This changes 4-way handshake authenticator processing to decrypt the
EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before
processing the Key Data field. This replaces Key MIC validation for the
cases where AEAD cipher is used. This needs to move the EAPOL-Key msg
2/4 RSN element processing to happen only after the PTK has been derived
and validated. That is done for all AKMs to avoid extra complexity with
having to maintain two code paths for this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the
previous fixed length Key MIC field with a variable length field. That
change was addressed with an addition of a new struct defined for the
second MIC length. This is not really scalable and with FILS coming up
with a zero-length MIC case for AEAD, a more thorough change to support
variable length MIC is needed.
Remove the Key MIC and Key Data Length fields from the struct
wpa_eapol_key and find their location based on the MIC length
information (which is determined by the AKMP). This change allows the
separate struct wpa_eapol_key_192 to be removed since struct
wpa_eapol_key will now include only the fixed length fields that are
shared with all EAPOL-Key cases in IEEE Std 802.11.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Calculate the hashed realm from hostapd erp_domain configuration
parameter and add this to the FILS Indication element when ERP is
enabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If FILS is enabled, indicate that in Beacon, Probe Response, and
(Re)Association Response frames in the Extended Capabilities element.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Station should be able to connect initially without ft_pmk_cache filled,
so the target AP has the PSK available and thus the same information as
the origin AP. Therefore neither caching nor communication between the
APs with respect to PMK-R0 or PMK-R1 or VLANs is required if the target
AP derives the required PMKs locally.
This patch introduces the generation of the required PMKs locally for
FT-PSK. Additionally, PMK-R0 is not stored (and thus pushed) for FT-PSK.
So for FT-PSK networks, no configuration of inter-AP communication is
needed anymore when using ft_psk_generate_local=1 configuration. The
default behavior (ft_psk_generate_local=0) remains to use the pull/push
protocol.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The reason detail field was removed from non_pref_chan attr in MBO
v0.0_r25 draft. Don't parse for this element to be compliant with the
latest drafr.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
A weakness in the initial client taxonomy mechanism is from storing both
the Probe and Associate in struct sta_info. struct sta_info is created
after a client associates (or starts authentication frame exchange),
which means that any Probe Request frames sent prior to association are
not retained. The Associate Request frame has to be seen, and then
another Probe Request frame after association, before we have a
signature for the client.
Most clients send lots of Probe Request frames (lots and lots and lots
of Probes, actually), but a few do not. ChromeOS is notably sparing in
sending Probe Request frames, it can take a long time before a signature
for a ChromeOS device is available.
Store the most recent Probe Request frame in struct hostapd_sta_info
tracking list. When a struct sta_info is created, move the Probe Request
frame information from struct hostapd_sta_info to struct sta_info.
Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)
Implement the signature mechanism described in the paper
"Passive Taxonomy of Wifi Clients using MLME Frame Contents"
published by Denton Gentry and Avery Pennarun.
http://research.google.com/pubs/pub45429.htmlhttps://arxiv.org/abs/1608.01725
This involves:
1. Add a CONFIG_TAXONOMY compile option. Enabling taxonomy incurs
a memory overhead of up to several kilobytes per associated
station.
2. If enabled, store the Probe Request and (Re)Associate Request frame in
struct sta_info.
3. Implement code to extract the ID of each Information Element,
plus selected fields and bitmasks from certain IEs, into a
descriptive text string. This is done in a new source file,
src/ap/taxonomy.c.
4. Implement a "signature qq:rr:ss:tt:uu:vv" command
in hostapd_cli to retrieve the signature.
Signatures take the form of a text string. For example, a signature
for the Nexus 5X is:
wifi4|probe:0,1,127,45,191,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:338061b2,
vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:00000a0201000040|assoc:0,1,48,45,
221(0050f2,2),191,127,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:339071b2,
vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:0000000000000040
Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)
Previously, struct hostapd_iface sta_seen list head was initialized only
when completing interface setup. This left a window for operation that
could potentially iterate through the list before the list head has been
initialized. While the existing code checked iface->num_sta_seen to
avoid this case, it is much cleaner to initialize the list when struct
hostapd_iface is allocated to avoid any accidental missing of the extra
checks before list iteration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not generate an unused and invalid Request Authenticator (random
value) when constructing Accounting-Request packets. The correct Request
Authenticator is calculated subsequently in radius_msg_finish_acct()
using MD5(msg + shared secret).
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside hostapd. When framework is
activated, it will use hostapd to configure the AP to publish the FTM
functionality. See IEEE P802.11-REVmc/D7.0, 9.4.2.27.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Some deployed stations incorrectly consider nsts capability in
(Re)Association Response frame as required capability instead of maximum
capability and if it is greater than station's capability then beamform
will not happen in uplink traffic.
This commit adds support for an optional workaround to use station's
nsts capability in (Re)Association Response frame if the station's nsts
is less than AP by using the use_sta_nsts=1 configuration parameter.
This configuration is introduced in this commit and it is disabled by
default.
Signed-off-by: Tamizh chelvam <c_traja@qti.qualcomm.com>
Previously, this was initialized in hostapd_setup_bss() which made it
possible for a REMOVE_NEIGHBOR control interface command to be issued
prior to the list head pointers having been set. That resulted in a NULL
pointer dereference. Fix this by initializing the list head at the time
the data structure gets allocated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Number of hostapd control interface commands (e.g., STATUS-DRIVER) could
result in NULL pointer dereference when issued on not yet enabled BSS.
Fix this by checking that the driver interface has been initialized
before calling the driver_ops function.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Various checks should use is_multicast_ether_addr() instead
of hardcoding the equivalent, change it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Do not include a NAS-Port attribute in Access-Request and
Accounting-Request packets where the Association ID (AID) is 0, i.e.,
not yet assigned or known.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
There's no need to have a separate variable and open-code a more
complicated version of this, just use is_broadcast_ether_addr().
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Previously, HT/VHT state was shown in STATUS based on the configuration
parameter instead of the runtime operational parameters. This could
result in claiming HT/VHT to be enabled even when it was forced to be
disabled due to an incompatible configuration. Clear HT/VHT information
in the STATUS output if HT/VHT has been disabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, mesh power management functionality works only with kernel
MPM. Because user space MPM did not report mesh peer AID to kernel,
the kernel could not identify the bit in TIM element. So this patch
reports mesh peer AID to kernel.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This allows the compiler to check that function prototypes match the
implementation. In addition, this gets rid of sparse warnings.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This moves pairwise, group, and management group ciphers to various mesh
data structures to avoid having to hardcode cipher in number of places
through the code. While CCMP and BIP are still the hardcoded ciphers,
these are now set only in one location.
Signed-off-by: Jouni Malinen <j@w1.fi>
The AMPE element includes number of optional and variable length fields
and those cannot really be represented by a fixed struct
ieee80211_ampe_ie. Remove the optional fields from the struct and
build/parse these fields separately.
This is also adding support for IGTKdata that was completely missing
from the previous implementation. In addition, Key RSC for MGTK is now
filled in and used when configuring the RX MGTK for a peer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous implementation was incorrect in forcing the MGTK to be used
as the IGTK as well. Define new variable for storing IGTK and use that,
if set, to configure IGTK to the driver. This commit does not yet fix
AMPE element parsing to fill in this information.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the data structures to allow variable length MGTK to be
stored for RX. This is needed as an initial step towards supporting
different cipher suites.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is initial step in fixing issues in how PMF configuration for RSN
mesh was handled. PMF is an optional capability for mesh and it needs to
be configured consistently in both hostapd structures (to get proper
RSNE) and key configuration (not included in this commit).
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 0603bcb7fe ('hostapd: Process MAC
ACLs on a station association event (SME in driver)') processes MAC ACL
on a station association event for drivers which use AP SME offload but
does not consider the scenario where the drivers offload ACL. This can
result in station disconnection, though the driver accepts the
connection. Address this by avoiding the hostapd ACL check for the
drivers offloading MAC ACL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
eloop deinit calls could trigger segmentation fault if the early error
path is hit before eloop_init() gets called.
Signed-off-by: Jouni Malinen <j@w1.fi>
gas_address3=1 can now be used to force hostapd to use the IEEE 802.11
standards compliant Address 3 field value (Wildcard BSSID when not
associated) even if the GAS request uses non-compliant address (AP
BSSID).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously all TX status events with wildcard BSSID were ignored. This
did not allow Public Action frame TX status to be processed with the
corrected wildcard BSSID use. Fix this to be allowed. In practice, this
affects only test cases since Action frame TX status was not used for
anything else.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies
that the wildcard BSSID value is used in Public Action frames that are
transmitted to a STA that is not a member of the same BSS. hostapd used
to use the actual BSSID value for all such frames regardless of whether
the destination STA is a member of the BSS.
Fix this by using the wildcard BSSID in cases the destination STA is not
a member of the BSS. Leave group addressed case as-is (i.e., the actual
BSSID), since both values are accepted. No such frames are currently
used, though.
This version is still using the AP BSSID value in the Address 3 field
for GAS response frames when replying to a GAS request with AP BSSID
instead of Wildcard BSSID. This is left as a workaround to avoid
interoperability issues with deployed STA implementations that are still
using the non-compliant address and that might be unable to process the
standard compliant case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds the necessary changes to support extraction and use of the
extended capabilities specified per interface type (a recent
cfg80211/nl80211 extension). If that information is available,
per-interface values will be used to override the global per-radio
value.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows the simplest case of SAE group negotiation to occur by
selecting the next available group if the peer STA indicates the
previous one was not supported. This is not yet sufficient to cover all
cases, e.g., when both STAs need to change their groups, but at least
some cases are no covered.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd deinit functions were not ready to handle a case where the data
structures were not fully initialized. Make these more robust to allow
wpa_supplicant mesh implementation to use the current deinit design in
OOM error cases without causing NULL pointer dereferences.
Signed-off-by: Jouni Malinen <j@w1.fi>
This new parameter allows hostapd to add Vendor Specific elements into
(Re)Association Response frames similarly to the way vendor_elements
parameter can be used for Beacon and Probe Response frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 66d464067d ('FT: Register RRB
l2_packet only if FT-over-DS is enabled') disabled RRB l2_packet socket
if ft_over_ds is disabled, but this socket is required for FT
over-the-air, too (FT key distribution). Enable the socket regardless of
ft_over_ds setting if FT is enabled.
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
Add FTM range request via RRM. The AP sends Radio measurement request
with FTM range request as a request for the receiving STA to send FTM
requests to the given list of APs. The neighbor report part of the
request is taken from the neighbor database.
The control interface command is:
REQ_RANGE <dst addr> <rand_int> <min_ap> <responder> [<responder>..]
dst addr: MAC address of an associated STA
rand_int: Randomization Interval (0..65535) in TUs
min_ap: Minimum AP Count (1..15); minimum number of requested FTM ranges
between the associated STA and the listed APs
responder: List of BSSIDs for neighboring APs for which a measurement
is requested
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Add a hostapd control interface command REQ_LCI to request LCI from an
associated station using radio measurement.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Save RM enabled capability element of an associating station if radio
measurement is supported in its capability field.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Process Neighbor Report Request frame and send Neighbor Report Response
frame based on the configured neighbor report data.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Add a configurable neighbor database that includes the content of
Nighbor Report element, LCI and Location Civic subelements and SSID.
All parameters for a neighbor must be updated at once; Neighbor Report
element and SSID are mandatory, LCI and civic are optional. The age of
LCI is set to the time of neighbor update.
The control interface API is:
SET_NEIGHBOR <BSSID> <ssid=SSID> <nr=data> [lci=<data>] [civic=<data>]
To delete a neighbor use:
REMOVE_NEIGHBOR <BSSID> <SSID>
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Extend the radio_measurements parameter to save all the supported
RRM capabilities as it's used in RM enabled capabilities element.
Make this parameter not directly configurable via config file (though,
keep the radio_measurements parameter for some time for backwards
compatibility). Instead, add a configuration option to enable neighbor
report via radio measurements. Other features can be added later as
well.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
The hostapd "POLL_STA <addr>" control interface command can be used to
check whether an associated station ACKs a QoS Data frame. The received
ACK for such a frame is reported as an event message ("AP-STA-POLL-OK
<addr>").
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The optional tx=0 parameter can be added to the hostapd
DEAUTHENTICATE/DISASSOCIATE command to request disconnection without
transmitting the Deauthentication/Disassociation frame to the STA.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows external programs to fetch the driver inactivity value for a
specific STA ("STA <addr>" hostapd control interface command).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a legacy client with no P2P PS support is trying to connect to
a P2P GO, the driver should know that, and change its PS behavior
accordingly.
Add a parameter to hostapd_sta_add_params() indicating if P2P PS is
supported by the station and pass this parameter to kernel with nl80211
driver when the station is added/set.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Fix a possible memory leak in decode_tunnel_passwords() if an invalid
passphrase is received from the RADIUS server.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
This struct in the union is empty, but the design of using a zero-length
u8 array here is not fully compatible with C++ and can result in
undesired compiler warnings. Since there are no non-IE fields in the
Probe Request frames, get the location of the variable length IEs simply
by using the pointer to the frame header and the known header length.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was only used for providing an option to use linux/if_packet.h
instgead of netpacket/packet.h in src/ap/iapp.c. However,
netpacket/packet.h is nowadays commonly available and hostapd already
depends on it through src/l2_packet/l2_packet_linux.c, so there is no
need to continue to provide this option for the kernel header.
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of need to include linux/if_vlan.h and additional defines
in vlan_ioctl.c to avoid issues with missing definitions in libc
headers.
Signed-off-by: Jouni Malinen <j@w1.fi>
Due to both <netinet/in.h> (in "utils/includes.h") and <linux/in6.h> (in
<linux/if_bridge.h>) being included, the in6_addr is being redefined:
once from the C library headers and once from the Linux kernel headers.
This causes some build failures with for example the musl C library:
In file included from /usr/include/linux/if_bridge.h:18,
from ../src/ap/vlan_init.c:17:
/usr/include/linux/in6.h:32: error: redefinition of 'struct in6_addr'
/usr/include/linux/in6.h:49: error: redefinition of 'struct sockaddr_in6'
/usr/include/linux/in6.h:59: error: redefinition of 'struct ipv6_mreq'
Mixing C library and Linux kernel headers is a bit problematic [1] and
should be avoided if possible [2]. In order to fix this, define just the
macros needed from <linux/if_bridge.h> as done in Busybox for the brctl
applet [3].
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=15850
[2] http://www.openwall.com/lists/musl/2015/10/06/1
[3] https://git.busybox.net/busybox/commit/?id=5fa6d1a632505789409a2ba6cf8e112529f9db18
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
With this, vlan_init.c does not need any special header files anymore
and vlan_ifconfig.c does not need hostapd-specific header files that
might conflict with net/if.h on NetBSD.
Signed-off-by: Jouni Malinen <j@w1.fi>
Move the ioctl-based VLAN implementation to a separate file to avoid
need for conditional blocks within vlan_ioctl.c. This removes the
internal CONFIG_VLAN_NETLINK define, i.e., this is now used only in
build configuration (.config) to select whether to include the
vlan_util.c (netlink) or vlan_ioctl.c (ioctl) implementation of the
functions.
Signed-off-by: Jouni Malinen <j@w1.fi>
caddr_t is legacy BSD and should be avoided [1]. While glibc may still
use __caddr_t as the type, Linux kernel does not (it is "void __user *
ifru_data").
This fixes compile errors with the musl libc:
../src/ap/vlan_init.c: In function 'br_delif':
../src/ap/vlan_init.c:218:18: error: '__caddr_t' undeclared (first use in this function)
ifr.ifr_data = (__caddr_t) args;
[1] http://stackoverflow.com/questions/6381526/what-is-the-significance-of-caddr-t-and-when-is-it-used
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
pmksa->pmk or pmksa->pmkid cannot be NULL since they are arrays. Remove
the unnecessary NULL checks and use the provided pmksa pointer directly
to simplify the implementation. (CID 138519)
Signed-off-by: Jouni Malinen <j@w1.fi>
Interface additions/removals are not guaranteed to be for the driver
listening to the kernel events. As such, send the events to
wpa_supplicant_event_global() which can then pick the correct interface
registered with wpa_supplicant to send the event to.
Signed-off-by: Roy Marples <roy@marples.name>
Commit 1889af2e0f ('VLAN: Separate station
grouping and uplink configuration') added an ap_sta_set_vlan() function
that gets called from pmksa_cache_auth.c. This broke CONFIG_IBSS_RSN=y
build if src/ap/sta_info.c did not get included in the build, i.e., if
CONFIG_AP=y was not set.
Fix this by making the ap_sta_set_vlan() call conditional on
CONFIG_NO_VLAN being undefined and define this for CONFIG_IBSS_RSN=y
builds. This is fine for wpa_supplicant since CONFIG_AP=y case was
already defining this. For hostapd, this function call is not needed for
CONFIG_NO_VLAN case either.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This patch add functionality of mesh SAE PMKSA caching. If the local STA
already has peer's PMKSA entry in the cache, skip SAE authentication and
start AMPE with the cached value.
If the peer does not support PMKSA caching or does not have the local
STA's PMKSA entry in the cache, AMPE will fail and the PMKSA cache entry
of the peer will be removed. Then STA retries with ordinary SAE
authentication.
If the peer does not support PMKSA caching and the local STA uses
no_auto_peer=1, the local STA can not retry SAE authentication because
NEW_PEER_CANDIDATE event cannot start SAE authentication when
no_auto_peer=1. So this patch extends MESH_PEER_ADD command to use
duration(sec). Throughout the duration, the local STA can start SAE
authentication triggered by NEW_PEER_CANDIDATE even though
no_auto_peer=1.
This commit requires commit 70c93963ed
('SAE: Fix PMKID calculation for PMKSA cache'). Without that commit,
chosen PMK comparison will fail.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This extends the wpa_supplicant PMKSA_FLUSH control interface command to
allow the PMKSA list from the authenticator side to be flushed for AP
and mesh mode. In addition, this adds a hostapd PMKSA_FLUSH control
interface command to flush the PMKSA entries.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This extends the wpa_supplicant PMKSA control interface command to allow
the PMKSA list from the authenticator side to be listed for AP and mesh
mode. In addition, this adds a hostapd PMKSA control interface command
to show the same list for the AP case.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
In scenarios where only DFS channels are available (e.g., outdoor,
special country codes), hostapd must be able to handle situations
where all are unavailable.
The two possibilities to get there are
1) while operating on the last available DFS channel a radar is
detected
2) hostapd is started while all channels are unavailable
In both cases, hostapd instead of terminating should better
wait for the NOPs to pass and re-try operation after the CAC.
This patch provides that feature by using the condition
(iface->state == HAPD_IFACE_DFS && !iface->cac_started)
as NOP mode signature to retry operation from within
hostapd_dfs_nop_finished().
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Add a new 'use_driver_iface_addr' configuration parameter to allow use
of the default interface address generated by the driver on interface
creation. This can be useful when specific MAC addresses were allocated
to the device and we want to use them for multi-BSS operation.
Signed-off-by: Eliad Peller <eliad@wizery.com>
There is a race condition in which AP might receive the EAPOL-Start
frame (from the just-associated station) before the TX completion of the
Association Response frame. This in turn will cause the EAPOL-Start
frame to get dropped, and potentially failing the connection.
Solve this by saving EAPOL frames from authenticated-but-not-associated
stations, and handling them during the Association Response frame TX
completion processing.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Add UDP support for ctrl_iface:
New config option could be set:
CONFIG_CTRL_IFACE=udp
CONFIG_CTRL_IFACE=udp-remote
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote
And hostapd_cli usage:
hostapd_cli -i localhost:8877
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
In case vendor ACS command returns invalid channel or hardware mode,
complete the interface setup with an error code instead of simply
return, so that hostapd can properly clean up the interface setup.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This tells to the server how long we have been trying to transmit the
message so that the actual time of the message generation can be
determined from receive time (ignoring network delays and only at
accuracy of one second).
For interim updates, only value 0 is used since there are no
retransmissions of the same message. For other accounting messages, the
initial attempt goes out with value 0 and the retransmissions, if
needed, show the number of seconds the message has been waiting in the
queue.
Update the Identifier and Authenticator in the messages whenever
updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of using the RADIUS client retransmission design with the old
RADIUS message contents for each retry, trigger a completely new interim
accounting update instance more quickly (using the same schedule as
RADIUS message retransmissions) to improve accounting updates in cases
where RADIUS message delivery fails. This allows the server to get up to
date information from the time the "retry" message was sent instead of
the old information from the time the first failed attempt was sent.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to maintain two implementations of the functionality.
is_zero_ether_addr() is easier to understand, so use it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using rtnl_link_alloc_cache() is expensive as it fills in all configured
links. Using rtnl_link_get_kernel() is much more lightweight.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
As the Linux variant of l2_packet_init() does not use its own_addr
argument and l2_packet_receive() does not filter on destination MAC
address, this needs to be checked in the callback.
If there are multiple BSSes listening for FT RRB packets, all their
BSSIDs need to be local to the bridge interface. As l2_packet_init() is
going to receive all of them going for any local address, those RRB
messages started turning up on BSSes that were not destinated for and
cluttering logs.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.
This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Instead of copying the full struct hostapd_sta_wpa_psk_short, share the
existing entry and use reference counting to check when it needs to be
freed. This allows caching of PSKs derived from passphrases to avoid
having to perform the heavy hashing operation multiple times.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Hashing takes quite some time (can be about one second on a low-power
CPU for each passphrase provided), so hostapd can easily hit the 900 ms
Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can
be fixed by storing the passphrase instead of PSK with the STA and defer
the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.
This applies for the case where a RADIUS server is used to store the
per-STA passphrases and this passphrase is delivered as part of the MAC
ACL check during IEEE 802.11 Authentication frame processing.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The VLAN ifname is limited to the maximum length of IFNAMSIZ, so there
is no need to use heap allocation for it.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
r1_key_holder is an identifier that was always set to zero if unless
configured before.
See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
"R1KH-ID is a MAC address of the holder of the PMK-R1 in the
Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
"Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
identifier within the mobility domain."
"The R1KH-ID shall be set to a MAC address of the physical entity
that stores the PMK-R1 ..."
Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.
Fix this by checking hapd->wpa_auth before delivery.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The FT RRB hostapd packets have a length field. For PULL frames, it
counted the bytes starting with nonce and up to the last before pad. For
RESP frames, it counted the bytes starting with nonce and up to the last
before pad except for 2 bytes. For PUSH frames, it counted the bytes
starting with nonce and up to including pad.
As rounding is done with AES encryption, including pad does not make
sense. Not including the last field before pad does not make sense
either. These were broken in the earlier addition of the 2 octet
pairwise field in commit 1b484d60e5 ('FT:
Include pairwise cipher suite in PMK-R0 SA and PMK-R1 SA').
AES encryption is not affected, as rounding hides the differences. The
packets data_length field is not used, so the differences have no effect
there.
This patch changes the constants to match the bytes used, thus excluding
the pad. To validate the changes, look at remainder modulo 8 of the sum
of the size constants and the padding sizes.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This makes hostapd track Supported Operating Classes information from
the associated STAs. The stored information is available through the STA
control interface command (supp_op_classes row) as a hexdump of the
Supported Operating Classes element starting from the Length field. This
information can be used as input to BSS transition management and
channel switching decisions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Inside management frame TX status callback, print the TX result where it
was missing. This is useful for debugging management frame drops.
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
This adds parsing of non-preferred channel list on an MBO AP. The
information in (Re)Association Request and WNM Notification Request
frames is parsed to get the initial value and updates from each
associated MBO STA. The parsed information is available through the STA
control interface command non_pref_chan[i] rows.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the second memory allocation in ieee802_11_send_wnmsleep_resp() were
to fail and ieee80211_11_get_tfs_ie() succeed, the wnmtfs_ie allocation
would not have been freed on the error path.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While refactoring VLAN comparison into vlan_compare(), it was overlooked
that modifications are needed for tagged VLAN support.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If WPA2 and MBO are enabled, PMF needs to be enabled in hostapd
configuration. If PMF is optional in the configuration, an MBO STA is
required to negotiate use of PMF.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes hostapd parse a received WNM Notification Request frame
subelements and if a WFA MBO cellular data capability subelement is
seen, update the cellular data capability for the STA.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes hostapd parse the MBO attribute in (Re)Association Request
frame and track the cellular data capability (mbo_cell_capa=<val> in STA
control interface command).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This removes multiple copies of wpabuf_resize() following by
wpabuf_put_{buf,data}() with the help of two simple helper functions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add an option to add MBO IE to BSS Transition Management Request frame.
The MBO IE includes the transition reason code, cellular data connection
preference, and, if the disassoc imminent bit is set, it may also
include re-association retry delay. Otherwise, the re-association retry
delay should be set to zero.
The additional BSS_TM_REQ argument uses the following format:
mbo=<reason>:<reassoc delay>:<cell pref>
reason: 0-9
reassoc delay: 0-65535 (seconds; 0 = disabled)
cell pref: 0, 1, 255
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Add MBO IE with AP capability attribute to Beacon, Probe Response, and
(Re)Association Response frames to indicate the AP supports MBO.
Add option to add Association Disallowed attribute to Beacon, Probe
Response, and (Re)Association Response frames. Usage:
SET mbo_assoc_disallow <reason code>
Valid reason code values are between 1-5. Setting the reason code to
0 will remove the Association Disallowed attribute from the MBO IE
and will allow new associations.
MBO functionality is enabled by setting "mbo=1" in the config file.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
The recent VLAN changes added an explicit code path that sets vlan_desc
= NULL within ap_sta_set_vlan(). This makes some code analyzers warn
about the debug print that could potentially dereference this pointer.
Silence that warning by verifying the pointer more consistently within
this function.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the driver supports 64-bit TX/RX byte counters, use them directly.
The old 32-bit counter extension is maintained for backwards
compatibility with older drivers.
For nl80211 driver interface, the newer NL80211_STA_INFO_RX_BYTES64 and
NL80211_STA_INFO_TX_BYTES64 attributes are used when available. This
resolves the race vulnerable 32-bit value wrap/overflow. Rework RADIUS
accounting to use these for Acct-Input-Octets, Acct-Input-Gigawords,
Acct-Output-Octets, and Acct-Output-Gigawords, these values are often
used for billing purposes.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Previously, stations were added to the driver only after the
(Re)Association Response frame was acked. In the time period between the
station has acked the (Re)Association Response frame and the time the
station was added to the kernel, the station can already start sending
Data frames, which will be dropped by the hardware/driver. In addition
to the data loss, the driver may ignore NDPs with PM bit set from this
STA.
Fix this by setting/adding the STA with associated flag set to the
driver before the AP sends the (Re)Association Response frame with
status success. If the (Re)Association Response frame wasn't acked,
remove the station from the driver.
Note that setting a station to associated state before the non-AP
station acknowledges the (Re)Association Response frame is not compliant
with the IEEE 802.11 standard that specifically states that a non-AP
station should transition to authenticated/associated state only after
it acknowledged the (Re)Association Response frame. However, this is a
justifiable simplification to work around the issue described above since
1. The station will be removed in case it does not acknowledge the
(Re)Association Response frame.
2. All Data frames would be dropped until the station is set to
authorized state and there are no known issues with processing the
other Class 3 frames during the short window before the
acknowledgement is seen.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support for drivers that support full AP client state, i.e., can
handle adding stations that are not associated yet. For such drivers,
add a station after processing the authentication request, instead of
adding it in the association response callback.
Doing so is beneficial in cases where the driver cannot handle the add
station request, in which case it is useless to perform the complete
connection establishment.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Remove the fallback dependency on os_random() from the code that gets a
valid DFS channel. This is exceptionally unlikely to ever be called as
the call to os_get_random() is unlikely to fail. The intention is to
facilitate future removal of os_random() as it uses a low quality PRNG.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Remove the fallback dependency on os_random() when generating a WPS pin.
This is exceptionally unlikely to ever be called as the call to
os_get_random() is unlikely to fail. The intention is to facilitate
future removal of os_random() as it uses a low quality PRNG.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Do not use the system clock or os_random() that uses a low quality PRNG
as part of the pseudo-random challenge in auth_shared_key(). The
construction can be improved upon by replacing it with a call to
os_get_random(), which uses a high quality PRNG.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Previously, only mesh Action frames from BLOCKED STA were dropped.
Extend that to drop Authentication frames as well.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the
PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix
this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Shuffle includes above system ones so to fix a compile issue
on NetBSD where the if_type #define from <net/if.h>
conflicts with the wpa_driver_if_type enum.
Signed-off-by: Roy Marples <roy@marples.name>
This allows the stations to be assigned to their own vif. It does not
need dynamic_vlan to be set. Make hostapd call ap_sta_set_vlan even if
!vlan_desc.notempty, so vlan_id can be assigned regardless.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This makes vlan_newlink() and vlan_dellink() add tagged VLANs to AP_VLAN
interfaces as given by struct vlan_description.
hostapd_vlan_if_remove() is done in vlan_dellink() as tagged interfaces
need to be removed before the interface can be deleted and a DELLINK
message can be generated.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
To prepare for adding tagged VLAN support in vlan_init.c, vlan_newlink()
and vlan_dellink() are split into multiple functions. This reduces
indention and eases adding tagged VLANs as well.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
1. Add tagged VLAN to struct vlan_description
(compile limited number of tagged VLANs per description)
For k tagged VLANs, the first k entries in vlan_description.tagged
are used. They are sorted in ascending order. All other entries are
zero. This way os_memcmp() can find identical configurations.
2. Let tagged VLANs be parsed from RADIUS Access-Accept
3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Separate uplink configuration (IEEE 802.1q VID) and grouping of stations
into AP_VLAN interfaces.
The int vlan_id will continue to identify the AP_VLAN interface the
station should be assigned to. Each AP_VLAN interface corresponds to an
instance of struct hostapd_vlan that is uniquely identified by int
vlan_id within an BSS.
New: Each station and struct hostapd_vlan holds a struct
vlan_description vlan_desc member that describes the uplink
configuration requested. Currently this is just an int untagged IEEE
802.1q VID, but can be extended to tagged VLANs and other settings
easily.
When the station was about to be assigned its vlan_id, vlan_desc and
vlan_id will now be set simultaneously by ap_sta_set_vlan(). So
sta->vlan_id can still be tested for whether the station needs to be
moved to an AP_VLAN interface.
To ease addition of tagged VLAN support, a member notempty is added to
struct vlan_description. Is is set to 1 if an untagged or tagged VLAN
assignment is requested and needs to be validated. The inverted form
allows os_zalloc() to initialize an empty description.
Though not depended on by the code, vlan_id assignment ensures:
* vlan_id = 0 will continue to mean no AP_VLAN interface
* vlan_id < 4096 will continue to mean vlan_id = untagged vlan id
with no per_sta_vif and no extra tagged vlan.
* vlan_id > 4096 will be used for per_sta_vif and/or tagged vlans.
This way struct wpa_group and drivers API do not need to be changed in
order to implement tagged VLANs or per_sta_vif support.
DYNAMIC_VLAN_* will refer to (struct vlan_description).notempty only,
thus grouping of the stations for per_sta_vif can be used with
DYNAMIC_VLAN_DISABLED, but not with CONFIG_NO_VLAN, as struct
hostapd_vlan is still used to manage AP_VLAN interfaces.
MAX_VLAN_ID will be checked in hostapd_vlan_valid and during setup of
VLAN interfaces and refer to IEEE 802.1q VID. VLAN_ID_WILDCARD will
continue to refer to int vlan_id.
Renaming vlan_id to vlan_desc when type changed from int to struct
vlan_description was avoided when vlan_id was also used in a way that
did not depend on its type (for example, when passed to another
function).
Output of "VLAN ID %d" continues to refer to int vlan_id, while "VLAN
%d" will refer to untagged IEEE 802.1q VID.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
PBSS (Personal Basic Service Set) is a new BSS type for DMG
networks. It is similar to infrastructure BSS, having an AP-like
entity called PCP (PBSS Control Point), but it has few differences.
PBSS support is mandatory for IEEE 802.11ad devices.
Add a new "pbss" argument to network block. The argument is used
in the following scenarios:
1. When network has mode=2 (AP), when pbss flag is set will start
as a PCP instead of an AP.
2. When network has mode=0 (station), when pbss flag is set will
connect to PCP instead of AP.
The function wpa_scan_res_match() was modified to match BSS according to
the pbss flag in the network block (wpa_ssid structure). When pbss flag
is set it will match only PCPs, and when it is clear it will match only
APs.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
When a mesh point reconnects by starting from Authentication frame
sequence, the plink count was not decremented from its last connection.
This resulted in leaking peer link count and causing wpa_supplicant to
reject the connection after max_peer_links (default: 99) reconnects.
This was reproduced by pre-configuring 2 mesh points with mesh
credentials. Boot both mesh points and make sure they connect to each
other. Then in a loop reboot one of the mesh points after it
successfully connects while leaving the other mesh point up and running.
After 99 iterations the supplicant on mesh point that is not rebooting
will reject the connection request from the other mesh point.
Fix this by decrementing num_plinks when freeing a STA entry that is
still in PLINK_ESTAB state.
Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
There is no need to maintain three copies of this functionality even if
it is currently implemented as a single function call.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to
give better global and temporal uniqueness. Previously, only 32-bits of
the Acct-Session-Id would contain random data, the other 32-bits would
be incremented. Previously, the Acct-Multi-Session-Id would not use
random data. Switch from two u32 variables to a single u64 for the
Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves
no legitimate purpose. Exclusively use os_get_random() to get quality
random numbers, do not use or mix in the time. Inherently take a
dependency on /dev/urandom working properly therefore. Remove the global
Acct-Session-Id and Acct-Multi-Session-Id values that serve no
legitimate purpose.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
These can get allocated within eapol_auth_alloc(), so it is more logical
to free them in eapol_auth_free() instead of ieee802_1x_free_station()
that ends up calling eapol_auth_free().
Signed-off-by: Jouni Malinen <j@w1.fi>
Event-Timestamp should be sent for all Accounting-Request packets and
only after the system clock has a sane value, not where there's a value
close to the Unix time epoch.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Calculate the required length needed for the extra ANQP elements added
to GAS response buffer instead of using fixed size and truncating the
response if there was not sufficient space.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Acct-Authentic is used to indicate how the user was authenticated and as
such, should not be sent in Accounting-On and Accounting-Off.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Per RFC 2866, 5.10, it is invalid to send Acct-Terminate-Cause in
Accounting-On and Accounting-Off (this is included only when
Acct-Status-Type is set to Stop).
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Ensure that if it is not possible to configure an allowed 20 MHz
channel pair, hostapd falls back to a single 20 MHz channel.
Signed-off-by: Eduardo Abinader <eabinader@ocedo.com>
Number of deployed 80 MHz capable VHT stations that do not support 80+80
and 160 MHz bandwidths seem to misbehave when trying to connect to an AP
that advertises 80+80 or 160 MHz channel bandwidth in the VHT Operation
element. To avoid such issues with deployed devices, modify the design
based on newly proposed IEEE 802.11 standard changes.
This allows poorly implemented VHT 80 MHz stations to connect with the
AP in 80 MHz mode. 80+80 and 160 MHz capable stations need to support
the new workaround mechanism to allow full bandwidth to be used.
However, there are more or less no impacted station with 80+80/160
capability deployed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to follow a debug log from a hostapd process that
manages multiple interfaces.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ap_sta_deauth_cb and ap_sta_disassoc_cb eloop timeouts are used to
clear a disconnecting STA from the kernel driver if the STA did not ACK
the Deauthentication/Disassociation frame from the AP within two
seconds. However, it was possible for a STA to not ACK such a frame,
e.g., when the disconnection happened due to hostapd pruning old
associations from other BSSes and the STA was not on the old channel
anymore. If that same STA then started a new authentication/association
with the BSS, the two second timeout could trigger during this new
association and result in the STA entry getting removed from the kernel.
Fix this by canceling these eloop timeouts when receiving an indication
of a new authentication or association.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
n_chans can have only values 1, 2, or 4 in this function, so the -1 case
could never be reached. Remove the unreachable case to get rid of static
analyzer warnings.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
chan is set to the result of pointer arithmetic (pointer to an entry in
an array) that can never be NULL. As such, there is no need to check for
it to be non-NULL before deference. Remove this check to avoid
complaints from static analyzers.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Offloading of ACS to the driver changed the design a bit in a way that
iface->current_mode could actually be NULL when the offloaded ACS
mechanism supports band selection in addition to channel selection. This
resulted in a combination that is too complex for static analyzers to
notice. While acs_init() can be called with iface->current_mode == NULL
that is only in the case where WPA_DRIVER_FLAGS_ACS_OFFLOAD is in use.
In other words, the actual ACS functions like acs_cleanup() that would
dereference iface->current_mode are not used in such a case.
Get rid of static analyzer warnings by explicitly checking
iface->current_mode in acs_init() for the case where ACS offloading is
not used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If P2P support is included in wpa_supplicant build (CONFIG_P2P=y), but
P2P functionality is explicitly disabled (e.g., "P2P_SET disabled 1"),
couple of AP management frame processing steps did not check against
hapd->p2p_group being NULL and could end up dereferencing a NULL pointer
if a Probe Request frame or (Re)Association Request frame was received
with a P2P IE in it. Fix this by skipping these steps if hapd->p2p_group
is NULL.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the Registrar code to generate a Credential with
auth type WPAPSK (i.e., WPA v1) with encr type AES if the Enrollee
claimed support for WPAPSK and not WPA2PSK while the AP was configured
in mixed mode WPAPSK+WPA2PSK regardless of how wpa_pairwise (vs.
rsn_pairwise) was set since encr type was selected from the union of
wpa_pairwise and rsn_pairwise. This could result in the Enrollee
receiving a Credential that it could then not use with the AP.
Fix this by masking the encryption types separately on AP based on the
wpa_pairwise/rsn_pairwise configuration. In the example case described
above, the Credential would get auth=WPAPSK encr=TKIP instead of
auth=WPAPSK encr=AES.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it somewhat easier for the station to be able to receive and
process the encrypted WNM-Notification frames that the AP previously
sentt immediately after receiving EAPOL-Key msg 4/4. While the station
is supposed to have the TK configured for receive before sending out
EAPOL-Key msg 4/4, not many actual implementations do that. As such,
there is a race condition in being able to configure the key at the
station and the AP sending out the first encrypted frame after EAPOL-Key
4/4. The extra 100 ms time here makes it more likely for the station to
have managed to configure the key in time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Since hostapd supports ACS now, let's enable its support in
wpa_supplicant as well when starting AP mode.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
[u.oelmann@pengutronix.de: adjusted added text in defconfig]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Let's reuse hostapd code for such handling. This will be useful to get
ACS support into wpa_supplicant where this one needs to handle the
survey event so it fills in the result ACS subsystem will require.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
Commit 986de33d5c ('Convert remaining SSID
routines from char* to u8*') started using wpa_ssid_txt() to print out
the SSID for the Called-Station-Id attribute in RADIUS messages. This
was further modified by commit 6bc1f95613
('Use printf escaping in SSID-to-printable-string conversion') to use
printf escaping (though, even without this, wpa_ssid_txt() would have
masked characters).
This is not desired for Called-Station-Id attribute. While it is defined
as a "String", RFC 2865 indicates that "a robust implementation SHOULD
support the field as undistinguished octets.".
Copy the SSID as an array of arbitrary octets into Called-Station-Id to
avoid any kind of masking or escaping behavior. This goes a step further
from the initial implementation by allowing even the possible (but
unlikely in practical use cases) 0x00 octet in the middle of an SSID.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the five second timeout was added at the beginning of the
full GAS query and it was not replenished during fragmented exchanges.
This could result in timing out a query if it takes significant time to
go through the possibly multiple fragments and long comeback delay.
Signed-off-by: Jouni Malinen <j@w1.fi>
This FTIE needs to be an exact copy of the one in (Re)Association
Response frame. Copy the stored element rather than building a new copy
that would not have the correct MIC value. This is needed to fix PTK
rekeying after FT protocol run.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The FTIE from (Re)Association Response frame was copied before
calculating the MIC. This resulted in incorrect value being used when
comparing the EAPOL-Key msg 2/4 value in case PTK rekeying was used
after FT protocol run. Fix this by storing the element after the MIC
field has been filled in.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_insert_pmkid() did not support cases where the original RSN IE
included any PMKIDs. That case can happen when PTK rekeying through
4-way handshake is used after FT protocol run. Such a 4-way handshake
used to fail with wpa_supplicant being unable to build the EAPOL-Key msg
2/4.
Fix this by extending wpa_insert_pmkid() to support removal of the old
PMKIDs, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When an AP interface it created, it is also setup and subscribes
for management frames etc. However, when the interface is added by
wpa_supplicant, setting up for AP operations is redundant because
it will be done by wpa_supplicant on wpa_drv_init() when setting
the interface mode to AP.
In addition, it may cause wpa_supplicant to fail initializing the
interface as it will try to subscribe for management frames on this
interface but the interface is already registered.
Change this, so when adding an AP interface, make setting up the AP
optional, and use it only when the interface is added by hostapd but not
when it is added by wpa_supplicant.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When an AP is started on the 5.2 GHz band with 40 MHz bandwidth, a
scan is issued in order to handle 20/40 MHz coexistence. However,
the scan is issued even if iface->conf->no_pri_sec_switch is set,
which is redundant.
Fix this by checking iface->conf->no_pri_sec_switch before starting
the scan.
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
The EAPOL AUTH_PAE state machine was left in incomplete state at the
completion of FT protocol. Set portValid = TRUE to allow the state
machine to proceed from AUTHENTICATING to AUTHENTICATED state, so that a
new EAPOL reauthentication can be triggered.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Now hostapd will use station MAC-based permissions according to the
macaddr_acl policy also for drivers which use AP SME offload, but do not
support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It
should be noted that in this type of case the association goes through
and the station gets disconnected immediately after that.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Expire pending DB request for EAP-SIM/AKA/AKA'. Timeout defaults to 1
second and is user configurable in hostapd.conf (eap_sim_db_timeout).
Signed-off-by: Frederic Leroy <frederic.leroy@b-com.com>
When multiple interfaces across mutiple radios are started using a
single instance of hostapd, they all come up at different times
depending upon how long the ACS and HT scan take on each radio. This
will result in stations (that already have the AP profile) associating
with the first interfaces that comes up. For example in a dual band
radio case (2G and 5G) with ACS enabled, 2G always comes up first
because the ACS scan takes less time on 2G and this results in all
stations associating with the 2G interface first.
This feature brings up all the interfaces at the same time. The list of
interfaces specified via hostapd.conf files on the command line are all
marked as sync interfaces. All the interfaces are synchronized in
hostapd_setup_interface_complete().
This feature is turned on with '-S' commmand line option.
Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
The recently added ProxyARP support (proxy_arp=1) in hostapd allows a
STA IPv4 address to be learned from DHCP or ARP messages. If that
information is available, add it to Account-Request messages in
Framed-IP-Address attribute.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter no_probe_resp_if_max_sta=1 can
be used to request hostapd not to reply to broadcast Probe Request
frames from unassociated STA if there is no room for additional stations
(max_num_sta). This can be used to discourage a STA from trying to
associate with this AP if the association would be rejected due to
maximum STA limit.
Signed-off-by: Jouni Malinen <j@w1.fi>
In addition to the PTK length increasing, the length of the PMK was
increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was
missing from the initial implementation and a fixed length (256-bit) PMK
was used for all AKMs.
Fix this by adding more complete support for variable length PMK and use
384 bits from MSK instead of 256 bits when using this AKM. This is not
backwards compatible with the earlier implementations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous implementation used an obsolete sm->eapol_key_crypt pointer
which was not set anywhere (i.e., was always NULL). In addition, the
condition of sm->eap_if->eapKeyAvailable was not valid here since this
is the case of MSK from an external authentication server and not the
internal EAP server. Consequently, the wpa_auth_pmksa_add() call here
was never used.
The PMKSA cache was still added, but it happened at the completion of
the 4-way handshake rather than at the completion of EAP authentication.
That later location looks better, so delete the unreachable code in
Access-Accept handling. In addition, remove the now complete unused
struct eapol_state_machine eapol_key_* variables.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
With driver wrappers that implement set_privacy(), set_generic_elem(),
set_ieee8021x(), or set_ap_wps_ie(), it was possible to hit a NULL
pointer dereference in error cases where interface setup failed and
the network configuration used WPA/WPA2, IEEE 802.1X, or WPS.
Fix this by skipping the driver operations in case the driver interface
is not initialized.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new hostapd configuration parameter anqp_elem can now be used to
configure arbitrary ANQP-elements for the GAS/ANQP server. In addition
to supporting new elements, this can be used to override previously
supported elements if some special values are needed (mainly for testing
purposes).
The parameter uses following format:
anqp_elem=<InfoID>:<hexdump of payload>
For example, AP Geospatial Location ANQP-element with unknown location:
anqp_elem=265:0000
and AP Civic Location ANQP-element with unknown location:
anqp_elem=266:000000
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some devices cannot respond to inactive client probe (empty data frame)
within one second. For example, iPhone may take up to 3 secs. This
becomes a significant problem when ap_max_inactivity is set to lower
value such as 10 secs. iPhone can lose Wi-Fi connection after ~1 min
of user inactivity.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
IEEE Std 802.11-2012 13.3.1 states that the AID should be generated on
the local node for each peer. Previously, we were using the peer link ID
(generated by the peer) which may not be unique among all peers. Correct
this by reusing the AP AID generation code.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Commit d66dcb0d0b ('WEP: Remove VLAN
support from hostapd') already removed VLAN support for WEP encryption,
so vlan_setup_encryption_dyn() is no longer needed.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This ensures that group key is set as long as the interface exists.
Additionally, ifconfig_up is needed as wpa_group will enter
FATAL_FAILURE if the interface is still down. Also vlan_remove_dynamic()
is moved after wpa_auth_sta_deinit() so vlan_remove_dynamic() can check
it was the last user of the wpa_group.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Some APs don't include a CSA IE when an ECSA IE is generated,
and mac80211 used to fail following their channel switch. Add
a testing option to hostapd to allow reproducing the behavior.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fix and extend the ieee80211_freq_to_channel_ext() function to deal
correctly with VHT operating classes (128, 129, 130).
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The CSA channel and operating class values need to be set for all types
of channel switch (i.e., either if it's triggered by the control
interfaces or due to the GO-follows-STA flow). To do so, move the code
that sets them from the GO-follows-STA flow to the more generic
hostapd_fill_csa_settings() function.
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
The hostapd_hw_get_channel() function can't be used to convert center
frequencies to channel numbers, because the hw mode lists don't have all
the center frequencies. The hw mode lists have the main channel
frequencies and flags to indicate the channel topography.
For instance, channel 5805 with VHT80- has the channel center frequency
segment 0 at 5775. This segment is only indicated indirectly in the hw
mode list by the HOSTAPD_CHAN_VHT_50_30 flag. The hw mode list doesn't
have any elements with frequency 5775 to allow the conversion to a
channel number. Thus, we need to use ieee80211_freq_to_chan() instead.
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Pass to the driver a list of CSA counter offsets when sending Probe
Response frames during a CSA period. This allows the kernel to correctly
update the CSA/eCSA elements.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Some management frames contain CSA counters which should be updated by
kernel. Change driver op send_mlme() allowing to send a frame,
specifying an array of offsets to the CSA counters which should be
updated. For example, CSA offsets parameters should be specified when
sending Probe Response frames during CSA period.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Advertise current operating class in Beacon and Probe Response frames.
This Supported Operating Classes element is required by the standard
when extended channel switch is supported. However, since this element
doesn't reflect correctly the sub-band spectrum breakdown and can't be
effectively used by clients, publish only the minimal required part
which is the current operating class.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Fix the order of CSA, eCSA, Secondary Channel Offset, and Wide Bandwidth
Channel Switch Wrapper elements in Beacon and Probe Response frames.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add new GO frequency move policy. The P2P_GO_FREQ_MOVE_SCM_ECSA prefers
SCM if all the clients advertise eCSA support and the candidate
frequency is one of the group common frequencies.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Extended channel switch provides an ability to switch between operating
classes and is required for P2P Devices by the P2P specification when
switching in 5 GHz.
When the operating class is provided for channel switch, the AP/P2P GO
will use eCSA IE in addition to the regular CSA IE both on 2.4 GHz and 5
GHz bands.
Transitions between different hw_modes are not supported.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Channel switch may be performed using both CSA and eCSA IEs together.
This may happen, for example with a P2P GO on band A with legacy
clients. Extend driver API to support up to 2 CSA counters.
This patch also includes the required implementation for nl80211.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When building Beacon and Probe Response frames for the target channel,
consider bandwidth parameter for VHT channels. In addition, add support
for updating vht_oper_centr_freq_seg0_idx and
vht_oper_centr_freq_seg1_idx.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When switching to a VHT channel with width greater than 20 MHz, add Wide
Bandwidth Channel Switch element. This element is added in Beacon and
Probe Response frames inside Channel Switch Wrapper element.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
