There was a technical change between the last IETF draft version
(draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters
used in the username (i.e., use unique characters for EAP-AKA' instead
of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and
peer implementations to use the leading characters based on the final
RFC.
Note: This will make EAP-AKA' not interoperate between the earlier
draft version and the new version.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Incorrect identity string could end up being used with EAP-AKA' when
the EAP client is using pseudonym. This code was supposed to use
sm->identity just like the EAP-AKA case.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
The misplaced parenthesis caused Device ID matching to check only the
first octet of the P2P Device Address, i.e., we could have replied to
Probe Request frames that was searching for another device if any of
the last five octets of the address were different.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
An existing persistent group information can now be used to force GO
Negotiation to use the previously used SSID/passphrase from a persistent
group if we become a GO. This can be used as an alternative to inviting
a new P2P peer to join the group (i.e., use GO Negotiation with GO
intent 15 instead of starting an autonomous GO and using invitation),
e.g., in case a GO Negotiation Request is received from a peer while we
are not running as a GO. The persistent group to use for parameters is
indicated with persistent=<network id> parameter to p2p_connect.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commits 17bef1e97a and
ffe98dfb88 started using p2p_add_device()
with other frames than just Probe Response frames from scan results.
However, these changes did not take into account that the PD Request
and Invitation Request frames are normally received on the our own
Listen channel, not on the Listen channel of the peer. As such, these
frames must not be used to update Listen channel information for the
peer.
Fix this by letting p2p_add_device() know whether the results are from
scan results and if not, skip the peer table updates that are specific
to Probe Response frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Add provisional discovery failure ctrl_iface event
(P2P-PROV-DISC-FAILURE) to indicate to the application layer in case of
PD failure.
Signed-off-by: Deepthi Gowri <deepthi@codeaurora.org>
Commit d9bdba9f86 was supposed to allow
p2p_listen to schedule new after scan operation only if a p2p_connect
operation was not pending. However, it used incorrect P2P_AFTER_SCAN_
value for this and did not actually prevent overriding of p2p_connect
and could have caused some p2p_listen operations to be skipped
unnecessarily.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Unlike the unicast SD queries, the queries directed to all peers depend
on P2P_DEV_SD_INFO flag being cleared to allow the query to be sent to
a peer that has previously replied to any SD query.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the timeout scheduled during the previous association was
used after reassociation if the STA entry had not yet been removed. The
next timeout does not need to happen that quickly, so reschedule it
during reassociation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to figure out what exactly was done with the
ap_handle_timer registration/cancellation based on a debug log.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The next ap_handle_timer action was already cleared when association
is handled with user space -based SME. However, this step was missing
from the driver callback for indicating new association. This could
result in the first ap_handle_timer timeout on the new association
removing the station unexpectedly. Fix this by resetting the timeout_next
in hostapd_notif_assoc().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
A station may move from EAP/WPS key_mgmt to PSK using re-association. In
practice, this can happen most likely with WPS when the station runs
through the provisioning step (EAP/WPS) followed by PSK authentication.
If a deauthentication event is missed from the station for whatever
reason, the EAPOL authenticator state machine could have been left
running.
This can result in various issues, including unexpected disconnection of
the station while both the 4-way handshake and EAPOL authenticator state
machines (EAP) are running at the same time when the supplicant is
trying to use PSK. Fix this by explicitly clearing EAPOL authenticator
state machine on (re)association if the new association does not use it.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
When starting an AP with HT40 on 2.4 GHz, limit the set of channels
to scan for based on the affected frequency range to speed up the
AP setup.
Signed-hostap: Jouni Malinen <j@w1.fi>
Mark the debug print excessive and print it only in case the entropy
collection is used since this function can get called pretty frequently.
Signed-hostap: Jouni Malinen <j@w1.fi>
OpenSSL wrapper was using the same certificate store for both Phase 1
and Phase 2 TLS exchange in case of EAP-PEAP/TLS, EAP-TTLS/TLS, and
EAP-FAST/TLS. This would be fine if the same CA certificates were used
in both phases, but does not work properly if different CA certificates
are used. Enforce full separation of TLS state between the phases by
using a separate TLS library context in EAP peer implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
This was never really completed and is of not much use at this point,
so clean up the repository by removing the Symbian-specific changes.
Signed-hostap: Jouni Malinen <j@w1.fi>
This optional parameter to the BSS command can be used to select which
fields are included in the output to avoid having to parse through
unneeded information and to reduce the buffer size.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
There is no need to subscribe to event messages during deinit process,
so skip this to avoid unnecessary operations and to keep the debug logs
a bit cleaner.
Signed-hostap: Jouni Malinen <j@w1.fi>
This should keep us from getting into a state where we bounce large
numbers of stations all at once. Spreading out the bounce should cause
less stress on the network as the idle stations won't all be trying to
reconnect at once.
Signed-hostap: Ben Greear <greearb@candelatech.com>
wps_vendor_ext_m1 configuration parameter can now be used to add a
vendor specific attribute into the WPS M1 message, e.g., for
Windows Vertical Pairing.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This was previously indicated as disassociation, but the P2P group
session ending case expect a deauthentication notification. Since the
cfg80211 disconnection event does not really indicate which frame was
used, the easiest approach for now seems to be to just indicate these
as deauthentication events.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use reason code 3 (Deauthenticated because sending STA is leaving)
instead of reason code 2 (Previous authentication ot valid) in the
Deauthentication frame sent at the time a BSS is terminated. This is
more accurate reason for the message and allows the stations to get
better understand on why they were disconnected. This can be useful
especially for P2P clients that can use this as a signal that the
P2P group session was ended per P2P specification section 3.2.9.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
On P2P group removal, the GO is deinitialized correctly (and the vif
mode is set back to sta in case of nl80211), but the P2P client mode
wasn't deinitialized, and the nl80211 vif stays in P2P client mode.
Add a new deinit_p2p_cli op (similar to deinit_ap), which currently only
sets the interface back to station mode.
Signed-hostap: Eliad Peller <eliad@wizery.com>
intended-for: hostap-1
Some applications require knowing about probe requests to identify
devices. This can be the case in AP mode to see the devices before they
connect, or even in P2P mode when operating as a P2P device to identify
non-P2P peers (P2P peers are identified via PeerFound signals).
As there are typically a lot of probe requests, require that an
interested application subscribes to this signal so the bus isn't always
flooded with these notifications. The notifications in DBus are then
unicast only to that application.
A small test script is also included.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The signal strength is currently never used as the only driver reporting
it is nl80211 which uses IEEE80211_RADIOTAP_DB_ANTSIGNAL which is never
populated by the kernel. The kernel will (soon) populate
IEEE80211_RADIOTAP_DBM_ANTSIGNAL instead though, so use that.
Also, since it was never really populated, we can redefine the signal
field to be in dBm units only.
My next patch will also require knowing the signal strength of probe
requests throughout the code (where available), so add it to the
necessary APIs.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When hostapd is about to start an AP using HT40, it starts a scan to
check whether it is allowed or not. If OLBC is detected before the
scan has completed, it sets the beacons prematurely.
To fix this, instead of setting all beacons when OLBC is detected,
only update the ones that have already been started.
Signed-off-by: Luciano Coelho <coelho@ti.com>
ieee802_1x_encapsulate_radius() frees the RADIUS message if
radius_client_send() returns error. This could have resulted in use of
freed memory and double freeing of the RADIUS message if send() fails
since the message is also left in the retransmit list. Avoid this by not
returning error to the caller in such a case.
Signed-off-by: Alexander Couzens <lynxis@c-base.org>
Add the option (-T) to wpa_supplicant to log all debug messages into the
kernel tracing, allowing to aggregate kernel debugging with
wpa_supplicant debugging and recording all with trace-cmd.
Since tracing has relatively low overhead and can be filtered
afterwards, record all messages regardless of log level. However, it
will honor the -K option and not record key material by default.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The "BSS p2p_dev_addr=address" command uses p2p_parse_dev_addr() to
figure out the P2P Device Address of the GO from scan results. This used
to work only if the P2P IE was received from Probe Response frames since
only those include the P2P Device Info attribute. Make this work with
Beacon frames, too, by using P2P Device ID attribute if the P2P Device
Info attribute is not present.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A network block specific background scan period can now be configured
for drivers that implement internal background scan mechanism for
roaming and BSS selection.
Signed-hostap: Bala Shanmugam <bkamatch@qca.qualcomm.com>
Implement wps_cancel for hostapd similarly to how it was already
supported in wpa_supplicant AP mode.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_pref_chan configuration parameter can now be used to set the
list of preferred channel for P2P GO Negotiation. This will be used
in the priority order if the peer does not support the channel we
are trying to use as the GO (configured operating channel or the
best 2.4 GHz/5 GHz channel) for the case where a forced channel is
not used.
p2p_pref_chan=<op class:channel>,...
For example:
p2p_pref_chan=81:1,81:2,81:3,81:4,81:5,81:6
This would configure 2.4 GHz channels 1-6 as the preferred ones with
channel 1 the most preferred option.
These configuration parameters can be set in wpa_supplicant.conf and
dynamically updated with "wpa_cli set <param> <value>".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When drivers advertise their capability to free up inactive
stations based on ap_max_inactivity, send the inactivity period
timeout to driver in NL80211_ATTR_INACTIVITY_TIMEOUT. This
introduces a WPA_DRIVER_FLAGS (WPA_DRIVER_FLAGS_INACTIVITY_TIMER)
so that the inactivity period will be sent only when this capability
bit is set.
Signed-hostap: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
When the driver (or firmware) implements AP mode SME, the use of raw
management frame TX functions is not working properly at the moment. As
an initial step, convert these AP mode operations to use
NL80211_CMD_DEL_STATION and do not claim that driver provides TX status
for deauth/disassoc frames. While this does not address all use cases
(e.g., reason code is not specified in the command), this fixes number
of issues where the station does not get disconnected properly.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 30680e9332 changed the length
of the implicit challenge result to match with the exact length used
in TTLS. However, it failed to update the peer_challenge generation
to use a separate random value. Previously, this was generated as
part of the implicit challenge, but more correct way would have been
to generate a random value for it separately. Do this now to fix the
read after the allocated buffer (16 bytes after the implicit
challenge).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1