Commit Graph

5186 Commits

Author SHA1 Message Date
Dedy Lansky
f2d6c17aa0 nl80211: Support network hierarchy of a master interface under bridge
Since commit cb05808c46 ('nl80211: Generic
Linux master interface support for hostapd'), hostapd is listening for
EAPOL frames on any master which the interface is enslaved under.

This commit allows hostapd to support network hierarchy in which the
interface is enslaved under some master which in turn is enslaved under
a bridge.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2016-03-09 21:03:41 +02:00
Jouni Malinen
f85399f396 Reserve QCA vendor specific nl80211 commands 116..118
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-08 23:08:45 +02:00
Zefir Kurtisi
3bd58861ae hostapd: Handle running out of DFS channels
In scenarios where only DFS channels are available (e.g., outdoor,
special country codes), hostapd must be able to handle situations
where all are unavailable.

The two possibilities to get there are
1) while operating on the last available DFS channel a radar is
   detected
2) hostapd is started while all channels are unavailable

In both cases, hostapd instead of terminating should better
wait for the NOPs to pass and re-try operation after the CAC.

This patch provides that feature by using the condition
(iface->state == HAPD_IFACE_DFS && !iface->cac_started)
as NOP mode signature to retry operation from within
hostapd_dfs_nop_finished().

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2016-03-08 12:16:37 +02:00
Dedy Lansky
cc1af6faed FST: Fix session setup failure with peer without MB IE
Upon receiving FST setup request on old band, the peer is searched on
new band. The assumption is that MB IE from this peer on new band
previously received either in assoc event or in FST setup request.

There are cases in which above assumption doesn't work, peer is not
found and session setup fails. For example:
- STA connects over 11ac. Due to driver limitation, MB IE is not included
in assoc event
- STA connects over 11ad. MB IE included in assoc event.
- FST session established on 11ac band, with AP as initiator. i.e. FST
setup request sent in AP=>STA direction. STA searches for peer's (AP)
MB IE on 11ad band which exists.
- FST switch occur
- FST session established on 11ad band, with STA as initiator. i.e. FST
setup request sent in STA=>AP direction. AP searches for peer's (STA)
MB IE on 11ac band which are absent.

For fixing the above, consider also peers without MB IE as candidates in
the search algorithm.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2016-03-07 18:04:47 +02:00
Lior David
e4a1469cec P2P: Adjust service discovery maximum fragment size for 60 GHz
In the 60 GHz band, service discovery management frames are sent over
the control PHY and have a smaller maximum frame size (IEEE Std
802.11ad-2012, 21.4.3.2). Fix the code to use sufficiently small
fragment size when operating in the 60 GHz band.

The 60 GHz fragment size (928) is derived from the maximum frame size
for control PHY (1023) and subtracting 48 bytes of header size, and some
spare so we do not reach frames with the absolute maximum size.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-03-07 13:47:01 +02:00
Eliad Peller
6448e06415 hostapd: Allow use of driver-generated interface addresses
Add a new 'use_driver_iface_addr' configuration parameter to allow use
of the default interface address generated by the driver on interface
creation. This can be useful when specific MAC addresses were allocated
to the device and we want to use them for multi-BSS operation.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2016-03-06 20:00:40 +02:00
Eliad Peller
f2accfe708 AP: Save EAPOL received before Association Response ACK
There is a race condition in which AP might receive the EAPOL-Start
frame (from the just-associated station) before the TX completion of the
Association Response frame. This in turn will cause the EAPOL-Start
frame to get dropped, and potentially failing the connection.

Solve this by saving EAPOL frames from authenticated-but-not-associated
stations, and handling them during the Association Response frame TX
completion processing.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2016-03-06 17:08:12 +02:00
Janusz Dziedzic
56885eecf4 hostapd: Add UDP support for ctrl_iface
Add UDP support for ctrl_iface:

New config option could be set:
CONFIG_CTRL_IFACE=udp
CONFIG_CTRL_IFACE=udp-remote
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote

And hostapd_cli usage:
hostapd_cli -i localhost:8877

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-05 17:44:37 +02:00
Janusz Dziedzic
acf57fae76 ctrl_iface_common: Use sockaddr_storage instead of sockaddr_un
This is a step towards allowing UDP sockets to be used with the common
implementation.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-05 17:15:05 +02:00
Janusz Dziedzic
89b781bc89 hostapd: Use common functions for ctrl_iface
Use the common functions, structures when UNIX socket ctrl_iface used.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-05 17:15:05 +02:00
Janusz Dziedzic
ca974ae53f Add common ctrl_iface files
This is preparation for sharing a single implementation for ctrl_iface
functionality in wpa_supplicant and hostapd.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-05 17:15:05 +02:00
Avichal Agarwal
35986959d9 P2P: Update peer WFD IE from PD Response and GO Negotiation Response
Update the peer WFD IE information based on WFD elements received in
Provision Discovery Response and GO Negotiation Response frames.

Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2016-03-05 10:02:59 +02:00
Ilan Peer
12c1fdf19a P2P: Update peer listen channel from Probe Request frames
In case a Probe Request frame is received from a known peer P2P Device,
update the listen channel based on the P2P attributes in the Probe
Request frame. This can be useful for cases where the peer P2P Device
changed its listen channel, and the local P2P device is about to start a
GO Negotiation or invitation signaling with the peer.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-03-03 17:10:26 +02:00
Ayala Beker
7441698fcf nl80211: Abort an ongoing scan upon scan timeout indication
Currently, when scan is stuck in the kernel/driver/fw,
the nl80211 driver tries to recover by faking a SCAN_RESULTS flow.
However, the scan is still stuck in the kernel/driver/fw.

To avoid that stuck request, abort it upon scan timeout.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-03-03 17:10:26 +02:00
Ilan Peer
b8f02d8baf EAP-PWD peer: Fix possible memory leak on error path
Fix possible memory leak in eap_pwd_perform_commit_exchange().

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-03-03 16:28:41 +02:00
Eliad Peller
4a6e9e5599 Fix CONFIG_WPA_TRACE=y compilation without CONFIG_WPA_TRACE_BFD=y
syms is defined only for WPA_TRACE_BFD:

../src/utils/trace.c: In function ‘wpa_trace_deinit’:
../src/utils/trace.c:372:7: error: ‘syms’ undeclared (first use in this function)
  free(syms);
       ^
../src/utils/trace.c:372:7: note: each undeclared identifier is reported only once for each function it appears in
make: *** [../src/utils/trace.o] Error 1
make: *** Waiting for unfinished jobs....

Add appropriate #ifdef.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2016-03-03 16:23:23 +02:00
Lior David
c58eed6dc7 P2P: Add Dev Info attribute to Probe Request frames in 60 GHz
When building P2P IE for Probe Request frames in P2P scan, add the
device information attribute if the 60 GHz band is included in the scan,
since this is required by the P2P specification.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-03-03 15:13:56 +02:00
Lior David
2b6e9f91df wpa_supplicant: Expose wpas_get_bands() and related API
Expose the functions wpas_get_bands() and wpas_freq_to_band() and the
enum wpa_radio_work_band, since they will be needed outside
wpa_supplicant.c.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-03-03 15:10:50 +02:00
Dedy Lansky
0147afa9df FST: Enlarge State Transition Timeout (STT)
STT guards the exchange of FST Action frames with the peer station.
It was observed that sometimes Action frames sending is delayed at
driver/FW layers for few hundreds millisec.

Enlarge the STT to overcome such cases.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2016-03-03 13:50:03 +02:00
Peng Xu
e1d00d47c7 Add error handling for offloaded ACS with vendor command failures
In case vendor ACS command returns invalid channel or hardware mode,
complete the interface setup with an error code instead of simply
return, so that hostapd can properly clean up the interface setup.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-03 12:19:43 +02:00
Jouni Malinen
b9ca12a911 nl80211: Add more address fields into RX frame debug message
This makes it easier to debug issues related to Public Action frame
addressing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-29 21:18:27 +02:00
Jouni Malinen
debde14b5b RADIUS: Add Acct-Delay-Time into accounting messages
This tells to the server how long we have been trying to transmit the
message so that the actual time of the message generation can be
determined from receive time (ignoring network delays and only at
accuracy of one second).

For interim updates, only value 0 is used since there are no
retransmissions of the same message. For other accounting messages, the
initial attempt goes out with value 0 and the retransmissions, if
needed, show the number of seconds the message has been waiting in the
queue.

Update the Identifier and Authenticator in the messages whenever
updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-29 17:43:13 +02:00
Jouni Malinen
669b5324e1 RADIUS: Update full message for interim accounting updates
Instead of using the RADIUS client retransmission design with the old
RADIUS message contents for each retry, trigger a completely new interim
accounting update instance more quickly (using the same schedule as
RADIUS message retransmissions) to improve accounting updates in cases
where RADIUS message delivery fails. This allows the server to get up to
date information from the time the "retry" message was sent instead of
the old information from the time the first failed attempt was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-29 11:52:16 +02:00
Jouni Malinen
902c07a7af Replace hostapd_mac_comp_empty() with is_zero_ether_addr()
There is no need to maintain two implementations of the functionality.
is_zero_ether_addr() is easier to understand, so use it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-28 20:11:58 +02:00
Michael Braun
5aef495fda VLAN: Avoid use of libnl cache
Using rtnl_link_alloc_cache() is expensive as it fills in all configured
links. Using rtnl_link_get_kernel() is much more lightweight.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 20:05:17 +02:00
Michael Braun
732b1d20ec nl80211: Clean up ifidx properly if interface in a bridge is removed
When an interface is removed while it was in a bridge, the bridge was
not removed from the local ifidx list.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 19:42:40 +02:00
Michael Braun
170c545ab4 FT: Check destination MAC address on RRB receive
As the Linux variant of l2_packet_init() does not use its own_addr
argument and l2_packet_receive() does not filter on destination MAC
address, this needs to be checked in the callback.

If there are multiple BSSes listening for FT RRB packets, all their
BSSIDs need to be local to the bridge interface. As l2_packet_init() is
going to receive all of them going for any local address, those RRB
messages started turning up on BSSes that were not destinated for and
cluttering logs.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 19:23:17 +02:00
Michael Braun
57b2c9140c RADIUS: Allow RADIUS server to provide PSK instead of passphrase
If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.

This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 19:06:49 +02:00
Michael Braun
d8912fd80e Cache hashed passphrase in RADIUS-based PSK delivery
Instead of copying the full struct hostapd_sta_wpa_psk_short, share the
existing entry and use reference counting to check when it needs to be
freed. This allows caching of PSKs derived from passphrases to avoid
having to perform the heavy hashing operation multiple times.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 19:06:45 +02:00
Michael Braun
f8e09bc57e Defer passphrase-to-PSK hashing out of 802.11 authentication ACL check
Hashing takes quite some time (can be about one second on a low-power
CPU for each passphrase provided), so hostapd can easily hit the 900 ms
Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can
be fixed by storing the passphrase instead of PSK with the STA and defer
the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.

This applies for the case where a RADIUS server is used to store the
per-STA passphrases and this passphrase is delivered as part of the MAC
ACL check during IEEE 802.11 Authentication frame processing.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 18:46:05 +02:00
Michael Braun
cc9c805a51 VLAN: Use stack instead of heap allocation for new interface name
The VLAN ifname is limited to the maximum length of IFNAMSIZ, so there
is no need to use heap allocation for it.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 18:29:58 +02:00
Michael Braun
d48d1b88d0 FT: Use BSSID as r1_key_holder if no value is configured
r1_key_holder is an identifier that was always set to zero if unless
configured before.

See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
 "R1KH-ID is a MAC address of the holder of the PMK-R1 in the
  Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
 "Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
  identifier within the mobility domain."
 "The R1KH-ID shall be set to a MAC address of the physical entity
  that stores the PMK-R1 ..."

Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 17:56:42 +02:00
Michael Braun
71456dbdf2 FT: Check hapd->wpa_auth before RRB internal delivery
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.

Fix this by checking hapd->wpa_auth before delivery.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 17:45:45 +02:00
Michael Braun
0270bdedcc FT: Fix R0KH-R1KH protocol data length values
The FT RRB hostapd packets have a length field. For PULL frames, it
counted the bytes starting with nonce and up to the last before pad. For
RESP frames, it counted the bytes starting with nonce and up to the last
before pad except for 2 bytes. For PUSH frames, it counted the bytes
starting with nonce and up to including pad.

As rounding is done with AES encryption, including pad does not make
sense. Not including the last field before pad does not make sense
either. These were broken in the earlier addition of the 2 octet
pairwise field in commit 1b484d60e5 ('FT:
Include pairwise cipher suite in PMK-R0 SA and PMK-R1 SA').

AES encryption is not affected, as rounding hides the differences. The
packets data_length field is not used, so the differences have no effect
there.

This patch changes the constants to match the bytes used, thus excluding
the pad. To validate the changes, look at remainder modulo 8 of the sum
of the size constants and the padding sizes.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 15:43:50 +02:00
Jouni Malinen
eb20cea590 nl80211: Add an option to specify the BSSID to scan for
This allows scans to be optimized when a response is needed only from a
single, known BSS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-26 17:19:20 +02:00
Jouni Malinen
adf0478e8e AP: Store STA supported operating classes information
This makes hostapd track Supported Operating Classes information from
the associated STAs. The stored information is available through the STA
control interface command (supp_op_classes row) as a hexdump of the
Supported Operating Classes element starting from the Length field. This
information can be used as input to BSS transition management and
channel switching decisions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-24 12:20:31 +02:00
Dedy Lansky
077dcfb8c4 AP: Debug print management frame TX result
Inside management frame TX status callback, print the TX result where it
was missing. This is useful for debugging management frame drops.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2016-02-22 21:51:19 +02:00
Jouni Malinen
ca911d61f3 MBO: Parse non-preferred channel list on the AP
This adds parsing of non-preferred channel list on an MBO AP. The
information in (Re)Association Request and WNM Notification Request
frames is parsed to get the initial value and updates from each
associated MBO STA. The parsed information is available through the STA
control interface command non_pref_chan[i] rows.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 21:17:38 +02:00
Jouni Malinen
3f48274d0e WNM: Fix a memory leak on AP error path
If the second memory allocation in ieee802_11_send_wnmsleep_resp() were
to fail and ieee80211_11_get_tfs_ie() succeed, the wnmtfs_ie allocation
would not have been freed on the error path.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Michael Braun
f5ca1766dc VLAN: Fix vlan_compare() for tagged VLANs
While refactoring VLAN comparison into vlan_compare(), it was overlooked
that modifications are needed for tagged VLAN support.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-22 19:53:05 +02:00
Jouni Malinen
4c572281ed MBO: Mandate use of PMF for WPA2+MBO association (AP)
If WPA2 and MBO are enabled, PMF needs to be enabled in hostapd
configuration. If PMF is optional in the configuration, an MBO STA is
required to negotiate use of PMF.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
8dd49f0cff MBO: Update STA cellular data capability based on WNM Notification
This makes hostapd parse a received WNM Notification Request frame
subelements and if a WFA MBO cellular data capability subelement is
seen, update the cellular data capability for the STA.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
6332aaf3b2 MBO: Track STA cellular data capability from association request
This makes hostapd parse the MBO attribute in (Re)Association Request
frame and track the cellular data capability (mbo_cell_capa=<val> in STA
control interface command).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
f3cb7a6969 WNM: Minimal processing for WNM Notification Request frames on AP
Write debug log entries on receiving WNM Notification Request frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
e578343457 MBO: Indicate WNM-Notification support on AP when MBO is enabled
This is needed to allow MBO STAs to send WNM Notification Request
frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
990b7b6f38 Simplify hostapd_build_ap_extra_ies() with helper functions
This removes multiple copies of wpabuf_resize() following by
wpabuf_put_{buf,data}() with the help of two simple helper functions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:04 +02:00
Jouni Malinen
f4c74e1360 MBO: Parse MBO IE in ieee802_11_parse_elems()
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-22 19:53:04 +02:00
Avraham Stern
c0e2a172a7 hostapd: Add MBO IE to BSS Transition Management Request frame
Add an option to add MBO IE to BSS Transition Management Request frame.
The MBO IE includes the transition reason code, cellular data connection
preference, and, if the disassoc imminent bit is set, it may also
include re-association retry delay. Otherwise, the re-association retry
delay should be set to zero.

The additional BSS_TM_REQ argument uses the following format:
mbo=<reason>:<reassoc delay>:<cell pref>
reason: 0-9
reassoc delay: 0-65535 (seconds; 0 = disabled)
cell pref: 0, 1, 255

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2016-02-22 19:53:04 +02:00
Avraham Stern
fb9a1c3e28 hostapd: Add MBO IE to Beacon, Probe Response, Association Response
Add MBO IE with AP capability attribute to Beacon, Probe Response, and
(Re)Association Response frames to indicate the AP supports MBO.

Add option to add Association Disallowed attribute to Beacon, Probe
Response, and (Re)Association Response frames. Usage:

SET mbo_assoc_disallow <reason code>

Valid reason code values are between 1-5. Setting the reason code to
0 will remove the Association Disallowed attribute from the MBO IE
and will allow new associations.

MBO functionality is enabled by setting "mbo=1" in the config file.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2016-02-22 19:53:04 +02:00
Avraham Stern
84d1c0fd5a WNM: Add candidate list to BSS transition response
Add the transition candidate list to BSS Transition Management Response
frame. The candidates preference is set using the regular wpa_supplicant
BSS selection logic. If the BSS transition request is rejected and
updated scan results are not available, the list is not added.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2016-02-22 19:53:04 +02:00