Channel 140 is needed as allowed HT40 channel pair to use
channel 144 introduced in 802.11ac for VHT40 and VHT80.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
Handle NL80211_ATTR_EXT_FEATURES attribute and
NL80211_EXT_FEATURE_VHT_IBSS to determine whether
the driver supports VHT with IBSS.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
It was possible for bitfield_get_first_zero() to read one octet beyond
the allocated bit buffer in case the first zero bit was not within
size-1 first octets.
Signed-off-by: Jouni Malinen <j@w1.fi>
This event was previously used only when disabling AP mode operation
through hostapd control interface. Make this more consistent by
providing same indication when disabling hostapd interface through the
interface deinit path. This adds the event to the case where a full
hostapd radio instance is removed which also applies for the
wpa_supplicant AP mode operations.
Signed-off-by: Jouni Malinen <j@w1.fi>
If OpenSSL reports that a presented leaf certificate is invalid,
but it has been explicitly pinned, accept it anyway.
Signed-off-by: Rohit Agrawal <rohit.agrawal.mn@gmail.com>
Previously, it would have been possible to complete RSN connection by
skipping the msg 3/4 and 4/4 completely. This would have resulted in
pairwise key not being configured. This is obviously not supposed to
happen in practice and could result in unexpected behavior, so reject
group key message before the initial 4-way handshake has been completed.
Signed-off-by: Jouni Malinen <j@w1.fi>
ML80211_ATTR_TDLS_OPERATION can now set to NL80211_TDLS_DISCOVERY_REQ to
allow the driver to request wpa_supplicant to initiate TDLS Discovery
Request.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends the TDLS operation request mechanism to allow TDLS
Discovery Request to be initiated by the driver similarly to the
existing Setup and Teardown requests.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, it was possible for the wpa_sm_start_preauth() and
wpa_sm_rekey_ptk() eloop callbacks to remain active after disconnection
and potentially continue to be used for the next association. This is
not correct behavior, so explicitly cancel these timeouts to avoid
unexpected attempts to complete RSN preauthentication or to request PTK
to be rekeyed.
It was possible to trigger this issue, e.g., by running the following
hwsim test case sequence: ap_wpa2_ptk_rekey ap_ft_sae_over_ds
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The initial IEEE 802.11 ProxyARP functionality in the kernel needed
changes in behavior and that ended up requiring an independent
configuration parameter to be used. Update hostapd to use that new
proxyarp_wifi parameter instead of the earlier proxyarp.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This converts the QCA vendor event to EVENT_DFS_* events for the case
of DFS offloaded to the driver.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Modify the string for AP-CSA-FINISHED event indication to include a flag
which tells the framework whether the new channel is a DFS channel.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add handling logic for DFS offloaded case, and add a helper function
that takes the frequency (MHz) as a param and returns 1 if given channel
requires DFS, or 0 otherwise.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If DFS is offloaded to the driver, hostapd should not be performing
these operations. Send the relevant control interface events to provide
information to upper layer software that may use such events to track
DFS/CAC state. This makes the offloaded DFS implementation more
consistent with the DFS-in-hostapd behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit introduces a callback to notify any configuration updates
from the eap_proxy layer. This is used to trigger re-reading of IMSI and
MNC length.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a connection with the primary server cannot be established, restore
connection to the previously used server.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 347c55e216 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a new option for
initialing RADIUS server failover from radius_client_retransmit(), but
ended up trying to change authentication servers when accounting server
was supposed to be changed due to a copy-paste issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the GO Negotiation Response (failure) TX status to
be processed at a point where there is no P2P timeout to continue
search. Avoid stopping the ongoing search operation by explicitly
restarting it from this callback.
Signed-off-by: Jouni Malinen <j@w1.fi>
The optional freq=<MHz> can now be used with the P2P_FIND command to
specify a single channel to scan during the first round of P2P search.
For example, this can be used to replace the full initial scan with a
single channel scan of a known operation channel.
Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
This reverts commit 3df2f4fe99 ('P2P:
Remove unused P2P_SCAN_SPECIFIC') with a modification to fit the current
code base.
Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
Disable VHT caps for STAs for which there is not even a single
allowed MCS in any supported number of streams. i.e STA is
advertising 3 (not supported) as VHT MCS rates for all supported
streams.
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
Commit 347c55e216 ('RADIUS client: Re-try
connection if socket is closed on retransmit') added a possibility of
executing RADIUS server failover change within
radius_client_retransmit() without taking into account that this
operation may end up freeing the pending message that is being
processed. This could result in use of freed memory. Avoid this by
checking whether any pending messages have been removed and if so, do
not try to retransmit the potentially freed message.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, send() was called with invalid fd = -1 in some error cases
for retransmission and this could even result in a loop of multiple such
attempts. This is obviously not going to work, so drop such attempts and
instead, try to reconnect a socket to the server if the current socket
is not valid.
In addition, initiate server failover immediately if the current socket
is not valid instead of waiting for a timeout.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the initial attempt at opening the socket connection to the RADIUS
server failed due to missing IP connectivity during startup, e.g., with
"connect[radius]: Network is unreachable", hostapd did not try to
reconnect when RADIUS messages were sent. Instead, it only reported "No
authentication server configured" even if the configuration did have a
server entry.
This was broken by commit 9ed4076673
('RADIUS client: Do not try to send message without socket') for the
initial case and the more recent fixes in RADIUS server failover cases
did not cover the initial failure case.
Signed-off-by: Jouni Malinen <j@w1.fi>
It does not look likely that the old DSA design would be added into the
internal TLS implement, so remove this otherwise dead code.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows wpa_supplicant to recover from some of the cases where
cfg80211 is unloaded and reloaded without restarting wpa_supplicant. The
netlink socket used for nl80211 events (global->nl_event) seemed to end
up in otherwise functionality state, but with all the event memberships
lost when cfg80211 gets reloaded.
There does not seem to be any clear way of determining when this has
happened, so it looks simplest to just try to re-subscribe to all the
events whenever an interface is re-enabled or added.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit e6dd8196e5 ('Work around Linux
packet socket regression') closed the workaround socket on the first
received EAPOL frame from the main packet socket. This can result in
closing the socket in cases where the kernel does not really work in the
expected way during the following initial association since
reauthentication/rekeying using EAPOL frames happens while operstate is
not dormant and as such, the frames can get delivered through the main
packet socket.
Fix this by closing the workaround socket only in case the first EAPOL
frame is received through the main packet socket. This case happens
while the interface is in dormant state and as such, is more likely to
show the more restricted case of kernel functionality.
In order to avoid processing the received EAPOL frames twice, verify a
checksum of the frame contents when receiving frames alternatively from
the main packet socket and the workaround socket.
Signed-off-by: Jouni Malinen <j@w1.fi>
These values were previously used only for sorting the scan results, but
it may be useful to provide access to the used values through the BSS
entries.
Signed-off-by: Jouni Malinen <j@w1.fi>
This modifies the BSS selection routines to calculate SNR and estimated
throughput for each scan result and then use the estimated throughput as
a criteria for sorting the results. This extends the earlier design by
taking into account higher throughput rates if both the AP and local
device supports HT20, HT40, or VHT80. In addition, the maximum rate is
restricted based on SNR.
In practice, this gives significantly higher probability of selecting
HT/VHT APs when there are multiple BSSes in the same ESS and SNR is not
low enough to prevent higher MCS use.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it somewhat easier to use CONFIG_WPA_TRACE=y build with
external programs that might not be aware of the initialization
requirement, e.g., when linking wpa_ctrl.c with a program that does not
use the os_*() wrappers.
Signed-off-by: Jouni Malinen <j@w1.fi>
This change adds the function hostapd_config_clear_wpa_psk() that
deletes an entire wpa_psk structure, making sure to follow the linked
list and to free the allocated memory of each PSK node. This helps to
prevent memory leaks when using PSKs from multiple sources and
reconfiguring the AP during runtime.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Configure the GO CTWindow on APstart if the driver supports it and this
parameter is set in wpa_supplicant configuration.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Read p2p_go_ctwindow (0-127 TUs) from the config file, and pass it to
the driver on GO start.
Use p2p_go_ctwindow=0 (no CTWindow) by default.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Some APs (e.g., Cisco 1260) sometimes add padding to the end of short
TDLS management packets and that can look like invalid IEs. This was
allowed on M3 and discovery packets, but not in others. Allow it for the
other packets as well, since required IEs are verified in the code
anyway.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Add fixed_freq=<0/1> network block parameter and pass it to the driver
when starting or joining an IBSS. If this flag is set, IBSS should not
try to look for other IBSS networks to merge with on different channels.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
The '/usr/include/libnl3' header path is unsafe for cross-compilation.
Use pkg-config to find libnl-3.0 headers by default and alternatively,
allow LIBNL_INC=<path> to be used in .config to override.
Signed-off-by: Romain Naour <romain.naour@openwide.fr>
These were not supposed to include a newline at the end of the message
text since such formatting gets handled by tls_show_errors(). In
addition, change the message about the issuer's issuer to be more
accurate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If addition of a peer issuer certificate fails, the certs pointer would
be NULL when being passed to sk_X509_push() for peer issuer's issuer.
Fix this by skipping addition of issuer's issue if issuer addition
fails.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When DFS offloading capability is supported by the driver, the driver
should use these events to indicate when a radar pattern has been
detected, channel availability check (CAC) has been completed, aborted
or finished after the non-occupancy period is over on a DFS channel.
Also, add a new driver.h event to be used by NL80211 to indicate CAC
Started event on a DFS channel.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the driver indicates that the interface has been disabled, assume
that all associations have been lost and remove the hostapd STA entries.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
RTM_NEWLINK event without IFF_UP were processed for all related
interfaces (including VLANs and bridge). While these events may need to
be processed for other purposes, they should not end up claiming that
the main interface has been disabled, so indicate
EVENT_INTERFACE_DISABLED only if the ifname matches the first BSS ifname
for the interface. In addition, fix some of the ifup/down checks from
if_indextoname() cases to actually use the resolved ifname (namebuf)
rather than hardcoding the first configured ifname to be used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This uses couple of additional helper macros and prints more debug
information to make the VLAN events easier to analyze.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Sending client probe on already removed client from kernel driver does
not have any benefit and may lead unintended behavior among variable
drivers (mac80211 has a WARN_ON() that could have been triggered after
ifconfig down+up earlier when hostapd did not re-enable beaconing on
ifup). Skip this step in discussion when the kernel driver reports that
client entry is removed.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
This allows WPA2 mode AP to be re-enabled automatically after external
ifconfig down + up on a netdev used by hostapd.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is a step towards enabling hostapd to restart AP mode functionality
if the interface is disabled and re-enabled, e.g., with ifconfig down
and up. This commit takes care of beaconining only which may be
sufficient for open mode connection, but not for WPA2 cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It is possible for an Action frame TX operation to be stopped in a way
that results in the TX status callback function not being called. This
could happen, e.g., when P2P_STOP_FIND was issued while waiting for PD
Response TX status. This specific case ended in leaving
p2p->send_action_in_progress set to 1 and that ending up stopping a
future TX operation when p2p_send_action_cb() gets called with
p2p->pending_action_state == P2P_NO_PENDING_ACTION.
This could result in reception of a fragmented service discovery
response failing due to the GAS sequence getting stopped when receiving
TX callback for the first GAS comeback request. That sequence could be
hit in mac80211_hwsim tests when p2p_listen_and_offchannel_tx was
followed by p2p_service_discovery_fragmentation (even after a long time
since this was on dev1 and there could be even 10 minutes between these
test cases).
Fix this issue by clearing send_action_in_progress whenever stopping
pending P2P operation with p2p_stop_find (or P2P_FLUSH for that matter).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When DFS offloading capability is supported by the driver, the driver
should use this event to indicate when channel availability check (CAC)
is started on a DFS channel.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds testing code (for CONFIG_TESTING_OPTIONS=y builds only) to
send an nl80211 vendor command and report a test vendor event in case
the driver supports this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Do not reply to a Probe Request frame with a DSSS Parameter Set element
in which the channel is different than the operating channel of the AP,
as the sending station is not found on the AP's operating channel.
IEEE Std 802.11-2012 describes this as a requirement for an AP with
dot11RadioMeasurementActivated set to true, but strictly speaking does
not allow such ignoring of Probe Request frames if
dot11RadioMeasurementActivated is false. Anyway, this can help reduce
number of unnecessary Probe Response frames for cases where the STA is
less likely to see them (Probe Request frame sent on a neighboring, but
partially overlapping, channel).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Send MESH-SAE-AUTH-BLOCKED event if SAE authentication is blocked. The
BLOCK state will finish when a new peer notification event is sent for
the same MAC address.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
SAE authentication fails likely with wrong password. This commit adds a
notification of the failure to the upper application (UI) so that the
application can notify suspection of a wrong password to the user. The
control interface monitor even for this is "MESH-SAE-AUTH-FAILURE
addr=<peer>".
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Commit 5a2a6de6a5 ('mesh: Make inactivity
timer configurable') has a problem on 32 bit systems. Setting
NL80211_MESHCONF_PLINK_TIMEOUT to 0xffffffff causes expiration of STA in
a minute by NL80211_CMD_DEL_STATION event. this is the kernel rule for
STA expiration:
(current jiffies) > (frame Rx jiffies + NL80211_MESHCONF_PLINK_TIMEOUT * 250)
On a 32 bit system, the right side could overflow and be unexpected
small value if NL80211_MESHCONF_PLINK_TIMEOUT is sufficiently large. STA
expiration occurs by this reason.
This patch solves the problem by disabling the STA expiration
functionality in mac80211. However, old kernel does not support
disabling it. If so, this patch sets mac80211 inactivity timer 60
seconds into future from the wpa_supplicant inactivity timer.
And I mis-understood that mesh_max_inactivity=0 disables inactivity
timer in wpa_supplicant. This commit fixes it also.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
If HT40 co-ex scan fails due to the driver rejecting scan triggers
multiple times, it was possible for the ap_ht40_scan_retry() timeout
being left behind and it getting run after hapd->drv_priv has been
cleared. This would result in NULL pointer dereference in
driver_nl80211_scan.c. Fix this by canceling the timeout when disabling
the interface.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit e6dd8196e5 ('Work around Linux
packet socket regression') added a mechanism to close the workaround
bridge socket in l2_packet_receive(). However, it did not take into
account the possibility of the l2->rx_callback() closing the l2_packet
socket altogether. This could result in use of freed memory when usin
RSN pre-authentication. Fix this by reordering the calls to clear the
workaround socket before calling the rx_callback.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, a channel with even a single scan/survey result missing
information was skipped in ACS. This may not be desirable in cases when
multiple scan iterations are used (which is the case by default in
hostapd). Instead, use all channels that provided at least one complete
set of results. Calculate the average interference factor as an average
of the iterations that did provide complete values.
This seems to help with some cases, e.g., when ath9k may not be able to
report the noise floor for all channels from the first scan iteration
immediately after the driver has been loaded, but then returns it for
all other scan iterations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new acs_chan_bias configuration parameter is a space-separated list
of <channel>:<bias> pairs. It can be used to increase (or decrease) the
likelihood of a specific channel to be selected by the ACS algorithm.
The total interference factor for each channel gets multiplied by the
specified bias value before finding the channel with the lowest value.
In other words, values between 0.0 and 1.0 can be used to make a channel
more likely to be picked while values larger than 1.0 make the specified
channel less likely to be picked. This can be used, e.g., to prefer the
commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The interference factors for adjacent 2.4 GHz channels were summed
together without doing any kind of weighted average on them. This
resulted in the channels at the band edges getting undue preference due
to only including interference factors from three channels vs. five for
the channels in the middle of the band.
While it is somewhat unclear whether the design here was supposed to
count overlapping channels together in this way or whether that is
already covered in channel survey results, it is clear that this summing
of three to five values together and then comparing the sum rather than
average of some kind gives too much preference to the channels at the
edges of the band by assuming that there is no interference whatsoever
outside the band.
Use weighted average of the interference factors rather than a sum from
different number of values. For now, the adjacent 2.4 GHz channels get
weight of 0.85 (1.0 for the main channel itself) and the neighboring
channels to those adjacent ones get 0.55 weight. Band-edge channels are
handled in a way that takes average over the channels that were actually
considered instead of assuming zero interference from neighboring bands.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If p2p_find_timeout triggers after starting SD but before getting TX
status for send action, unwanted search could get triggered again when
TX status arrives though p2p_find_timeout moved the state to P2P_IDLE by
then. p2p_continue_find() would then move the state to P2P_SEARCH again.
Do not trigger the find operation from this context if state is
P2P_IDLE to avoid this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is going to be required for OpenSSL 1.1.0 which makes the SSL
structure opaque. Older versions starting from OpenSSL 1.0.1 include
this function, so start using it now based on OPENSSL_VERSION_NUMBER.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 0.9.8 and newer includes SSL_CTX_get_cert_store() and
SSL_CTX_set_cert_store() helper functions, so there is no need to
dereference the SSL_CTX pointer to cert ssl_ctx->cert_store. This helps
in working with the future OpenSSL 1.1.0 release that makes the SSL_CTX
structure opaque.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not claim to change the Listen channel in a debug message when
previously configured channel prevents this. In addition, fix a typo in
another related debug print.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If OBSS scan interval is not set, the AP must not schedule a timeout to
restore 40 MHz operation immediately after having moved to a 20 MHz
channel based on an unsolicited co-ex report. Fix this by scheduling the
timeout only if obss_interval is non-zero.
Since we do not currently support AP doing OBSS scans after the initial
BSS setup, this means practically that 40-to-20 MHz transition is
allowed, but 20-to-40 MHz is not with obss_interval=0. The latter gets
enabled if obss_interval is set to a non-zero value so that associated
STAs can take care of OBSS scanning.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
p2p_timeout_prov_disc_req is getting triggered in P2P_IDLE,
P2P_SEARCH and P2P_LISTEN_ONLY states. Retry logic should not be
limited to only P2P_IDLE state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
During service discovery if P2P_FIND times out, P2P_FIND_STOPPED event
is sent to upper layers to allow follow up P2P_FIND commands. This needs
to be done also in case an SD was in progress during the find operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This introduces a P2P module callback function that will be used to
create the pending P2PS group after sending PD Response and receiving
ACK status for it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When the peer device is trying to form a new group despite having
old persistent group with same roles, remove the stale persistent
group.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This extends wpas_p2p_prov_disc() implementation to accept P2PS
parameters. None of the callers are yet using this functionality; the
following commit introduces a user.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds a data structure for storing P2PS PD information and code to
add the related attributes into PD Request. The actual operation to
trigger this behavior will be added in a separate commit.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add support to parse received GAS requests for ASP services and
prepare GAS responses accordingly.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In addition, add a new P2P_SERVICE_REP command that can be used to
replace existing ASP advertisements.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This make it easier to use wpa_s->p2p_group without having to check
whether there is a group initialized on this wpa_s instance.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This provides additional WPS definitions and rules for negotiating use
of P2PS default PIN configuration method.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>