In the P2P specification v1.1, the P2P Client Discoverability bit is
described in Table 12 "Device Capability Bitmap definition". The table
says "Within a P2P Group Info attribute and a (Re)association request
frame the P2P Client Discoverability field shall be set to 1 when the
P2P Device supports P2P Client Discoverability, and is set to 0
otherwise. This field shall be reserved and set to 0 in all other frames
or uses.". To match with this, filter out P2P Client Discoverability bit
from frames where its use is reserved.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
If the peer uses an unknown reauth id, it would still be possible to use
pseudonym instead of permanent id. Allow this by changing the
AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is
used in EAP-Response/Identity.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There is a race condition in GO Negotiation Request frame sending and
processing that may end up with both devices sending GO Negotiation
Response. This response frame was previously accepted even if a response
had already been sent. This could result in two GO Negotiation Confirm
frames being exchanged and consequently, with two separate GO
Negotiations completing concurrently. These negotiations could result in
getting mismatching parameters (e.g., both device could believe it was
the GO).
Fix this by ignoring GO Negotiation Response from the peer if twe have
already sent a GO Negotiation Response frame and we have the higher P2P
Device Address. This is similar to the rule used to determine whether to
reply to GO Negotiation Request frame when Request was already sent,
i.e., the same direction of GO Negotiation is maintained here to enforce
that only the negotiation initiated by the device with smaller P2P
Device Address is completed.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If both peers initiate GO Negotiation at about the same time, it is
possible for the GO Negotiation Request frame from the peer to be
received between the local attempt to send the GO Negotiation Request
and TX status event for that. This could result in both devices sending
GO Negotiation Response frames even though one of them should have
skipped this based which device uses a higher MAC address.
Resolve this race by incrementing go_neg_req_sent when p2p_send_action()
returns success instead of doing this from the TX status callback. If
the frame is not acknowledged, go_neg_req_sent is cleared in TX status
handler.
Signed-off-by: Neeraj Garg <neerajkg@broadcom.com>
Stop the connection attempt if GO Negotiation Confirm is not received
within 100 ms of the GO Negotiation Response getting acknowledged.
Previously, we would have continued trying to connect to the peer even
in this case which could result in confusing second GO Negotiation
Request frame and unnecessarily long wait before indicating failure.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The GO Negotiation Confirm frame doesn't need to be sent with a wait
since we don't expect a response to it.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Concurrent Operation bit was not set for GO even if the device
supports concurrent operations. Make sure the Device Capability
value is consistent with other P2P use cases by using the value
determined in p2p_init().
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
Send an "EAP" signal via the new DBus interface under various
conditions during EAP authentication:
- During method selection (ACK and NAK)
- During certificate verification
- While sending and receiving TLS alert messages
- EAP success and failure messages
This provides DBus callers a number of new tools:
- The ability to probe an AP for available EAP methods
(given an identity).
- The ability to identify why the remote certificate was
not verified.
- The ability to identify why the remote peer refused
a TLS connection.
Signed-hostap: Paul Stewart <pstew@chromium.org>
In certain cases like PBC session overlap it appears to be possible that
an interface is removed due to an event handled on it, this leads to
list corruption. Use safe iteration to prevent this issue.
Reported-by: Nirav Shah <nirav.j2.shah@intel.com>
Reported-by: Neeraj Kumar Garg <neerajkg@broadcom.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
intended-for: hostap-1
When hostapd (or wpa_supplicant AP mode) limits the maximum number
of STA entries with a driver that implements SME, the driver needs
to be notified of the failed STA addition. Disassociate the STA if
the driver notifies of an association that would go beyond the
maximum number of STAs.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If WNM is enabled for the build (CONFIG_WNM=y), add BSS max idle period
information to the (Re)Association Response frame from the AP and parse
this information on the station. For SME-in-wpa_supplicant case, add a
timer to handle periodic transmission of the keep-alive frame. The
actual request for the driver to transmit a frame is not yet
implemented.
Signed-hostap: Jouni Malinen <j@w1.fi>
When sending an offchannel frame (mainly, P2P Invitation Request), the
wait_time parameter was hardcoded to 0 for drivers that implement AP
mode SME. This is not correct and can cause problems for drivers that
support offloading of off-channel operations with driver/firmware based
AP SME.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is a workaround for interoperability issues with some deployed P2P
implementations that require a Provision Discovery exchange to be used
before GO Negotiation. The new provdisc parameter for the p2p_connect
command can be used to request this behavior without having to run a
separate p2p_prov_disc command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The nl80211 driver interface does not allow 128-bit WEP to be used
without a vendor specific cipher suite and no such suite is defined for
this purpose. Do not accept WEP key length 16 for nl80211 driver
interface forn ow. wext-interface can still try to use these for
backwards compatibility.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If the AP indicates support for Hotspot 2.0, show this in the
ctrl_iface commands for BSS table and status.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If PD Request includes P2P Group ID, verify that the specified
group matches with a group we are currently operating. If no match
is found, reject the PD Request for join-a-group case.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This can be used with P2P management operations that need to verify
whether the local device is operating a specific group based on
P2P Group ID attribute from a peer.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 349b213cc8 added a separate
callback prov_disc_fail() for indicating PD failures, but it left the
Provision Discovery Response handler to call both callbacks in case the
peer rejected the PD. Commit f65a239ba4
added ctrl_iface event for PD failures. This combination can result in
two ctrl_iface events in the peer rejecting a PD case. Clean this up by
only indicating the failure event.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Some drivers may accept the remain-on-channel command, but instead of
indicating start event for remain-on-channel, just indicate that the
operation has been canceled immediately. This could result in continuous
loop of search/listen states with very limited time to do anything else
in wpa_supplicant if the scan command is also completed quickly (e.g.,
if the driver is unable to scan other channels than the current
operating channel).
As a workaround, do not start the next step (search) in P2P device
discovery if this type of rejection of listen operation is detected.
This gives some more time for wpa_supplicant to handle whatever else
may be needed at to be done at the same time and reduces the amount
of CPU used in a loop that does not really work correctly from the
view point of being discoverable.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
This adds the basic DAS mechanism to enable hostapd to be configured
to request dynamic authorization requests (Disconnect-Request and
CoA-Request). This commit does not add actual processing of the
requests, i.e., this will only receive and authenticate the requests
and NAK them regardless of what operation is requested.
Signed-hostap: Jouni Malinen <j@w1.fi>
New configuration parameters radius_auth_req_attr and
radius_acct_req_attr can now be used to add (or override) RADIUS
attributes in Access-Request and Accounting-Request packets.
Signed-hostap: Jouni Malinen <j@w1.fi>
radius_request_cui=1 configuration parameter can now be used to
configure hostapd to request CUI from the RADIUS server by including
Chargeable-User-Identity attribute into Access-Request packets.
Signed-hostap: Jouni Malinen <j@w1.fi>
If Access-Accept packet includes the Chargeable-User-Identity attribute,
copy this attribute as-is into accounting messages.
Signed-hostap: Jouni Malinen <j@w1.fi>
There was a technical change between the last IETF draft version
(draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters
used in the username (i.e., use unique characters for EAP-AKA' instead
of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and
peer implementations to use the leading characters based on the final
RFC.
Note: This will make EAP-AKA' not interoperate between the earlier
draft version and the new version.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Incorrect identity string could end up being used with EAP-AKA' when
the EAP client is using pseudonym. This code was supposed to use
sm->identity just like the EAP-AKA case.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
The misplaced parenthesis caused Device ID matching to check only the
first octet of the P2P Device Address, i.e., we could have replied to
Probe Request frames that was searching for another device if any of
the last five octets of the address were different.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
An existing persistent group information can now be used to force GO
Negotiation to use the previously used SSID/passphrase from a persistent
group if we become a GO. This can be used as an alternative to inviting
a new P2P peer to join the group (i.e., use GO Negotiation with GO
intent 15 instead of starting an autonomous GO and using invitation),
e.g., in case a GO Negotiation Request is received from a peer while we
are not running as a GO. The persistent group to use for parameters is
indicated with persistent=<network id> parameter to p2p_connect.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commits 17bef1e97a and
ffe98dfb88 started using p2p_add_device()
with other frames than just Probe Response frames from scan results.
However, these changes did not take into account that the PD Request
and Invitation Request frames are normally received on the our own
Listen channel, not on the Listen channel of the peer. As such, these
frames must not be used to update Listen channel information for the
peer.
Fix this by letting p2p_add_device() know whether the results are from
scan results and if not, skip the peer table updates that are specific
to Probe Response frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Add provisional discovery failure ctrl_iface event
(P2P-PROV-DISC-FAILURE) to indicate to the application layer in case of
PD failure.
Signed-off-by: Deepthi Gowri <deepthi@codeaurora.org>
Commit d9bdba9f86 was supposed to allow
p2p_listen to schedule new after scan operation only if a p2p_connect
operation was not pending. However, it used incorrect P2P_AFTER_SCAN_
value for this and did not actually prevent overriding of p2p_connect
and could have caused some p2p_listen operations to be skipped
unnecessarily.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Unlike the unicast SD queries, the queries directed to all peers depend
on P2P_DEV_SD_INFO flag being cleared to allow the query to be sent to
a peer that has previously replied to any SD query.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the timeout scheduled during the previous association was
used after reassociation if the STA entry had not yet been removed. The
next timeout does not need to happen that quickly, so reschedule it
during reassociation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to figure out what exactly was done with the
ap_handle_timer registration/cancellation based on a debug log.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The next ap_handle_timer action was already cleared when association
is handled with user space -based SME. However, this step was missing
from the driver callback for indicating new association. This could
result in the first ap_handle_timer timeout on the new association
removing the station unexpectedly. Fix this by resetting the timeout_next
in hostapd_notif_assoc().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
A station may move from EAP/WPS key_mgmt to PSK using re-association. In
practice, this can happen most likely with WPS when the station runs
through the provisioning step (EAP/WPS) followed by PSK authentication.
If a deauthentication event is missed from the station for whatever
reason, the EAPOL authenticator state machine could have been left
running.
This can result in various issues, including unexpected disconnection of
the station while both the 4-way handshake and EAPOL authenticator state
machines (EAP) are running at the same time when the supplicant is
trying to use PSK. Fix this by explicitly clearing EAPOL authenticator
state machine on (re)association if the new association does not use it.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
When starting an AP with HT40 on 2.4 GHz, limit the set of channels
to scan for based on the affected frequency range to speed up the
AP setup.
Signed-hostap: Jouni Malinen <j@w1.fi>
Mark the debug print excessive and print it only in case the entropy
collection is used since this function can get called pretty frequently.
Signed-hostap: Jouni Malinen <j@w1.fi>
OpenSSL wrapper was using the same certificate store for both Phase 1
and Phase 2 TLS exchange in case of EAP-PEAP/TLS, EAP-TTLS/TLS, and
EAP-FAST/TLS. This would be fine if the same CA certificates were used
in both phases, but does not work properly if different CA certificates
are used. Enforce full separation of TLS state between the phases by
using a separate TLS library context in EAP peer implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
This was never really completed and is of not much use at this point,
so clean up the repository by removing the Symbian-specific changes.
Signed-hostap: Jouni Malinen <j@w1.fi>
This optional parameter to the BSS command can be used to select which
fields are included in the output to avoid having to parse through
unneeded information and to reduce the buffer size.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
There is no need to subscribe to event messages during deinit process,
so skip this to avoid unnecessary operations and to keep the debug logs
a bit cleaner.
Signed-hostap: Jouni Malinen <j@w1.fi>
This should keep us from getting into a state where we bounce large
numbers of stations all at once. Spreading out the bounce should cause
less stress on the network as the idle stations won't all be trying to
reconnect at once.
Signed-hostap: Ben Greear <greearb@candelatech.com>
wps_vendor_ext_m1 configuration parameter can now be used to add a
vendor specific attribute into the WPS M1 message, e.g., for
Windows Vertical Pairing.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This was previously indicated as disassociation, but the P2P group
session ending case expect a deauthentication notification. Since the
cfg80211 disconnection event does not really indicate which frame was
used, the easiest approach for now seems to be to just indicate these
as deauthentication events.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use reason code 3 (Deauthenticated because sending STA is leaving)
instead of reason code 2 (Previous authentication ot valid) in the
Deauthentication frame sent at the time a BSS is terminated. This is
more accurate reason for the message and allows the stations to get
better understand on why they were disconnected. This can be useful
especially for P2P clients that can use this as a signal that the
P2P group session was ended per P2P specification section 3.2.9.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
On P2P group removal, the GO is deinitialized correctly (and the vif
mode is set back to sta in case of nl80211), but the P2P client mode
wasn't deinitialized, and the nl80211 vif stays in P2P client mode.
Add a new deinit_p2p_cli op (similar to deinit_ap), which currently only
sets the interface back to station mode.
Signed-hostap: Eliad Peller <eliad@wizery.com>
intended-for: hostap-1
Some applications require knowing about probe requests to identify
devices. This can be the case in AP mode to see the devices before they
connect, or even in P2P mode when operating as a P2P device to identify
non-P2P peers (P2P peers are identified via PeerFound signals).
As there are typically a lot of probe requests, require that an
interested application subscribes to this signal so the bus isn't always
flooded with these notifications. The notifications in DBus are then
unicast only to that application.
A small test script is also included.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The signal strength is currently never used as the only driver reporting
it is nl80211 which uses IEEE80211_RADIOTAP_DB_ANTSIGNAL which is never
populated by the kernel. The kernel will (soon) populate
IEEE80211_RADIOTAP_DBM_ANTSIGNAL instead though, so use that.
Also, since it was never really populated, we can redefine the signal
field to be in dBm units only.
My next patch will also require knowing the signal strength of probe
requests throughout the code (where available), so add it to the
necessary APIs.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
When hostapd is about to start an AP using HT40, it starts a scan to
check whether it is allowed or not. If OLBC is detected before the
scan has completed, it sets the beacons prematurely.
To fix this, instead of setting all beacons when OLBC is detected,
only update the ones that have already been started.
Signed-off-by: Luciano Coelho <coelho@ti.com>
ieee802_1x_encapsulate_radius() frees the RADIUS message if
radius_client_send() returns error. This could have resulted in use of
freed memory and double freeing of the RADIUS message if send() fails
since the message is also left in the retransmit list. Avoid this by not
returning error to the caller in such a case.
Signed-off-by: Alexander Couzens <lynxis@c-base.org>
Add the option (-T) to wpa_supplicant to log all debug messages into the
kernel tracing, allowing to aggregate kernel debugging with
wpa_supplicant debugging and recording all with trace-cmd.
Since tracing has relatively low overhead and can be filtered
afterwards, record all messages regardless of log level. However, it
will honor the -K option and not record key material by default.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The "BSS p2p_dev_addr=address" command uses p2p_parse_dev_addr() to
figure out the P2P Device Address of the GO from scan results. This used
to work only if the P2P IE was received from Probe Response frames since
only those include the P2P Device Info attribute. Make this work with
Beacon frames, too, by using P2P Device ID attribute if the P2P Device
Info attribute is not present.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A network block specific background scan period can now be configured
for drivers that implement internal background scan mechanism for
roaming and BSS selection.
Signed-hostap: Bala Shanmugam <bkamatch@qca.qualcomm.com>
Implement wps_cancel for hostapd similarly to how it was already
supported in wpa_supplicant AP mode.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_pref_chan configuration parameter can now be used to set the
list of preferred channel for P2P GO Negotiation. This will be used
in the priority order if the peer does not support the channel we
are trying to use as the GO (configured operating channel or the
best 2.4 GHz/5 GHz channel) for the case where a forced channel is
not used.
p2p_pref_chan=<op class:channel>,...
For example:
p2p_pref_chan=81:1,81:2,81:3,81:4,81:5,81:6
This would configure 2.4 GHz channels 1-6 as the preferred ones with
channel 1 the most preferred option.
These configuration parameters can be set in wpa_supplicant.conf and
dynamically updated with "wpa_cli set <param> <value>".
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
When drivers advertise their capability to free up inactive
stations based on ap_max_inactivity, send the inactivity period
timeout to driver in NL80211_ATTR_INACTIVITY_TIMEOUT. This
introduces a WPA_DRIVER_FLAGS (WPA_DRIVER_FLAGS_INACTIVITY_TIMER)
so that the inactivity period will be sent only when this capability
bit is set.
Signed-hostap: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
When the driver (or firmware) implements AP mode SME, the use of raw
management frame TX functions is not working properly at the moment. As
an initial step, convert these AP mode operations to use
NL80211_CMD_DEL_STATION and do not claim that driver provides TX status
for deauth/disassoc frames. While this does not address all use cases
(e.g., reason code is not specified in the command), this fixes number
of issues where the station does not get disconnected properly.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 30680e9332 changed the length
of the implicit challenge result to match with the exact length used
in TTLS. However, it failed to update the peer_challenge generation
to use a separate random value. Previously, this was generated as
part of the implicit challenge, but more correct way would have been
to generate a random value for it separately. Do this now to fix the
read after the allocated buffer (16 bytes after the implicit
challenge).
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
This DO has a maximum length of 127 bytes (TS 102 221), so better use
large enough buffer when reading the record.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, this provisioning info was cleared using the P2P Interface
Address of the GO as the key. That did not always work in the case the
where we joined an already running group. This could result in the next
connection to that same GO skipping provision discovery. Fix this by
finding the peer entry based on its P2P Device Address instead of the
P2P Interface Address which may not always be set.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
If a wildcard PIN is used on any of the radios that hostapd is
controlling, invalidate the matching PIN on all the other radios
to avoid multiple uses of the same PIN.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use Device Password ID in WSC IE of Probe Request and Probe Response
frames to advertise immediate availability of WPS credentials per P2P
specification sections 3.1.2.1.1 (Listen State), 3.1.2.1.2 (Scan Phase),
and 3.1.2.1.3 (Find Phase).
For now, the Device Password ID is set only for the case where we are
active GO Negotiation with a specific peer. In practice, this means that
the Probe Response frames during pending GO Negotiation (whenever in
Listen state) indicate availability of the credential.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_flush did not explicit stop all P2P operations, i.e., the exact
behavior depended on the P2P module state at the time the p2p_flush
command was issued. Make this more consistent by explicitly calling
p2p_stop_find() from p2p_flush().
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If Listen state was in progress on another channel when a request to
send an Action frame (e.g., Provision Discovery Request or Invitation
Request to a peer on the peer's Listen channel that is different from
our Listenc hannel) is issued, wpa_supplicant tried to use concurrent
remain-on-channel operations. While some drivers can handle this
cleanly, there are drivers that don't and wpa_supplicant is not expected
to request concurrent remain-on-channel operations.
Fix this by cancelling the ongoing remain-on-channel with stop_listen
prior to sending the Action frame on another channel. If a P2P search
was in progress, it will be continued after the timeout on the new
operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new venue_name configuration parameter can now be used to configure
the ANQP Venue Name values that stations can request through GAS.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This adds GAS/ANQP implementation into hostapd. This commit brings in
the basic GAS/ANQP functionality, but only the ANQP Capability List
element is supported.
For testing purposes, hostapd control interface SET command can be used
to set the gas_frag_limit parameter dynamically.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
New global configuration parameters pcsc_reader and pcsc_pin can now be
used to initialize PC/SC reader context at start of wpa_supplicant.
Signed-hostap: Jouni Malinen <j@w1.fi>
Definition of ANonce selection in IEEE Std 802.11i-2004 is somewhat
ambiguous. The Authenticator state machine uses a counter that is
incremented by one for each 4-way handshake. However, the security
analysis of 4-way handshake points out that unpredictable nonces help in
preventing precomputation attacks. Instead of the state machine
definition, use an unpredictable nonce value here to provide stronger
protection against potential precomputation attacks.
Signed-hostap: Jouni Malinen <j@w1.fi>