This adds the FST IEs received from the FST module into Beacon, Probe
Response, and (Re)Association Response frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit implements hostapd global control interface notifications
infrastructure. hostapd global control interface clients issue
ATTACH/DETACH commands to register and deregister with hostapd
correspondingly - the same way as for any other hostapd/wpa_supplicant
control interface.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The IPv6 address in the frame buffer may not be 32-bit aligned, so use a
local copy to align this before reading the address with 32-bit reads
(s6_addr32[]).
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not allow 40 MHz co-ex PRI/SEC switch to force us to change our PRI
channel if we have an existing connection on the selected PRI channel
since doing multi-channel concurrency is likely to cause more harm than
using different PRI/SEC selection in environment with multiple BSSes on
these two channels with mixed 20 MHz or PRI channel selection.
Signed-off-by: Jouni Malinen <j@w1.fi>
This check explicitly for reflection attack and stops authentication
immediately if that is detected instead of continuing to the following
4-way handshake that would fail due to the attacker not knowing the key
from the SAE exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
The eap argument to this function is never NULL and the earlier
ieee802_1x_learn_identity() call is dereferencing it anyway, so there is
no point in checking whether it is NULL later in the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
This needs to find the PRI channel also in cases where the affected
channel is the SEC channel of a 40 MHz BSS, so need to include the
scanning coverage here to be 40 MHz from the center frequency. Without
this, it was possible to miss a neighboring 40 MHz BSS that was at the
other end of the 2.4 GHz band and had its PRI channel further away from
the local BSS.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the common WLAN-* RADIUS attributes were added only when WPA
or WPA2 was used. These can be of use for OSEN as well, so include them
in that case, too.
Signed-off-by: Jouni Malinen <j@w1.fi>
Change send_mlme() API to allow sending management frames on a specific
channel, overriding the internal driver decision.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Currently, if multiple bss share are bridge and tagged vlan interface,
only the first instance of struct hostapd_vlan for this vlanid will have
the DVLAN_CLEAN_VLAN flag added. Thus, when this instance is removed,
the tagged vlan interface will be removed from bridge, thought other bss
might still need it. Similarily, the bridge will be left over, as the
does not have zero ports when the first instance of a struct
hostapd_vlan is freed.
This patch fixes this by having a global (per process) reference counter
for dynamic tagged vlan and dynamically created bridge interfaces, so
they are only removed after all local users are freed. (struct
hapd_interfaces *)->vlan_priv is used to hold src/ap/vlan_init.c global
per-process data like drv_priv does; right now this is only used for the
interface reference counting, but could get extended when needed. Then
possibly some vlan_global_init / vlan_global_deinit should be added, but
this is not required right now.
Additionally, vlan->configured is checked to avoid reference counter
decreasing before vlan_newlink increased them.
In order to avoid race conditions, vlan_dellink is called explicitly
after hostapd_vlan_if_remove. Otherwise there would be a short timeframe
between hostapd_vlan_if_remove and vlan_dellink during which the struct
hostapd_vlan still exists, so ap_sta_bind_vlan would try to attach
stations to it.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Commit 95b6bca66d ('Add rsn_pairwise bits
to set_ieee8021x() driver_ops') modified cipher configuration to use
unconditionally wpa_pairwise | rsn_pairwise. While that works for many
cases, it does not handle the case of dynamic configuration changes over
the control interface where wpa_pairwise or rsn_pairwise values may not
get cleared when the wpa parameter is modified. Fix this inconsistency
by configuring the driver with only the bits that are valid for the
currently enabled WPA/WPA2 version(s).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
So that systems with bad clocks will send random session IDs,
instead of always ones starting at the same second.
If os_get_random() isn't available, use os_get_time(). But also
mix in now.tv_usec, so that the accounting session ID is more
likely to be globally and temporally unique.
Signed-off-by: Alan DeKok <aland@freeradius.org>
Explicitly check for iface->current_mode before dereferencing it. While
this case may not happen in practice, it is better for the setup
functions to be more careful when doing the initial band selection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When device supports dual band operations with offloaded ACS, hw_mode
can now be set to any band (hw_mode=any) in order to allow ACS to select
the best channel from any band. After a channel is selected, the hw_mode
is updated for hostapd.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ACS code part of hostapd scans all the channels even if the channel
list is specified in the hostapd.conf. Limit the ACS scan channels to
the list specified in the config file.
Signed-off-by: Srinivasa Duvvuri<sduvvuri@chromium.org>
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.
This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).
Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
In theory, the previous version could have resulted in reading one byte
beyond the end of the management frame RX buffer if the local driver
were to deliver a truncated Public Action frame for processing. In
practice, this did not seem to happen with mac80211-based drivers and
even if it were, the extra octet would be an uninitialized value in a
buffer rather than read beyond the end of the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Handling of WPS RF band for 60 GHz was missing. Add it in all relevant
places and also map "AES" as the cipher to GCMP instead of CCMP when
operating on the 60 GHz band.
Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
This can be used with Proxy ARP to allow multicast NAs to be forwarded
to associated STAs using link layer unicast delivery. This used to be
hardcoded to be enabled, but it is now disabled by default and can be
enabled with na_mcast_to_ucast=1. This functionality may not be desired
in all networks and most cases work without it, so the new
default-to-disabled is more appropriate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, struct wpa_group was created when the first station enters
the group and the struct wpa_group was not freed when all station left
the group. This causes a problem because wpa_group will enter
FATAL_FAILURE when a wpa_group is running while the AP_VLAN interface
has already been removed.
Fix this by adding a reference counter to struct wpa_group and free a
group if it is unused.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
If hostapd has bound a STA into a specific VLAN, the new vlan_id
parameter in the control interface STA command can now be used to check
which VLAN ID is in use.
Signed-off-by: Jouni Malinen <j@w1.fi>
All the system header files are supposed to be included before any other
internal header file apart from utils/includes.h.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, mesh state machine transmits updated Commit Message when
receiving a Confirm Message in Committed state. According to the
standard, it should (re)send the latest Commit Message previously sent.
IEEE Std 802.11-2012, 11.3.8.6.4 Protocol instance behavior - Committed
state:
"Upon receipt of a Con event, ... If Sync is not greater than
dot11RSNASAESync, the protocol instance shall increment Sync, transmit
the last Commit Message sent to the peer, and set the t0
(retransmission) timer."
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This extends dynamic_vlan=required checks to apply for WPA-PSK with
macaddr_acl=2 (RADIUS) case.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 88b32a99d3 ('FT: Add FT AP support
for drivers that manage MLME internally') added an alternative way of
processing the WMM TSPEC from RIC. However, that change did not seem to
include the same checks for WMM TSPEC element length that were used in
the original implementation for MLME-in-hostapd case. Fix this by
sharing the older implementation of copying the WMM TSPEC from RIC for
both cases.
It looks like the destination buffer for the response is sufficiently
long for the fixed length copy, but it may have been possible to trigger
a read beyond the end of the FTIE by about 50 bytes. Though, that seems
to be within the buffer received for RX buffer in the case that uses
this driver-based AP MLME design for FT.
Signed-off-by: Jouni Malinen <j@w1.fi>
The multi-SSID design that used a single beaconing BSSID with multiple
SSIDs was never completed in this repository, so there is no need to
maintain the per-STA ssid/ssid_probe pointers that could only point to
&hapd->conf->ssid. Save some memory and reduce code complexity by
removing this unused partial capability.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to interpret debug logs for cases where hostapd
control multiple interfaces.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to interpret debug logs in case hostapd controls
multiple interfaces and a STA roams between them.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Currently, vlan_remove_dynamic() is only called when the station VLAN ID
is changed (ap_sta_bind_vlan), but not when the station is freed. So
dynamic VLAN interfaces are not removed actually except within 1x
reauthentification VLAN ID change, although most of the code is already
there.
This patch fixes this by calling vlan_remove_dynamic() in ap_free_sta().
It cannot just use sta->vlan_id for this, as this might have been
changed without calling ap_sta_bind_vlan() (ap/ieee802_11.c:handle_auth
fetches from RADIUS cache for WPA-PSK), thus reference counting might
not have been updated. Additionally, reference counting might get wrong
due to old_vlanid = 0 being passed unconditionally, thus increasing the
reference counter multiple times.
So tracking the currently assigned (i.e., dynamic_vlan counter
increased) VLAN is done in a new variable sta->vlan_id_bound. Therefore,
the old_vlan_id argument of ap_sta_bind_vlan() is no longer needed and
setting the VLAN for the sta in driver happens unconditionally.
Additionally, vlan->dynamic_vlan is only incremented when it actually
is a dynamic VLAN.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
hostapd receives NEWLINK messages multiple times and thus does
configuration of the the vlan interface multiple times.
This is not required and leads to the following during cleanup in
test pmksa_cache_preauth_vlan_used:
1. run-test.py does: brctl delif brvlan1 wlan3.1
2. hostapd processes NEWLINK and does: brctl addif brvlan1 wlan3.1
3. run-test.py does: brctl delbr brvlan1
-> fails as wlan3.1 is still in the bridge
This patch fixes this by ignoring repeated NEWLINK messages.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
When hitting
> Failed to create interface wlan3.1: -23 (Too many open files in system)
> Try to remove and re-create wlan3.1
hostapd deletes the AP_VLAN interface and then recreates it. Thus the
kernel assigns the same ifidx to the new interfaces and sends DELLINK
and NEWLINK mesages.
As the DELLINK messages are processed after the struct hostapd_vlan is
added, hostapd deletes the struct hostapd_vlan entry, deconfigures the
AP_VLAN interface and leaves vlan_newlink nothing to find afterwards.
So this patch makes DELLINK messages to be ignored when the interface
exists.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Previously, during RSN preauthentication, ap_sta_bind_vlan() was called,
which fails for non-zero sta->vlan_id as the station is not known to the
kernel driver.
Fix this by binding the station only if it is associated. If it is not
associated, ap_sta_bind_vlan() will be done later during association.
In addition, reject Access-Accept if the returned VLAN ID is not valid
in the current hostapd configuration.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
is_ht_allowed is a confusing name since this variable is used to track
whether 40 MHz channel bandwidth is allowed instead of whether HT is
allowed in general.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If NEED_AP_MLME=y is not defined, compilation might
fail under some configurations:
src/ap/drv_callbacks.c:594:2: warning: implicit declaration of
function ‘hostapd_acs_completed’ [-Wimplicit-function-declaration]
src/ap/sta_info.c:253: undefined reference to `sae_clear_retransmit_timer'
Fix these errors by adding the missing hostapd_acs_completed() stub,
and defining NEED_AP_MLME in case of CONFIG_SAE.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Add SQLite error message and DB name to the DB related errors. Add
enough tracing so that users can know exactly where users are failing to
be found.
Signed-off-by: Ben Greear <greearb@candelatech.com>
HT requires QoS/WMM, so unset HT capabilities for a station
whose association request does not include a valid WMM IE.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Update ACS driver offload feature for VHT configuration. In addition,
this allows the chanlist parameter to be used to specify which channels
are included as options for the offloaded ACS case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There's off-by-one in the range availability check - the case of
first_chan_idx + num_chans == num_channels should be allowed (e.g., 0 +
1 == 1, for the case of a single 20 MHz channel).
Signed-off-by: Maital Hahn <maitalm@ti.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
When looking for a new operating channel, consider the case of
non-contiguous channels when checking all the needed channels (e.g., the
driver might support channels 36, 38, 40, so look for channels 36+40
explicitly, instead of failing when encountering channel 38).
Signed-off-by: Eliad Peller <eliad@wizery.com>
If the AP/Authenticator receives an EAPOL-Key msg 2/4 for an association
that negotiated use of PSK and the EAPOL-Key MIC does not match, it is
likely that the station is trying to use incorrect PSK/passphrase.
Report this with "AP-STA-POSSIBLE-PSK-MISMATCH <STA addr>" control
interface event.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This event was previously used only when disabling AP mode operation
through hostapd control interface. Make this more consistent by
providing same indication when disabling hostapd interface through the
interface deinit path. This adds the event to the case where a full
hostapd radio instance is removed which also applies for the
wpa_supplicant AP mode operations.
Signed-off-by: Jouni Malinen <j@w1.fi>
Modify the string for AP-CSA-FINISHED event indication to include a flag
which tells the framework whether the new channel is a DFS channel.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add handling logic for DFS offloaded case, and add a helper function
that takes the frequency (MHz) as a param and returns 1 if given channel
requires DFS, or 0 otherwise.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If DFS is offloaded to the driver, hostapd should not be performing
these operations. Send the relevant control interface events to provide
information to upper layer software that may use such events to track
DFS/CAC state. This makes the offloaded DFS implementation more
consistent with the DFS-in-hostapd behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Disable VHT caps for STAs for which there is not even a single
allowed MCS in any supported number of streams. i.e STA is
advertising 3 (not supported) as VHT MCS rates for all supported
streams.
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
This change adds the function hostapd_config_clear_wpa_psk() that
deletes an entire wpa_psk structure, making sure to follow the linked
list and to free the allocated memory of each PSK node. This helps to
prevent memory leaks when using PSKs from multiple sources and
reconfiguring the AP during runtime.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Read p2p_go_ctwindow (0-127 TUs) from the config file, and pass it to
the driver on GO start.
Use p2p_go_ctwindow=0 (no CTWindow) by default.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
If the driver indicates that the interface has been disabled, assume
that all associations have been lost and remove the hostapd STA entries.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This uses couple of additional helper macros and prints more debug
information to make the VLAN events easier to analyze.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Sending client probe on already removed client from kernel driver does
not have any benefit and may lead unintended behavior among variable
drivers (mac80211 has a WARN_ON() that could have been triggered after
ifconfig down+up earlier when hostapd did not re-enable beaconing on
ifup). Skip this step in discussion when the kernel driver reports that
client entry is removed.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
This allows WPA2 mode AP to be re-enabled automatically after external
ifconfig down + up on a netdev used by hostapd.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is a step towards enabling hostapd to restart AP mode functionality
if the interface is disabled and re-enabled, e.g., with ifconfig down
and up. This commit takes care of beaconining only which may be
sufficient for open mode connection, but not for WPA2 cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Do not reply to a Probe Request frame with a DSSS Parameter Set element
in which the channel is different than the operating channel of the AP,
as the sending station is not found on the AP's operating channel.
IEEE Std 802.11-2012 describes this as a requirement for an AP with
dot11RadioMeasurementActivated set to true, but strictly speaking does
not allow such ignoring of Probe Request frames if
dot11RadioMeasurementActivated is false. Anyway, this can help reduce
number of unnecessary Probe Response frames for cases where the STA is
less likely to see them (Probe Request frame sent on a neighboring, but
partially overlapping, channel).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If HT40 co-ex scan fails due to the driver rejecting scan triggers
multiple times, it was possible for the ap_ht40_scan_retry() timeout
being left behind and it getting run after hapd->drv_priv has been
cleared. This would result in NULL pointer dereference in
driver_nl80211_scan.c. Fix this by canceling the timeout when disabling
the interface.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, a channel with even a single scan/survey result missing
information was skipped in ACS. This may not be desirable in cases when
multiple scan iterations are used (which is the case by default in
hostapd). Instead, use all channels that provided at least one complete
set of results. Calculate the average interference factor as an average
of the iterations that did provide complete values.
This seems to help with some cases, e.g., when ath9k may not be able to
report the noise floor for all channels from the first scan iteration
immediately after the driver has been loaded, but then returns it for
all other scan iterations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new acs_chan_bias configuration parameter is a space-separated list
of <channel>:<bias> pairs. It can be used to increase (or decrease) the
likelihood of a specific channel to be selected by the ACS algorithm.
The total interference factor for each channel gets multiplied by the
specified bias value before finding the channel with the lowest value.
In other words, values between 0.0 and 1.0 can be used to make a channel
more likely to be picked while values larger than 1.0 make the specified
channel less likely to be picked. This can be used, e.g., to prefer the
commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The interference factors for adjacent 2.4 GHz channels were summed
together without doing any kind of weighted average on them. This
resulted in the channels at the band edges getting undue preference due
to only including interference factors from three channels vs. five for
the channels in the middle of the band.
While it is somewhat unclear whether the design here was supposed to
count overlapping channels together in this way or whether that is
already covered in channel survey results, it is clear that this summing
of three to five values together and then comparing the sum rather than
average of some kind gives too much preference to the channels at the
edges of the band by assuming that there is no interference whatsoever
outside the band.
Use weighted average of the interference factors rather than a sum from
different number of values. For now, the adjacent 2.4 GHz channels get
weight of 0.85 (1.0 for the main channel itself) and the neighboring
channels to those adjacent ones get 0.55 weight. Band-edge channels are
handled in a way that takes average over the channels that were actually
considered instead of assuming zero interference from neighboring bands.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If OBSS scan interval is not set, the AP must not schedule a timeout to
restore 40 MHz operation immediately after having moved to a 20 MHz
channel based on an unsolicited co-ex report. Fix this by scheduling the
timeout only if obss_interval is non-zero.
Since we do not currently support AP doing OBSS scans after the initial
BSS setup, this means practically that 40-to-20 MHz transition is
allowed, but 20-to-40 MHz is not with obss_interval=0. The latter gets
enabled if obss_interval is set to a non-zero value so that associated
STAs can take care of OBSS scanning.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use standard numbers-and-dots format for IPv4 in debug logs instead
of hexdump in two different byte orders.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the old VLAN ID could have been deleted before the STA was
bound to the new VLAN in case the RADIUS server changed the VLAN ID
during an association. This did not exactly work well with mac80211, so
reorder the operations in a way that first binds the STA to the new VLAN
ID and only after that, removes the old VLAN interface if no STAs remain
in it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, it was possible for some corner cases to leave the WPA
authenticator state machine running if PMK could not be derived. Change
this to forcefully disconnect the STA to get more consistent behavior
and faster notification of the error.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This type of error reporting cases should use wpa_printf() to get
consistent debug logging behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.
Signed-off-by: Jouni Malinen <j@w1.fi>
In ieee802_1x_decapsulate_radius(), eap_server_get_name() may return
NULL, and it could be dereferenced depending on printf implementation.
Change it to return "unknown" instead for the case of no matching EAP
method found. This makes it easier for the callers to simply print this
in logs (which is the only use for this function).
Signed-off-by: Eytan Lifshitz <eytan.lifshitz@intel.com>
Add the possibility to define a subset of channels used by the ACS
engine when not operating on DFS channels.
Signed-off-by: Adrien Decostre <ad.decostre@gmail.com>
If the inactivity check returns that there is no entry remaining for the
STA in the kernel, drop the STA in hostapd as well.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) match the request.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit e7d0e97bdb ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.
This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.
Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
Add the t0 retransmission timer as specified by IEEE Std 802.11-2012,
11.3.8.4. This makes SAE much more likely to succeed in the case of lost
frames.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
When performing SAE authentication in mesh, one station may
initiate authentication by sending a COMMIT as soon as a peer
candidate is discovered. Previously we did this in mesh_rsn.c,
but this left some of the state initialization in a different
part of the code from the rest of the state machine, and we may
need to add other initializations here in the future, so move
that to a more central function.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
The local conf pointer needs to be cleared once it gets assigned to
hapd_iface to avoid double-free of the configuration data on error path.
Signed-off-by: Jouni Malinen <j@w1.fi>
The per-BSS configuration information needs to be freed if hostapd fails
to add a new interface for a BSS added with "ADD bss_config=..."
command.
Signed-off-by: Jouni Malinen <j@w1.fi>
If hostapd_alloc_bss_data() failed to allocate the struct hostapd_data
instance, dynamic interface addition path ended up trying to dereference
freed memory due to incorrect cleanup steps. Fix this by decrementing
the interface count when the newly added interface is removed. In
addition, make the setup more robust by clearing all changes within
hostapd_data_alloc() if any of the allocations fails.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to add WPS vendor extensions through the D-Bus
WPSVendorExtensions setter, but these extensions were not freed when the
P2P GO was stopped or when replacing previously configured extensions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some of the struct hostapd_data variables get initialized with allocated
memory in the P2P GO case even before hapd->started has been set to 1.
As such, hostapd_free_hapd_data() needs to free these even if
!hapd->stated.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is a possible race condition between receiving the
NEW_PEER_CANDIDATE event and the Authentication frame from the peer.
Previously, if the Authentication frame RX event was indicated first,
that frame got dropped silently. Now, this frame is still dropped, but a
copy of it is stored and the frame gets processed on the following
NEW_PEER_CANDIDATE event if that is received for the same peer within
two seconds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 587d60d2b7 ('Add AP mode support
for HT 20/40 co-ex Action frame') added processing of co-ex report, but
did not include proper bounds checking or IE type checking for the
payload. Furthermore, this was not ready for the possible extensibility
of the 20/40 BSS Coexistence element.
Fix these by checking IE ids for both elements and doing more
apprioriate bounds checking for the element lengths to avoid potentially
reading beyond the frame buffer. Though, the event receive buffer in
both libnl and driver_nl80211_monitor.c is sufficiently large to make it
very unlikely that the maximum read of about 260 bytes beyond the end of
the Action frame would really have any chances of hitting the end of the
memory buffer, so the practical effect of missing bounds checking would
have been possibly accepting an invalid report frame and moving to 20
MHz channel unnecessarily.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 5ce3ae4c8f tried to clean up
fetching a pointer to the action code field, but it forgot to add
IEEE80211_HDRLEN to the pointer. This resulted in the coex report
elements being read from too early in the frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
These hostapd configuration parameter was left at the default values
(WPA-PSK/TKIP) even for cases where WPA was disabled. While these
parameters are not really used much in non-WPA cases, they do get used
for one corner case in nl80211 configuration to disable encryption of
EAPOL frames in IEEE 802.1X WEP case.
Signed-off-by: Jouni Malinen <j@w1.fi>
While other authentication algorithms mark Status Code as being Reserved
in the case of the transaction number 1, SAE does not. Check that the
Status Code indicates success before creating SAE state. In addition,
fix the mesh anti-clogging token request parsing on big endian CPUs.
Transaction number 2 (confirm) can also have non-zero Status Code to
report an error. Those should be processed, but not replied to with yet
another error message. This could happen in mesh case. Avoid a loop of
error messages by dropping the non-success case without additional
response.
In addition, don't reply to unknown transaction numbers if the status
code is non-zero. This avoids a loop of error messages if an invalid
frame where to be injected (or unlikely corruption were to occur).
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be used to drop any pending ERP key from both the internal AP
authentication server and RADIUS server use of hostapd.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd.conf radio_measurements parameter can now be used to
configure a test build to advertise support for radio measurements with
neighbor report enabled. There is no real functionality that would
actually process the request, i.e., this only for the purpose of minimal
STA side testing for now.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, only WPA + WPA2 was covered. If FT is enabled in addition to
WPA, MDIE is included in the buffer between RSN and WPA elements. The
previous version ended up leaving only the MDIE after having skipped RSN
element. Fix this to skip MDIE as well to leave only WPA IE regardless
of whether FT is enabled in AP configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This converts os_snprintf() result validation cases to use
os_snprintf_error() in cases where success condition was used to execute
a step. These changes were done automatically with spatch using the
following semantic patch:
@@
expression E1,E2,E3;
statement S1;
@@
E1 = os_snprintf(E2, E3, ...);
- if (\( E1 >= 0 \| E1 > 0 \) && \( (size_t) E1 < E3 \| E1 < (int) E3 \| E1 < E3 \))
+ if (!os_snprintf_error(E3, E1))
S1
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the immediate EAPOL authenticator startup was scheduled
without having received EAPOL-Start only for the case where WPA/WPA2 was
enabled. This can be extended to speed up non-WPA/WPA2 cases as well if
the STA includes WPS IE in Association Request frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
If "ADD bss_config=" command failed in driver_init() or
hostapd_setup_interface(), some of the allocated resources were not
freed properly.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using aes_wrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is not just the single struct member. (CID 68111)
Signed-off-by: Jouni Malinen <j@w1.fi>
Using aes_unwrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is initialized and that the target is not just the single struct member.
In addition, clean up the design to avoid removal of const with a
typecast. (CID 68112, CID 68134, CID 68135, CID 68136)
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 16689c7cfc ('hostapd: Allow ACS to
be offloaded to the driver') used incorrect operator to determine
whether HT40 was configured. Fix that to mask the ht_capab bit
correctly. (CID 77286)
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.
The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.
Signed-off-by: Jouni Malinen <j@w1.fi>
Using QCA vendor command, allow ACS function to be offloaded to the
driver. Once channels are selected, hostapd is notified to perform OBSS
operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This flag was left in the STA entry for the short duration after the STA
gets deauthenticated. If the STA sends a Class 2 or 3 frame during that
short time, the AP would not have replied with Deauthentication frame
indicating no association is present.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.
Signed-off-by: Jouni Malinen <j@w1.fi>
This field needs to be validated in addition to validating the total
length of the received frame to avoid reading beyond the frame buffer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Only the NS frames should be checked to be long enough to cover all the
fields used in the NS data structure. This allows shorter RA and NA
frames to be processed for multicast-to-unicast rules.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
l2_packet_send() returns >= 0 on success, i.e., non-zero value does not
mean failure. Fix this debug print to show up only on negative return
values.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to debug operations. The debug message is marked
EXCESSIVE, though, to avoid filling the logs with too much information
in default debugging cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no point in trying to send the unicast converted version to a
STA that is not in authorized state since the driver would be expected
to drop normal TX Data frames in such state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These need to be marked packed to avoid issues with compilers
potentially adding padding between the fields (e.g., gcc on 64-bit
seemed to make struct icmpv6_ndmsg two octets too long which broke IPv6
address discovery).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>