Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher
to protect the messages.
This needs at least 32 byte long keys. These can be provided either
by a config file change or letting a KDF derive the 32 byte key used
from the 16 byte key given.
This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Replace the previously used extension of IEEE 802.11 managed Ethertype
89-0d (originally added for Remote Request/Response in IEEE 802.11r)
with Ethertype 88-b7 (OUI Extended EtherType) for FT inter-AP
communication. The new design uses a more properly assigned identifier
for the messages.
This assigns the OUI 00:13:74 vendor-specific subtype 0x0001 for the new
hostapd AP-to-AP communication purposes. Subtypes 1 (PULL), 2 (RESP),
and 3 (PUSH) are also assigned in this commit for the R0KH-R1KH
protocol.
This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Commit 941caed980 ('MBO: Add MBO
ANQP-element processing on AP') changed the design by using the
rx_anqp_vendor_specific() function to process all ANQP vendor specific
elements. However, the caller for this was within ifdef CONFIG_HS20
block. Fix this by calling the function even in CONFIG_HS20=y is not
included in the build. This fixes CONFIG_MBO=y builds without
CONFIG_HS20=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
When starting AP in HT40 mode and both HT40+ and HT40- options are
specified in hostapd.conf, select a valid secondary channel for the AP
automatically.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Allow this function to be called from outside ieee802_11.c and with the
final steps replaced through a callback function.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This function does not need the frame header, so pass in only the IE
area to make it easier to share this for driver-based AP SME handling.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is used with partial AP SME in driver cases to enable FILS
association (AES-SIV) processing.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to add more parameters without having to change the
callback function prototype.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
MDE was already added with RSNE, but FTE needed to be added to the FILS
Authentication frame for the FT initial mobility domain association
using FILS authentication case.
Signed-off-by: Jouni Malinen <j@w1.fi>
With AP-AP communication, when hapd0 sends a packet, hapd1 can receive
it immediately and send a response. But hapd0 will only read and process
the response after it has returned from the sending context, that is
entered eloop again. So one does not need to consider the RX function of
the reply to run for the request sending hapd before the send calling
function has returned.
Previously, with intra-process communication, the packet is not
scheduled through eloop. Thus the RX handler of the reply might be run
while the sending context of the original request has not returned.
This might become problematic, e.g., when deferring a management frame
processing until an RRB response is received and then have the request
restarted and finished before the original request handling has been
stopped.
I'm not aware of any concrete bug this is currently triggering but came
across it while thinking of FT RRB AP-AP sequence numbering.
I think the non-eloop scheduling approach might be error-prone and thus
propose to model it more closely to the way the message would be
received from a socket. Additionally, this ensures that the tests model
AP-AP communication more closely to real world.
Solution: queue these packets through eloop.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
With multiple interface like AP and station which is already
associated to some other AP, when we try to do channel switch
for the AP mode (different from the operation channel support of
station) and if the AP channel switch fails continously (including
the fallback channel switch), results in a crash due to NULL pointer
dereference. This is because hostapd_deinit_driver() assigns the
driver context (drv_priv) to NULL as we are not able to bring up
the interface with a new channel
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
This fixes the following compiler warning:
wpa_auth.c:4249:34: error: address of array 'a->conf.fils_cache_id'
will always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds an option to configure hostapd to enable use of perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime configuration parameter fils_dh_group is used to enable this
by specifying which DH group to use. For example, fils_dh_group=19 would
allow FILS SK PFS to be used with a 256-bit random ECP group.
Signed-off-by: Jouni Malinen <j@w1.fi>
draft-harkins-owe-07.txt does not specify these parameters, so need to
pick something sensible to use for the experimental implementation. The
Suite B 128-bit level AKM 00-0F-AC:11 has reasonable parameters for the
DH group 19 case (i.e., SHA256 hash), so use it for now. This can be
updated if the OWE RFC becomes clearer on the appropriate parameters
(KEK/KCK/MIC length, PRF/KDF algorithm, and key-wrap algorithm).
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds AP side processing for OWE Diffie-Hellman Parameter element in
(Re)Association Request frame and adding it in (Re)Association Response
frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the GAS server to process MBO ANQP-elements and reply to a
query for the Cellular Data Connection Preference (if configured). The
new configuration parameter mbo_cell_data_conn_pref can be used to set
the value (0, 1, or 255) for the preference to indicate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
As FCC DFS requirement does not explicitly mention about the validity of
the (pre-)CAC when channel is switched, it is safe to assume that the
pre-CAC result will not be valid once the CAC completed channel is
switched or radar detection is not active on the (CAC completed) channel
within a time period which is allowed (10 seconds - channel switch time)
as per FCC DFS requirement.
Use the new driver event to allow the driver to notify expiry of the CAC
result on a channel. Move the DFS state of the channel to 'usable' when
processing pre-CAC expired event. This means any future operation on
that channel will require a new CAC to be completed. This event is
applicable only when DFS is not offloaded to the kernel driver.
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
When DFS channel state is shared across multiple radios on the system it
is possible that a CAC completion event is propagated from other radio
to us. When in enabled state, do not proceed with setup completion upon
processing CAC completion event with devices where DFS is not offloaded,
when in state other than enabled make sure the configured DFS channel is
in available state before start the AP.
Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.
The mechanical conversions all over the code were done with
the following spatch:
@@
expression SIZE, SRC;
expression a;
@@
-a = os_malloc(SIZE);
+a = os_memdup(SRC, SIZE);
<...
if (!a) {...}
...>
-os_memcpy(a, SRC, SIZE);
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
It was possible to hit a double-free on the l2_packet socket if
initialization of DHCP/NDISC snoop failed on a hostapd interface that
had previously had those enabled successfully. Fix this by clearing the
l2_packet pointers during deinit.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd.conf parameter country3 can now be used to configure the
third octet of the Country String that was previously hardcoded to ' '
(= 0x20).
For example:
All environments of the current frequency band and country (default)
country3=0x20
Outdoor environment only
country3=0x4f
Indoor environment only
country3=0x49
Noncountry entity (country_code=XX)
country3=0x58
IEEE 802.11 standard Annex E table indication: 0x01 .. 0x1f
Annex E, Table E-4 (Global operating classes)
country3=0x04
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When getting the channel number from a frequency, all supported modes
should be checked rather than just the current mode. This is needed when
hostapd switches to a channel in different band.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The __FAVOR_BSD macro was previously used in netinet/udp.h to select
between two different names of the variables in struct udphdr. Define
that to force the versions with the uh_ prefix. In addition, use the
same style consistently within fils_hlp.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new broadcast_deauth parameter can be used to disable sending of the
Deauthentication frame whenever AP is started or stopped. The default
behavior remains identical to the past behavior (broadcast_deauth=1).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 01e2231fdc ('hostapd: Skip some
configuration steps for mesh cases') removed some operations based on
hapd->iface->mconf being NULL. This was within #ifdef CONFIG_MESH, so it
should not impact hostapd, but it can impact AP mode with
wpa_supplicant. That does not sound intentional, so make these
conditional on hapd->conf->mesh being enabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows PMKSA cache entries to be shared between all the BSSs
operated by the same hostapd process when those BSSs use the same FILS
Cache Identifier value.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response
frames. These elements are using vendor specific forms for now since the
IEEE 802.11ax draft is not yet finalized and the element contents is
subject to change.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Let mesh STA A be a STA which has config disable_ht=0 and disable_vht=1.
Let mesh STA B be a STA which has config disable_ht=0 and disable_vht=0.
The mesh STA A and B was connected.
Previously, the mesh STA A sent frame with VHT rate even though its VHT
was disabled. This commit fixes the issue by checking the local BSS VHT
configuration.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Let mesh STA A be a STA which has config disable_ht=1.
Let mesh STA B be a STA which has config disable_ht=0.
The mesh STA A and B was connected.
Previously, the mesh STA A sent frame with HT rate even though its HT
was disabled. This commit fixes the issue by checking the local BSS HT
configuration.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
While the FILS authentication cases were already using the proper PMK
length (48 octets instead of the old hardcoded 32 octet), the initial
association case had not yet been updated to cover the new FILS SHA384
AKM and ended up using only a 32-octet PMK. Fix that to use 48-octet PMK
when using FILS SHA384 AKM.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, any potential (even if very unlikely) local operation error
was ignored. Now these will result in aborting the negotiation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The url argument to ieee802_11_send_bss_trans_mgmt_request() was
hardcoded to NULL in the only caller, so this code cannot be reached.
wnm_send_bss_tm_req() construct the same frame with more generic
parameters, including option for including the URL, so
ieee802_11_send_bss_trans_mgmt_request() can be simplified.
Signed-off-by: Jouni Malinen <j@w1.fi>
The length of the WNM-Sleep element was not verified before using it.
This could result in reading the subfields in this element (total of
four octets) beyond the end of the buffer. Fix this by ignoring the
element if it is not long enough to contain all the subfields.
Signed-off-by: Jouni Malinen <j@w1.fi>
The struct wpa_stsl_negotiation seemed to have been for some kind of
tracking of state of PeerKey negotiations within hostapd. However,
nothing is actually adding any entries to wpa_auth->stsl_negotiations or
using this state. Since PeerKey does not look like something that would
be deployed in practice, there is no justification to spend time on
making this any more complete. Remove the dead code now instead of
trying to figure out what it might be used for.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the int medium_time variable to overflow, so use a
64-bit unsigned integer to get a large enough value for the
multiplication.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to maintain different return paths for STA being
completely not present and not authorized, so merge these into a single
case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This 16-bit field uses little endian encoding and it must be read with
WPA_GET_LE16() instead of assuming host byte order is little endian. In
addition, this could be misaligned, so using a u16 pointer here was not
appropriate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hapd->acl_cache and hapd->acl_queries were not reset back to NULL in
hostapd_acl_deinit() when cached results and pending ACL queries were
freed. This left stale pointers to freed memory in hapd. While this was
normally followed by freeing of the hapd data, it is possible to re-use
that hapd when disabling and re-enabling an interface. That sequence
could result in use of freed memory if done while there were cached
results or pending ACL operations with a RADIUS server (especially, if
that server did not reply).
Fix this by setting hapd->acl_queries to NULL when the pending entries
are freed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The "!wpabuf_resize(...) == 0" condition does not make any sense. It
happens to work, but this is really supposed to simple check with
wpabuf_resize() returns non-zero and "wpabuf_resize(...)" is the
cleanest way of doing so.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the OSU Providers configuration was invalid (included osu_server_uri
but not osu_method_list), it was possible for the GAS response
generation to hit a NULL dereference. Fix this by checking for the
invalid configuration before trying to fill in the OSU methods.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It can happen if the station is unreachable or sleeping longer than
the actual total GTK rekey timeout. To fix the latter case
wpa_group_update_count may be increased.
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).
Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
Some channels fail to be set, when falling back to 20 MHz, due to
remaining VHT info of center freq. As we are going to 20 MHz, reset the
VHT center frequency segment information as well.
Signed-off-by: Eduardo Abinader <eduardoabinader@gmail.com>
Commit 91d91abf6f ('FILS: DHCP relay for
HLP requests') added steps that are conditional on sta->fils_hlp_resp
being non-NULL. One of these cases within send_assoc_resp() was properly
protected from sta == NULL error case (that is now possible after a
recent DMG change), but the first one was not. A DMG error case in a
CONFIG_FILS=y build could have hit a NULL pointer dereference here. Fix
this by verifying sta != NULL more consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
P802.11i/D3.0 described the Key Length as having value 16 for the group
key handshake. However, this was changed to 0 in the published IEEE Std
802.11i-2004 amendment (and still remains 0 in the current standard IEEE
Std 802.11-2016). We need to maintain the non-zero value for WPA (v1)
cases, but the RSN case can be changed to 0 to be closer to the current
standard.
Signed-off-by: Jouni Malinen <j@w1.fi>
While the IEEE Std 802.11-2016 is still indicating that GNonce would be
exchanged in EAPOL-Key messages (see, e.g., Figure 12-52 showing the
Send EAPOL-Key operation in the REKEYNEGOTIATING state or the sample
group key handshake in Figure 12-47), there are also examples of
describing this field as having value zero (e.g., 12.7.7.2 Group key
handshake message 1).
GNonce is used only with the Authenticator and the Supplicant does not
have any use for it, so it is better not to expose that internal value.
Hardcode the Key Nonce field to 0 in EAPOL-Key group message 1/2.
Signed-off-by: Jouni Malinen <j@w1.fi>
sm->Pair needs to be initialized to TRUE since unicast cipher is
supported and this is an ESS. However, the normal place for setting this
(WPA_PTK::INITIALIZE) is skipped with using FT protocol or FILS
authentication, so need to do that separately when forcing PTKINITDONE.
Signed-off-by: Jouni Malinen <j@w1.fi>
The local custom version of allocating and initializing struct
hostapd_data within wpa_supplicant_mesh_init() is problematic. This has
already missed couple of initialization steps that are required. Instead
of trying to remember to keep this up to date, use
hostapd_alloc_bss_data() so that there is only one place for this
initialization.
This is fixing a recent issue where FILS HLP started using
hapd->dhcp_server and expected that to be initialized to -1. For the
mesh case, that did not happen and when removing the interface, the FILS
HLP implementation ended up unregistering eloop socket for
hapd->dhcp_server (= 0). This could result in missing socket callbacks
for an arbitrary socket.
Signed-off-by: Jouni Malinen <j@w1.fi>
The hostapd processing of the AES-SIV AAD was incorrect. The design for
the AAD changed between P802.11ai/D7.0 and D8.0 from a single vector
with concatenated data to separate vectors. The change in the
implementation had missed the change in the aes_siv_decrypt() call for
the num_elem parameter. This happened to work with the mac80211
implementation due to a similar error there.
Fix this by using the correct numbers of vectors in the SIV AAD so that
all the vectors get checked. The last vector was also 14 octets too long
due to incorrect starting pointer, so fix that as well. The changes here
are not backwards compatible, i.e., a similar fix in the Linux mac80211
is needed to make things interoperate again.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.
The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Do not depend on undefined behavior with pointer arithmetic when
checking whether there is sufficient room for an option.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These can be reused for other purposes than just the DHCP snoofing for
Proxy ARP. In addition, use more complete definition of the parameters
based on the current IANA registry.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
With device_ap_sme disabled, ACL was checked upon authentication
request. In 802.11ad there is no authentication phase so need to check
ACL upon association.
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
Previously, the temporary STA session timeout was set to 5 seconds. If
gas_comeback_delay is configured to be longer than 5 seconds, GAS
Comeback Response frame can't include queried information as all pending
data has already been cleared due to session timeout. This commit
resolves the issue by setting session timeout to be larger than
gas_comeback_delay.
Signed-off-by: Daniel Kim <kimdan@qca.qualcomm.com>
Instead of copying the struct wpa_auth_callbacks, just keep a pointer to
it, keep the context pointer separate, and let the user just provide a
static const structure. This reduces the attack surface of heap
overwrites, since the function pointers move elsewhere.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This adds parsing of received FILS HLP requests from (Re)Association
Request frames. The reassembled requests are verified to be in valid
format and are printed in debug output. However, actual processing or
forwarding of the packets is not yet implemented, i.e., the vendor
specific frame filtering logic is for now practically dropping all HLP
requests.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These commnds are mesh version of PMKSA_GET/ADD commands. So the usage
and security risk is similar to them. Refer to
commit 3459381dd2 ('External persistent
storage for PMKSA cache entries') also.
The MESH_PMKSA_GET command requires peer MAC address or "any" as an
argument and outputs appropriate stored PMKSA cache. And the
MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-store
the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache,
wpa_supplicant can skip commit message creation which can use
significant CPU resources.
The output of the MESH_PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <expiration in seconds>
The example of MESH_PMKSA_ADD command is this.
MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180
This functionality is disabled by default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Relational operators (==) have higher precedence than the ternary
conditional in C. The last_subtype check for association/reassociation
was broken due to incorrect assumption about the precedence. Fix this by
adding parenthesis around the ternary conditional.
The previous implementation worked for Association Request frames by
accident since WLAN_FC_STYPE_ASSOC_REQ happens to have value 0 and when
the last receive frame was an Association Request frame, the
sta->last_subtype == reassoc check was true and non-zero
WLAN_FC_STYPE_REASSOC_REQ was interpreted as true. However, this was
broken for Reassociation Request frame. reassoc == 1 in that case could
have matched received Association Response frame (subtype == 1), but
those are not received in AP mode and as such, this did not break other
behavior apart from not being able to drop duplicated Reassociation
Request frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds helper functions for deriving PMK and PMKID from ERP exchange
in FILS shared key authentication as defined in IEEE Std 802.11ai-2016,
12.12.2.5.2 (PMKSA key derivation with FILS authentication). These
functions is used to fix PMK and PMKID derivation which were previously
using the rMSK directly as PMK instead of following the FILS protocol to
derive PMK with HMAC from nonces and rMSK.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Check the action TX status callback contents more thoroughly and report
the BEACON-REQ-TX-STATUS event only if the Measurement Type indicates
beacon report.
Signed-off-by: Jouni Malinen <j@w1.fi>
Authentication and Deauthentication frames are not used in DMG/IEEE
802.11ad networks. For DMG/IEEE 802.11ad the following was implemented:
Upon receiving association request, allocate the sta object and
initialize it as if authentication took place. Upon receiving
disassociation, deallocate the sta object.
ap_sta_disassociate/ap_sta_deauthenticate/ap_sta_disconnect all use
disassociation instead of deauthentication. In driver_nl80211,
i802_sta_deauth() is routed to i802_sta_disassoc().
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
Supported Rates element is not present in DMG/IEEE 802.11ad frames. Make
copy_supp_rates() immediately return with success if hardware mode is
IEEE 802.11ad.
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
The new hostapd control interface event "BEACON-RESP-RX <STA address>
<dialog token> <report mode> <beacon report>" is now used to report
received beacon reports as a reponse to the REQ_BEACON operation.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new BEACON-REQ-TX-STATUS control interface event is now used to
report whether a beacon request (from REQ_BEACON command) was delivered
successfully. This event has the following parameters: <STA address>
<dialog token> <ack=0/1>.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new control interface command "REQ_BEACON <STA addr>
[req_mode=<mode>] <beacon request>" can now be used to request hostapd
to transmit a measurement request to request a beacon report from an
associated STA. This command returns the assigned dialog token (1-255)
or FAIL on failure.
Signed-off-by: Jouni Malinen <j@w1.fi>
The loop to add hash values was supposed to be limited to at most 10000
values, but the count variable was not being decremented in the loop.
Fix this by decrementing counting for each iteration. This fixes
ANQP-element format in the unlikely case of there being more than 10000
configuration realms.
Signed-off-by: Jouni Malinen <j@w1.fi>
The actual BSS configuration parameter can be updated with the SET
control interface command, so there is no need to maintain a separate
per-BSS parameter and a separate control interface handling for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the hostapd ft_over_ds parameter was used to only advertise
whether FT-over-DS is enabled in MDE and leave it to the stations to
follow that advertisement. This commit extends this to explicitly reject
(silently drop) FT Action frames if a station does not follow the
advertised capabilities.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, this was noted in error log, but the invalid value was
stored in the configuration without rejecting it.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to try to do driver operations before the driver
interface had been initialized when processing a SIGHUP signal. This
would result in NULL pointer dereference. Fix this by skipping the steps
when SIGHUP is issued before the interface is enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
This function is already checking the fname argument against NULL, so
use that check on its own instead of duplicating the check in the only
caller.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is apparently possible for the NL80211_CMD_UNEXPECTED_4ADDR_FRAME
event to be delivered to hostapd before the NL80211_CMD_FRAME_TX_STATUS
event for (Re)Association Response frame. This resulted in the 4-address
WDS mode not getting enabled for a STA. This could occur in particular
when operating under heavy load and the STA is reconnecting to the same
AP in a sequence where Deauthentication frame is followed immediately by
Authentication frame and the driver event processing gets delayed due to
removal of the previous netdev taking time in the middle of this
sequence.
Fix this by recording a pending item for 4-address WDS enabling if the
NL80211_CMD_UNEXPECTED_4ADDR_FRAME event would have been dropped due to
incompleted association and then process this pending item if the TX
status for the (Re)Association Response frame is received and it shows
that the frame was acknowledged.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new hostapd configuration parameter fils_realm=<realm> can now be
used to configure one or more FILS realms to advertise for ERP domains
when using FILS. This replaces the use of erp_domain=<domain> parameter
for the FILS use case.
Signed-off-by: Jouni Malinen <j@w1.fi>
P802.11ai/D7.0 changed from CRC32 to SHA256 as the hash algorithm for
the FILS realm name. Update the implementation to match that change.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the secondary channel was not found at all, no debug print was shown
to indicate that the channel was rejected due to that problem. Print a
clearer message indicating which channel was behind the reason to reject
channel configuration as unsuitable for AP mode.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd didn't send "TERMINATING" event when stopped by
SIGTERM. Android handles this event to stop monitor thread.
This commit adds "TERMINATING" event same as with wpa_supplicant.
Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
Previously, os_sleep() was used to block the hostapd (or wpa_supplicant
AP/P2P GO mode) processing between sending out EAP-Failure and
disconnecting the STA. This is not ideal for couple of reasons: it
blocks all other parallel operations in the process and it leaves a
window during which the station might deauthenticate and the AP would
have no option for reacting to that before forcing out its own
Deauthentication frame which could go out after the STA has already
started new connection attempt.
Improve this design by scheduling an eloop timeout of 10 ms instead of
the os_sleep() call and perform the delayed operations from the eloop
callback function. This eloop timeout is cancelled if the STA
disconnects or initiates a new connection attempt before the 10 ms time
is reached. This gets rid of the confusing extra Deauthentication frame
in cases where the STA reacts to EAP-Failure by an immediate
deauthentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.
By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.
When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.
This also does not implement Directed Multicast Service (DMS).
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
We should unconditionally remove inactivity timers for wired network
cases. This commit checks for this after a new station association:
hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED
and then cancels the timeout and does not register a new one.
It prints out a debug message like this:
1476740180.276286: IEEE 802.1X: 00:02:00:00:00:07 CTRL_DIR entering
state FORCE_BOTH
1476740180.276295: hostapd_new_assoc_sta: canceled wired ap_handle_timer
timeout for 00:02:00:00:00:07
This was tested on a debian jessie amd64 system with a configured 120
second inactivity timer and the session did not timeout.
Signed-off-by: Sam Tannous <stannous@cumulusnetworks.com>
Data connection was lost if a station reassociated without the STA entry
being cleaned up on the AP side. Fix this by moving reconfiguration of
the STA WDS parameters in association response callback to happen only
after the STA flags have been updated to associated stated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This fixes a regression from commit
bb598c3bdd ('AP: Add support for full
station state'). That commit added code to remove and re-add the kernel
STA entry when processing Authentication frames with a driver that
advertises support for full AP client state. That resulted in bypassing
PMF protections for unprotected Authentication frames with such drivers
since the TK was lost in this operation.
It is simplest to skip the STA entry clearing in this type of case
completely to leave the TK in place and to process the new
authentication exchange otherwise normally. This matches the behavior
used with the drivers that do not implement full AP client state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE Std 802.11-2012, 12.4.2 states that if an MDE is present in an
(Re)Association Request frame but the RSNE uses a non-FT AKM suite, the
AP shall reject the association using status code 43 ("Invalid AKMP").
wpa_validate_wpa_ie() now explicitly checks for this condition to meet
this requirement instead of simply ignoring the MDE based on non-FT AKM.
Signed-off-by: Will Glynn <will@willglynn.com>
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:
Legacy (CCK/OFDM rates):
beacon_rate=<legacy rate in 100 kbps>
HT:
beacon_rate=ht:<HT MCS>
VHT:
beacon_rate=vht:<VHT MCS>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the anqp_elem configuration parameter support for new Info
IDs (270 (TDLS Capability) was previously missed from the list of
defined values, 280 has already been assigned in REVmc/D8.0; 281..299
are yet to be assigned). No additional source code changes are needed to
allow hostapd to advertise support for these if the ANQP-element value
is set with the anqp_elem parameter.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.
Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The Channel Center Frequency Segment subfields use the channel index
instead of frequency in MHz.
Signed-off-by: Beni Lev <beni.lev@intel.com>
Signed-off-by: David Spinadel <david.spinadel@intel.com>
The return value from this function may be used in an outgoing message,
so use a valid status code instead of -1.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add a configuration option in hostapd.conf and in neighbor report that
sets an AP as stationary. To enable this option on the current AP set
the config option stationary_ap to 1. To set a neighbor entry to be
marked as stationary add the word stat to the SET_NEIGHBOR command. This
option tells hostapd to send LCI data even if it is older than requested
by max age subelement in RRM request.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
It is possible that a LCI or location civic configuration buffer
is valid but contains no data. In such a case do not add the LCI
and location civic information to the entry in the neighbor
data base.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This has already been done for WEP, but there's same constraint for not
allowing VTH rates in case of TKIP.
Signed-off-by: Filip Matusiak <filip.matusiak@tieto.com>
Add signal level information to the station tracking information. Also
make it available via the "TRACK_STA_LIST" control command.
Signed-off-by: Kevin Mahoney <k.mahoney@cablelabs.com>
This makes wpa_remove_ptk() call to wpa_auth_set_key() more consistent
with all the other calls that verify the return value to keep static
analyzers happier.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This implements processing of FILS Authentication frame for FILS shared
key authentication with ERP and PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ieee802_1x_encapsulate_radius() and ieee802_1x_alloc_eapol_sm() need to
be called from FILS processing.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This changes 4-way handshake authenticator processing to decrypt the
EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before
processing the Key Data field. This replaces Key MIC validation for the
cases where AEAD cipher is used. This needs to move the EAPOL-Key msg
2/4 RSN element processing to happen only after the PTK has been derived
and validated. That is done for all AKMs to avoid extra complexity with
having to maintain two code paths for this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the
previous fixed length Key MIC field with a variable length field. That
change was addressed with an addition of a new struct defined for the
second MIC length. This is not really scalable and with FILS coming up
with a zero-length MIC case for AEAD, a more thorough change to support
variable length MIC is needed.
Remove the Key MIC and Key Data Length fields from the struct
wpa_eapol_key and find their location based on the MIC length
information (which is determined by the AKMP). This change allows the
separate struct wpa_eapol_key_192 to be removed since struct
wpa_eapol_key will now include only the fixed length fields that are
shared with all EAPOL-Key cases in IEEE Std 802.11.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Calculate the hashed realm from hostapd erp_domain configuration
parameter and add this to the FILS Indication element when ERP is
enabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If FILS is enabled, indicate that in Beacon, Probe Response, and
(Re)Association Response frames in the Extended Capabilities element.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Station should be able to connect initially without ft_pmk_cache filled,
so the target AP has the PSK available and thus the same information as
the origin AP. Therefore neither caching nor communication between the
APs with respect to PMK-R0 or PMK-R1 or VLANs is required if the target
AP derives the required PMKs locally.
This patch introduces the generation of the required PMKs locally for
FT-PSK. Additionally, PMK-R0 is not stored (and thus pushed) for FT-PSK.
So for FT-PSK networks, no configuration of inter-AP communication is
needed anymore when using ft_psk_generate_local=1 configuration. The
default behavior (ft_psk_generate_local=0) remains to use the pull/push
protocol.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The reason detail field was removed from non_pref_chan attr in MBO
v0.0_r25 draft. Don't parse for this element to be compliant with the
latest drafr.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
A weakness in the initial client taxonomy mechanism is from storing both
the Probe and Associate in struct sta_info. struct sta_info is created
after a client associates (or starts authentication frame exchange),
which means that any Probe Request frames sent prior to association are
not retained. The Associate Request frame has to be seen, and then
another Probe Request frame after association, before we have a
signature for the client.
Most clients send lots of Probe Request frames (lots and lots and lots
of Probes, actually), but a few do not. ChromeOS is notably sparing in
sending Probe Request frames, it can take a long time before a signature
for a ChromeOS device is available.
Store the most recent Probe Request frame in struct hostapd_sta_info
tracking list. When a struct sta_info is created, move the Probe Request
frame information from struct hostapd_sta_info to struct sta_info.
Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)
Implement the signature mechanism described in the paper
"Passive Taxonomy of Wifi Clients using MLME Frame Contents"
published by Denton Gentry and Avery Pennarun.
http://research.google.com/pubs/pub45429.htmlhttps://arxiv.org/abs/1608.01725
This involves:
1. Add a CONFIG_TAXONOMY compile option. Enabling taxonomy incurs
a memory overhead of up to several kilobytes per associated
station.
2. If enabled, store the Probe Request and (Re)Associate Request frame in
struct sta_info.
3. Implement code to extract the ID of each Information Element,
plus selected fields and bitmasks from certain IEs, into a
descriptive text string. This is done in a new source file,
src/ap/taxonomy.c.
4. Implement a "signature qq:rr:ss:tt:uu:vv" command
in hostapd_cli to retrieve the signature.
Signatures take the form of a text string. For example, a signature
for the Nexus 5X is:
wifi4|probe:0,1,127,45,191,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:338061b2,
vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:00000a0201000040|assoc:0,1,48,45,
221(0050f2,2),191,127,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:339071b2,
vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:0000000000000040
Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)