wpa_supplicant now retries for P2P_GO_NEG_CNF_MAX_RETRY_COUNT times if
it doesn't receive acknowledgement for GO Negotiation Confirmation
frame. Currently, P2P_GO_NEG_CNF_MAX_RETRY_COUNT is set to 1.
While this is not strictly speaking following the P2P specification,
this can improve robustness of GO Negotiation in environments with
interference and also with peer devices that do not behave properly
(e.g., by not remaining awake on the negotiation channel through the
full GO Negotiation).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
NL80211_CMD_LEAVE_IBSS was used only with wpa_supplicant-based SME.
Extend this to drivers that implement SME internally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.
This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Only the Neighbor Report element should be included here, so verify that
the element id matches. In addition, verify that each subelement has
valid length before using the data.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes the definitions match the terminology used in IEEE Std
802.11-2012 and makes it easier to understand how the HT Operation
element subfields are used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
QCA vendor extension is used for NAN functionality. This defines the
subcommand and attribute to address this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is somewhat of a corner case since there is no real point in using
so short a fragmentation threshold that it would result in this message
getting fragmented. Anyway, it is better be complete and support this
case as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).
Signed-off-by: Jouni Malinen <j@w1.fi>
"SET tdls_testing 0x800" can be used to enable a special test mode that
forces the FTIE MIC in TDLS setup messages to be incorrect.
Signed-off-by: Jouni Malinen <j@w1.fi>
Following events are now sent to ctrl_iface monitors to indicate if
credential blocks have been added, modified, or removed:
CRED-ADDED <id>
CRED-MODIFIED <id> <field>
CRED-REMOVE <id>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant and wpa_cli had already moved to allowing up to 4096 byte
buffer size to be used for control interface commands. This was limited
by the line edit buffer in interactive mode. Increase that limit to
match the other buffers to avoid artificially truncating long commands.
Signed-off-by: Jouni Malinen <j@w1.fi>
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.
Signed-off-by: Jouni Malinen <j@w1.fi>
p2p_dev_addr was not NULL, so the all zeros case was printed as well.
Clean this up by printing p2p_dev_addr in debug prints only if it is a
real P2P Device Address.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support of vendor command to hostapd ctrl_iface.
Vendor command's format:
VENDOR <vendor id> <sub command id> [<hex formatted data>]
The 3rd argument will be converted to binary data and then passed as
argument to the sub command.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When primary and secondary channel were switched and config was
reloaded, secondary channel was incorrectly overwritten.
Proceed as for other settings that should not be changed and don't
allow to overwrite.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
While framing the TDLS Setup Confirmation frame, the driver needs to
know if the TDLS peer is VHT/HT/WMM capable and thus shall construct the
VHT/HT operation / WMM parameter elements accordingly. Supplicant
determines if the TDLS peer is VHT/HT/WMM capable based on the presence
of the respective IEs in the received TDLS Setup Response frame.
The host driver should not need to parse the received TDLS Response
frame and thus, should be able to rely on the supplicant to indicate
the capability of the peer through additional flags while transmitting
the TDLS Setup Confirmation frame through tdls_mgmt operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When hostapd choose to reuse an existing interface, it does not add it
to the set of interfaces from which we accept EAPOL packets.
Make sure we always add it to that set.
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
This allows drivers that build the WPA/RSN IEs internally to use similar
design for building the OSEN IE.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Scan for GO on the negotiated operating channel for few iterations
before searching on all the supported channels during persistent group
reinvocation. In addition, use the already known SSID of the group in
the scans. These optimizations reduce group formation time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Especially when multiple BSSes are used with ACS, number of the error
paths were not cleaning up driver initialization properly. This could
result in using freed memory and crashing the process if ACS failed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the PMK-R1 needs to be pulled for the R0KH, the previous
implementation ended up rejecting the over-the-air authentication and
over-the-DS action frame unnecessarily while waiting for the RRB
response. Improve this by postponing the Authentication/Action frame
response until the pull response is received.
Signed-off-by: Jouni Malinen <j@w1.fi>
This moves some of the p2p_prepare_channel_best() functionality into
separate helper functions to make the implementation easier to read.
Signed-off-by: Jouni Malinen <j@w1.fi>
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds. This is similar to the earlier
commit that commented out in-memory update.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 94b84bc725 missed one path where
p2p->op_reg_class should have been updated. Set this to 81 during
operating channel selection from 2.4 GHz.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the driver supports full offloading of DFS operations, do not disable
a channel marked for radar detection. The driver will handle the needed
operations for such channels.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This uses a QCA vendor extension to determine if the driver supports
fully offloaded DFS operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not select pre-configured channel as operating channel preference if
it is unavailable maybe due to interference or possible known
co-existence constraints, and try to select random available channel.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There was possibility that the current channel in Beacon information
element was incorrectly set. This problem was easily observed when
primary and secondary channel were switched and then some of hostapd
settings (for example password) were changed using WPS External
Registrar. This caused hostapd_reload_config() function overwrite the
current channel information from config file.
This patch prevents this situation and does not allow to overwrite
channel and some other settings when config is reloaded.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
It was possible for hapd->wps_beacon_ie and hapd->wps_probe_resp_ie to
be set if WPS initialization in hostapd failed after having set these
parameters (e.g., during UPnP configuration). In addition, many of the
other WPS configuration parameters that were allocated during the first
part of the initialization were not properly freed on error paths.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While the device itself may support WPA/WPA2-Enterprise, enrollment of
credentials for EAP authentication is not supported through WPS. As
such, there is no need to claim support for these capabilities within
WPS information.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The scan_for_auth workaround for cfg80211 missing a BSS entry for the
target BSS during authentication uses a single channel scan controlled
within driver_nl80211.c. This operation does not indicate
EVENT_SCAN_RESULTS to the upper layer code. However, it did report
EVENT_SCAN_STARTED and this resulted in the radio work protection code
assuming that an external program triggered a scan, but that scan never
completed. This resulted in all new radio work items getting stuck
waiting for this scan to complete.
Fix this by handling the scan_for_auth situation consistently within
driver_nl80211.c by filtering both the EVENT_SCAN_STARTED and
EVENT_SCAN_RESULTS.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Do not truncate CURLINFO entries on first linefeed to get full IN/OUT
headers and data into debug log. Use wpa_hexdump_ascii() if any
non-displayable characters are included. Remove the separate header/data
debug dumps since all that information is now available from the debug
callback.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These were previous set to 3.0 and 1.5 ms which ended up using values 93
and 46 in 36 usec inits. However, the default values for these are
actually defined as 3.008 ms and 1.504 ms (94/47) and those values are
also listed in the hostapd.conf example.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
test-tls-4: Short 511-bit RSA-DHE prime
test-tls-5: Short 767-bit RSA-DHE prime
test-tls-6: Bogus RSA-DHE "prime" 15
test-tls-7: Very short 58-bit RSA-DHE prime in a long container
test-tls-8: Non-prime as RSA-DHE prime
Signed-off-by: Jouni Malinen <j@w1.fi>
The center segment0 calculation for VHT20 ACS was incorrect. This caused
ACS to fail with: "Could not set channel for kernel driver".
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Secondary channel was compared incorrectly (-4/4 vs. actual channel
number) which broke matching neighboring 40 MHz BSSes and only the
no-beacons-on-secondary-channel rule was applied in practice. Once
sec_chan was fixed, this triggered another issue in this function where
both rules to switch pri/sec channels could end up getting applied in a
way that effectively canceled the switch.
Signed-off-by: Jouni Malinen <j@w1.fi>
previous_ap and last_assoc_req were not really used for anything
meaninful, so get rid of them to reduce the size of per-STA memory
allocation.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the control interface and some of the BSS setup to
be left partially initialized in failure cases while the BSS structures
were still freed. Fix this by properly cleaning up anything that may
have passed initialization successfully before freeing memory.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd to set a different management group cipher than the
previously hardcoded default BIP (AES-128-CMAC). The new configuration
file parameter group_mgmt_cipher can be set to BIP-GMAC-128,
BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in
IEEE Std 802.11ac-2013.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
For some client OBSS implementations that are performed in
firmware, all OBSS parameters need to be set to valid values.
Do this, as well as supplying the "20/40 Coex Mgmt Support"
flag in the extended capabilities IE.
Signed-hostap: Paul Stewart <pstew@chromium.org>
The 802.11ac amendment specifies that that the center segment 0 field
is reserved, so it should be zero. Hostapd previously required it to
be set, which is likely a good idea for interoperability, but allow it
to be unset. However, don't allow it to be set to a random value, only
allow zero and the correct channel.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Some of the remote ANQP server concepts were introduces into gas_serv.c,
but these were not completed. Remote the unused implementation for now.
It can be added back if support for remote ANQP server is added at some
point.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When wpa_psk_file is used instead of wpa_psk/wpa_passphrase, each WPS
Enrollee was given a unique PSK. This did not work for the
station-as-Registrar case where ER would learn the current AP settings
instead of enrolling itself (i.e., when using the AP PIN instead of
station PIN). That case can be covered with a similar design, so
generate a per-device PSK when building M7 as an AP in wpa_psk_file
configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd DEAUTHENTICATE and DISASSOCIATE control interface commands
accepted both a test=<0/1> and reason=<val> parameters, but these were
not supported in the same command as a combination. Move the code around
a bit to allow that as well since it can be helpful for automated test
scripts.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
TDLS Setup Request/Response frames from the peers include the WMM IE,
hence parse the same and consider the QoS Info from the WMM IE. The
qos_info obtained in the WMM IE overwrites the one obtained through
WLAN_EID_QOS attribute.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_find removes P2P_DEV_REPORTED flag from every existing P2P peer
entry. Thus, if a GO Negotiation Request frame is received before the
peer is re-discovered based on Probe Response frame, report
P2P-DEVICE-FOUND indication prior to the P2P-GO-NEG-REQUEST similarly to
how this is done the first time the peer is found.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, some of the last initialization steps could fail without
clearly marking the interface disabled. For example, configuring the
channel to the driver could fail, but hostapd would not clearly identify
as the interface not being in functional state apart from not moving it
to the ENABLED state. Send an AP-DISABLED event and mark interface state
DISABLED if such a setup operation fails.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This hs20-osu-client client command can be used to parse a DER encoded
X.509v3 certificate with the logotype extensions and
id-wfa-hotspot-friendlyName values shown in detail.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If NL80211_CMD_AUTHENTICATE fails due to exiting authentication, forced
deauthentication is used to clear cfg80211 start and a new
authentication command is retried. This resulted in an extra
disconnection event getting delivered to the core wpa_supplicant code
and that could end up confusing state there, e.g., by clearing
connection parameters like wpa_s->key_mgmt and preventing the following
association from reaching proper COMPLETED state with open networks.
Fix this by hiding the unnecessary disconnection event when using the
deauth-for-auth workaround.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
On RF-kill, we should not request the kernel to start a P2P device. In
addition, we should call i802_set_iface_flags() both for a P2P Device
interface and any other interface instead of calling a dedicated
function for each.
Signed-off-by: Moshe Benji <Moshe.Benji@intel.com>
At least in nl80211, broadcast management frames like Probe Request
frames, may be processed multiple times per BSS if multi-BSS is active
and NL80211_CMD_FRAME event is used to deliver them. In the case of
Probe Request frames, hostapd will create multiple redundant Probe
Response frames which are problematic when many BSS are on one channel.
This problem is caused by driver_nl80211 generating an event for
wpa_supplicant_event() for each BSS, and hostapd_mgmt_rx() calls
ieee802_11_mgmt() for each BSS, too.
Fix this by processing broadcast events only for the BSS the driver
intended to. The behavior is not changed for drivers not setting a BSS.
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
If channels are "available", change to "usable" DFS channels as a
fallback, too. This requires CAC, but it is still better to do that
instead of stopping service completely.
Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
If DFS channels are marked as "available", an AP can switch to them
immediately without performing CAC. Therefore, the channel selection
function should consider these channels even though these are radar
channels.
Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
Different channels allow different transmission power, at least in ETSI
countries. Also, ETSI requires a "channel plan" for DFS operation, and
channels should be randomly choosen from these channels.
Add a channel list configuration option for users to add channels
hostapd may pick from.
Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
Previously, EAP-SIM/AKA/AKA' did not work with number of crypto
libraries (GnuTLS, CryptoAPI, NSS) since the required FIPS 186-2 PRF
function was not implemented. This resulted in somewhat confusing error
messages since the placeholder functions were silently returning an
error. Fix this by using the internal implementation of FIP 186-2 PRF
(including internal SHA-1 implementation) with crypto libraries that do
not implement this in case EAP-SIM/AKA/AKA' is included in the build.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Incorrect PTK length was used in PMK-to-PTK derivation and the Michael
MIC TX/RX key swapping code was incorrectly executed for these ciphers
on supplicant side.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While these were already available from elsewhere in the debug log, it
is convenient to have the values also available at the location where
the actual nl80211 command is issued.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The internal TLS server implementation and RADIUS server implementation
in hostapd can be configured to allow EAP clients to be tested to
perform TLS validation steps correctly. This functionality is not
included in the default build; CONFIG_TESTING_OPTIONS=y in
hostapd/.config can be used to enable this.
When enabled, the RADIUS server will configure special TLS test modes
based on the received User-Name attribute value in this format:
<user>@test-tls-<id>.<rest-of-realm>. For example,
anonymous@test-tls-1.example.com. When this special format is used, TLS
test modes are enabled. For other cases, the RADIUS server works
normally.
The following TLS test cases are enabled in this commit:
1 - break verify_data in the server Finished message
2 - break signed_params hash in ServerKeyExchange
3 - break Signature in ServerKeyExchange
Correctly behaving TLS client must abort connection if any of these
failures is detected and as such, shall not transmit continue the
session.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows the internal TLS implementation to write log entries to the
same authlog with rest of the RADIUS server and EAP server
functionality.
Signed-off-by: Jouni Malinen <j@w1.fi>
If eap_user_file is configured to point to an SQLite database, RADIUS
server code can use that database for log information.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, this was silently dropped which left the connection waiting
for timeout. decrypt_error alert can be used here to avoid that.
Signed-off-by: Jouni Malinen <j@w1.fi>
This same design is used in both the server and the client roles in the
internal TLS implementation. Instead of duplicated implementation, use a
helper function.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of separate server and client side implementations, use a common
set of helper functions for calculating the ServerParams hash for
ServerKeyExchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
The SHA256-based RSA-AES-128/256 cipher suites were already implemented
and enabled for the internal TLS client, but they had not been enabled
for the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, this was enabled only at msgdump verbosity level, but any
level that is more verbose than it should also be included.
Signed-off-by: Jouni Malinen <j@w1.fi>
This reverts commit 4345fe963e. That
introduced number of memory leaks and since the rest of the VLAN changes
did not yet go in, it is easier to revert this for now and bring back
the changes after fixes if there is sufficient interest for them in the
future.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the design already available for Access-Request packets to
the RADIUS server and Access-Accept messages. Each user entry can be
configured to add arbitrary RADIUS attributes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Request the driver to send a Deauthentication frame before doing
any other disconnection steps on the session timeout path. This is
needed when PMF is negotiated for the association since the driver
will need to find the STA entry and the PTK for it to be able to
protect the robust Deauthentication frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In case of Automatic Channel Selection (ACS) failure, we do not have a
real fallback path. Interface still remains in ACS state. To reflect we
did not succeed with ACS, simply disable the interface and indicate this
to user/upper layer entity so that a suitable recovery or error
notification can be performed.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
wpa_supplicant already allowed beacon interval to be configured for AP
mode operations, but this was not passed to the driver for IBSS even
though the same parameter can used for that case. Add this for the
nl80211 driver interface to allow beacon interval to be controlled for
IBSS as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
handle_assoc_cb() got this addition, but the check in
hostapd_new_assoc_sta() was not modified to be aware of the OSEN special
case for EAPOL state machines to be used for marking a STA authorized.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was done in handle_assoc_cb() in ieee802_11.c for drivers that use
hostapd SME/MLME. However, drivers that include SME/MLME implementation
do not use that function and the STA flag needs to be set when
processing the association notification. This is needed to get the STA
entry into showing the proper authorized state and to get the
AP-STA-CONNECTED/DISCONNECTED events on the control interface.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
As per IEEE Std 802.11ac-2013, 'Maximum A-MPDU Length Exponent' field
value is in the range of 0 to 7. Previous implementation assumed EXP0 to
be the maximum length (bits 23, 24 and 25 set) what is incorrect.
This patch adds options to set it up within the 0 to 7 range.
Signed-off-by: Bartosz Markowski <bartosz.markowski@tieto.com>
For example, the previous implementation considered [44, 48, 52, 56] to
be a valid VHT80 channel -- which it is not. This resulted in, e.g.,
failure to start CAC when channels on overlapped segments included DFS
channels.
Add a check similar to the HT40 one to prevent that. The check is
performed this way as the ACS implementation assumes the primary channel
to be the first channel in a given segment.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Previously, we printed this message as a debug one, which was confusing
in case verbose debug messages were disabled. User could think CAC
started but never ended. Add more parameterss to DFS_EVENT_CAC_START, so
external programs can more easily check what was wrong in case of
errors.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This commit adds an option to optimize AP teardown by leaving the
deletion of keys (including group keys) and stations to the driver.
This optimization option should be used if the driver supports stations
and keys removal when stopping an AP.
For example, the optimization option will always be used for cfg80211
drivers since cfg80211 shall always remove stations and keys when
stopping an AP (in order to support cases where the AP is disabled
without the knowledge of wpa_supplicant/hostapd).
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Previously, both this and combination of OUI_WFA and P2P_OUI_TYPE were
used. Using the full 32-bit value as a single operation saves a bit in
code size, so start moving towards using it more consistently when
writing or finding the P2P vendor specific element.
Signed-off-by: Rahul Jain <rahul.jain@samsung.com>
CONFIG_TESTING_OPTIONS=y build of wpa_supplicant now allows arbitrary
cfg80211 commands to be performed through the new VENDOR ctrl_iface
command by using a special vendor_id ffffffff. The command identifier
(NL80211_CMD_*) is encoded as the subcmd and the attributes in the
hexformatted data area. Response attributes are returned as a hexdump.
For example, this shows a NL80211_CMD_FRAME and a response (cookie
attribute) on a little endian host:
wpa_cli -i wlan0 vendor ffffffff 59 080003004d0000000800260085090000....
0c00580000d7868c0388ffff
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When an interface is disabled through rtm event, wpa_supplicant's
EVENT_INTERFACE_DISABLED is generated, which in turn, may
completely destroy wpa_driver_nl80211_data struct (drv). This
scenario happens now when P2P GO interface is disabled. Since this
struct may be used later in this function it causes segmentation fault.
Fix it by trying to find drv again in the interface list after
wpa_supplicant's event handling.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add a callback to the driver interface that allows vendor specific
commands to be sent. In addition, a control interface command is added
to expose this new interface outside wpa_supplicant:
Vendor command's format:
VENDOR <vendor id> <sub command id> [<hex formatted data>]
The 3rd argument will be converted to binary data and then passed as
argument to the sub command.
This interface is driver independent, but for now, this is only
implemented for the nl80211 driver interface using the cfg80211 vendor
commands.
Signed-off-by: Beni Lev <beni.lev@intel.com>
wpa_driver_nl80211_if_remove() checks bss->if_added before deleting an
interface, which is 0 for the first BSS. The only part of
wpa_driver_nl80211_if_remove() that should get called for WDS STA
interfaces is the call to nl80211_remove_iface(), which can be pulled in
here directly.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
There is no need to use a for loop here since the h variable is
set identically at the beginning of the body anyway.
Signed-off-by: Jouni Malinen <j@w1.fi>
The following if statements set the new_op_mode value in all cases,
so there is no need to initialize this to 0 first. This removes a
static analyzer warning.
Signed-off-by: Jouni Malinen <j@w1.fi>
The pos variable was not used between its first and second assignment.
Clean this up by using the pos variables instead of the buf (start of
the buffer).
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to maintain a separate counter for this in addition to
the pointer to the current location. In addition, this gets rid of
warnings about unused variable write.
Signed-off-by: Jouni Malinen <j@w1.fi>
If hapd_iface->bss[i] == NULL, this could have resulted in NULL pointer
dereference in the debug print. Avoid this by skipping the message in
case of NULL pointer. In addition, clear iface->bss[i] to NULL for
additional robustness even though this array gets freed immediately.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was previously checked through the eap_peer_tls_ssl_init() call
which made it difficult for static analyzers. Add an explicit check for
config == NULL into the beginnign of eap_fast_init() since this will
always result in initialization failing anyway.
Signed-off-by: Jouni Malinen <j@w1.fi>
If wpa_driver_roboswitch_read() fails before such comparison, the values
that are being compared are not initialized properly and as such, there
is not much point in comparing them either.
Signed-off-by: Jouni Malinen <j@w1.fi>
This seemed to be fine on most code paths, but the code was complex
enough to make the analysis difficult (and a bit too much for static
analyzers). There is no harm in forcing these parameters to be
initialized, so do that to make sure they cannot be left uninitialized.
Signed-off-by: Jouni Malinen <j@w1.fi>
bfd_demangle() call could be skipped if data.function == NULL. Make sure
the already freed aname pointer cannot be used again in such a case.
Signed-off-by: Jouni Malinen <j@w1.fi>
record->type == NULL case was handled through the record->type_length
comparison. While this was correct, it is a bit difficult for static
analyzers to understand, so add an extra check for NULL to avoid false
reports on this.
Signed-off-by: Jouni Malinen <j@w1.fi>
no_offchannel_tx=1 driver parameter can now be used to force the older
remain-on-channel -based offchannel TX design to be used with
mac80211_hwsim. This can be used to increase test coverage with the
hwsim test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the error path to try to use P2P Group ID attribute
even if one was not included in the message. This could result in
dereferencing a NULL pointer, so re-check the pointer before copying the
data.
Signed-off-by: Jouni Malinen <j@w1.fi>
The special case of non-zero status code used in a GAS Comeback Response
frame to indicate that additional delay is needed before the response is
available was not working properly. This case needs to allow the status
code check to be bypassed for the comeback case prior to having received
any response data.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like leaving behind the freed pointed at the end of the array
could end up in a crash triggered by double free in some cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
PD Response is sent out using a 200 ms offchannel wait, but that wait
was not cancelled on TX status report. This could result in offchannel
operation being left waiting unnecessarily long. Fix this by making the
P2P_NO_PENDING_ACTION case in Action TX callback cancel the wait if a
pending wait is marked (and mark this for PD Response).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like some deployed devices may send an invalid supported
operating class element (length = 0) in TDLS Setup messages. With
cfg80211, this results in the NL80211_CMD_SET_STATION command failing
due to an invalid argument (cfg80211 mandates supported operating
classes information to have a length of 2..253 octets).
Work around this interop issue by ignoring the Supported Operating Class
element if it has invalid length.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new hostapd.conf parameter subscr_remediation_url can be used to
define the URL of the Subscription Remediation Server that will be added
in a WFA VSA to Access-Accept message if the SQLite user database
indicates that the user need subscription remediation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd can now be configured to advertise OSU Providers with the
new osu_* confgiuration parameters.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
hostapd can now be configured to provide access for icon files
(hs20_icon config file parameter) for OSU. The hs20_icon data contains
additional meta data about the icon that is not yet used, but it will be
needed for the OSU Providers list ANQP element.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the authentication server includes the WFA HS 2.0 Session Info URL
AVP in Access-Accept, schedule ESS Disassociation Imminent frame to be
transmitted specified warning time prior to session timeout.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the RADIUS server includes deauthentication request in Access-Accept,
send a WNM-Notification frame to the station after 4-way handshake and
disconnect the station after configurable timeout.
A new control interface command, WNM_DEAUTH_REQ, is added for testing
purposes to allow the notification frame to sent based on local request.
This case does not disconnect the station automatically, i.e., a
separate control interface command would be needed for that.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the RADIUS server includes the WFA RADIUS VSA in Access-Accept to
indicate need for subscription remediation, copy the server URL from
the message and send it to the station after successfully completed
4-way handshake (i.e., after PTK is set to allow PMF to work) in a
WNM-Notification.
AP must not allow PMKSA caching to be used after subscription
remediation association, so do not add the PMKSA cache entry whenever
the authentication server is indicating need for subscription
remediation. This allows station reassociation to use EAP authentication
to move to non-remediation connection.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the station indicated support for Hotspot 2.0, send its release
number and PPS MO ID in Access-Request messages using the WFA RADIUS
VSA.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The Access-Request frames are used to inform the RADIUS server about the
Hotspot 2.0 release number supported by the AP.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Subscription remediation notification can now be sent from hostapd with:
hostapd_cli hs20_wnm_notif 02:00:00:00:00:00 http://example.com/foo/
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The HS 2.0 Indication element from hostapd now includes the release
number field and the new ANQP Domain ID field. This ID can be configured
with anqp_domain_id parameter in hostapd.conf.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Move excluded SSID filtering step to the end of credential validation
process and return list of BSSes that would otherwise have matching
credentials, but have an excluded SSID. Automatic network selection will
not select such a network, but interworking_connect command can be used
to pick excluded networks.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant can request OSU icon data with "hs20_icon_request <BSSID>
<icon filename>". This transmits an Icon Request ANQP element and
processes the response in Icon Binary File ANQP elements.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Subscription remediation notification WNM-Notification Request is now
shown in the following way in wpa_supplicant control interface:
<3>HS20-SUBSCRIPTION-REMEDIATION http://example.com/foo/
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The HS 2.0 Indication element from wpa_supplicant now includes the
release number field and wpa_supplicant shows the release number of the
AP in STATUS command (hs20=1 replaced with hs20=<release>).
The new update_identifier field in the cred block can now be used to
configure the PPS MO ID so that wpa_supplicant adds it to the Indication
element in Association Request frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Many drivers support operation without GTK configured, but most (if any)
today do not advertise this. Handle this by skipping GTK cipher suite
configuration if the driver did not advertise support in order to work
around cfg80211 validation steps.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Allow mixed DFS and non-DFS channels, e.g., VHT160 on channels 36-64.
This is useful for testing VHT160 with mac80211_hwsim.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Add IPv6 support when using udp/udp-remote control interface using the
following new build configuration options:
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote
This is useful for testing, while we don't need to assign IPv4 address
(static or using DHCP) and can just use auto configured IPv6 addresses
(link local, which is based on the MAC address). Also add scope id
support for link local case.
For example,
./wpa_cli
./wpa_cli -i ::1,9877
./wpa_cli -i fe80::203:7fff:fe05:69%wlan0,9877
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
The regulatory rules in Japan do not allow OFDM to be used on channel
14. While this was to some extend assumed to be enforced by drivers
(many of which apparently don't), it is safer to make hostapd enforce
this by disabling any OFDM-related functionality. This tries to avoid
backwards compatibility issues by downgrading the mode rather than
rejecting the invalid configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add configuration of Spectrum Management subfield in the Capability
Information of Beacon, Probe Response, and Association Response frames.
Spectrum Management bit is set when directly requested by new
configuration option spectrum_mgmt_required=1 or when AP is running on
DFS channels. In the future, also TPC shall require this bit to be set.
Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
Add Power Constraint information element to Beacon and Probe Response
frames when hostapd is configured on 5 GHz band and Country information
element is also added. According to IEEE Std 802.11-2012 a STA shall
determine a local maximum transmit power for the current channel based
on information derived from Country and Power Constraint elements.
In order to add Power Constraint element ieee80211d option need to be
enabled and new local_pwr_constraint config option need to be set to
unsigned value in units of decibels. For now this value is statically
configured but the future goal is to implement dynamic TPC algorithm
to control local power constraint.
Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
UPnP-arch-DeviceArchitecture describe ErrorCode 412 to be used for the
case where no un-epxired subscription matches. This used to return 200
which is not strictly speaking correct even though it is unlikely to
cause any problems.
Signed-off-by: Jouni Malinen <j@w1.fi>
The caller of the GET parser is checking this already and the GET case
was the only one that ended up doing the duplicated validation step.
Signed-off-by: Jouni Malinen <j@w1.fi>
When a Probe Request frame from an invitation peer is received, a timer
is schedule to start invitation. However, this could have been scheduled
multiple times (once per Probe Request frame) which is undesirable since
only a single invitation should be initiated.
Signed-off-by: Rahul Jain <rahul.jain@samsung.com>
The previous parser would have skipped a WFA vendor extension attribute
that includes only a single zero-length subelement. No such subelement
has been defined so far, so this does not really affect any
functionality, but better make the parser address this correctly should
such an element ever be added.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like discovery_dev_id test case can still fail and based on the
previously added debug prints, this is happening since the P2P module
believes it is not in Listen state even when a P2P_LISTEN was issued.
p2p_listen_cb() did not get called on remain-on-channel event for some
reason, so lets add more debug to find out why this can happen.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Suppose we have multiple peers and we have peers advertising SD
capability, but no services registered for advertising. In this case,
even if there are multiple broadcast queries set, we might end up
sending only the lastly added broadcast query to the same device (since
SD_INFO won't get set for the first broadcast query). Add support for
multiple wildcard queries to be tracked to enable this type of use
case.
Some times it is seen that before advancing to next device in the list,
the scan results come and update SD_SCHEDULE flag. This will result in
sending the already sent query to the same device without giving chance
to other devices. This issue again is seen with peer devices advertising
SD capability without any services registered.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
These can be used to disable TLSv1.1 and TLSv1.2 as a workaround for AAA
servers that have issues interoperating with newer TLS versions.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This allows NAS-IP-Address, NAS-Identifier, and NAS-IPv6-Address to be
included in the Disconnect-Request packets.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When a station is disconnected based on Disconnect-Request, it is better
to force the station to go through full EAP authentication if it tries
to reconnect.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It is possible for an ER to send an unexpected PutWLANResponse action
when the destination STA is in disassociated, but not fully
deauthenticated state. sta->eapol_sm can be NULL in such state and as
such, it would be possible to hit a NULL pointer dereference in the
eapol_auth_eap_pending_cb() call at the end of the
hostapd_wps_probe_req_rx() when trying to proxy the WPS message to the
station. Fix this by validating that sta->eapol_sm is set before
processing the message.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This reverts commit 51e3eafb68. There are
too many deployed AAA servers that include both id-kp-clientAuth and
id-kp-serverAuth EKUs for this change to be acceptable as a generic rule
for AAA authentication server validation. OpenSSL enforces the policy of
not connecting if only id-kp-clientAuth is included. If a valid EKU is
listed with it, the connection needs to be accepted.
Signed-off-by: Jouni Malinen <j@w1.fi>
It can be helpful to see from the debug log why the P2P Device role did
not reply to a Probe Request frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the connection from hostapd authentication server to hlr_auc_gw fails
due to hlr_auc_gw not running yet, the local socket file was left
behind. Delete the socket file on connect() failure path.
Signed-off-by: Jouni Malinen <j@w1.fi>
This fixes issues in using a password that includes a UTF-8 character
with three-byte encoding with EAP methods that use NtPasswordHash
(anything using MSCHAPv2 or LEAP).
Signed-off-by: Jouni Malinen <j@w1.fi>
Use nl80211_set_iface_id() in wpa_driver_nl80211_get_hw_feature_data(),
as otherwise the function fails for a P2P Device interface (which does
not have a netdev associated with it).
Signed-hostap: Ilan Peer <ilan.peer@intel.com>
In function ieee802_1x_get_mib_sta(), eap_server_get_name() may return
NULL, and it could be dereferenced immidiately by os_snprintf() (if the
snprintf implementation does not handle NULL pointer).
Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
In function tls_verify_cb(), X509_STORE_CTX_get_current_cert() may
return NULL, and it will be dereferenced by X509_get_subject_name().
Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
Initialize variables explicitly to avoid [-Wmaybeuninitialized] compiler
warning in hostapd_handle_dfs() and
hostapd_dfs_start_channel_switch_cac() functions.
Signed-hostap: Max Stepanov <Max.Stepanov@intel.com>
This uses the new nl80211 attributes to allow the connect command to
provide bssid and freq hints to the driver without limiting roaming to
the specific BSS/frequency. This can be used by drivers that perform
internal BSS selection (WPA_DRIVER_FLAGS_BSS_SELECTION) as a candidate
for initial association.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Confirm-before-commit validation step allowed execution to continue on
error case. This could result in segfault in sae_check_confirm() if the
temporary SAE data was not available (as it would not be, e.g., in case
of an extra SAE confirm message being received after successful
exchange). Fix this by stopping SAE processing immediately after
detecting unexpected state for confirm message. In addition, make the
public sae.c functions verify sae->tmp before dereferencing it to make
this type of bugs less likely to result in critical issues.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible to FAIL return for a P2P_FIND command that was issued
while an already started P2P_FIND operation was in the scan phase. This
can be confusing for upper layer software, so hide the failure report
from the ctrl_iface response. The previously started scan will continue
the find operation after this.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, unconfigured state was forcing the best supported
authentication and encryption state to be shown in WPS messages,
including AP Settings in M7 in case the AP acts as an Enrollee. This is
not really correct for the AP Settings case, so change that one to
indicate the currently configured state.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The mechanism of using Status attribute in GO Negotiation Request was
used in some early specification drafts, but it is not compliant with
the current P2P specification where GO Negotiation Request is used only
for the purpose of initiating a new GO Negotiation. However, some
deployed devices use it to indicate rejection of GO Negotiation in a
case where they have sent out GO Negotiation Response with status 1. The
P2P specification explicitly disallows this.
To avoid unnecessary interoperability issues and extra frames, mark the
pending negotiation as failed and do not reply to this GO Negotiation
Request frame. Previously, GO Negotiation Response frame with status=4
was sent back as an indication of the GO Negotiation Request frame being
invalid. This response is not sent anymore and the status code for the
P2P-GO-NEG-FAILURE event is changed from 4 (invalid parameters) to 11
(rejected by user) for this specific workaround case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
It is possible for the driver to report Beacon RX prior to hostapd
having completed AP mode setup, e.g., when changing country code. Beacon
frame processing for OLBC was not prepared for this and could trigger
segfault due to NULL pointer dereference. Fix this by ignoring the
Beacon frames received prior to completing interface setup when
determining OLBC updates.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit b1f625e0d8 extended
ap_scan_as_station to be able to distinguish between AP and P2P GO
iftypes. However, it did this in a way that completely lost the original
mode because drv->nlmode had already been replaced with the station
mode. Fix this by storing the correct old mode.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the peer device has already acknowledge receipt of the Invitation
Request frame, it is better not to re-start invitation by sending
another Invitation Request. This should not be needed since the peer
already has received the Invitation Request frame and sending the second
round in this type of sequence can cause issues with nl80211 offloaded
offchannel TX operations since driver_nl80211.c will lose the cookie
value for the first pending Action frame and may not be able to cancel
offchannel wait for it properly. this has been seen to trigger a failure
in the p2p_go_invite_auth test case with the scan failing due to GO
sending out Probe Response frame on incorrect channel (the channel used
in that not-cancelled Action TX).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit bd3a373767 added a mechanism to use
AP Channel attribute from within a Credential attribute to optimize
scans. However, this design is not actually used with the WPS NFC use
cases. With configuration token, the AP Channel attribute is in the same
container with the Credential attribute (and that was also handled in
the previous implementation). With connection handover, AP Channel
information is outside the Credential attribute as well.
Simplify implementation by removing the AP Channel within Credential
case. This allows wpas_wps_use_cred() to get the AP Channel from the
container instead of having to find this during credential iteration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is not really used in practice and there is no need to maintain
unsed code that would only print debug log entries.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 795baf773f ('hostapd: Filter
channel list updated events after country code change') uses the
EVENT_CHANNEL_LIST_CHANGED data pointer, but it updated only one of the
callers to provide that data. NL80211_CMD_REG_BEACON_HINT event was
still sending the event without the initiator data and resulted in NULL
pointer dereference, e.g., if a scan was run while hostapd was running
and the driver was in world roaming state and enabled a channel for
active scans.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The hostapd compilation displays a below warning On NetBSD 6.1.2.
../src/drivers/driver_bsd.c:72:1: warning: 'get80211opmode' defined but not used
This patch solves it and moves other functions to appropriate position to
reduce #ifdef.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
Before this patch, 1 second timeout was used for regulatory updates. In
some cases, specially when we reload driver modules on some slower
platforms this could take more than 1 second (about 2 seconds). This is
important specially for DFS case, where we have to have correct DFS
region before we will start CAC. In other case (unknown DFS region), CAC
will fail. 5 seconds should be enough for all cases.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
The original RSSI filter semantics for scheduled scan were
really confusing - a separate matchset was created, but it
wasn't actually treated as a separate matchset in the kernel
but rather used as the global RSSI value. The RSSI matchset
thus behaved like an RSSI filter outside of the matchsets,
being ANDed rather than ORed (as normal between matchsets.)
To make this less confusing, I changed the kernel API a bit
to actually treat the RSSI inside each matchset properly,
but keeping it compatible with the old approach by using a
matchset with only an RSSI value as the default for all the
other matchsets, and adding it as a separate matchset only
if it's the only one.
The proper way for wpa_supplicant to do this then would be
to add the RSSI to each SSID matchset, and only add another
matchset without SSID if there's none with.
However, to keep compatibility with older kernels, always
keep the non-SSID matchset and only add the RSSI to all the
other matchsets. This gets close to the desired behaviour,
the only difference would be that we shouldn't add the RSSI
matchset if there are others, but stays compatible with old
and new kernels, as new ones ignore the RSSI-only matchset
if there are others and those others have an RSSI.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
1. In wpa_config_process_bgscan() fix memory leak after
calling wpa_config_parse_string()
2. In hostapd_config_defaults(), on failure to allocate bss->radius,
conf->bss was not freed.
3. In p2p_deauth_nofif(), memory allocated in p2p_parse_ies() was not
freed in case of NULL minor_reason_code.
4. In p2p_disassoc_nofif(), memory allocated in p2p_parse_ies() was
not freed in case of NULL minor_reason_code.
5. In p2p_process_go_neg_conf(), memory allocated was not freed in
case that the P2P Device interface was not waiting for a
GO Negotiation Confirm.
6. In wpa_set_pkcs11_engine_and_module_path(), the wrong pointer was
checked.
Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
It is possible for channel switch notification to be missing channel
type attribute. This is true at least for VHT80. This led to
iface->conf->secondary_channel being set to 0. This in turn made
subsequent DFS-triggered CSA to fail due to invalid frequency
parameters.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
This checks if the NL80211_ATTR_IFINDEX attribute is present before
trying to get the value of interface index.
Signed-hostap: Shital Jaju <shitalj@broadcom.com>
If CONFIG_WPS_TESTING=y is enabled in build configuration, the new
wps_corrupt_pkhash parameter (similar to wps_testing_dummy_cred) can be
used to request public key hash to be corrupted in all generated OOB
Device Password attributes. This can be used for testing purposes to
validate public key hash validation steps.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a new P2P Invitation mechanism to invite a P2P Device with an
NFC Tag to an already operating group when the GO with NFC Device reads
the NFC Tag. The P2P Device with the NFC Tag will then accept invitation
and connect to the group automatically using its OOB Device Password.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When "P2P_SET nfc_tag 1" is used to enable the own NFC Tag for P2P, also
enable it for any running GO interface.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
P2P Group ID can optionally be included in the connection handover
messages when acting as a P2P Client in a group. Add this information
and show it in the P2P-NFC-PEER-CLIENT event message.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When the NFC connection handover message received from a peer indicates
that the peer is operating as a GO on a specific channel, use that
information to avoid having to go through full scan. In addition, skip
the separate join-a-group scan since we already know the operating
channel, GO P2P Device Address, and SSID.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This was already done for Registrar, but the Enrollee case did not
set config error properly if Registrar public key did not match the
hash received during NFC connection handover.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of automatically triggering a connection, provide an indication
of one of the devices being a P2P client to upper layers to allow user
to determine what to do next.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Send a P2P-NFC-BOTH-GO event to upper layers to determine what to
do in case both devices going through NFC connection handover are
already operating as a GO.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This new mechanism allows P2P Client to request an IPv4 address from the
GO as part of the 4-way handshake to avoid use of DHCP exchange after
4-way handshake. If the new mechanism is used, the assigned IP address
is shown in the P2P-GROUP-STARTED event on the client side with
following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP
address is included in the AP-STA-CONNECTED event on the GO side as a
new ip_addr parameter. The IP address is valid for the duration of the
association.
The IP address pool for this new mechanism is configured as global
wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask,
ip_addr_star, ip_addr_end. For example:
ip_addr_go=192.168.42.1
ip_addr_mask=255.255.255.0
ip_addr_start=192.168.42.2
ip_addr_end=192.168.42.100
DHCP mechanism is expected to be enabled at the same time to support P2P
Devices that do not use the new mechanism. The easiest way of managing
the IP addresses is by splitting the IP address range into two parts and
assign a separate range for wpa_supplicant and DHCP server.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When NFC connection handover is used to trigger GO Negotiation, the
channel used for the GO Negotiation frames is already known. As such,
there is no need to use the Listen operations to find the peer.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The device with the NFC Tag can be configured to enable NFC to be used
with "P2P_SET nfc_tag 1" and "P2P_LISTEN" commands to allow static
handover to be used.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
"NFC_REPORT_HANDOVER {INIT,RESP} P2P <req> <sel>" can now be used to
report completed NFC negotiated connection handover in which the P2P
alternative carrier was selected.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
"NFC_GET_HANDOVER_{REQ,SEL} NDEF P2P-CR" can now be used to build P2P
alternative carrier record for NFC connection handover request/select
messages.
Static connection handover case can be enabled by configuring the DH
parameters (either with wps_nfc_* configuration parameters or with
WPS_NFC_TOKEN command at run time. The NFC Tag contents can be generated
with "NFC_GET_HANDOVER_SEL NDEF P2P-CR-TAG" after having configured
Listen channel (p2p_listen_reg_class/p2p_listen_channel).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
GO Negotiation needs to know which OOB Device Password ID is assigned
for the peer when NFC is used as the trigger.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
These functions can be used to build the WPS attributes for P2P NFC
connection handover messages.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new WPS connection handover select includes Registrar public key
hash instead of credential. Use the new information to start
abbreviated WPS handshake instead of configuring a new network directly
from the old Credential-from-NFC design.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The contents of the WPS connection handover select message was modified
to include the Registrar public key hash instead of the credential.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new NFC connection handover design requires the AP/Registrar to
process the connection handover request message received from the
Enrollee. Add control interface commands for handling this.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
It is more useful to be able to build a single NFC carrier record
instead of the full connection handover request message to allow
external components to decide whether to negotiate which alternative
carrier is used. This updates the carrier record contents to the new
design to include Enrollee public key hash and provides this as a
carrier record instead of full message. An external program is expected
to be used to build the full NFC connection handover message with
potentially other alternative carrier records included.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows DH key generation to be shared for other purposes than just
the case of OOB Device Password building. In addition, force the DH
public key buffer to be full 192 octets with zero padding to avoid
issues with the buffer being used in messages sent to a peer device.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new Device Password ID 7 is used to indicate that NFC connection
handover is used with DH public key hash from both devices being
exchanged over the NFC connection handover messages. This allows an
abbreviated M1-M2 handshake to be used since Device Password does not
need to be used when DH is authenticated with the out-of-band
information (validation of the public key against the hash).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When both the Registrar and Enrollee public key hashes are delivered
out-of-band (in NFC connection handover), use abbreviated WPS handshake
(skip M3-M8).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Since the Enrollee can now get the public key hash from the Registrar,
there is need to validate this during the WPS protocol run.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of terminating the WPS protocol immediately, go through an M2D
exchange to notify Enrollee of the public key hash mismatch.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This old Version attribute is not really needed anymore for these use
cases with the assumption that there are no existing WPS+NFC
deployments. It was removed from the WSC specification, so make the
implementation match that change.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Provide local GO channel to the P2P module so that it can be used in
messages that indicate the current operating channel.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This functionality is needed for other messages, too, so split the group
info building code into a separate helper function.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a QCA vendor specific nl80211 event to allow the driver to
indicate a list of frequency ranges that should be avoided due to
interference or possible known co-existance constraints. Such
frequencies are marked as not allowed for P2P use to force groups to be
formed on different channels.
If a P2P GO is operating on a channel that the driver recommended not to
use, a notification about this is sent on the control interface and
upper layer code may decide to tear down the group and optionally
restart it on another channel. As a TODO item, this could also be changed
to use CSA to avoid removing the group.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This file is used as a registry of identifier assignments from the
Qualcomm Atheros OUI 00:13:74 for purposes other than MAC address
assignment. One of the first uses will be for nl80211 vendor
commands/events which is reason for the preparation change in
driver_nl80211.c
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When GAS is used with PMF negotiated, Protected Dual of Public Action
frames are expected to be used instead of Public Action frames, i.e.,
the GAS/ANQP frames are expected to be encrypted. Conver Public Action
GAS queries to use Dual of Public Action frame if PMF has been
negotiated with the AP to which the frame is being sent.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When GAS is used with PMF negotiated, Protected Dual of Public Action
frames are expected to be used instead of Public Action frames, i.e.,
the GAS/ANQP frames are expected to be encrypted. Add support for this
different category of Action frames being used for GAS. The payload
after the Category field is identical, so the only change is in using
the Category field based on what was received in the request frames. For
backwards compatibility, do not enforce protected dual to be used on the
AP side, i.e., follow what the station does.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Due to misplaced parenthesis, unprotected not-Robust Action frames
(e.g., Public Action frames) were dropped in handle_assoc() when such
frames were received during an association that had negotiated use of
PMF. This is not correct since only unprotected Robust Action frames
were supposed to be handled in this way.
This would have broken any Public Action frame use during PMF
association, but such frames were not really supposed to be used
currently (ANQP as the only possible use case should really use
protected dual option in such case).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Fix sizeof in a validity comparison of nl80211_vendor_cmd_info size. The
incorrect version happened to work on 64-bit builds due the structure
being eight octets, but this was incorrect and would not used with
32-bit builds.
Signed-hostap: Max Stepanov <Max.Stepanov@intel.com>
While iterating over the stations hostapd_ctrl_iface_sta_mib()
might be called with sta == NULL. Fix this.
Signed-hostap: Ilan Peer <ilan.peer@intel.com>
The new default value (from 300 to 60 seconds) makes the internal P2P
peer list somewhat faster to react to peers becoming unreachable while
still maintaining entries for some time to avoid them disappearing
during user interaction (e.g., selecting a peer for a connection or
entering a PIN).
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
A P2P Device while in the Listen state waiting to respond for the
obtained group negotiation request shall give a fair chance for other
concurrent sessions to use the shared radio by inducing an idle time
between the successive listen states. However, if there are no
concurrent operations, this idle time can be reduced.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, GO Negotiation Request frame was used to update a peer entry
if only a Probe Request from that peer had been received. However, it
would be possible, even if unlikely, for a peer to be discovered based
on receiving Provision Discovery Request frame from it and no Probe
Request frame. In such a case, the Listen frequency of the peer would
not be known and group formation could not be (re-)initialized with that
peer. Fix this by allowing the GO Negotiation Request frame to update
peer entry if the current peer entry does not include Listen or
Operating frequency.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds one more case of active P2P peer detection so that
p2p_expire_peers() cannot hit a case where a GO Negotiation peer would
be removed.
Signed-hostap: Jithu Jance <jithu@broadcom.com>
The information of the peer's supported channel and operating class
is required for the driver to do TDLS off channel operations with a
compatible peer. Pass this information to the driver when the peer
station is getting added.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Some EAP methods can go through a step that is expected to fail and as
such, should not trigger temporary network disabling when processing
EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as
a special case, but similar behavior is needed for EAP-FAST with
unauthenticated provisioning.
Signed-hostap: Jouni Malinen <j@w1.fi>
EAP-FAST requires pac_file to be configured, so make it clearer from the
debug output if missing configuration parameter was the reason for
EAP-FAST initialization failing.
Signed-hostap: Jouni Malinen <j@w1.fi>
The hash return buffer was previously left uninitialized in case
externally stored password ("password=ext:...") was used. This could
result in MSCHAPv2 failure if that uninitialized memory happened to be
something else than zero.
Signed-hostap: Jouni Malinen <j@w1.fi>
It is possible for the configuration to be temporarily invalid when
adding a new AP through SET commands followed by ENABLE. Avoid this
issue by using less strict validation on SET commands and perform full
configuration validation only on ENABLE. Use cases with configuration
file maintain their previous behavior, i.e., full validation after the
file has been read.
Signed-hostap: Jouni Malinen <j@w1.fi>
This reverts commit 792c8877c3
('P2P: Send GO Negotiation Confirm without wait').
Some drivers rely on the wait period for sending packets on the
off-channel. If the wait value is small, there's a race condition where
the driver ROC might complete before the packet was sent out. This
doesn't impede other drivers, as the wait is cancelled when a
Tx-completion arrives from the remote peer.
Signed-hostap: Arik Nemtsov <arik@wizery.com>
The missing call to scan_action_done() may keep us off-channel for 250
ms following sending GO Negotiation Response. In case the operating
channel is different from this channel and we're GO, a race could lead
to start beaconing while off-channel. This could potentially cause the
Beacon frames to go out on incorrect channel with some drivers.
Signed-hostap: Eyal Shapira <eyal@wizery.com>
The error path in bsd_init() on struct bsd_driver_data allocation was
jumping to location where drv is dereferenced. That will crash and it is
easier to just return from the function since no cleanup steps are
needed in this case.
Signed-hostap: Jouni Malinen <j@w1.fi>
Currently these three steps runs for each event.
1. get buffer size via system
2. allocate a memory for event
3. free the memory
The wpa_supplicant receives 4 events from boot to be connected.
So this patch prepare the event buffer at the init process.
I have tested wpa_supplicant on NetBSD 6.1.2.
But I could not tested hostapd because I do not have AP enabled device.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
Replace channel_switch_supported flag of the
wpa_driver_nl80211_data by WPA_DRIVER_FLAGS_AP_CSA inside
wpa_driver_capa.flags. It makes more sense and also can
be accessed by wpa_supplicant.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This is just like the same command in wpa_supplicant, i.e., "hostapd_cli
status driver" can be used to fetch information about the driver status
and capabilities.
Signed-hostap: Jouni Malinen <j@w1.fi>
PEAPv2 implementation was not fully completed and there does not seem to
be any deployments of PEAPv2 nor any clear sign of such showing up in
the future either. As such, there is not much point in maintaining this
implementation in hostapd/wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
The standard fragment_size network parameter can now be used to
configure EAP-pwd fragmentation limit instead of always using the
hardcoded value of 1020.
Signed-hostap: Jouni Malinen <j@w1.fi>
The standard fragment_size network parameter can now be used to
configure EAP-IKEv2 fragmentation limit instead of always using the
hardcoded value of 1400.
Signed-hostap: Jouni Malinen <j@w1.fi>
Setting methodState = DONE for the case where GPSK-1 is found to be
invalid or incompatible allows EAP state machine to proceed to FAILURE
state instead of remaining stuck until AP times out the connection.
Signed-hostap: Jouni Malinen <j@w1.fi>
phase1 parameter 'cipher' can now be used to specify which algorithm
proposal is selected, e.g., with phase1="cipher=1" selecting AES-based
design and cipher=2 SHA256-based. This is mainly for testing purposes,
but can also be used to enforce stronger algorithms to be used.
Signed-hostap: Jouni Malinen <j@w1.fi>
One of the RFC 4137 state transitions (METHOD -> FAILURE) had been
forgotten and this could result in EAP peer method processing not
reporting failure immediately and instead, remain stuck waiting for the
connection to time out. Fix this by adding the methodState == DONE &&
decision == FAIL case to allow immediate reporting of failures.
The condition from RFC 4137 as-is would cause problems for number of the
existing EAP method implementations since they use that in places where
the final message before EAP-Failure should really be sent to the EAP
server (e.g., WSC_Done in EAP-WSC). Address this by includng eapRespData
== NULL as an additional constraint for entering FAILURE state directly
from METHOD.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit e2f5a9889a was supposed to prevent
new scan request from pushing out the old one. However, it did not
really do that since eloop_deplete_timeout() returned 0 both for the
case where the old timeout existed (and was sooner) and if the old
timeout did not exist. It returned 1 only for the case where an old
timeout did exist and was larger than the new requested value. That case
used to result in wpa_supplicant_req_scan() rescheduling the timeout,
but hew code in eloop_deplete_timeout() did the exact same thing and as
such, did not really change anything apart from the debug log message.
Extend the eloop_deplete_timeout() (and eloop_replenish_timeout() for
that matter since it is very similar) to return three different values
based on whether the timeout existed or not and if yes, whether it was
modified. This allows wpa_supplicant_req_scan() to schedule a new
timeout only in the case there was no old timeout.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new control interface command RADIO_WORK can be used by external
programs to request radio allocation slots from wpa_supplicant if
exclusive radio control is needed, e.g., for offchannel operations. If
such operations are done directly to the driver, wpa_supplicant may not
have enough information to avoid conflicting operations. This new
command can be used to provide enough information and radio scheduling
to avoid issues with such cases.
Signed-hostap: Jouni Malinen <j@w1.fi>
Avoid concurrent P2P scan requests with any other exclusive use of the
radio by using the radio work queuing mechanism. This removes some of
the earlier workarounds that postponed scans depending on other
operations.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the port status did not change or would not need to get an update
after portEnabled changes, there is no need to try to set the driver to
use the same value it is already using based on the previous state.
Remove such calls to reduce number of operations during reassociation.
In addition, this cleans up the debug log by removing unnecessary
duplicated entries.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the BSS table within wpa_supplicant is flushed, request the driver to
flush its own scan result table during the next scan. This can avoid
unexpected old BSS entries showing up after BSS_FLUSH or FLUSH command
in cases where the driver may maintain its internal cache of scan
results (e.g., cfg80211 BSS table persists at least for 15 seconds).
In addition to doing this automatically on BSS_FLUSH/FLUSH, a new SCAN
command argument, only_new=1, can be used to request a manual scan
request to do same. Though, it should be noted that this maintains the
BSS table within wpa_supplicant. BSS_FLUSH followed by SCAN command can
be used to clear all BSS entries from both the driver and
wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
This debugging mechanism has now been deprecated by the control
interface commands that can be used to fetch same internal information
from hostapd in a more convenient way. Leave the empty USR1 signal
handler and configuration file parameter for backwards compatibility.
They can be removed in future versions of hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
The per-STA/Supplicant state information from the EAPOL authenticator
is now available through "STA <MAC Address> eapol" command.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds TX/RX statistics and information about association into the
per-STA data that is available through the hostapd control interface. In
addition, information about the EAP method is now included with the IEEE
802.1X data.
Signed-hostap: Jouni Malinen <j@w1.fi>
These old driver wrappers have been removed quite some time ago, but
some of the build configuration notes were still describing how they
are configured.
Signed-hostap: Jouni Malinen <j@w1.fi>
Print into the debug log the list of vendor commands and events that the
driver supports. In addition, add a generic handler for vendor events.
This can be extended for each vendor/subcmd.
Signed-hostap: Jouni Malinen <j@w1.fi>
The P2P_PRESENCE_REQ command did not give any easily available
indication of the response received from the GO. Make this more useful
by providing such response (if received) as a ctrl_iface monitor event
(P2P-PRESENCE-RESPONSE).
Signed-hostap: Jouni Malinen <j@w1.fi>
intval is marked le16 and should be used through proper byte order
conversion functions even if it ended up getting set correctly due to
the two operations cancelling each other.
Signed-hostap: Jouni Malinen <j@w1.fi>
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.
Signed-hostap: Jouni Malinen <j@w1.fi>
use_monitor=1 and force_connect_cmd=1 driver parameters can now be used
to force older monitor interface design and the connect API (SME in
driver) to increase hwsim testing coverage.
Signed-hostap: Jouni Malinen <j@w1.fi>
If Action frame registration in nl80211_mgmt_subscribe_non_ap() failed
for any frame type, the previous implementation skipped
nl80211_mgmt_handle_register_eloop() call. This is not desirable since
none of the Action frame types could be received and even worse, the
following nl80211_destroy_eloop_handle() call for nl_mgmt would likely
result in crashing the process due to the ELOOP_SOCKET_INVALID XOR
operation. This could be triggered at least in a P2P group interface
startup failure case.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, it was possible for bss_info_handler() to end up dropping a
newer scan result entry if there were two entries with the same BSSID
and SSID (i.e., only frequency was different) and we were not associated
with either. This could happen, e.g., in some P2P use cases where device
discovery may happen on different channels. Fix this by checking the age
of the scan entries as well to prefer the most recent response.
Signed-hostap: Jouni Malinen <j@w1.fi>
Most of the attributes to these commands are identical and there is no
need to maintain two copies of the same functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
WPA_CIPHER_* and CIPHER_* are used for the exact same set of cipher
suites with the main difference being that the WPA_CIPHER_* version is
suitable to be used as a bitfield. Similarly, WPA_KEY_MGMT_* and
KEY_MGMT_* have similar design for AKMs. There is no need to maintain
two separate copies of the definitions since the bitfield compatible
version can be used for both needs. Get rid of the CIPHER_* and
KEY_MGMT_* versions to clean up the implementation by getting rid of
unnecessary mapping functions.
Signed-hostap: Jouni Malinen <j@w1.fi>
NL80211_ATTR_CONTROL_PORT was previously set only for
NL80211_CMD_ASSOCIATE, but it should also be set when using
NL80211_CMD_COMMAND (driver-based SME) even though none of the current
non-mac80211 drivers use this.
Signed-hostap: Jouni Malinen <j@w1.fi>
The option of handling upper layer P2P management operations within the
driver/firmware was originally planned to be used with wpa_supplicant,
but this has not really happened and there is no clear sign of this
being needed in the near term either. This functionality has not been
completed and it is certainly not being kept up-to-date or tested. As
such, it is best to remove it for now and if this or something similar
is needed in the future, it can be brought back once a clear need for it
has been demonstrated first.
Signed-hostap: Jouni Malinen <j@w1.fi>
prime_len was added to the start pointer twice and because of this, the
actual y coordinate was not verified to be valid. This could also result
in reading beyond the buffer in some cases.
Signed-hostap: Jouni Malinen <j@w1.fi>
phase1 parameters dhgroup, encr, prf, and mac can now be used to specify
which algorithm proposal is selected, e.g., with phase1="dhgroup=3
encr=1 prf=1 mac=1" selecting the mandatory-to-implement case. This is
mainly for testing purposes, but can also be used to enforce stronger
algorithms to be used.
Signed-hostap: Jouni Malinen <j@w1.fi>
These information elements are not really used anywhere in hostapd or
wpa_supplicant nor is there any plan to use them. As such, there is no
need to keep the code here either, so save couple of bytes here.
Signed-hostap: Jouni Malinen <j@w1.fi>
This driver event was used separately for some Action frames, but all
the driver wrappers converted to this from information that would have
been enough to indicate an EVENT_RX_MGMT event. In addition, the
received event was then converted back to a full IEEE 802.11 management
frame for processing in most cases. This is unnecessary complexity, so
get rid of the extra path and use EVENT_RX_MGMT for Action frames as
well as other management frame subtypes.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to silence compiler warnings in cases where #ifdef
blocks can leave some variables or functions unused and there is no
cleaner way of avoiding the warnings.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 88b32a99d3 added support for using
some Action frame processing in hostapd for drivers that handle most of
SME/MLME internally (it added FT, this has since be extended for SA
Query and WNM). However, this was added in a way that ended up getting
both the hostapd_rx_action() and hostapd_action_rx() called for Action
frames. This could result in an attempt to process FT, SA Query, and WNM
Action frames twice.
There is need for more significant cleanup in Action frame processing in
hostapd depending on the driver type, but as a simple step to avoid
issues, skip the hostapd_action_rx() call if hostapd_rx_action()
processed the frame.
Signed-hostap: Jouni Malinen <j@w1.fi>
Even though this is a short timeout, it is at least theoretically
possible for the interface to be removed while waiting for
reconfiguration to start. Avoid issues with this by cancelling the
timeout on any WPS interface deinit. In theory, this should be postponed
until interface removal, but that does not fit very nicely to the
current wps_hostapd.c style.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, wps_version_number was used only to test extensibility to
newer version numbers, but it can also be used to enable testing of
older versions (1.0), e.g., to avoid hitting some 2.0 specific
validation steps.
Signed-hostap: Jouni Malinen <j@w1.fi>
It is fine to try to cancel a registration that does not exist, so there
is no need to have the duplicated checks for eloop timeout and socket
registration.
Signed-hostap: Jouni Malinen <j@w1.fi>
It was already possible to configure hostapd and wpa_supplicant to use
FT-SAE for the key management, but number of places were missing proper
AKM checks to allow FT to be used with the new AKM.
Signed-hostap: Jouni Malinen <j@w1.fi>
Action frame RX report through EVENT_RX_ACTION did not indicate whether
the frame was protected or not even though that information is available
in mlme_event_mgmt(). hostapd_rx_action() has a workaround for setting
the protected flag for SA Query frames, but that did not apply for other
frames, like FT Action. This broke FT-over-DS when PMF is enabled with
newer kernel versions (i.e., the ones that do not use monitor interface
for receiving management frames).
Signed-hostap: Jouni Malinen <j@w1.fi>
The earlier changes to buffer EAPOL frames when not associated to avoid
race conditions (especially commit
3ab35a6603 but maybe something even before
that) broke PeerKey 4-way handshake. Fix this by using a separate check
before the race condition workaround to process PeerKey 4-way handshake
EAPOL-Key messages differently.
Signed-hostap: Jouni Malinen <j@w1.fi>
PeerKey entries need to be removed on disassociation and this needs to
be done in a way that cancels the possibly pending eloop timeout.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is not really needed for anything and the standard does not require
such validation step to be made for Authentication frame transmission.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be useful for displaying the current STA state and also for
determining whether some operations are likely to fail or need
additional delay.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd_drv_wnm_oper() needs to indicate an error if the driver callback
function is not implemented. Without this, the buf_len argument could
have been left uninitialized which could result in crashing the process.
Signed-hostap: Jouni Malinen <j@w1.fi>
This makes it easier to trigger the ESS Disassociation Imminent
operation from different sources.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds first steps at processing a BSS Transition Management Query on
the AP side. Mainly, the message is parsed and printed out in the debug
log and a minimal BSS Transition Management Request frame is sent as a
response. BSS Transition Management Response frame is also parsed and
details printed out in the debug log.
Signed-hostap: Jouni Malinen <j@w1.fi>
The previous version could end up calling WPA authenticator routines
even though the authenticator had not been initialized and this could
result in NULL pointer dereference.
Signed-hostap: Jouni Malinen <j@w1.fi>
This prepares wpa_supplicant for accepting cases where the AP does not
use group addressed frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the extended key usage of the AAA server certificate indicates
that the certificate is for client use, reject the TLS handshake.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
OCSP response may not include all the needed CA certificates, so use the
ones received during TLS handshake.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The five second timeout to call wps_er_deinit_finish() could potentially
be left behind when removing the ER data based on some other event. This
could result in double-freeing of wps_er context killing the process,
e.g., if the WPS ER functionality is stopped while in the process of
unsubscribing from an AP and then restarted.
In addition, AP entries could still be present in the
er->ap_unsubscribing list when the deinit timeout hits. These entries
would still maintain HTTP context pointing to the ER which would be
freed here and as such, the following HTTP client callback could refer
to freed memory and kill the process. Fix this by freeing AP entries
from ap_unsubscribing list when ER is deinitialized from timeout even if
such AP entries have not completed unsubscription from UPnP events.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Reduce race condition of the station trying to reconnect immediately
after AP reconfiguration through WPS by rescheduling the reload
timeout to happen after EAP completion rather than the originally
scheduled 100 ms after new configuration became known.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This enables more convenient protocol testing of station side
functionality in various error cases and unexpected sequences without
having to implement each test scenario within hostapd.
ext_mgmt_frame_handle parameter can be set to 1 to move all management
frame processing into an external program through control interface
events (MGMT-RX and MGMT-TX-STATUS) and command (MGMT_TX).
Signed-hostap: Jouni Malinen <j@w1.fi>
These files have been distributed only under the BSD license option
since February 2012. Clarify the license statements in the files to
match that to avoid confusion.
Signed-hostap: Jouni Malinen <j@w1.fi>
If configuration of the group key to the driver fails, move the WPA
group into failed state and indication group setup error to avoid cases
where AP could look like it is working even through the keys are not set
correctly.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds initial parts for supporting the new GCMP-256, CCMP-256,
BIP-GMAC-128, BIP-GMAC-256, and BIP-CMAC-256 cipher suites.
Signed-hostap: Jouni Malinen <j@w1.fi>
If secondary channel is provided for CSA, advertise it in the Secondary
Channel Offset element in Beacon and Probe Response frames.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When CSA flow starts, store the entire struct hostapd_freq_params and
not only CS frequency as it was before. The additional freq_params are
required to advertise CS supplementary IEs such as secondary channel,
wide bandwidth CS, etc.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This allows use of structs (and not only pointers) defined in drivers.h.
Remove also some not needed forward declarations and redundant includes.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The event debouncing isn't very accurate (since it doesn't
take sub-second resolution into account), but it should use
monotonic time anyway since it doesn't care about the wall
clock.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The PBC ignore-start workaround just needs to check whether
the time is within 5 seconds, so should use monotonic time.
While at it, add a few more ifdefs to clearly separate the
code and variables needed.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
PBC sessions are just time-stamped when activated, and
eventually time out, so should use monotonic time.
While at it, make the code use os_reltime_expired().
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The eloop already tracks the expiration/lifetime, and the expiration
isn't really used, so remove it. It should otherwise have used monotonic
time, but since it's not actually used, we can remove it instead.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The RADIUS server needs to calculate uptime, which is relative
and thus should use monotonic time.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Since the RADIUS client cares about relative time (retry timeout)
only, it should use monotonic time.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The BSS table, scan timeout, and related functionality should use
monotonic time since they care about relative values (age) only.
Unfortunately, these are all connected, so the patch can't be split
further. Another problem with this is that it changes the driver wrapper
API. Though, it seems only the test driver is using this.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This should probably have used monotonic time for entry timestamps, but
as those aren't used at all right now, so just remove them entirely.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The request retry loop only retries for 5 seconds, so any time
jumps would probably not affect it much, but it should be using
monotonic time nonetheless since it only cares about duration.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Wall time jumps shouldn't affect MMIC failure/TKIP countermeasures,
so use monotonic time. Change the michael_mic_failure variable to
struct os_reltime for type-safety.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Since the PMKSA cache only uses relative time, use the monotonic time
functions instead of wall time to be correct when the clock jumps.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
For type-safety, make sta->acct_session_start a struct os_reltime
and then use monotonic time for accounting. For RADIUS reporting,
continue to use wall clock time as specified by RFC 2869, but for
the session time use monotonic time.
Interestingly, RFC 2869 doesn't specify a timezone, so the value
is somewhat arbitrary.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Do not assume the driver supports QoS Mapping, but instead, advertise
support for this only if CONFIG_INTERWORKING is defined and driver
indicates support for configuring QoS Map.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The driver_nl80211.c changes are needed to avoid compiler warnings
with two frequency attributes pointing to the same value.
Signed-hostap: Jouni Malinen <j@w1.fi>
If more BSSes are added in config file than are supported by the driver,
segmentation fault can appear. For this case, the interface_added flag
needs to be cleared if adding a new BSS fails.
Signed-hostap: Marek Kwaczynski <marek.kwaczynski@tieto.com>
Until now DFS was simply restarting the AP when radar was detected. Now
CSA is used to perform smooth switch to the new channel. Stations not
supporting CSA will behave as before.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
This is needed for AP CSA. Since CSA must happen immediately after radar
is detected there's no time to perform CAC. Thus, radar channels must be
disabled when looking for a new channel to escape to after a radar is
detected.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
Adds support for VHT by parsing bandwidth and center_freq{1,2}.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Just the usual, with a new function os_reltime_initialized()
thrown in that checks whether time has ever been retrieved
(time can't be completely zero).
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
This helper functions checks whether a given entry has expired,
given the last active timestamp, the current time, and a timeout.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Based on priority, remove the connection with least priority whenever
a frequency conflict is detected.
Signed-hostap: Jithu Jance <jithu@broadcom.com>
Allow another EAP method to be tried if one of the enabled methods
fails. If all the remaining methods fail, reject connection by adding a
new METHOD_REQUEST -> FAILURE transition. Previously, this case resulted
in the state machine trying to send a message when none was available
and then waiting for a following event until timeout.
Signed-hostap: Jouni Malinen <j@w1.fi>
It is possible for the authentication server to be configured with a
PKCS #12 file that includes a private key, a server certificate, and a
CA certificate. This combination could result in server_cert and ca_cert
parameters not being present and that should still result in TLS context
getting initialized.
Signed-hostap: Jouni Malinen <j@w1.fi>
It was possible to configure hostapd in a way that could try to
initialize a TLS-based EAP method even when TLS library context was not
initialized (e.g., due to not configuring server or CA certificate).
Such a case could potentially result in NULL pointer dereference in the
TLS library, so check for this condition and reject EAP method
initialization.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit 390e489c0d extended hostapd BSS
interface removal capabilities. However, it ended up causing a
regression in wpa_supplicant P2P group interface handling. That P2P
group interface is removed through another driver_nl80211.c BSS context
and as such, the bss->added_if is not set. Fix this by verifying whether
the request is for another ifindex and if so, removing the interface
even if added_if is not marked.
Signed-hostap: Jouni Malinen <j@w1.fi>
Some non-mac80211 drivers, such as ath6kl, support STA inactivity timer
in firmware and may not provide connected stations' idle time to the
userspace. If the driver indicates support for offloaded operation, do
not start the inactivity timer in the hostapd.
Signed-hostap: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
struct beacon_data contains a lot of pointers. Make sure it gets cleared
to zero if hostapd_build_beacon_data() gets called from a path that does
not clear the structure first.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This is a mechanism used in Android to extend driver interface in vendor
specific ways. This is included only for the purpose of Android
compatibility. Proper interface commands should be used for any new
functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
Android uses a vendor specific library for implementing couple of driver
interface functions. Add the wrapper code to allow that mechanism to be
used.
Signed-hostap: Jouni Malinen <j@w1.fi>
Despite interface (and group) related sockets are not used
for control, they are created and may be left.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Check if the BSS interface has started before setting beacon.
Lack of this condition can cause segmantation fault.
Signed-hostap: Marek Kwaczynski <marek.kwaczynski@tieto.com>
A reenable of the TDLS link while the host driver is already processing
the same (due to the retransmitted M2/M3 frames) might result in a
failed TDLS setup handshake due to some host driver's implementation.
Thus, issue enable link only when the peer's TDLS status signifies no
prior link (tpk_success=0).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit de3cdf354a adding copying of the
STA's VHT capabilities into the STA entry on the AP. This was done in
allocated memory, but that new memory allocation was not freed anywhere.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Relative time shouldn't be calculated based on gettimeofday
because that clock can jump (e.g., when the time is adjusted
by the system administrator.)
On systems where that is available, use CLOCK_BOOTTIME (on
fairly recent Linux systems, this clock takes into account
the time spend suspended) or CLOCK_MONOTONIC (on Linux and
some POSIX systems, this clock is just freely running with
no adjustments.)
Reported-by: Holger Schurig <holgerschurig@gmail.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The 'started' state was tracked incorrectly. It also broke DFS
as it was using hostapd_enable/disable_iface() functions.
Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
Some devices disable use of U-NII-1 (channels 36-48) for P2P due to it
being indoor use only in number of locations. If U-NII-3 (channels
149-161) is available, try to pick a channel from that range first
during random channel selection to reduce likelihood of interoperability
issues.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If there are no other preferences from local configuration or driver,
prefer a random VHT channel instead of falling back to the fixed
pre-configured channel or 5 GHz/HT40 channel preference.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If there are no other preferences from local configuration or driver,
prefer a random HT40 channel instead of falling back to the fixed
pre-configured channel or 5 GHz channel preference.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If there are no other preferences from local configuration or driver,
prefer a random 5 GHz channel instead of falling back to the fixed
pre-configured channel (which is selected by default to be 1, 6, or 11).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use the new p2p_channel_select() function to select a VHT channel
at random when no other preferences are in effect.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use the new p2p_channel_select() function to select an HT40 channel
at random when no other preferences are in effect.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new p2p_channel_select() function can be re-used to implement
random channel selection from a set of operating classes in all
places that need such functonality.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows wlantest debug log output to be directed to a file so that
RELOG command can be used to rotate files more easily than stdout.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add chan_switch to the control interface of wpa_supplicant and hostapd,
and also to wpa_cli and hostapd_cli.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Build CSA settings and call the driver to perform the switch. Construct
Beacon, Probe Response, and (Re)Association Response frames both for CSA
period and for the new channel. These frames are built based on the
current configuration. Add CSA IE in Beacon and Probe Response frames.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add csa_settings struct which holds parameters for CSA. Change driver
interface for switch_channel(), so that it will receive this struct and
not only the new frequency as it was before. This allows wpa_supplicant
to provide all the required parameters (beacons, proberesp, assocresp,
CSA IE) which are required by cfg80211 implementation.
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This was supposed to be a minimal sample of eloop wrapper, but it is
unclear whether this is of that much use and the file has not been kept
up-to-date. Remove this file to reduce maintenance effort. The other
eloop*.c files can be used as a starting point if something new is
needed.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit eb32460029 left an unneeded
sim_type argument to scard_init(). Remove that unnecessary argument to
clean up the implementation.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
Add DBus methods for TDLS operations similar to those available
for the control interface. This includes Discover, Setup, and
Teardown commands. While here, add a method to query the TDLS
link status and add a DBus method for it.
Tested with CONFIG_TDLS enabled, on a TDLS-enabled host and
peer capable of TDLS:
dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \
/fi/w1/wpa_supplicant1/Interfaces/0 \
fi.w1.wpa_supplicant1.Interface.TDLSStatus string:<peer-mac-address>
yields: string "peer does not exist"
dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \
/fi/w1/wpa_supplicant1/Interfaces/0 \
fi.w1.wpa_supplicant1.Interface.TDLSDiscover string:<peer-mac-address>
yields no error
dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \
/fi/w1/wpa_supplicant1/Interfaces/0 \
fi.w1.wpa_supplicant1.Interface.TDLSSetup string:<peer-mac-address>
yields no error
dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \
/fi/w1/wpa_supplicant1/Interfaces/0 \
fi.w1.wpa_supplicant1.Interface.TDLSStatus string:<peer-mac-address>
yields: string "connected" after TDLS completes
dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \
/fi/w1/wpa_supplicant1/Interfaces/0 \
fi.w1.wpa_supplicant1.Interface.TDLSTeardown string:<peer-mac-address>
yields no error
dbus-send --system --dest=fi.w1.wpa_supplicant1 --print-reply \
/fi/w1/wpa_supplicant1/Interfaces/0 \
fi.w1.wpa_supplicant1.Interface.TDLSStatus string:<peer-mac-address>
yields: string "peer not connected"
Signed-hostap: Paul Stewart <pstew@chromium.org>
During persistent group re-invocation, GO may end up using a different
channel as the operation channel compared to what was indicated in the
invitation frames. This may break the connection if the peer device ends
up scanning the GO only on the channel from the invitation frame. Fix
this by using the negotiated channel (if available) on the GO as the
operating channel instead of the channel that was provided in the
p2p_invite command to start negotiation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
We were not filtering the EVENT_CHANNEL_LIST_CHANGED events based on the
regulatory hint initiator. So wait for EVENT_CHANNEL_LIST_CHANGED event
after our own change was triggered even when regulatory hint initiator
was the driver. This could result in the wait for the channel list to be
updated to be terminated before the real change has occurred and as
such, old channel list remaining in use when configuring
hostapd/wpa_supplicant country parameter. Fix this by filtering the
hints according to the initiator and only regulatory hints initiated by
user will be used to stop the wait.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If hostapd was started with the interface already in AP mode, leave the
interface in AP mode on deinit instead of unconditionally forcing it to
station mode.
Signed-hostap: Jouni Malinen <j@w1.fi>
It is common to build wpa_supplicant with AP mode support and it is
justifiable to clean up driver_nl80211.c by removing the conditional
build blocks based on hostapd vs. wpa_supplicant builds.
Signed-hostap: Jouni Malinen <j@w1.fi>
This gets rid of some ifdef HOSTAPD constructs and shares more
of the initialization code between hostapd and wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
These variables were originally used in hostapd to clear HT channel
information when exiting. However, that functionality was lost with
commit f019981aee when moving to a common
code for setting the channel. Taken into account that no one seems to
have missed this functionality over the last four years, it seems safe
to drop this rather than try to fix the old hostapd behavior.
Signed-hostap: Jouni Malinen <j@w1.fi>
It's not possible to get a raw private key from keystore anymore, so
this would fail every time anyway. Remove it so it doesn't confuse
anyone that looks at this code.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
The new keystore ENGINE is usable to perform private key operations when
we can't get the actual private key data. This is the case when hardware
crypto is enabled: the private key never leaves the hardware.
Subsequently, we need to be able to talk to OpenSSL ENGINEs that aren't
PKCS#11 or OpenSC. This just changes a few #define variables to allow us
to talk to our keystore engine without having one of those enabled and
without using a PIN.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>