Commit graph

2632 commits

Author SHA1 Message Date
Jouni Malinen
ce46ec8df0 SAE: Store the group order in EC context data
This makes the SAE implementation a bit simpler by not having to build
the bignum for group order during execution.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
4925b303db SAE: Use defines for key lengths
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
7babd2539c SAE: Add a define for maximum supported prime length
This can be used to increase buffer sizes when adding support for new
groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
12e06dc228 SAE: Use sae->prime_len instead of hardcoded 32
This is needed to allow multiple groups to be supported.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
19a5bd0a25 SAE: Use the EC context from struct sae_data
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
a46d72d7d7 SAE: Maintain EC group context in struct sae_data
This can be used to share same EC group context through the SAE
exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
aadabe7045 SAE: Use crypto wrappers instead of direct OpenSSL calls
This makes the SAE implementation independent of the crypto/bignum
library.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
619c70a0b2 crypto: Add wrappers for OpenSSL BIGNUM and EC_POINT
These new crypto wrappers can be used to implement bignum and EC
operations using various crypto libraries.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
d136c376f2 SAE: Add support for Anti-Clogging mechanism
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
4838ff3ef4 SAE: Do not allow re-use of peer-scalar in a new protocol instance
IEEE Std 802.11-2012, 11.3.8.6.1: If there is a protocol instance for
the peer and it is in Authenticated state, the new Commit Message
shall be dropped if the peer-scalar is identical to the one used in
the existing protocol instance.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
dd43026a19 SAE: Rename state variables to match IEEE 802.11 standard
The enum values for struct sae_data::state now match the protocol
instance states as defined in IEEE Std 802.11-2012, 11.3.8.2.2

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
47b55a3ef5 SAE: Use PMK in 4-way handshake
Use the PMK that is derived as part of the SAE authentication in the
4-way handshake instead of the PSK.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
f2e9818f73 SAE: Add processing of the confirm message
This adds validation of the received confirm messages for SAE.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
fb8fcc2950 SAE: Add generation of the confirm message fields
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
146f6c9a00 SAE: Add processing of the commit message
This adds validation of the received commit messages and key derivation
for SAE.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
8e31e9550a SAE: Add generation of the commit message fields
This adds derivation of PWE and the needed commit values so that the
full SAE commit message can be built.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
750efe6ea6 SAE: Move related operations next to each other
There is no need to keep the two SAE steps separated from each other.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
98efcc4176 SAE: Use a shared data structure for AP and station
This makes it easier to share common functions for both roles.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Johannes Berg
05a8d4221d nl80211: Pass station VHT capabilities to kernel
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-01-12 17:51:52 +02:00
Johannes Berg
a9a1d0f08a hostapd: Pass VHT capabilities to driver wrapper
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-01-12 17:51:52 +02:00
Johannes Berg
89b800d726 nl80211: Support VHT configuration
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-01-12 17:51:52 +02:00
Jouni Malinen
ebeca8e3d1 Sync with linux/nl80211.h in wireless-testing.git
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Johannes Berg
fa4763369a hostapd: Allow configuring driver to VHT
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-01-12 17:51:52 +02:00
Jouni Malinen
7ab5441262 The hostap.git master branch is now used for 2.1 development
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:10 +02:00
Jouni Malinen
22760dd947 Prepare for hostapd/wpa_supplicant v2.0 release
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:42:53 +02:00
Jouni Malinen
34d18540fc EAP-FAST: Allow empty PAC file to be used
Even if the PAC file does not start with the proper header line, allow
the file to be used if it is empty. [Bug 423]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:33:22 +02:00
Jouni Malinen
2e8483bf12 Fix authenticator PMKSA cache expiration timer setup
The PMKSA cache expiration timer was not actually ever initialized since
the only place for registering the timeout was in the timeout handler.
Fix this by initializing the timer whenever a new PMKSA cache entry is
added to the beginning of the list (i.e., when it was the first entry or
expires before the entry that was previously going to expire first).
[Bug 393]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:21:50 +02:00
Jouni Malinen
af220315e6 Fix EAPOL frame sending to non-QoS STAs
Commit 4378fc14eb started using QoS Data
frames for QoS STAs. It used the correct flags value for WPA/RSN
EAPOL-Key frames, but wrong flags for IEEE 802.1X EAPOL frames. The
WPA_STA_WMM value used in driver_nl80211.c happens to be identical to
WLAN_STA_ASSOC in sta->flags and this makes driver_nl80211.c try to use
QoS header for all STAs. Fix this by properly converting the flags from
WLAN_STA_* to WPA_STA_*. [Bug 426]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:01:54 +02:00
Masashi Honma
f96c1d76fd P2P: Fix some memory leaks in p2p_add_device()
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
2013-01-12 10:30:07 +02:00
Jouni Malinen
9bb1025a2e EAP-AKA server: Fix fallback to full auth
Commit 68a41bbb44 broke fallback from
reauth id to fullauth id by not allowing a second AKA/Identity round to
be used after having received unrecognized reauth_id in the first round.
Fix this by allowing fullauth id to be requested in such a case.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-08 15:45:05 +02:00
Sunil Dutt
c0810ddb3c P2P: Use the same Dialog Token value for every PD retry
Commit 175171ac6c ensured that the PD
requests are retried in join-a-running group case and the Enrollee is
started on either receiving the PD response or after the retries. Each
PD request is retried with an unique dialog token and a PD response from
the GO with a mismatched dialog token is ignored. Thus, the P2P client
would continue retrying the PD requests till the response with a
matching dialog token is obtained. This would result in the GO getting
multiple PD requests and a corresponding user notification (POP UP) in
implementations where each PD request results in a POP UP, resulting in
a bad user experience. To avoid such behavior, the same dialog token
value is used for every retry in the same PD exchange.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-08 13:12:34 +02:00
Jouni Malinen
708bc8e0e4 nl80211: Restore previous nlmode if set_freq for AP mode fails
wpa_driver_nl80211_ap() returned error if set_freq failed, but left the
previously set nlmode to GO/AP. While this should not be issue for most
purposes, it leaves the interface in somewhat unexpected state and could
potentially affect operations prior to next connection attempt. Address
this by restoring the previous nlmode if AP mode cannot be started for
some reason.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-08 00:34:08 +02:00
Jouni Malinen
e28c226df0 Split p2p_prepare_channel() into multiple functions
This makes it easier to read the code for the two possible cases
(forced/preferred channel and automatic channel selection).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 08:37:13 +02:00
Jouni Malinen
a5830ede8e P2P: Document operating channel selection functions
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 08:27:11 +02:00
Arik Nemtsov
50285f5ca8 P2P: Always re-select operating channel if not hard coded
Since the operating channel is randomly set to 1/6/11 on init, which is
commonly included in the channel intersection, we were effectively
ignoring the set of P2P preferred channels when trying to improve
channel selection after having received peer information. Fix this by
trying to get the best channel we can, unless the user hard coded the
operating channel in the configuration file or p2p_connect command. Fall
back to the initial randomly selected channel if a better one cannot be
chosen.

Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-12-27 08:16:42 +02:00
Jouni Malinen
bd594ea0da P2P: Do not allow re-selection of GO channel if forced_freq in use
Even if the peer does not accept the forced channel, we should not allow
the forced_freq parameter to be be overridden, i.e., such a case needs
to result in GO Negotiation failure.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 08:06:55 +02:00
Jouni Malinen
92ac756c84 P2P: Set FORCE_FREQ flag as part of p2p_prepare_channel()
Both p2p_connect and p2p_authorize use the same functionality to select
the channel preferences for GO Negotiation. The part of setting this
device flag was copied to each function, but it can also be handled by
the shared function after some reordering of code.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 07:58:04 +02:00
Jouni Malinen
b1129f657c P2P: Share a single function for GO channel selection
The exact same mechanism was used for determining the operating channel
at the device that becomes the GO regardless of whether this was
triggered by reception of GO Negotiation Request of Response frame. Use
a shared function to avoid duplicated implementation and potential
differences in the future.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 07:39:57 +02:00
Arik Nemtsov
62120d59b4 P2P: Prefer operating channels where HT40 is possible
When no other user preference is specified, opt to use an operating
channel that allows HT40 operation. This way, if driver capabilities
and regulatory constraints allow, we might enjoy increased bandwidth.

Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-12-25 19:59:04 +02:00
Baruch Siach
50d405ec87 atheros: Release sock_raw and reset appfilter on hapd_init failure
Signed-hostap: Baruch Siach <baruch@tkos.co.il>
2012-12-25 13:50:41 +02:00
Yoni Divinsky
3dfd0484fc P2P: Consider age for the P2P scan results
cfg80211 caches the scan results according the channel number. Due to
the 15 sec aging this might cause the user mode to see more than one
scan result with the same BSSID, e.g. - one scan result for the
P2P Device and one for the P2P GO (once it's enabled).

Fix this by updating the device entry only if the new peer entry is
newer than the one previously stored.

Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com>
Signed-off-by: Victor Goldenshtein <victorg@ti.com>
Signed-off-by: Igal Chernobelsky <igalc@ti.com>
Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-12-25 11:22:42 +02:00
Jouni Malinen
2049a875bc WNM: Additional BSS Transition Management capability
Add some more functionality for BSS Transition Management:
- advertise support for BSS Transition Management in extended
  capabilities element
- add hostapd.conf parameter bss_transition=1 for enabling support
  for BSS Transition Management
- add "hostapd_cli disassoc_imminent <STA> <num TBTTs>" for sending
  disassociation imminent notifications for testing purposes
- wpa_supplicant: trigger a new scan to find another BSS if the
  current AP indicates disassociation imminent (TODO: the old AP needs
  to be marked to use lower priority to avoid re-selecting it)

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-22 20:27:30 +02:00
Sven Eckelmann
a5e1eb2092 nl80211: Run TKIP countermeasures in correct hostapd_data context
hostapd can run with different VIF when using nl80211. Events about MIC
failures have to be processed in context of the VIF which received it
and not in context of the primary VIF. Otherwise the station belonging
to this VIF may not be found in the primary VIF station hash and
therefore no countermeasures are started or the countermeasures are
started for the wrong VIF.

Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
2012-12-22 16:19:52 +02:00
Jouni Malinen
8b24861154 Add Acct-Session-Id into Access-Request messages
This optional attribute may make it easier to bind together the
Access-Request and Accounting-Request messages. The accounting session
identifier is now generated when the STA associates instead of waiting
for the actual session to start after successfull authentication.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-18 18:13:31 +02:00
Vladimir Kondratiev
7829894c21 Introduce 60 GHz band
Basic support for the 60 GHz band. Neither P2P nor WPS are yet taken
care off. Allows to start AP with very simple config:

network={
        ssid="test"
        mode=2
        frequency=60480
        key_mgmt=NONE
}

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-18 11:50:35 +02:00
Sven Eckelmann
f1b44874c2 Fix initialization of ap_table_{max_size,expiration_time}
The config says that the default for ap_table_max_size is 255 and the
default for ap_table_expiration_time is 60. But the code doesn't reflect
the default values mentioned in the sample config file.

These variables completely disable the code for Overlapping Legacy BSS
Condition by default when they are not correctly initialized. WFA
certification requires this feature and therefore an AP would have
failed the certification process unless they were initialized manually
using the configuration file.

Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
2012-12-17 17:54:21 +02:00
Jouni Malinen
9904ff876a WPS: Add RF bands attribute conditionally to Probe Response frame
WSC IE in Beacon and Probe Response frames should behave consistently
as far as the RF Bands attribute is concerned. Use the same dualband
condition for adding this into Probe Response frames since the value
is not really needed if the AP is not a dualband AP.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-17 16:08:23 +02:00
Jouni Malinen
cd6be5c246 WPS: Use wps_rf_bands parameter to determine dualband functionality
If separate hostapd processes are used for different RF bands, the
dualband parameter for WPS was not set correctly. Allow dualband
indication (mainly, addition of RF bands attribute for PBC session
overlap detection) also based on wps_rf_bands value (if set to "ag").

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-17 16:06:10 +02:00
Jouni Malinen
0a66ce3c49 WNM: Add support for SSID List element matching
This allows Probe Request frame processing to compare the configured
SSID to the SSID List element in addition to the SSID element.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 21:22:24 +02:00
Jouni Malinen
b93c8509cc Add support for advertising UTF-8 SSID extended capability
This field can be used to indicate that UTF-8 encoding is used in the
SSID field.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 20:46:51 +02:00
Jouni Malinen
a8e93a1a01 WNM: Skip os_memcpy in wnmtfs_ie is NULL
It is cleaner to skip the memcpy call instead of trusting on the
length parameter being 0 in this case.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:48:39 +02:00
Jouni Malinen
835822d404 WNM: Fix GTK/IGTK encoding in WNM-Sleep Mode Exit frame
These subelements do not use AES key wrap (MFP is used instead).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:46:10 +02:00
Jouni Malinen
4da10640a7 WNM: Fix AP logic on when to include GTK/IGTK in WNM-Sleep Mode exit
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:27:09 +02:00
Jouni Malinen
615a5d559d WNM: Use defined macros for WNM-Sleep Mode Action Type values (AP)
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:24:06 +02:00
Jouni Malinen
c79938a584 WNM: Enable WNM-Sleep Mode configuration with hostapd SME/MLME
This allows hostapd to process WNM-Sleep Mode Request when using the
internal SME/MLME.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:16:17 +02:00
Jouni Malinen
ad3872a372 WNM: Use CONFIG_WNM more consistently
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. Previously it was possible to
define CONFIG_IEEE80211V without CONFIG_WNM which would break the build.
In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and
WNM is a better term to use for this new functionality anyway.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 18:22:54 +02:00
Jouni Malinen
df80a0ccff WNM: Use defined macros for WNM-Sleep Mode Action Type values
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 12:57:38 +02:00
Jouni Malinen
68db9ab047 WNM: Fix GTK/IGTK parsing for WNM-Sleep Mode Response frame
These fields do not use AES keywrap. Instead, they are protected with
management frame protection (and not included if PMF is disabled).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:48:34 +02:00
Jouni Malinen
bd896433af nl80211: Register to process WNM-Sleep Mode Response frames
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:42:26 +02:00
Dan Williams
0639970d89 PMKSA: Clear current cache entry on disassociation
Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 21:53:55 +02:00
Dan Williams
6aaac006af PMKSA: Make deauthentication due to cache entry removal more granular
Expiry can always trigger a deauthentication, but otherwise,
deauthentication should only happen when the *current* cache entry is
removed and not being replaced. It should not happen when the current
PMK just happens to match the PMK of the entry being removed, since
multiple entries can have the same PMK when OKC is used and these
entries are often removed at different times.

This fixes an issue where eviction of the oldest inactive entry due to
adding a newer entry to a full cache caused a deauthentication when the
entry being removed had the same PMK as the current entry.

Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 21:39:19 +02:00
Jouni Malinen
b7593d35c1 Remove unnecessary PMKSA cache list modification
pmksa_cache_free_entry() takes care of updated the list head pointer
(pmksa->pmksa), so no need to do this change in the caller.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 19:45:54 +02:00
Jouni Malinen
f2a14be798 Use a shared function for freeing PSK list
There is no need to duplicate this code in multiple locations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 18:01:55 +02:00
Jouni Malinen
fc5550a1c2 Use RADIUS shared secret consistently in RX handler
Use the shared_secret pointer from RADIUS client implementation instead
of getting this from hostapd configuration data.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:57:16 +02:00
Michael Braun
5ee56c4e19 Keep and use list of PSKs per station for RADIUS-based PSK
This adds support for multiple PSKs per station when using a RADIUS
authentication server to fetch the PSKs during MAC address
authentication step. This can be useful if multiple users share a
device but each user has his or her own private passphrase.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
2ad3e6c858 Cache a list of PSK entries for RADIUS-based PSK delivery
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
14e919478e Extend radius_msg_get_tunnel_password() to support multiple passwords
The new function parameter can now be used to specify which password to
return.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:19:04 +02:00
Jouni Malinen
1a2d22a242 Remove unneeded header file inclusion
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:06:38 +02:00
Jouni Malinen
13e1d2e292 Indicate if PMF was negotiated for the connection
Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF
was negotiated for the connect (1 = optional in this BSS, 2 = required
in this BSS).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:45:17 +02:00
Jouni Malinen
62d4980331 Allow PMF to be enabled by default
Previously, PMF (protected management frames, IEEE 802.11w) could be
enabled only with a per-network parameter (ieee80211w). The new global
parameter (pmf) can now be used to change the default behavior to be PMF
enabled (pmf=1) or required (pmf=2) for network blocks that do not
override this with the ieee80211w parameter.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:21:29 +02:00
Amitkumar Karwar
368b1957a6 Allow OBSS scan and 20/40 coex reports to non-SME drivers
We enable this feature for non-SME drivers as well if
they explicitly indicate need for it.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
2012-11-24 18:08:48 +02:00
Jouni Malinen
3d83a6b9b6 Sync with linux/nl80211.h in wireless-testing.git
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 18:04:55 +02:00
Johannes Berg
3117ad4283 hostapd: Add second VHT frequency segment config
Add the configuration option vht_oper_centr_freq_seg1_idx
for the second segment of an 80+80 MHz channel and use it
when building the VHT operation IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 18:02:29 +02:00
Johannes Berg
202d97d477 hostapd: Add VHT PHY selector if VHT is required
If VHT is required, add the VHT PHY selector to
the (extended) supported rates IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 17:27:16 +02:00
Pontus Fuchs
fb660a9431 Do not double free cfg struct if netlink_init() fails
If netlink_init() fails on socket create or bind the cfg struct
provided as parameter is freed by netlink_init(). Callers of
netlink_init() also free this struct on their error paths leading
to double free.

Signed-hostap: Pontus Fuchs <pontus.fuchs@gmail.com>
2012-11-24 16:47:20 +02:00
Jouni Malinen
f403dcd648 HS 2.0: Maintain a copy of HS 2.0 Indication from Association Request
This allows the AP to figure out whether a station is a HS 2.0 STA
during the association and access any information that the STA may have
included in this element.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-24 12:24:31 +02:00
Sunil Dutt
ffa45a1343 P2P: Increase the maximum number of PD Request retries
Change the maximum retry limit from 10 to 120 to match the behavior
used with GO Negotiation Request frames when trying to start GO
Negotiation with a peer that does not acknowledge frames (e.g., due
to being in sleep or on another channel most of the time).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 01:15:51 +02:00
Jouni Malinen
175171ac6c P2P: Retry PD Request in join-a-running-group case
The GO may be in sleep when we send a PD Request frame to indicate that
we are about to join a running group. Previously, this frame was not
retried more than normal low level retries. This can result in the GO
not getting the frame especially in cases where concurrent multi-channel
operations or aggressive sleep schedule is used since most drivers do
not yet synchronize with the GO's NoA before association.

Increase the likelihood of the GO receiving the PD Request frame by
retransmitting it similarly to the PD-for-GO-Negotiation case. Start
the actual join operation only after these retries have failed to get
an acknowledgment from the GO to give the connection attempt a chance
to succeed if the driver implements better NoA synchronization for it.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 00:53:42 +02:00
Sunil Dutt
6752716663 P2P: Set user_initiated_pd separately from the join parameter
p2p_prov_disc_req() used the join parameter to figure out whether the PD
request was a user initiated or not. This does not cover all use cases
of PD, so add a separate parameter to allow caller to indicate whether
the user requested the operation.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 00:48:58 +02:00
Jouni Malinen
ee431d77a5 Add preliminary support for using SQLite for eap_user database
CONFIG_SQLITE=y option can now be used to allow the eap_user_file text
file to be replaced with a SQLite database
(eap_user_file=sqlite:/path/to/sqlite.db). hostapd.eap_user_sqlite
shows an example of how the database tables can be created for this
purpose. This commit does not yet include full functionality of the
text file format, but at least basic EAP-TTLS/MSCHAPv2 style
authentication mechanisms with plaintext passwords can be used for
tests.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-21 00:47:47 +02:00
Jouni Malinen
6201b052c8 nl80211: Add support for TDLS request event from the driver
The NL80211_CMD_TDLS_OPER command can be used as an event based on a
recent cfg80211 commit, so add code to map that to internal
wpa_supplicant event to request TDLS link setup/teardown.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-19 17:00:07 +02:00
Jouni Malinen
c772d054c2 hostapd: Fix a regression in TKIP countermeasures processing
Commit 296a34f0c1 changed hostapd to
remove the internal STA entry at the beginning of TKIP countermeasures.
However, this did not take into account the case where this is triggered
by an EAPOL-Key error report from a station. In such a case, WPA
authenticator state machine may continue processing after having
processed the error report. This could result in use of freed memory.
Fix this by stopping WPA processing if the STA entry got removed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-18 13:06:03 +02:00
Jouni Malinen
6366a17ce3 WPS: Add a workaround for PBC session overlap detection
Some deployed station implementations implement WPS incorrectly and
end up causing PBC session overlap issues by indicating active PBC
mode in a scan after the WPS provisioning step. Work around this by
ignoring active PBC indication in a Probe Request from a station that
completed PBC provisioning during the last five seconds.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-15 19:59:04 +02:00
Jouni Malinen
1ce0aa044c Remove unused disassociate() driver_ops
Commits 07783eaaa0 and
3da372fae8 removed the only users of the
disassociate() driver operation, so these driver wrapper functions can
also be removed now.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-15 00:06:12 +02:00
Jouni Malinen
0779c227af Hide strict-aliasing warning with gcc 4.7
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 20:29:20 +02:00
Jouni Malinen
9d7a63dc20 nl80211: Avoid strict-aliasing warning with gcc 4.7
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 20:28:27 +02:00
Christopher Wiley
a8c5b43ad3 nl80211: Roam correctly through cfg80211 without SME
Change the nl80211 driver in wpa_supplicant to correctly handle
connecting to a new AP through cfg80211 without SME capability. As
before, the driver will disconnect from the previously associated AP,
but now we attempt to immediately connect to our intended AP. This
prevents us from blacklisting the AP we were trying to connect to
because of a semantic mismatch between cfg80211 and wpa_supplicant. The
disconnect/connect patch generates a local disconnect nl80211 event
which we discard because we're already correctly tracking the pending
association request.

In detail:

cfg80211 does not support connecting to a new BSS while already
connected to another BSS, if the underlying driver doesn't support
separate authenticate and associate commands. wpa_supplicant is written
to expect that this is a supported operation, except for a little error
handling that disconnects from the current BSS when roaming fails and
relies on autoconnect logic to reconnect later. However, this failure to
connect is incorrectly attributed to the new AP we attempted to
associate with, rather than a local condition in cfg80211.

The combined effect of these two conditions is that full-mac drivers
accessible through cfg80211 but without SME capability take a long time
to roam across BSS's because wpa_supplicant will:
1) Fail to associate for local reasons
2) Disconnect and return that the association request failed
3) Blacklist the association target (incorrectly)
4) Do a scan
5) Pick a less desirable AP to associate with

Signed-hostap: Christoper Wiley <wiley@chromium.org>
2012-11-11 16:15:29 +02:00
Baruch Siach
b49019dd3d atheros: Remove redundant l2_packet_get_own_addr call
Commit deca6eff74 added a redundant call
to l2_packet_get_own_addr. Use the information we already have in
atheros_init.

Signed-hostap: Baruch Siach <baruch@tkos.co.il>
2012-11-11 16:07:28 +02:00
Jouni Malinen
58fd49c05d EAP-SIM/AKA server: Fix memory leak in error path
If identity round limit is reached, EAP-SIM/AKA session is terminated.
This needs to free the allocated message.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:15:49 +02:00
Jouni Malinen
8cd93a01a9 Check hapd_iface more consistently in hostapd_disable_iface()
There is no point in the hapd_iface == NULL validate after this pointer
has been dereferences, so move the code dereferencing hapd_iface after
the check.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:11:15 +02:00
Jouni Malinen
207fb86411 WPS: Remove deprecated UFD config method and OOB ctrl_iface
The UFD (USB flash drive) configuration method was deprecated in WSC
2.0. Since this is not known to be used, remove the UFD implementation
from hostapd and wpa_supplicant to allow the WPS implementation to be
cleaned up. This removes the now unused OOB operations and ctrl_iface
commands that had already been deprecated by the new NFC operations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:01:06 +02:00
Masashi Honma
30c371e8a5 P2P: Reduce redundant PSK generation for GO
The PSK generation done by pbkdf2_sha1() is one of the longest CPU time
users according to our profiling from boot to GO started.

So I have reduced some steps.

I could boot a GO by this command sequence.
-------------
add_net
set_network 0 ssid '"DIRECT-XX"'
set_network 0 psk
'"123456789012345678901234567890123456789012345678901234567890123"'
set_network 0 proto RSN
set_network 0 key_mgmt WPA-PSK
set_network 0 pairwise CCMP
set_network 0 auth_alg OPEN
set_network 0 mode 3
set_network 0 disabled 2
p2p_group_add persistent=0 freq=2412
-------------

By this sequence, pbkdf2_sha1() was called three times and the function
calculates the same value each time. Reduce number of calls to
pbkdf2_sha1() from 3 to 1 by caching the previous result.

Signed-hostap: Masashi Honma <masashi.honma at gmail.com>
2012-11-11 11:39:24 +02:00
Jouni Malinen
1e8a6e7553 Remove unused wpa_supplicant_disassociate()
This function is now unused after the last couple of commits that
removed the last uses, so remove this to keep code simpler since all
places that disassociate, can use deauthentication instead.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-05 17:05:37 +02:00
Jouni Malinen
3da372fae8 Use deauthentication instead of disassociation on RSN element mismatch
Even though the standard currently describes disassociation to be used
for RSN element mismatch between Beacon/Probe Response frames and
EAPOL-Key msg 3/4, this is unnecessary difference from other cases that
deauthenticate. In addition, there is no point in leaving the 802.11
Authentication in place in this case. To keep things simpler, use
deauthentication here to get rid of the only use of
wpa_sm_disassociate().

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-05 17:01:07 +02:00
Jouni Malinen
7d81932d27 nl80211: Make debug log more readable for driver events
Print the full name of the nl80211 event message in the debug log to
make it easier to parse the debug log.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-03 13:54:43 +02:00
Jouni Malinen
b363121a20 WPS: Reject invalid credential more cleanly
If WPS Registrar tries to provision a WPA/WPA2-Personal network without
including a valid Network Key, the network block cannot be used to
connect to the network. Reject such credential without adding the
network block. This makes wpa_supplicant send WSC_NACK as a response to
the invalid Credential and stop the provisioning process immediately
rather than only after trying unsuccessfully to connect to the network.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-01 16:30:35 +02:00
Jouni Malinen
96beff11d1 P2P: Allow discoverable interval for p2p_find to be configured
The new P2P_SET parameter disc_int can now be used to configure
discoverable interval for p2p_find operations. The format of the command
for setting the values is "P2P_SET disc_int <minDiscoverableInterval>
<maxDiscoverableInterval> <max TUs for discoverable interval>". The
first two parameters are given in units of 100 TUs (102.4 ms). The third
parameter can be used to further limit the interval into a specific TU
amount. If it is set to -1, no such additional limitation is enforced.
It should be noted that the P2P specification describes the random
Listen state interval to be in units of 100 TUs, so setting the max TU
value to anything else than -1 is not compliant with the specification
and should not be used in normal cases. The default parameters can be
set with "P2P_SET disc_int 1 3 -1".

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-30 15:12:04 +02:00
Jouni Malinen
9f36eac6e5 WPS: Remove old OOB NFC interface
The old WPS interface for using NFC has no known deployments and even
the binary libraries referenced here are not easily available anymore.
Since the new interface for using NFC with WPS covers the same
functionality, remove the old implementation to clean up WPS
implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-28 18:20:03 +02:00
Jouni Malinen
bd3a373767 WPS: Use AP Channel attribute in credential to speed up scan
When WPS is used with NFC connection handover, the AP may indicate its
operating channel within the credential information. Use this
informatiom, if present, to speed up the scan process.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-28 18:02:04 +02:00
Jouni Malinen
e65552ddf2 WPS: Add preliminary NFC connection handover support for Enrollee
This commit adds new wpa_supplicant ctrl_iface commands to allow
external programs to go through NFC connection handover mechanism
with wpa_supplicant taking care of the WPS processing. This version
includes only the case where wpa_supplicant is operating as a
station/Enrollee.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-28 17:39:46 +02:00