Commit graph

1463 commits

Author SHA1 Message Date
Jouni Malinen
bc02843e75 hostapd: Add testing option to override own WPA/RSN IE(s)
This allows the new own_ie_override=<hexdump> configuration parameter to
be used to replace the normally generated WPA/RSN IE(s) for testing
purposes in CONFIG_TESTING_OPTIONS=y builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-08 18:18:03 +03:00
Jouni Malinen
44fa5e747b FT: Remove optional fields from RSNE when using PMF
The PMKIDCount, PMKID List, and Group Management Cipher Suite fields are
optional to include in the RSNE in cases where these would not have
values that are different from the default values. In practice,
PMKIDCount is always 0 in Beacon and Probe Response frames, so the only
field of these that could have a non-default value is Group Management
Cipher Suite. When BIP is used, that field is not needed either due to
BIP being the default cipher when PMF is enabled.

Remove these fields from RSNE when BIP is used to save six octets in
Beacon and Probe Response frames. In addition to reduced frame length,
this is a workaround for interoperability issues with iOS 8.4 in cases
where FT and PMF are enabled. iOS seems to be rejecting EAPOL-Key msg
3/4 during FT initial mobility domain association if the RSNE includes
the PMKIDCount field.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-06 20:47:26 +03:00
Jouni Malinen
7e97d813ee WPS: Reject AP settings with invalid network key (PSK/passphrase)
This is similar to the earlier commit
b363121a20 ('WPS: Reject invalid
credential more cleanly'), but for the AP cases where AP settings are
being replaced. Previously, the new settings were taken into use even if
the invalid PSK/passphrase had to be removed. Now, the settings are
rejected with such an invalid configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-06 20:47:25 +03:00
Jouni Malinen
84bcb4e7a9 FST: Mark fst_ies buffer const
This buffer is owned by the FST module, so mark it const in the
set_ies() callback to make it clearer which component is responsible for
modifying and freeing this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-03 17:40:30 +03:00
Masashi Honma
ecd40fef74 mesh: Fix mesh SAE auth on low spec devices
The mesh SAE auth often fails with master branch. By bisect I found
commit eb5fee0bf5 ('SAE: Add side-channel
protection to PWE derivation with ECC') causes this issue. This does not
mean the commit has a bug. This is just a CPU resource issue.

After the commit, sae_derive_pwe_ecc() spends 101(msec) on my PC (Intel
Atom N270 1.6GHz). But dot11RSNASAERetransPeriod is 40(msec). So
auth_sae_retransmit_timer() is always called and it can causes
continuous frame exchanges. Before the commit, it was 23(msec).

On the IEEE 802.11 spec, the default value of dot11RSNASAERetransPeriod
is defined as 40(msec). But it looks short because generally mesh
functionality will be used on low spec devices. Indeed Raspberry Pi B+
(ARM ARM1176JZF-S 700MHz) requires 287(msec) for new
sae_derive_pwe_ecc().

So this patch makes the default to 1000(msec) and makes it configurable.

This issue does not occur on infrastructure SAE because the
dot11RSNASAERetransPeriod is not used on it.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-08-02 21:37:10 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
e03e56c3d6 Comment out EAPOL-Key WEP support in CONFIG_FIPS=y build
This avoids a call to hmac_md5() to fix the build. The EAPOL-Key frame
TX code is not applicable for any FIPS mode operation, so the simplest
approach is to remove this from the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:49:34 +03:00
Jouni Malinen
bfc284c5c7 Make ieee802_1x_tx_key() static
This is used only within ieee802_1x.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:45:18 +03:00
Peng Xu
d0cdccd307 Fix generating offloaded ACS channel list when hw_mode is set to any
When ACS is offloaded to device driver and the hw_mode parameter is set
to any, the current_mode structure is NULL which fails the ACS command.
Fix this by populating the ACS channel list with channels from all bands
when current_mode is NULL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-28 23:22:24 +03:00
Jouni Malinen
94edea89fd FST: Print reason for ignoring FST Action frame in debug log
This makes it easier to understand why some frames are not processed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-25 23:20:33 +03:00
Ashok Ponnaiah
8659e33342 atheros: Enable PMF functionality without CONFIG_IEEE80211R=y
This extends the previous PMF (CONFIG_IEEE80211W=y) design that used
functionality from the FT (CONFIG_IEEE80211R=y) changes to work without
requiring CONFIG_IEEE80211R=y build option to be included.

Signed-off-by: Ashok Ponnaiah <aponnaia@qti.qualcomm.com>
2015-07-24 16:55:16 +03:00
Jouni Malinen
48b06c17fa drv_callbacks: Coding style cleanup
Clean up inconsistent whitespace use and split strings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-22 19:56:04 +03:00
Jouni Malinen
de74489276 Move ap_list_timer() to use common AP periodic cleanup mechanism
This reduces number of periodic eloop timeouts when AP mode operations
are in progress.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-20 13:42:35 +03:00
Jouni Malinen
22fd2822f9 Move hostapd_acl_expire() to use common AP periodic cleanup mechanism
This reduces number of periodic eloop timeouts when AP mode operations
are in progress.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-20 13:39:22 +03:00
Jouni Malinen
3188aabaf1 Add shared periodic cleanup function for AP mode
This new mechanism can be used to combine multiple periodic AP
(including P2P GO) task into a single eloop timeout to minimize number
of wakeups for the process. hostapd gets its own periodic caller and
wpa_supplicant uses the previously added timer to trigger these calls.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-20 13:33:30 +03:00
Jouni Malinen
a0f04da517 FST: Mark get_mb_ie() return value const
The caller is not expected to free or modify the value since this is
returning a reference to a buffer maintained by the upper layer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-18 17:23:55 +03:00
PavanKumar N
fab51186dc Allow driver to be set in hostapd through global control interface
This extends the hostapd global control interface ADD command to allow
driver wrapper to be specified ("ADD <ifname> <ctrl_iface> <driver>").
Previously, this case that did not use a configuration file allowed only
the default driver wrapper to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-17 23:54:29 +03:00
Jouni Malinen
66d464067d FT: Register RRB l2_packet only if FT-over-DS is enabled
There is no need to waste resources for this packet socket if FT-over-DS
is disabled or when operating P2P GO or AP mode in wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-17 11:16:15 +03:00
Anton Nayshtut
8bae489f15 FST: Do not prune STAs belonging to the same FST
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
347827ff6e FST: Add FST IEs into AP mode management frames
This adds the FST IEs received from the FST module into Beacon, Probe
Response, and (Re)Association Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
037378ff31 FST: Send FST Action frames to AP mode processing
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
8e9a8b0f8c FST: hostapd control interface
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
6959145b86 FST: Integration into hostapd
This commit integrates the FST into the hostapd.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
ae667c0827 FST: Store MB IEs from (Re)Association Request
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
104bef453b FST: hostapd configuration parameters
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
ee1e3f57b5 hostapd: Global control interface notifications
This commit implements hostapd global control interface notifications
infrastructure. hostapd global control interface clients issue
ATTACH/DETACH commands to register and deregister with hostapd
correspondingly - the same way as for any other hostapd/wpa_supplicant
control interface.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 12:33:29 +03:00
Jouni Malinen
cf6fd19b34 ndisc_snoop: Avoid misaligned read of IPv6 address
The IPv6 address in the frame buffer may not be 32-bit aligned, so use a
local copy to align this before reading the address with 32-bit reads
(s6_addr32[]).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-07 16:25:06 +03:00
Jouni Malinen
aac1efec34 Reject the initial 4-way handshake if initial GTK setup fails
This makes the AP/Authenticator design more robust against unexpected
failures in random number generation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
55413ce072 P2P: Do not allow 40 MHz co-ex PRI/SEC switch to force MCC
Do not allow 40 MHz co-ex PRI/SEC switch to force us to change our PRI
channel if we have an existing connection on the selected PRI channel
since doing multi-channel concurrency is likely to cause more harm than
using different PRI/SEC selection in environment with multiple BSSes on
these two channels with mixed 20 MHz or PRI channel selection.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-28 18:14:58 +03:00
Jouni Malinen
6a58444d27 SAE: Verify that own/peer commit-scalar and COMMIT-ELEMENT are different
This check explicitly for reflection attack and stops authentication
immediately if that is detected instead of continuing to the following
4-way handshake that would fail due to the attacker not knowing the key
from the SAE exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 23:10:36 +03:00
Jouni Malinen
c99df20192 Remove redundant NULL check in ieee802_1x_encapsulate_radius()
The eap argument to this function is never NULL and the earlier
ieee802_1x_learn_identity() call is dereferencing it anyway, so there is
no point in checking whether it is NULL later in the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 18:18:25 +03:00
Jouni Malinen
2eb5967d99 AP: Add more 2.4 GHz channels for 20/40 MHz HT co-ex scan
This needs to find the PRI channel also in cases where the affected
channel is the SEC channel of a 40 MHz BSS, so need to include the
scanning coverage here to be 40 MHz from the center frequency. Without
this, it was possible to miss a neighboring 40 MHz BSS that was at the
other end of the 2.4 GHz band and had its PRI channel further away from
the local BSS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 11:25:22 +03:00
Jouni Malinen
3dce85ceb0 HS 2.0: Add WLAN RADIUS attributes in OSEN case
Previously, the common WLAN-* RADIUS attributes were added only when WPA
or WPA2 was used. These can be of use for OSEN as well, so include them
in that case, too.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-20 23:04:32 +03:00
Andrei Otcheretianski
5d180a7739 drivers: Add freq parameter to send_mlme() function
Change send_mlme() API to allow sending management frames on a specific
channel, overriding the internal driver decision.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
2015-06-14 23:16:55 +03:00
Michael Braun
132dfbe8c2 Fix removal of tagged interface and bridge when multiple BSS share them
Currently, if multiple bss share are bridge and tagged vlan interface,
only the first instance of struct hostapd_vlan for this vlanid will have
the DVLAN_CLEAN_VLAN flag added. Thus, when this instance is removed,
the tagged vlan interface will be removed from bridge, thought other bss
might still need it. Similarily, the bridge will be left over, as the
does not have zero ports when the first instance of a struct
hostapd_vlan is freed.

This patch fixes this by having a global (per process) reference counter
for dynamic tagged vlan and dynamically created bridge interfaces, so
they are only removed after all local users are freed. (struct
hapd_interfaces *)->vlan_priv is used to hold src/ap/vlan_init.c global
per-process data like drv_priv does; right now this is only used for the
interface reference counting, but could get extended when needed. Then
possibly some vlan_global_init / vlan_global_deinit should be added, but
this is not required right now.

Additionally, vlan->configured is checked to avoid reference counter
decreasing before vlan_newlink increased them.

In order to avoid race conditions, vlan_dellink is called explicitly
after hostapd_vlan_if_remove. Otherwise there would be a short timeframe
between hostapd_vlan_if_remove and vlan_dellink during which the struct
hostapd_vlan still exists, so ap_sta_bind_vlan would try to attach
stations to it.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-06-14 13:33:07 +03:00
Jouni Malinen
e19c1d2cc7 Fix pairwise cipher suite bitfields to the driver in mixed mode
Commit 95b6bca66d ('Add rsn_pairwise bits
to set_ieee8021x() driver_ops') modified cipher configuration to use
unconditionally wpa_pairwise | rsn_pairwise. While that works for many
cases, it does not handle the case of dynamic configuration changes over
the control interface where wpa_pairwise or rsn_pairwise values may not
get cleared when the wpa parameter is modified. Fix this inconsistency
by configuring the driver with only the bits that are valid for the
currently enabled WPA/WPA2 version(s).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-06-10 13:49:59 +03:00
Jouni Malinen
c5ee4dd9d9 Fix spelling of initialize in a comment and an error message
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-06-10 12:02:46 +03:00
Alan T. DeKok
f13e815491 Set Acct-Session-Id from os_get_random() instead of os_get_time()
So that systems with bad clocks will send random session IDs,
instead of always ones starting at the same second.

If os_get_random() isn't available, use os_get_time(). But also
mix in now.tv_usec, so that the accounting session ID is more
likely to be globally and temporally unique.

Signed-off-by: Alan DeKok <aland@freeradius.org>
2015-06-06 17:23:43 +03:00
Jouni Malinen
0980c7face hostapd: Make sure band selection does not result in NULL dereference
Explicitly check for iface->current_mode before dereferencing it. While
this case may not happen in practice, it is better for the setup
functions to be more careful when doing the initial band selection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-06-02 20:06:49 +03:00
Peng Xu
3784c0589e Extend hw_mode to support any band for offloaded ACS case
When device supports dual band operations with offloaded ACS, hw_mode
can now be set to any band (hw_mode=any) in order to allow ACS to select
the best channel from any band. After a channel is selected, the hw_mode
is updated for hostapd.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-05-27 12:17:57 +03:00
Srinivasa Duvvuri
567098ec74 ACS: Scan only channels specified in the channel list
The ACS code part of hostapd scans all the channels even if the channel
list is specified in the hostapd.conf. Limit the ACS scan channels to
the list specified in the config file.

Signed-off-by: Srinivasa Duvvuri<sduvvuri@chromium.org>
2015-05-24 10:38:27 +03:00
Matthias May
8884ce03bc hostapd: check validity of cwMin/cwMax values
Signed-off-by: Matthias May <matthias.may@neratec.com>
2015-05-07 20:57:32 +03:00
Michael Braun
9649b5342d vlan: Print libnl error message on vlan_add / vlan_del
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-05-07 20:54:26 +03:00
Jouni Malinen
ef566a4d4f AP WMM: Fix integer underflow in WMM Action frame parser
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
fd66aa63f4 Check Public Action length explicitly before reading Action Code
In theory, the previous version could have resulted in reading one byte
beyond the end of the management frame RX buffer if the local driver
were to deliver a truncated Public Action frame for processing. In
practice, this did not seem to happen with mac80211-based drivers and
even if it were, the extra octet would be an uninitialized value in a
buffer rather than read beyond the end of the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:33:08 +03:00
Hamad Kadmany
01a025937c WPS: Add support for 60 GHz band
Handling of WPS RF band for 60 GHz was missing. Add it in all relevant
places and also map "AES" as the cipher to GCMP instead of CCMP when
operating on the 60 GHz band.

Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
2015-04-28 00:22:16 +03:00
Jouni Malinen
4a7ce98469 Make IPv6 NA multicast-to-unicast conversion configurable
This can be used with Proxy ARP to allow multicast NAs to be forwarded
to associated STAs using link layer unicast delivery. This used to be
hardcoded to be enabled, but it is now disabled by default and can be
enabled with na_mcast_to_ucast=1. This functionality may not be desired
in all networks and most cases work without it, so the new
default-to-disabled is more appropriate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-27 12:30:09 +03:00
Michael Braun
a0ad9e8c9e Remove WPA per-VLAN groups when no more stations remain
Previously, struct wpa_group was created when the first station enters
the group and the struct wpa_group was not freed when all station left
the group. This causes a problem because wpa_group will enter
FATAL_FAILURE when a wpa_group is running while the AP_VLAN interface
has already been removed.

Fix this by adding a reference counter to struct wpa_group and free a
group if it is unused.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-26 16:56:22 +03:00
Jouni Malinen
87b5b53959 Make VLAN ID available in STA info over control interface
If hostapd has bound a STA into a specific VLAN, the new vlan_id
parameter in the control interface STA command can now be used to check
which VLAN ID is in use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-26 15:58:10 +03:00
Jouni Malinen
209214b479 vlan: Move CONFIG_FULL_DYNAMIC_VLAN includes to proper places
All the system header files are supposed to be included before any other
internal header file apart from utils/includes.h.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-26 13:36:55 +03:00
Jouni Malinen
a6da824b19 Do not use C++ reserved words as variable names
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-26 13:36:55 +03:00
Masashi Honma
fabc6dd8c4 mesh: Retransmit the last Commit Message in the Committed state
Previously, mesh state machine transmits updated Commit Message when
receiving a Confirm Message in Committed state. According to the
standard, it should (re)send the latest Commit Message previously sent.

IEEE Std 802.11-2012, 11.3.8.6.4 Protocol instance behavior - Committed
state:
"Upon receipt of a Con event, ... If Sync is not greater than
dot11RSNASAESync, the protocol instance shall increment Sync, transmit
the last Commit Message sent to the peer, and set the t0
(retransmission) timer."

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-04-25 15:36:41 +03:00
Michael Braun
068669fc92 vlan: Verify RADIUS returned VLAN-ID and dynamic_vlan=required
This extends dynamic_vlan=required checks to apply for WPA-PSK with
macaddr_acl=2 (RADIUS) case.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-25 10:28:19 +03:00
Jouni Malinen
d6fefd64d2 Simplify HT Operation element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
40baac0e43 Simplify VHT Capabilities element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
baae4cb9b4 Simplify HT Capabilities element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
e8997b9407 Simplify ERP element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
f87c99c787 Simplify DSSS Parameter Set element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the only allowed element length is one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
253103681c FT: Fix WMM TSPEC validation in driver-based AP MLME case
Commit 88b32a99d3 ('FT: Add FT AP support
for drivers that manage MLME internally') added an alternative way of
processing the WMM TSPEC from RIC. However, that change did not seem to
include the same checks for WMM TSPEC element length that were used in
the original implementation for MLME-in-hostapd case. Fix this by
sharing the older implementation of copying the WMM TSPEC from RIC for
both cases.

It looks like the destination buffer for the response is sufficiently
long for the fixed length copy, but it may have been possible to trigger
a read beyond the end of the FTIE by about 50 bytes. Though, that seems
to be within the buffer received for RX buffer in the case that uses
this driver-based AP MLME design for FT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:19 +03:00
Jouni Malinen
26b3f64428 tests: Add ap-mgmt-fuzzer
This program can be used to run fuzzing tests for areas related to AP
management frame parsing and processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 11:44:19 +03:00
Jouni Malinen
d6c3067d32 Replace SSID_LEN with SSID_MAX_LEN
This makes source code more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:19 +03:00
Jouni Malinen
81847c22ba Replace HOSTAPD_MAX_SSID_LEN with SSID_MAX_LEN
This makes source code more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:44:18 +03:00
Jouni Malinen
f41ded6fa4 Remove unused leftover from multi-SSID design
The multi-SSID design that used a single beaconing BSSID with multiple
SSIDs was never completed in this repository, so there is no need to
maintain the per-STA ssid/ssid_probe pointers that could only point to
&hapd->conf->ssid. Save some memory and reduce code complexity by
removing this unused partial capability.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-22 11:17:32 +03:00
Jouni Malinen
1acf38f1a5 Add ifname to vlan_remove_dynamic() debug print
This makes it easier to interpret debug logs for cases where hostapd
control multiple interfaces.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-13 17:08:10 +03:00
Jouni Malinen
2e192bd08f Print debug entry on STA pruning from other interfaces
This makes it easier to interpret debug logs in case hostapd controls
multiple interfaces and a STA roams between them.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-13 17:08:10 +03:00
Michael Braun
c8e6beabb6 Remove VLAN interface on STA free
Currently, vlan_remove_dynamic() is only called when the station VLAN ID
is changed (ap_sta_bind_vlan), but not when the station is freed. So
dynamic VLAN interfaces are not removed actually except within 1x
reauthentification VLAN ID change, although most of the code is already
there.

This patch fixes this by calling vlan_remove_dynamic() in ap_free_sta().

It cannot just use sta->vlan_id for this, as this might have been
changed without calling ap_sta_bind_vlan() (ap/ieee802_11.c:handle_auth
fetches from RADIUS cache for WPA-PSK), thus reference counting might
not have been updated. Additionally, reference counting might get wrong
due to old_vlanid = 0 being passed unconditionally, thus increasing the
reference counter multiple times.

So tracking the currently assigned (i.e., dynamic_vlan counter
increased) VLAN is done in a new variable sta->vlan_id_bound. Therefore,
the old_vlan_id argument of ap_sta_bind_vlan() is no longer needed and
setting the VLAN for the sta in driver happens unconditionally.

Additionally, vlan->dynamic_vlan is only incremented when it actually
is a dynamic VLAN.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 17:08:10 +03:00
Michael Braun
de31fb052c vlan: Ignore multiple NEWLINK messages
hostapd receives NEWLINK messages multiple times and thus does
configuration of the the vlan interface multiple times.

This is not required and leads to the following during cleanup in
test pmksa_cache_preauth_vlan_used:
 1. run-test.py does: brctl delif brvlan1 wlan3.1
 2. hostapd processes NEWLINK and does: brctl addif brvlan1 wlan3.1
 3. run-test.py does: brctl delbr brvlan1
    -> fails as wlan3.1 is still in the bridge

This patch fixes this by ignoring repeated NEWLINK messages.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:34:33 +03:00
Michael Braun
371205dd0c vlan: Ignore DELLINK on interfaces that exists
When hitting
> Failed to create interface wlan3.1: -23 (Too many open files in system)
> Try to remove and re-create wlan3.1
hostapd deletes the AP_VLAN interface and then recreates it. Thus the
kernel assigns the same ifidx to the new interfaces and sends DELLINK
and NEWLINK mesages.

As the DELLINK messages are processed after the struct hostapd_vlan is
added, hostapd deletes the struct hostapd_vlan entry, deconfigures the
AP_VLAN interface and leaves vlan_newlink nothing to find afterwards.

So this patch makes DELLINK messages to be ignored when the interface
exists.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:31:56 +03:00
Michael Braun
a5e81ba9eb Fix STA VLAN bind for RSN pre-authentication case
Previously, during RSN preauthentication, ap_sta_bind_vlan() was called,
which fails for non-zero sta->vlan_id as the station is not known to the
kernel driver.

Fix this by binding the station only if it is associated. If it is not
associated, ap_sta_bind_vlan() will be done later during association.

In addition, reject Access-Accept if the returned VLAN ID is not valid
in the current hostapd configuration.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:26:40 +03:00
Michael Braun
3ffdeb7ac8 Fix RSN preauthentication with dynamic_vlan enabled but unused
sta->vlan_id == -1 means no VLAN, as does vlan_id = 0.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-13 15:26:40 +03:00
Jouni Malinen
60eb9e173e AP: Enable multicast snooping on bridge if ProxyARP IPv6 is in use
This is needed to allow correct ProxyARP behavior for IPv6.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-13 14:00:32 +03:00
Jouni Malinen
df8191d0b8 Rename HT 20/40 coex variable to be more descriptive
is_ht_allowed is a confusing name since this variable is used to track
whether 40 MHz channel bandwidth is allowed instead of whether HT is
allowed in general.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-30 12:59:43 +03:00
Eliad Peller
154a1d5f7f hostapd: Fix some compilation errors
If NEED_AP_MLME=y is not defined, compilation might
fail under some configurations:

src/ap/drv_callbacks.c:594:2: warning: implicit declaration of
function ‘hostapd_acs_completed’ [-Wimplicit-function-declaration]

src/ap/sta_info.c:253: undefined reference to `sae_clear_retransmit_timer'

Fix these errors by adding the missing hostapd_acs_completed() stub,
and defining NEED_AP_MLME in case of CONFIG_SAE.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2015-03-29 20:51:14 +03:00
Ben Greear
fc48d33b0d Improve error messages related to EAP DB
Add SQLite error message and DB name to the DB related errors. Add
enough tracing so that users can know exactly where users are failing to
be found.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2015-03-28 13:16:26 +02:00
Ilan Peer
54d3dc9184 AP: Unset HT capabilities for an HT association request without WMM
HT requires QoS/WMM, so unset HT capabilities for a station
whose association request does not include a valid WMM IE.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-03-25 15:02:58 +02:00
Ashok Kumar Ponnaiah
1de071007e atheros: Clear WPS appie during deinit
The WPS IE(s) need to be cleared from the driver explicitly.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-24 15:05:43 +02:00
Manikandan Mohan
857d94225a Extend offloaded ACS QCA vendor command to support VHT
Update ACS driver offload feature for VHT configuration. In addition,
this allows the chanlist parameter to be used to specify which channels
are included as options for the offloaded ACS case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-23 12:18:05 +02:00
Eliad Peller
030a3e12da DFS: Fix range availability check
There's off-by-one in the range availability check - the case of
first_chan_idx + num_chans == num_channels should be allowed (e.g., 0 +
1 == 1, for the case of a single 20 MHz channel).

Signed-off-by: Maital Hahn <maitalm@ti.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
2015-03-20 15:56:59 +02:00
Eliad Peller
56ef99255c DFS: Consider non-contiguous channels
When looking for a new operating channel, consider the case of
non-contiguous channels when checking all the needed channels (e.g., the
driver might support channels 36, 38, 40, so look for channels 36+40
explicitly, instead of failing when encountering channel 38).

Signed-off-by: Eliad Peller <eliad@wizery.com>
2015-03-20 15:56:59 +02:00
Jouni Malinen
2c50246078 Add a AP mode event message for possible PSK/passphrase mismatch
If the AP/Authenticator receives an EAPOL-Key msg 2/4 for an association
that negotiated use of PSK and the EAPOL-Key MIC does not match, it is
likely that the station is trying to use incorrect PSK/passphrase.
Report this with "AP-STA-POSSIBLE-PSK-MISMATCH <STA addr>" control
interface event.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-19 13:14:21 +02:00
Jouni Malinen
39c3bfcde3 Indicate AP-DISABLED on main AP mode deinit path
This event was previously used only when disabling AP mode operation
through hostapd control interface. Make this more consistent by
providing same indication when disabling hostapd interface through the
interface deinit path. This adds the event to the case where a full
hostapd radio instance is removed which also applies for the
wpa_supplicant AP mode operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-14 10:14:22 +02:00
Ahmad Kholaif
1e2aaffbc8 DFS offload: Indicate AP-CSA-FINISHED for DFS offloaded case
Modify the string for AP-CSA-FINISHED event indication to include a flag
which tells the framework whether the new channel is a DFS channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 17:22:03 +02:00
Ahmad Kholaif
c13578c339 DFS offload: Add main DFS handler for offloaded case
Add handling logic for DFS offloaded case, and add a helper function
that takes the frequency (MHz) as a param and returns 1 if given channel
requires DFS, or 0 otherwise.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 17:21:30 +02:00
Ahmad Kholaif
5de81d7a7a DFS offload: Skip user space processing for CAC operations
If DFS is offloaded to the driver, hostapd should not be performing
these operations. Send the relevant control interface events to provide
information to upper layer software that may use such events to track
DFS/CAC state. This makes the offloaded DFS implementation more
consistent with the DFS-in-hostapd behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-05 16:24:39 +02:00
Rajkumar Manoharan
d988ff76bf hostapd: Disable VHT caps for STAs when no valid VHT MCS found
Disable VHT caps for STAs for which there is not even a single
allowed MCS in any supported number of streams. i.e STA is
advertising 3 (not supported) as VHT MCS rates for all supported
streams.

Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
2015-02-28 21:00:00 +02:00
Stefan Tomanek
891dfb3336 Add helper function to clear and free wpa_psk list
This change adds the function hostapd_config_clear_wpa_psk() that
deletes an entire wpa_psk structure, making sure to follow the linked
list and to free the allocated memory of each PSK node. This helps to
prevent memory leaks when using PSKs from multiple sources and
reconfiguring the AP during runtime.

Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
2015-02-21 17:11:15 +02:00
Eliad Peller
0b8bcaa50f P2P: Allow configuring CTWindow when working as GO
Read p2p_go_ctwindow (0-127 TUs) from the config file, and pass it to
the driver on GO start.

Use p2p_go_ctwindow=0 (no CTWindow) by default.

Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
2015-02-21 16:07:53 +02:00
Janusz Dziedzic
ada157f3b0 Make hostapd_set_freq_params() common
Now this function can also be used from wpa_supplicant.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-02-21 16:07:53 +02:00
Jouni Malinen
c165cb400c Drop all hostapd STA entries on interface disabled event
If the driver indicates that the interface has been disabled, assume
that all associations have been lost and remove the hostapd STA entries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-11 10:31:12 +02:00
Jouni Malinen
eeb1cb28a2 VLAN: Clean up RTM_NEW/DELLINK processing
This uses couple of additional helper macros and prints more debug
information to make the VLAN events easier to analyze.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-11 10:31:12 +02:00
Peter Oh
47e5fbde44 hostapd: Avoid sending client probe on removed client
Sending client probe on already removed client from kernel driver does
not have any benefit and may lead unintended behavior among variable
drivers (mac80211 has a WARN_ON() that could have been triggered after
ifconfig down+up earlier when hostapd did not re-enable beaconing on
ifup). Skip this step in discussion when the kernel driver reports that
client entry is removed.

Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
2015-02-10 22:21:03 +02:00
Jouni Malinen
34782730c0 Re-configure WPA2 group keys on hostapd interface re-enable
This allows WPA2 mode AP to be re-enabled automatically after external
ifconfig down + up on a netdev used by hostapd.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-10 20:27:00 +02:00
Jouni Malinen
f33c8606f4 Re-enable beaconing on interface disable+enable
This is a step towards enabling hostapd to restart AP mode functionality
if the interface is disabled and re-enabled, e.g., with ifconfig down
and up. This commit takes care of beaconining only which may be
sufficient for open mode connection, but not for WPA2 cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-10 20:27:00 +02:00
Ilan Peer
c612ae97a4 AP: Do not reply to Probe Request frames with DS Params mismatch
Do not reply to a Probe Request frame with a DSSS Parameter Set element
in which the channel is different than the operating channel of the AP,
as the sending station is not found on the AP's operating channel.

IEEE Std 802.11-2012 describes this as a requirement for an AP with
dot11RadioMeasurementActivated set to true, but strictly speaking does
not allow such ignoring of Probe Request frames if
dot11RadioMeasurementActivated is false. Anyway, this can help reduce
number of unnecessary Probe Response frames for cases where the STA is
less likely to see them (Probe Request frame sent on a neighboring, but
partially overlapping, channel).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-02-08 22:49:41 +02:00
Jouni Malinen
99650cadc9 Add STOP_AP control interface command
This is mainly for testing purposes to allow beaconing to be stopped
without clearing AP state in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-08 13:35:49 +02:00
Jouni Malinen
4fada1215d Fix HT40 co-ex scanning issue on hostapd error path
If HT40 co-ex scan fails due to the driver rejecting scan triggers
multiple times, it was possible for the ap_ht40_scan_retry() timeout
being left behind and it getting run after hapd->drv_priv has been
cleared. This would result in NULL pointer dereference in
driver_nl80211_scan.c. Fix this by canceling the timeout when disabling
the interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-07 15:37:13 +02:00
Jouni Malinen
0d7eb4344f ACS: Accept channel if any (rather than all) survey results are valid
Previously, a channel with even a single scan/survey result missing
information was skipped in ACS. This may not be desirable in cases when
multiple scan iterations are used (which is the case by default in
hostapd). Instead, use all channels that provided at least one complete
set of results. Calculate the average interference factor as an average
of the iterations that did provide complete values.

This seems to help with some cases, e.g., when ath9k may not be able to
report the noise floor for all channels from the first scan iteration
immediately after the driver has been loaded, but then returns it for
all other scan iterations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 21:26:32 +02:00
Jouni Malinen
68fa00c341 ACS: Allow specific channels to be preferred
The new acs_chan_bias configuration parameter is a space-separated list
of <channel>:<bias> pairs. It can be used to increase (or decrease) the
likelihood of a specific channel to be selected by the ACS algorithm.
The total interference factor for each channel gets multiplied by the
specified bias value before finding the channel with the lowest value.
In other words, values between 0.0 and 1.0 can be used to make a channel
more likely to be picked while values larger than 1.0 make the specified
channel less likely to be picked. This can be used, e.g., to prefer the
commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 17:59:57 +02:00
Jouni Malinen
6f41a25805 ACS: Use weighted average for 2.4 GHz adjacent channel interference
The interference factors for adjacent 2.4 GHz channels were summed
together without doing any kind of weighted average on them. This
resulted in the channels at the band edges getting undue preference due
to only including interference factors from three channels vs. five for
the channels in the middle of the band.

While it is somewhat unclear whether the design here was supposed to
count overlapping channels together in this way or whether that is
already covered in channel survey results, it is clear that this summing
of three to five values together and then comparing the sum rather than
average of some kind gives too much preference to the channels at the
edges of the band by assuming that there is no interference whatsoever
outside the band.

Use weighted average of the interference factors rather than a sum from
different number of values. For now, the adjacent 2.4 GHz channels get
weight of 0.85 (1.0 for the main channel itself) and the neighboring
channels to those adjacent ones get 0.55 weight. Band-edge channels are
handled in a way that takes average over the channels that were actually
considered instead of assuming zero interference from neighboring bands.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 17:21:17 +02:00
Jouni Malinen
d027c7b118 Fix 20/40 MHz co-ex report processing with obss_interval=0
If OBSS scan interval is not set, the AP must not schedule a timeout to
restore 40 MHz operation immediately after having moved to a 20 MHz
channel based on an unsolicited co-ex report. Fix this by scheduling the
timeout only if obss_interval is non-zero.

Since we do not currently support AP doing OBSS scans after the initial
BSS setup, this means practically that 40-to-20 MHz transition is
allowed, but 20-to-40 MHz is not with obss_interval=0. The latter gets
enabled if obss_interval is set to a non-zero value so that associated
STAs can take care of OBSS scanning.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 12:29:37 +02:00
Helmut Schaa
66bc6830d5 hostapd: Simplify vlan_add_dynamic error paths
Preparation for upcoming changes.
No functional changes.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
2015-02-01 11:06:24 +02:00
Jouni Malinen
a565e03086 dhcp_snoop: Make IPv4 addresses human readable in debug log
Use standard numbers-and-dots format for IPv4 in debug logs instead
of hexdump in two different byte orders.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-30 18:55:22 +02:00
Jouni Malinen
2dd4f3aede Fix STA re-bind to another VLAN on reauthentication
Previously, the old VLAN ID could have been deleted before the STA was
bound to the new VLAN in case the RADIUS server changed the VLAN ID
during an association. This did not exactly work well with mac80211, so
reorder the operations in a way that first binds the STA to the new VLAN
ID and only after that, removes the old VLAN interface if no STAs remain
in it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-30 01:09:51 +02:00
Jouni Malinen
1180dd66a9 WPA auth: Disconnect STA if MSK cannot be fetched
Previously, it was possible for some corner cases to leave the WPA
authenticator state machine running if PMK could not be derived. Change
this to forcefully disconnect the STA to get more consistent behavior
and faster notification of the error.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-29 22:31:41 +02:00
Jouni Malinen
40aaa64f9f WPA auth: Clear temporary MSK storage from stack explicitly
This reduces the duration of time a key may remain unnecessarily in
memory.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-29 22:24:27 +02:00
Jouni Malinen
01b481aff3 Convert couple of remaining printf to wpa_printf in ap_list
This type of error reporting cases should use wpa_printf() to get
consistent debug logging behavior.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-29 21:12:51 +02:00
Jouni Malinen
5e3b5197cc Add Suite B 192-bit AKM
WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into
use as the key management method.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:52 +02:00
Jouni Malinen
98cd3d1c3b Preparations for variable length KCK and KEK
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:49 +02:00
Ben Greear
400de9b1fe hostapd: Debug messages for dodgy RADIUS servers
These were helpful when tracking down why hostapd did not work
properly with a RADIUS server.

Signed-hostap: Ben Greear <greearb@candelatech.com>
2015-01-23 01:48:27 +02:00
Haim Dreyfuss
b62b0cb78a WNM: Fix possible memory leak by free buf
Buf is allocated and may not be freed on an error path.

Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
2015-01-20 02:14:19 +02:00
Avraham Stern
948d3a8731 hostapd: Remove unused variable from hostapd_get_hw_features
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2015-01-20 02:10:33 +02:00
Eytan Lifshitz
414f23d8b9 Avoid NULL string in printf on EAP method names in authenticator
In ieee802_1x_decapsulate_radius(), eap_server_get_name() may return
NULL, and it could be dereferenced depending on printf implementation.
Change it to return "unknown" instead for the case of no matching EAP
method found. This makes it easier for the callers to simply print this
in logs (which is the only use for this function).

Signed-off-by: Eytan Lifshitz <eytan.lifshitz@intel.com>
2015-01-20 02:07:22 +02:00
Adrien Decostre
1648cc6427 ACS: Allow subset of channels to be configured
Add the possibility to define a subset of channels used by the ACS
engine when not operating on DFS channels.

Signed-off-by: Adrien Decostre <ad.decostre@gmail.com>
2015-01-19 02:35:43 +02:00
Masashi Honma
b9749bac81 AP: Expire STA without entry in kernel
If the inactivity check returns that there is no entry remaining for the
STA in the kernel, drop the STA in hostapd as well.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-19 02:35:43 +02:00
Masashi Honma
a114c7235a AP: Remove redundant condition for STA expiration
This condition is always true because of surrounding if.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-01-19 02:35:43 +02:00
Jouni Malinen
cbc210de09 RADIUS DAS: Allow PMKSA cache entry to be removed without association
This extends Disconnect-Request processing to check against PMKSA cache
entries if no active session (STA association) match the request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 15:55:39 +02:00
Jouni Malinen
4e871ed1c3 RADIUS DAS: Support Acct-Multi-Session-Id as a session identifier
This extends Disconnect-Request support for an additiona session
identification attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-16 13:09:44 +02:00
Jouni Malinen
b52c0d453f Add authMultiSessionId into hostapd STA info
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 13:07:14 +02:00
Jouni Malinen
861beb7269 RADIUS DAS: Check for single session match for Disconnect-Request
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-16 12:50:16 +02:00
Jouni Malinen
dd5f902584 Get rid of a compiler warning
Commit e7d0e97bdb ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-14 01:38:26 +02:00
Yanbo Li
e7d0e97bdb hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.

This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
2015-01-14 00:59:22 +02:00
Janusz Dziedzic
a828f626af Make check_40mhz_2g4 common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
fdd989d17a Make check_20mhz_bss common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
0e550fe496 Make check_40mhz_5g common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
6d5d098f77 Make get_pri_sec_chan() common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
514427437a Introduce common allowed_ht40_channel_pair()
This can be used from hostapd/wpa_supplicant.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Janusz Dziedzic
5f10b7f498 Use common hw_get_freq/hw_get_chan helpers in hostapd
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Bob Copeland
f3b8ad4d78 SAE: Implement retransmission timer
Add the t0 retransmission timer as specified by IEEE Std 802.11-2012,
11.3.8.4. This makes SAE much more likely to succeed in the case of lost
frames.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2015-01-10 17:35:52 +02:00
Bob Copeland
a206e2a175 SAE: Centralize function for sending initial COMMIT
When performing SAE authentication in mesh, one station may
initiate authentication by sending a COMMIT as soon as a peer
candidate is discovered. Previously we did this in mesh_rsn.c,
but this left some of the state initialization in a different
part of the code from the rest of the state machine, and we may
need to add other initializations here in the future, so move
that to a more central function.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2015-01-10 11:43:29 +02:00
Jouni Malinen
27d9701dea Fix a memory leak on WPA authenticator error path
wpa_auth->group needs to be freed if PMK cache setup fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-08 02:34:08 +02:00
Jouni Malinen
c1c07dcb70 Fix hostapd interface addition error path
The local conf pointer needs to be cleared once it gets assigned to
hapd_iface to avoid double-free of the configuration data on error path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-08 02:34:08 +02:00
Jouni Malinen
e10422c025 Fix memory leak on hostapd BSS addition error path
The per-BSS configuration information needs to be freed if hostapd fails
to add a new interface for a BSS added with "ADD bss_config=..."
command.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 18:30:20 +02:00
Jouni Malinen
2801659268 Fix hostapd initialization error path on allocation failure
If hostapd_alloc_bss_data() failed to allocate the struct hostapd_data
instance, dynamic interface addition path ended up trying to dereference
freed memory due to incorrect cleanup steps. Fix this by decrementing
the interface count when the newly added interface is removed. In
addition, make the setup more robust by clearing all changes within
hostapd_data_alloc() if any of the allocations fails.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 18:30:20 +02:00
Jouni Malinen
4e8f31e2ef doc: Extend driver.h documentation
This documents some more parts of the driver wrapper interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-03 18:24:20 +02:00
Jouni Malinen
8509fb5cce D-Bus: Fix memory leak on P2P GO WPSVendorExtensions
It was possible to add WPS vendor extensions through the D-Bus
WPSVendorExtensions setter, but these extensions were not freed when the
P2P GO was stopped or when replacing previously configured extensions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-30 22:22:39 +02:00
Jouni Malinen
eae3df7ee4 P2P: Fix memory leak on GO startup failure path
Some of the struct hostapd_data variables get initialized with allocated
memory in the P2P GO case even before hapd->started has been set to 1.
As such, hostapd_free_hapd_data() needs to free these even if
!hapd->stated.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-25 16:37:12 +02:00
Jouni Malinen
3a322496f9 mesh: Delay Authentication frame process with no_auto_peer
There is a possible race condition between receiving the
NEW_PEER_CANDIDATE event and the Authentication frame from the peer.
Previously, if the Authentication frame RX event was indicated first,
that frame got dropped silently. Now, this frame is still dropped, but a
copy of it is stored and the frame gets processed on the following
NEW_PEER_CANDIDATE event if that is received for the same peer within
two seconds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-23 13:44:38 +02:00
Jouni Malinen
0acc2c809d HT: More robust 20/40 coex Action frame parsing
Commit 587d60d2b7 ('Add AP mode support
for HT 20/40 co-ex Action frame') added processing of co-ex report, but
did not include proper bounds checking or IE type checking for the
payload. Furthermore, this was not ready for the possible extensibility
of the 20/40 BSS Coexistence element.

Fix these by checking IE ids for both elements and doing more
apprioriate bounds checking for the element lengths to avoid potentially
reading beyond the frame buffer. Though, the event receive buffer in
both libnl and driver_nl80211_monitor.c is sufficiently large to make it
very unlikely that the maximum read of about 260 bytes beyond the end of
the Action frame would really have any chances of hitting the end of the
memory buffer, so the practical effect of missing bounds checking would
have been possibly accepting an invalid report frame and moving to 20
MHz channel unnecessarily.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-22 21:54:11 +02:00
Jouni Malinen
2a32ad66da HT: Fix 20/40 coex Action frame parsing
Commit 5ce3ae4c8f tried to clean up
fetching a pointer to the action code field, but it forgot to add
IEEE80211_HDRLEN to the pointer. This resulted in the coex report
elements being read from too early in the frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-22 20:41:19 +02:00
Jouni Malinen
13a3a20dfe Fix wpa_key_mgmt and wpa_pairwise configuration for non-WPA
These hostapd configuration parameter was left at the default values
(WPA-PSK/TKIP) even for cases where WPA was disabled. While these
parameters are not really used much in non-WPA cases, they do get used
for one corner case in nl80211 configuration to disable encryption of
EAPOL frames in IEEE 802.1X WEP case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-20 18:44:43 +02:00
Jouni Malinen
afa2ffb413 SAE: Check Status Code in Authentication frames
While other authentication algorithms mark Status Code as being Reserved
in the case of the transaction number 1, SAE does not. Check that the
Status Code indicates success before creating SAE state. In addition,
fix the mesh anti-clogging token request parsing on big endian CPUs.

Transaction number 2 (confirm) can also have non-zero Status Code to
report an error. Those should be processed, but not replied to with yet
another error message. This could happen in mesh case. Avoid a loop of
error messages by dropping the non-success case without additional
response.

In addition, don't reply to unknown transaction numbers if the status
code is non-zero. This avoids a loop of error messages if an invalid
frame where to be injected (or unlikely corruption were to occur).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-15 00:06:56 +02:00
Jouni Malinen
bd0b620371 SAE: Add sae_group to AP/mesh mode STA ctrl_iface data
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 20:14:33 +02:00
Jouni Malinen
9ae52e7034 Clean up VHT configuration validation
There is no need to use runtime call to find_first_bit() to determine
shift amount for a constant integer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 19:00:38 +02:00
Jouni Malinen
2c6411edd0 ERP: Add ERP_FLUSH for hostapd
This can be used to drop any pending ERP key from both the internal AP
authentication server and RADIUS server use of hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 15:47:04 +02:00
Jouni Malinen
0629eeb490 RRM: Add AP mode minimal advertisement support for testing
The new hostapd.conf radio_measurements parameter can now be used to
configure a test build to advertise support for radio measurements with
neighbor report enabled. There is no real functionality that would
actually process the request, i.e., this only for the purpose of minimal
STA side testing for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 20:45:31 +02:00
Jouni Malinen
774d414513 Fix AP IE in EAPOL-Key 3/4 for WPA + FT combination
Previously, only WPA + WPA2 was covered. If FT is enabled in addition to
WPA, MDIE is included in the buffer between RSN and WPA elements. The
previous version ended up leaving only the MDIE after having skipped RSN
element. Fix this to skip MDIE as well to leave only WPA IE regardless
of whether FT is enabled in AP configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-12 14:03:36 +02:00
Jouni Malinen
aaadd72733 Check os_snprintf() result more consistently - more checks
Add more os_snprintf() result validation checks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
a80ba67a26 Check os_snprintf() result more consistently - success case
This converts os_snprintf() result validation cases to use
os_snprintf_error() in cases where success condition was used to execute
a step. These changes were done automatically with spatch using the
following semantic patch:

@@
expression E1,E2,E3;
statement S1;
@@

  E1 = os_snprintf(E2, E3, ...);
- if (\( E1 >= 0 \| E1 > 0 \) && \( (size_t) E1 < E3 \| E1 < (int) E3 \| E1 < E3 \))
+ if (!os_snprintf_error(E3, E1))
  S1

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
faebdeaa9e Use os_calloc() instead of os_zalloc()
Automatic changes with spatch using the following semantic patch:

@@
constant C;
type T;
@@

- os_zalloc(C*sizeof(T))
+ os_calloc(C,sizeof(T))

@@
expression E;
type T;
@@

- os_zalloc((E)*sizeof(T))
+ os_calloc(E,sizeof(T))

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
80d5a3db9a WPS: Start EAPOL immediately even without WPA on WPS association
Previously, the immediate EAPOL authenticator startup was scheduled
without having received EAPOL-Start only for the case where WPA/WPA2 was
enabled. This can be extended to speed up non-WPA/WPA2 cases as well if
the STA includes WPS IE in Association Request frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
71f1d1e54d hostapd: Fix memory leak on dynamic add-BSS error path
If "ADD bss_config=" command failed in driver_init() or
hostapd_setup_interface(), some of the allocated resources were not
freed properly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-06 17:42:23 +02:00
Jouni Malinen
369d07afc1 FT: Make aes_wrap() call easier to analyze
Using aes_wrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is not just the single struct member. (CID 68111)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-06 12:16:32 +02:00
Jouni Malinen
7696760388 FT: Make aes_unwrap() calls easier to analyze
Using aes_unwrap() to initialize a data structure seemed to be too much
for some static analyzers to understand. Make it obvious that the target
is initialized and that the target is not just the single struct member.
In addition, clean up the design to avoid removal of const with a
typecast. (CID 68112, CID 68134, CID 68135, CID 68136)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-06 12:16:32 +02:00
Jouni Malinen
5085ffb8f8 hostapd: Fix HT40 determination for ACS offload
Commit 16689c7cfc ('hostapd: Allow ACS to
be offloaded to the driver') used incorrect operator to determine
whether HT40 was configured. Fix that to mask the ht_capab bit
correctly. (CID 77286)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-05 01:08:40 +02:00
Jouni Malinen
d3bddd8b84 ERP: Add support for ERP on EAP server and authenticator
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.

The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:27 +02:00
Jouni Malinen
2a5156a66c ERP: Add optional EAP-Initiate/Re-auth-Start transmission
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:08:56 +02:00
Peng Xu
16689c7cfc hostapd: Allow ACS to be offloaded to the driver
Using QCA vendor command, allow ACS function to be offloaded to the
driver. Once channels are selected, hostapd is notified to perform OBSS
operation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-03 22:31:53 +02:00
Jouni Malinen
631739b361 Clear WLAN_STA_ASSOC_REQ_OK on AP-initiated deauthentication
This flag was left in the STA entry for the short duration after the STA
gets deauthenticated. If the STA sends a Class 2 or 3 frame during that
short time, the AP would not have replied with Deauthentication frame
indicating no association is present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 13:31:54 +02:00
Jouni Malinen
0ecff8d7c3 Add hostapd driver_params config parameter
This is mainly for development testing purposes to allow driver_nl80211
behavior to be modified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 13:24:42 +02:00
Jouni Malinen
ebd557288c Remove forgotten driver_test.c variables
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 12:49:55 +02:00
Jouni Malinen
bcb132e185 proxyarp: Validate IPv4 header total length value in dhcp_snoop
This field needs to be validated in addition to validating the total
length of the received frame to avoid reading beyond the frame buffer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:41:26 +02:00
Jouni Malinen
8c5043b42c proxyarp: Relax frame length limit for RA and NA
Only the NS frames should be checked to be long enough to cover all the
fields used in the NS data structure. This allows shorter RA and NA
frames to be processed for multicast-to-unicast rules.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:37:05 +02:00
Jouni Malinen
ef3ea80c68 proxyarp: Fix x_snoop multicast-to-unicast debug print
l2_packet_send() returns >= 0 on success, i.e., non-zero value does not
mean failure. Fix this debug print to show up only on negative return
values.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:37:05 +02:00
Jouni Malinen
89052e9952 proxyarp: Add debug log entry on multicast-to-unicast conversion
This makes it easier to debug operations. The debug message is marked
EXCESSIVE, though, to avoid filling the logs with too much information
in default debugging cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:37:05 +02:00
Jouni Malinen
df131d4597 proxyarp: Try multicast-to-unicast conversion only for authorized STAs
There is no point in trying to send the unicast converted version to a
STA that is not in authorized state since the driver would be expected
to drop normal TX Data frames in such state.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:36:56 +02:00
Jouni Malinen
a6b4ee217a proxyarp: Print learned IPv6 address in debug log
This makes it easier to debug issues related to IPv6 address snooping.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-26 01:09:54 +02:00
Jouni Malinen
a7fb5ea463 proxyarp: Fix DHCP and ND message structures
These need to be marked packed to avoid issues with compilers
potentially adding padding between the fields (e.g., gcc on 64-bit
seemed to make struct icmpv6_ndmsg two octets too long which broke IPv6
address discovery).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-26 01:09:54 +02:00
Jouni Malinen
a437378f98 proxyarp: Use C library header files and CONFIG_IPV6
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-25 16:58:21 +02:00
Masashi Honma
a959a3b69d SAE: Fix Anti-Clogging Token request frame format
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 16:08:53 +02:00
Masashi Honma
872b754512 mesh: Fix SAE anti-clogging functionality for mesh
The mesh anti-clogging functionality is implemented partially. This
patch fixes to parse anti-clogging request frame and use anti-clogging
token.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-25 15:33:04 +02:00
Jouni Malinen
5c6787a6ca PeerKey: Clean up EAPOL-Key Key Data processing on AP
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-23 21:03:40 +02:00
Jouni Malinen
5351480047 Add BSS-TM-RESP ctrl_iface event
This event allows external monitors to track STA response to BSS
Transition Management Request.

BSS-TM-RESP <STA addr> status_code=<#> bss_termination_delay=<#>
[target_bssid=<BSSID>]

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-22 16:34:34 +02:00
Jouni Malinen
a30dff07fb Add BSS_TM_REQ command to send BSS Transition Management Request
hostapd control interface can now be used to request transmission of a
BSS Transition Management Request frame to a specified station.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 16:34:34 +02:00
Jouni Malinen
f23c5b17e1 AP: Extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
If the 4-way handshake ends up having to retransmit the EAPOL-Key
message 1/4 due to a timeout on waiting for the response, it is possible
for the Supplicant to change SNonce between the first and second
EAPOL-Key message 2/4. This is not really desirable due to extra
complexities it causes on the Authenticator side, but some deployed
stations are doing this.

This message sequence looks like this:
AP->STA: EAPOL-Key 1/4 (replay counter 1, ANonce)
AP->STA: EAPOL-Key 1/4 (replay counter 2, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 1, SNonce 1)
AP->STA: EAPOL-Key 3/4 (replay counter 3, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 2, SNonce 2)
followed by either:
STA->AP: EAPOL-Key 4/4 (replay counter 3 using PTK from SNonce 1)
or:
AP->STA: EAPOL-Key 3/4 (replay counter 4, ANonce)
STA->AP: EAPOL-Key 4/4 (replay counter 4, using PTK from SNonce 2)

Previously, Authenticator implementation was able to handle the cases
where SNonce 1 and SNonce 2 were identifical (i.e., Supplicant did not
update SNonce which is the wpa_supplicant behavior) and where PTK
derived using SNonce 2 was used in EAPOL-Key 4/4. However, the case of
using PTK from SNonce 1 was rejected ("WPA: received EAPOL-Key 4/4
Pairwise with unexpected replay counter" since EAPOL-Key 3/4 TX and
following second EAPOL-Key 2/4 invalidated the Replay Counter that was
used previously with the first SNonce).

This commit extends the AP/Authenticator workaround to keep both SNonce
values in memory if two EAPOL-Key 2/4 messages are received with
different SNonce values. The following EAPOL-Key 4/4 message is then
accepted whether the MIC has been calculated with the latest SNonce (the
previously existing behavior) or with the earlier SNonce (the new
extension). This makes 4-way handshake more robust with stations that
update SNonce for each transmitted EAPOL-Key 2/4 message in cases where
EAPOL-Key message 1/4 needs to be retransmitted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 17:02:00 +02:00
Jouni Malinen
db099951cb Print EAPOL-Key Replay Counter in Authenticator debug log
This makes it easier to debug issues relared to EAPOL-Key
retransmissions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-21 15:35:19 +02:00
Kyeyoon Park
47261405d7 AP: Add support for multicast-to-unicast conversion for DGAF Disable
When DGAF Disable is on, perform multicast-to-unicast for DHCP packets
and Router Advertisement packets. This is a requirement for Hotspot 2.0.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:47:06 +02:00
Kyeyoon Park
bd00c4311c AP: Add Neighbor Discovery snooping mechanism for Proxy ARP
This commit establishes the infrastructure, and handles the Neighbor
Solicitation and Neighbor Advertisement frames. This will be extended
in the future to handle other frames.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:47:06 +02:00
Kyeyoon Park
5c58944d08 AP: Add multicast-to-unicast conversion send for "x_snoop"
Multicast-to-unicast conversion send will be needed in various part of
Proxy ARP and DGAF Disable.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:25:13 +02:00
Kyeyoon Park
ed4ddb6d77 AP: Extend the BSS bridge neighbor entry management to support IPv6
This allows adding/deleting an IPv6 neighbor entry to/from the bridge,
to which the BSS belongs. This commit adds the needed functionality in
driver_nl80211.c for the Linux bridge implementation. In theory, this
could be shared with multiple Linux driver interfaces, but for now, only
the main nl80211 interface is supported.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:23:38 +02:00
Kyeyoon Park
1d783762cf AP: Convert "dhcp_snoop" to use the generic "x_snoop"
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:14:15 +02:00
Kyeyoon Park
c127355cb8 AP: Add a generic "x_snoop" infrastructure for Proxy ARP
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:14:02 +02:00
Ilan Peer
38cb0a2db6 AP: Drop retransmitted auth/assoc/action frames
It is possible that a station device might miss an ACK for an
authentication, association, or action frame, and thus retransmit the
same frame although the frame is already being processed in the stack.
While the duplicated frame should really be dropped in the kernel or
firmware code where duplicate detection is implemented for data frames,
it is possible that pre-association cases are not fully addressed (which
is the case at least with mac80211 today) and the frame may be delivered
to upper layer stack.

In such a case, the local AP will process the retransmitted frame although
it has already handled the request, which might cause the station to get
confused and as a result disconnect from the AP, blacklist it, etc.

To avoid such a case, save the sequence control of the last processed
management frame and in case of retransmissions drop them.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2014-11-19 15:20:47 +02:00
Jouni Malinen
afbe57d981 DFS: Fix hostapd operation without hw_mode driver data
If DFS implementation was built in, some configurations with drivers
that do not provide mode information could end up dereferencing a NULL
pointer. Fix this by skipping DFS operations in such cases since not
having information about modes and channels means that hostapd could not
perform DFS anyway (i.e., either this is not a wireless driver or the
driver takes care of DFS internally).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:14:35 +02:00
Jouni Malinen
e9b783d58c Fix hostapd operation without hw_mode driver data
Commit 7f0303d5b0 ('hostapd: Verify VHT
160/80+80 MHz driver support') added couple of hapd->iface->current_mode
dereferences of which the one in hostapd_set_freq() can be hit with some
configuration files when using driver wrappers that do not have hw_mode
data, i.e., when current_mode is NULL. This could result in segmentation
fault when trying to use driver=wired. Fix this by checking that
current_mode is not NULL before dereferencing it to get vht_capab.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-17 01:08:04 +02:00
Masashi Honma
e609679984 mesh: Make plink params configurable
This patch makes four MIB variables for plink configurable and sets the
correct default values based on IEEE Std 802.11s-2011.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2014-11-16 19:43:11 +02:00
Chun-Yeow Yeoh
c596f3f083 mesh: Add timer for SAE authentication in RSN mesh
Add timer to do SAE re-authentication with number of tries defined
by MESH_AUTH_RETRY and timeout defined by MESH_AUTH_TIMEOUT.

Ignoring the sending of reply message on "SAE confirm before commit"
to avoid "ping-pong" issues with other mesh nodes. This is obvious when
number of mesh nodes in MBSS reaching 6.

Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
2014-11-16 19:43:11 +02:00
Bob Copeland
c50d94f1f8 mesh: Start mesh peering after successful authentication
[original patch by: Thomas Pedersen <thomas@noack.us>]
Signed-off-by: Bob Copeland <me@bobcopeland.com>
2014-11-16 19:43:11 +02:00
Bob Copeland
e96da42b0e SAE: Enhance AP implementation to handle auth for mesh interfaces
Add state transition logic to the SAE frame handling in order to more
fully implement the state machine from the IEEE 802.11 standard. Special
cases are needed for infrastructure BSS case to avoid unexpected
Authentication frame sequence by postponing transmission of the second
Authentication frame untile the STA sends its Confirm.

[original patch by: Thomas Pedersen <thomas@noack.us>]
Signed-off-by: Bob Copeland <me@bobcopeland.com>
2014-11-16 19:43:11 +02:00
Thomas Pedersen
0f950df029 mesh: Add mesh robust security network
This implementation provides:

- Mesh SAE authentication mechanism
- Key management (set/get PSK)
- Cryptographic key establishment
- Enhanced protection mechanisms for robust management frames

Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
2014-11-16 19:43:06 +02:00
Dmitry Shmidt
88cb27c7a5 hostapd: Add wowlan_triggers config param
New kernels in wiphy_suspend() will call cfg80211_leave_all() that will
eventually end up in cfg80211_stop_ap() unless wowlan_triggers were set.
For now, use the parameters from the station mode as-is. It may be
desirable to extend (or constraint) this in the future for specific AP
mode needs.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-11-16 17:09:11 +02:00
Jouni Malinen
929a2ea5df Suite B: Select EAPOL-Key integrity and key-wrap algorithms based on AKM
This adds support for AKM 00-0F-AC:11 to specify the integrity and
key-wrap algorithms for EAPOL-Key frames using the new design where
descriptor version is set to 0 and algorithms are determined based on
AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 17:09:11 +02:00
Jouni Malinen
087a1f4efd Suite B: PMKID derivation for AKM 00-0F-AC:11
The new AKM uses a different mechanism of deriving the PMKID based on
KCK instead of PMK. hostapd was already doing this after the KCK had
been derived, but wpa_supplicant functionality needs to be moved from
processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 17:09:11 +02:00
Jouni Malinen
666497c8e6 Suite B: Add AKM 00-0F-AC:11
This adds definitions for the 128-bit level Suite B AKM 00-0F-AC:11. The
functionality itself is not yet complete, i.e., this commit only
includes parts to negotiate the new AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 13:20:51 +02:00
Yanbo Li
e3a8ad4405 hostapd: Change drv_flags from unsigned int to u64
Some flag already using a bit larger than 32, so extend the hostapd
drv_flags type similarly to the earlier wpa_supplicant change to get the
full flag content.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
2014-11-14 12:55:53 +02:00
Jouni Malinen
0f812c993b Remove unused EVENT_FT_RRB_RX
This was used in hostapd driver_test.c, but that driver wrapper has been
removed and there are no remaining or expected users for
EVENT_FT_RRB_RX.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-01 19:27:48 +02:00
Kyeyoon Park
7d597d4617 AP: Add support for Proxy ARP, DHCP snooping mechanism
Proxy ARP allows the AP devices to keep track of the hardware address to
IP address mapping of the STA devices within the BSS. When a request for
such information is made (i.e., ARP request, Neighbor Solicitation), the
AP will respond on behalf of the STA device within the BSS. Such
requests could originate from a device within the BSS or also from the
bridge. In the process of the AP replying to the request (i.e., ARP
reply, Neighbor Advertisement), the AP will drop the original request
frame. The relevant STA will not even know that such information was
ever requested.

This feature is a requirement for Hotspot 2.0, and is defined in IEEE
Std 802.11-2012, 10.23.13. While the Proxy ARP support code mainly
resides in the kernel bridge code, in order to optimize the performance
and simplify kernel implementation, the DHCP snooping code was added to
the hostapd.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-28 01:08:29 +02:00
Kyeyoon Park
7565752d47 AP: Add support for setting bridge network parameter
This allows setting a network parameter on the bridge that the BSS
belongs to.

This commit adds the needed functionality in driver_nl80211.c for the
Linux bridge implementation. In theory, this could be shared with
multiple Linux driver interfaces, but for now, only the main nl80211
interface is supported.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-28 01:08:29 +02:00
Kyeyoon Park
73d2294fbe AP: Add support for setting bridge port attributes
This allows setting a bridge port attribute. Specifically, the bridge
port in this context is the port to which the BSS belongs.

This commit adds the needed functionality in driver_nl80211.c for the
Linux bridge implementation. In theory, this could be shared with
multiple Linux driver interfaces, but for now, only the main nl80211
interface is supported.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-28 01:08:29 +02:00
Kyeyoon Park
71103bed42 AP: Add support for IPv4 neighbor entry management to the BSS bridge
This allows adding/deleting an IPv4 neighbor entry to/from the bridge,
to which the BSS belongs. This commit adds the needed functionality in
driver_nl80211.c for the Linux bridge implementation. In theory, this
could be shared with multiple Linux driver interfaces, but for now, only
the main nl80211 interface is supported.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-28 01:08:29 +02:00
Ahmad Masri
d77419d234 P2P: Support GCMP as part of 60 GHz support
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-27 17:15:09 +02:00
Jouni Malinen
2f06bcb361 Write human readable version of channel width to CSA event debug log
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-26 11:36:14 +02:00
Jouni Malinen
ab93fdebf1 hostapd: Add INTERFACE-ENABLED and INTERFACE-DISABLED events
These can be convenient for upper layer programs to determine if the
hostapd interface gets disabled/re-enabled, e.g., due to rfkill
block/unblock.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-26 10:52:54 +02:00
Ilan Peer
0a44358055 wpa_supplicant: Use the 'no_ir' notation
Use the 'no_ir' notation instead of the 'passive scan' and
'no_ibss' notations to match the earlier change in nl80211.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2014-10-26 01:23:43 +03:00
Javier Lopez
01e2231fdc hostapd: Skip some configuration steps for mesh cases
Modify hostapd.c logic to add checks for valid mconf data structure:

- For hostapd_setup_bss we don't need to flush old stations in case
  we're rejoining a mesh network.

- In hostapd_setup_interface_complete, we don't need to setup the
  interface until we join the mesh (same reasoning for
  hostapd_tx_queue_params).

Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
2014-10-25 17:45:36 +03:00
Bob Copeland
f3e9899e02 mesh: Accept Action frames without BSSID match
[original patch by: Thomas Pedersen <thomas@noack.us>]
Signed-off-by: Bob Copeland <me@bobcopeland.com>
2014-10-25 17:45:35 +03:00
Bob Copeland
5f92659d88 mesh: Add mesh peering manager
The mesh peering manager establishes and maintains links among
mesh peers, tracking each peer link via a finite state machine.

This implementation supports open mesh peerings.

[assorted fixes from Yu Niiro <yu.niiro@gmail.com>]
[more fixes from Masashi Honma <masashi.honma@gmail.com>]
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Ashok Nagarajan <ashok.dragon@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-hostap: Bob Copeland <me@bobcopeland.com>
2014-10-25 17:45:31 +03:00
Thomas Pedersen
8319e3120d mesh: Add mesh mode routines
Add routines to (de)initialize mesh interface data structures and
join and leave mesh networks.

Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
2014-10-25 17:43:20 +03:00
Jouni Malinen
5de748187e Fix channel switch to disable VHT with HT
If both HT and VHT was enabled on AP and channel switch event from the
driver indicated that HT was disabled, VHT was left enabled. This
resulted in the following channel configuration failing. Fix this by
disabling VHT if HT gets disabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-25 11:27:48 +03:00
Eliad Peller
8f461b50cf HT: Pass the smps_mode in AP parameters
The driver needs to know what SMPS mode it should use.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2014-10-24 01:27:31 +03:00
Eliad Peller
04ee647d58 HT: Let the driver advertise its supported SMPS modes for AP mode
Add smps_modes field, and let the driver fill it with its supported SMPS
modes (static/dynamic). This will let us start an AP with specific SMPS
mode (e.g., dynamic) that will allow it to reduce its power usage.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2014-10-24 01:25:29 +03:00
Jouni Malinen
a6b1215769 GAS: Do not reply to P2P SD query from generic GAS/ANQP server
This avoids an issue where a wpa_supplicant build with CONFIG_P2P=y and
CONFIG_HS20=y ended up processing a P2P SD query twice when operating as
a GO and sending out two replies. Only the P2P SD implementation should
reply to P2P SD query in such a case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-22 19:21:42 +03:00
Kyeyoon Park
ec8f36afca AP: Add support for BSS load element (STA Count, Channel Utilization)
The new "bss_load_update_period" parameter can be used to configure
hostapd to advertise its BSS Load element in Beacon and Probe Response
frames. This parameter is in the units of BUs (Beacon Units).

When enabled, the STA Count and the Channel Utilization value will be
updated periodically in the BSS Load element. The AAC is set to 0 sinze
explicit admission control is not supported. Channel Utilization is
calculated based on the channel survey information from the driver and
as such, requires a driver that supports providing that information for
the current operating channel.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-21 23:25:48 +03:00
Jouni Malinen
4a6cc86272 Add data test functionality
It is now possible to run hwsim_test like data connectivity test through
wpa_supplicant/hostapd control interface if CONFIG_TESTING_OPTIONS=y is
used for the build. Test functionality is enabled/disabled at runtime
with "DATA_TEST_CONFIG <1/0>". The "DATA_TEST_TX <dst> <src> <tos>"
command can be used to request a test frame to be transmitted.
"DATA-TEST-RX <dst> <src>" event is generated when the test frame is
received.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-19 20:51:45 +03:00
Andrei Otcheretianski
d66873f5cf Do not start CSA flow when CSA is not supported by the driver
Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2014-10-19 15:39:59 +03:00
Jouni Malinen
f299117093 SAE: Add support for PMKSA caching on the AP side
This makes hostapd create PMKSA cache entries from SAE authentication
and allow PMKSA caching to be used with the SAE AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 13:00:29 +03:00
Jouni Malinen
fcc306e3cc Add Acct-Multi-Session-Id into RADIUS Accounting messages
This allows multiple sessions using the same PMKSA cache entry to be
combined more easily at the server side. Acct-Session-Id is still a
unique identifier for each association, while Acct-Multi-Session-Id will
maintain its value for all associations that use the same PMKSA.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 10:38:17 +03:00
Jouni Malinen
aff039fada Remove duplicated Acct-Session-Id from Accounting-Request
Commit 8b24861154 ('Add Acct-Session-Id
into Access-Request messages') added Acct-Session-Id building into the
helper function shared between authentication and accounting messages.
However, it forgot to remove the same code from the generation of
accounting messages and as such, ended up with Accounting-Request
messages containing two copies of this attribute. Fix this by removing
the addition of this attribute from the accounting specific function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-18 10:35:33 +03:00
Jouni Malinen
f8995f8f1c hostapd: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled when hostapd is used as an EAP
server with OpenSSL as the TLS library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:52:05 +03:00
Jouni Malinen
7c0e5b58f9 DFS: Check os_get_random() result
This use does not really need a strong random number, so fall back to
os_random() if a theoretical error case occurs. (CID 72682)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-11 19:43:36 +03:00
Jouni Malinen
24661bbadc AP: Check os_get_random() return value more consistently
While this specific case does not really care what value is used, the
the theoretical error case can be handled more consistently. (CID 72684)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-11 19:43:36 +03:00
Jouni Malinen
4aa01d38f5 IAPP: Avoid warnings on unused write
The hlen and len variables are identical here, but only the hlen was
used in the end. Change this to use the len variable to avoid
unnecessary static analyzer warnings about unused writes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-11 18:03:38 +03:00
Jouni Malinen
e41e4f9ee3 Simplify memory allocation/freeing for static analyzers
It looks like the use of sm->wpa == WPA_VERSION_WPA2 in two locations
within the function was a bit too much for clang static analyzer to
understand. Use a separate variable for storing the allocated memory so
that it can be freed unconditionally. The kde variable can point to
either stack memory or temporary allocation, but that is now const
pointer to make the design clearer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-11 17:29:50 +03:00
Jouni Malinen
9d4ff04af3 Add external EAPOL transmission option for testing purposes
The new ext_eapol_frame_io parameter can be used to configure hostapd
and wpa_supplicant to use control interface for receiving and
transmitting EAPOL frames. This makes it easier to implement automated
test cases for protocol testing. This functionality is included only in
CONFIG_TESTING_OPTIONS=y builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-10 18:40:57 +03:00
Sunil Dutt
61fc90483f P2P: Handle improper WPS termination on GO during group formation
A P2P Client may be able to connect to the GO even if the WPS
provisioning step has not terminated cleanly (e.g., P2P Client does not
send WSC_Done). Such group formation attempt missed the event
notification about started group on the GO and also did not set the
internal state corresponding to the successful group formation.

This commit addresses the missing part by completing GO side group
formation on a successful first data connection if WPS does not complete
cleanly. Also, this commit reorders the STA authorization indications to
ensure that the group formation success notification is given prior to
the first STA connection to handle such scenarios.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-10 18:40:57 +03:00
Jouni Malinen
4a274f487a DFS: Allow 80+80 MHz be configured for VHT
This allows cases where neither 80 MHz segment requires DFS to be
configured. DFS CAC operation itself does not yet support 80+80, though,
so if either segment requires DFS, the AP cannot be brought up.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-10-09 14:25:55 +03:00
Jouni Malinen
eefec1e40b AES: Extend key wrap design to support longer AES keys
This adds kek_len argument to aes_wrap() and aes_unwrap() functions and
allows AES to be initialized with 192 and 256 bit KEK in addition to
the previously supported 128 bit KEK.

The test vectors in test-aes.c are extended to cover all the test
vectors from RFC 3394.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-07 14:57:06 +03:00
Jouni Malinen
a61fcc131a Clean up authenticator PMKSA cache implementation
This makes the implementation somewhat easier to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-04 23:01:08 +03:00
Jouni Malinen
cb129db34c Clear PMKSA cache entry data when freeing them
Avoid leaving the PMK information unnecessarily in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-04 23:01:08 +03:00
Jouni Malinen
8c8d26aada Remove unnecessary PMKSA cache freeing step
_pmksa_cache_free_entry() is a static function that is never called with
entry == NULL, so there is no need to check for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-04 23:01:08 +03:00
Jouni Malinen
9c829900bb Fix authenticator OKC fetch from PMKSA cache to avoid infinite loop
If the first entry in the PMKSA cache did not match the station's MAC
address, an infinite loop could be reached in pmksa_cache_get_okc() when
trying to find a PMKSA cache entry for opportunistic key caching cases.
This would only happen if OKC is enabled (okc=1 included in the
configuration file).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-04 23:01:08 +03:00
Jouni Malinen
47ea24c13d Fix PMKSA cache timeout from Session-Timeout in WPA/WPA2 cases
Previously, WPA/WPA2 case ended up using the hardcoded
dot11RSNAConfigPMKLifetime (43200 seconds) for PMKSA cache entries
instead of using the Session-Timeout value from the RADIUS server (if
included in Access-Accept). Store a copy of the Session-Timeout value
and use it instead of the default value so that WPA/WPA2 cases get the
proper timeout similarly to non-WPA/WPA2 cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-04 23:01:08 +03:00
Kyeyoon Park
39323bc16a AP: hostapd_setup_bss() code clean-up
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-09-29 13:10:13 +03:00
Philippe De Swert
375f4a3b5a hostapd: Avoid dead code with P2P not enabled
In case P2P is not enabled the if (dev_addr) is always ignored as
dev_addr will be NULL. As this code is relevant only to P2P, it can be
moved to be the ifdef to avoid static analyzer warnings. (CID 72907)

Signed-off-by: Philippe De Swert <philippe.deswert@jollamobile.com>
2014-09-28 20:47:06 +03:00
Stefan Lippers-Hollmann
8c6f4a5a50 ap_config.c: fix typo for "capabilities"
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2014-09-28 11:03:48 +03:00
Sunil Dutt
c53a9bf818 Check for driver's DFS offload capability before handling DFS
This fixes couple of code paths where the WPA_DRIVER_FLAGS_DFS_OFFLOAD
flag was not checked properly and unexpected DFS operations were
initiated (and failed) in case the driver handles all these steps.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-09-22 16:50:28 +03:00
Darshan Paranji Sri
e4474c1c20 FT: Fix hostapd with driver-based SME to authorize the STA
The driver-based SME case did not set STA flags properly to the kernel
in the way that hostapd-SME did in ieee802_11.c. This resulted in the FT
protocol case not marking the STA entry authorized. Fix that by handling
the special WLAN_AUTH_FT case in hostapd_notif_assoc() and also add the
forgotten hostapd_set_sta_flags() call to synchronize these flag to the
driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-09-12 18:46:56 +03:00
Jouni Malinen
04a258e7c5 hostapd: Check that EVENT_ASSOC data is present before using it
While hostapd should not really receive the EVENT_ASSOC message for
IBSS, driver_nl80211.c could potentially generate that if something
external forces the interface into IBSS mode and the IBSS case does not
provide the struct assoc_info data. Avoid the potential NULL pointer
dereference by explicitly verifying for the event data to be present.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-08-26 17:23:02 +03:00
Jouni Malinen
6c460eaf7e Add RSN cipher/AKM suite attributes into RADIUS messages
This adds hostapd support for the new WLAN-Pairwise-Cipher,
WLAN-Group-Cipher, WLAN-AKM-Suite, and WLAN-Group-Mgmt-Pairwise-Cipher
attributes defined in RFC 7268. These attributes are added to RADIUS
messages when the station negotiates use of WPA/RSN.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-31 19:55:29 +03:00
Jouni Malinen
cdffd72173 Add WLAN-HESSID into RADIUS messages
This adds hostapd support for the new WLAN-HESSID attribute defined in
RFC 7268. This attribute contains the HESSID and it is added whenever
Interworking is enabled and HESSID is configured.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-31 19:55:29 +03:00
Jouni Malinen
69002fb0a8 Add Mobility-Domain-Id into RADIUS messages
This adds hostapd support for the new Mobility-Domain-Id attribute
defined in RFC 7268. This attribute contains the mobility domain id and
it is added whenever the station negotiates use of FT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-31 19:55:29 +03:00
Jouni Malinen
c0e46bb7d4 DFS: Remove dead assignment
set_dfs_state() return value is not currently checked anywhere, so
remove the dead assignment to avoid static analyzer complaints.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-03 00:51:47 +03:00
Jouni Malinen
b7175b4d02 Clear hostapd configuration keys explicitly
Use an explicit memset call to clear any hostapd configuration parameter
that contains private information like keys or identity. This brings in
an additional layer of protection by reducing the length of time this
type of private data is kept in memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
164a453f9b FT: Debug print extra response data
This shows any extra data from FT response and also avoids a static
analyzer warning on dead increment.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
0233dcac5b SAE: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
34ef46ce54 WEP shared key: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:48 +03:00
Jouni Malinen
870834a19b RSN authenticator: Use os_memcmp_const() for hash/password comparisons
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-07-02 12:38:47 +03:00
Michal Kazior
5841958f26 hostapd: Use channel switch fallback on error
It's worth giving a try to fallback to re-starting BSSes at least once
hoping it works out instead of just leaving BSSes disabled.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-06-28 11:13:11 +03:00
Michal Kazior
8974620e3e hostapd: Perform multi-BSS CSA for DFS properly
Currently hostapd data structures aren't ready for multi-channel BSSes,
so make DFS work now at least with single-channel multi-BSS channel
switching.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-06-28 11:08:16 +03:00
Michal Kazior
6782b6846b hostapd: Move CSA parameters to hostapd_data
This prepares CSA structure and logic in hostapd for multi-BSS channel
switching.

Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
2014-06-28 11:02:39 +03:00
Pontus Fuchs
dedfa440ed Print frame type name in debug output
"stype=4" becomes "stype=4 (WLAN_FC_STYPE_PROBE_REQ)" etc.

Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
2014-06-22 00:51:39 +03:00
Jouni Malinen
35cbadbb14 VHT: Remove useless validation code from Operating Mode Notification
This was added by commit 8a45811638
('hostapd: Add Operating Mode Notification support'), but the validation
steps cannot be true either for the channel width (which is a two-bit
subfield that cannot encode more than the list four values) or Rx NSS
(which cannot encode a value larger 7). Furthermore, the VHT_CHANWIDTH_*
defines do not match the definition of the Channel Width subfield
values.

Since this check cannot ever match, it is better to remove it to make
the code easier to understand and to avoid getting complaints about dead
code from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-18 00:45:48 +03:00
Amarnath Hullur Subramanyam
cf1600ace4 hostapd: Configure driver ACL even if MAC address list is empty
Earlier commit related to MAC address based access control list
offloaded to the driver was not sending ACL configuration to the driver
if the MAC address list was empty. Remove this check as empty access
control list is a valid use case and sending ACL parameters should not
be dependent on whether the list is empty.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-16 16:22:36 +03:00
Jouni Malinen
da995b2e11 WNM: Use cleaner way of generating pointer to a field (CID 68099)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
062833c67c GAS server: Fix request frame length validation (CID 68098)
There seemed to be an off-by-one error in the validation of GAS request
frames. If a Public Action frame without the Action code field would
have reached this function, the length could have been passed as
(size_t) -1 which would likely have resulted in a crash due to reading
beyond the buffer. However, it looks like such frame would not be
delivered to hostapd at least with mac80211-based drivers. Anyway, this
function better be more careful with length validation should some other
driver end up reporting invalid Action frames.

In addition, the Action code field is in a fixed location, so the
IEEE80211_HDRLEN can be used here to clean up bounds checking to avoid
false reports from static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
5ce3ae4c8f HT: Use cleaner way of generating pointer to a field (CID 68097)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
1fde15a20a GAS server: Explicitly check that home realm is available
This makes the code easier to understand for static analyzers to avoid
false reports.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:05:33 +03:00
Jouni Malinen
aff0bee78a GAS server: Remove unused function parameter
This parameter was not used at all, so just remove the argument instead
of passing NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:04:17 +03:00
Jouni Malinen
bc32bb70d7 Make a code path easier for static analyzers to understand
prev cannot be NULL here in the hostapd_eid_country_add() call since
prev is set whenever start becomes non-NULL. That seems to be a bit too
difficult for some static analyzers, so check the prev pointer
explicitly to avoid false warnings.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 15:37:31 +03:00
Darshan Paranji Sri
95b6bca66d Add rsn_pairwise bits to set_ieee8021x() driver_ops
This fixes an issue where a driver using the deprecated set_ieee8021x()
callback did not include rsn_pairwise bits in the driver configuration
even if mixed WPA+WPA2 configuration was used. This could result, e.g.,
in CCMP not being enabled properly when wpa_pairwise=TKIP and
rsn_pairwise=CCMP was used in the configuration. Fix this by using
bitwise OR of the wpa_pairwise and rsn_pairwise values to allow the
driver to enable all pairwise ciphers.

In addition, make the newer set_ap() driver_ops use the same bitwise OR
design instead of picking between rsn_pairwise and wpa_pairwise. This
makes the code paths consistent and can also fix issues with mixed mode
configuration with set_ap().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-03 13:59:22 +03:00
Jouni Malinen
3d4d2348c0 FT: Fix GTK rekeying after FT protocol
Move to PTKINITDONE state and mark PTK valid after successful completion
of FT protocol. This allows the AP/Authenticator to start GTK rekeying
when FT protocol is used. Previously, the station using FT protocol did
not get the new GTK which would break delivery of group addressed
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-01 13:21:40 +03:00
Jouni Malinen
d92bdf9602 hostapd: Make sure hapd->drv_priv gets cleared on driver deinit
Couple of code paths in hostapd.c could have left hapd->drv_priv
pointing to memory that was freed in driver_nl80211.c when a secondary
BSS interface is removed. This could result in use of freed memory and
segfault when the next driver operation (likely during interface
deinit/removal). Fix this by clearing hapd->drv_priv when there is
reason to believe that the old value is not valid within the driver
wrapper anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-31 17:11:04 +03:00
Jouni Malinen
438e13339d hostapd: Use helper function to avoid duplicate deinit calls
These three calls were used already in three different paths. Use a
helper function to avoid adding even more copies of this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-31 15:57:36 +03:00
Michal Kazior
ac1a224092 hostapd: Clean up if interface setup fails
If for some reason interface setup fails mid-way when setting up
multi-BSS AP it was possible to get segmentation fault because driver
was not properly cleaned up.

One possible trigger, when using nl80211 driver, was udev renaming an
interface created by hostapd causing, e.g., linux_set_iface_flags() to
fail.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-05-31 15:53:56 +03:00
Michal Kazior
81c4fca100 hostapd: Reset hapd->interface_add properly
This variable is updated when calling hostapd_if_add(), so it makes
sense to do the same thing when calling hostapd_if_remove().

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-05-31 15:49:38 +03:00
Michal Kazior
3fbd036ea9 hostapd: Prevent double interface disabling from segfaulting
Performing, e.g. `wpa_cli -p /var/run/hostapd raw DISABLE` twice led to
hostapd segmentation fault if multiple BSSes were configured. Fix this
by checking if there is anything to disable at all before trying.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-05-31 15:46:45 +03:00
Jouni Malinen
5d67bf1566 hostapd: Fix configuration of multiple RADIUS servers with SET
The current RADIUS server pointer was updated after each SET command
which broke parsing of multiple RADIUS servers over the control
interface. Fix this by doing the final RADIUS server pointer updates
only once the full configuration is available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-30 20:40:11 +03:00
Jouni Malinen
d73c7b9626 GAS: Send error response if no room for pending dialog context
Instead of silently dropping the response that requires fragmentation,
send an error response to the station to make it aware that no full
response will be available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-26 17:21:43 +03:00
Jouni Malinen
10b58b5029 TNC: Allow TNC to be enabled dynamically
Previously, hostapd had to be started with at least one of the
configuration files enabling TNC for TNC to be usable. Change this to
allow TNC to be enabled when the first interface with TNC enabled gets
added during runtime.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-17 20:05:55 +03:00
Rajkumar Manoharan
f41d55da02 hostapd: Check for overlapping 20 MHz BSS before starting 20/40 MHz BSS
Before starting a 20/40 MHz BSS on the 2.4 GHz band, a 40-MHz-capable HT
AP is required by the rules defined in IEEE Std 802.11-2012 10.15.5 to
examine the channels of the current operational regulatory domain to
determine whether the operation of a 20/40 MHz BSS might unfairly
interfere with the operation of existing 20 MHz BSSs. The AP (or some of
its associated HT STAs) is required to scan all of the channels of the
current regulatory domain in order to ascertain the operating channels
of any existing 20 MHz BSSs and 20/40 MHz BSSs. (IEEE 802.11-2012 S.5.2
Establishing a 20/40 MHz BSS).

Add the check for an overlapping 20 MHz BSS to the initial AP scan for
the P == OT_i case in 10.15.3.2.

Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
2014-05-16 01:14:01 +03:00
Petar Koretic
c78c6b73fa WPS: Fix return value when context is not valid
If WPS isn't enabled, hostapd_cli returns 'OK' even though WPS doesn't
get activated because WPS context is not valid:

$ hostapd_cli wps_pbc
Selected interface 'wlan0'
OK

$ hostapd_cli wps_cancel
Selected interface 'wlan0'
OK

Fix this by returning appropriate error when WPS fails to activate:

$ hostapd_cli wps_pbc
Selected interface 'wlan0'
FAIL

$ hostapd_cli wps_cancel
Selected interface 'wlan0'
FAIL

Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
CC: Luka Perkov <luka.perkov@sartura.hr>
2014-05-16 00:58:48 +03:00
Jouni Malinen
c0333c8dd5 Check rx_mgmt::frame more consistently against NULL
If a driver wrapper misbehaves and does not indicate a frame body in the
event, core hostapd code should handle this consistently since that case
was already checked for in one location.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
d6c6b1fb9d Make sta NULL-check easier for static analyzers
sta == NULL check is already done above based on category !=
WLAN_ACTION_PUBLIC, but that seems to be too complex for some static
analyzers, so avoid invalid reports by explicitly checking for this
again in the WLAN_ACTION_FT case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
ee4fefc015 Remove duplicated variable zeroing
It's enough to do this once as part of the for loop.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
4a9d0ebe4a Make PMKID check easier for static analyzers
Checking sm->pmksa is sufficient here, but that seems to be too
difficult for static analyzers to follow, so avoid false reports by
explicitly checking pmkid as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Jouni Malinen
06df2aa60a Remove floating constant suffix 'd' from test coee
clang scan-build does not seem to like the 'd' suffix on floating
constants and ends up reporting analyzer failures. Since this suffix
does not seem to be needed, get rid of it to clear such warnings.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-29 12:52:10 +03:00
Peng Xu
5f0bca77a8 Retry initial 20/40 MHz co-ex scan if the driver is busy
This makes the initial OBSS scans in AP mode before starting 40 MHz BSS
more robust. In addition, HT20 can be used as a backup option if none of
the scans succeed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:09 +03:00
Peng Xu
587d60d2b7 Add AP mode support for HT 20/40 co-ex Action frame
If a 2.4 GHz band AP receives a 20/40 Coexistence management frame from
a connected station with 20/40 BSS Intolerant Channel Report element
containing the channel list in which any legacy AP are detected or AP
with 40 MHz intolerant bit set in HT Cap IE is detected in the affected
range of the BSS, the BSS will be moved from 40 to 20 MHz channel width.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:09 +03:00
Peng Xu
9c47f6a2a6 hostapd: Extend support for HT 20/40 coexistence feature
Extend the minimal HT 20/40 co-ex support to include dynamic changes
during the lifetime of the BSS. If any STA connects to a 2.4 GHz AP with
40 MHz intolerant bit set then the AP will switch to 20 MHz operating
mode.

If for a period of time specified by OBSS delay factor and OBSS scan
interval AP does not have any information about 40 MHz intolerant STAs,
the BSS is switched from HT20 to HT40 mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:52:09 +03:00
Peng Xu
196c9c7cd2 Make channel parameters available in set_ap() driver operation
This provides information to allow the driver to be configured for
updated channel parameters, e.g., when dynamically changing HT20/HT40
bandwidth.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-29 12:16:51 +03:00
Maxime Bizon
2aa82e52da Interworking: Don't filter probe requests when interworking is disabled
With hidden SSID (ignore_broadcast_ssid), an IOS device trying to
connect to the AP will send a probe request with ANT == 2. If
interworking support is just compiled (not enabled), we will drop the
probe request since default ANT is 0.

Check that interworking is enabled before filtering based on ANT or
HESSID to match the behavior of code without CONFIG_INTERWORKING.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
2014-04-24 12:15:32 +03:00
Marek Puzyniak
8a0f3bf613 AP: Fix checking if DFS is required
Sometimes function hostapd_is_dfs_required() returns -1 which indicates
that it was not possible to check if DFS was required. This happens for
channels from the 2.4 GHz band where DFS checking should not happen.
This can be fixed by returning DFS-not-required for mode different from
IEEE80211A and when DFS support is not available (ieee80211h not set).

Signed-off-by: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-04-17 17:12:52 +03:00
Jouni Malinen
5583b8d1eb Document and rename HT Capability/Operation fields
This makes the definitions match the terminology used in IEEE Std
802.11-2012 and makes it easier to understand how the HT Operation
element subfields are used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:45:11 +03:00
Jouni Malinen
1dde5b5cdd Remove PSMP option from ht_capab
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:02:14 +03:00
Jouni Malinen
dc39004318 WPS: Remove unused WEP related functionality
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-04-06 12:31:45 +03:00
Jouni Malinen
8943cc998a RADIUS server: Add support for MAC ACL
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 19:31:56 +02:00
Jouni Malinen
dc87541e1e Clean up debug print for PSK file search
p2p_dev_addr was not NULL, so the all zeros case was printed as well.
Clean this up by printing p2p_dev_addr in debug prints only if it is a
real P2P Device Address.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-29 09:50:51 +02:00
Janusz Dziedzic
bbbacbf2f8 DFS: Print CAC info in ctrl_iface STATUS command
Print CAC time and CAC left time in control interface STATUS command.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-03-28 23:02:45 +02:00
Avraham Stern
3ae8b7b7a2 hostapd: Add vendor command support
Add support of vendor command to hostapd ctrl_iface.
Vendor command's format:
VENDOR <vendor id> <sub command id> [<hex formatted data>]

The 3rd argument will be converted to binary data and then passed as
argument to the sub command.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2014-03-27 15:28:44 +02:00
Pawel Kulakowski
74a1319e50 Fix issue with incorrect secondary_channel in HT40/HT80
When primary and secondary channel were switched and config was
reloaded, secondary channel was incorrectly overwritten.

Proceed as for other settings that should not be changed and don't
allow to overwrite.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-03-27 15:22:39 +02:00
Jouni Malinen
c201f93a9e WPS: Enable WSC 2.0 support unconditionally
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 18:33:21 +02:00
Jouni Malinen
4d1e38be9e ACS: Fix number of error path issues
Especially when multiple BSSes are used with ACS, number of the error
paths were not cleaning up driver initialization properly. This could
result in using freed memory and crashing the process if ACS failed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-25 13:12:29 +02:00
Jouni Malinen
692ec3058b FT: Add support for postponing FT response
If the PMK-R1 needs to be pulled for the R0KH, the previous
implementation ended up rejecting the over-the-air authentication and
over-the-DS action frame unnecessarily while waiting for the RRB
response. Improve this by postponing the Authentication/Action frame
response until the pull response is received.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-23 18:31:06 +02:00
Jouni Malinen
70c35233ae WPS: Comment out unused AP WEP config write with WPS 2.0
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds. This is similar to the earlier
commit that commented out in-memory update.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 23:31:39 +02:00
Amar Singhal
70634eec0c hostapd: Check driver DFS offload capability for channel disablement
If the driver supports full offloading of DFS operations, do not disable
a channel marked for radar detection. The driver will handle the needed
operations for such channels.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-22 21:31:15 +02:00
Jouni Malinen
a500f3102f WPS: Comment out unused AP WEP config update with WPS 2.0
The main WPS code rejects WEP parameters, so this code is not used and
can be commented out from WPS 2.0 builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 19:22:10 +02:00
Jouni Malinen
1d4fe3bcbc Remove unnecessary parameter validation
This is dead code since this helper function is always called with
non-NULL pointer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-22 16:25:28 +02:00
Pawel Kulakowski
513dcec656 Don't overwrite channel on hostapd config reload
There was possibility that the current channel in Beacon information
element was incorrectly set. This problem was easily observed when
primary and secondary channel were switched and then some of hostapd
settings (for example password) were changed using WPS External
Registrar. This caused hostapd_reload_config() function overwrite the
current channel information from config file.

This patch prevents this situation and does not allow to overwrite
channel and some other settings when config is reloaded.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-03-21 23:30:57 +02:00
Jouni Malinen
20ff2642e1 WPS: Clear WPS data on init failure
It was possible for hapd->wps_beacon_ie and hapd->wps_probe_resp_ie to
be set if WPS initialization in hostapd failed after having set these
parameters (e.g., during UPnP configuration). In addition, many of the
other WPS configuration parameters that were allocated during the first
part of the initialization were not properly freed on error paths.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-21 13:23:23 +02:00
Jouni Malinen
f4e3860f8a Fix AP mode default TXOP Limit values for AC_VI and AC_VO
These were previous set to 3.0 and 1.5 ms which ended up using values 93
and 46 in 36 usec inits. However, the default values for these are
actually defined as 3.008 ms and 1.504 ms (94/47) and those values are
also listed in the hostapd.conf example.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-17 18:48:40 +02:00
Michal Kazior
c3722e1241 ACS: Fix VHT20
The center segment0 calculation for VHT20 ACS was incorrect. This caused
ACS to fail with: "Could not set channel for kernel driver".

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-03-15 19:04:31 +02:00
Jouni Malinen
49b74430d9 Fix HT40 co-ex scan for some pri/sec channel switches
Secondary channel was compared incorrectly (-4/4 vs. actual channel
number) which broke matching neighboring 40 MHz BSSes and only the
no-beacons-on-secondary-channel rule was applied in practice. Once
sec_chan was fixed, this triggered another issue in this function where
both rules to switch pri/sec channels could end up getting applied in a
way that effectively canceled the switch.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
5bdac4abce Remove unused STA entry information
previous_ap and last_assoc_req were not really used for anything
meaninful, so get rid of them to reduce the size of per-STA memory
allocation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 09:57:10 +02:00
Jouni Malinen
c9d9ee94e5 Fix hostapd_add_iface error path to deinit partially initialized BSS
It was possible for the control interface and some of the BSS setup to
be left partially initialized in failure cases while the BSS structures
were still freed. Fix this by properly cleaning up anything that may
have passed initialization successfully before freeing memory.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-14 21:58:46 +02:00
Jouni Malinen
8dd9f9cdde Allow management group cipher to be configured
This allows hostapd to set a different management group cipher than the
previously hardcoded default BIP (AES-128-CMAC). The new configuration
file parameter group_mgmt_cipher can be set to BIP-GMAC-128,
BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in
IEEE Std 802.11ac-2013.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-14 21:58:45 +02:00
Paul Stewart
db63757dbc hostapd: Supply default parameters for OBSS scan
For some client OBSS implementations that are performed in
firmware, all OBSS parameters need to be set to valid values.
Do this, as well as supplying the "20/40 Coex Mgmt Support"
flag in the extended capabilities IE.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2014-03-14 21:49:08 +02:00
Johannes Berg
67e1a402df hostapd: For VHT 20/40, allow center segment 0 to be zero
The 802.11ac amendment specifies that that the center segment 0 field
is reserved, so it should be zero. Hostapd previously required it to
be set, which is likely a good idea for interoperability, but allow it
to be unset. However, don't allow it to be set to a random value, only
allow zero and the correct channel.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-03-14 17:07:17 +02:00
Jouni Malinen
d0bf06f2d9 GAS server: Remove incomplete remote ANQP processing
Some of the remote ANQP server concepts were introduces into gas_serv.c,
but these were not completed. Remote the unused implementation for now.
It can be added back if support for remote ANQP server is added at some
point.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-13 21:12:39 +02:00
Jouni Malinen
ce6b9cd482 Allow reason code to be specified for DEAUTH/DISASSOC test frame
hostapd DEAUTHENTICATE and DISASSOCIATE control interface commands
accepted both a test=<0/1> and reason=<val> parameters, but these were
not supported in the same command as a combination. Move the code around
a bit to allow that as well since it can be helpful for automated test
scripts.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-13 01:26:09 +02:00
Jouni Malinen
0f23a5e7d6 Mark AP disabled if initialization steps fail
Previously, some of the last initialization steps could fail without
clearly marking the interface disabled. For example, configuring the
channel to the driver could fail, but hostapd would not clearly identify
as the interface not being in functional state apart from not moving it
to the ENABLED state. Send an AP-DISABLED event and mark interface state
DISABLED if such a setup operation fails.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-12 13:55:05 +02:00
Ben Greear
7450c1287d DFS: Add extra debugging messages
This might help someone realize why their hostapd config isn't working
properly.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2014-03-11 19:26:48 +02:00
Simon Wunderlich
1d91f504e4 hostapd: Process management frames only once per BSS
At least in nl80211, broadcast management frames like Probe Request
frames, may be processed multiple times per BSS if multi-BSS is active
and NL80211_CMD_FRAME event is used to deliver them. In the case of
Probe Request frames, hostapd will create multiple redundant Probe
Response frames which are problematic when many BSS are on one channel.

This problem is caused by driver_nl80211 generating an event for
wpa_supplicant_event() for each BSS, and hostapd_mgmt_rx() calls
ieee802_11_mgmt() for each BSS, too.

Fix this by processing broadcast events only for the BSS the driver
intended to. The behavior is not changed for drivers not setting a BSS.

Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
2014-03-11 19:07:25 +02:00
Simon Wunderlich
e070051207 hostapd: Allow to switch to usable DFS channels
If channels are "available", change to "usable" DFS channels as a
fallback, too. This requires CAC, but it is still better to do that
instead of stopping service completely.

Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
2014-03-11 19:04:15 +02:00
Simon Wunderlich
01b99998bd hostapd: Allow to switch to DFS channels if available
If DFS channels are marked as "available", an AP can switch to them
immediately without performing CAC. Therefore, the channel selection
function should consider these channels even though these are radar
channels.

Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
2014-03-11 19:01:44 +02:00
Simon Wunderlich
70ee1be248 hostapd: Add config option chanlist for DFS channels
Different channels allow different transmission power, at least in ETSI
countries. Also, ETSI requires a "channel plan" for DFS operation, and
channels should be randomly choosen from these channels.

Add a channel list configuration option for users to add channels
hostapd may pick from.

Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
2014-03-11 18:59:40 +02:00
Jouni Malinen
3b9c5176d1 Fix PTK derivation for CCMP-256 and GCMP-256
Incorrect PTK length was used in PMK-to-PTK derivation and the Michael
MIC TX/RX key swapping code was incorrectly executed for these ciphers
on supplicant side.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-11 15:00:09 +02:00
Jouni Malinen
b465f5d3a1 Remove unused hostapd_wep_key_cmp()
The only user was removed five years ago in commit
fb6d357532.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-10 10:27:58 +02:00
Jouni Malinen
8a57da7e28 RADIUS server: Add option for storing log information to SQLite DB
If eap_user_file is configured to point to an SQLite database, RADIUS
server code can use that database for log information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-09 18:21:13 +02:00
Jouni Malinen
ec33bc67f8 Enable RADIUS message dumps with excessive debug verbosity
Previously, this was enabled only at msgdump verbosity level, but any
level that is more verbose than it should also be included.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-08 11:35:08 +02:00
Jouni Malinen
226e3579f9 Revert "bridge: Track inter-BSS usage"
This reverts commit 4345fe963e. That
introduced number of memory leaks and since the rest of the VLAN changes
did not yet go in, it is easier to revert this for now and bring back
the changes after fixes if there is sufficient interest for them in the
future.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-08 11:35:08 +02:00
Jouni Malinen
d0ee16edc8 Allow arbitrary RADIUS attributes to be added into Access-Accept
This extends the design already available for Access-Request packets to
the RADIUS server and Access-Accept messages. Each user entry can be
configured to add arbitrary RADIUS attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-08 11:35:08 +02:00
Jouni Malinen
0ac3876627 Fix PMF protect disconnection on session timeout
Request the driver to send a Deauthentication frame before doing
any other disconnection steps on the session timeout path. This is
needed when PMF is negotiated for the association since the driver
will need to find the STA entry and the PTK for it to be able to
protect the robust Deauthentication frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-07 23:24:54 +02:00
Pawel Kulakowski
185677b74c Disable interface if ACS fails
In case of Automatic Channel Selection (ACS) failure, we do not have a
real fallback path. Interface still remains in ACS state. To reflect we
did not succeed with ACS, simply disable the interface and indicate this
to user/upper layer entity so that a suitable recovery or error
notification can be performed.

Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
2014-03-06 23:12:33 +02:00
Jouni Malinen
95faa36ad9 HS 2.0R2: Check for OSEN when determining whether to authorize STA
handle_assoc_cb() got this addition, but the check in
hostapd_new_assoc_sta() was not modified to be aware of the OSEN special
case for EAPOL state machines to be used for marking a STA authorized.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-06 22:48:37 +02:00
Sunil Dutt Undekari
113318ad57 Set the station to authorized on assoc event for open authentication
This was done in handle_assoc_cb() in ieee802_11.c for drivers that use
hostapd SME/MLME. However, drivers that include SME/MLME implementation
do not use that function and the STA flag needs to be set when
processing the association notification. This is needed to get the STA
entry into showing the proper authorized state and to get the
AP-STA-CONNECTED/DISCONNECTED events on the control interface.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-06 22:45:15 +02:00
Bartosz Markowski
905828fea4 hostapd: Fix vht_capab 'Maximum A-MPDU Length Exponent' handling
As per IEEE Std 802.11ac-2013, 'Maximum A-MPDU Length Exponent' field
value is in the range of 0 to 7. Previous implementation assumed EXP0 to
be the maximum length (bits 23, 24 and 25 set) what is incorrect.

This patch adds options to set it up within the 0 to 7 range.

Signed-off-by: Bartosz Markowski <bartosz.markowski@tieto.com>
2014-03-06 00:09:37 +02:00
Michal Kazior
89de64c5c0 ACS: Fix VHT80 segment picking
For example, the previous implementation considered [44, 48, 52, 56] to
be a valid VHT80 channel -- which it is not. This resulted in, e.g.,
failure to start CAC when channels on overlapped segments included DFS
channels.

Add a check similar to the HT40 one to prevent that. The check is
performed this way as the ACS implementation assumes the primary channel
to be the first channel in a given segment.

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-03-06 00:01:29 +02:00
Janusz Dziedzic
1f37483416 DFS: Print error in case CAC fails
Previously, we printed this message as a debug one, which was confusing
in case verbose debug messages were disabled. User could think CAC
started but never ended. Add more parameterss to DFS_EVENT_CAC_START, so
external programs can more easily check what was wrong in case of
errors.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-03-05 23:59:04 +02:00
Moshe Benji
354c903f8e AP/GO interface teardown optimization
This commit adds an option to optimize AP teardown by leaving the
deletion of keys (including group keys) and stations to the driver.

This optimization option should be used if the driver supports stations
and keys removal when stopping an AP.

For example, the optimization option will always be used for cfg80211
drivers since cfg80211 shall always remove stations and keys when
stopping an AP (in order to support cases where the AP is disabled
without the knowledge of wpa_supplicant/hostapd).

Signed-off-by: Moshe Benji <moshe.benji@intel.com>
2014-03-05 23:57:02 +02:00
Rahul Jain
8bc4372f37 Use P2P_IE_VENDOR_TYPE more consistently
Previously, both this and combination of OUI_WFA and P2P_OUI_TYPE were
used. Using the full 32-bit value as a single operation saves a bit in
code size, so start moving towards using it more consistently when
writing or finding the P2P vendor specific element.

Signed-off-by: Rahul Jain <rahul.jain@samsung.com>
2014-03-05 23:36:54 +02:00
Jouni Malinen
5f7e1c06cd Redirect more frames with ext_mgmt_frame_handling=1
This allows Action frames from not-associated stations to be processed
by external test tools.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
78789d95b4 Remove unnecessary variable initialization
The following if statements set the new_op_mode value in all cases,
so there is no need to initialize this to 0 first. This removes a
static analyzer warning.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
e997bc75dd Remove a static analyzer warning about unused variable write
The pos variable was not used between its first and second assignment.
Clean this up by using the pos variables instead of the buf (start of
the buffer).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
7b6e81575f Clean up hostapd add_iface error path operations
If hapd_iface->bss[i] == NULL, this could have resulted in NULL pointer
dereference in the debug print. Avoid this by skipping the message in
case of NULL pointer. In addition, clear iface->bss[i] to NULL for
additional robustness even though this array gets freed immediately.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
3d91a0470f DFS: Make sure center frequency is always initialized for VHT
This seemed to be fine on most code paths, but the code was complex
enough to make the analysis difficult (and a bit too much for static
analyzers). There is no harm in forcing these parameters to be
initialized, so do that to make sure they cannot be left uninitialized.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 17:15:12 +02:00
Jouni Malinen
ca412c7a38 Remove unreachable return statement
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 10:35:33 +02:00
Jouni Malinen
b908c50a81 Clear hostapd bss entry to NULL on add-interface-failure
It looks like leaving behind the freed pointed at the end of the array
could end up in a crash triggered by double free in some cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-01 00:38:04 +02:00
Jouni Malinen
8d2a9921af HS 2.0R2: RADIUS server support to request Subscr Remediation
The new hostapd.conf parameter subscr_remediation_url can be used to
define the URL of the Subscription Remediation Server that will be added
in a WFA VSA to Access-Accept message if the SQLite user database
indicates that the user need subscription remediation.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
ae6d15c722 HS 2.0R2 AP: Add OSU Providers list ANQP element
hostapd can now be configured to advertise OSU Providers with the
new osu_* confgiuration parameters.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
f7bd7a01a8 HS 2.0R2 AP: Add Icon Request and Icon binary File ANQP elements
hostapd can now be configured to provide access for icon files
(hs20_icon config file parameter) for OSU. The hs20_icon data contains
additional meta data about the icon that is not yet used, but it will be
needed for the OSU Providers list ANQP element.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
97596f8ed4 HS 2.0R2 AP: Add support for Session Info URL RADIUS AVP
If the authentication server includes the WFA HS 2.0 Session Info URL
AVP in Access-Accept, schedule ESS Disassociation Imminent frame to be
transmitted specified warning time prior to session timeout.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
8e1146d9da HS 2.0R2 AP: Add support for deauthentication request
If the RADIUS server includes deauthentication request in Access-Accept,
send a WNM-Notification frame to the station after 4-way handshake and
disconnect the station after configurable timeout.

A new control interface command, WNM_DEAUTH_REQ, is added for testing
purposes to allow the notification frame to sent based on local request.
This case does not disconnect the station automatically, i.e., a
separate control interface command would be needed for that.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
a14896e8bb HS 2.0R2 AP: Add OSEN implementation
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
6ca0853d18 HS 2.0R2 AP: Use Subscr Remediation request from RADIUS server
If the RADIUS server includes the WFA RADIUS VSA in Access-Accept to
indicate need for subscription remediation, copy the server URL from
the message and send it to the station after successfully completed
4-way handshake (i.e., after PTK is set to allow PMF to work) in a
WNM-Notification.

AP must not allow PMKSA caching to be used after subscription
remediation association, so do not add the PMKSA cache entry whenever
the authentication server is indicating need for subscription
remediation. This allows station reassociation to use EAP authentication
to move to non-remediation connection.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
7bc9c25d1f HS 2.0R2 AP: Add STA's Hotspot 2.0 Release Number into Access-Request
If the station indicated support for Hotspot 2.0, send its release
number and PPS MO ID in Access-Request messages using the WFA RADIUS
VSA.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
76579ec75f HS 2.0R2 AP: Add AP Hotspot 2.0 Release Number as WFA RADIUS VSA
The Access-Request frames are used to inform the RADIUS server about the
Hotspot 2.0 release number supported by the AP.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
3fb17a9530 HS 2.0R2 AP: Add WNM-Notification Request for Subscription Remediation
Subscription remediation notification can now be sent from hostapd with:
hostapd_cli hs20_wnm_notif 02:00:00:00:00:00 http://example.com/foo/

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
d5d24784e6 HS 2.0R2 AP: Update HS 2.0 Indication element to Release 2
The HS 2.0 Indication element from hostapd now includes the release
number field and the new ANQP Domain ID field. This ID can be configured
with anqp_domain_id parameter in hostapd.conf.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
8c9cb81fb7 DFS: Fix coding style (missing whitespace)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-25 16:47:22 +02:00
Janusz Dziedzic
4f1e01b8e3 DFS: Add VHT160 available channels
Add VHT160 available channels we can choose from when having detected a
radar event.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-02-25 16:46:17 +02:00
Janusz Dziedzic
b8058a69b0 hostapd: DFS allow mixed channels
Allow mixed DFS and non-DFS channels, e.g., VHT160 on channels 36-64.
This is useful for testing VHT160 with mac80211_hwsim.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-02-25 16:45:11 +02:00
Jouni Malinen
c1151e47d5 Force OFDM/HT/VHT to be disabled on channel 14
The regulatory rules in Japan do not allow OFDM to be used on channel
14. While this was to some extend assumed to be enforced by drivers
(many of which apparently don't), it is safer to make hostapd enforce
this by disabling any OFDM-related functionality. This tries to avoid
backwards compatibility issues by downgrading the mode rather than
rejecting the invalid configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-25 13:55:10 +02:00
Chaitanya T K
3d7ad2f681 hostapd: Configure spectrum management capability
Add configuration of Spectrum Management subfield in the Capability
Information of Beacon, Probe Response, and Association Response frames.
Spectrum Management bit is set when directly requested by new
configuration option spectrum_mgmt_required=1 or when AP is running on
DFS channels. In the future, also TPC shall require this bit to be set.

Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-02-25 00:54:59 +02:00
Srinivasan B
e0392f825d hostapd: Add Power Constraint element
Add Power Constraint information element to Beacon and Probe Response
frames when hostapd is configured on 5 GHz band and Country information
element is also added. According to IEEE Std 802.11-2012 a STA shall
determine a local maximum transmit power for the current channel based
on information derived from Country and Power Constraint elements.

In order to add Power Constraint element ieee80211d option need to be
enabled and new local_pwr_constraint config option need to be set to
unsigned value in units of decibels. For now this value is statically
configured but the future goal is to implement dynamic TPC algorithm
to control local power constraint.

Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-02-24 23:51:23 +02:00
Jouni Malinen
cb10c7d12d RADIUS DAS: Add support for NAS identification attributes
This allows NAS-IP-Address, NAS-Identifier, and NAS-IPv6-Address to be
included in the Disconnect-Request packets.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-20 13:55:36 +02:00
Jouni Malinen
0d7c5e1dfc RADIUS DAS: Remove PMKSA entry on Disconnect-Request
When a station is disconnected based on Disconnect-Request, it is better
to force the station to go through full EAP authentication if it tries
to reconnect.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-20 13:26:22 +02:00
Jouni Malinen
d87a6acdf5 WPS: Fix STA state validation when processing PutWLANResponse
It is possible for an ER to send an unexpected PutWLANResponse action
when the destination STA is in disassociated, but not fully
deauthenticated state. sta->eapol_sm can be NULL in such state and as
such, it would be possible to hit a NULL pointer dereference in the
eapol_auth_eap_pending_cb() call at the end of the
hostapd_wps_probe_req_rx() when trying to proxy the WPS message to the
station. Fix this by validating that sta->eapol_sm is set before
processing the message.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-19 23:51:55 +02:00
Jouni Malinen
a1dd890a85 RADIUS: Add minimal accounting server support
This can be used to test RADIUS Accounting in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 16:26:48 +02:00
Marek Kwaczynski
8a45811638 hostapd: Add Operating Mode Notification support
Handle Operating Mode Notification received in (Re)Association Request
frames.

Signed-hostap: Marek Kwaczynski <marek.kwaczynski@tieto.com>
2014-02-14 19:30:05 +02:00
Eytan Lifshitz
6ceb95c950 Avoid NULL dereference in ieee802_1x_get_mib_sta() printf
In function ieee802_1x_get_mib_sta(), eap_server_get_name() may return
NULL, and it could be dereferenced immidiately by os_snprintf() (if the
snprintf implementation does not handle NULL pointer).

Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
2014-02-13 15:58:21 +02:00
Eytan Lifshitz
93a1caece0 Remove unnecessary NULL check
In send_assoc_resp(), sta was checked for NULL, although it can't be
NULL.

Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
2014-02-13 15:58:17 +02:00
Max Stepanov
5479ff906c DFS: Avoid compiler warnings in src/ap/dfs.c
Initialize variables explicitly to avoid [-Wmaybeuninitialized] compiler
warning in hostapd_handle_dfs() and
hostapd_dfs_start_channel_switch_cac() functions.

Signed-hostap: Max Stepanov <Max.Stepanov@intel.com>
2014-02-13 15:44:37 +02:00
Jouni Malinen
b64afe22aa Fix SAE state validation on AP
Confirm-before-commit validation step allowed execution to continue on
error case. This could result in segfault in sae_check_confirm() if the
temporary SAE data was not available (as it would not be, e.g., in case
of an extra SAE confirm message being received after successful
exchange). Fix this by stopping SAE processing immediately after
detecting unexpected state for confirm message. In addition, make the
public sae.c functions verify sae->tmp before dereferencing it to make
this type of bugs less likely to result in critical issues.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-12 17:46:33 +02:00
Jouni Malinen
d7a15d5953 WPS: Indicate current AP settings in M7 in unconfigurated state
Previously, unconfigured state was forcing the best supported
authentication and encryption state to be shown in WPS messages,
including AP Settings in M7 in case the AP acts as an Enrollee. This is
not really correct for the AP Settings case, so change that one to
indicate the currently configured state.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-07 19:33:19 +02:00
Jouni Malinen
334ec001bb Fix Beacon RX before AP setup completion
It is possible for the driver to report Beacon RX prior to hostapd
having completed AP mode setup, e.g., when changing country code. Beacon
frame processing for OLBC was not prepared for this and could trigger
segfault due to NULL pointer dereference. Fix this by ignoring the
Beacon frames received prior to completing interface setup when
determining OLBC updates.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-02-06 15:22:06 +02:00
Jouni Malinen
b37d582eaf Replace ieee802_11_print_ssid() with wpa_ssid_txt()
There is no need to maintain two different functions for printing out
ASCII text version of SSID.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-02-04 13:23:35 +02:00
Janusz Dziedzic
fd92413417 hostapd: Increase timeout for channel list update to 5 seconds
Before this patch, 1 second timeout was used for regulatory updates. In
some cases, specially when we reload driver modules on some slower
platforms this could take more than 1 second (about 2 seconds). This is
important specially for DFS case, where we have to have correct DFS
region before we will start CAC. In other case (unknown DFS region), CAC
will fail. 5 seconds should be enough for all cases.

Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-01-30 14:05:14 +02:00
Eytan Lifshitz
04c366cb1d Fix memory leaks and wrong memory access
1. In wpa_config_process_bgscan() fix memory leak after
   calling wpa_config_parse_string()
2. In hostapd_config_defaults(), on failure to allocate bss->radius,
   conf->bss was not freed.
3. In p2p_deauth_nofif(), memory allocated in p2p_parse_ies() was not
   freed in case of NULL minor_reason_code.
4. In p2p_disassoc_nofif(), memory allocated in p2p_parse_ies() was
   not freed in case of NULL minor_reason_code.
5. In p2p_process_go_neg_conf(), memory allocated was not freed in
   case that the P2P Device interface was not waiting for a
   GO Negotiation Confirm.
6. In wpa_set_pkcs11_engine_and_module_path(), the wrong pointer was
   checked.

Signed-hostap: Eytan Lifshitz <eytan.lifshitz@intel.com>
2014-01-30 14:01:31 +02:00
Jouni Malinen
d2f18378e1 WPS NFC: Add BSSID and AP channel info to Configuration Token
This information can help the Enrollee to find the AP more quickly with
an optimized scan.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:44:31 +02:00
Jouni Malinen
25ef8529c1 P2P: Add support for IP address assignment in 4-way handshake
This new mechanism allows P2P Client to request an IPv4 address from the
GO as part of the 4-way handshake to avoid use of DHCP exchange after
4-way handshake. If the new mechanism is used, the assigned IP address
is shown in the P2P-GROUP-STARTED event on the client side with
following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP
address is included in the AP-STA-CONNECTED event on the GO side as a
new ip_addr parameter. The IP address is valid for the duration of the
association.

The IP address pool for this new mechanism is configured as global
wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask,
ip_addr_star, ip_addr_end. For example:

ip_addr_go=192.168.42.1
ip_addr_mask=255.255.255.0
ip_addr_start=192.168.42.2
ip_addr_end=192.168.42.100

DHCP mechanism is expected to be enabled at the same time to support P2P
Devices that do not use the new mechanism. The easiest way of managing
the IP addresses is by splitting the IP address range into two parts and
assign a separate range for wpa_supplicant and DHCP server.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:44:26 +02:00
Jouni Malinen
14d8645f63 WPS NFC: Allow BSSID and channel to be included in handover select
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
068cdb1d98 WPS NFC: New style connection handover select from AP/Registrar
The contents of the WPS connection handover select message was modified
to include the Registrar public key hash instead of the credential.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
3189ca055d WPS NFC: Add AP mode connection handover report
The new NFC connection handover design requires the AP/Registrar to
process the connection handover request message received from the
Enrollee. Add control interface commands for handling this.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-27 21:10:55 +02:00
Jouni Malinen
5ce00d09c0 GAS server: Add support for Protected Dual of Public Action frames
When GAS is used with PMF negotiated, Protected Dual of Public Action
frames are expected to be used instead of Public Action frames, i.e.,
the GAS/ANQP frames are expected to be encrypted. Add support for this
different category of Action frames being used for GAS. The payload
after the Category field is identical, so the only change is in using
the Category field based on what was received in the request frames. For
backwards compatibility, do not enforce protected dual to be used on the
AP side, i.e., follow what the station does.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-23 11:19:55 +02:00
Jouni Malinen
7b2c42f8b9 hostapd: Fix PMF robust Action frame processing rules
Due to misplaced parenthesis, unprotected not-Robust Action frames
(e.g., Public Action frames) were dropped in handle_assoc() when such
frames were received during an association that had negotiated use of
PMF. This is not correct since only unprotected Robust Action frames
were supposed to be handled in this way.

This would have broken any Public Action frame use during PMF
association, but such frames were not really supposed to be used
currently (ANQP as the only possible use case should really use
protected dual option in such case).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-01-23 10:24:21 +02:00
Ilan Peer
a487b35572 hostapd: Fix segmentation fault when calling hostapd_cli all_sta
While iterating over the stations hostapd_ctrl_iface_sta_mib()
might be called with sta == NULL. Fix this.

Signed-hostap: Ilan Peer <ilan.peer@intel.com>
2014-01-22 19:28:57 +02:00
Janusz Dziedzic
eed65aad14 hostapd: DFS setup seg0 correctly for HT40-
Fix seg0 calculation for HT40+/HT40-.

Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-01-14 17:14:13 +02:00
Janusz Dziedzic
25592b236b hostapd: DFS/CSA check if CSA in progress
Check if CSA is already in progress, before triggering a new channel
switch.

Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2014-01-14 17:13:50 +02:00
Jouni Malinen
08081ad8ef hostapd: Skip full AP configuration validation on SET command
It is possible for the configuration to be temporarily invalid when
adding a new AP through SET commands followed by ENABLE. Avoid this
issue by using less strict validation on SET commands and perform full
configuration validation only on ENABLE. Use cases with configuration
file maintain their previous behavior, i.e., full validation after the
file has been read.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 20:23:56 +02:00
Jouni Malinen
f0cbb986ff Add DRIVER-STATUS command for hostapd
This is just like the same command in wpa_supplicant, i.e., "hostapd_cli
status driver" can be used to fetch information about the driver status
and capabilities.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:12 +02:00
Jouni Malinen
a09ffd5f2f Fix req_scan-deplete-timeout and update eloop API for this
Commit e2f5a9889a was supposed to prevent
new scan request from pushing out the old one. However, it did not
really do that since eloop_deplete_timeout() returned 0 both for the
case where the old timeout existed (and was sooner) and if the old
timeout did not exist. It returned 1 only for the case where an old
timeout did exist and was larger than the new requested value. That case
used to result in wpa_supplicant_req_scan() rescheduling the timeout,
but hew code in eloop_deplete_timeout() did the exact same thing and as
such, did not really change anything apart from the debug log message.

Extend the eloop_deplete_timeout() (and eloop_replenish_timeout() for
that matter since it is very similar) to return three different values
based on whether the timeout existed or not and if yes, whether it was
modified. This allows wpa_supplicant_req_scan() to schedule a new
timeout only in the case there was no old timeout.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-07 10:45:10 +02:00
Jouni Malinen
a1a31b6c3f Remove hostapd dump_file functionality
This debugging mechanism has now been deprecated by the control
interface commands that can be used to fetch same internal information
from hostapd in a more convenient way. Leave the empty USR1 signal
handler and configuration file parameter for backwards compatibility.
They can be removed in future versions of hostapd.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 18:15:07 +02:00
Jouni Malinen
ea23df652a Make EAPOL dump data available through ctrl_iface STA command
The per-STA/Supplicant state information from the EAPOL authenticator
is now available through "STA <MAC Address> eapol" command.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 17:49:48 +02:00
Jouni Malinen
f538be3e82 Add more STA information into the ctrl_iface STA command
This adds TX/RX statistics and information about association into the
per-STA data that is available through the hostapd control interface. In
addition, information about the EAP method is now included with the IEEE
802.1X data.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 16:58:14 +02:00
Jouni Malinen
f7fb676633 ACS: Mark acs_fail() static
This function is not used outside acs.c.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-31 22:30:49 +02:00
Jouni Malinen
5ace51a48a WNM: Clean up le16 variable use to avoid sparse warnings
intval is marked le16 and should be used through proper byte order
conversion functions even if it ended up getting set correctly due to
the two operations cancelling each other.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-31 19:41:47 +02:00
Jouni Malinen
8cf1e68c02 Move declaration of hostapd_acs_completed() into correct header file
This function is in hw_features.c and as such, should be declared in
hw_features.h.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-31 19:34:43 +02:00
Jouni Malinen
0187c41d88 Declare wpa_debug_* variables in src/utils/wpa_debug.h
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-31 19:29:52 +02:00
Jouni Malinen
fcc61230d1 Declare wpa_drivers in src/drivers/driver.h
This avoids some warnings from sparse.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-31 19:19:37 +02:00
Jouni Malinen
dbfb8e82ff Remove unnecessary EVENT_RX_ACTION
This driver event was used separately for some Action frames, but all
the driver wrappers converted to this from information that would have
been enough to indicate an EVENT_RX_MGMT event. In addition, the
received event was then converted back to a full IEEE 802.11 management
frame for processing in most cases. This is unnecessary complexity, so
get rid of the extra path and use EVENT_RX_MGMT for Action frames as
well as other management frame subtypes.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 17:18:17 +02:00
Jouni Malinen
912b34f000 Do not process Action frames twice in hostapd SME/MLME
Commit 88b32a99d3 added support for using
some Action frame processing in hostapd for drivers that handle most of
SME/MLME internally (it added FT, this has since be extended for SA
Query and WNM). However, this was added in a way that ended up getting
both the hostapd_rx_action() and hostapd_action_rx() called for Action
frames. This could result in an attempt to process FT, SA Query, and WNM
Action frames twice.

There is need for more significant cleanup in Action frame processing in
hostapd depending on the driver type, but as a simple step to avoid
issues, skip the hostapd_action_rx() call if hostapd_rx_action()
processed the frame.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 11:25:59 +02:00
Jouni Malinen
006309b546 Fix whitespace style
Commit 88b32a99d3 added couple of lines
with incorrect indentation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 11:25:59 +02:00
Jouni Malinen
0e22b8dd4c WPS: Make sure reconfiguration timeout is not left behind on deinit
Even though this is a short timeout, it is at least theoretically
possible for the interface to be removed while waiting for
reconfiguration to start. Avoid issues with this by cancelling the
timeout on any WPS interface deinit. In theory, this should be postponed
until interface removal, but that does not fit very nicely to the
current wps_hostapd.c style.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:32 +02:00
Jouni Malinen
aa189ac9dd Enable FT with SAE
It was already possible to configure hostapd and wpa_supplicant to use
FT-SAE for the key management, but number of places were missing proper
AKM checks to allow FT to be used with the new AKM.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:31 +02:00
Jouni Malinen
2d2ecf51aa nl80211: Fix protected Action frame reporting for AP mode
Action frame RX report through EVENT_RX_ACTION did not indicate whether
the frame was protected or not even though that information is available
in mlme_event_mgmt(). hostapd_rx_action() has a workaround for setting
the protected flag for SA Query frames, but that did not apply for other
frames, like FT Action. This broke FT-over-DS when PMF is enabled with
newer kernel versions (i.e., the ones that do not use monitor interface
for receiving management frames).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-29 10:00:31 +02:00
Jouni Malinen
8d321a7d4c WNM: Move disassociation imminent sending to wnm_ap.c
This gets all WNM BSS Transition Management frame building and sending
within hostapd into the same location.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-27 19:57:47 +02:00
Jouni Malinen
b76f4c2763 hostapd: Make STA flags available through ctrl_iface STA command
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-27 19:35:12 +02:00
Jouni Malinen
aa03dbd517 Remove IEEE80211_REQUIRE_AUTH_ACK
This is not really needed for anything and the standard does not require
such validation step to be made for Authentication frame transmission.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-27 19:35:12 +02:00
Jouni Malinen
121f2ab49a Remove unused STA flags
These three flags were only displayed, but never set or used for
anything else.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-27 19:35:12 +02:00
Jouni Malinen
3578e665bf WNM: Add STA flag to indicate the current WNM-Sleep-Mode state
This can be useful for displaying the current STA state and also for
determining whether some operations are likely to fail or need
additional delay.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-27 19:35:12 +02:00