Avoid adding more than P2P_MAX_REG_CLASSES operating classes or
P2P_MAX_REG_CLASS_CHANNELS channels while populating P2P channels. The
current limits on the operating classes or channels per operating class
could be hit in some case (mainly, with 6 GHz, but in theory, with a
2.4/5/60 GHz capable device as well).
If the local driver advertised a larger number of supported operarting
classes or channels per operating class, the construction of the struct
p2p_reg_class instances could have resulted in writing beyond the end of
the buffer and ending up corrupting memory around the struct p2p_config.
This could result in unexpected behavior in some other operations that
used corrupted memory, e.g., generation of a P2P Channel List failing
(with validation code stopping the process to avoid writing beyond the
end of the message buffer) due to not having sufficient buffer space for
the corrupted data.
This issue is triggered only based on information from the local driver
(mainly based on addition of support for 6 GHz band operating classes),
so the issue cannot be triggered based on received frames or any other
remote information.
The issue was introduced by commit d7c2c5c98c ("AP: Add initial
support for 6 GHz band") which added the operating class 131 which has
sufficiently large number of channels to go beyond the
P2P_MAX_REG_CLASS_CHANNELS limit.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This attribute aims to configure the STA to send the Beacon Report
Response with failure reason for the scenarios where the Beacon Report
Request cannot be handled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Explicitly flush cfg80211 scan cache for this test case since the BSS
entry check might fail if there are multiple results for the same BSSID.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously it was possible for the PKEX/DPP exchange to terminate with
an error and the ongoing Action frame TX/RX offchannel operation not
getting terminated. This could leave the driver waiting on offchannel
until timeout and failing following operations before that timeout
happens. Fix this by explicitly stopping the Action frame sequence in
the driver in the previously missed cases.
This fixes a case that was showing up with the following test sequence
every now and then:
dpp_qr_code_chan_list_unicast dpp_pkex_test_fail dpp_enrollee_reject_config
dpp_pkex_test_fail was adding a large number of pending offchannel
operations and dpp_enrollee_reject_config could fail if those pending
operations were blocking new remain-on-channel or offchannel TX
operation for a sufficiently long time.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This ugly hack for being able to search for optional arguments with
space before them was quite inconvenient and unexpected. Clean this up
by handling this mess internally with a memory allocation and string
duplication if needed so that the users of wpa_supplicant control
interface do not need to care about such details.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously DPP_AUTH_INIT command update wpa_s->dpp_netrole only if the
netrole parameter was included. This could leave AP or configurator
network in place for the next DPP_AUTH_INIT command. This would be
unexpected behavior, so reset wpa_s->dpp_netrole back to the
DPP_NETROLE_STA default if no explicit netrole parameter is included.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
connection_vht flag was set to true when both Association Request and
Response frame IEs have VHT capability. Thus all devices that have
support for the vendor specific partial VHT support in the 2.4 GHz band
were also being reported as VHT capable. However, IEEE Std 802.11ac-2013
defines VHT STA to operate in frequency bands below 6 GHz excluding the
2.4 GHz band.
Do not set connection_vht when the operating band is 2.4 GHz. This
avoids reporting wifi_generation 5 on the 2.4 GHz band and reserves the
generation value 5 for full VHT as defined in the IEEE 802.11 standard.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
As qca_vendor.h alone can be included by other applications, define
macro BIT() in qca_vendor.h itself if not yet defined, e.g., by
including utils/common.h before qca_vendor.h.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wlantest build did not define build options to determine key management
values for SAE, OWE, and DPP. Add those and the needed SHA512 functions
to be able to decrypt sniffer captures with PMK available from an
external source.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
(Re)Association Response frames should include radio measurement
capabilities in order to let stations know if they can, e.g., use
neighbor requests.
I tested this commit with a Samsung S8, which does not send neighbor
requests without this commit and sends them afterwards.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
A driver supports FT if it either supports SME or the
NL80211_CMD_UPDATE_FT_IES command. When selecting AKM suites,
wpa_supplicant currently doesn't take into account whether or not either
of those conditions are met. This can cause association failures, e.g.,
when an AP supports both WPA-EAP and FT-EAP but the driver doesn't
support FT (wpa_supplicant will decide to do FT-EAP since it is unaware
the driver doesn't support it). This change allows an FT suite to be
selected only when the driver also supports FT.
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previous version accepted both 0 and 126 values in SAE commit message
from the AP. Explicitly check that the value the AP uses matches what
the STA started with to avoid unexpected cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This was not supposed to set the constructed bit in the header. Fix this
to avoid parsing issues with other ASN.1 DER parsers.
Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new dpp-nfc.py command line argument --chan can be used to replace
the local channel list default (81/1).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Make Configurator provisioning require explicit conf parameter enabling
similarly to the previously used conf=ap-* and conf=sta-* cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new dpp_alloc_auth() function addition changed function call
backtraces for memory allocation failure tests.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This avoids unexpected behavior if GAS query fails and the Config
Response does not get processed at all. Previously, this could result in
configuration being assumed to be successful instead of failure when
Config Response object was not received at all. That could result in
undesired Config Result frame transmission with DPP Rel 2 and not
clearing the ongoing DPP session.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, unexpected Authentication Confirm messages were ignored in
cases where no Authentication Confirm message was expected at all, but
if this message was received twice in a state where it was expected, the
duplicated version was also processed. This resulted in unexpected
behavior when authentication result was processed multiple times (e.g.,
two instances of GAS client could have been started).
Fix this by checking auth->waiting_auth_conf before processing
Authetication Confirm. That boolean was already tracked, but it was used
only for other purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Only one peer-commit-scalar value was stored for a specific STA (i.e.,
one per MAC address) and that value got replaced when the next SAE
Authentication exchange was started. This ended up breaking the check
against re-use of peer-commit-scalar from an Accepted instance when
anti-clogging token was requested. The first SAE commit message (the one
without anti-clogging token) ended up overwriting the cached
peer-commit-scalar value while leaving that instance in Accepted state.
The second SAE commit message (with anti-clogging token) added ended up
getting rejected if it used the same value again (and re-use is expected
in this particular case where the value was not used in Accepted
instance).
Fix this by using a separate pointer for storing the peer-commit-scalar
value that was used in an Accepted instance. There is no need to
allocate memory for two values, i.e., it is sufficient to maintain
separate pointers to the value and move the stored value to the special
Accepted state pointer when moving to the Accepted state.
This fixes issues where a peer STA ends up running back-to-back SAE
authentication within couple of seconds, i.e., without hostapd timing
out the STA entry for a case where anti-clogging token is required.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, hostapd ignored the secondary channel provided by ACS if
both HT40+ and HT40- are set in hostapd.conf. This change selects such
channel for HT40 if it's valid, which is more reasonable.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The internal WMM AC parameters use just the exponent of the CW value,
while nl80211 reports the full CW value. This led to completely bogus
CWmin/CWmax values in the WMM IE when a regulatory limit was present.
Fix this by converting the value to the exponent before passing it on.
Fixes: 636c02c6e9 ("nl80211: Add regulatory wmm_limit to hostapd_channel_data")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
nl80211 uses a different queue mapping from hostap, so AC indexes need
to be converted.
Fixes: 636c02c6e9 ("nl80211: Add regulatory wmm_limit to hostapd_channel_data")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Local variable should be used. This fixes an issue where IEs are
available only from a Beacon frame.
Fixes: ad06ac0b0 ("Move throughput estimation into a helper function")
Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
The size of a single route(4) message cannot be derived from
either the size of the AF_INET or AF_INET6 routing tables.
Both could be empty or very large.
As such revert back to a buffer size of 2048 which mirrors
other programs which parse the routing socket.
Signed-off-by: Roy Marples <roy@marples.name>
Now that both hostapd and wpa_supplicant react to interface flag
changes, there is no need to set or remove IFF_UP.
It should be an administrative flag only.
Signed-off-by: Roy Marples <roy@marples.name>
There is little point in having both and it brings interface
addition/removal and IFF_UP notifications to hostapd.
Signed-off-by: Roy Marples <roy@marples.name>
When external authentication is used, the station send mlme frame (auth)
to the driver may not be able to get the frequency (bss->freq) after
hostap.git commit b6f8b5a9 ("nl80211: Update freq only when CSA
completes"). Use the assoc_freq to send the MLME frame when SAE external
authentication is used to avoid this issue.
Signed-off-by: Ouden <Ouden.Biz@gmail.com>
This commit introduces additional stats to query through
QCA_NL80211_VENDOR_SUBCMD_UPDATE_STA_INFO.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
