Commit Graph

5881 Commits

Author SHA1 Message Date
Jouni Malinen
2971da270f P2P: Do not use wait_time for SD Response TX for last fragmentation
The last SD Response frame fragment is not going to be followed by
another Action frame from the peer, so remove the 200 ms wait time from
the offchannel TX command in that case. This avoids leaving a 200 ms
lock on the radio to remain on the channel unnecessarily.

This is similar to commit 7655bd7388
('P2P: Do not use wait_time for SD Response TX without fragmentation').

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-04-01 14:25:26 +03:00
Michael Braun
c5fee1604b FT: Schedule wpa_ft_rrb_rx() through eloop in intra-process communication
With AP-AP communication, when hapd0 sends a packet, hapd1 can receive
it immediately and send a response. But hapd0 will only read and process
the response after it has returned from the sending context, that is
entered eloop again. So one does not need to consider the RX function of
the reply to run for the request sending hapd before the send calling
function has returned.

Previously, with intra-process communication, the packet is not
scheduled through eloop. Thus the RX handler of the reply might be run
while the sending context of the original request has not returned.
This might become problematic, e.g., when deferring a management frame
processing until an RRB response is received and then have the request
restarted and finished before the original request handling has been
stopped.

I'm not aware of any concrete bug this is currently triggering but came
across it while thinking of FT RRB AP-AP sequence numbering.

I think the non-eloop scheduling approach might be error-prone and thus
propose to model it more closely to the way the message would be
received from a socket. Additionally, this ensures that the tests model
AP-AP communication more closely to real world.

Solution: queue these packets through eloop.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-04-01 12:51:05 +03:00
Jouni Malinen
4696773676 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2017-03-31.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-31 13:14:20 +03:00
Mohammed Shafi Shajakhan
775e986d5f hostapd: Fix crash on consecutive channel switch failures
With multiple interface like AP and station which is already
associated to some other AP, when we try to do channel switch
for the AP mode (different from the operation channel support of
station) and if the AP channel switch fails continously (including
the fallback channel switch), results in a crash due to NULL pointer
dereference. This is because hostapd_deinit_driver() assigns the
driver context (drv_priv) to NULL as we are not able to bring up
the interface with a new channel

Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
2017-03-29 15:03:16 +03:00
Zhaoyang Liu
1275958873 QCA vendor command: Add TA max duration attribute for OCB configure
Add attribute for TA max duration after last TA received. So that local
time is synchromous to other communicating OCB STAs. If the duration
expires, OCB STA without UTC time source is not in sync to other STAs
and stop scheduling DSRC channel switch after max duration.

Signed-off-by: Zhaoyang Liu <zhaoyang@codeaurora.org>
Signed-off-by: Ferry Zhou <tianguiz@codeaurora.org>
2017-03-27 17:19:38 +03:00
Zhaoyang Liu
2a9ec7c69c Define attributes for QCA vendor OCB commands
Document QCA vendor OCB commands about IEEE Std 802.11 communication
outside the context of a basic service set. Also define all attributes
for the specific OCB commands.

Signed-off-by: Zhaoyang Liu <zhaoyang@codeaurora.org>
Signed-off-by: Ferry Zhou <tianguiz@codeaurora.org>
2017-03-27 17:17:03 +03:00
Vidyullatha Kanchanapally
0119d44243 FILS: Fix wpa_supplicant compilation errors
This change fixes the following compilation error:

wpa.c:2465: error: undefined reference to 'crypto_ecdh_deinit'

in builds where CONFIG_ECC does not get defined.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-26 21:13:21 +03:00
Vidyullatha Kanchanapally
4cc6574d00 FILS: Fix fils_cache_id check
This fixes the following compiler warning:
wpa_auth.c:4249:34: error: address of array 'a->conf.fils_cache_id'
 will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-26 21:13:21 +03:00
Jouni Malinen
a5269dc209 wpa_helpers: Ignore link-local IPv4 address while waiting for DHCP
Do not accept a link-local IPv4 address when waiting for a valid DHCP
address. This helps with hs20-osu-client use cases where DHCP response
has not yet been received.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-26 21:13:21 +03:00
Jouni Malinen
e2f00bb5ff xml: Add Value node in TNDS node conversion for empty value case
Previously, the Value node was not added if value of a node could not be
fetched. This can cause interoperability issues, so address that in the
same way as an empty length value, i.e., by adding a Value node with
zero-length contents.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-26 21:13:21 +03:00
Davide Caratti
5db86df6a8 macsec_linux: Fix NULL pointer dereference on error cases
In case wpa_supplicant is using driver_macsec_linux, but macsec module
is not (yet) loaded in the kernel, nl_socket_alloc() fails and drv->sk
is NULL. In this case, don't call libnl functions rntl_link_add() or
rtnl_link_change() using such NULL pointer, to prevent program from
getting segmentation faults like:

 Program received signal SIGSEGV, Segmentation fault.
 nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
 365             if (sk->s_local.nl_pid == 0) {
 (gdb) p sk
 $1 = (const struct nl_sock *) 0x0
 (gdb) bt
 #0  nl_socket_get_local_port (sk=sk@entry=0x0) at socket.c:365
 #1  0x00007ffff79c56a0 in nl_complete_msg (sk=sk@entry=0x0,
  msg=msg@entry=0x55555595a1f0) at nl.c:491
 #2  0x00007ffff79c56d1 in nl_send_auto (sk=sk@entry=0x0,
  msg=msg@entry=0x55555595a1f0) at nl.c:522
 #3  0x00007ffff79c652f in nl_send_sync (sk=sk@entry=0x0,
  msg=0x55555595a1f0) at nl.c:556
 #4  0x00007ffff755faf5 in rtnl_link_add (sk=0x0,
  link=link@entry=0x55555595b0f0, flags=flags@entry=1024) at route/link.c:1548
 #5  0x000055555567a298 in macsec_drv_create_transmit_sc (priv=0x55555593b130,
  sc=0x55555593b320, conf_offset=<optimized out>) at ../src/drivers/driver_macsec_linux.c:998

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2017-03-26 21:13:21 +03:00
Davide Caratti
e50df5d2a2 mka: Fix use-after-free when transmit secure channels are deleted
ieee802_1x_kay_deinit_transmit_sc() frees the transmit secure channel
data, but secy_delete_transmit_sc() still needs it. Since this functions
are called sequentially, secy_delete_transmit_sc() can be called from
ieee802_1x_kay_deinit_transmit_sc() before txsc is freed.

Fixes: 128f6a98b3 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2017-03-26 21:13:21 +03:00
Davide Caratti
529d6ed726 mka: Fix use-after-free when receive secure channels are deleted
ieee802_1x_kay_deinit_receive_sc() frees the receive secure channel data,
but secy_delete_receive_sc() still needs it. Since these two functions
are always called sequentially, secy_delete_receive_sc() can be called
from ieee802_1x_kay_deinit_receive_sc() before rxsc is freed.

Fixes: 128f6a98b3 ("mka: Fix the order of operations in secure channel deletion")
Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2017-03-26 21:13:21 +03:00
lifeng
6c2056abe5 QCA vendor attributes to extend antenna diversity functionality
1. Add new attribute to report corresponding antenna information to the
chain RSSI which is used in subcmd
QCA_NL80211_VENDOR_SUBCMD_GET_CHAIN_RSSI.

2. Add a series of attr to support the new wmi interface
WMI_PDEV_PARAM_ANT_DIV_USRCFG which export parameters setting of antenna
diversity algorithm to userspace.

Signed-off-by: Li Feng <lifeng@qti.qualcomm.com>
2017-03-15 21:30:00 +02:00
Zhang Qian
b4ae5f04dc Add vendor attribute to config propagation delay's absolute value
QCA_WLAN_VENDOR_ATTR_CONFIG_PROPAGATION_ABS_DELAY is added to set
propagation delay's absolute value. This is a more detailed version of
QCA_WLAN_VENDOR_ATTR_CONFIG_PROPAGATION_DELAY.

Signed-off-by: Zhang Qian <zhangq@qti.qualcomm.com>
2017-03-15 21:24:25 +02:00
Dmitry Shmidt
7f5f4e46ac Fix QCA_ATTR_NUD_STATS_IS_DAD value
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2017-03-14 21:11:18 +02:00
Jouni Malinen
2c0ac6d613 P2P: Run full P2P_FIND scan after pending scan completes
If a P2P_FIND command is issued for running the initial full scan and
the attempt to start that full scan fails, the previous behavior was to
wait for the ongoing scan to complete and then continue p2p_find scan
iterations. However, this continued with the social channels scan
instead of the initial full scan. This could end up missing the full
scan completely.

Fix this by marking the full scan pending if the new scan cannot be
started immediately. Then start the initial full scan after the ongoing
scan completes before moving to social channel only scan iterations.
This applies both for the P2P_FIND_START_WITH_FULL (no specific
frequency set) and P2P_FIND_PROGRESSIVE cases since both of them start
with a single full scan round.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-14 20:41:08 +02:00
Jouni Malinen
d3bb082a73 P2P: Continue scanning specified channel with P2P_FIND freq argument
This makes the "P2P_FIND freq=<MHz>" operation more robust by continuing
to include the specified frequency in the consecutive scan rounds
instead of including it only once in the first scan. In other words, the
first scan is only for the specified frequency just like the previous
behavior, but the following scans include all the social channels and
the specified frequency instead of just the previously used social
channels.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-13 12:50:50 +02:00
Jouni Malinen
76e20f4fa7 FILS: Add FILS SK auth PFS support in STA mode
This adds an option to configure wpa_supplicant to use the perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime network profile parameter fils_dh_group is used to enable
this by specifying which DH group to use. For example, fils_dh_group=19
would use FILS SK PFS with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Jouni Malinen
1764559eef FILS: Add FILS SK auth PFS support in AP mode
This adds an option to configure hostapd to enable use of perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime configuration parameter fils_dh_group is used to enable this
by specifying which DH group to use. For example, fils_dh_group=19 would
allow FILS SK PFS to be used with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Jouni Malinen
cad291d671 FILS: Define authentication algorithm for FILS SK auth with PFS
This is needed to add PFS support into hostapd and wpa_supplicant FILS
shared key authentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 22:39:38 +02:00
Jouni Malinen
07a5fe823e OWE: Use AKM 00-0F-AC:11 style parameters for EAPOL-Key frames
draft-harkins-owe-07.txt does not specify these parameters, so need to
pick something sensible to use for the experimental implementation. The
Suite B 128-bit level AKM 00-0F-AC:11 has reasonable parameters for the
DH group 19 case (i.e., SHA256 hash), so use it for now. This can be
updated if the OWE RFC becomes clearer on the appropriate parameters
(KEK/KCK/MIC length, PRF/KDF algorithm, and key-wrap algorithm).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
ef9627cbc7 Print the algorithms used for EAPOL-Key professing in log
This makes it easier to debug crypto algorithm selection for 4-way
handshake related functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
ef23838590 Return success/failure result from sha384_prf()
This makes the function more consistent with sha256_prf().

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 20:43:06 +02:00
Jouni Malinen
0a6147991e OWE: Process Diffie-Hellman Parameter element in STA mode
This adds STA side addition of OWE Diffie-Hellman Parameter element into
(Re)Association Request frame and processing it in (Re)Association
Response frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Jouni Malinen
09368515d1 OWE: Process Diffie-Hellman Parameter element in AP mode
This adds AP side processing for OWE Diffie-Hellman Parameter element in
(Re)Association Request frame and adding it in (Re)Association Response
frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Jouni Malinen
f9561868ec OWE: Add driver capability flag for OWE AKM
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Jouni Malinen
a1ea1b4522 OWE: Define and parse OWE AKM selector
This adds a new RSN AKM "OWE".

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Jouni Malinen
9c7aac738b OWE: Define and parse Diffie-Hellman Parameter element
Add WLAN_EID_EXT_OWE_DH_PARAM definition and extend
ieee802_11_parse_elems() to recognize this element.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 00:23:36 +02:00
Jouni Malinen
e73244c240 tests: Extract-and-Expand HKDF (RFC 5869)
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:40:31 +02:00
Jouni Malinen
4ec833daf8 Extend hmac_sha256_kdf() to support HKDF-Expand() as defined in RFC 5869
The KDF define in RFC 5295 is very similar to HKDF-Expand() defined in
RFC 5869. Allow a NULL label to be used to select the RFC 5869 version
with arbitrary seed (info in RFC 5869) material without forcing the
label and NULL termination to be included. HKDF-Expand() will be needed
for OWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:40:10 +02:00
Jouni Malinen
ae1ec1aaf2 OpenSSL: Add wrapper functions for ECDH
These allow ECDH to be used with compressed public key encoding (only
x-coordinate). This is needed for FILS PFS and OWE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-11 22:08:48 +02:00
Avraham Stern
e044a9d1e0 common: Add candidate list parsing helper function
Add a helper function that parses candidate list from command line
arguments.

This function will be used (in the following commits) to add
a candidate list to BSS transition management query.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-03-11 10:36:15 +02:00
Jouni Malinen
34f2851902 MBO: Parse MBO ANQP-element on STA
This extends the GAS/ANQP parser in wpa_supplicant to process MBO
ANQP-elements and indicate received Cellular Data Connection Preference
values over the control interface.

When a valid MBO ANQP-element is received, the following control
interface message is sent:

RX-MBO-ANQP <BSSID> cell_conn_pref=<value>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-10 18:57:12 +02:00
Jouni Malinen
941caed980 MBO: Add MBO ANQP-element processing on AP
This extends the GAS server to process MBO ANQP-elements and reply to a
query for the Cellular Data Connection Preference (if configured). The
new configuration parameter mbo_cell_data_conn_pref can be used to set
the value (0, 1, or 255) for the preference to indicate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-10 18:33:51 +02:00
Avraham Stern
2316cb358c MBO: Add option to add MBO query list to ANQP query
MBO techspec v0.0_r27 changed the MBO ANQP-element format. The MBO
element in ANQP query should now include an MBO Query List element that
contains a list of MBO elements to query.

Add API to add the MBO Query List to an ANQP query.

Format:
ANQP_GET <addr> <info_id>[,<info_id>]...[,mbo:<subtype>...]

Example for querying neighbor report with MBO cellular data
connection preference:
ANQP_GET <bssid> 272,mbo:2

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-03-10 16:53:10 +02:00
Vasanthakumar Thiagarajan
7cbb5f1a44 DFS: Handle pre-CAC expired event
As FCC DFS requirement does not explicitly mention about the validity of
the (pre-)CAC when channel is switched, it is safe to assume that the
pre-CAC result will not be valid once the CAC completed channel is
switched or radar detection is not active on the (CAC completed) channel
within a time period which is allowed (10 seconds - channel switch time)
as per FCC DFS requirement.

Use the new driver event to allow the driver to notify expiry of the CAC
result on a channel. Move the DFS state of the channel to 'usable' when
processing pre-CAC expired event.  This means any future operation on
that channel will require a new CAC to be completed. This event is
applicable only when DFS is not offloaded to the kernel driver.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-03-09 17:01:50 +02:00
Vasanthakumar Thiagarajan
62c8c7f721 nl80211: Handle pre-CAC expired event from the driver
Process the new nl80211 event NL80211_RADAR_PRE_CAC_EXPIRED to allow the
driver to notify expiry of the CAC result on a channel.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-03-09 17:01:36 +02:00
Jouni Malinen
caaaee072b Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2017-03-06.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-09 16:59:42 +02:00
Vasanthakumar Thiagarajan
3dcd735c1e DFS: Handle CAC completion event from other radio
When DFS channel state is shared across multiple radios on the system it
is possible that a CAC completion event is propagated from other radio
to us. When in enabled state, do not proceed with setup completion upon
processing CAC completion event with devices where DFS is not offloaded,
when in state other than enabled make sure the configured DFS channel is
in available state before start the AP.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2017-03-09 16:46:30 +02:00
Purushottam Kushwaha
d0330d57f3 nl80211: Add option to delay start of schedule scan plans
The userspace may want to delay the the first scheduled scan.
This enhances sched_scan to add initial delay (in seconds) before
starting first scan cycle. The driver may optionally choose to
ignore this parameter and start immediately (or at any other time).

This uses NL80211_ATTR_SCHED_SCAN_DELAY to add this via user
global configurable option: sched_scan_start_delay.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-09 15:44:26 +02:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Johannes Berg
dbdda355d0 Introduce os_memdup()
This can be used to clean the code and reduce size by converting
os_malloc() followed by os_memcpy() cases to use a single function call.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:18:49 +02:00
Kanchanapally, Vidyullatha
3ab484928a nl80211: Driver command for checking BTM accept/reject
Add driver interface command using the QCA vendor extensions to check
the driverr whether to accept or reject a BSS transition candidate. For
the reject case, report an MBO reject reason code.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-07 00:20:29 +02:00
Jouni Malinen
b9fd3c244e tests: Add TEST_FAIL() to radius_msg_add_attr()
This makes it easier to test error paths for RADIUS message
construction.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-05 16:37:52 +02:00
Jouni Malinen
de01f254a6 RADIUS server: Fix error paths in new session creation
radius_server_session_free() does not remove the session from the
session list and these radius_server_get_new_session() error paths ended
up leaving a pointer to freed memory into the session list. This
resulted in the following operations failing due to use of freed memory.

Fix this by using radius_server_session_remove() which removes the entry
from the list in addition to calling radius_server_session_free().

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-05 16:18:57 +02:00
Jouni Malinen
4c803dfcd7 ACS: Fix memory leak if interface is disabled during scan
The survey data was not freed if hostapd interface got disabled during
an ACS scan.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-04 17:30:15 +02:00
Jouni Malinen
29be2c090e ACS: Simplify code paths
This removes some unnecessarily duplicated return paths and simplifies
code paths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-04 17:30:10 +02:00
Jouni Malinen
fa07d2d463 tests: Add TEST_FAIL() checks in l2_packet
This enables additional test coverage for error paths.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-04 11:43:58 +02:00
Jouni Malinen
d4359923e1 Fix DHCP/NDISC snoop deinit followed by failing re-init
It was possible to hit a double-free on the l2_packet socket if
initialization of DHCP/NDISC snoop failed on a hostapd interface that
had previously had those enabled successfully. Fix this by clearing the
l2_packet pointers during deinit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-04 11:42:15 +02:00
Alexei Avshalom Lazar
160dca0784 Add QCA vendor command/attr for BRP antenna limit control
Add QCA_NL80211_VENDOR_SUBCMD_BRP_SET_ANT_LIMIT for setting the number
of antennas that will be active in different modes for each connection.

Signed-off-by: Alexei Avshalom Lazar <qca_ailizaro@qca.qualcomm.com>
2017-03-02 15:05:46 +02:00
Amarnath Hullur Subramanyam
e9518ae749 WFD: Add WFD R2 Subelements
Define and add support for WFD R2 Subelements.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 11:59:57 +02:00
Gaole Zhang
21ac782797 QCA nl80211 vendor attribute for specific sub-20 MHz channel width
Define a new attribute QCA_WLAN_VENDOR_ATTR_CONFIG_SUB20_CHAN_WIDTH.
This attribute can set a station device to work in 5 or 10 MHz channel
width while in disconnect state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 11:55:04 +02:00
Jouni Malinen
ff936bc753 Make the third octet of Country String configurable
The new hostapd.conf parameter country3 can now be used to configure the
third octet of the Country String that was previously hardcoded to ' '
(= 0x20).

For example:

All environments of the current frequency band and country (default)
country3=0x20

Outdoor environment only
country3=0x4f

Indoor environment only
country3=0x49

Noncountry entity (country_code=XX)
country3=0x58

IEEE 802.11 standard Annex E table indication: 0x01 .. 0x1f
Annex E, Table E-4 (Global operating classes)
country3=0x04

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 10:58:15 +02:00
Johannes Berg
5118319831 trace: Look up start to cope with ASLR
When ASLR is enabled, like it is by default on many distros now,
the trace code doesn't work right.

Fix this by looking up the start of the executable mapping and
subtracing it from all the lookups.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2017-02-28 11:37:19 +02:00
Jouni Malinen
206516e8c2 af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG)
CONFIG_TLS=linux can now be used to select the crypto implementation
that uses the user space socket interface (AF_ALG) for the Linux kernel
crypto implementation. This commit includes some of the cipher, hash,
and HMAC functions. The functions that are not available through AF_ALG
(e.g., the actual TLS implementation) use the internal implementation
(CONFIG_TLS=internal).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:15 +02:00
Jouni Malinen
b41d3e0a75 crypto: Process des_encrypt() error returns in callers
This updates all the des_encrypt() callers to handle error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:05 +02:00
Jouni Malinen
5f0e165e80 crypto: Add return value to DES and AES encrypt/decrypt
These operations may fail with some crypto wrappers, so allow the
functions to report their results to the caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:23:54 +02:00
Peng Xu
5b9f46df0e hostapd: Get channel number from frequency based on other modes as well
When getting the channel number from a frequency, all supported modes
should be checked rather than just the current mode. This is needed when
hostapd switches to a channel in different band.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:24:03 +02:00
Jouni Malinen
4c8836f139 FILS: Fix fils_hlp.c build with older netinet/udp.h definitions
The __FAVOR_BSD macro was previously used in netinet/udp.h to select
between two different names of the variables in struct udphdr. Define
that to force the versions with the uh_ prefix. In addition, use the
same style consistently within fils_hlp.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:18:29 +02:00
Jouni Malinen
57a2aacabf Add option to disable broadcast deauth in hostapd on AP start/stop
The new broadcast_deauth parameter can be used to disable sending of the
Deauthentication frame whenever AP is started or stopped. The default
behavior remains identical to the past behavior (broadcast_deauth=1).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
21ed24f5ad hostapd: Fix potential mesh-related change from impacting non-mesh cases
Commit 01e2231fdc ('hostapd: Skip some
configuration steps for mesh cases') removed some operations based on
hapd->iface->mconf being NULL. This was within #ifdef CONFIG_MESH, so it
should not impact hostapd, but it can impact AP mode with
wpa_supplicant. That does not sound intentional, so make these
conditional on hapd->conf->mesh being enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
869af30728 FILS: Use FILS Cache Identifier to extend PMKSA applicability
This allows PMKSA cache entries for FILS-enabled BSSs to be shared
within an ESS when the BSSs advertise the same FILS Cache Identifier
value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
ba9774bd76 FILS: Fix BSSID in reassociation case
The RSN supplicant implementation needs to be updated to use the new
BSSID whenever doing FILS authentication. Previously, this was only done
when notifying association and that was too late for the case of
reassociation. Fix this by providing the new BSSID when calling
fils_process_auth(). This makes PTK derivation use the correct BSSID.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 12:26:57 +02:00
Jouni Malinen
7eace3787c FILS: Find PMKSA cache entries on AP based on FILS Cache Identifier
This allows PMKSA cache entries to be shared between all the BSSs
operated by the same hostapd process when those BSSs use the same FILS
Cache Identifier value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 12:18:58 +02:00
Badrish Adiga H R
128f6a98b3 mka: Fix the order of operations in secure channel deletion
The correct order of deleting a secure channel is to purge all the
secure associations in the channel before actually deleting the secure
channel.

Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
2017-02-20 22:15:04 +02:00
Jouni Malinen
21fda4ee72 RSN: Fix pre-authentication EAPOL-Start startPeriod configuration
The RSN pre-authentication case ended up ignoring the initial
startPeriod value and delayed EAPOL-Start message by two seconds. Fix
this by forcing the first EAPOL-Start message to be sent when running
pre-authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-20 12:48:04 +02:00
Purushottam Kushwaha
3f23260da8 nl80211: Notify reason for connection timeout failure
This adds reason for timeout in event CTRL-EVENT-ASSOC-REJECT whenever
connection failure happens because of timeout. This extends the
"timeout" parameter in the event to include the reason, if available:
timeout=scan, timeout=auth, timeout=assoc.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-20 10:47:08 +02:00
Peng Xu
ca1ab9db2a hostapd: Get vendor HE capabilities
Allow hostapd query device HE capabilities via vendor command.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:39:33 +02:00
Peng Xu
7785c70bbb QCA vendor command for fetching HE capabilities
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:39:30 +02:00
Peng Xu
d512f406fc hostapd: Add IEEE 802.11ax HE IEs into Beacon/Probe Response frames
IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response
frames. These elements are using vendor specific forms for now since the
IEEE 802.11ax draft is not yet finalized and the element contents is
subject to change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:55 +02:00
Peng Xu
94380cb40a hostapd: Initial IEEE 802.11ax (HE) definitions
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:52 +02:00
Masashi Honma
5972dc73c1 mesh: Use correct rate in VHT and HT mixed environment
Let mesh STA A be a STA which has config disable_ht=0 and disable_vht=1.
Let mesh STA B be a STA which has config disable_ht=0 and disable_vht=0.
The mesh STA A and B was connected.

Previously, the mesh STA A sent frame with VHT rate even though its VHT
was disabled. This commit fixes the issue by checking the local BSS VHT
configuration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Masashi Honma
84ea61cffe mesh: Use correct rate in HT and legacy mixed environment
Let mesh STA A be a STA which has config disable_ht=1.
Let mesh STA B be a STA which has config disable_ht=0.
The mesh STA A and B was connected.

Previously, the mesh STA A sent frame with HT rate even though its HT
was disabled. This commit fixes the issue by checking the local BSS HT
configuration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Masashi Honma
a7a638c2c4 hw_features: Move VHT capabilities checks to common
This allows the previous AP-specific functions to be use for IBSS/mesh
setup in wpa_supplicant.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 15:53:05 +02:00
Jouni Malinen
e01cf2afc9 Define eapol_sm_get_eap_proxy_imsi() only with CONFIG_EAP_PROXY=y
This function is called only from locations within ifdef
CONFIG_EAP_PROXY, so there is no need to try to cover the not-defined
case here and the function can simply be removed completely if
CONFIG_EAP_PROXY=y is not used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-19 12:28:33 +02:00
Jouni Malinen
a8e25deeb8 FT: Merge similar error paths to use common steps
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-19 12:23:21 +02:00
Jouni Malinen
ecbdc1a1fc Mark RSN msg 1/2 key data debug dump as key material
This debug print can include GTK and IGTK, so use wpa_hexdump_key()
instead of wpa_hexdump() for it to avoid undesired exposure of keys in
debug log.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-18 21:39:01 +02:00
Jouni Malinen
834c5d6816 FILS: Fix PMK length for initial connection with FILS SHA384 AKM
While the FILS authentication cases were already using the proper PMK
length (48 octets instead of the old hardcoded 32 octet), the initial
association case had not yet been updated to cover the new FILS SHA384
AKM and ended up using only a 32-octet PMK. Fix that to use 48-octet PMK
when using FILS SHA384 AKM.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 22:15:29 +02:00
Jouni Malinen
e491389ebc FILS: Fix ifdef for PTK derivation with SHA384-based AKM
sha384_prf() is used both with Suite B and FILS, so add CONFIG_FILS as
another alternative to building in this functionality.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 22:15:29 +02:00
Jouni Malinen
2e555f9cb0 tests: Add HMAC-SHA256 and HMAC-SHA384 test vectors from RFC 4231
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 22:15:29 +02:00
Jouni Malinen
62944f7d2c Add HMAC-SHA384 with internal crypto
This is a copy of the internal HMAC-SHA256 implementation with the hash
block size and output length updated to match SHA384 parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-16 22:15:29 +02:00
Jouni Malinen
aeecd4eaec OpenSSL: Fix hmac_sha384_vector() implementation
The output length was incorrect (32 from the copy-pasted SHA256
version). Fix this to return the correct number of octets (48) for
SHA384. This fixes incorrect key derivation in FILS when using the
SHA384-based AKM.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 20:59:06 +02:00
Purushottam Kushwaha
5db32adc99 browser-wpadebug: Send HTTP response with HTTP/1.1 header
HTTP response was previously sent as a plaintext without the HTTP header
on port 12345. By default Android webview/Chrome assumes plaintext as
HTTP/0.9 data. Android webview/Chrome has removed support of HTTP/0.9
request/response on non-standard ports, i.e., other than port 80. This
results in error while opening URL 'http://localhost:12345/'.

Fix this by prefixing the HTTP response with the HTTP/1.1 header.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 13:35:44 +02:00
Jouni Malinen
79329ae0aa P2P: Verify local driver preferred frequencies for P2P use cases
Previously the peer operating channel preference was accepted if the
indicated frequency was listed in the local preference list from the
driver. This was assuming that the driver included only channels that
are currently enabled for GO operation. Since that might not be the
case, filter the local preference list by doing an explicit validation
of the indicated channels for P2P support.

This moves the similar validation steps from two other code paths in
p2p_check_pref_chan_recv() and p2p_check_pref_chan_no_recv() into a
common filtering step in p2p_check_pref_chan() for all three cases.

This avoids issues to start the GO in cases where the preferred
frequency list from the driver may include channels that are not
currently enabled for P2P GO use (e.g., 5 GHz band in world roaming
configuration).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 12:40:57 +02:00
Jouni Malinen
3a7819f0ad P2P: Add P2P_SET override_pref_op_chan to allow overriding preference
This new P2P_SET parameter uses <op_class>:<channel> format and is used
mainly for testing purposes to allow overriding the value of the GO
Negotiation Response frame Operating Channel attribute.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 12:08:22 +02:00
Jouni Malinen
364c064a41 FT: Check key derivation results explicitly in AP operations
Previously, any potential (even if very unlikely) local operation error
was ignored. Now these will result in aborting the negotiation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-14 16:33:01 +02:00
Jouni Malinen
f229f2c67d tests: Add TEST_FAIL() to OpenSSL aes_wrap() and aes_unwrap()
This makes it easier to add more testing coverage for error paths.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-14 10:53:10 +02:00
Jouni Malinen
885bbd4de3 WNM: Remove unused code from BSS TM Req generation
The url argument to ieee802_11_send_bss_trans_mgmt_request() was
hardcoded to NULL in the only caller, so this code cannot be reached.
wnm_send_bss_tm_req() construct the same frame with more generic
parameters, including option for including the URL, so
ieee802_11_send_bss_trans_mgmt_request() can be simplified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
e7ddd86a98 WNM: Use a common error path in ieee802_11_send_wnmsleep_resp()
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
d6d5970e23 WNM: Fix WNM-Sleep Mode Request parsing for WNM-Sleep element
The length of the WNM-Sleep element was not verified before using it.
This could result in reading the subfields in this element (total of
four octets) beyond the end of the buffer. Fix this by ignoring the
element if it is not long enough to contain all the subfields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
8492cc79c0 PeerKey: Remove dead code related to STSL negotiation state
The struct wpa_stsl_negotiation seemed to have been for some kind of
tracking of state of PeerKey negotiations within hostapd. However,
nothing is actually adding any entries to wpa_auth->stsl_negotiations or
using this state. Since PeerKey does not look like something that would
be deployed in practice, there is no justification to spend time on
making this any more complete. Remove the dead code now instead of
trying to figure out what it might be used for.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 11:15:49 +02:00
Jouni Malinen
0d60567030 WMM: Fix estimated medium time calculation for some corner cases
It was possible for the int medium_time variable to overflow, so use a
64-bit unsigned integer to get a large enough value for the
multiplication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 12:12:28 +02:00
Jouni Malinen
ae26d30213 Fix "IEEE 802.11: Ignored Action frame" debug message
The arguments to printf were in incorrect order which resulted in
incorrect STA address in the debug message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 12:08:12 +02:00
Jouni Malinen
4ead4c7ecd WMM: Remove obsolete TODO comments
These are more about kernel behavior than anything that hostapd would
implement.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:29:18 +02:00
vamsi krishna
20c846d9ee nl80211: sched_scan relative RSSI parameters
Add driver interface support to set sched_scan relative RSSI parameters
and to indicate driver support for this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Badrish Adiga H R
37e9f511eb mka: Send MKPDUs forever if mode is PSK
Issue: When 2 peers are running MACsec in PSK mode with CA
established, if the interface goes down and comes up after
time > 10 seconds, CA does not get re-established.

Root cause: This is because retry_count of both the peers
would have reached MAX_RETRY_CNT and stays idle for other to
respond. This is clear deadlock situation where peer A waits
for MKA packets from peer B to wake up and vice-versa.

Fix: If MACsec is running in PSK mode, we should send MKPDUs
forever for every 2 seconds.

Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
76aa318381 EAP: Call deinit_for_reauth() for Phase 2 EAP methods
EAP-TTLS/PEAP/FAST were previously doing this for init_for_reauth(), but
not for deinit_for_reauth(). Add the deinit_for_reauth() call as well to
cover cases like EAP-AKA cleaup of AT_CHECKCODE data.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
02156b98b7 EAP-AKA: Don't use anonymous identity in phase2
This adds the same changes to EAP-AKA that were previous done for
EAP-SIM to allow functionality within an EAP-TTLS/PEAP/FAST tunnel
without causing issues to the phase 1 identity string.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Paul Stewart
9e2afe10e6 EAP-SIM: Don't use anonymous identity in phase2
The "anonymous_identity" configuration field has more than one
semantic meaning. For tunneled EAP methods, this refers to the
outer EAP identity. For EAP-SIM, this refers to the pseudonym
identity. Also, interestingly, EAP-SIM can overwrite the
"anonymous_identity" field if one is provided to it by the
authenticator.

When EAP-SIM is tunneled within an outer method, it makes sense
to only use this value for the outer method, since it's unlikely
that this will also be valid as an identity for the inner EAP-SIM
method. Also, presumably since the outer method protects the
EAP-SIM transaction, there is no need for a pseudonym in this
usage.

Similarly, if EAP-SIM is being used as an inner method, it must
not push the pseudonym identity using eap_set_anon_id() since it
could overwrite the identity for the outer EAP method.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-02-10 19:48:12 +02:00