Currently the P2P Interface name[p2p-%s-%d] is reset when the P2P
Interface name reaches the "IFNAMSIZ" limit. Monitor interface name is
derived from p2p interface name with the addition of few characters
[mon.p2p-%s-%d] and hence Monitor interface name hits IFNAMSIZ limit
before P2P Interface name. Rename the monitor interface name to
mon-%s-%d to reduce the length to same with p2p-%s-%d.
Data path for stations that get successfully associated to the
hostapd but fail to get added in the driver/firmware, will not
work. In such cases, hostapd should deauth and disconnect such
stations. In such scenario, hostapd should disconnect the STAs.
Sample output with following patch
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: authenticated
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED 0c:74:c2:9a:4c:59
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: Could not add STA to kernel driver
wlan0: STA 0c:74:c2:9a:4c:59 IEEE 802.11: deauthenticated due to local deauth request
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Nishant Sarmukadam <nishants@marvell.com>
The password_hash parameter was not copied in case of the integrated
authentication server (but was for RADIUS server). This broke EAP
authentication when the user entry used NT-hash.
This currently unused function would have triggered wpabuf overflows
due to incorrect variable being reset to zero in the case the old
NoA wpabuf was large enough for the new data.
The EAPOL authenticator was previously forcing disconnection in the WPS
use case. However, this can be benefitial operation with any IEEE 802.1X
authentication mechanism and need not be limited to WPS. This helps some
use cases like EAP-FAST where provisioning may require two
authentication runs if the authentication server does not allow the PAC
provisioning step to be used for normal data connection. While the
station would be free to decide to re-associate in such a case, not all
stations do and as such, it helps if the AP does that instead of leaving
the association up with EAPOL state machine in HELD state for 60
seconds.
While EAP-FAST uses protected success notification, RFC 5422, Section
3.5 points out a possibility of EAP-Failure being sent out even after
protected success notification in case of provisioning. Change the
EAP-FAST peer implementation to accept that exception to the protected
success notification. This allows the station to re-connect more quickly
to complete EAP-FAST connection in the case the server rejects the
initial attempt by only allowing it to use to provision a new PAC.
If GO Negotiation Request (or in theory, also GO Negotiation Response)
frame is delivered multiple time for processing, the SSID of the group
could end up getting changed. This could result in possible issues if
the peer ended up using different SSID. To avoid this, make sure the
SSID does not get changed unless the negotiation is for a new group.
Whenever PMK gets changed (e.g., due to re-authentication), all PMKSA
caching entries that were created using the previous PMK needs to be
replaced. Previously, only the entry for the current AP was cleared.
Flush the other entries based on network_ctx matches to get rid of the
OKC entries. These entries can then be re-creating using OKC with the
new PMK.
When polling a station that has been inactive for a while, hostapd currently
always uses a null data frame. This is a bit strange with uAPSD clients
(though it seems to mostly work) since the EOSP bit can never be set in a
non-QoS frame. Make hostapd use QoS null data frames for probing when the
station is a QoS STA.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Wrap self-generated WPS credential for new AP settings and send that to
control interface to provide the needed information in
WPS-NEW-AP-SETTINGS for external processing.
GAS/ANQP is a generic protocol and in no way specific to P2P, so move
routines used to build GAS/ANQP frames to a separate file that can be
shared for other uses than just P2P service discovery.
The new function, p2p_scan_ie_buf_len(), can be used to figure out
how large a buffer needs to be allocated for p2p_scan_ie() use. This
makes it easier to add new data into the buffer without forcing all
callers to be updated to use a larger buffer.
The P2P search mechanism depends on the same scan functionality that
is used for station mode scans. If these operations are being used
at the same time, scan result processing is not handled properly.
Avoid unexpected behavior by delaying station mode scan requests
if a P2P operation is in progress.
Among other things, this allows the station mode connection attempt
to be continued after a P2P find or group formation has been completed
if the interface is available (i.e., when the P2P group uses a
separate virtual interface).
If the initial attempt to start a scan for p2p_find fails, an error
is reported. However, the P2P scan handler and search state was
left behind. That can result in unexpected behavior when the next
non-P2P scan results are indicated. Avoid this by clearing the
P2P search state on failure.
This new flag can be used to change wpa_supplicant behavior in the
default ap_scan=1 mode to move BSS selection into the driver (likely
firmware). This commit is only adding the flag; separate commits
will be used to change the actual connection/roaming behavior.
These protocols seem to be abandoned: latest IETF drafts have expired
years ago and it does not seem likely that EAP-TTLSv1 would be
deployed. The implementation in hostapd/wpa_supplicant was not complete
and not fully tested. In addition, the TLS/IA functionality was only
available when GnuTLS was used. Since GnuTLS removed this functionality
in 3.0.0, there is no available TLS/IA implementation in the latest
version of any supported TLS library.
Remove the EAP-TTLSv1 and TLS/IA implementation to clean up unwanted
complexity from hostapd and wpa_supplicant. In addition, this removes
any potential use of the GnuTLS extra library.
This fixes some build issues in GnuTLS wrapper to be compatible with
at least following GnuTLS versions: 2.2.5, 2.4.3, 2.6.6, 2.8.6,
2.10.5, 2.12.11, 3.0.3.
Instead of using separate bad_record_mac and decryption_failed alerts,
use only bad_record_mac alert regardless of how the CBC decryption
failed. This provides less information to attackers that could modify
packets. In addition, instead of returning immediately on error, run
through the MAC check to make timing attacks more difficult.
When the received data will be decrypted, there is no need to first
copy it and then handle decryption in-place when decryption step can
take care of both operations.
TLS v1.0 and v1.1 RFCs were not exactly clear on the use of the
protocol version in record later. As such, accept any {03,xx} value
to remain compatible with existing implementations and new protocol
versions.
The p2p->drv_in_listen variable is used to track Listen state operations
in the driver. This is cleared when the driver reports that the Listen
state has ended (p2p_listen_end() gets called). However, it is possible
that the driver does not indicate that if the Listen state is canceled.
This can apparently happen in some cases where p2p_connect command is
issues while the Listen state is in progress.
Work around this issue by clearing p2p->drv_in_listen when Listen state
is stopped as part of p2p_stop operation. This allows the P2P module to
process CONNECT_LISTEN timeout in p2p_timeout_connect_listen() to move
to CONNECT state, e.g., when starting GO Negotiation after Device
Discoverability mechanism.
The "too long" buffer (32+1 octets) prevented AP from starting up with
32 octet SSID with WE-21 and newer. Fix this by reducing the
SIOCGIWESSID buffer length.
This adds support for RSN pre-authentication with nl80211 interface and
drivers that handle roaming internally (i.e., wpa_supplicant is not
responsible for requesting scan results that provide the needed
information without these events).
cfg80211 does not currently allow NL80211_CMD_CONNECT when there
is already an association. This can result in wpa_supplicant being
unable to request a connection if the interface is already in
connected state. Work around this by requesting disconnection if
the connect command fails with EALREADY error. This allows
wpa_supplicant to recover from the unexpected state and complete
the connect request on next attempt.
eapol_test command line argument -o<file> can now be used to request
the received server certificate chain to be written to the specified
file. The certificates will be written in PEM format. [Bug 391]
Make the WPS processing of (Re)Association Request frame IEs conditional
on WPS support. This fixes a build issue with wps_is_20() not being
defined and makes the non-WPS build a bit smaller.
os_*() wrappers should be used instead of functions from time.h.
Removing the header from includes.h enforces this. os_unix.c can
include this its uses are valid wrapper calls. wps_upnp.c uses
gmtime() for which there is no os_*() wrapper available yet, so
allow it to use time.h, too. Similarly, allow dump_state.c to
use time.h for ctime().
Currently, the following can happen:
1) P2P state machine requests R-O-C
2) user changes their mind and aborts
3) P2P state machine aborts R-O-C
4) driver_nl80211 rejects abort since there
was no notification about the start yet
5) R-O-C period start notification from kernel
6) P2P state machine requests new R-O-C
7) this overlaps with old R-O-C -- iwlwifi driver
can't handle that and returns -EBUSY
8) state machine stops dead in its tracks
The reason is that the abort isn't going through properly. Instead of
tracking whether a R-O-C is active in driver_nl80211, track whether one
was requested to avoid this scenario.
Reported-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This allows drivers to disable CCK rates from Probe Request frames.
For nl80211, this is currently applying only to the supported rates
element(s), but this mechanism could be extended to address TX rate
control masking, too, to lessen need for global rate disabling.
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Since the kernel can now advertise P2P concurrent support by advertising
interface combinations, we can take advantage of that and automatically
use P2P_CONCURRENT / P2P_MGMT_AND_NON_P2P for drivers that advertise
support.
Keep driver_param=use_p2p_group_interface=1 for anyone not advertising
interface combinations in their drivers yet.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The default config methods was hardcoded to claim support for
PushButton, Display, and Keypad. While these are supported by
most P2P devices, there may be some cases where it is convenient
to be able to disable a specific config method. Use config_methods
configuration parameter to set the default values for Config Methods
in the P2P Device Info attribute.
The P2P specification (3.1.4.3) disallows use of the Label configuration
method between two P2P devices. This was previously enforced at upper
level, but the obsolete code can be removed from wpa_supplicant. This
adds a bit more strict enforcement of the policy, but should not result
in practical differences since no known P2P implementation uses Label
config method.
If a network configuration block is removed or modified, flush
all PMKSA cache entries that were created using that network
configuration. Similarly, invalidate EAP state (fast re-auth).
The special case for OKC on wpa_supplicant reconfiguration
(network_ctx pointer change) is now addressed as part of the
PMKSA cache flushing, so it does not need a separate mechanism
for clearing the network_ctx values in the PMKSA cache.
If the driver maintains its own copy of the PMKSA cache, we need to
clear an entry from the driver whenever wpa_supplicant is dropping
an old PMKSA cache entry.
The Deauth/Disassoc TX status callbacks were ending up kicking the
station entry from kernel driver when test functionality was used to
inject Deauth/Disassoc frames from the AP with the purpose of leaving
the local association in place. Fix this by using STA flags to figure
out whether there was a pending callback for the frame that we need
to act on.
In addition, add forgotten functionality for the Disassoc TX status
callback to match the behavior with Deauth.
The previous code was trying to figure out which WPA version is
used based on the extra IEs requested for Association Request. That
did not work properly in cases where non-WPA networks are used with
some extra IEs. Fix this by using more robust mechanism for passing
the WPA versions from core wpa_supplicant to the driver_ops
associate().
Instead of hardcoding the Config Methods attribute value in Probe
Request frames, set this based on the configured parameter
config_methods to allow correct set of methods to be advertised.
The device description file may include multiple devices. Improve the
simplistic parser by first trying to find the WFADevice:1 device before
fetching the device parameters. While this is still far from complete
XML parsing, this should address the most common root device
specifications.
This allows non-mac80211 drivers to report received Probe Request
frames to user space and Probe Response and Action frames to be sent
from user space when using AP/P2P GO mode.
This allows the driver to use PS buffering of Deauthentication and
Disassociation frames when the STA is in power save sleep. The STA
entry (and PTK) will be removed from the kernel only after the
Deauth/Disassoc has been transmitted (e.g., when the STA wakes up).
A hardcoded two second timeout is used to limit the length of this
window should the driver fail to deliver the frame (e.g., the STA
is out of range and does not wake up). The kernel STA entry is
marked unauthorized during the wait to avoid accepting Data
frames from the STA that we have decided to disconnect.
This behavior is available only with drivers that provide TX status
events for Deauth/Disassoc frames (nl80211 at this point). Other
drivers continue to use the previous behavior where the STA entry
is removed immediately.
Extend the code that waits for the station to send EAPOL-Start before
initiating EAPOL authenticator operations to cover the case where the
station includes WPS IE in (Re)Association Request frame if that IE
does not include support for WPS 2.0. While this should not really
be needed, this may help with some deployed WPS 1.0 stations that do
not support EAPOL operations correctly and may get confused of the
EAP-Request/Identity packets that would show up twice if EAPOL-Start
is transmitted.
If an ER tries to send a message to a STA that is not in the middle
of WPS protocol, do not try to deliver that. This can help with issues
where an ER takes long time to reply to M1 and another Registrar has
already completed negotiation.
It is possible to get a response for a pending EAP callback after the
EAP state machine has already completed its work or has timed out. For
those cases, make sure that the callback function is not delivered since
it could result in NULL pointer dereferences.
The Config Methods attribute in M2 and M2D messages is supposed to
indicate which configuration methods are supported by the Registrar. As
such, it should not depend on whether PBC mode is currently active or
not. That will only affect the Selected Registrar Config Methods and
Device Password ID attributes.
This change is a first step in better supporting different driver
architectures for AP mode operations with nl80211. This commit in
itself does not add new functionality, but it makes it easier to add
new AP mode parameters to address needs of drivers that have more of
the MLME/SME in firmware or kernel.
Split WPA initialization into two parts so that the Beacon frames can be
configured fully before the initial keys (GTK/IGTK) are configured. This
makes it easier for drivers that depend on the AP security mode being
fully set before the keys are configured.
This avoids a request to the driver to first start beaconing before
the WPA/RSN IE has been generated and then immediately changing the
beacon IEs once the WPA/RSN IE is ready.
Such using params->wpa_ie to figure out whether the connection is for
WPA/WPA2 is not correct since that buffer is used also to add WPS IE. In
case of WPS, do not add NL80211_ATTR_WPA_VERSIONS to avoid confusing
drivers.
Some compilers complain about fwrite calls if the return value is
not checked, so check the value even if it does not really make
much of a difference in this particular case.
The internal TLS implementation assumes that the certificate chain
is ordered by issuer certificate following the certificate that it
signed. Add the certificates to the chain in suitable order when
loading multiple certificates.
Commit e1d526293b added code for verifying
whether the receive Probe Request frame was indicating support for only
802.11b rates, but it missed the for loop for the extended supported
rates element. Add that to fix the validation code for cases where
non-802.11b rates are in the extended supported rates element.
Currently, wpa_driver_nl80211_authenticate() changes the interface type
to station. However, in case of P2P, we need to change the interface
type to P2P_CLI.
Add p2p field to the authentication params, and consider it for choosing
the correct interface type.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Commit 9f51b11395 added support for P2P
interfaces when adding a new interface. However, it didn't handle the
case in which the same interface is being used and its type is being
changed. Add support for this case.
Consequently, when doing "ap_scan_as_station" we now need to save the
actual AP interface type (AP/P2P GO) in order to restore it properly.
For that, change ap_scan_as_station type from int to nl80211_iftype, and
set it to NL80211_IFTYPE_UNSPECIFED when not used.
Signed-off-by: Eliad Peller <eliad@wizery.com>
When driver_nl80211.c has to set the netdev down to change iftype, an
RTM_NEWLINK event is generated. Do not generate
EVENT_INTERFACE_DISABLED event based on that.
Reassociation Request/Response frame validation need to count all IEs in
the RIC. In addition, TIE is not protected, so it should not be included
in the count.
Signed-off-by: Hong Wu <hong.wu@dspg.com>
Only accept Probe Request frames that have a Wildcard BSSID and a
destination address that matches with our P2P Device Address or is the
broadcast address per P2P specification 3.1.2.1.1.
When a new interface is created and already has a separate MAC address
assigned by the kernel, then we need to use that address, not just when
we've created a locally administered address.
This fixes use_p2p_group_interface=1 for iwlagn as it already makes
mac80211 assign an address for a second interface since the hardware has
two addresses assigned.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Add support to wpa_supplicant for device-based GTK rekeying. In order to
support that, pass the KEK, KCK, and replay counter to the driver, and
handle rekey events that update the latter.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Send STA flags to kernel when adding a new station. This ensures
stations are added with up to date flags by kernel drivers.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
When adding a new station, set the STA flags as part of the sta_add()
command. This ensures the flags are up to date when the station is added
by lower level drivers.
Signed-off-by: Arik Nemtsov <arik@wizery.com>
A new hostapd configuration parameter, disable_pmksa_caching=1, can now
be used to disable PMKSA caching on the Authenticator. This forces the
stations to complete EAP authentication on every association when WPA2
is being used.
In general, this patch attemps to extend commit
00468b4650 with dbus support.
This can be used by dbus client to implement subject match text
entry with preset value probed from server. This preset value, if
user accepts it, is remembered and passed to subject_match config
for any future authentication.
Signed-off-by: Michael Chang <mchang@novell.com>
Data path is broken when hostapd reloads its configuration
disabling the security which was previously enabled (WEP/WPA),
using kill -1, as old keys were not cleared.
The patch clears the keys configured when hostapd reloads
its configuration.
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
This phase1 parameter for TLS-based EAP methods was already supported
with GnuTLS and this commit extends that support for OpenSSL and the
internal TLS implementation.
Fix a bug with the current dev_found()/dev_lost() usage. Previously
in p2p_device_free() dev_lost() was invoked for devices that had
not been dev_found(). This caused dbus related msgs to stderr like:
"Attempted to unregister path (path[0] = fi path[1] = w1) which isn't
registered"
Signed-off-by: Angie Chinchilla <angie.v.chinchilla@intel.com>
Some P2PDevice properties were not updated in p2p->cfg structure:
reg_class, channel, op_reg_class, and op_channel. Hence, update p2p->cfg
parameters through p2p core calls in wpas_p2p_update_config().
Signed-off-by: Jean-Michel.Bachot <jean-michelx.bachot@intel.com>
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Move level parameter from p2p_device to p2p_device_info in order to
expose this information and modify D-Bus P2P handler to return this new
parameter through the P2P device properties.
Signed-off-by: Fabien Marotte <fabienx.marotte@intel.com>
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Previously hostapd just masked the STAs HT caps with its own. However,
some HT caps are not symmetric and as such need to be handled
different.
hostapd shouldn't overwrite the STAs SMPS mode as otherwise the driver
cannot know it has to use RTS/CTS to wake the receiver from dynamic
SMPS for MCS rates > 7.
hostapd shouldn't mask the RX and TX STBC caps with it's own. They are
already handled in a special case below.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
This file is a part of the radiotap parser that Andy Green agreed to
relicense under the BSD license (per email, 11 Aug 2007 07:42:05
+0100). The copyright/license statement was updated in radiotap.c,
but this radiotap_iter.h file was forgotten at that point.
In set_key handler, the seq[8] is in little endian order defined by
WPA. BSD kernel uses a u_int64_t value ik_keyrsc to represent it
internally. The kernel expects the native endian order for the value.
Thus, we need to detect the endian order and swap bytes when
necessary.
This fixes an issue with SA Query Response frames not being processed
anymore after wpa_supplicant started registering a handler for those.
This handler registration is in generic driver_nl80211.c code, so
hostapd uses it, too.
Implement PMKSA cache operations add, remove, and flush using nl80211
commands NL80211_CMD_{SET,DEL,FLUSH}_PMKSA to support PMKSA caching
with drivers that select the AP and generate the RSN IE internally.
When provision discovery fails, this new callback will be called
so P2P users can react to the failure.
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Since the peer may not be in Listen state when the provision discovery
request is sent, try to send the request again number of times when in
IDLE state. This was already done when p2p_find is in progress, but this
commit adds retries to the case where no other P2P operations are in
progress.
Signed-off-by: Jayant Sane <jayant.sane@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This can be used to avoid rejection of first two 4-way handshakes every
time hostapd (or wpa_supplicant in AP/IBSS mode) is restarted. A new
command line parameter, -e, can now be used to specify an entropy file
that will be used to maintain the needed state.
Some of these are required for proper functionality (like
get_seqnum); others may not be needed yet, but including them
allows some extra ifdef/endif blocks to be removed.
.set_rate_sets is not defined for non-hostapd, which prevents
configuring basic_rates when working as P2P GO.
Signed-off-by: Eliad Peller <eliad@wizery.com>
If the driver wrapper is setting up the interface up only at commit(),
UPnP initialization fails. Fix that by moving UPnP setup to happen after
the driver commit() call.
Windows 7 uses incorrect way of figuring out AP's WPS capabilities by
acting as a Registrar and using M1 from the AP. The config methods
attribute in that message is supposed to indicate only the configuration
method supported by the AP in Enrollee role, i.e., to add an external
Registrar. For that case, PBC shall not be used and as such, the
PushButton config method is removed from M1 by default. If pbc_in_m1=1
is included in the configuration file, the PushButton config method is
left in M1 (if included in config_methods parameter) to allow Windows 7
to use PBC instead of PIN (e.g., from a label in the AP).
cfg80211 maintains separate BSS table entries for APs if the same
BSSID,SSID pair is seen on multiple channels. wpa_supplicant does
not use frequency as a separate key in the BSS table, so filter out
duplicated entries. Prefer associated BSS entry in such a case in
order to get the correct frequency into the BSS table.
It may take some time for the TX status to be delivered for a
(Re)Association Response frame and if any Data frames are received
during that time, they may end up getting dropped as Class 3 frames in
not-associated state. This results in a Disassociation frame being sent
to the station and it assuming that the association has been lost.
Work around the issue by remembering that the (Re)Association Request
has already been accepted and skip the Deauth/Disassoc sending because
of the possible Class 3 frames before the TX status callback is
received.
In theory, these calls could fail, but it is not really likely to
happen in practice in the use case here. Anyway, check that they do
not return an error before accepting the length of the file.
This function does not get called with in_data == NULL in practice, but
it seems to be at least partly prepared for that case, so better make it
consistent by handling the NULL value throughout the function.
Both the SA and IEs from the received Probe Request frames must be
included and the Probe Request RX callback functions may assume that
these are not NULL.
The change to use wpa_dbg() in wpa_sm_parse_own_wpa_ie() could result
in a NULL pointer dereference if the function were called when WPA
state machine has not been initialized. While this cannot really
happen in practice, it is better to be prepared for that since that
was the case before the wpa_dbg() change.
The size_t value here can be 64-bit and result in implicit sign
extension. In this particular case, that gets masked out by
host_to_be32(), so there is no practical difference, but it is better
to get rid of the 64-bit variable explicitly.
The supportedTypes parameter is a list of TNC_MessageType values
and the buffer to be copied should use size of TNC_MessageType, not
TNC_MessageTypeList. In practice, these are of same length on most
platforms, so this is not a critical issue, but anyway, the correct
type should be used.
This avoids reading past the end of the IE buffer should the FTIE
be too short. In addition, one debug hexdump was using uninitialized
pointer to the FTIE buffer, so fixed it to use the pointer from the
parse data.
AF_INET6 is not always enabled by default, so use AF_INET instead. In
addition, use the old fixed length, 2048, as a failover value if the
sysctl fails for any reason.
Commit 03d3f28a69 broke initialization of
EAPOL authenticator state machines since an error value from
wpa_auth_sta_key_mgmt() (-1) was not handled properly and the fixed
wpa_key_mgmt_wpa_psk() identified the value as a PSK-based AKM because
of all bits being set to 1. The special error value needs to handled
separately to avoid skipping EAPOL state machine initialization.
