The loop to add hash values was supposed to be limited to at most 10000
values, but the count variable was not being decremented in the loop.
Fix this by decrementing counting for each iteration. This fixes
ANQP-element format in the unlikely case of there being more than 10000
configuration realms.
Signed-off-by: Jouni Malinen <j@w1.fi>
This conversion will be done several times in the code, so add a helper
function that does this conversion.
Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
Add a function to get operating class definition (including bandwidth,
channel numbers, etc.) from the operating class number and country.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Add helper function that converts non-global operating classes to global
operating classes according to IEEE Std 802.11-2016, Annex E.
Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
Add support for:
1. Setting scan dwell time
2. Parsing scan start TSF and beacon received TSF reported
by the driver
3. Setting driver capabilities for the above
These capabilities are needed for Beacon Report radio measurement.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Add the following parameters to scan request:
1. Dwell time on each channel.
2. Whether the specified dwell time is mandatory.
In addition, add to scan results info the time that the scan actually
started, and to each scan result the time the beacon/probe was received,
both in terms of TSF of the BSS that the interface that requested the
scan is connected to (if available).
Add flags to indicate whether the driver supports dwell time
configuration and scan information reporting.
This scan configuration and information is required to support beacon
report radio measurement.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
The address of msg.device_name array is obviously always true, and some
compilers even warn about it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The actual BSS configuration parameter can be updated with the SET
control interface command, so there is no need to maintain a separate
per-BSS parameter and a separate control interface handling for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the hostapd ft_over_ds parameter was used to only advertise
whether FT-over-DS is enabled in MDE and leave it to the stations to
follow that advertisement. This commit extends this to explicitly reject
(silently drop) FT Action frames if a station does not follow the
advertised capabilities.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to hit the previously used maximum of 100 active session
in some hwsim test case sequences like this one: eap_proto_pwd_errors
eap_proto_ikev2_errors eap_proto_sim_errors. This happened due to the
large number of RADIUS authentication iterations in short period of
time, i.e., within the 10 second timeout for expiring completed
sessions.
Increase RADIUS_MAX_SESSION from 100 to 1000 and also reduce the timeout
on expiring completed sessions from 10 to 5 seconds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, this was noted in error log, but the invalid value was
stored in the configuration without rejecting it.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to try to do driver operations before the driver
interface had been initialized when processing a SIGHUP signal. This
would result in NULL pointer dereference. Fix this by skipping the steps
when SIGHUP is issued before the interface is enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
This function is already checking the fname argument against NULL, so
use that check on its own instead of duplicating the check in the only
caller.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a new wpa_supplicant network profile parameter
mka_priority=0..255 to set the priority of the MKA Actor.
Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
wpa_cipher_to_alg() returns enumerated values from enum wpa_alg and all
uses of the return value treat it as enum wpa_alg (by either assigning
it to a variable of type enum wpa_alg or passing to a function that
expects enum wpa_alg).
This commit updates the return value to match the expected usage
(enum wpa_alg) rather than int. This ensures the return value is
of the proper type and eliminates the following compiler warnings:
ARM RVCT (2.2):
'Warning: #188-D: enumerated type mixed with another type'
Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
Number of deployed use cases assume the default OpenSSL behavior of auto
chaining the local certificate is in use. BoringSSL removed this
functionality by default, so we need to restore it here to avoid
breaking existing use cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This simplifies the implementation since the SSL_clear_options() and
SSL_CTX_clear_options() are available in all supported versions of
OpenSSL. These were previously needed with older (now obsolete) versions
of OpenSSL, but the ifdefs were missed when removing the more explicit
version macro based backwards compatibility sections.
In practice, this reverts commit
d53d2596e4.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The full SD Response frame is not going to be followed by another Action
frame from the peer, so remove the 200 ms wait time from the offchannel
TX command in that case. This avoids leaving a 200 ms lock on the radio
to remain on the channel unnecessarily.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It is apparently possible for the NL80211_CMD_UNEXPECTED_4ADDR_FRAME
event to be delivered to hostapd before the NL80211_CMD_FRAME_TX_STATUS
event for (Re)Association Response frame. This resulted in the 4-address
WDS mode not getting enabled for a STA. This could occur in particular
when operating under heavy load and the STA is reconnecting to the same
AP in a sequence where Deauthentication frame is followed immediately by
Authentication frame and the driver event processing gets delayed due to
removal of the previous netdev taking time in the middle of this
sequence.
Fix this by recording a pending item for 4-address WDS enabling if the
NL80211_CMD_UNEXPECTED_4ADDR_FRAME event would have been dropped due to
incompleted association and then process this pending item if the TX
status for the (Re)Association Response frame is received and it shows
that the frame was acknowledged.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This registers a new callback to indicate change in SIM state. This
helps to do some clean up (more specifically pmksa_flush) based on the
state change of the SIM. Without this, the reconnection using the cached
PMKSA could happen though the SIM is changed.
Currently eap_proxy_sim_state corresponds to only SIM_STATE_ERROR. This
can be further extended.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The eapol_cb structure was made const and that change resulted in a
compilation warning/error if CONFIG_EAP_PROXY=<name> is enabled in the
wpa_supplicant build configuration. Fix this by updating the function
prototype to match the change.
Note: This results in a change needed to external eap_proxy_*.c
implementations to match the change.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit c93b7e1888 ('RSN: Check result of
EAPOL-Key frame send request') forgot to update two PeerKey users of
EAPOL-Key TX functions. That resulted in STK handshake failing since
message 2/4 and 4/4 TX calls were assumed to have failed when the return
value was changed from 0 to a positive value for success case. This
resulted in not updating nonce information properly and hitting
following error when processing STK 4-way handshake message 3/4:
RSN: INonce from message 1 of STK 4-Way Handshake differs from 3 of STK
4-Way Handshake - drop packet (src=<addr>)
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 6d014ffc6e ('Make struct
wpa_eapol_key easier to use with variable length MIC') forgot to update
number of EAPOL-Key processing steps for SMK and STK exchanges and broke
PeerKey. Fix this by updating the Key Data field pointers to match the
new style with variable length Key MIC field.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter fils_realm=<realm> can now be
used to configure one or more FILS realms to advertise for ERP domains
when using FILS. This replaces the use of erp_domain=<domain> parameter
for the FILS use case.
Signed-off-by: Jouni Malinen <j@w1.fi>
P802.11ai/D7.0 changed from CRC32 to SHA256 as the hash algorithm for
the FILS realm name. Update the implementation to match that change.
Signed-off-by: Jouni Malinen <j@w1.fi>
This updates definitions for Status Codes, Reason Codes,
Information Element IDs, Action frame categories, Public Action
codes, Protected Dual of Public Action codes, Advertisement
Protocol ID, and ANQP info IDs based on IEEE Std 802.11-2016.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes both the Probe Response and Beacon frame IEs available to
upper layers if scan results include both IE sets. When the BSS command
mask includes WPA_BSS_MASK_BEACON_IE, a new beacon_ie=<hexdump> entry
will be included in output if the BSS entry has two separate sets of IEs
(ie=<hexdump> showing the Probe Response frame contents and
beacon_ie=<hexdump> the Beacon rame contents).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the secondary channel was not found at all, no debug print was shown
to indicate that the channel was rejected due to that problem. Print a
clearer message indicating which channel was behind the reason to reject
channel configuration as unsuitable for AP mode.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds new wpa_supplicant control interface commands PMKSA_GET and
PMKSA_ADD that can be used to store PMKSA cache entries in an external
persistent storage when terminating a wpa_supplicant process and then
restore those entries when starting a new process. The previously added
PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing
the external storage with the memory-only volatile storage within
wpa_supplicant.
"PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to
a specific network profile. The network_id of the current profile is
available with the STATUS command (id=<network_id). In addition, the
network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The
output of the PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds>
<akmp> <opportunistic>
For example:
02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0
The PMKSA_GET command uses the following format:
<network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration
in seconds> <akmp> <opportunistic>
(i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET
output data; however, the reauth_time and expiration values need to be
updated by decrementing them by number of seconds between the PMKSA_GET
and PMKSA_ADD commands)
For example:
PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0
This functionality is disabled be default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be
noted that this allows any process that has access to the wpa_supplicant
control interface to use PMKSA_ADD command to fetch keying material
(PMK), so this is for environments in which the control interface access
is restricted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These allow external program to monitor PMKSA cache updates in
preparation to enable external persistent storage of PMKSA cache.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd didn't send "TERMINATING" event when stopped by
SIGTERM. Android handles this event to stop monitor thread.
This commit adds "TERMINATING" event same as with wpa_supplicant.
Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
This allows the vendor scan to be optimized when a response is needed
only from a single, known BSS.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit documents the QCA vendor commands 61-73 and the
corresponding definitions of the attributes. This set of commands were
previously reserved for QCA without documentation here.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These thresholds values indicate how many Beacon frames can be missed
before before disconnecting from the AP.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit c79238b6a4 ('Define a QCA vendor
command to configure SAR Power limits') had a mismatch between the enum
qca_vendor_attr_sar_limits_selections documentations and actual values.
The BDF SAR profiles are 0-based, so rename the enum values and reorder
the values keep the actual values more convenient. While this changes
values over the interface, this is justifiable since the new command was
introduced only recently and it had not been released in any driver.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is to handle the case when peer changes device name and same needs
to be updated to upper layers by P2P-DEVICE-FOUND event. It is similar
to the case when a peer changes wfd_subelems and P2P-DEVICE-FOUND event
goes to upper layers.
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
When a peer device stops sending wfd_subelems, wpa_supplicant should
remove dev->info.wfd_subelems from peer's properties. Previously,
wpa_supplicant left the previously learned dev->info.wfd_subelems in
place whenever the new message did not include wfd_subelems.
In addition to fixing the clearing of the old wfd_subelems, this
resolves another issue. As "wfd_changed" variable becomes true even when
peer stops sending wfd_subelems and dev->info.wfd_subelems has an old
value, a new P2P-DEVICE-FOUND event notification was sent again and
again to upper layers whenever a new discovery response was received
from the peer that previously advertised WFD subelements.
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Previously, this flag was cleared only in case of failed GO Negotiation.
That could leave the flag set for a peer and if a new group formation
was performed with the same peer before the entry expired, there was
increased risk of getting stuck in a state where neither peer replied to
a GO Negotiation Request frame if a GO Negotiation Response frame with
Status 1 was dropped.
The error sequence could happen in the go_neg_with_bss_connected test
case when timing was suitable to make the second GO negotiation drop a
pending TX Action frame if the GO Negotiation Response with Status 1 was
scheduled for transmission during a P2P scan and P2P_CONNECT was issued
before that scan got aborted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is a regulatory requirement for Specific Absorption Rate (SAR)
whereby the device transmit power is reduced when it is determined that
the device is in close proximity to the body. Implement a vendor command
interface to allow a userspace entity to dynamically control the SAR
power limits.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, os_sleep() was used to block the hostapd (or wpa_supplicant
AP/P2P GO mode) processing between sending out EAP-Failure and
disconnecting the STA. This is not ideal for couple of reasons: it
blocks all other parallel operations in the process and it leaves a
window during which the station might deauthenticate and the AP would
have no option for reacting to that before forcing out its own
Deauthentication frame which could go out after the STA has already
started new connection attempt.
Improve this design by scheduling an eloop timeout of 10 ms instead of
the os_sleep() call and perform the delayed operations from the eloop
callback function. This eloop timeout is cancelled if the STA
disconnects or initiates a new connection attempt before the 10 ms time
is reached. This gets rid of the confusing extra Deauthentication frame
in cases where the STA reacts to EAP-Failure by an immediate
deauthentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
On a connect nl80211 event, wpa_supplicant uses
wpa_driver_nl80211_get_ssid() to fetch the current associated SSID to
compare to existing configurations. However,
wpa_driver_nl80211_get_ssid() uses drv->ssid, which is a cached value.
It is set when we explicitly initial a connect request using
wpa_supplicant. If the association was initiated outside of
wpa_supplicant, we need another way to populate drv->ssid. This commit
sets drv->ssid based on cfg80211 BSS information on connect/associate
nl80211 events.
Signed-off-by: Ningyuan Wang <nywang@google.com>
Commit adcd7c4b0b ('nl80211: Support
vendor scan together with normal scan') made the drv->scan_state updates
for NL80211_CMD_NEW_SCAN_RESULTS and NL80211_CMD_SCAN_ABORTED
conditional on drv->last_scan_cmd being NL80211_CMD_TRIGGER_SCAN. This
missed the part about the possibility of last_scan_cmd == 0 and an
externally started cfg80211 scan is ending. This could leave
drv->scan_state into SCAN_STARTED state even after the scan was
completed. Consequently, hwsim test cases could get stuck in reset()
handler waiting for scan to terminate.
Fix this by updating drv->scan_state also in drv->last_scan_cmd == 0
case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.
By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.
When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.
This also does not implement Directed Multicast Service (DMS).
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
We should unconditionally remove inactivity timers for wired network
cases. This commit checks for this after a new station association:
hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED
and then cancels the timeout and does not register a new one.
It prints out a debug message like this:
1476740180.276286: IEEE 802.1X: 00:02:00:00:00:07 CTRL_DIR entering
state FORCE_BOTH
1476740180.276295: hostapd_new_assoc_sta: canceled wired ap_handle_timer
timeout for 00:02:00:00:00:07
This was tested on a debian jessie amd64 system with a configured 120
second inactivity timer and the session did not timeout.
Signed-off-by: Sam Tannous <stannous@cumulusnetworks.com>
Do not use the generic bss_info_handler() design to fetch all scan
results into temporary memory buffer. Instead, use a separate BSS info
handler that fetches the requested information without fully parsing the
BSS entries and without allocating any memory for collecting all the
results.
This is also simplifying bss_info_handler() and nl80211_parse_bss_info()
design by getting rid of the special case that was used only for
nl80211_get_assoc_freq() and not normal scan result fetching.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of fetching all scan results to a temporary buffer, debug print
scan result dump directly from the message handler function one BSS at a
time.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows a single scan result to be parsed at a time. This is a step
towards optimizing scan result fetching without having to allocate
memory for all entries at the same time.
Signed-off-by: Jouni Malinen <j@w1.fi>
The way the removal of duplicated (one per frequency) BSS entries in the
cfg80211 scan results were removed in driver_nl80211_scan.c
bss_info_handler() depended on having the full scan results available to
allow iteration through the other entries. This is problematic for the
goal of being able to optimize memory allocations for scan result
fetching in a manner that would not build the full result buffer in
memory.
Move this duplicate removal into bss.c since it has sufficient
information available for doing the same determination of which one of
two BSS entries is more current.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which
resulted in invalid scan data being accepted in driver_privsep.c. Add
support for res->beacon_ie_len and also fix the validation step to take
this new variable length field into account.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows a single scan result to be checked at a time. This is a step
towards optimizing scan result fetching without having to allocate
memory for all entries at the same time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This untangles the NL80211_CMD_GET_SURVEY handler loop from
NL80211_CMD_GET_SCAN processing so that the per-channel noise
information can be fetched with a common function to a local data
structure that can then be easily used to update individual scan results
(a single BSS) instead of having to go through a full set of scan
results. This is a step towards optimizing scan result fetching without
having to allocate memory for all entries at the same time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Data connection was lost if a station reassociated without the STA entry
being cleaned up on the AP side. Fix this by moving reconfiguration of
the STA WDS parameters in association response callback to happen only
after the STA flags have been updated to associated stated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These are used only within driver_wired_common.c now at the end of the
refactoring changes, so there is no need to make these helper functions
available outside driver_wired_common.c.
Signed-off-by: Jouni Malinen <j@w1.fi>
This uses libnl3 to communicate with the macsec module available on
Linux. A recent enough version of libnl is needed for the macsec.h file
(which is not yet available in a formal libnl release at the time of
this commit).
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This continues refactoring of the common parts of wired drivers code
into a shared file, so that they can be reused by other drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Refactor the common parts of wired drivers code into a shared file, so
that they can be reused by other drivers. The macsec_qca driver already
contains a lot of code duplication from the wired driver, and the
macsec_linux driver would do the same. A structure to hold data common
to all wired drivers is added and used in all these drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This commit enhances the abort scan implementation to also abort the
vendor scan, if one was used to trigger the scan.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new QCA_NL80211_VENDOR_SUBCMD_ABORT_SCAN command can be used to
abort an ongoing scan that was started with
QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This fixes a regression from commit
bb598c3bdd ('AP: Add support for full
station state'). That commit added code to remove and re-add the kernel
STA entry when processing Authentication frames with a driver that
advertises support for full AP client state. That resulted in bypassing
PMF protections for unprotected Authentication frames with such drivers
since the TK was lost in this operation.
It is simplest to skip the STA entry clearing in this type of case
completely to leave the TK in place and to process the new
authentication exchange otherwise normally. This matches the behavior
used with the drivers that do not implement full AP client state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE Std 802.11-2012, 12.4.2 states that if an MDE is present in an
(Re)Association Request frame but the RSNE uses a non-FT AKM suite, the
AP shall reject the association using status code 43 ("Invalid AKMP").
wpa_validate_wpa_ie() now explicitly checks for this condition to meet
this requirement instead of simply ignoring the MDE based on non-FT AKM.
Signed-off-by: Will Glynn <will@willglynn.com>
If the driver advertises support for setting Beacon frame data rate,
allow the user to configure this rate as part of starting the AP. Only
one Beacon frame TX rate is allowed.
Drivers advertising such support should set corresponding flag via the
NL80211_ATTR_EXT_FEATURES attribute.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:
Legacy (CCK/OFDM rates):
beacon_rate=<legacy rate in 100 kbps>
HT:
beacon_rate=ht:<HT MCS>
VHT:
beacon_rate=vht:<VHT MCS>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, wpa_supplicant only supported hardcoded port == 1 in the
SCI, but users may want to choose a different port.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
So that the user can turn encryption on (MACsec provides
confidentiality+integrity) or off (MACsec provides integrity only). This
commit adds the configuration parameter while the actual behavior change
to disable encryption in the driver is handled in the following commit.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
The first peer may take a long time to come up. In PSK mode we are
basically in a p2p system, and we cannot know when a peer will join the
key exchange. Wait indefinitely, and let the administrator decide if
they want to abort.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This commit fixes the nl80211 driver call get_inact_sec() to return -1
when STA inactivity time retrieval fails in i802_read_sta_data().
This was intended to be handled by initalizing the inactive_msec member
to -1 but i802_read_sta_data() assumes the data parameter is
uninitialized and memsets the entire structure, neutralizing the attempt
to distinguish between no value (-1) and a time value of 0.
This is fixed by now requiring i802_read_sta_data() callers to
initialize the data structure first (allowing get_inact_sec() to use
-1). This is a safe change because it does not change any driver API
behavior and only affects one other static function in driver_nl80211.c
Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
In commit a25e4efc9e ('mka: Add driver op
to get macsec capabilities') I added some code to check the driver's
capabilities. This commit has two problems:
- wrong enum type set in kay->macsec_confidentiality
- ignores that drivers could report MACSEC_CAP_NOT_IMPLEMENTED, in
which case the MKA would claim that MACsec is supported.
Fix this by interpreting MACSEC_CAP_NOT_IMPLEMENTED in the same way as a
DO_NOT_SECURE policy, and set the correct value in
kay->macsec_confidentiality.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This extends the anqp_elem configuration parameter support for new Info
IDs (270 (TDLS Capability) was previously missed from the list of
defined values, 280 has already been assigned in REVmc/D8.0; 281..299
are yet to be assigned). No additional source code changes are needed to
allow hostapd to advertise support for these if the ANQP-element value
is set with the anqp_elem parameter.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.
Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The Channel Center Frequency Segment subfields use the channel index
instead of frequency in MHz.
Signed-off-by: Beni Lev <beni.lev@intel.com>
Signed-off-by: David Spinadel <david.spinadel@intel.com>
The return value from this function may be used in an outgoing message,
so use a valid status code instead of -1.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add a configuration option in hostapd.conf and in neighbor report that
sets an AP as stationary. To enable this option on the current AP set
the config option stationary_ap to 1. To set a neighbor entry to be
marked as stationary add the word stat to the SET_NEIGHBOR command. This
option tells hostapd to send LCI data even if it is older than requested
by max age subelement in RRM request.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
It is possible that a LCI or location civic configuration buffer
is valid but contains no data. In such a case do not add the LCI
and location civic information to the entry in the neighbor
data base.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
struct data_key already had a 'user' field for reference counting, but
it was basically unused.
Add an ieee802_1x_kay_use_data_key() function to take a reference on a
key, and use ieee802_1x_kay_deinit_data_key() to release the reference.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Document some data structures from IEEE Std 802.1X-2010, and add the
(not used yet) struct ieee802_1x_mka_dist_cak_body.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This is specific to the macsec_qca driver. The core implementation
shouldn't care about this, and only deal with the complete secure
channel, and pass this down to the driver.
Drivers that have such limitations should take care of these in their
->create functions and throw an error.
Since the core MKA no longer saves the channel number, the macsec_qca
driver must be able to recover it. Add a map (which is just an array
since it's quite short) to match SCIs to channel numbers, and lookup
functions that will be called in every place where functions would get
the channel from the core code. Getting an available channel should be
part of channel creation, instead of being a preparation step.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This has already been done for WEP, but there's same constraint for not
allowing VTH rates in case of TKIP.
Signed-off-by: Filip Matusiak <filip.matusiak@tieto.com>
Receiving a provision discovery request for an ASP service that
has auto accept set to false should result in a provision discovery
response with the status field set to "currently unavailable".
Having stale P2PS provision data, results in sending a response with
the status set to success because it is mistakenly referred to as the
follow-on provision discovery request.
Fix that by clearing stale P2PS provision data in the following cases:
1. When provision discovery is complete
2. When ASP services are flushed (in which case old ASP provisioning
is no longer valid).
Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
drv->in_listen should be cleared whenever the state timeout is cleared,
if they were set together. If the flag is not cleared, the
p2p_listen_end() called during cancel-remain-on-channel will not restart
the search, relying on the state timeout function to do it. Use the
p2p_stop_listen_for_freq() function to clear the listen state properly.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Otherwise, if a P2PS provision is incomplete before the flush, it can
cause incorrect provision responses to be sent out.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Add signal level information to the station tracking information. Also
make it available via the "TRACK_STA_LIST" control command.
Signed-off-by: Kevin Mahoney <k.mahoney@cablelabs.com>
ext_capab/ext_capab_len do not include ID and Length so no extra +2
offset should be used. This fixes a regression from commit
faf427645a ('TDLS: Use proper IE parsing
routine for non-EAPOL-Key cases') that replaced the IE parser without
noticing the difference in the pointer offset.
Signed-off-by: Flavia Vanetti <flavia.vanetti@ceva-dsp.com>
When channel switch happens, driver wrapper's internal channel
information needs to be updated so that the new frequency will be used
in operations using drv->assoc_freq. Previously, only bss->freq was
updated and the new frequency was also indicated in the EVENT_CH_SWITCH
event. This could potentially leave out couple of cases that use
drv->assoc_freq at least as a fallback mechanism for getting the current
operating frequency.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit adds a control interface command to configure the TDLS
trigger mode to the host driver. This TDLS mode is configured through
the "SET tdls_trigger_control" control interface command.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These attributes were previously maintained elsewhere. This commit moves
them to follow the standard assignment process through the qca-vendor.h
file in hostap.git.
Signed-off-by: Li Feng <lifeng@qti.qualcomm.com>
Add a new vendor attribute config to set the reorder blocksize and
timeout in 4 ACs, and then report the frame aggregation failure
statistics in QCA_NL80211_VENDOR_SUBCMD_STATS_EXT command. In addition,
fix the spelling of the enum value for this subcommand.
Signed-off-by: Li Feng <lifeng@qti.qualcomm.com>
This sends the FILS KEK and AAD context (nonces) to the driver with the
NL80211_CMD_ASSOCIATE messages when using FILS.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes wpa_remove_ptk() call to wpa_auth_set_key() more consistent
with all the other calls that verify the return value to keep static
analyzers happier.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
"GET_CAPABILITY fils" used to return "FILS" based on wpa_supplicant
configuration. This can be made more useful by checking both for
wpa_supplicant and driver support for FILS.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Decrypt the AES-SIV protected elements and verify Key-Auth. Parse and
configure keys to the driver.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows the FILS KEK and AAD data (nonces) to be configured to the
driver for association so that the driver can encrypt the
(Re)Association Request frame and decrypt the (Re)Association Response
frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This implements processing of FILS Authentication frame for FILS shared
key authentication with ERP and PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
ieee802_1x_encapsulate_radius() and ieee802_1x_alloc_eapol_sm() need to
be called from FILS processing.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a PMKSA cache entry for the target AP is available, try to use FILS
with PMKSA caching.
If an ERP key for the target AP is available, try to use FILS with
EAP-Initiate/Re-auth added as Wrapper Data element.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This needs to be callable through the EAPOL supplicant wrappers to allow
FILS implementation to use ERP.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This implements Key-Auth derivation for (Re)Association Request frames
(see P802.11ai/D11.0 12.12.2.6.2) and (Re)Association Response frames
(see P802.11ai/D11.0 12.12.2.6.3).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is the PTKSA key derivation used as part of the FILS authentication
exchange. See P802.11ai/D11.0 12.12.2.5.3.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it cleaner for the FILS implementation to use the same design
for setting Authentication frame elements as was already done with SAE.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add operations to allow low level control over RF sectors in QCA DMG
(11ad) chipsets. Operations include getting/setting the configuration of
a specific sector, as well as getting/setting the selected sector which
the HW uses to communicate with a specific station.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
That function does not need the full EAP header -- it only needs to know
which EAP identifier to use in the message. Make this usable for cases
where the previous EAP message may not exist (FILS).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This changes 4-way handshake authenticator processing to decrypt the
EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before
processing the Key Data field. This replaces Key MIC validation for the
cases where AEAD cipher is used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This changes 4-way handshake authenticator processing to decrypt the
EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before
processing the Key Data field. This replaces Key MIC validation for the
cases where AEAD cipher is used. This needs to move the EAPOL-Key msg
2/4 RSN element processing to happen only after the PTK has been derived
and validated. That is done for all AKMs to avoid extra complexity with
having to maintain two code paths for this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS
AKMs) to provide both integrity protection for the EAPOL-Key frame and
encryption for the Key Data field. It should be noted that this starts
encrypting the Key Data field in EAPOL-Key message 2/4 while it remains
unencrypted (but integrity protected) in non-FILS cases. Similarly, the
empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD
cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This will be needed to be able to implement AEAD cipher support from
FILS that will need to use KEK to protect the frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Suite B 192-bit addition from IEEE Std 802.11ac-2013 replaced the
previous fixed length Key MIC field with a variable length field. That
change was addressed with an addition of a new struct defined for the
second MIC length. This is not really scalable and with FILS coming up
with a zero-length MIC case for AEAD, a more thorough change to support
variable length MIC is needed.
Remove the Key MIC and Key Data Length fields from the struct
wpa_eapol_key and find their location based on the MIC length
information (which is determined by the AKMP). This change allows the
separate struct wpa_eapol_key_192 to be removed since struct
wpa_eapol_key will now include only the fixed length fields that are
shared with all EAPOL-Key cases in IEEE Std 802.11.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Calculate the hashed realm from hostapd erp_domain configuration
parameter and add this to the FILS Indication element when ERP is
enabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If FILS is enabled, indicate that in Beacon, Probe Response, and
(Re)Association Response frames in the Extended Capabilities element.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds definitions for new information elements from P802.11ai/D11.0
and parsing of these IEs.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous implementation was hardcoded to use 128-bit AES key
(AEAD_AES_SIV_CMAC_256). Extend this by allowing AEAD_AES_SIV_CMAC_384
and AEAD_AES_SIV_CMAC_512 with 192-bit and 256-bit AES keys.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows the CRC-32 routine to be shared for other purposes in
addition to the WEP/TKIP/FCS within wlantest.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Station should be able to connect initially without ft_pmk_cache filled,
so the target AP has the PSK available and thus the same information as
the origin AP. Therefore neither caching nor communication between the
APs with respect to PMK-R0 or PMK-R1 or VLANs is required if the target
AP derives the required PMKs locally.
This patch introduces the generation of the required PMKs locally for
FT-PSK. Additionally, PMK-R0 is not stored (and thus pushed) for FT-PSK.
So for FT-PSK networks, no configuration of inter-AP communication is
needed anymore when using ft_psk_generate_local=1 configuration. The
default behavior (ft_psk_generate_local=0) remains to use the pull/push
protocol.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This also implements the macsec_get_capability for the macsec_qca
driver to maintain the existing behavior.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
RFC 5931 Section 2.8.5.1 does not list the Prep field as something that
the server validates to match the Request. However, the supplicant side
has to use the same pre-processing mechanism for the password for the
authentication to work, so we may as well as enforce this field to match
the requested value now that wpa_supplicant implementation is fixed to
copy the value from the request.
Signed-off-by: Jouni Malinen <j@w1.fi>
Fix the pre-processing field in the response when EAP_PWD_PREP_MS is
being used. This fixes interoperability with EAP-pwd servers that
validate the Prep field in EAP-pwd-ID/Response when the RFC2759
(PasswordHashHash) pre-processing is used.
Signed-off-by: Brian Candler <B.Candler@pobox.com>
Clean up the driver interface by passing pointers to struct receive_sc
down the stack to the {create,delete}_recevie_sc() ops, instead of
passing the individual properties of the SC.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to struct transmit_sc
down the stack to the {create,delete}_transmit_sc() ops, instead of
passing the individual arguments.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This basically just follows commit
587b0457e0 ('LibreSSL: Fix build with
LibreSSL') with the same pattern, which was missed here.
Signed-off-by: Julian Ospald <hasufell@hasufell.de>
Due to a missing guard for old OpenSSL code, SSL_library_init() was not
called, which is required for LibreSSL. Likewise for cleanup.
Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
Add LibreSSL check to old OpenSSL #ifdef guard as DH_{get0,set0}_key()
is not implemented in LibreSSL.
Signed-off-by: Christian Neukirchen <chneukirchen@gmail.com>
Add attributes for specifing the frequency where FTM/AOA measurement is
done over the air. This allows the user space framework to maintain its
own cache of peers without depending on the kernel scan results cache,
or perform scans less often (since entries in the kernel scan results
cache expire quickly). The change is backward compatible. If the
frequency attribute is not specified, the kernel scan results cache will
be queried, like done today.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Clean up the driver interface by passing pointers to struct receive_sa
down the stack to the {create,enable,disable}_receive_sa() ops, instead
of passing the individual properties of the SA.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to struct transmit_sa
down the stack to the {create,enable,disable}_transmit_sa ops, instead
of passing the individual properties of the SA.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to structs transmit_sa
and receive_sa down the stack to get_receive_lowest_pn(),
get_transmit_next_pn(), and set_transmit_next_pn() ops, instead of
passing the individual arguments.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
These structs will be passed down to macsec drivers in a coming patch to
make the driver interface cleaner, so they need to be shared between the
core MKA implementation and the drivers.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This makes it easier to copy a subset of definitions without
accidentally getting mismatching values.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends ANQP_GET command to support querying MBO cellular
preference also. The cellular preference can be requested along with
neigbor report by appending mbo:1 to the command arguments.
For example:
ANQP_GET <bssid> 272,mbo:1
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The user space app use QCA_NL80211_VENDOR_SUBCMD_GET_CHAIN_RSSI cmd to
get the corresponding antenna rssi value for the specific chain. And the
associcated attributes are added to configure the antenna diversity and
related selftest.
Signed-off-by: Li Feng <lifeng@qti.qualcomm.com>
The reason detail field was removed from non_pref_chan attr in MBO
v0.0_r25 draft. Don't parse for this element to be compliant with the
latest drafr.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
MBO capable APs can set association disallowed in the Beacon/Probe
Response frames. For testing purposes, the STA needs to be configured to
not ignore the association disallowed set by APs and continue to connect
to such AP like non-MBO enabled STA. Add a QCA vendor attribute for
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION vendor sub command to
configure the driver to ignore association disallowed functionality.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need to find bss->drv separately for each parameter, so do
this once at the beginning of the function.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add driver parameter command to force capability flag
WPA_DRIVER_FLAGS_BSS_SELECTION even if driver states otherwise. This is
mainly for testing purposes.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
Ignore group members for which there is no supported channels
information when calculating common group frequencies.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This command carries 802.11 header and payload along with key (TK) and
PN for encryption/decryption purpose. Firmware/driver encrypts/decrypts
the given data and sends to userspace as a response to the command. User
space component can validate the data received from the driver to unit
test the hardware's encryption engine.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
A weakness in the initial client taxonomy mechanism is from storing both
the Probe and Associate in struct sta_info. struct sta_info is created
after a client associates (or starts authentication frame exchange),
which means that any Probe Request frames sent prior to association are
not retained. The Associate Request frame has to be seen, and then
another Probe Request frame after association, before we have a
signature for the client.
Most clients send lots of Probe Request frames (lots and lots and lots
of Probes, actually), but a few do not. ChromeOS is notably sparing in
sending Probe Request frames, it can take a long time before a signature
for a ChromeOS device is available.
Store the most recent Probe Request frame in struct hostapd_sta_info
tracking list. When a struct sta_info is created, move the Probe Request
frame information from struct hostapd_sta_info to struct sta_info.
Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)
Implement the signature mechanism described in the paper
"Passive Taxonomy of Wifi Clients using MLME Frame Contents"
published by Denton Gentry and Avery Pennarun.
http://research.google.com/pubs/pub45429.htmlhttps://arxiv.org/abs/1608.01725
This involves:
1. Add a CONFIG_TAXONOMY compile option. Enabling taxonomy incurs
a memory overhead of up to several kilobytes per associated
station.
2. If enabled, store the Probe Request and (Re)Associate Request frame in
struct sta_info.
3. Implement code to extract the ID of each Information Element,
plus selected fields and bitmasks from certain IEs, into a
descriptive text string. This is done in a new source file,
src/ap/taxonomy.c.
4. Implement a "signature qq:rr:ss:tt:uu:vv" command
in hostapd_cli to retrieve the signature.
Signatures take the form of a text string. For example, a signature
for the Nexus 5X is:
wifi4|probe:0,1,127,45,191,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:338061b2,
vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:00000a0201000040|assoc:0,1,48,45,
221(0050f2,2),191,127,htcap:01ef,htagg:03,htmcs:0000ffff,vhtcap:339071b2,
vhtrxmcs:030cfffa,vhttxmcs:030cfffa,extcap:0000000000000040
Signed-off-by: dgentry@google.com (Denton Gentry)
Signed-off-by: denny@geekhold.com (Denton Gentry)
Signed-off-by: rofrankel@google.com (Richard Frankel)
Signed-off-by: richard@frankel.tv (Richard Frankel)
Previously, struct hostapd_iface sta_seen list head was initialized only
when completing interface setup. This left a window for operation that
could potentially iterate through the list before the list head has been
initialized. While the existing code checked iface->num_sta_seen to
avoid this case, it is much cleaner to initialize the list when struct
hostapd_iface is allocated to avoid any accidental missing of the extra
checks before list iteration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not generate an unused and invalid Request Authenticator (random
value) when constructing Accounting-Request packets. The correct Request
Authenticator is calculated subsequently in radius_msg_finish_acct()
using MD5(msg + shared secret).
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
This reverts commit 647862eb60.
The second check of device_ap_sme looks like duplicated, but it isn't
actually. The trick is nl80211_create_monitor_interface may change that
variable value and the second evaluation may give a different result.
This definitely isn't a very clear code, but that change caused a
regression for drivers that:
1) Don't report NL80211_ATTR_DEVICE_AP_SME
2) Don't support monitor mode
3) Don't support subscribing for PROBE_REQ and/or ACTION frames
like brcmfmac. With such drivers hostapd doesn't start anymore.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
The places using drv->use_monitor were already skipping creation of the
monitor interface if drv->device_ap_sme == 0. This means that the
monitor interface operations would not have worked anyway and it is safe
to set drv->use_monitor to zero for all such cases. This fixes an issue
with management frame subscription not happening properly for the case
where the AP SME is in the driver and the driver supports monitor
interfaces (for other purposes).
This commit also removes the check for monitor support and the
previously used workaround that cleared drv->use_monitor in
drv->device_ap_sme == 1 case if monitor interface was not supported
since that condition cannot occur anymore.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Upon receiving FST Setup Request from some peer on some interface,
search is made to see if same peer is connected on other interface with
specific band_id. With multiple peers, bug in
fst_group_does_iface_appear_in_other_mbies() caused wrong peer address
to be returned sometimes.
Fix this with a modified, simplified search algorithm of peer's "other"
connection.
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
Fix some mistakes in the previous commit for adding QCA vendor commands
for indoor location.
Note: The renamed enum value does not change the ABI, but the addition
of QCA_WLAN_VENDOR_ATTR_FTM_MEAS_INVALID in the beginning of enum
qca_wlan_vendor_attr_ftm_meas does renumber
QCA_WLAN_VENDOR_ATTR_FTM_MEAS_* values. The previous values were
committed yesterday and have not been used in any released code yet, so
this is a justifiable quick fix.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Assign QCA vendor specific commands, attributes, and events for
supporting indoor location features.
These features include:
1. Fine timing measurement (FTM) - allows measurement of distance
between two stations. Based on IEEE P802.11-REVmc/D7.0, 11.24.6 FTM is
performed between two stations: one is an initiator, typically a client
that wants to measure distance to another AP, and one is a responder,
typically an AP which responds to measurement requests from other
clients. The responder can be configured to report its location, either
in absolute coordinates (LCI) or free-form description (LCR).
2. Angle of arrival (AOA) - allows measurement of azimuth and elevation
between two stations.
The above features can be combined to allow a station to get an accurate
indoor location.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside hostapd. When framework is
activated, it will use hostapd to configure the AP to publish the FTM
functionality. See IEEE P802.11-REVmc/D7.0, 9.4.2.27.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Some deployed stations incorrectly consider nsts capability in
(Re)Association Response frame as required capability instead of maximum
capability and if it is greater than station's capability then beamform
will not happen in uplink traffic.
This commit adds support for an optional workaround to use station's
nsts capability in (Re)Association Response frame if the station's nsts
is less than AP by using the use_sta_nsts=1 configuration parameter.
This configuration is introduced in this commit and it is disabled by
default.
Signed-off-by: Tamizh chelvam <c_traja@qti.qualcomm.com>
Some user space monitor wants to offload link layer statistics to
firmware. A new command QCA_NL80211_VENDOR_SUBCMD_LL_STATS_EXT and
associcated attributes are added. The monitor will use this new command
to configure monitoring paramters and get link layer statistics.
Attributes added in this change:
1. Parameters for FW to trigger the statistics report
2. Peer STA power state
3. TX failure statistics
Signed-off-by: Zhang Qian <zhangq@qti.qualcomm.com>
Assign cs in ieee802_1x_mka_decode_dist_sak_body and reuse it.
Cleanup of key allocation: ieee802_1x_kay_generate_new_sak() and
ieee802_1x_mka_decode_dist_sak_body() both allocate a struct key_conf,
fill it, and ask ieee802_1x_kay_init_data_key() to allocate and set up a
struct data_key. They also allocate multiple key buffers and copy the
same data around. Stop moving data from buffer to buffer, and just
allocate what we really need.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Instead of copying from kay to a temporary struct, and then from the
struct to the sm, just copy from kay to cp.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This avoids unnecessary typecasting while still being able to compare
the value to CS_TABLE_SIZE without compiler warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
Share mka deletion implementation in ieee802_1x_participant_timer() for
the cak_life and mka_life expiration cases.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This takes care of priority comparison followed by MAC address
comparison if the priorities are identical.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This is a known constant value (CS_ID_LEN, i.e., the length of the EUI64
identifier) and does not need to be provided separately in these
function calls.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
to_use_sak is a Boolean variable, so there is no need for an if
statement to figure out whether to return TRUE or FALSE.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Use for loop to remove unnecessary goto use and similar cleanup to
simplify the loops in ieee802_1x_mka_i_in_peerlist(),
ieee802_1x_mka_decode_live_peer_body(), and
ieee802_1x_kay_decode_mkpdu().
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Each loop iteration resets body_peer in the beginning, so there is no
need to increment this pointer in the end.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Add ieee802_1x_kay_get_potential_peer() similarly to the previously used
ieee802_1x_kay_get_live_peer() and use these helper functions more
consistently to avoid multiple implementations of peer lookups.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This splits the u32 bitfields into u8 variables and using bitfields only
for the cases where under 8-bit fields are used.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Previously, this was initialized in hostapd_setup_bss() which made it
possible for a REMOVE_NEIGHBOR control interface command to be issued
prior to the list head pointers having been set. That resulted in a NULL
pointer dereference. Fix this by initializing the list head at the time
the data structure gets allocated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Number of hostapd control interface commands (e.g., STATUS-DRIVER) could
result in NULL pointer dereference when issued on not yet enabled BSS.
Fix this by checking that the driver interface has been initialized
before calling the driver_ops function.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When the RADIUS client has not yet been fully enabled, MIB command was
segfaulting hostapd.
Signed-off-by: Eduardo Abinader <eduardoabinader@gmail.com>
Accoding to the comment of struct wpa_driver_mesh_bss_params, the
max_peer_links parameter should be under that struct.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Various checks should use is_multicast_ether_addr() instead
of hardcoding the equivalent, change it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Previously, driver_nl80211 sets NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT in
AP mode, to get EAPOL frames out unencrypted when using IEEE 802.1X/WEP.
However, due to the way nl80211/cfg80211 is implemented, this attribute
is ignored by the kernel if NL80211_ATTR_CONTROL_PORT_ETHERTYPE isn't
specified as well. Fix this by including
NL80211_ATTR_CONTROL_PORT_ETHERTYPE set to ETH_P_PAE. This can be done
unconditionally, since the kernel will allow ETH_P_PAE to be set even
when the driver didn't advertise support for arbitrary ethertypes.
Additionally, the params->pairwise_ciphers appear to not be set at
this point, so relax the check and allow them to be zero.
In client mode, this whole thing was missing, so add it. Again, the
pairwise suite can be WPA_CIPHER_NONE, so allow that case as well.
This fixed IEEE 802.1X/WEP EAP reauthentication and rekeying to use
unencrypted EAPOL frames which is the de facto way of implementing this
in wireless networks.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
To be consistent with OpenSSL 1.1.0, the free functions should
internally check for NULL. EVP_MD_CTX_free also was missing an
EVP_MD_CTX_cleanup, so this leaked a little.
OpenSSL 1.1.0 also has given get_rfc3526_prime_1536 a better namespace
with get_rfc3526_prime_1536 as a compatibility-only name. Use that
instead in 1.1.0.
Signed-off-by: David Benjamin <davidben@google.com>
Do not include a NAS-Port attribute in Access-Request and
Accounting-Request packets where the Association ID (AID) is 0, i.e.,
not yet assigned or known.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Previously, the check for mgmt->bssid matching own address (= BSSID)
ended up rejecting the case where Public Action frames are using
Wildcard BSSID in the Address 3 field. This could result in GAS queries
being dropped. Fix this by allowing both the own address (= AP BSSID)
and Wildcard BSSID in Action frame Address 3 field.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit introduces a new vendor sub command
QCA_NL80211_VENDOR_SUBCMD_GET_HW_CAPABILITY and the associated
attributes to get Wi-Fi hardware capabilities.
Signed-off-by: Yingying Tang <yintang@qti.qualcomm.com>
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
Trying to open file for checking file existence seems to be too much.
Instead use access system call which is meant for the same.
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
body_type, used to index in mka_body_handler, can be any u8 value, but
we have only ARRAY_SIZE(mka_body_handler) elements.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This uses a more accurate variable type for body_type and makes it
cleaner to compare this to other unsigned values.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the memory allocation in ieee802_1x_kay_init_receive_sc() fails, we
end up in an inconsistent state where the peer is moved to the live
peers list and its sci is setup, but we don't have an rxsc.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
The room we actually use is length. This could also mess up the
receiver, since it will advance by the actual length (as indicated by
the parameter body's length), which could differ from the offset at
which we stored the next item.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
1. The comparison between SCI's of two servers with identical priority
is broken, and would always return TRUE. Just use os_memcmp(), which
provides the ordering we need.
2. If no peer can be key server but this instance can, then become the
key server.
3. The ordering of blocks between peer as key server and ourself as key
server overwrites settings. Simple reordering fixes this.
4. Default to being the key server, so that we advertise our ability in
the MKPDUs we send. That's the only way peers can know we can be key
server. Cleared automatically as soon as we find a better peer.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
There's no need to have a separate variable and open-code a more
complicated version of this, just use is_broadcast_ether_addr().
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
In preparation for adding further command completion support
to hostapd_cli move some cli related utility functions out of
wpa_cli into a new common cli file.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
This commit defines QCA vendor subcommand and attributes for IE based
access control, i.e., the specific configured IE (full IE) is matched
with the frames originated by the Wi-Fi STA / AP to accept or deny the
connection. A specific IE can either be a whitelist or blacklist.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit introduces a new vendor sub command
QCA_NL80211_VENDOR_SUBCMD_GPIO_CONFIG_COMMAND and associated
attributes to configure GPIO pins.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes wpa_supplicant set default scan IEs to the driver (if the
vendor command is supported). The driver can use these IEs in the scan
requests initiated by the driver itself. Also the driver can merge these
IEs into further scan requests that it receives, in case if the scan
request doesn't carry any of the IEs sent in this command.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, HT/VHT state was shown in STATUS based on the configuration
parameter instead of the runtime operational parameters. This could
result in claiming HT/VHT to be enabled even when it was forced to be
disabled due to an incompatible configuration. Clear HT/VHT information
in the STATUS output if HT/VHT has been disabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If params->freq is NULL here, it leads to a segfault. Do not initialize
bss->bandwidth if params->freq is NULL.
Signed-off-by: Chaitanya T K <Chaitanya.Mgit@gmail.com>
Previously, HT capability IE and HT information IE were included in
Beacon and Mesh Peering Open/Confirm frames even if HT is disabled with
disable_ht=1. This patch removes these.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
If a peer stops sending adv_service_instance, we should clear the
existing dev->info.p2ps_instance.
This commit fixes the following scenario:
When peer device stops sending adv_service_instance, wpa_supplicant did
not remove old dev->info.p2ps_instance from device's property. This
variable should be updated as per peer behavior and should be cleared
when peer stops sending this information.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
Remove the unnecessary os_free() call from p2p_deinit() since
p2p_flush() called just above this takes care of freeing
p2p->after_scan_tx and the second call here ends up being no-op
os_free(NULL) in practice.
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Previously, mesh power management functionality works only with kernel
MPM. Because user space MPM did not report mesh peer AID to kernel,
the kernel could not identify the bit in TIM element. So this patch
reports mesh peer AID to kernel.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This commit introduces a new vendor sub command
QCA_NL80211_VENDOR_SUBCMD_SAP_CONDITIONAL_CHAN_SWITCH and associated
attributes which aim to configure selected frequencies on which the AP
can conditionally switch onto for preferred operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 49fe2ada20 ('OpenSSL: Support
OpenSSL 1.1.0 DH opacity') started using the new accessor functions, but
used incorrect success check for the DH_set0_key() call. This resulted
in dh5_init_fixed() failures and double-free on error path if the build
was linked against OpenSSL 1.1.0. Fix this by checking DH_set0_key()
return value to be 1 for the success case.
Signed-off-by: Jouni Malinen <j@w1.fi>
These control interface event message are used by external programs, so
define them a bit more formally in the header file.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows P2P Listen to be offloaded to device to enhance power
saving.
To start P2P listen offload, from wpa_cli interface, issue the command:
p2p_lo_start <freq> <period> <interval> <count>
To stop P2P listen offload, issue the command:
p2p_lo_stop
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Provides operating frequency in EVENT_ASSOC when IBSS is joined so that
wpa_s->assoc_freq can be updated when any IBSS network is joined.
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
During the P802.11s draft development, there were separate LISTEN and
IDLE states. However, the current IEEE 802.11 standards uses only the
IDLE state while the implementation called this LISTEN. Rename the state
in the implementation to match the one used in the standard to avoid
confusion. In addition, rename OPEN_{SENT,RCVD} to OPN_{SNT,RCVD} to
match the exact spelling of these states in the standard.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 1.1.0 (master branch) apparently ended up modifying the API
after the beta 2 release that was supposed to complete the work. Mark
the variables const to fix the compilation with the modified OpenSSL
API.
Signed-off-by: Jouni Malinen <j@w1.fi>
These elements can be used for pre-standard publication testing of HE
before P802.11ax draft assigns the element ID. The payload of these
vendor specific elements is defined by the latest P802.11ax draft.
Please note that the draft is still work in progress and the element
payload is subject to change.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is now annotated as be16, so use it as such in all cases instead of
first storing host byte order value and then swapping that to big endian
in other instances of the same structure. This gets rid of number of
sparse warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
driver_wired.c pulls in utils/common.h before net/if.h as a workaround
for NetBSD build. This results in IFNAMSIZ getting redefined and sparse
warning about this. Silence that warning by undefining the IFNAMSIZ
definition from common.h to allow the one from net/if.h being used. In
addition, remove duplicated inclusion of net/if.h.
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of a sparse warning and also allows the compatibility of
the declarations to be verified (a missing const declaration is fixed
here as well).
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of number of sparse warnings and also allows the
compatibility of the declarations to be verified (number of missing
const declarations are fixed here as well).
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows the compiler to check that function prototypes match the
implementation. In addition, this gets rid of sparse warnings.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These are called through function pointers, so no need to make the
function symbols directly available outside this file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This converts some of the PAE code to use a design that gets rid
unnecessary warnings from sparse and allows more thorough validation of
byte order operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These are called through function pointers, so no need to make the
function symbols directly available outside this file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These little endian fields were not marked properly and the type case in
the get_unaligned_* helper macros were causing warnings from sparse.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Couple of fsts_id and llt fields were not properly swapped from host
byte order to little endian byte order used in the frames. Fix this and
use the le32 type to make this more consistent and verifiable with
sparse.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Since crypto_openssl.c is now implementing couple of functions
internally, pull in the relevant header files md5.h and aes_wrap.h to
make sure the function declaration are consistent.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Freeing memory for subjectAltName in parse_cert(), will give cert_cb
pointers to freed memory zone that may already been overwritten. Memory
for subjectAltName is released in parse_cert_free().
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
The "Accepting Additional Mesh Peerings bit == 0" means the peer cannot
accept any more peers, so suppress attempt to open a connection to such
a peer.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This moves pairwise, group, and management group ciphers to various mesh
data structures to avoid having to hardcode cipher in number of places
through the code. While CCMP and BIP are still the hardcoded ciphers,
these are now set only in one location.
Signed-off-by: Jouni Malinen <j@w1.fi>
The AMPE element includes number of optional and variable length fields
and those cannot really be represented by a fixed struct
ieee80211_ampe_ie. Remove the optional fields from the struct and
build/parse these fields separately.
This is also adding support for IGTKdata that was completely missing
from the previous implementation. In addition, Key RSC for MGTK is now
filled in and used when configuring the RX MGTK for a peer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous implementation was incorrect in forcing the MGTK to be used
as the IGTK as well. Define new variable for storing IGTK and use that,
if set, to configure IGTK to the driver. This commit does not yet fix
AMPE element parsing to fill in this information.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the data structures to allow variable length MGTK to be
stored for RX. This is needed as an initial step towards supporting
different cipher suites.
Signed-off-by: Jouni Malinen <j@w1.fi>