Commit graph

4433 commits

Author SHA1 Message Date
Jouni Malinen
68db9ab047 WNM: Fix GTK/IGTK parsing for WNM-Sleep Mode Response frame
These fields do not use AES keywrap. Instead, they are protected with
management frame protection (and not included if PMF is disabled).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:48:34 +02:00
Jouni Malinen
e6955ba9f9 WNM: Add WNM-Sleep Mode into Extended Capabilities element
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:45:59 +02:00
Jouni Malinen
bd896433af nl80211: Register to process WNM-Sleep Mode Response frames
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:42:26 +02:00
Jouni Malinen
44f6d554ee wlantest: Process TX status frames as RX frames too
This is needed to allow capture files from the mac80211 cooked monitor
mode interface to be processed properly. Without this, the locally
generated frames may not get processed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 12:35:07 +02:00
Jouni Malinen
62f6fbb480 WNM: Accept GTK update version of WNM-Sleep Response status
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:33:55 +02:00
Jouni Malinen
e0c54a159b WNM: Use Dialog Token value 1 in WNM-Sleep Mode Request
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:32:53 +02:00
Jouni Malinen
cd0ef65784 WNM: Add option for passing TFS request from external programs
The optional tfs_req=<hex dump> parameter can be added for the wnm_sleep
command to specify the TFS request element to use in the WNM-Sleep Mode
Request frame.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:31:16 +02:00
Jouni Malinen
61c54976f5 WNM: Remove unnecessary path component from includes
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:29:44 +02:00
Jouni Malinen
e9199e3149 WNM: Add ctrl_iface command for sending WNM-Sleep Mode Request
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:29:10 +02:00
Jouni Malinen
2dfb9a447c WNM: Fix CONFIG_WNM use in Makefile
This code was within ifdef CONFIG_AP and did not get included unless
AP mode support was also enabled.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:28:19 +02:00
Jouni Malinen
9af431035f WNM: Remove unused variable
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:27:38 +02:00
Jouni Malinen
dbea8ac7ab Interworking: Allow SSID-based network exclusion for credentials
The new excluded_ssid parameter within a cred block can be used to
excluded networks from matching with credentials.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:01:50 +02:00
Jouni Malinen
9aae09f196 Interworking: Fix cred saving
Number of cred block fields were not saved when wpa_supplicant is
writing the configuration file.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:00:52 +02:00
Jouni Malinen
2047e596ec Interworking: Default to TTLS/MSCHAPv2 for NAI Realm list matching
If the AP does not advertize EAP parameters, default to TTLS/MSCHAPv2
when using username/password credentials.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:00:06 +02:00
Jouni Malinen
f5f37d3a4f Fix REAUTHENTICATE command after PMKSA caching
The current PMKSA cache entry needs to be clear to allow EAPOL
reauthentication to be started in case this association used PMKSA
caching.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 22:05:32 +02:00
Dan Williams
0639970d89 PMKSA: Clear current cache entry on disassociation
Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 21:53:55 +02:00
Dan Williams
6aaac006af PMKSA: Make deauthentication due to cache entry removal more granular
Expiry can always trigger a deauthentication, but otherwise,
deauthentication should only happen when the *current* cache entry is
removed and not being replaced. It should not happen when the current
PMK just happens to match the PMK of the entry being removed, since
multiple entries can have the same PMK when OKC is used and these
entries are often removed at different times.

This fixes an issue where eviction of the oldest inactive entry due to
adding a newer entry to a full cache caused a deauthentication when the
entry being removed had the same PMK as the current entry.

Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 21:39:19 +02:00
Jouni Malinen
b7593d35c1 Remove unnecessary PMKSA cache list modification
pmksa_cache_free_entry() takes care of updated the list head pointer
(pmksa->pmksa), so no need to do this change in the caller.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 19:45:54 +02:00
Jouni Malinen
f2a14be798 Use a shared function for freeing PSK list
There is no need to duplicate this code in multiple locations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 18:01:55 +02:00
Jouni Malinen
fc5550a1c2 Use RADIUS shared secret consistently in RX handler
Use the shared_secret pointer from RADIUS client implementation instead
of getting this from hostapd configuration data.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:57:16 +02:00
Michael Braun
5ee56c4e19 Keep and use list of PSKs per station for RADIUS-based PSK
This adds support for multiple PSKs per station when using a RADIUS
authentication server to fetch the PSKs during MAC address
authentication step. This can be useful if multiple users share a
device but each user has his or her own private passphrase.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
2ad3e6c858 Cache a list of PSK entries for RADIUS-based PSK delivery
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
14e919478e Extend radius_msg_get_tunnel_password() to support multiple passwords
The new function parameter can now be used to specify which password to
return.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:19:04 +02:00
Jouni Malinen
1a2d22a242 Remove unneeded header file inclusion
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:06:38 +02:00
Jouni Malinen
9796a86c23 Use a shared function for requesting a new connection
Both the ctrl_iface and D-Bus interface use similar functionality to
request a new connection. Combine these to a single function to avoid
need to maintain duplicated implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 16:30:30 +02:00
Jouni Malinen
c27a94f765 Remove unused function prototype
This function was not added, so the prototype should not have been here
either.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 16:27:19 +02:00
Jouni Malinen
f1a5263389 Maintain maximum blacklist count over list clear operations
wpas_connection_failed() uses the blacklist count to figure out a
suitable time to wait for the next scan. This mechanism did not work
properly in cases where the temporary blacklist gets cleared due to no
other BSSes being available. Address this by maintaining an additional
count of blacklisting values over wpa_blacklist_clear() calls. In
addition, add one more step in the count to timeout mapping to go to 10
second interval if more than four failures are seen.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 16:20:44 +02:00
Jouni Malinen
4115303bbe Document wpa_s->scan_req
Use an enum with documented values to make it easier to understand how
wpa_s->scan_req is used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 15:55:32 +02:00
Jouni Malinen
215ae884d6 Mark sme_send_authentication() static
This function is not used outside sme.c.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 15:47:43 +02:00
Jouni Malinen
5cc7032239 P2P: Avoid multi-channel scans when they are not needed
If the driver does not support multi-channel concurrency and a virtual
interface that shares the same radio with the current interface is
operating there may not be need to scan other channels apart from the
current operating channel on the other virtual interface. Filter out
other channels in case we are trying to find a connection for a station
interface when we are not configured to prefer station connection and a
concurrent operation is already in process.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 12:47:43 +02:00
Jouni Malinen
13e1d2e292 Indicate if PMF was negotiated for the connection
Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF
was negotiated for the connect (1 = optional in this BSS, 2 = required
in this BSS).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:45:17 +02:00
Jouni Malinen
3c8e4ec012 Interworking: Enable key_mgmt WPA-EAP-SHA256 if PMF is enabled
If the global pmf=1/2 parameter is used to enable PMF for Interworking
networks, add WPA-EAP-SHA256 to the temporary network block to allow
connection to PMF required APs.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:31:17 +02:00
Jouni Malinen
62d4980331 Allow PMF to be enabled by default
Previously, PMF (protected management frames, IEEE 802.11w) could be
enabled only with a per-network parameter (ieee80211w). The new global
parameter (pmf) can now be used to change the default behavior to be PMF
enabled (pmf=1) or required (pmf=2) for network blocks that do not
override this with the ieee80211w parameter.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:21:29 +02:00
Amitkumar Karwar
368b1957a6 Allow OBSS scan and 20/40 coex reports to non-SME drivers
We enable this feature for non-SME drivers as well if
they explicitly indicate need for it.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
2012-11-24 18:08:48 +02:00
Jouni Malinen
3d83a6b9b6 Sync with linux/nl80211.h in wireless-testing.git
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 18:04:55 +02:00
Johannes Berg
3117ad4283 hostapd: Add second VHT frequency segment config
Add the configuration option vht_oper_centr_freq_seg1_idx
for the second segment of an 80+80 MHz channel and use it
when building the VHT operation IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 18:02:29 +02:00
Johannes Berg
202d97d477 hostapd: Add VHT PHY selector if VHT is required
If VHT is required, add the VHT PHY selector to
the (extended) supported rates IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 17:27:16 +02:00
Robert Shade
bff954e9a2 Verify that the selected BSS has a better signal level before roaming
This prevents situations like the following where we roam to a
lesser quality BSS just because the signal level delta is over our
threshold.

wlan0: Considering within-ESS reassociation
wlan0: Current BSS: 00:24:6c:74:0a:40 level=-51
wlan0: Selected BSS: 00:24:6c:74:0a:e0 level=-64
wlan0: Request association: reassociate: 0  selected: 00:24:6c:74:0a:e0
    bssid: 00:24:6c:74:0a:40  pending: 00:00:00:00:00:00  wpa_state: COMPLETED

Signed-hostap: Robert Shade <robert.shade@gmail.com>
2012-11-24 17:17:50 +02:00
Pontus Fuchs
fb660a9431 Do not double free cfg struct if netlink_init() fails
If netlink_init() fails on socket create or bind the cfg struct
provided as parameter is freed by netlink_init(). Callers of
netlink_init() also free this struct on their error paths leading
to double free.

Signed-hostap: Pontus Fuchs <pontus.fuchs@gmail.com>
2012-11-24 16:47:20 +02:00
Jouni Malinen
e99b4f3a14 HS 2.0: Add Home SP FQDN and roaming/home to status command
This allows the ctrl_iface STATUS information to be used to determine
which Home SP credential (domain in the cred block) was used and whether
the network is operated by the home SP.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-24 12:24:40 +02:00
Jouni Malinen
9afe52eb92 HS 2.0: Add REMOVE_CRED sp_fqdn=<FQDN> command
This allows credential entries to be removed based on SP FQDN without
having to iterate through the configured entries from an external
program to figure out which credentials should be removed for a specific
SP.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-24 12:24:37 +02:00
Jouni Malinen
736d4f2d77 HS 2.0: Remove temporary network block on cred block removal
If the credential that was used to create a temporary HS 2.0 network
block is removed, remove the network block, too.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-24 12:24:34 +02:00
Jouni Malinen
f403dcd648 HS 2.0: Maintain a copy of HS 2.0 Indication from Association Request
This allows the AP to figure out whether a station is a HS 2.0 STA
during the association and access any information that the STA may have
included in this element.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-24 12:24:31 +02:00
Jouni Malinen
d49ea68284 Android: Force group access to ctrl_iface directory
wpa_supplicant is started from /init.*.rc on Android and that seems
to be using umask 0077 which would leave the control interface
directory without group access. This breaks things since Wi-Fi
framework assumes that this directory can be accessed by other
applications in the wifi group. Fix this by adding group access even
if umask value would prevent this.

In most cases, this issue was not hit since the control interface
directory is normally created by that same init.*.rc file with suitable
mode and wpa_supplicant is killed in the way that does not allow it to
remove the file. However, if wpa_supplicant is allowed stop cleanly, it
will remove the directory and the next start could result with the Wi-Fi
framework not being able to use Wi-Fi (and GUI not showing Wi-Fi getting
enabled).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 17:06:36 +02:00
Sunil Dutt
ffa45a1343 P2P: Increase the maximum number of PD Request retries
Change the maximum retry limit from 10 to 120 to match the behavior
used with GO Negotiation Request frames when trying to start GO
Negotiation with a peer that does not acknowledge frames (e.g., due
to being in sleep or on another channel most of the time).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 01:15:51 +02:00
Sunil Dutt
6b947db103 P2P: Remove PD-before-join-timeout mechanism
The PD Request retry limit can be used to achieve the same behavior,
so drop this duplicated timeout mechanism and control the timeout
based on MAX_PROV_DISC_REQ_RETRIES.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 01:15:51 +02:00
Jouni Malinen
175171ac6c P2P: Retry PD Request in join-a-running-group case
The GO may be in sleep when we send a PD Request frame to indicate that
we are about to join a running group. Previously, this frame was not
retried more than normal low level retries. This can result in the GO
not getting the frame especially in cases where concurrent multi-channel
operations or aggressive sleep schedule is used since most drivers do
not yet synchronize with the GO's NoA before association.

Increase the likelihood of the GO receiving the PD Request frame by
retransmitting it similarly to the PD-for-GO-Negotiation case. Start
the actual join operation only after these retries have failed to get
an acknowledgment from the GO to give the connection attempt a chance
to succeed if the driver implements better NoA synchronization for it.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 00:53:42 +02:00
Sunil Dutt
6752716663 P2P: Set user_initiated_pd separately from the join parameter
p2p_prov_disc_req() used the join parameter to figure out whether the PD
request was a user initiated or not. This does not cover all use cases
of PD, so add a separate parameter to allow caller to indicate whether
the user requested the operation.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 00:48:58 +02:00
Jouni Malinen
16e38f2e34 Android: Fix AP builds to include the new eap_user_db.c
This is needed to fix the builds after commit
ee431d77a5.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-21 17:55:36 +02:00
Vladimir Kondratiev
9c6f8cb9c8 Fix wpa_supplicant compilation after adding eap_user database
Commit ee431d77a5 broke wpa_supplicant
compilation:

../src/ap/ieee802_1x.o: In function `ieee802_1x_get_eap_user':
/../src/ap/ieee802_1x.c:1689: undefined reference to `hostapd_get_eap_user'
collect2: error: ld returned 1 exit status
make: *** [wpa_supplicant] Error 1

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
2012-11-21 17:49:47 +02:00