging messages to use wpa_msg() in order
to allow the interface name to be shown with the messages.
A new function, wpa_dbg(), is introduced to allow
CONFIG_NO_STDOUT_DEBUG=y builds to remove the debug strings. This is
otherwise identical with wpa_msg(), but it gets compiled out if stdout
debugging is disabled.
This is needed to allows WPS PBC session overlap detection to work
with drivers that process Probe Request frames internally. This
code is is run in hostapd, but the wpa_supplicant AP mode did not
have call to the hostapd_probe_req_rx() function even though it
registered handlers for hostapd Probe Request RX callbacks.
An optional parameter, p2p_dev_addr, can now be given to WPS_PBC
command on P2P GO to indicate that only the P2P device with the
specified P2P Device Address is allowed to connect using PBC. If
any other device tries to use PBC, a session overlap is indicated
and the negotiation is rejected with M2D. The command format for
specifying the address is "WPS_PBC p2p_dev_addr=<address>", e.g.,
WPS_PBC p2p_dev_addr=02:03:04:05:06:07
In addition, show the PBC session overlap indication as a WPS failure
event on an AP/GO interface. This particular new case shows up as
"WPS-FAIL msg=4 config_error=12".
This makes log files much more readable if multiple interfaces
are being controlled by the same process. The interface name is
added to stdout/file/syslog entries, but not to the messages
sent to control interface monitors to avoid issues with parsing
in external programs.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Add a callback for station's authorized transitions
to allow wpa_supplicant to emit events in DBus.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
To enable making state change notifications on the WLAN_STA_AUTHORIZED
flag, introduce ap_sta_set_authorized(), and to reduce use of the flag
itself also add a wrapper for testing the flag: ap_sta_is_authorized().
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If the driver advertises max_remain_on_chan data, use it instead of
the hardcoded value of 5000. Keep the default at 5000 since that is the
value used by earlier versions of cfg80211/mac80211 and not advertised
in nl80211 for those.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When authenticating, and the interface type is not already
NL80211_IFTYPE_STATION, we need to call wpa_driver_nl80211_set_mode()
only once. Remove the excessive call.
Signed-off-by: Eliad Peller <eliad@wizery.com>
We need to call this function after having completed the neighboring
channel scan to figure out whether HT40 can be used and if so, which
channel is the secondary channel.
ieee80211n_supported_ht_capab is called after ieee80211n_check_40mhz in
function hostapd_check_ht_capab. ieee80211n_check_40mhz can return 1 in
a valid scenario where the initialization is completed in a callback. In
this case ieee80211n_supported_ht_capab is skipped and hostapd does not
check the ht capabilities reported by the driver. Fix this issue making
sure ieee80211n_supported_ht_capab gets called.
Signed-off-by: Nishant Sarmukadam <nishants@marvell.com>
If WMM is not disabled explicitly (wmm_enabled=0 in hostapd.conf),
enable WMM automatically whenever HT (ieee80211n) is enabled. Use
the default WMM parameters for AP TX queues and the EDCA parameters
advertised for stations in WMM IE if no overriding values are
included in the configuration.
We can use the P2P interface types to check if the driver supports P2P
and to tell the kernel that a given interface is going to be used for
P2P (when it is created).
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
There is no real reason to maintain these in the current development
branch anymore. If someone really needs support for the obsolete
driver interfaces, these can be found in older wpa_supplicant
branches.
driver_atmel.c
- vendor-specific interface for ATMEL AT76C5XXx cards
- for some old out-of-tree driver; not for the upstream atmel*
drivers
driver_ndiswrapper.c
- vendor-specific interface for an out-of-tree driver
- ndiswrapper should work with driver_wext.c, too
driver_ipw.c
- vendor-specific interface for old ipw2100/2200 driver
- the upstream driver works with driver_wext.c (and does not work
with the old interface)
driver_hermes.c
- vendor driver that was not even included in the main wpa_supplicant
releases
In order to enable protection mechanisms for different HT opmodes the
driver needs to be aware of the current HT opmode that is calculated by
hostapd. Hence, pass the current opmode to the nl80211 driver via
the bss attribute NL80211_ATTR_BSS_HT_OPMODE.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
tdls_prohibit=1 and tdls_prohibit_chan_switch=1 and now be used to
disable use of TDLS or TDLS channel switching in the BSS using
extended cabilities IE as defined in IEEE 802.11z.
Make sure that received management frames are long enough before
processing them. This avoids a potential segmentation fault if a
driver delivers an invalid frame all the way to hostapd.
The changes are:
1. the word "and" in the hunting-and-pecking string passed to the KDF
should be capitalized.
2. the primebitlen used in the KDF should be a short not an int.
3. the computation of MK in hostap is based on an older version of the
draft and is not the way it's specified in the RFC.
4. the group being passed into computation of the Commit was not in
network order.
Previously, only the Configuration Error values were indicated in
WPS-FAIL events. Since those values are defined in the specification
it is not feasible to extend them for indicating other errors. Add
a new error indication value that is internal to wpa_supplicant and
hostapd to allow other errors to be indicated.
Use the new mechanism to indicate if negotiation fails because of
WEP or TKIP-only configurations being disallows by WPS 2.0.
This needs to be done both in the more normal location in
p2p_timeout_connect_listen() (internal timeout after driver event) and
in p2p_listen_end() as a workaround for the case where the driver event
is delayed to happen after the internal timeout.
Previously, both NULL and ff:ff:ff:ff:ff:ff addr were used in various
places to indicate default/broadcast keys. Make this more consistent
and useful by defining NULL to mean default key (i.e., used both for
unicast and broadcast) and ff:ff:ff:ff:ff:ff to indicate broadcast
key (i.e., used only with broadcast).
When hostapd is removing a virtual BSS interface, the loop here was
incorrectly not updating the iterator during list traversal and
ended up in an infinite loop in some cases.
Use NULL instead of (u8 *) "" as the seq value and make sure the
driver wrapper implementations can handle NULL value. This was
previously already done in number of places, but not everywhere.
wpa_supplicant seems to crash from time to time on a NetBSD 4.0 MIPS
platform. The root cause turned out to be a MIPS alignment issue.
In my wpa_supplicant crash case, in function
wpa_driver_bsd_event_receive (from driver_bsd.c), the buf[2048] address
is started from i.e. 0x7fffd546, which is not 4 bytes aligned. Later
when it is casted to (struct if_msghdr *), and rtm->rtm_flags is used.
rtm->rtm_flags is "int" type, but its address is not 4 bytes aligned.
This is because the start address of rtm is not 4 bytes aligned.
Unfortunately in NetBSD MIPS kernel (unlike Linux MIPS kernel emulates
unaligned access in its exception handler), the default behavior is to
generate a memory fault to the application that accesses unaligned
memory address. Thus comes the early mentioned wpa_supplicant crash. An
interesting note is when I'm using the wpa_supplicant version 0.4.9, I
never saw this problem. Maybe the stack layout is different. But I
didn't look into details.
I used below patch to resolve this problem. Now it runs correctly for at
least several hours. But you might have a better fix (maybe we can use
malloc/free so that it is at least cache line aligned?). I'm also not
sure if other drivers should have the same problem.
This adds partial callbacks and events to allow P2P management to be
implemented in a driver/firmware. This is not yet complete and is
very much subject to change in the future.
CONFIG_WPS_REG_DISABLE_OPEN=y can be used to configure wpa_supplicant
to disable open networks by default when wps_reg command is used to
learn the current AP settings. When this is enabled, there will be a
WPS-OPEN-NETWORK ctrl_iface event and the user will need to explicitly
enable the network (e.g., with "select_network <id>") to connect to
the open network.
If the underlying driver supports off-channel TX, it will now be used by
the nl80211 driver wrapper, setting WPA_DRIVER_FLAGS_OFFCHANNEL_TX
accordingly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
With the new kernel functionality coming to Linux to allow off-channel
TX, we can take advantage of that in the P2P code that currently uses
remain-on-channel. If a driver advertises support for it, it will be
asked to handle off-channel TX by itself.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The nl80211 driver can report low ACK condition (in fact it reports
complete loss right now only). Use that, along with a config option, to
disconnect stations when the data connection is not working properly,
e.g., due to the STA having went outside the range of the AP. This is
disabled by default and can be enabled with disassoc_low_ack=1 in
hostapd or wpa_supplicant configuration file.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
ClientTimeout changes from EAP peer methods were not supposed to
change behavior for other EAP peer methods or even other sessions
of the same method. Re-initialize ClientTimeout whenever an EAP
peer method is initialized to avoid this. This addresses problems
where WPS (EAP-WSC) reduces the timeout and consecutive EAP runs
may fail due to too small timeout.
If the peer you want to connect to is no longer available (does not
acknowledge frames) when wpa_supplicant sends GO Negotition Request
frames, retransmission of this frame is done until the associated
p2p_device structure is removed on timeout. In that case, no signal
is emitted to inform the GO Negotiation has failed.
When sending an Invitation Request frame, the same retransmission
mechanism is in place but limit the transmission to 100 and hitting
the limit generates an event.
This patch adds the same mechanism as the one in place for Invitation
Request, but with limit of 120 to match the existing wait_count for
for GO Negotiation.
If a station received unprotected Deauthentication or Disassociation
frame with reason code 6 or 7 from the current AP, there may be a
mismatch in association state between the AP and STA. Verify whether
this is the case by using SA Query procedure. If not response is
received from the AP, deauthenticate.
This implementation is only for user space SME with
driver_nl80211.c.
Some new code will require access to P2P group members, so add API to
retrieve the number of members and iterate the members themselves.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If there is a pending GO Negotiation when p2p_cancel is used,
unauthorize the peer to avoid immediate reconnection from being
accepted without a new p2p_connect command.
This can be used by external programs (e.g., wlantest_cli) to inject
raw frames (hex dump of the frame header and body). The data can be
requested to be sent as-is or protected with the current key.
Previously, pairwise and group cipher suites were configured only
when kernel SME (nl80211 connect API) was used. However, mac80211
needs this information even in the user space SME case for one
thing: to disable HT when TKIP/WEP is used. Add
NL80211_ATTR_CIPHER_SUITES_PAIRWISE to fix this special case with
user space SME. This allows mac80211 to disable HT properly when
the AP is configured with configuration that is not allowed.
This add preliminary code for setting the per-STA RX GTK for
RSN IBSS when nl80211 drivers. For some reason, this does not
seem to fully work, but at least driver_nl80211.c is now aware of
what kind of key is being set and the whatever is missing from
making this key configuration go through should be specific to
nl80211/cfg80211.
The frame needs to be sent from an individual (non-group) address,
so drop invalid frames before sending Deauth/Disassoc frames to
not associated STAs.
One of the pointers to the PAC buffer was not updated after realloc
and if the realloc ended up returning new pointer, the *pos pointer
was still pointing at the old location (i.e., freed memory at
this point).
When controlling multiple virtual interfaces on the same physical
radio, share the scan results events with sibling interfaces. This
decreases the time it takes to connect many virtual interfaces.
This is currently only supported on Linux with cfg80211-based
drivers when using nl80211 or wext driver interface.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Some drivers are not providing exactly reliable error codes (e.g.,
with WEXT), but others may actually indicate reliable information.
Allow driver wrappers to indicate if that is the case and use
optimizations if so. For now, this improves nl80211 with
NL80211_CMD_CONNECT for a case where connection request fails.
driver_param=use_p2p_group_interface=1 can now be used to test
nl80211-drivers with separate P2P group interface. In other words,
the main interface (e.g., wlan0) is reserved for P2P management
operations and non-P2P connections and a new group interface (e.g.,
p2p-wlan0-0) is created for the P2P group.
This implementation is very minimal, i.e., it only support address
allocation for a single P2P group interface (if the driver does not
handle this internally). In addition, not all functionality has yet
been tested, so for now, this is disabled by default and needs that
special driver_param to enable.
WPA_DRIVER_FLAGS_P2P_MGMT_AND_NON_P2P flag can now be used to
indicate that the initial interface (e.g., wlan0) is used for
P2P management operations and potentially non-P2P connections.
This is otherwise identical to
WPA_DRIVER_FLAGS_P2P_DEDICATED_INTERFACE, but the possibility of
non-P2P connections makes some operations differ.
Getting rid of these inline functions seems to reduce the code size
quite a bit, so convert the most commonly used hostapd driver ops to
function calls.
This is not needed anymore and just makes things more difficult
to understand, so move the remaining function pointers to direct
function calls and get rid of the struct hostapd_driver_ops.
send_eapol, set_key, read_sta_data, sta_clear_stats,
set_radius_acl_auth, set_radius_acl_expire, and set_beacon
to use inline functions instead of extra abstraction.
Commit bf65bc638f started the path to
add this new abstraction for driver operations in AP mode to allow
wpa_supplicant to control AP mode operations. At that point, the
extra abstraction was needed, but it is not needed anymore since
hostapd and wpa_supplicant share the same struct wpa_driver_ops.
Start removing the unneeded abstraction by converting
send_mgmt_frame() to an inline function, hostapd_drv_send_mlme().
This is similar to the design that is used in wpa_supplicant and
that was used in hostapd in the past (hostapd_send_mgmt_frame()
inline function).
driver.h defines these functions to return 0 on success, not
number of bytes transmitted. Most callers are checking "< 0" for
error condition, but not all. Address this by following the driver
API specification on 0 meaning success.
On Linux, verify that the kernel entropy pool is capable of providing
strong random data before allowing WPA/WPA2 connection to be
established. If 20 bytes of data cannot be read from /dev/random,
force first two 4-way handshakes to fail while collecting entropy
into the internal pool in hostapd. After that, give up on /dev/random
and allow the AP to function based on the combination of /dev/urandom
and whatever data has been collected into the internal entropy pool.
wlan0: RADIUS No authentication server configured
MEMLEAK[0x999feb8]: len 1040
WPA_TRACE: memleak - START
[3]: ./hostapd(radius_msg_new+0x33) [0x8074f43]
radius_msg_new() ../src/radius/radius.c:117
[4]: ./hostapd() [0x806095e]
ieee802_1x_encapsulate_radius() ../src/ap/ieee802_1x.c:439
ieee802_1x_aaa_send() ../src/ap/ieee802_1x.c:1496
For example, this error occured when I used WPS hostapd without
"eap_server=1" definition in configuration file.
By default, make hostapd and wpa_supplicant maintain an internal
entropy pool that is fed with following information:
hostapd:
- Probe Request frames (timing, RSSI)
- Association events (timing)
- SNonce from Supplicants
wpa_supplicant:
- Scan results (timing, signal/noise)
- Association events (timing)
The internal pool is used to augment the random numbers generated
with the OS mechanism (os_get_random()). While the internal
implementation is not expected to be very strong due to limited
amount of generic (non-platform specific) information to feed the
pool, this may strengthen key derivation on some devices that are
not configured to provide strong random numbers through
os_get_random() (e.g., /dev/urandom on Linux/BSD).
This new mechanism is not supposed to replace proper OS provided
random number generation mechanism. The OS mechanism needs to be
initialized properly (e.g., hw random number generator,
maintaining entropy pool over reboots, etc.) for any of the
security assumptions to hold.
If the os_get_random() is known to provide strong ramdom data (e.g., on
Linux/BSD, the board in question is known to have reliable source of
random data from /dev/urandom), the internal hostapd random pool can be
disabled. This will save some in binary size and CPU use. However, this
should only be considered for builds that are known to be used on
devices that meet the requirements described above. The internal pool
is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
This commit adds a new wrapper, random_get_bytes(), that is currently
defined to use os_get_random() as is. The places using
random_get_bytes() depend on the returned value being strong random
number, i.e., something that is infeasible for external device to
figure out. These values are used either directly as a key or as
nonces/challenges that are used as input for key derivation or
authentication.
The remaining direct uses of os_get_random() do not need as strong
random numbers to function correctly.
This adds more time for the system entropy pool to be filled before
requesting random data for generating the WPA/WPA2 encryption keys.
This can be helpful especially on embedded devices that do not have
hardware random number generator and may lack good sources of
randomness especially early in the bootup sequence when hostapd is
likely to be started.
GMK and Key Counter are still initialized once in the beginning to
match the RSN Authenticator state machine behavior and to make sure
that the driver does not transmit broadcast frames unencrypted.
However, both GMK (and GTK derived from it) and Key Counter will be
re-initialized when the first station connects and is about to
enter 4-way handshake.
The example GMK-to-GTK derivation described in the IEEE 802.11 standard
is marked informative and there is no protocol reason for following it
since this derivation is done only on the AP/Authenticator and does not
need to match with the Supplicant. Mix in more data into the derivation
process to get more separation from GMK.
The previous commit broke completion in various places. The proper
way of handling the completion of full word is to verify whether
there are more than one possible match at that point.
Completion needs to be done even if the full word has been entered.
In addition, fix the space-after-full-word to properly allocate room
for the extra character when completion is used in the middle of the
string.
This adds new commands for wlantest_cli to request wlantest to
inject frames. This version can only send out Authentication
frames and unprotected SA Query Request frames, but there is
now place to add more frames and encryption with future commits.
ap_setup_locked=2 can now be used to enable a special mode where
WPS ER can learn the current AP settings, but cannot change then.
In other words, the protocol is allowed to continue past M2, but
is stopped at M7 when AP is in this mode. WPS IE does not
advertise AP Setup Locked in this case to avoid interoperability
issues.
In wpa_supplicant, use ap_setup_locked=2 by default. Since the AP PIN
is disabled by default, this does not enable any new functionality
automatically. To allow the read-only ER to go through the protocol,
wps_ap_pin command needs to be used to enable the AP PIN.
There is no point in maintaining two almost identical versions
of this parser. Move WPA IE parser into wpa_common.c similarly
to what was already the case with RSN IE parse.
When multiple wireless interfaces are used with WPS, the UPnP
subscriptions need to be removed whenever a matching Registrar
instance gets removed. This avoids a segfault due to access to
freed memory during hostapd shutdown.
In addition, the UPnP interface instance structure needs to be
freed to avoid memory leak.
WPS external Registrars can get confused about multiple UPnP
instances (one per radio) on a dual-concurrent APs. Simplify the
design by sharing a single UPnP state machine for all wireless
interfaces controlled by hostapd. This matches with the previous
changes that made a single command enable WPS functionality on
all interfaces.
This is relatively minimal change to address the sharing of the
state among multiple struct hostapd_data instances. More cleanup
can be done separately to remove unnecessary copies of information.
When the peer does not include our initial preference in the Channel
List attribute during GO Negotiation, try to use the best channel of
the other band as the new preference instead of falling back to the
first channel in the intersection.
The driver wrapper may now indicate the preferred channel (e.g., based
on scan results) on both 2.4 GHz and 5 GHz bands (and an overall best
frequency). When setting up a GO, this preference information is used
to select the operating channel if configuration does not include
hardcoded channel. Similarly, this information can be used during
GO Negotiation to indicate preference for a specific channel based
on current channel conditions.
p2p_group_add command can now use special values (freq=2 and freq=5)
to indicate that the GO is to be started on the specified band.
Commit d8d940b746 introduced a regression
that prevented TSN APs from being used with WEP since the AP was
rejected if it advertised WPA or RSN IE when we were configured to use
WEP. Resolve this by checking whether the AP is advertising a TSN, i.e.,
whether the AP allows WEP to be used as a group cipher. If so, allow
the AP to be selected if we are configured to use static WEP or
IEEE 802.1X (non-WPA).
It should be noted that this is still somewhat more restricted in AP
selection than earlier wpa_supplicant branches (0.7.x or older) that
ignore the WPA/RSN IE completely when configured for non-WPA.
This tool can be used to capture IEEE 802.11 frames either from a
monitor interface for realtime capturing or from pcap files for
offline analysis. This version is only adding basic infrastructure for
going through the frames and parsing their headers.
Commit c3fc47ea8e fixed EAP passthrough
server to allow Logoff/Re-authentication to be used. However, it
broke EAP standalone server while doing that. Fix this by reverting
the earlier fix and by clearing the EAP Identity information in the
EAP server code whenever an EAPOL-Start or EAPOL-Logoff packet is
received.
We need to drop the pending frame to avoid issues with the new GO
Negotiation, e.g., when the pending frame was from a previous attempt at
starting a GO Negotiation.
These are not used by any driver wrapper, i.e., only the four
data queues (BK, BE, VI, VO) are configurable. Better remove these
so that there is no confusion about being able to configure
something additional.
Pass data frames from unknown STAs to hostapd in order to reply with
a Deauthentication or Disassociation frame. This fixes compliance
with IEEE Std 802.11-2007, 11.3.
Furthermore, this does not cause a lot of overhead (at least with
mac80211 drivers) since mac80211 does not pass all data frames (but
at least from unauthenticated and unassociated STAs) to cooked monitor
interfaces.
Tested with rt2800pci on a MIPS board.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
drivers.mak is shared between hostapd and wpa_supplicant and
compiling them together may create "wrong" flags.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
We are not actually interested in the PD Response in join-a-group
case, so there is no point in trying to send PD Request until the
response is received. This avoids an extra PD getting started after
a join-a-group operation in some cases.
This is needed to avoid problems with other applications setting and
leaving the interface to IF_OPER_DORMANT state. In AP mode, the interface
is ready immediately after the keys are set, so we better make sure the
DORMANT state does not prevent normal operations after that.
This is needed to avoid issues with APs that restart their UPnP,
e.g., when ER reconfigures them. The previously known settings are
now cached and taken into use if an AP is detected to leave
(ssdp:byebye) and then return.
Verify that the UUID given to wps_er_pbc command is known and only
activate PBC mode on the matching AP. The UUID can be that of the
AP or the station/Enrollee.
Add a new driver event, EVENT_INTERFACE_UNAVAILABLE, for indicating
that the driver is not able to continue operating the virtual
interface in its current mode anymore, e.g., due to operating
channel for GO interface forced to a DFS channel by another virtual
interface.
When this happens for a P2P group interface, the P2P group will
be terminated and P2P-GROUP-REMOVED event shows the reason for
this as follows:
P2P-GROUP-REMOVED wlan0 GO reason=UNAVAILABLE
A new configuration parameter, p2p_group_idle, can now be used to set
idle timeout value for P2P groups in seconds (0 = no timeout). If set,
this values is used to remove P2P group (both GO and P2P client)
interfaces after the group has been idle (no clients/GO seen) for the
configuration duration.
The P2P-GROUP-REMOVED event is now indicating the reason for group
removal when known. For example:
P2P-GROUP-REMOVED wlan0 GO reason=REQUESTED
P2P-GROUP-REMOVED wlan1 client reason=IDLE
Some driver wrappers may end up indicating a disassociation or
deauthentication event without the address of the station, e.g.,
based on a previous non-AP mode event. Avoid crashing hostapd
by verifying that the require address parameter is available in
the event before processing it.
In order to avoid confusing the driver with a new remain-on-channel
request, delay sending of a new Action frame if the driver indicates
Action frame RX diromg a scan.
This is needed to optimize response to GO Negotiation Request frames.
The extra remain-on-channel cancel followed by new remain-on-channel for
the same channel takes too much time with some driver/firmware
designs for the response to go out quickly enough to avoid peer
timing out while waiting for our response.
This command can be used to enroll a network based on a local
network configuration block instead of having to (re-)learn the
current AP settings with wps_er_learn.
This test command is supposed to change the WPS version number in all
places immediately, so make sure that the IEs used in management
frames get updated immediately.
The P2P group component is now tracking of associated stations
in the group and the Group Limit bit in the Group Capabilities
is updated based on whether there is room for new clients in
the group.
The workaround to ignore no ctrl::ack received for GO Negotiation
Confirmation frame was only supposed to be used when the frame was
actually transmitted and just the ack was not received. However, due
to the way the driver failure on transmitting the frame were reported,
this ended up getting applied for all failures in sending the GO
Negotiation Confirmation frame.
Improve this by providing a mechanism to indicate whether send_action
operations fail locally before the frame was actually transmitted or
because of not receiving ack frame after having transmitted the frame.
UPnP event subscriptions are not supposed to be dropped based on
whether events can be delivered quickly enough. Leave dropping to
happen only based on failed deliveries to avoid issues with a burst
of events kicking out still active subscribers.
Do not send more than five Probe Request WLANEvent notifications
per second. Even though the limit should in theory apply to all
WLANEvents, it is better not to drop EAP notifications because
of Probe Request frames and really, the only real reason for
event bursts is Probe Request frames.
Instead of queuing all events for a subscriber, only queue more
important events if delivery of event notifications starts failing.
This allows more time for the subscriber to recover since the maximum
queue length if not reached because of Probe Request frames only.
Instead of dropping the subscription on first failure, allow up to
10 failures before dropping. In addition, drop the callback URLs
one by one instead of full subscription if only one URL is failing.
If CONFIG_DRIVER_WEXT=y is not used in .config, but driver_wext.c
gets pull in to help another driver wrapper, rfkill code needs to
included to fix the build.
Listen to regulatory event messages from kernel and convert them to
internal driver event notifications indicated that the channel list
may have changed.
The AP operation with wpa_supplicant requires an additional callback
to get the needed event information from hostapd side so that
wpa_msg() can be called for wpa_s->parent if needed.
This makes it easier to figure out what could have failed in the
WPS protocol and potentially provide more information for the
user on how to resolve the issue.
The driver wrapper can now indicate whether the driver supports
concurrent operations on multiple channels (e.g., infra STA connection
on 5 GHz channel 36 and P2P group on 2.4 GHz channel 1). If not,
P2P_CONNECT commands will be rejected if they would require
multi-channel concurrency.
The new failure codes for P2P_CONNECT:
FAIL-CHANNEL-UNAVAILABLE:
The requested/needed channel is not currently available (i.e., user has
an option of disconnecting another interface to make the channel
available).
FAIL-CHANNEL-UNSUPPORTED:
The request channel is not available for P2P.
At least D-Link DIR-600 and DIR-825 have been reported to include
an extra octet after the Network Key attribute within a Credential
attribute. This can happen at least when they are provisioning an
open network.
Add a workaround to detect this incorrectly encoded attribute and
to skip the extra octet when parsing such a Credential.
The new nl80211 API means we don't need to use monitor interfaces. This
means that the P2P implementation now requires a kernel that has support
for generic management frame (not just Action frame) transmission.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This is backward compatible since older kernels will ignore the extra
attribute and only allow registration for Action frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
libnl has a bug, when binding more than two sockets and releasing one,
it will release the wrong address and then try to reuse it, which fails.
Therefore, we need to reimplement the socket address assignment logic
locally for libnl 1.1.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Some sequencies of EAPOL logoff/logon/start messages seem to be
able to get the previous implementation into state where hostapd
would not be able to start reauthentication when external
authentication server is used. The EAP server code would bypass
the initial Identity Request generation and EAPOL code would not
be able to send anything to the authentication server or supplicant
at that point. Work around this by forcing EAP server code to
start with Identity Request after INITIALIZE state even if the
Identity is known.
When a single hostapd process is controlling multiple interfaces,
apply the received or auto-generated configuration changes to all
interfaces that have enabled WPS.
When the same hostapd process is controlling multiple interfaces,
apply WPS commands (push button, add PIN, change AP PIN) to all
interfaces that are configured to use WPS.
A separate build number (etc.) version number postfix can now be
added to the build without having to modify source code files by
defining VERSION_STR_POSTFIX. This can be done, e.g., by adding
following line to .config:
CFLAGS += -DVERSION_STR_POSTFIX=\"-foo\"
Commit 3379a3a795 added a direct
iface->for_each_interface use without verification whether the
function is available. This works with hostapd, but not
wpa_supplicant (which crashes on segfault).
The previous implementation ended up incorrectly assuming that all
40 MHz use cases have secondary channel above the primary one. Fix this
by properly masking the secondary channel offset field and checking its
value.
wpa_supplicant showed signal levels incorrectly with some drivers:
Jun 6 16:29:36 rupert wpa_supplicant[18945]: Current BSS: 00:0d:97:11:40:d6
level=190
Jun 6 16:29:36 rupert wpa_supplicant[18945]: Selected BSS: 00:0d:97:11:50:09
level=192
Judging from output from other tools (iwlist) and the min_diff block
at the end of wpa_supplicant_need_to_roam, it seems these values
should actually be negative. Specifically, if one treats that number
as a signed char instead of unsigned, everything matches up.
To be honest, I've little to no understanding of wireless, but looking
at the source code for wireless-tools (iw_print_stats in iwlib.c), it
seems that the fields of the iw_quality struct need to be decoded
differently depending on various flags. I guess
src/drivers/driver_wext.c should have similar logic in
wext_get_scan_qual.
I wrote a patch that attempts to replicate some of that logic,
although it may be more complicated than is necessary; I think some of
the complexity is for backwards-compatibility, which might not be
necessary depending on wpa_supplicant's dependencies? In any case, it
is attached. Again, I don't know how any of this works, so it's likely
the patch is a bit off. But I think at least the logic to determine
min_diff in wpa_supplicant_need_to_roam would be more accurate if
level were determined correctly.
We need to clear the selected registrar timeout from wps_er_learn
when stopping the protocol run at M7 (previously, this was done only
when WSC_Done was being processed). In addition, we need to cancel
the timeout when a new PBC operation is started.
This is needed to update the pointers maintained within WPS code
to use the new configuration data instead of maintaining pointers
to the old configuration which will be freed. This fixes strings in
UPnP discovery after reconfig (they used to be random freed memory..).
Need to figure out whether the message is from a WSC 2.0 -based
device based on the unencrypted attributes, not the contents of the
encrypted data since the Version2 subelement is only included in the
unencrypted area.
This seems to be the easiest way of making sure the Config Methods
value is compliant with the WSC 2.0 specification without having
to modify the configuration file. However, this will only add the
virtual flag, so the configuration files should really be updated
to specify values that match the AP design.
WPS 2.0 mandates the AP to include WPS IE in (Re)Association Response
if the matching (Re)Association Request included WPS IE. Provide the
needed WPS IE information to the driver_ops API for drivers that
process association frames internally.
Note: This modifies the driver_ops API by adding a new argument to
set_ap_wps_ie().
Instead of build time options (CONFIG_WPS_TESTING_EXTRA_CRED and
CONFIG_WPS_EXTENSIBILITY_TESTING), use a single build option
(CONFIG_WPS_TESTING) and runtime configuration of which testing
operations are enabled. This allows a single binary to be used
for various tests.
The runtime configuration can be done through control interface
with wpa_cli/hostapd_cli commands:
Enable extensibility tests:
set wps_version_number 0x57
Disable extensibility tests (WPS2 build):
set wps_version_number 0x20
Enable extra credential tests:
set wps_testing_dummy_cred 1
Disable extra credential tests:
set wps_testing_dummy_cred 0
If the peer is not authorized for GO Negotiation, wps_method is not
actually set. In that case, it is better to fill in our default
config methods rather than end up leaving the field to be zero.
The Beacon frame must include UUID-E and RF Bands attributes when
in active PBC mode to allow stations to figure out that two BSSes in
PBC mode is not a PBC session overlap.
When generating the UUID based on MAC address, share the same UUID
with all interfaces. This fixes a potential issue with concurrent
dualband APs where the UUID needs to be same for PBC to work properly.
If the msg->device_name buffer is filled from two different sources,
the copy from the P2P Device Info attribute needs to make sure that
the values gets null terminated to match the length of the correct
string should the other place use another string (which is not really
allowed by the spec, but could happen).
A new ctrl_interface command, WPS_CANCEL, can now be used to cancel
a pending or ongoing WPS operation. For now, this is only available
with wpa_supplicant (either in station or AP mode). Similar
functionality should be added for hostapd, too.
If an authorized (p2p_connect used locally) GO Negotiation is
rejected when receiving GO Negotiation Request from the peer,
indicate the failure with a ctrl_interface P2P-GO-NEG-FAILURE
event. Previously, this event was only shown on the peer (i.e.,
the device receiving the GO Negotiation Response with non-zero
Status code).
Since this message now includes P2P Device Info attribute, it is
reasonable to learn the peer data and process the message instead of
rejecting the message.
Add (or complete Probe Request only) P2P peer entry when receiving
Provision Discovery Request from a previously unknown peer. This is
especially of use for a GO when a P2P client is requesting to join
a running group.
The scan operation before Provision Discovery Request may not include
the GO. However, we are likely to have the GO in our P2P peer table,
so use that information to figure out the operating channel if BSS
table entry is not available.
This should not really happen, but it looks like the Listen command
may fail is something else (e.g., a scan) was running at an
inconvenient time. As a workaround, allow new Extended Listen
operation to be started if this state is detected.
The previous version had a bug that could result in NULL pointer
dereference if the P2P IE included Manageability attribute, but no
Capability attribute.
This can happen, e.g., when a P2P client connects to a P2P group
using the infrastructure WLAN interface instead of P2P group
interface. In that case, the P2P client may behave as if the GO
would be a P2P Manager WLAN AP.
This is needed to be able to change parameters for dynamically
created interfaces between the creation of the interface and
association/start AP commands.
Following ctrl_interface commands can now be used:
P2P_SET client_apsd disable
- disable configuration (i.e., use driver default) in client mode
P2P_SET client_apsd <BE>,<BK>,<VI>,<VO>;<max SP Length>
- enable UASPD with specific trigger configuration (0/1) per AC
(max SP Length is currently ignored)
P2P_SET go_apsd disable
- disable configuration (i.e., use driver default) in AP mode
P2P_SET go_apsd <0/1>
- disable/enable APSD in AP mode
P2P specification v1.15 fixed the description of the GAS fragmentation
to not duplicate NQP Query Response Field header in all fragments. This
change makes the fragmentation match with the description in IEEE
802.11u. The change is not backwards compatible with previous P2P
specification versions as far as fragmented SD responses are concerned.
This event indicates the Device Password ID that the peer tried
to use in GO Negotiation. For example:
P2P-GO-NEG-REQUEST 02:40:61:c2:f3:b7 dev_passwd_id=4
If enabled, cross connection allows GO to forward IPv4 packets
using masquerading NAT from the P2P clients in the group to an
uplink WLAN connection. This is disabled by default and can be
enabled with "wpa_cli p2p_set cross_connect 1" on the P2P device
interface.
When we receive Device Discoverability Response, we need to initiate
new GO Negotiation as quickly as possible to avoid the target client
from going back to sleep. Make sure we do not end up in
P2P_CONNECT_LISTEN state (short Listen mode) in this case.
For now, this applies to the test command that can be used to set
periodic NoA (p2p_set noa). The value are stored and periodic NoA
is enabled whenever there are no non-P2P STAs connected to the GO.
While this is not strictly speaking required by the P2P specification
for a not-P2P Managed Device, this can provide useful information for
the P2P manager AP and may be needed to pass certification tests.
While there is no real value in this, the spec seems to mark this
attribute as mandatory from GO, so better included it regardless
of whether we have clients or not (the attribute is empty in case
no clients are connected).
"wpa_cli p2p_set peer_filter <MAC address>" can now be used to
only allow a single P2P Device (based on P2P Device Address) to be
discovered for testing. Setting the address to 00:00:00:00:00:00
disables the filter.
The WSC 2.0 specification moved to use another design for the new
attributes to avoid backwards compatibility issues with some
deployed implementations.
If CONFIG_WPS_STRICT is set, validate WPS IE(s) in management frames and
reject the frames if any of the mandatory attributes is missing or if an
included attribute uses an invalid value. In addition, verify that all
mandatory attributes are included and have valid values in the WSC
messages.
If all the device information attributes use their maximum lengths,
a single WPS IE is not enough to fit in all the data and as such,
we must be able to fragment the data. In addition, the wpabuf needs
to be allocated larger to fit in maximum data.
Instead of using 0x00 as the extra character, use space (' ') to
avoid failing tests that verify that the variable length string
attributes are not null terminated. In addition, this workaround
can now be disabled by defining CONFIG_WPS_STRICT for the build.
This can be done by adding following line to .config:
CFLAGS += -DCONFIG_WPS_STRICT
However, it should be noted that such a build may not interoperate
with some deployed WPS 1.0 -based implementations and as such, is
mainly designed for testing.
Whenever wpa_supplication is using Request Type Enrollee, it is trying
to enroll into a network. Indicate this with the explicit inclusion of
Request to Enroll attribute with value TRUE.
Advertize list of authorized enrollee MAC addresses in Beacon and
Probe Response frames and use these when selecting the AP. In order
to provide the list, the enrollee MAC address should be specified
whenever adding a new PIN. In addition, add UUID-R into
SetSelectedRegistrar action to make it potentially easier for an AP
to figure out which ER sent the action should there be multiple ERs
using the same IP address.
This adds definitions and parsing of the new attributes that were added
in WPS 2.0. In addition, the version negotiation is updated to use the
new mechanism, i.e., accept everything received and use the new Version2
attribute in transmitted messages.
While this is not strictly speaking required based on dynamic
configuration (i.e., dot11ShortPreambleOptionImplemented is static
value based on implementation, not runtime configuration), it is better
to follow local configuration parameter for short preamble in addition
to the associated station capabilities.
This function is not really needed in case of drivers that build the
HT IEs internally. However, since this can get called if ieee80211n=1
is set in hostapd.conf, we better not segfault even if the driver
does not provide hw info (hapd->iface->current_mode == NULL).
Commit 5a1cc30f1a added code that was
assuming CONFIG_WPS_UPNP is enabled whenever CONFIG_WPS is. Fix this
by making the UPnP calls conditional on CONFIG_WPS_UPNP define.
Prior to commit 6195adda9b the sm->user
dereference did not exist here. While this is in practice non-NULL,
better use more defensive construction here to avoid NULL pointer
dereference should this ever change.
Some NDIS drivers require a workaround to allow them to associate
with a WPS AP that is already using protection (Privacy field = 1).
Let driver_ndis.c know if the AP is already using Privacy and if so,
configure a dummy WEP key to force the driver to associate.
When using overlapped write, we must have the provided memory
areas available during the operation and cannot just use stack
unless we wait for the completion within the function. In the case
of TX here, we can easily wait for the completion since it is likely
to happen immediately. In addition, this provides more reliable
success/failure return value for l2_packet_send(). [Bug 328]
hostapd simply used its own STBC configuration in the STA's HT caps. This
resulted in TX STBC being used for STAs not supporting RX STBC, which in
turn resulted in the STA not receiving anything.
Fix this by handling the STBC flags in the same way mac80211 does. Mask
out RX STBC if we don't support TX STBC and vice versa.
Tested only with the nl80211 driver and a STBC incapable STA.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
This patch adds support for wired IEEE 802.1X client on the Solaris.
I have tested with these:
OS : OpenSolaris 2009.06
EAP : EAP-MD5
Switch : Cisco Catalyst 2950
The arithmetic on void pointer exists in trace routine. On GNU C, it
works because void pointer size is 1, but not all compilers behave like
this. So this patch specifies the size of the pointer.
There is no need to process the public key and generate keys if
the AP is going to reject this M2 anyway. This limits effect of
potential CPU DoS attacks in cases where AP PIN is disabled.
A new hostapd_cli command, wps_ap_pin, can now be used to manage
AP PIN at runtime. This can be used to generate a random AP PIN and
to only enable the AP PIN for short period (e.g., based on user
action on the AP device). Use of random AP PIN that is only enabled
for short duration is highly recommended to avoid security issues
with a static AP PIN.
As a compromise between usability and security, do not disable
AP PIN permanently based on failed PIN validations. Instead, go to
AP Setup Locked state for increasing amount of time between each
failure to slow down brute force attacks against the AP PIN.
This avoids problems with some external Registrars that may try
to use the same PIN multiple times without user input. Now, the
user will still be able to fix the PIN and try again later while
a real attack is delayed enough to make it impractical.
This can happen on the AP if the AP PIN is not configured and
the client tries to go through the protocol instead of just using
Registrar mode to receive M1 from the AP. It is cleaner to send
out the WSC_NACK instead of just stopping the protocol.
This indicates that the peer identity is associated with the
credential and will be required to match with the identity used
during authentication when the PAC is used (RFC 5422, 4.2.4).
When passing several authentication algorithms through auth_alg, we
should try all of them when the first one fails. The wext driver goes
through the connect nl80211 command and the retries are then handled by
the kernel. The nl80211 doesn't and we have to handle that from
userspace.
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
DEAUTH messages can come from a number of different sources. The one
that's hurting us currently is DEAUTH netlink messages coming to us
from compat-wireless in response to local_state_change DEAUTH messages
we sent as a part of cleaning up state in driver_nl80211's
clear_state_mismatch() function. However, DEAUTH messages can come
from a variety of unwanted sources, including directed denial-of-service
attacks (although MAC verification doesn't place that high a barrier),
so this validation is actually generically useful, I think.
The downside to this method is that without a kernel based approach
"iw dev wlan0 link" no longer works correctly after clear_state_mismatch()
is done. This will be pursued with the kernel folks.
cfg80211/mac80211 seems to be unwilling to change interface mode in
some cases. Make these less likely to cause problems by trying the
changes up to 10 times with 100 msec intervals.
In theory, this should not really be needed, but Windows 7 uses
Registrar mode to probe AP's WPS capabilities before trying to use
Enrollee and fails if the AP does not allow that probing to happen.
This allows the AP to start as an Enrollee and send M1, but refuse
to continue beyond that (M3 will not be sent if AP PIN is not known).
This makes it easier (and a bit faster) to handle multiple local
radios with FT. There is no need to depend on l2_packet in that
case since the frame can be delivered as a direct function call.
If the station does not include WSC IE in Association Request, it
is marked with WLAN_STA_MAYBE_WPS flag. We can update that to
WLAN_STA_WPS if the station uses either of the WPS identity strings.
This enables some workarounds for WPS stations.
This works around issues with EAP-Failure getting lost for some reason.
Instead of waiting up to 60 seconds on a timeout, 30 second timeout is
now used and whenever the provisioning step has been completed (either
successfully or unsuccessfully), this timeout is reduced to 2 seconds.
The pairwise cipher field is supposed to be little endian, but the
message building functions did not swap the bytes on big endian
hosts while the message processing functions did. Fix this by using
little endian byte order in both places.
It looks like 10.6.3 and 10.6.4 do not like to receive Network Key
with WPA passphrase while PSK format still works. Use peer information
from M1 to figure out whether the Enrollee is likely to be OS X and
if so, force PSK format to be used for Network Key.
Some frequent debug prints are of limited use and make debug output
difficult to read. Make them use a new debug level so that -dd
provides more readable output (-ddd can now be used to enable
the excessive debug prints).
The length of the prime was used incorrectly and this resulted
in WPS DH operation failing whenever the public key ended up having
leading zeros (i.e., about every 1/256th time).
The AP configuration may change after provisioning, so it is better
not to use the current security policy to prioritize results. Instead,
use WPS Selected Registrar attribute as the main sorting key and use
signal strength next without considering security policy or rate sets.
The non-WPS provisioning case remains as-is, i.e., this change applies
only when trying to find an AP for WPS provisioning.
Some deployed implementations do not include the mandatory Network
Key attribute when a WPS Credential is for an open network. Allow
this to improve interoperability since the actual key value is not
really needed for open networks.
Replace use of rfkill block event with rtnetlink ifdown. This makes
the design more robust since the rfkill event could have been for
another interface while the rtnetlink events are already filtered
based of ifindex. In addition, the new design handles other than
rfkill-triggered ifdown/ifup events, too. rfkill unblocked event
is still needed to try to set the interface back up. If the unblock
was for another interface, ifup will fail and the driver state is
not changed.
Some of the driver wrappers need to get set_ieee8021x() call before
they can configure keys. Reorder the operations in the reloading
of configuration case to match with that expectation.
Setting IEEE80211_PARAM_AUTHMODE to IEEE80211_AUTH_AUTO ends up enabling
Privacy mode in the driver. We need to clear that to allow hostapd to be
reconfigured into open mode.
wps_er_config can now be used to configure an AP. It is similar to
wps_er_learn, but instead of only learning the current AP settings,
it continues to send M8 with the new settings for the AP.
wps_er_start command now takes an optional parameter that can be used
to configure a filter to only allow UPnP SSDP messages from the
specified IP address. In practice, this limits the WPS ER operations
to a single AP and filters out all other devices in the network.
When starting the protocol run with an Enrollee, clone the AP Settings
and replace the AP MAC Address with the Enrollee MAC Address so that the
correct value is then used in the Credential attribute in M8.
If the associating station indicates that it is intents to use WPS
by including WPS IE in (Re)Association Request frame, include WPS IE
in (Re)Association Response frame.
There may be more than one attribute of same type (e.g., multiple DC
attributes), so the code needs to be able to handle that. Replace the
fixed structure with an array of attributes.
Previous version driver_bsd.c switches the channel in
wpa_driver_bsd_associate(). This patch changes it to use set_freq().
I have tested this patch on FreeBSD 8.0/NetBSD 5.0.2 with hostapd,
wpa_supplicant(AP) and wpa_supplicant(STA).
Add a new wpa_supplicant state: interface disabled. This can be used
to allow wpa_supplicant to be running with the network interface even
when the driver does not actually allow any radio operations (e.g.,
due to rfkill).
Allow driver_nl80211.c and driver_wext.c to start while rfkill is in
blocked state (i.e., when ifconfig up fails) and process rfkill
events to block/unblock WLAN.
Vendor-specific IEs are supposed to be in the end of the frame, so move
WMM into the end of Beacon, Probe Response, and (Re)Association Response
frames. In addition, move HT IEs to be later in (Re)Association
Response to match the correct order.
hostapd_eid_wpa() adds multiple IEs and the end result may not always be
correct. If WPA is enabled, WPA IE (vendor-specific) gets added in the
middle of the frame and not in the end. This would require a larger
change to spliut the IEs from WPA module into separate locations when
constructing Beacon and Probe Response frames. This is not yet addressed.
Commit 83935317a7 added forced
disconnection in case of 4-way handshake failures. However, it should
not have changed the case where the supplicant is requesting fallback
to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is
not know. This case needs to send an EAPOL-Start frame instead of
EAPOL-Key message 2/4.
This works around a problem with APs that try to force PMKSA caching
even when the client does not include PMKID in (re)association request
frame to request it. [Bug 355]
Commit c02d52b405 removed direct calls
to the WPA authenticator, but the change here was incorrect.
EAPOL_SM_USES_WPA was supposed to be set based on sta->wpa_sm being
set, i.e., no need to check for PMKSA entries for that.
While this could potentially change EAPOL Key TX state machine behavior,
no clear problems have been identified so far. Anyway, better fix this
to get the correct flags set for EAPOL authenticator state machine.
When using WPS, we may end up here if the STA manages to re-associate
without the previous STA entry getting removed. Consequently, we need to
make sure that the WPA state machines gets initialized properly at this
point.
62477841a1 tried to address fragmentation
issues, but it did not address the case where the final EAP-TNC
message gets fragmented. Move the state update to the correct place
to address this case, too.
There are no subdirectories in any of these directories or plans
for adding ones. As such, there is no point in running the loop
that does not do anything and can cause problems with some shells.
Both the wildcard VLAN entry and the statically configured VLAN
interfaces should behave in the same way. Initializing the
full dynamic VLAN code before adding the statically configured VLAN
interfaces allows the same processing to be applied to both statically
and dynamically added VLAN interface (i.e., also the statically
configured ones will be added to a bridge).
The WPS IE was overriding the WPA/RSN IE in driver based MLME case
(hostapd_notif_assoc), but the MLME code here was not using WPS IE
correctly, i.e., it allowed the WPA/RSN IE override the operation.
The returned buffer length was hardcoded to be the prime length
which resulted in shorter results being padded in the end. However,
the results from DH code are supposed to be unpadded (and when used
with WPS, the padding is done in WPS code and it is added to the
beginning of the buffer). This fixes WPS key derivation errors
in about 1/256 of runs ("WPS: Incorrect Authenticator") when using
the internal crypto code.
This adds more details into the CTRL-EVENT-DISCONNECTED event to
make it easier to figure out which network was disconnected in some
race conditions and to what could have been the reason for
disconnection. The reason code is currently only available with
the nl80211 driver wrapper.
There is no absolute requirement for separating address allocation
into separate functions, so simplify the driver wrapper interface
to use just if_add and if_remove instead of adding the new
alloc_interface_addr() and release_interface_addr() functions.
if_add() can now indicate if the driver forced a different interface
name or address on the virtual interface.
The server may still reject authentication at this point, so better
use conditional success decision. This allows the potentially
following EAP-Failure message to be processed properly. [Bug 354]
hostapd does not implement UAPSD functionality. However, if U-APSD
functionality is implemented outside hostapd, add support to advertise
the functionality in beacon.
Signed-off-by: yogeshp@marvell.com
Instead of parsing the IEs in the callers, use the already existing
parser in wpa_ft.c to handle MDIE and FTIE from initial MD association
response. In addition, this provides more complete access to association
response IEs to FT code which will be needed to fix FT 4-way handshake
message 2/4.
ANonce, SNonce, R0KH-ID, and R1KH-ID must match with the values
used in the previous FT authentication sequence message per
IEEE Std 802.11r-2008, 11A.8.4.
This sets the FT Capability and Policy field in the MDIE to the values
received from the target AP (if available). This fixes the MDIE contents
during FT Protocol, but the correct value may not yet be used in initial
mobility domain association.
We do not have any keys set at this point so there is no point in
adding the MIC. In addition, IEEE Std 802.11r-2008, 11A.4.2
describes this frame to have MIC IE count of 0 and MIC of 0.
This removes transmission of some unnecessary Deauthentication
frames in cases where we only need to clear the local state. In
addition, this resolves issues for 802.11r FT-over-DS by allowing
authentication state to be set locally even when no actual
Authentication frame is to be transmitted.
IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain
association in an RSN to include PMKR1Name in the PMKID-List field
in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be
bitwise identical with the values used in Beacon, Probe Response,
(Re)association Request frames.
The previous versions of wpa_supplicant and hostapd did not add the
PMKR1Name value in EAPOL-Key frame and did not accept it if added
(due to bitwise comparison of RSN IEs). This commit fixes the
implementation to be compliant with the standard by adding the
PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and
by verifying that the received value matches with the value derived
locally.
This breaks interoperability with previous wpa_supplicant/hostapd
versions.
Running hostapd and wpa_supplicant on the same interface at the same
time is not expected to work, but it should not cause hostapd to crash.
Ignore station mode association events (no addr field) to avoid this.
IF WPA/RSN parameters were changed or WPA/RSN was disabled, the
WPA/RSN IE in Beacon/Probe Response frames was only update with
set_beacon(). We need to do this with set_generic_elem(), too, to
work with all driver wrappers.
Call ieee802_11_set_beacon() in addition to set_ap_wps_ie() when
processing WPS IE updates. This is needed with drivers that use
set_beacon() instead of set_ap_wps_ie() (i.e., nl80211).
Some ER implementation (e.g., some versions of Intel PROSet) seem to
use incorrect format for WLANEventMAC variable in PutWLANResponse.
Work around this by allowing various MAC address formats to be used
in this variable (debug message will be shown if the colon-deliminated
format specified in WFA WLANConfig 1.0 is not used).
This version of the MAC address parser allows number of different
string formats for the address (e.g., 00:11:22:33:44:55, 0011.2233.4455,
001122334455, 00-11-22-33-44-55). It returns the number of characters
used from the input string in case of success.
It turns out that this is needed for both FT-over-DS and FT-over-air
when using mac80211, so it looks easiest to just unconditionally
re-configure the keys after reassociation when FT is used.
This is needed to allow reassociation processing to skip 4-way handshake
when FT-over-DS is used with an AP that has a previous association state
with the STA.
This seems to be needed at least with mac80211 when a STA is using
FT-over-DS to reassociate back to the AP when the AP still has the
previous association state.
This makes the call simpler for driver wrappers since there is no need
to parse the IEs anymore before indicating association. In addition,
this allows association processing to be extended to use other IEs
in the future.
This avoids conflict with both Label and Display being included at
the same time (which would make it difficult to figure out which
PIN was actually used).
IGTK get_seqnum needs to be skipped in the same way as GTK one when
rekeying group keys. Previously, the old PN value (the one from the
previous key) was indicated and that resulted in MMIE replay detection
at the station.
This can be used to test 802.11w by sending a protected or unprotected
deauth/disassoc frame.
hostapd_cli deauth <dst addr> test=<0/1>
hostapd_cli disassoc <dst addr> test=<0/1>
test=0: unprotected
test=1: protected
Must update sm->pairwise when fetching PMK-R1 SA.
Add a workaround for drivers that cannot set keys before association
(e.g., cfg80211/mac80211): retry PTK configuration after association.
If the PTK configuration prior to association fails, allow reassociation
attempt to continue and configure PTK after association. This is a
workaround for drivers that do not allow PTK to be configured before
association (e.g., current cfg80211/mac80211).
This attribute is supposed to indicate which methods the AP supports as
an Enrollee for adding external Registrars. It was left to 0 when the
AP code did not yet support external Registrars and was forgotten when
the ER support was added.
On NetBSD 5.0.2, wpa_supplicant build results in messages below.
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_get_ssid':
../src/drivers/driver_bsd.c:876: warning: passing argument 2 of 'bsd_get_ssid'
from incompatible pointer type
../src/drivers/driver_bsd.c:876: warning: passing argument 3 of 'bsd_get_ssid'
makes integer from pointer without a cast
../src/drivers/driver_bsd.c:876: error: too many arguments to function
'bsd_get_ssid'
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_scan':
../src/drivers/driver_bsd.c:1125: warning: passing argument 2 of 'bsd_set_ssid'
from incompatible pointer type
../src/drivers/driver_bsd.c:1125: warning: passing argument 3 of 'bsd_set_ssid'
makes integer from pointer without a cast
../src/drivers/driver_bsd.c:1125: error: too many arguments to function
'bsd_set_ssid'
gmake: *** [../src/drivers/driver_bsd.o] Error 1
This patch solves this issue.
This is a step in adding FT support with nl80211-based drivers.
driver_nl80211.c is now registering to handle the FT Action frames
and is able to transmit FT Request frame. Received FT Action frames
are not yet indicated as driver events.
This is needed to fix PTK derivation to use correct length. Previously,
64-octet PTK may have been derived if the authenticator did not already
have a STA entry. Now, the correct pairwise cipher suite is learned when
then PMK-R1 SA is received.
This was not supposed to have duplicate value with WPA_AUTH_ALG_LEAP.
The previous version was unable to set FT as the authentication
algorithm with nl80211.
With this patch, a client gets kicked out of the last BSS it was
attached to, when it is associating to a different one.
While mac80211 does allow a station to be present on multiple bss
interfaces, this does seem to cause problems both for the stack
and for hostapd.
This patch allows the nl80211 driver to create its own per-bss context
and pass it to the drv_priv pointer of the hostapd bss state.
With this and the following patch, stations can associate to and switch
between multiple BSS interfaces of a single wiphy.
This obsoletes a few instances of passing ifname to a callback, those
can be removed in a separate patch.
It might also be useful to move more fields from the driver data to the
per-bss data structure in the future.
This patch allows wpa_supplicant to compile on Debian's kfreebsd
architectures.
Patch by Stefan Lippers-Hollmann based on work done by Petr Salinger
and Emmanuel Bouthenot for 0.6.X (http://bugs.debian.org/480572).