IEEE Std 802.11-2012, 12.4.2 states that if an MDE is present in an
(Re)Association Request frame but the RSNE uses a non-FT AKM suite, the
AP shall reject the association using status code 43 ("Invalid AKMP").
wpa_validate_wpa_ie() now explicitly checks for this condition to meet
this requirement instead of simply ignoring the MDE based on non-FT AKM.
Signed-off-by: Will Glynn <will@willglynn.com>
If the driver advertises support for setting Beacon frame data rate,
allow the user to configure this rate as part of starting the AP. Only
one Beacon frame TX rate is allowed.
Drivers advertising such support should set corresponding flag via the
NL80211_ATTR_EXT_FEATURES attribute.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:
Legacy (CCK/OFDM rates):
beacon_rate=<legacy rate in 100 kbps>
HT:
beacon_rate=ht:<HT MCS>
VHT:
beacon_rate=vht:<VHT MCS>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
cfg80211 rejects the scans issued with random MAC address if the STA is
in connected state. This resulted in failures when using MAC_RAND_SCAN
while connected (CTRL-EVENT-SCAN-FAILED ret=-95). Enable random MAC
address functionality only if the STA is not in connected state to avoid
this. The real MAC address of the STA is already revealed in the
association, so this is an acceptable fallback mechanism for now.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit adds IP address information into GroupStarted event on the
P2P client side like it is sent over the control interface.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
Commit 4ec1fd8e42 ('FT: Differentiate
between FT for station and for AP in build') renamed all
CONFIG_IEEE80211R instances within src/ap/* to CONFIG_IEEE80211R_AP, but
it did not change hostapd/* files to match. While this does not cause
much harm for normal use cases, this broke some test builds where
wpa_supplicant build is used to build in hostapd/*.c files for analysis.
Fix this by completing CONFIG_IEEE80211R_AP renaming.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, wpa_supplicant only supported hardcoded port == 1 in the
SCI, but users may want to choose a different port.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
The first peer may take a long time to come up. In PSK mode we are
basically in a p2p system, and we cannot know when a peer will join the
key exchange. Wait indefinitely, and let the administrator decide if
they want to abort.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This enables configuring key_mgmt=NONE + mka_ckn + mka_cak.
This allows wpa_supplicant to work in a peer-to-peer mode, where peers
are authenticated by the pre-shared (CAK,CKN) pair. In this mode, peers
can act as key server to distribute keys for the MACsec instances.
This is what some MACsec switches support, and even without HW
support, it's a convenient way to setup a network.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Remove the extra equals sign from the line since hostapd usage text does
not have it for other entries either (while wpa_supplicant does and this
was likely copy-pasted from there).
Signed-off-by: Jouni Malinen <j@w1.fi>
doc/eap.doxygen was mentioning eap_method structure, but there was no
reference as in doc/eap_server.doxygen on a similar paragraph
Signed-off-by: Sergei Sinyak <serega.belarus@gmail.com>
BoringSSL is the only supported version of SSL, so remove this guard so
we can continue to compile when the flavor.mk is removed.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This commit fixes the nl80211 driver call get_inact_sec() to return -1
when STA inactivity time retrieval fails in i802_read_sta_data().
This was intended to be handled by initalizing the inactive_msec member
to -1 but i802_read_sta_data() assumes the data parameter is
uninitialized and memsets the entire structure, neutralizing the attempt
to distinguish between no value (-1) and a time value of 0.
This is fixed by now requiring i802_read_sta_data() callers to
initialize the data structure first (allowing get_inact_sec() to use
-1). This is a safe change because it does not change any driver API
behavior and only affects one other static function in driver_nl80211.c
Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
In commit a25e4efc9e ('mka: Add driver op
to get macsec capabilities') I added some code to check the driver's
capabilities. This commit has two problems:
- wrong enum type set in kay->macsec_confidentiality
- ignores that drivers could report MACSEC_CAP_NOT_IMPLEMENTED, in
which case the MKA would claim that MACsec is supported.
Fix this by interpreting MACSEC_CAP_NOT_IMPLEMENTED in the same way as a
DO_NOT_SECURE policy, and set the correct value in
kay->macsec_confidentiality.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This extends the anqp_elem configuration parameter support for new Info
IDs (270 (TDLS Capability) was previously missed from the list of
defined values, 280 has already been assigned in REVmc/D8.0; 281..299
are yet to be assigned). No additional source code changes are needed to
allow hostapd to advertise support for these if the ANQP-element value
is set with the anqp_elem parameter.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The optional "-m <multi.dat>" command line option can now be used to
specify a data file that can include multiple management frames with
each one prefixed with a 16-bit big endian length field. This allows a
single fuzzer run to be used to go through multi-frame exchanges. The
multi.dat file shows an example of this with Probe Request frame,
Authentication frame, Association Request frame, and an Action frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This provides more details on BSS selection process in the debug log.
Previously, the BSSs that were not either the current or the selected
one were not necessarily printed at all. Now all BSSs that match the
currently selected network are listed with their frequency and signal
strength details.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the estimated throughput was used to enable roaming to a
better AP. However, this information was not used when considering a
roam to an AP that has better signal strength, but smaller estimated
throughput. This could result in allowing roaming from 5 GHz band to 2.4
GHz band in cases where 2.4 GHz band has significantly higher signal
strength, but still a lower throughput estimate.
Make this less likely to happen by increasing/reducing the minimum
required signal strength difference based on the estimated throughputs
of the current and selected AP. In addition, add more details about the
selection process to the debug log to make it easier to determine whaty
happened and why.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the first wt.clear_bss_counters(bssid) call to fail
the test if timing worked out in a way that the wlantest process had not
received any Beacon frames from the first AP. Run a directed scan for
both of the BSSs before starting the test validation steps to make sure
such a case cannot fail this test case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.
Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The Channel Center Frequency Segment subfields use the channel index
instead of frequency in MHz.
Signed-off-by: Beni Lev <beni.lev@intel.com>
Signed-off-by: David Spinadel <david.spinadel@intel.com>
The return value from this function may be used in an outgoing message,
so use a valid status code instead of -1.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
CONFIG_MBO was defined inside ifdef CONFIG_AP, so when AP support
was not compiled, MBO was not compiled either. However, CONFIG_MBO
is not related AP support, so it should not depend on CONFIG_AP.
Fix this by moving CONFIG_MBO outside of ifdef CONFIG_AP.
Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
Add a configuration option in hostapd.conf and in neighbor report that
sets an AP as stationary. To enable this option on the current AP set
the config option stationary_ap to 1. To set a neighbor entry to be
marked as stationary add the word stat to the SET_NEIGHBOR command. This
option tells hostapd to send LCI data even if it is older than requested
by max age subelement in RRM request.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
In case that LCI or location civic configuration is cleared,
free the buffer holding the corresponding information to avoid
cases that the information is considered as valid/useful.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
It is possible that a LCI or location civic configuration buffer
is valid but contains no data. In such a case do not add the LCI
and location civic information to the entry in the neighbor
data base.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
struct data_key already had a 'user' field for reference counting, but
it was basically unused.
Add an ieee802_1x_kay_use_data_key() function to take a reference on a
key, and use ieee802_1x_kay_deinit_data_key() to release the reference.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Document some data structures from IEEE Std 802.1X-2010, and add the
(not used yet) struct ieee802_1x_mka_dist_cak_body.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This is specific to the macsec_qca driver. The core implementation
shouldn't care about this, and only deal with the complete secure
channel, and pass this down to the driver.
Drivers that have such limitations should take care of these in their
->create functions and throw an error.
Since the core MKA no longer saves the channel number, the macsec_qca
driver must be able to recover it. Add a map (which is just an array
since it's quite short) to match SCIs to channel numbers, and lookup
functions that will be called in every place where functions would get
the channel from the core code. Getting an available channel should be
part of channel creation, instead of being a preparation step.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This has already been done for WEP, but there's same constraint for not
allowing VTH rates in case of TKIP.
Signed-off-by: Filip Matusiak <filip.matusiak@tieto.com>
When starting ASP provisioning with connection capability set to NEW,
don't create the pending P2P interface as a GO interface because
Go negotiation will determine which side will be the GO and it is
possible that eventually this interface will become the client.
In this case, when the P2P client is started it will start scanning
and do other station specific operations while the interface type
is AP.
Instead, use type WPA_IF_P2P_GROUP when creating the interface which
means the interface type will be determined later.
Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
Receiving a provision discovery request for an ASP service that
has auto accept set to false should result in a provision discovery
response with the status field set to "currently unavailable".
Having stale P2PS provision data, results in sending a response with
the status set to success because it is mistakenly referred to as the
follow-on provision discovery request.
Fix that by clearing stale P2PS provision data in the following cases:
1. When provision discovery is complete
2. When ASP services are flushed (in which case old ASP provisioning
is no longer valid).
Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
