Add a new hostapd_is_dfs_overlap() helper function to DFS module. This
function tells whether the selected frequency range overlaps with DFS
channels in the current hostapd configuration. Selected frequency reange
is specified by its center frequency and bandwidth.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Rename DFS helper hostapd_config_dfs_chan_available() to
hostapd_is_dfs_chan_available(). Enable access to this helper function
from other hostapd components.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
EVP_PKEY_get0_EC_KEY() was added in OpenSSL 1.1.0, so add a
compatibility wrapper for it when building with OpenSSL 1.0.2.
Fixes: c025c2eb59 ("DPP: DPPEnvelopedData generation for Configurator backup")
Fixes: 7d9e320054 ("DPP: Received Configurator backup processing")
Signed-off-by: Jouni Malinen <j@w1.fi>
The new skip_prune_assoc=1 parameter can be used to configure hostapd
not to prune associations from other BSSs operated by the same process
when a station associates with another BSS. This can be helpful in
testing roaming cases where association and authorization state is
maintained in an AP when the stations returns.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new driver param full_ap_client_state=0 can be used to test
functionality with the driver capability for full AP client state being
forced to be disabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use local variables to avoid sm->wpa_auth->conf type of dereferences
where multiple instances within a function can be cleaned up.
Signed-off-by: Jouni Malinen <j@w1.fi>
Drivers that trigger roaming need to know the lifetime and reauth
threshold time of configured PMKSA so that they can trigger full
authentication to avoid unnecessary disconnection. To support this, send
dot11RSNAConfigPMKLifetime and dot11RSNAConfigPMKReauthThreshold values
configured in wpa_supplicant to the driver while configuring a PMKSA.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
The new hostapd configuration parameter dpp_pfs can be used to specify
how PFS is applied to associations. The default behavior (dpp_pfs=0)
remains same as it was previously, i.e., allow the station to decide
whether to use PFS. PFS use can now be required (dpp_pfs=1) or rejected
(dpp_pfs=2).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add definition for HE bit in neighbor report BSSID Information field
from IEEE P802.11ax/D6.0, 9.4.2.36 Neighbor Report element.
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
This functionality was repeated for multiple different frames. Use a
shared helper function to avoid such duplication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process the received Presence Announcement frames in Controller. If a
matching bootstrapping entry for the peer is found, initiate DPP
authentication to complete provisioning of the Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process the received Presence Announcement frames in AP/Relay. If a
matching bootstrapping entry for the peer is found in a local
Configurator, that Configurator is used. Otherwise, the frame is relayed
to the first configured Controller (if available).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process received Presence Announcement frames and initiate
Authentication exchange if matching information is available on the
Configurator.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new hostapd configuration parameter
dpp_configurator_connectivity=1 to request Configurator connectivity to
be advertised for chirping Enrollees.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new wpa_supplicant control interface command "DPP_CHIRP own=<BI
ID> iter=<count>" to request chirping, i.e., sending of Presence
Announcement frames, to be started.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add new identifier definitions for presence announcement,
reconfiguration, and certificate enrollment.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to
set peer specific configurator parameters which will override any global
parameters from dpp_configurator_params.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is a more convenient way of addressing cases where a
Configurator/Controller may store a large number of peer bootstrapping
information instances and may need to manage different configuration
parameters for each peer while operating as the Responder.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Set the global pointer and msg_ctx when allocating struct
dpp_authentication instead of needing to pass these to
dpp_set_configurator().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
hostapd (and wpa_supplicant in AP mode) was internally updating the STA
flags on disconnection cases to remove authorization and association.
However, some cases did not result in immediate update of the driver STA
entry. Update all such cases to send out the update to the driver as
well to reduce risk of race conditions where new frames might be
accepted for TX or RX after the port authorization or association has
been lost and configured keys are removed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Check whether the Transition Disable KDE is received from an
authenticated AP and if so, whether it contains valid indication for
disabling a transition mode. If that is the case, update the local
network profile by removing the less secure options.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd configuration parameter transition_disable can now be
used to configure the AP to advertise that use of a transition mode is
disabled. This allows stations to automatically disable transition mode
by disabling less secure network profile parameters.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Define the OUI Type and bitmap values for Transition Disable KDE. These
will be shared by both the AP and STA implementations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add QCA_WLAN_VENDOR_CFR_NDPA_NDP_ALL in enum
qca_wlan_vendor_cfr_capture_type. This capture type requests all NDPA
NDP frames to be filtered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
hostapd will trigger EDMG auto channel selection by setting
QCA_WLAN_VENDOR_ATTR_ACS_EDMG_ENABLED. The 60 GHz driver will be
called to start an auto channel selection and will return the
primary channel and the EDMG channel.
Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
Addition of chan_2ghz_or_5ghz_to_freq() broke 60 GHz ACS, because it
assumes reported ACS channel is on either 2.4 or 5 GHz band. Fix this
by converting chan_2ghz_or_5ghz_to_freq() to a more generic
chan_to_freq(). The new function uses hw_mode to support 60 GHz.
Fixes: 41cac481a8 ("ACS: Use frequency params in ACS (offload) completed event interface")
Signed-off-by: Noam Shaked <nshaked@codeaurora.org>
The parameters that need to be applied are symmetric to those of VHT,
however the validation code needs to be tweaked to check the HE
capabilities.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Enhanced channel frequency response supports capturing of channel status
information based on RX. Define previous CFR as version 1 and enhanced
CFR as version 2. If target supports both versions, two versions can't
be enabled at same time. Extend attributes for enhanced CFR capture in
enum qca_wlan_vendor_peer_cfr_capture_attr.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Support Extended Key ID in wpa_supplicant according to
IEEE Std 802.11-2016 for infrastructure (AP) associations.
Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing STAs to also connect to APs not supporting it.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Support Extended Key ID in hostapd according to IEEE Std 802.11-2016.
Extended Key ID allows to rekey pairwise keys without the otherwise
unavoidable MPDU losses on a busy link. The standard is fully backward
compatible, allowing an AP to serve STAs with and without Extended Key
ID support in the same BSS.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets/signals/events be registered.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets be registered (which is not really going to happen in practice).
Signed-off-by: Jouni Malinen <j@w1.fi>
This avoids a theoretical integer overflow with 16-bit unsigned int
should a certificate be encoded with more that 65535 friendly names or
icons.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int (not that there would ever
be more that 32767 signal handlers getting registered).
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no point in starting a huge number of pending SA Queries, so
limit the number of pending queries to 1000 to have an explicit limit
for how large sa_query_count can grow.
Signed-off-by: Jouni Malinen <j@w1.fi>
While RADIUS messages are limited to 4 kB, use size_t to avoid even a
theoretical overflow issue with 16-bit int.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the kernel rtm_newlink or rtm_dellink send the maximum length of
ifname (IFNAMSIZ), the event handlers in
wpa_driver_nl80211_event_rtm_addlink() and
wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME
value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the
NULL termination, that equals the IFNAMSIZ.
Fix the condition when IFNAME reach maximum size.
Signed-off-by: Ouden <Ouden.Biz@gmail.com>
Add more hang reason codes for the hang reason in the
QCA_NL80211_VENDOR_SUBCMD_HANG events. This also introduces the
attribute QCA_WLAN_VENDOR_ATTR_HANG_REASON_DATA to carry the required
data for the respective hang reason. This data is expected to contain
the required dump to analyze the reason for the hang.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some APs have managed to add two SSID elements into Beacon frames and
that used to result in picking the last one which had incorrect data in
the known examples of this misbehavior. Pick the first one to get the
correct SSID.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was not supposed to be conditional on CONFIG_FILS.
Fixes: ecbf59e693 ("wpa_supplicant configuration for Beacon protection")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
int_array_concat() and int_array_add_unique() could potentially end up
overflowing the int type variable used to calculate their length. While
this is mostly theoretical for platforms that use 32-bit int, there
might be cases where a 16-bit int overflow could be hit. This could
result in accessing memory outside buffer bounds and potentially a
double free when realloc() ends up freeing the buffer.
All current uses of int_array_add_unique() and most uses of
int_array_concat() are currently limited by the buffer limits for the
local configuration parameter or frame length and as such, cannot hit
this overflow cases. The only case where a long enough int_array could
be generated is the combination of scan_freq values for a scan. The
memory and CPU resource needs for generating an int_array with 2^31
entries would not be realistic to hit in practice, but a device using
LP32 data model with 16-bit int could hit this case.
It is better to have more robust checks even if this could not be
reached in practice, so handle cases where more than INT_MAX entries
would be added to an int_array as memory allocation failures instead of
allowing the overflow case to proceed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to
remove RSNXE from Beacon frames. This can be used to test protection
mechanisms for downgrade attacks.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Response frame so
that a STA not supporting RSNXE can still validate the FTE MIC
correctly.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Request frame so
that an AP not supporting RSNXE can still validate the FTE MIC
correctly.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Verify that the AP included RSNXE in Beacon/Probe Response frames if it
indicated in FTE that RSNXE is used. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Verify that the STA includes RSNXE if it indicated in FTE that RSNXE is
used and the AP is also using RSNXE. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is a workaround needed to keep FT protocol backwards compatible for
the cases where either the AP or the STA uses RSNXE, but the other one
does not. This commit adds setting of the new field to 1 in
Reassociation Request/Response frame during FT protocol when the STA/AP
uses RSNXE in other frames. This mechanism is described in 20/332r3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add key configuration parameters needed to support Extended Key ID with
pairwise keys. Add a driver capability flag to indicate support forusing
this.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.
This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").
Add it again and update check_key_flag() accordingly.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
The actual TX status (whether ACK frame was received) was not included
in the debug log in AP mode. Add that for all cases. In addition, add
some more details in the debug log to make the log more helpful in
debugging issues related to frame delivery.
Signed-off-by: Jouni Malinen <j@w1.fi>
While 13.7.1 (FT reassociation in an RSN) in P802.11-REVmd/D3.0 did not
explicitly require this to be done, this is implied when describing the
contents of the fourth message in the FT authentication sequence (see
13.8.5). Furthermore, 20/332r2 is proposing an explicit validation step
to be added into 13.7.1.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 5f9b4afd ("Use frequency in HT/VHT validation steps done before
starting AP") modified hostapd_is_usable_edmg() to use freq instead of
channel numbers. Unfortunately, it did not convert the frequency
calculation correctly and this broke EDMG functionality.
Fix the frequency calculation so that EDMG channel 9 works again.
Fixes: 5f9b4afdfa ("Use frequency in HT/VHT validation steps done before starting AP")
Signed-off-by: Hrishikesh Vidwans <hvidwans@codeaurora.org>
Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
In theory, hmac_sha256() might fail, so check for that possibility
instead of continuing with undetermined index value that could point to
an arbitrary token entry.
Signed-off-by: Jouni Malinen <j@w1.fi>
The return value from nl80211_send_monitor() is not suitable for use
with strerror(). Furthermore, nl80211_send_monitor() itself is printing
out a more detailed error reason.
Signed-off-by: Jouni Malinen <j@w1.fi>
send_and_recv_msgs() returns a negative number as the error code and
that needs to be negated for strerror().
Fixes: 8759e9116a ("nl80211: Control port over nl80211 helpers")
Signed-off-by: Jouni Malinen <j@w1.fi>
send_auth_reply() could be called with sta == NULL in certain error
conditions. While that is not applicable for this special test
functionality for SAE, the inconsistent checks for the sta pointer could
result in warnings from static analyzers. Address this by explicitly
checking the sta pointer here.
Signed-off-by: Jouni Malinen <j@w1.fi>
mode->he_capab is an array and as such, there is no point in checking
whether it is NULL since that cannot be the case. Check for the
he_supported flag instead. In addition, convert the TWT responder
capability bit into a fixed value 1 to avoid any surprising to the
callers. In practice, neither of these changes results in different
behavior in the current implementation, but this is more robust.
Signed-off-by: Jouni Malinen <j@w1.fi>
There was a copy-paste error in this code that would be adding the
connectorTemplate once that becomes available. In practice, this was not
reachable code, but anyway, this should be ready for potential addition
of connectorTemplate in the future.
Signed-off-by: Jouni Malinen <j@w1.fi>
While there may have initially been cases where the RSNE from
Beacon/Probe Response frames was not available from some drivers, it is
now more valuable to notice if such a case were to be hit with drivers
that are always expected to have such information available. As such,
make it a fatal error if the scan results for the current AP are not
available to check the RSNE/RSNXE in EAPOL-Key msg 3/4.
Signed-off-by: Jouni Malinen <j@w1.fi>
Avoid printing confusing FT debug entries from wpa_sm_set_ft_params()
when FT is not actually used for the connection.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use the same reason code to indicate that IE different in 4-way
handshake and also print a hexdump of RSNXE in both Beacon/ProbeResp and
EAPOL-Key msg 3/4 in the log.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter rsne_override_eapol can now be
used similarly to the previously added rsnxe_override_eapol to override
(replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used
for station protocol testing to verify sufficient checks for RSNE
modification between the Beacon/Probe Response frames and EAPOL-Key msg
3/4.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previous implementation was determining whether the override value was
set based on its length being larger than zero. Replace this with an
explicit indication of whether the parameter is set to allow zero length
replacement, i.e., remove of RSNXE from EAPOL-Key msg 3/4.
In addition, move IE replacement into a more generic helper function to
allow this to be used with other IEs as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
The 4-address frames WDS design in mac80211 uses VLAN interfaces
similarly to the way VLAN interfaces based on VLAN IDs are used. The EAP
authentication case ended up overriding the WDS specific assignment even
when the RADIUS server did not assign any specific VLAN for the STA.
This broke WDS traffic.
Fix this by skipping VLAN assignment to VLAN ID 0 for STAs that have
been detected to use 4-address frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
The resource-load-started cannot be used to replace the older
resource-request-starting signal and as such, the final redirect to the
special http://localhost:12345/ URL did not work. Use the decide-policy
signal for navigation action instead.
Also remove the attempt to modify the request URI from
resource-load-started since that is not going to work either. This is
not really critical for functionality, but could eventually be replaced
with a handler for the WebKitWebPage send-request signal.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_tdls_set_key() did set the key_id to -1 to avoid a useless
NL80211_CMD_SET_KEY call that the updated nl80211 driver no longer
carries out. Remove the no longer required workaround.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
After a radar signal is detected, the AP should switch to another
channel, but in the case of 80+80 MHz, channel switch failed because
hostapd did not select the secondary channel in the process. Fix this by
selecting a secondary channel in the case of 80+80 MHz.
Signed-off-by: Xin Wang <xwangw@codeaurora.org>
Signed-off-by: Pravas Kumar Panda <kumarpan@codeaurora.org>
The initial implementation of the PTK derivation workaround for
interoperability with older OWE implementations forced
WPA_KEY_MGMT_PSK_SHA256 to be used for all of PTK derivation. While that
is needed for selecting which hash algorithm to use, this was also
changing the length of the PTK components and by doing so, did not
actually address the backwards compatibility issue.
Fix this by forcing SHA256 as the hash algorithm in PTK derivation
without changing the PTK length calculation for OWE when
owe_ptk_workaround is enabled.
Fixes: 65a44e849a ("OWE: PTK derivation workaround in AP mode")
Fixes: 8b138d2826 ("OWE: PTK derivation workaround in STA mode")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Migrate nl80211 driver to key_flag API and add additional sanity checks.
I'm still not sure why we install unicast WEP keys also as default
unicast keys. Based on how I understand how mac80211 handles that it
should be pointless. I just stuck to how we do things prior to the patch
for WEP keys to not break anything. After all other drivers may need it.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Always report an error when NL80211_CMD_SET_KEY can't set a key to
default.
The old ioctl-based design used a single command to add, set, and delete
a key and had to ignore ENOENT for key deletions. It looks like that
special handling was also ported for NL80211_CMD_NEW_KEY and
NL80211_CMD_SET_KEY instead only for NL80211_CMD_DEL_KEY.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Calling NL80211_CMD_NEW_KEY with NL80211_KEY_DEFAULT_TYPES attributes is
pointless. The information is not expected and therefore the kernel
never forwards it to the drivers. That attribute is used with
NL80211_CMD_SET_KEY.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Allow to abort key installations with different error codes and fix one
misleading return code.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Turns out we are sometime providing a seq when deleting the key. Since
that makes no sense on key deletion let's stop forwarding that to the
driver at least.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Add masks for each key type to define which flags can be combined and
add a helper function to validate key_flag values.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
I decided to drop KEY_FLAG_MODIFY instead of allowing flag combinations not
yet used in the code and will simply recreate it with the Extended Key
ID patches once we get there. For that reason I also did not renumber
the flags.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
