Commit Graph

1518 Commits

Author SHA1 Message Date
Masashi Honma
5972dc73c1 mesh: Use correct rate in VHT and HT mixed environment
Let mesh STA A be a STA which has config disable_ht=0 and disable_vht=1.
Let mesh STA B be a STA which has config disable_ht=0 and disable_vht=0.
The mesh STA A and B was connected.

Previously, the mesh STA A sent frame with VHT rate even though its VHT
was disabled. This commit fixes the issue by checking the local BSS VHT
configuration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Masashi Honma
84ea61cffe mesh: Use correct rate in HT and legacy mixed environment
Let mesh STA A be a STA which has config disable_ht=1.
Let mesh STA B be a STA which has config disable_ht=0.
The mesh STA A and B was connected.

Previously, the mesh STA A sent frame with HT rate even though its HT
was disabled. This commit fixes the issue by checking the local BSS HT
configuration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Masashi Honma
a7a638c2c4 hw_features: Move VHT capabilities checks to common
This allows the previous AP-specific functions to be use for IBSS/mesh
setup in wpa_supplicant.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 15:53:05 +02:00
Jouni Malinen
a8e25deeb8 FT: Merge similar error paths to use common steps
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-19 12:23:21 +02:00
Jouni Malinen
834c5d6816 FILS: Fix PMK length for initial connection with FILS SHA384 AKM
While the FILS authentication cases were already using the proper PMK
length (48 octets instead of the old hardcoded 32 octet), the initial
association case had not yet been updated to cover the new FILS SHA384
AKM and ended up using only a 32-octet PMK. Fix that to use 48-octet PMK
when using FILS SHA384 AKM.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 22:15:29 +02:00
Jouni Malinen
364c064a41 FT: Check key derivation results explicitly in AP operations
Previously, any potential (even if very unlikely) local operation error
was ignored. Now these will result in aborting the negotiation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-14 16:33:01 +02:00
Jouni Malinen
885bbd4de3 WNM: Remove unused code from BSS TM Req generation
The url argument to ieee802_11_send_bss_trans_mgmt_request() was
hardcoded to NULL in the only caller, so this code cannot be reached.
wnm_send_bss_tm_req() construct the same frame with more generic
parameters, including option for including the URL, so
ieee802_11_send_bss_trans_mgmt_request() can be simplified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
e7ddd86a98 WNM: Use a common error path in ieee802_11_send_wnmsleep_resp()
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
d6d5970e23 WNM: Fix WNM-Sleep Mode Request parsing for WNM-Sleep element
The length of the WNM-Sleep element was not verified before using it.
This could result in reading the subfields in this element (total of
four octets) beyond the end of the buffer. Fix this by ignoring the
element if it is not long enough to contain all the subfields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 17:44:56 +02:00
Jouni Malinen
8492cc79c0 PeerKey: Remove dead code related to STSL negotiation state
The struct wpa_stsl_negotiation seemed to have been for some kind of
tracking of state of PeerKey negotiations within hostapd. However,
nothing is actually adding any entries to wpa_auth->stsl_negotiations or
using this state. Since PeerKey does not look like something that would
be deployed in practice, there is no justification to spend time on
making this any more complete. Remove the dead code now instead of
trying to figure out what it might be used for.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-12 11:15:49 +02:00
Jouni Malinen
0d60567030 WMM: Fix estimated medium time calculation for some corner cases
It was possible for the int medium_time variable to overflow, so use a
64-bit unsigned integer to get a large enough value for the
multiplication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 12:12:28 +02:00
Jouni Malinen
ae26d30213 Fix "IEEE 802.11: Ignored Action frame" debug message
The arguments to printf were in incorrect order which resulted in
incorrect STA address in the debug message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 12:08:12 +02:00
Jouni Malinen
4ead4c7ecd WMM: Remove obsolete TODO comments
These are more about kernel behavior than anything that hostapd would
implement.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:29:18 +02:00
Jouni Malinen
401243b73e RRM: Fix range request overriding
This was supposed to cancel the existing eloop timeout instead of
registering another one.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-09 13:26:06 +02:00
Jouni Malinen
fb81c0a3d1 RRM: Merge similar error returns to a single one
There is no need to maintain different return paths for STA being
completely not present and not authorized, so merge these into a single
case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-09 13:26:06 +02:00
Jouni Malinen
13b30052d9 RRM: Fix Range Request max age parsing
This 16-bit field uses little endian encoding and it must be read with
WPA_GET_LE16() instead of assuming host byte order is little endian. In
addition, this could be misaligned, so using a u16 pointer here was not
appropriate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-09 13:26:06 +02:00
Jouni Malinen
bd6ec7f7ca Fix MAC ACL query freeing on deinit
hapd->acl_cache and hapd->acl_queries were not reset back to NULL in
hostapd_acl_deinit() when cached results and pending ACL queries were
freed. This left stale pointers to freed memory in hapd. While this was
normally followed by freeing of the hapd data, it is possible to re-use
that hapd when disabling and re-enabling an interface. That sequence
could result in use of freed memory if done while there were cached
results or pending ACL operations with a RADIUS server (especially, if
that server did not reply).

Fix this by setting hapd->acl_queries to NULL when the pending entries
are freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-08 23:48:19 +02:00
Jouni Malinen
0d6dc6830c FILS: Clean up HLP resize check
The "!wpabuf_resize(...) == 0" condition does not make any sense. It
happens to work, but this is really supposed to simple check with
wpabuf_resize() returns non-zero and "wpabuf_resize(...)" is the
cleanest way of doing so.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 20:50:33 +02:00
Jouni Malinen
65ab7eb1fa GAS: Fix OSU Providers List response with invalid configuration
If the OSU Providers configuration was invalid (included osu_server_uri
but not osu_method_list), it was possible for the GAS response
generation to hit a NULL dereference. Fix this by checking for the
invalid configuration before trying to fill in the OSU methods.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 17:47:58 +02:00
Günther Kelleter
4bb9b674c8 Add a log message when GTK rekeying failed
It can happen if the station is unreachable or sleeping longer than
the actual total GTK rekey timeout. To fix the latter case
wpa_group_update_count may be increased.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Günther Kelleter
41f140d386 Add hostapd options wpa_group_update_count and wpa_pairwise_update_count
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).

Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Eduardo Abinader
276e936548 hw_features: Clean center freq for falling back HT40 channels
Some channels fail to be set, when falling back to 20 MHz, due to
remaining VHT info of center freq. As we are going to 20 MHz, reset the
VHT center frequency segment information as well.

Signed-off-by: Eduardo Abinader <eduardoabinader@gmail.com>
2017-02-06 19:26:07 +02:00
Jouni Malinen
84bb12aa6d FILS: Fix send_assoc_resp() HLP extension to cover sta == NULL
Commit 91d91abf6f ('FILS: DHCP relay for
HLP requests') added steps that are conditional on sta->fils_hlp_resp
being non-NULL. One of these cases within send_assoc_resp() was properly
protected from sta == NULL error case (that is now possible after a
recent DMG change), but the first one was not. A DMG error case in a
CONFIG_FILS=y build could have hit a NULL pointer dereference here. Fix
this by verifying sta != NULL more consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 16:40:15 +02:00
Jouni Malinen
caab23f192 Set EAPOL-Key Key Length field to 0 for group message 1/2 in RSN
P802.11i/D3.0 described the Key Length as having value 16 for the group
key handshake. However, this was changed to 0 in the published IEEE Std
802.11i-2004 amendment (and still remains 0 in the current standard IEEE
Std 802.11-2016). We need to maintain the non-zero value for WPA (v1)
cases, but the RSN case can be changed to 0 to be closer to the current
standard.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 13:52:43 +02:00
Jouni Malinen
b0fb2be77a Do not send GNonce in EAPOL-Key group message 1/2
While the IEEE Std 802.11-2016 is still indicating that GNonce would be
exchanged in EAPOL-Key messages (see, e.g., Figure 12-52 showing the
Send EAPOL-Key operation in the REKEYNEGOTIATING state or the sample
group key handshake in Figure 12-47), there are also examples of
describing this field as having value zero (e.g., 12.7.7.2 Group key
handshake message 1).

GNonce is used only with the Authenticator and the Supplicant does not
have any use for it, so it is better not to expose that internal value.
Hardcode the Key Nonce field to 0 in EAPOL-Key group message 1/2.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 13:39:57 +02:00
Jouni Malinen
3bbc470502 Fix EAPOL-Key Install bit in Group Key 1/2 with FT and FILS auth
sm->Pair needs to be initialized to TRUE since unicast cipher is
supported and this is an ESS. However, the normal place for setting this
(WPA_PTK::INITIALIZE) is skipped with using FT protocol or FILS
authentication, so need to do that separately when forcing PTKINITDONE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 13:28:42 +02:00
Jouni Malinen
db5e53cb06 mesh: Fix struct hostapd_data initialization
The local custom version of allocating and initializing struct
hostapd_data within wpa_supplicant_mesh_init() is problematic. This has
already missed couple of initialization steps that are required. Instead
of trying to remember to keep this up to date, use
hostapd_alloc_bss_data() so that there is only one place for this
initialization.

This is fixing a recent issue where FILS HLP started using
hapd->dhcp_server and expected that to be initialized to -1. For the
mesh case, that did not happen and when removing the interface, the FILS
HLP implementation ended up unregistering eloop socket for
hapd->dhcp_server (= 0). This could result in missing socket callbacks
for an arbitrary socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-04 22:17:54 +02:00
Jouni Malinen
d77f330418 FILS: Fix AES-SIV AAD for (Re)Association Request frame decryption
The hostapd processing of the AES-SIV AAD was incorrect. The design for
the AAD changed between P802.11ai/D7.0 and D8.0 from a single vector
with concatenated data to separate vectors. The change in the
implementation had missed the change in the aes_siv_decrypt() call for
the num_elem parameter. This happened to work with the mac80211
implementation due to a similar error there.

Fix this by using the correct numbers of vectors in the SIV AAD so that
all the vectors get checked. The last vector was also 14 octets too long
due to incorrect starting pointer, so fix that as well. The changes here
are not backwards compatible, i.e., a similar fix in the Linux mac80211
is needed to make things interoperate again.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-04 13:09:52 +02:00
Jouni Malinen
91d91abf6f FILS: DHCP relay for HLP requests
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.

The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-01 18:17:39 +02:00
Jouni Malinen
54b04d6f39 FILS: Move HLP request handling into a separate file
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:13 +02:00
Jouni Malinen
5a9d504938 ProxyARP: Use more robust DHCP option parsing
Do not depend on undefined behavior with pointer arithmetic when
checking whether there is sufficient room for an option.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:13 +02:00
Jouni Malinen
e64c13febb Move DHCP definitions into a common file
These can be reused for other purposes than just the DHCP snoofing for
Proxy ARP. In addition, use more complete definition of the parameters
based on the current IANA registry.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:11 +02:00
Dedy Lansky
53d171440f AP: Check ACL upon association request for 802.11ad
With device_ap_sme disabled, ACL was checked upon authentication
request. In 802.11ad there is no authentication phase so need to check
ACL upon association.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2017-01-30 22:22:40 +02:00
Daniel Kim
4cc61c3866 GAS: Set temporary session timeout bigger than gas_comeback_delay
Previously, the temporary STA session timeout was set to 5 seconds. If
gas_comeback_delay is configured to be longer than 5 seconds, GAS
Comeback Response frame can't include queried information as all pending
data has already been cleared due to session timeout. This commit
resolves the issue by setting session timeout to be larger than
gas_comeback_delay.

Signed-off-by: Daniel Kim <kimdan@qca.qualcomm.com>
2017-01-30 13:25:48 +02:00
Johannes Berg
cef8fac04b wpa_auth: Make struct wpa_auth_callbacks const
Instead of copying the struct wpa_auth_callbacks, just keep a pointer to
it, keep the context pointer separate, and let the user just provide a
static const structure. This reduces the attack surface of heap
overwrites, since the function pointers move elsewhere.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:41:26 +02:00
Johannes Berg
30eddf3529 Fix or supress various sparse warnings
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:33:10 +02:00
Jouni Malinen
5208160b4b FILS: Parse received FILS HLP requests
This adds parsing of received FILS HLP requests from (Re)Association
Request frames. The reassembled requests are verified to be in valid
format and are printed in debug output. However, actual processing or
forwarding of the packets is not yet implemented, i.e., the vendor
specific frame filtering logic is for now practically dropping all HLP
requests.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 14:32:17 +02:00
Masashi Honma
4d77d80edd mesh: Add MESH_PMKSA_GET/ADD commands
These commnds are mesh version of PMKSA_GET/ADD commands. So the usage
and security risk is similar to them. Refer to
commit 3459381dd2 ('External persistent
storage for PMKSA cache entries') also.

The MESH_PMKSA_GET command requires peer MAC address or "any" as an
argument and outputs appropriate stored PMKSA cache. And the
MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-store
the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache,
wpa_supplicant can skip commit message creation which can use
significant CPU resources.

The output of the MESH_PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <expiration in seconds>

The example of MESH_PMKSA_ADD command is this.
MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180

This functionality is disabled by default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-14 18:07:46 +02:00
Jouni Malinen
fa67debf4c Fix duplicate Reassociation Request frame dropping
Relational operators (==) have higher precedence than the ternary
conditional in C. The last_subtype check for association/reassociation
was broken due to incorrect assumption about the precedence. Fix this by
adding parenthesis around the ternary conditional.

The previous implementation worked for Association Request frames by
accident since WLAN_FC_STYPE_ASSOC_REQ happens to have value 0 and when
the last receive frame was an Association Request frame, the
sta->last_subtype == reassoc check was true and non-zero
WLAN_FC_STYPE_REASSOC_REQ was interpreted as true. However, this was
broken for Reassociation Request frame. reassoc == 1 in that case could
have matched received Association Response frame (subtype == 1), but
those are not received in AP mode and as such, this did not break other
behavior apart from not being able to drop duplicated Reassociation
Request frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-14 01:04:31 +02:00
Jouni Malinen
fcd3d6ce32 FILS: Fix PMK and PMKID derivation from ERP
This adds helper functions for deriving PMK and PMKID from ERP exchange
in FILS shared key authentication as defined in IEEE Std 802.11ai-2016,
12.12.2.5.2 (PMKSA key derivation with FILS authentication). These
functions is used to fix PMK and PMKID derivation which were previously
using the rMSK directly as PMK instead of following the FILS protocol to
derive PMK with HMAC from nonces and rMSK.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 21:07:40 +02:00
Jouni Malinen
167f78a5e8 Send BEACON-REQ-TX-STATUS event only for beacon reports
Check the action TX status callback contents more thoroughly and report
the BEACON-REQ-TX-STATUS event only if the Measurement Type indicates
beacon report.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 22:23:13 +02:00
Dedy Lansky
05e5e615e6 AP: Skip authentication/deauthentication phase for DMG/IEEE 802.11ad
Authentication and Deauthentication frames are not used in DMG/IEEE
802.11ad networks. For DMG/IEEE 802.11ad the following was implemented:
Upon receiving association request, allocate the sta object and
initialize it as if authentication took place. Upon receiving
disassociation, deallocate the sta object.
ap_sta_disassociate/ap_sta_deauthenticate/ap_sta_disconnect all use
disassociation instead of deauthentication. In driver_nl80211,
i802_sta_deauth() is routed to i802_sta_disassoc().

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2017-01-05 17:28:23 +02:00
Dedy Lansky
0c4b9025c1 AP: Do not look for supported rates in DMG/IEEE 802.11ad
Supported Rates element is not present in DMG/IEEE 802.11ad frames. Make
copy_supp_rates() immediately return with success if hardware mode is
IEEE 802.11ad.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2017-01-05 17:05:00 +02:00
Jouni Malinen
ec45927b8a Report received beacon report with BEACON-RESP-RX event
The new hostapd control interface event "BEACON-RESP-RX <STA address>
<dialog token> <report mode> <beacon report>" is now used to report
received beacon reports as a reponse to the REQ_BEACON operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
f3383366aa Report beacon request TX status as control interface event
The new BEACON-REQ-TX-STATUS control interface event is now used to
report whether a beacon request (from REQ_BEACON command) was delivered
successfully. This event has the following parameters: <STA address>
<dialog token> <ack=0/1>.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
90d9d7c32a Beacon request through hostapd control interface
The new control interface command "REQ_BEACON <STA addr>
[req_mode=<mode>] <beacon request>" can now be used to request hostapd
to transmit a measurement request to request a beacon report from an
associated STA. This command returns the assigned dialog token (1-255)
or FAIL on failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
f56877414c Do not add own BSS in neighbor report with invalid op_class/channel
Verify that ieee80211_freq_to_channel_ext() succeeds before adding the
own BSS in the neighbor report.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 15:18:30 +02:00
Jouni Malinen
aeff0645d2 FILS: Fix FILS Realm Information ANQP-element construction
The loop to add hash values was supposed to be limited to at most 10000
values, but the count variable was not being decremented in the loop.
Fix this by decrementing counting for each iteration. This fixes
ANQP-element format in the unlikely case of there being more than 10000
configuration realms.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 15:18:30 +02:00
Jouni Malinen
2977f5193a GAS: Remove unnecessarily duplicate gas_frag_limit configuration
The actual BSS configuration parameter can be updated with the SET
control interface command, so there is no need to maintain a separate
per-BSS parameter and a separate control interface handling for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-30 00:23:10 +02:00
Jouni Malinen
1940559ea4 FT: Drop FT Action frames if ft_over_ds=0
Previously, the hostapd ft_over_ds parameter was used to only advertise
whether FT-over-DS is enabled in MDE and leave it to the stations to
follow that advertisement. This commit extends this to explicitly reject
(silently drop) FT Action frames if a station does not follow the
advertised capabilities.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-29 01:13:59 +02:00
Jouni Malinen
78022c8366 Fix memory leak on hostapd eap_user_file parsing error paths
Need to free all the pending completed EAP users if a parsing error
prevents the file from being used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:47:00 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Jouni Malinen
9266d00bf9 hostapd: Reject invalid macaddr_acl value
Previously, this was noted in error log, but the invalid value was
stored in the configuration without rejecting it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-27 11:43:13 +02:00
Jouni Malinen
1dfd25a68a Fix hostapd SIGHUP processing before interface is enabled
It was possible to try to do driver operations before the driver
interface had been initialized when processing a SIGHUP signal. This
would result in NULL pointer dereference. Fix this by skipping the steps
when SIGHUP is issued before the interface is enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-27 11:16:51 +02:00
Jouni Malinen
34e29dfd4b Remove unnecessary NULL check from hostapd_config_read_wpa_psk() call
This function is already checking the fname argument against NULL, so
use that check on its own instead of duplicating the check in the only
caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-26 17:42:41 +02:00
Jouni Malinen
1f0fdaf0e4 Fix race condition between AssocResp callback and 4addr event
It is apparently possible for the NL80211_CMD_UNEXPECTED_4ADDR_FRAME
event to be delivered to hostapd before the NL80211_CMD_FRAME_TX_STATUS
event for (Re)Association Response frame. This resulted in the 4-address
WDS mode not getting enabled for a STA. This could occur in particular
when operating under heavy load and the STA is reconnecting to the same
AP in a sequence where Deauthentication frame is followed immediately by
Authentication frame and the driver event processing gets delayed due to
removal of the previous netdev taking time in the middle of this
sequence.

Fix this by recording a pending item for 4-address WDS enabling if the
NL80211_CMD_UNEXPECTED_4ADDR_FRAME event would have been dropped due to
incompleted association and then process this pending item if the TX
status for the (Re)Association Response frame is received and it shows
that the frame was acknowledged.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-20 01:30:09 +02:00
Jouni Malinen
8183aee6cc FILS: Add support for building FILS Realm Information ANQP-element
This allows full list of hashed realm names to be fetched from hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:59 +02:00
Jouni Malinen
26bf70e3d2 FILS: Separate FILS realm configuration from ERP domain
The new hostapd configuration parameter fils_realm=<realm> can now be
used to configure one or more FILS realms to advertise for ERP domains
when using FILS. This replaces the use of erp_domain=<domain> parameter
for the FILS use case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:08:23 +02:00
Jouni Malinen
42b847ac1e FILS: Fix hashed realm name derivation
P802.11ai/D7.0 changed from CRC32 to SHA256 as the hash algorithm for
the FILS realm name. Update the implementation to match that change.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:07:57 +02:00
Jouni Malinen
cebda0e3e5 Make debug print clearer for AP/mesh mode secondary channel issues
If the secondary channel was not found at all, no debug print was shown
to indicate that the channel was rejected due to that problem. Print a
clearer message indicating which channel was behind the reason to reject
channel configuration as unsuitable for AP mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 15:09:15 +02:00
Daisuke Niwa
655dc4a432 Send "TERMINATING" event from hostapd
hostapd didn't send "TERMINATING" event when stopped by
SIGTERM. Android handles this event to stop monitor thread.

This commit adds "TERMINATING" event same as with wpa_supplicant.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
2016-12-12 20:32:28 +02:00
Jouni Malinen
0f5eb69f85 Use eloop timeout for post-EAP-Failure wait before disconnection
Previously, os_sleep() was used to block the hostapd (or wpa_supplicant
AP/P2P GO mode) processing between sending out EAP-Failure and
disconnecting the STA. This is not ideal for couple of reasons: it
blocks all other parallel operations in the process and it leaves a
window during which the station might deauthenticate and the AP would
have no option for reacting to that before forcing out its own
Deauthentication frame which could go out after the STA has already
started new connection attempt.

Improve this design by scheduling an eloop timeout of 10 ms instead of
the os_sleep() call and perform the delayed operations from the eloop
callback function. This eloop timeout is cancelled if the STA
disconnects or initiates a new connection attempt before the 10 ms time
is reached. This gets rid of the confusing extra Deauthentication frame
in cases where the STA reacts to EAP-Failure by an immediate
deauthentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-08 18:56:02 +02:00
Michael Braun
34f7c699a6 Add multicast to unicast support
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.

By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.

When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.

This also does not implement Directed Multicast Service (DMS).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-12-04 21:00:06 +02:00
Sam Tannous
08032c7418 Remove inactivity timeout for wired interfaces
We should unconditionally remove inactivity timers for wired network
cases. This commit checks for this after a new station association:

   hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED

and then cancels the timeout and does not register a new one.

It prints out a debug message like this:

1476740180.276286: IEEE 802.1X: 00:02:00:00:00:07 CTRL_DIR entering
state FORCE_BOTH
1476740180.276295: hostapd_new_assoc_sta: canceled wired ap_handle_timer
timeout for 00:02:00:00:00:07

This was tested on a debian jessie amd64 system with a configured 120
second inactivity timer and the session did not timeout.

Signed-off-by: Sam Tannous <stannous@cumulusnetworks.com>
2016-12-04 20:38:45 +02:00
Jouni Malinen
cb2b666670 Fix 4addr reassociation-without-deauthentication on AP
Data connection was lost if a station reassociated without the STA entry
being cleaned up on the AP side. Fix this by moving reconfiguration of
the STA WDS parameters in association response callback to happen only
after the STA flags have been updated to associated stated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-02 12:51:16 +02:00
Jouni Malinen
2ab09656ae AP: Do not drop STA entry if PMF is used with full AP client state
This fixes a regression from commit
bb598c3bdd ('AP: Add support for full
station state'). That commit added code to remove and re-add the kernel
STA entry when processing Authentication frames with a driver that
advertises support for full AP client state. That resulted in bypassing
PMF protections for unprotected Authentication frames with such drivers
since the TK was lost in this operation.

It is simplest to skip the STA entry clearing in this type of case
completely to leave the TK in place and to process the new
authentication exchange otherwise normally. This matches the behavior
used with the drivers that do not implement full AP client state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-29 16:26:00 +02:00
Will Glynn
209dad066e FT: Explicitly check for MDE not present in non-FT association
IEEE Std 802.11-2012, 12.4.2 states that if an MDE is present in an
(Re)Association Request frame but the RSNE uses a non-FT AKM suite, the
AP shall reject the association using status code 43 ("Invalid AKMP").

wpa_validate_wpa_ie() now explicitly checks for this condition to meet
this requirement instead of simply ignoring the MDE based on non-FT AKM.

Signed-off-by: Will Glynn <will@willglynn.com>
2016-11-26 11:39:44 +02:00
Purushottam Kushwaha
29483a5678 Add support for user configurable Beacon frame data rate for AP mode
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:

Legacy (CCK/OFDM rates):
	beacon_rate=<legacy rate in 100 kbps>
HT:
	beacon_rate=ht:<HT MCS>
VHT:
	beacon_rate=vht:<VHT MCS>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-25 23:12:30 +02:00
Jouni Malinen
4051dd8667 GAS: Add Capability List ANQP-element support for Info ID 270, 280..299
This extends the anqp_elem configuration parameter support for new Info
IDs (270 (TDLS Capability) was previously missed from the list of
defined values, 280 has already been assigned in REVmc/D8.0; 281..299
are yet to be assigned). No additional source code changes are needed to
allow hostapd to advertise support for these if the ANQP-element value
is set with the anqp_elem parameter.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-17 16:00:25 +02:00
Jouni Malinen
d50f518e95 Fix libap.a build
Add the new defines and files to allow src/ap/libap.a to be build with
all the needed functions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-16 13:26:23 +02:00
Ilan Peer
4ec1fd8e42 FT: Differentiate between FT for station and for AP in build
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.

Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 22:14:54 +03:00
Beni Lev
f0259c3f68 hostapd: Fix own wide bandwidth subelement generation (neighbor report)
The Channel Center Frequency Segment subfields use the channel index
instead of frequency in MHz.

Signed-off-by: Beni Lev <beni.lev@intel.com>
Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-10-29 22:03:43 +03:00
Ilan Peer
0a63635ed0 AP: Use valid status code in wpa_ft_send_rrb_auth_resp()
The return value from this function may be used in an outgoing message,
so use a valid status code instead of -1.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 22:02:14 +03:00
David Spinadel
451a27b1ad hostapd: Add a configuration to set an AP as stationary
Add a configuration option in hostapd.conf and in neighbor report that
sets an AP as stationary. To enable this option on the current AP set
the config option stationary_ap to 1. To set a neighbor entry to be
marked as stationary add the word stat to the SET_NEIGHBOR command. This
option tells hostapd to send LCI data even if it is older than requested
by max age subelement in RRM request.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-10-29 19:16:47 +03:00
Ilan Peer
f5ec346902 hostapd: Fix adding neighbor entry
It is possible that a LCI or location civic configuration buffer
is valid but contains no data. In such a case do not add the LCI
and location civic information to the entry in the neighbor
data base.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 19:10:17 +03:00
Filip Matusiak
59d7cff7e3 AP: Disable VHT in TKIP-only configuration
This has already been done for WEP, but there's same constraint for not
allowing VTH rates in case of TKIP.

Signed-off-by: Filip Matusiak <filip.matusiak@tieto.com>
2016-10-29 00:55:49 +03:00
Kevin Mahoney
a818425d1c hostapd: Added signal level to STA tracking
Add signal level information to the station tracking information. Also
make it available via the "TRACK_STA_LIST" control command.

Signed-off-by: Kevin Mahoney <k.mahoney@cablelabs.com>
2016-10-29 00:55:49 +03:00
Nishant Chaprana
5f99d96287 Removed redundant NULL check for sta in hostapd_event_sta_low_ack()
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-10-28 19:06:20 +03:00
Jouni Malinen
2a0b86d319 Note set_key(WPA_ALG_NONE) failure in debug log
This makes wpa_remove_ptk() call to wpa_auth_set_key() more consistent
with all the other calls that verify the return value to keep static
analyzers happier.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:41:04 +03:00
Jouni Malinen
ff338fab92 FILS: Setup EAPOL state machines properly after FILS association (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:41:04 +03:00
Jouni Malinen
da24c5aa1c FILS: Set TK after association (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:41:04 +03:00
Jouni Malinen
07e0117d21 FILS: Mark connection fully authorized after FILS Association (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:20:04 +03:00
Jouni Malinen
e73ffa0925 FILS: Add Association Response frame elements and encrypt them (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-25 20:42:52 +03:00
Jouni Malinen
78815f3dde FILS: Decrypt Association Request elements and check Key-Auth (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-25 20:42:52 +03:00
Jouni Malinen
c4fd6d8aa8 FILS: Process FILS Authentication frame (AP)
This implements processing of FILS Authentication frame for FILS shared
key authentication with ERP and PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:27:01 +03:00
Jouni Malinen
ffb62f2272 FILS: Add a helper function for status code conversion
This will allow the existing code to be reused for FILS needs.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:27:01 +03:00
Jouni Malinen
c1bd4bac5f FILS: Extend wpa_auth_pmksa_get() to support PMKID matching
This is needed for FILS processing to enable PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
c30bd28b14 FILS: Export IEEE 802.1X helper functions
ieee802_1x_encapsulate_radius() and ieee802_1x_alloc_eapol_sm() need to
be called from FILS processing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
a6228b8ed6 ERP: Update client identity based on EAP-Initiate/Re-auth
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
2aa1e48a45 FILS: Do not clear PTK on FILS Auth/Assoc (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 18:11:14 +03:00
Jouni Malinen
2449791b8e FILS: Update EAPOL-Key Descriptor Version RX rules (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
75c8563e05 FILS: Perform AEAD processing after PTK has been confirmed
This covers EAPOL-Key frames other than 2/4 that needed special handling
to confirm PTK.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
b729fd8df9 FILS: Use AEAD cipher to protect EAPOL-Key frames (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
3b5b7aa8fb FILS: Use AEAD cipher to check received EAPOL-Key frames (AP)
This changes 4-way handshake authenticator processing to decrypt the
EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before
processing the Key Data field. This replaces Key MIC validation for the
cases where AEAD cipher is used. This needs to move the EAPOL-Key msg
2/4 RSN element processing to happen only after the PTK has been derived
and validated. That is done for all AKMs to avoid extra complexity with
having to maintain two code paths for this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
b986648389 FILS: Update EAPOL-Key RX rules for FILS (AP)
Key Descriptor Version 0 is used with FILS and Key Info MIC field is set
to 0 with AEAD ciphers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:47 +03:00
Jouni Malinen
36a50fd4e8 FILS: Set EAPOL-Key Key Descriptor Version to 0 with FILS AKMs (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
dc5bad48af RSN authenticator: Add more debug print details on EAPOL-Key RX
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
6d014ffc6e Make struct wpa_eapol_key easier to use with variable length MIC
Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the
previous fixed length Key MIC field with a variable length field. That
change was addressed with an addition of a new struct defined for the
second MIC length. This is not really scalable and with FILS coming up
with a zero-length MIC case for AEAD, a more thorough change to support
variable length MIC is needed.

Remove the Key MIC and Key Data Length fields from the struct
wpa_eapol_key and find their location based on the MIC length
information (which is determined by the AKMP). This change allows the
separate struct wpa_eapol_key_192 to be removed since struct
wpa_eapol_key will now include only the fixed length fields that are
shared with all EAPOL-Key cases in IEEE Std 802.11.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
94f66e8a26 FILS: Advertise ERP domain in FILS Indication element
Calculate the hashed realm from hostapd erp_domain configuration
parameter and add this to the FILS Indication element when ERP is
enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
c30ed45f45 FILS: Allow hostapd to select FILS AKM for connection
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
f55acd909e FILS: Set FILS Capability bit in management frames from AP
If FILS is enabled, indicate that in Beacon, Probe Response, and
(Re)Association Response frames in the Extended Capabilities element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
198a942c83 FILS: Add FILS Indication element to Beacon and Probe Response frames
If FILS is enabled, indicate that in AP Beacon/Probe Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:46 +03:00
Jouni Malinen
903ecbe8da FILS: Add hostapd configuration options
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:27 +03:00
Jouni Malinen
94318a0d30 FILS: Add AKM definitions
This adds definitions for the new AKM suite values from P802.11ai/D11.0.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 20:46:36 +03:00
Michael Braun
96590564d6 FT: Allow PMK-R0 and PMK-R1 for FT-PSK to be generated locally
Station should be able to connect initially without ft_pmk_cache filled,
so the target AP has the PSK available and thus the same information as
the origin AP. Therefore neither caching nor communication between the
APs with respect to PMK-R0 or PMK-R1 or VLANs is required if the target
AP derives the required PMKs locally.

This patch introduces the generation of the required PMKs locally for
FT-PSK. Additionally, PMK-R0 is not stored (and thus pushed) for FT-PSK.

So for FT-PSK networks, no configuration of inter-AP communication is
needed anymore when using ft_psk_generate_local=1 configuration. The
default behavior (ft_psk_generate_local=0) remains to use the pull/push
protocol.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-10-09 11:57:56 +03:00
Nishant Chaprana
746e5c2565 Fix spelling mistakes in number of comments
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
2016-09-30 22:45:03 +03:00
vamsi krishna
64c92c0757 MBO: Do not parse reason_detail in non_pref_chan attr (AP)
The reason detail field was removed from non_pref_chan attr in MBO
v0.0_r25 draft. Don't parse for this element to be compliant with the
latest drafr.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-09-25 17:31:26 +03:00
Denton Gentry
442819406c taxonomy: Store Probe Request frames in hostapd_sta_info
A weakness in the initial client taxonomy mechanism is from storing both
the Probe and Associate in struct sta_info. struct sta_info is created
after a client associates (or starts authentication frame exchange),
which means that any Probe Request frames sent prior to association are
not retained. The Associate Request frame has to be seen, and then
another Probe Request frame after association, before we have a
signature for the client.

Most clients send lots of Probe Request frames (lots and lots and lots
of Probes, actually), but a few do not. ChromeOS is notably sparing in
sending Probe Request frames, it can take a long time before a signature
for a ChromeOS device is available.

Store the most recent Probe Request frame in struct hostapd_sta_info
tracking list. When a struct sta_info is created, move the Probe Request
frame information from struct hostapd_sta_info to struct sta_info.

Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)
2016-09-22 00:45:24 +03:00
Denton Gentry
04059ab844 Passive Client Taxonomy
Implement the signature mechanism described in the paper
"Passive Taxonomy of Wifi Clients using MLME Frame Contents"
published by Denton Gentry and Avery Pennarun.

http://research.google.com/pubs/pub45429.html
https://arxiv.org/abs/1608.01725

This involves:
1. Add a CONFIG_TAXONOMY compile option. Enabling taxonomy incurs
   a memory overhead of up to several kilobytes per associated
   station.
2. If enabled, store the Probe Request and (Re)Associate Request frame in
   struct sta_info.
3. Implement code to extract the ID of each Information Element,
   plus selected fields and bitmasks from certain IEs, into a
   descriptive text string. This is done in a new source file,
   src/ap/taxonomy.c.
4. Implement a "signature qq:rr:ss:tt:uu:vv" command
   in hostapd_cli to retrieve the signature.

Signatures take the form of a text string. For example, a signature
for the Nexus 5X is:
  wifi4|probe:0,1,127,45,191,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:338061b2,
  vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:00000a0201000040|assoc:0,1,48,45,
  221(0050f2,2),191,127,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:339071b2,
  vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:0000000000000040

Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)
2016-09-22 00:45:24 +03:00
Jouni Malinen
5e993390f6 Initialize iface->sta_seen on allocation
Previously, struct hostapd_iface sta_seen list head was initialized only
when completing interface setup. This left a window for operation that
could potentially iterate through the list before the list head has been
initialized. While the existing code checked iface->num_sta_seen to
avoid this case, it is much cleaner to initialize the list when struct
hostapd_iface is allocated to avoid any accidental missing of the extra
checks before list iteration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-09-22 00:45:24 +03:00
Nick Lowe
81258efacb Remove unused generation of Request Authenticator in Account-Request
Do not generate an unused and invalid Request Authenticator (random
value) when constructing Accounting-Request packets. The correct Request
Authenticator is calculated subsequently in radius_msg_finish_acct()
using MD5(msg + shared secret).

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-09-22 00:34:19 +03:00
Joel Cunningham
711e3cab07 Handle NULL return from os_zalloc() in sta_track_add()
This adds handling for a memory allocation failure in sta_track_add().

Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
2016-09-06 18:58:08 +03:00
Lior David
faecb39236 hostapd: Allow FTM functionality to be published
Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside hostapd. When framework is
activated, it will use hostapd to configure the AP to publish the FTM
functionality. See IEEE P802.11-REVmc/D7.0, 9.4.2.27.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-09-05 21:23:07 +03:00
Tamizh chelvam
fc72a48a63 hostapd: Use stations nsts capability in (Re)Association Response frame
Some deployed stations incorrectly consider nsts capability in
(Re)Association Response frame as required capability instead of maximum
capability and if it is greater than station's capability then beamform
will not happen in uplink traffic.

This commit adds support for an optional workaround to use station's
nsts capability in (Re)Association Response frame if the station's nsts
is less than AP by using the use_sta_nsts=1 configuration parameter.
This configuration is introduced in this commit and it is disabled by
default.

Signed-off-by: Tamizh chelvam <c_traja@qti.qualcomm.com>
2016-09-05 21:14:40 +03:00
Jouni Malinen
f2f8616e80 Initialize hapd->nr_db in hostapd_alloc_bss_data()
Previously, this was initialized in hostapd_setup_bss() which made it
possible for a REMOVE_NEIGHBOR control interface command to be issued
prior to the list head pointers having been set. That resulted in a NULL
pointer dereference. Fix this by initializing the list head at the time
the data structure gets allocated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-22 17:44:05 +03:00
Jouni Malinen
1f3b8b4edb Check for driver initialization before doing driver operations
Number of hostapd control interface commands (e.g., STATUS-DRIVER) could
result in NULL pointer dereference when issued on not yet enabled BSS.
Fix this by checking that the driver interface has been initialized
before calling the driver_ops function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-19 16:08:00 +03:00
Petko Bordjukov
72a652d785 IAPP: Set SO_REUSEADDR on listening socket
Make it possible for several instances of hostapd to listen on the same
network interface.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
2016-08-18 20:01:48 +03:00
Johannes Berg
81372e347a ap: Use is_multicast_ether_addr() more
Various checks should use is_multicast_ether_addr() instead
of hardcoding the equivalent, change it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-08-17 13:43:31 +03:00
Nick Lowe
8468189e90 Do not include NAS-Port attribute with AID 0
Do not include a NAS-Port attribute in Access-Request and
Accounting-Request packets where the Association ID (AID) is 0, i.e.,
not yet assigned or known.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-08-13 10:28:01 +03:00
Nick Lowe
42d30e9ea0 Add a require_message_authenticator configuration option
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-08-08 00:36:17 +03:00
Johannes Berg
842c5af5d3 ap: Use is_broadcast_ether_addr()
There's no need to have a separate variable and open-code a more
complicated version of this, just use is_broadcast_ether_addr().

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-08-06 16:51:48 +03:00
Jouni Malinen
e55df99ee6 Share a single str_starts() implementation
No need to define this as a static function in multiple files.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-08-06 12:38:21 +03:00
Jouni Malinen
5a5638a3bf Show disabled HT/VHT properly in AP mode STATUS command
Previously, HT/VHT state was shown in STATUS based on the configuration
parameter instead of the runtime operational parameters. This could
result in claiming HT/VHT to be enabled even when it was forced to be
disabled due to an incompatible configuration. Clear HT/VHT information
in the STATUS output if HT/VHT has been disabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-02 17:41:01 +03:00
Wu Gao
551817a582 AP: Disable VHT in WEP configuration
This was already done for HT, but VHT has the same constraint on not
allowing WEP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-08-02 17:31:48 +03:00
Masashi Honma
e347cafe57 mesh: Report mesh peer AID to kernel
Previously, mesh power management functionality works only with kernel
MPM. Because user space MPM did not report mesh peer AID to kernel,
the kernel could not identify the bit in TIM element. So this patch
reports mesh peer AID to kernel.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-07-23 20:26:26 +03:00
Jouni Malinen
d735811329 tests: Add TEST_FAIL() to hostapd_get_aid()
This allows additional testing coverage for AID unavailability cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-28 20:44:55 +03:00
Jouni Malinen
ebae413550 Fix a debug print in p2p_manager_disconnect()
fc2str() expects to get the 16-bit frame control value in host byte
order.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-24 19:02:58 +03:00
Jouni Malinen
451e094c7e dhcp_snoop: Silence a sparse warning
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-24 19:02:58 +03:00
Jouni Malinen
bbae0f03aa ndisc_snoop: Include ndisc_snoop.h to check prototypes
This allows the compiler to check that function prototypes match the
implementation. In addition, this gets rid of sparse warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-24 19:02:58 +03:00
Jouni Malinen
468b7b12a6 Fix hostapd_sta_add() call to use NULL as the pointer instead of 0
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-23 13:14:17 +03:00
Jouni Malinen
3b6deac0e7 mesh: Avoid use of hardcoded cipher
This moves pairwise, group, and management group ciphers to various mesh
data structures to avoid having to hardcode cipher in number of places
through the code. While CCMP and BIP are still the hardcoded ciphers,
these are now set only in one location.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-19 20:18:09 +03:00
Jouni Malinen
f868d5607d mesh: Clean up AMPE element encoding and parsing
The AMPE element includes number of optional and variable length fields
and those cannot really be represented by a fixed struct
ieee80211_ampe_ie. Remove the optional fields from the struct and
build/parse these fields separately.

This is also adding support for IGTKdata that was completely missing
from the previous implementation. In addition, Key RSC for MGTK is now
filled in and used when configuring the RX MGTK for a peer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-19 20:18:09 +03:00
Jouni Malinen
4367eec439 mesh: Do not use RX MGTK as RX IGTK
The previous implementation was incorrect in forcing the MGTK to be used
as the IGTK as well. Define new variable for storing IGTK and use that,
if set, to configure IGTK to the driver. This commit does not yet fix
AMPE element parsing to fill in this information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-19 20:18:09 +03:00
Jouni Malinen
a4eec3c230 mesh: Use variable length MGTK for RX
This extends the data structures to allow variable length MGTK to be
stored for RX. This is needed as an initial step towards supporting
different cipher suites.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-19 20:18:09 +03:00
Jouni Malinen
b02f4d058c mesh: Add variable length MTK support
This is needed as a part in enabling support for different pairwise
ciphers in mesh.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-19 20:18:09 +03:00
Jouni Malinen
18aca1a07d mesh: Use ieee80211w profile parameter
This is initial step in fixing issues in how PMF configuration for RSN
mesh was handled. PMF is an optional capability for mesh and it needs to
be configured consistently in both hostapd structures (to get proper
RSNE) and key configuration (not included in this commit).

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-18 15:52:54 +03:00
Jouni Malinen
b8b499e4a4 mesh: Use WPA_NONCE_LEN macro
No need to use the magic value 32 here since there is a generic define
for the RSN-related nonce values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-18 15:52:54 +03:00
Sunil Dutt
bb4e19e3f4 hostapd: Skip hostapd ACL check for drivers supporting ACL offload
Commit 0603bcb7fe ('hostapd: Process MAC
ACLs on a station association event (SME in driver)') processes MAC ACL
on a station association event for drivers which use AP SME offload but
does not consider the scenario where the drivers offload ACL. This can
result in station disconnection, though the driver accepts the
connection. Address this by avoiding the hostapd ACL check for the
drivers offloading MAC ACL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-17 20:45:35 +03:00
Jouni Malinen
cc27c8e680 hostapd: Fix early init failure path
eloop deinit calls could trigger segmentation fault if the early error
path is hit before eloop_init() gets called.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-06-13 00:37:23 +03:00
Jouni Malinen
8359472589 hostapd Make GAS Address3 field selection behavior configurable
gas_address3=1 can now be used to force hostapd to use the IEEE 802.11
standards compliant Address 3 field value (Wildcard BSSID when not
associated) even if the GAS request uses non-compliant address (AP
BSSID).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-10 22:13:37 +03:00
Jouni Malinen
6996ff7b6d hostapd: Fix Public Action frame TX status processing for wildcard BSSID
Previously all TX status events with wildcard BSSID were ignored. This
did not allow Public Action frame TX status to be processed with the
corrected wildcard BSSID use. Fix this to be allowed. In practice, this
affects only test cases since Action frame TX status was not used for
anything else.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-10 21:44:49 +03:00
Jouni Malinen
78a3632765 hostapd: Fix Public Action frame addressing (BSSID field)
IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies
that the wildcard BSSID value is used in Public Action frames that are
transmitted to a STA that is not a member of the same BSS. hostapd used
to use the actual BSSID value for all such frames regardless of whether
the destination STA is a member of the BSS.

Fix this by using the wildcard BSSID in cases the destination STA is not
a member of the BSS. Leave group addressed case as-is (i.e., the actual
BSSID), since both values are accepted. No such frames are currently
used, though.

This version is still using the AP BSSID value in the Address 3 field
for GAS response frames when replying to a GAS request with AP BSSID
instead of Wildcard BSSID. This is left as a workaround to avoid
interoperability issues with deployed STA implementations that are still
using the non-compliant address and that might be unable to process the
standard compliant case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-10 21:44:49 +03:00
Kanchanapally, Vidyullatha
cc9a2575ca nl80211: Use extended capabilities per interface type
This adds the necessary changes to support extraction and use of the
extended capabilities specified per interface type (a recent
cfg80211/nl80211 extension). If that information is available,
per-interface values will be used to override the global per-radio
value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-31 21:35:54 +03:00
Jouni Malinen
dad0129227 mesh: Support simple SAE group negotiation case
This allows the simplest case of SAE group negotiation to occur by
selecting the next available group if the peer STA indicates the
previous one was not supported. This is not yet sufficient to cover all
cases, e.g., when both STAs need to change their groups, but at least
some cases are no covered.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-30 21:14:08 +03:00
Jouni Malinen
9c10be3f71 mesh: Fix error path handling in init OOM cases
hostapd deinit functions were not ready to handle a case where the data
structures were not fully initialized. Make these more robust to allow
wpa_supplicant mesh implementation to use the current deinit design in
OOM error cases without causing NULL pointer dereferences.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-05-30 01:05:16 +03:00
Bala Krishna Bhamidipati
a911227061 Add assocresp_elements parameter for hostapd
This new parameter allows hostapd to add Vendor Specific elements into
(Re)Association Response frames similarly to the way vendor_elements
parameter can be used for Beacon and Probe Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-04-20 13:12:50 +03:00
Günther Kelleter
b92d2a57ef FT: Fix RRB for FT over-the-air case
Commit 66d464067d ('FT: Register RRB
l2_packet only if FT-over-DS is enabled') disabled RRB l2_packet socket
if ft_over_ds is disabled, but this socket is required for FT
over-the-air, too (FT key distribution). Enable the socket regardless of
ft_over_ds setting if FT is enabled.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2016-04-19 00:57:17 +03:00
David Spinadel
220754c553 hostapd: Add FTM range request
Add FTM range request via RRM. The AP sends Radio measurement request
with FTM range request as a request for the receiving STA to send FTM
requests to the given list of APs. The neighbor report part of the
request is taken from the neighbor database.

The control interface command is:

REQ_RANGE <dst addr> <rand_int> <min_ap> <responder> [<responder>..]

dst addr: MAC address of an associated STA
rand_int: Randomization Interval (0..65535) in TUs
min_ap: Minimum AP Count (1..15); minimum number of requested FTM ranges
	between the associated STA and the listed APs
responder: List of BSSIDs for neighboring APs for which a measurement
	is requested

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:12 +03:00
David Spinadel
f4f185a224 hostapd: Add LCI request
Add a hostapd control interface command REQ_LCI to request LCI from an
associated station using radio measurement.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:12 +03:00
David Spinadel
629e1804da hostapd: Save RM enabled capability of station
Save RM enabled capability element of an associating station if radio
measurement is supported in its capability field.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:12 +03:00