Commit graph

2520 commits

Author SHA1 Message Date
Vinay Gannevaram
85e28a79ba PASN: Set secure ranging context to driver after association
After the secure association and PTK derivation are completed, if the
device supports LTF keyseed, generate the LTF keyseed using KDK and set
the ranging context to the driver by using the command
QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 17:07:56 +03:00
Vinay Gannevaram
9b62b61c68 PASN: Configure secure ranging context to the driver in AP mode
AP as a responder, on successful completion of PASN authentication
configures the required keys by using the command
QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT to the driver.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 16:25:20 +03:00
Vinay Gannevaram
24929543ba PASN: Deauthenticate on PTKSA cache entry expiration
Add an option for an alternative processing of PTKSA life time expiry.

Register a callback in wpa_supplicant to handle the life time expiry of
the keys in PTKSA cache. Send PASN deauthentication when a PTKSA cache
entry expires.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 16:18:14 +03:00
Vinay Gannevaram
580bd04cf3 Add own MAC address used for key derivation to PTKSA cache
On successful PASN handshake or 4-way handshake with a peer, PTK is
derived using the local and peer MAC addresses as input. Store the own
MAC address that is used for key derivation in PTKSA cache to maintain
that state over potential MAC addresses changes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 19:01:21 +03:00
Vinay Gannevaram
96a604128b Use separate PASN capabilities for AP and STA modes
Use separate capabilities for AP and STA modes for P802.11az security
parameters secure LTF support, secure RTT measurement exchange support,
and protection of range negotiation and measurement management frames
support.

P802.11az security parameters are considered to be supported for both
station and AP modes if the driver sets NL80211_EXT_FEATURE_SECURE_LTF,
NL80211_EXT_FEATURE_SECURE_RTT, and
NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE flags. The driver can
advertize capabilities specific to each mode using
QCA_WLAN_VENDOR_FEATURE_SECURE_LTF*,
QCA_WLAN_VENDOR_FEATURE_SECURE_RTT*, and
QCA_WLAN_VENDOR_FEATURE_PROT_RANGE_NEGO_AND_MEASURE* flags.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 18:59:52 +03:00
Jouni Malinen
1f9a988f1f DPP3: Do not initiate PKEX for PB if no configuration is available
Reorder PKEX initiation function to send out the PKEX Exchange Request
frame at the end after all possible error cases have been checked. This
prevents Enrollee from seeing a PKEX frame when the session is about to
fail.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-27 00:50:05 +03:00
Jouni Malinen
54706957e3 DPP: Fix DPP_RELAY_ADD_CONTROLLER command parsing
hostapd_dpp_add_controller() ended up trying to parse the IP address
without nul terminating it. This might work with some C libraries, but
not all. And anyway, this was already supposed to nul terminate the
string since a temporary copy is created of the constant string. Fix
this by adding the missed replacement of the space with nul.

Fixes: bfe3cfc382 ("DPP: Allow Relay connections to Controllers to be added and removed")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-26 17:27:45 +03:00
Jouni Malinen
89de431f23 DPP: Add config response status value to DPP-CONF-SENT
This can be helpful for upper layers to be able to determine whether the
configuration was rejected.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-29 18:55:37 +03:00
Jouni Malinen
e81ec0962d SAE: Use H2E unconditionally with the new AKM suites
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
f8eed2e8b8 SAE: Store PMK length and AKM in SAE data
These are needed to be able to support new AKM suites with variable
length PMK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
91df8c9c65 SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
d22dfe9187 DPP: Event message for indicating when Relay would need a Controller
The new DPP-RELAY-NEEDS-CONTROLLER control interface event can be used
to trigger mDNS discovery of a Controller to see if such a connection
can be established automatically at the time an Enrollee is trying to
initiate an operation.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
bfe3cfc382 DPP: Allow Relay connections to Controllers to be added and removed
The new control interface commands "DPP_RELAY_ADD_CONTROLLER <IP addr>
<PK hash>" and "DPP_RELAY_REMOVE_CONTROLLER <IP addr>" can now be used
to dynamically add and remove connections to Controllers for the cases
where the connection is initialized through a DPP Public Action frame
(i.e., Controller as the Responder).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
f7763880bd DPP: Advertise Configurator connectivity on Relay automatically
Instead of requiring explicit configuration through
dpp_configurator_connectivity=1, advertise Configurator connectivity
automatically if a Relay is configured with a Controller that can
operate as a Responder.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
ca682f80a9 DPP: Dynamic Controller initiated connection on Relay
Accept an incoming TCP connection from a Controller in a Relay that is
configured with dpp_relay_port even if that Controller is not configured
with a dpp_controller parameter. This allows more dynamic Controller
initiated operations, e.g., when using mDNS to discover a Relay.

This type of a dynamic Controller entry will not be used for exchanges
that are initiated by an Enrollee (i.e., based on a DPP Public Action
frame received by the Relay).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-23 16:57:54 +03:00
Jouni Malinen
d2388bcca5 DPP: Strict validation of PKEX peer bootstrapping key during auth
Verify that the peer does not change its bootstrapping key between the
PKEX exchange and the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:08:08 +03:00
Jouni Malinen
a7b8cef8b7 DPP3: Fix push button boostrapping key passing through PKEX
When PKEX was started through the push button mechanism, the own
bootstrapping key was not bound correctly to the Authentication phase
information and that ended up in incorrectly generating a new
bootstrapping key for the Authentication exchange. Fix this by added the
needed own=<id> parameter into the cached parameters when using push
button.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:06:04 +03:00
Jouni Malinen
69d7c8e6bb DPP: Add peer=id entry for PKEX-over-TCP case
The peer=<id> information about the specific boostrapping key provided
through PKEX was added for Public Action frame cases, but the TCP
variant did not do same. Add the same information there to maintain
knowledge of the specific peer bootstrapping key from PKEX to
Authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:04:08 +03:00
Jouni Malinen
1ff9251a83 DPP3: Push button Configurator in wpa_supplicant
Extend DPP push button support in wpa_supplicant to allow the role of
the Configurator to be used. This provides similar functionality to the
way the DPP_PUSH_BUTTON command in hostapd worked when providing the
configuration parameters with that command (instead of building the
config object based on current AP configuration).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 12:28:18 +03:00
Jouni Malinen
e9137950fa DPP: Recognize own PKEX Exchange Request if it ends up being received
It is possible for a Controller to receive a copy of its own PKEX
Exchange Request in the case where the Controller is initiating a PKEX
exchange through a Relay. The Configurator role in the device would have
a matching PKEX code in that case and the device might reply as a PKEX
responder which would result in going through the exchange with the
Controller device itself. That is clearly not desired, so recognize this
special case by checking whether the Encrypted Key attribute value
matches a pending locally generated one when processing a received PKEX
Exchange Request.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 20:30:07 +03:00
Jouni Malinen
15af83cf18 DPP: Delete PKEX code and identifier on success completion of PKEX
We are not supposed to reuse these without being explicitly requested to
perform PKEX again. There is not a strong use case for being able to
provision an Enrollee multiple times with PKEX, so this should have no
issues on the Enrollee. For a Configurator, there might be some use
cases that would benefit from being able to use the same code with
multiple Enrollee devices, e.g., for guess access with a laptop and a
smart phone. That case will now require a new DPP_PKEX_ADD command on
the Configurator after each completion of the provisioning exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 23:28:33 +03:00
Jouni Malinen
148de3e0dc DPP3: Private Peer Introduction protocol
Add a privacy protecting variant of the peer introduction protocol to
allow the station device to hide its Connector from 3rd parties. The new
wpa_supplicant network profile parameter dpp_connector_privacy=1 can be
used to select this alternative mechanism to the peer introduction
protocol added in the initial release of DPP.

It should be noted that the new variant does not work with older DPP APs
(i.e., requires support for release 3). As such, this new variant is
disabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
0e2217c95b DPP: Allow 3rd party information to be added into config request obj
This allows the DPP Configuration Request Object from an Enrollee to be
extended with 3rd party information. The new dpp_extra_conf_req_name and
dpp_extra_conf_req_value configuration parameters specify the name of
the added JSON node and its contents. For example:
dpp_extra_conf_req_name=org.example
dpp_extra_conf_req_value={"a":1,"b":"test"}

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-16 17:22:23 +03:00
Jouni Malinen
451ede2c31 DPP: Allow AP/Relay to be configured to listed for new TCP connections
This extends Relay functionality to allow a Controller to intitiate a
new DPP exchange in addition to the previously supported case where the
exchange was initiated through a DPP Public Action frame.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-09 13:09:04 +03:00
Jouni Malinen
7bbe859873 DPP3: Allow external configuration to be specified on AP for PB
While the most likely production use case for DPP push button is to
provision the AP's current configuration, there might be some use cases
for providing different configuration. Add possibility for doing this by
extending the DPP_PUSH_BUTTON command to accept an optional set of
parameters similarly to the other DPP commands for the Configurator.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-08 00:14:06 +03:00
Jouni Malinen
37bccfcab8 DPP3: Push button bootstrap mechanism
Add support to use a push button -based bootstrap mechanism with DPP.
The new DPP_PUSH_BUTTON control interface command enables this mode on
the AP/hostapd and station/wpa_supplicant. This goes through the
following sequence of events: a suitable peer in active push button mode
is discovered with session overlap detection, PKEX is executed with
bootstrap key hash validation, DPP authentication and configuration
exchanges are performed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-07 00:31:30 +03:00
Veerendranath Jakkam
085a3fc76e EHT: Add 320 channel width support
Add initial changes to support 320 MHz channel width.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
2022-06-20 14:39:26 +03:00
Aleti Nageshwar Reddy
bafe35df03 Move CHANWIDTH_* definitions from ieee80211_defs.h to defs.h
Move most of CHANWIDTH_* definitions from ieee80211_defs.h to defs.h as
the definitions are getting used mostly for internal purpose only. Also
change prefix of the definitions to CONF_OPER_CHWIDTH_* and update in
all the files accordingly.

Leave the couple of VHT-specific exceptions to use the old defines (the
reason why they were originally added as VHT values), to avoid use of
clearly marked configuration values in information elements. In
addition, use the defines instead of magic values where appropriate.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2022-06-20 14:39:18 +03:00
Jouni Malinen
e4015440af ProxyARP: Clear bridge parameters on deinit only if hostapd set them
Skip the x_snoop_deinit() operations if hostapd did not actually
configure the parameters in the first place. While clearing these
specific parameters is unlikely to change how they were set outside the
scope of hostapd, it is better to leave them as-is to avoid surprises if
hostapd was not configured to use ProxyARP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-31 11:53:05 +03:00
Jouni Malinen
ed325ff0f9 DPP: Allow TCP destination (address/port) to be used from peer URI
tcp_addr=from-uri can now be used as a special case for initiating
DPP-over-TCP to the destination indicated in the peer bootstrapping URI.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-19 22:53:36 +03:00
Jouni Malinen
1142b6e415 EHT: Do not check HE PHY capability info reserved fields
Only use the bandwidth bits that are applicable for the current
operating band. This avoids use of reserved bits when determining the
length of the Support EHT-MCS And NSS Set field length.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 19:39:57 +03:00
Jouni Malinen
bc36991791 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
IEEE Std 802.11-2020 is ambiguous on how the Secure bit is set in
EAPOL-Key msg 1/4 and 2/4 in the case where 4-way handshake is use to
rekey the PTK. 12.7.2 describes this with "set to 1 once the initial key
exchange is complete" while 12.7.6 shows EAPOL-Key msg 1/4 and 2/4 using
Secure=0 without any consideration on whether the handshake is for
rekeying.

TGme seems to be moving towards clarifying this to use Secure=1 based on
there being a shared PTKSA between the Authenticator and the Supplicant.
In other words, this would use Secure=1 in EAPOL-Key msg 1/4 and 2/4 in
the case of rekeying. Change implementation to match that. This bit was
already practically ignored on the reception side, so this should not
have impact on actual functionality beyond this one bit changing its
value in the frame.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 17:47:17 +03:00
Jouni Malinen
fc9648a6a1 DPP: Debug print if not relay is available for PKEX exchange
This makes it easier to see what happened with the received PKEX frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:25:09 +03:00
Jouni Malinen
77bb12a604 P2P: Maintain ip_pool bitfield index separately
Avoid the somewhat confusing mechanism of determining the bitfield index
from the assigned IP address to make this easier for static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:59:31 +03:00
Jouni Malinen
6e8518749f GAS: Limit maximum comeback delay value
Limit the GAS comeback delay to 60000 TUs, i.e., about 60 seconds. This
is mostly to silence static analyzers that complain about unbounded
value from external sources even though this is clearly bounded by being
a 16-bit value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:41:37 +03:00
Jouni Malinen
469528a6e5 BSS coloring: Fix bitmap check
BIT(r) is not sufficient here since it does not cover 64 bit values.
Write this out with 1ULL to be large enough for the shift operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:36:09 +03:00
Jouni Malinen
993eb12407 FST: Make sure get_hw_modes() callback is set for hostapd
It looks like fst_wpa_obj::get_hw_modes would have been left
uninitialized in hostapd. It is not obviously clear why this would not
have caused issues earlier, but in any case, better make this set
properly to allow unexpected behavior should that function pointer ever
be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 00:27:51 +03:00
MeiChia Chiu
96a7f38329 hostapd: Add the destination address of unsolicited Probe Response frame
Without this, hostapd generates Probe Response frames with the null
destination address when hostapd enables unsolicited Probe Response
frame transmission. Fix this to use the broadcast address instead.

Fixes: 024b4b2a29 ("AP: Unsolicited broadcast Probe Response configuration")
Signed-off-by: MeiChia Chiu <meichia.chiu@mediatek.com>
2022-05-07 21:37:08 +03:00
Jouni Malinen
8690374439 Discard unencrypted EAPOL/EAP when TK is set and PMF is enabled (AP)
RSN design is supposed to encrypt all Data frames, including EAPOL
frames, once the TK has been configured. However, there are deployed
implementations that do not really follow this design and there are
various examples from the older uses of EAPOL frame where those frames
were not encrypted. As such, strict filtering of unencrypted EAPOL
frames might results in undesired interoperation issues.

However, some of the most important cases of missing EAPOL frame
encryption should be possible to handle without causing too significant
issues. These are for cases where an attacker could potentially cause an
existing association to be dropped when PMF is used. EAPOL-Start and
EAPOL-Logoff are potential candidate for such attacks since those frames
could be used to terminate an authentication or initiate a new EAP
authentication. Such an attack could result in the station ending up
disconnecting or at minimum, getting into somewhat mismatching state
with the AP.

Drop EAPOL-Start/Logoff/EAP frames on the AP/Authenticator when it is
known that it was not encrypted but should have been and when PMF is
enabled. While it would be correct to drop this even without PMF, that
does not provide any significant benefit since it is trivial to force
disconnection in no-PMF cases. It should also be noted that not all
drivers provide information about the encryption status of the EAPOL
frames and this change has no impact with drivers that do not indicate
whether the frame was encrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
18c0ac8901 Provide information about the encryption status of received EAPOL frames
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:03 +03:00
Jouni Malinen
7ee814201b FILS: Set pairwise_set when configuring TK after association
sm->pairwise_set needs to be set whenever the TK has been configured to
the driver to request following EAPOL frames to be encrypted (or more
specifically, not to request them to not be encrypted). The FILS case
missed this setting and that could result in rekeying or
reauthentication in an associated started with FILS not working
correctly.

Fixes: da24c5aa1c ("FILS: Set TK after association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 20:36:49 +03:00
Jouni Malinen
7a7a4ea578 Check need for SA Query/assoc comeback before updating RSNE parameters
wpa_validate_wpa_ie() might update sm->* values, so it should not be
allowed for an existing STA entry if that STA has negotiated MFP to be
used for the association. Fix this by first checking whether an SA Query
procedure needs to be initiated. In particular, this prevents a
potential bypass of the disconnection protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-07 18:52:13 +03:00
Veerendranath Jakkam
27e828d728 ACS: Send EHT enabled info to driver
The driver can consider EHT specific parameters such as the puncture
pattern for ACS when this flag attribute is indicated by userspace.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:25:44 +03:00
Veerendranath Jakkam
43fe1ce35d EHT: Add [EHT] flag into AP mode STA command
This indicates whether an associated stations supports EHT.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:21:35 +03:00
Veerendranath Jakkam
4994c41f22 EHT: Indicate ieee80211be configuration in hostapd STATUS output
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:20:15 +03:00
Veerendranath Jakkam
50d8837106 EHT: Fix invalid length checking for EHT Capability element
Do not consider optional octets maximum lengths when validating EHT
fixed fields length. Furthermore, do not use the first two octets of the
PPE Thresholds field without explicitly confirming that these octets
were included in the element and fix PPE Thresholds field length
calculation.

Fixes: a6d1b4c46c ("EHT: Process (Re)Association Request frame capabilities")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:19:56 +03:00
Sunil Ravi
2c78f11a9f Fix compilation due to forward declaration of macaddr_acl
enum macaddr_acl is forward declared in wpa_supplicant/ap.h.
c++ compiler doesn't allow forward declaration. So to fix the
compilation error, moved the enum macaddr_acl declaration out
of struct hostapd_bss_config.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-05-05 13:04:13 +03:00
Jouni Malinen
a561d12d24 EAP peer status notification for server not supporting RFC 5746
Add a notification message to indicate reason for TLS handshake failure
due to the server not supporting safe renegotiation (RFC 5746).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 00:21:46 +03:00
Juliusz Sosinowicz
ca26224815 Check the return of pbkdf2_sha1() for errors
pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:13:31 +03:00
Jouni Malinen
21098e39fe EAP-SIM/AKA server: IMSI privacy
Add support for IMSI privacy in the EAP-SIM/AKA server implementation.
If the new hostapd configuration parameter imsi_privacy_key is used to
specify an RSA private key, that key will be used to decrypt encrypted
permanent identity.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:16 +03:00
Muna Sinada
c3d389b72f EHT: Channel switch command support
Add option to hostapd control interface CHAN_SWITCH command to allow
switch in EHT mode.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:44:18 +03:00
Muna Sinada
dae7940a48 EHT: Additions to hostapd_set_freq_params()
Modify hostapd_set_freq_params() to include EHT parameters and update
the calling functions to match.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:40:13 +03:00
Aloka Dixit
e646b11fea EHT: Indicate EHT support in Neighbor Report element
Set bit 21 in the neighbor report for an EHT AP as described in IEEE
P802.11be/D1.5, 9.4.2.36. Also move the check for HE outside the check
for HT as neither HT nor VHT are enabled in the 6 GHz band.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:30:26 +03:00
Aloka Dixit
f915d52dee EHT: Provide EHT capabilities in STA addition path
Add support for EHT capabilities in the addition of a new station entry
to the driver.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
a6d1b4c46c EHT: Process (Re)Association Request frame capabilities
Parse EHT capabilities sent by a non-AP STA in (Re)Association Request
frames. Validate the length of the element, matching MCS rates between
AP TX and STA RX. Store the capabilities in the station info structure.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
d54e3d0495 EHT: Add operation element in AP mode Management frames
Add EHT Operation element in Beacon, Probe Response, and (Re)Association
Response frames using the format described in IEEE P802.11be/D1.5,
9.4.2.311.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
9b7202d665 EHT: Add capabilities element in AP mode Management frames
Add EHT Capabilities element in Beacon, Probe Response, and
(Re)Association Response frames.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
a7ea721889 EHT: Add configuration options for beamforming capabilities
Add configuration options to set EHT SU/MU beamforming capabilities.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Aloka Dixit
8db3881c76 EHT: Add operating channel width configuration
Add new configuration options to configure EHT operating channel
width and center frequency.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Aloka Dixit
8dcc2139ff EHT: AP mode configuration options to enable/disable the support
Add compilation support for IEEE 802.11be along with options to enable
EHT support per radio and disable per interface.

Enabling HE is mandatory to enable EHT mode.

Tested-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Jouni Malinen
86310c2202 Set hostapd hw_mode automatically based on 6 GHz op_class
Allow hostapd configuration to specify use of the 6 GHz band with the
specific op_class values without having to set the hw_mode=a parameter
explicitly.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-29 11:19:43 +03:00
Ben Greear
f1686d7761 hostapd: Allow enabling background radar
This feature does not work on all radios that advertise this feature
with the current driver implementation, and possibly some users don't
want to use it even if it works fine, so disable it by default for now,
but let users enable it as desired with enable_background_radar=1.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2022-04-23 23:38:58 +03:00
Nicolas Escande
3a759dcc8c ACS: Honor acs_exclude_dfs with hostapd's ACS implementation
The acs_exclude_dfs parameter is documented as a way to exclude DFS
channels when performing ACS without disabling DFS altogether. The
problem is this parameter is only enforced when ACS is offloaded to the
driver (WPA_DRIVER_FLAGS_ACS_OFFLOAD). So from now on, lets also check
acs_exclude_dfs in the internal ACS implementation to exclude channels
marked with radar detection.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-04-17 19:50:23 +03:00
John Crispin
33c4dd26cd BSS coloring: Handle the collision and CCA events coming from the kernel
This commit activates the functionality of the previous commits by
handling the actual events that will trigger the CCA process.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:30:30 +03:00
John Crispin
86bd90eb37 BSS coloring: Disable BSS color during CCA
While we are doing CCA the BSS Color Disabled field inside the HE
Operation Parameters field needs to be set.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:13:51 +03:00
John Crispin
f7d0b740e7 BSS coloring: BSS Color Change Announcement element generation
This information element is similar to the CSA one. It contains a
counter and the target color. Once the counter expired, the change to
the new color happens.

Just note the current implementation is based on CCA counter attributes
that only take Beacon and Probe Response framesinto account.
(Re)Association Response frames do not currently have kernel APIs to
decrement the CCA counter since mediatek mcu firmware does not support
it yet and it will be added in future firmware release.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:13:08 +03:00
John Crispin
654d2395dd BSS coloring: Handling of collision events and triggering CCA
Add the core code for handling BSS color collision events and triggering
CCA inside the kernel. The caller of hostapd_switch_color() will be
added in the following commits.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:06:06 +03:00
Jouni Malinen
b94371af84 RADIUS attributes for EAPOL-Key message details
Use vendor specific RADIUS attributes for sending ANonce and EAPOL-Key
msg 2/4 for the wpa_psk_radius=3 case. The vendor specific attributes
for this are defined in FreeRADIUS as follows:

BEGIN-VENDOR    FreeRADIUS      format=Extended-Vendor-Specific-5
ATTRIBUTE       FreeRADIUS-802.1X-Anonce        1       octets[32]
ATTRIBUTE       FreeRADIUS-802.1X-EAPoL-Key-Msg 2       octets
END-VENDOR      FreeRADIUS

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-15 18:40:55 +03:00
Jouni Malinen
dacb6d278d Update IEEE P802.11ax draft references to published amendment
Get rid of the old references to drafts since the amendment has been
published.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-08 19:50:32 +03:00
Pradeep Kumar Chitrapu
8128ea76af Add Transmit Power Envelope element in 6 GHz
Add Transmit Power Envelope element for 6 GHz per IEEE Std
802.11ax-2021.

Currently, this uses hard coded EIRP/PSD limits which are applicable to
6 GHz operation in United states, Japan, and Korea. Support to extract
power limits from kernel data will be added after complete regulatory
support is added for the 6 GHz band.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 19:50:26 +03:00
Pradeep Kumar Chitrapu
bc3dc72a3a Extend 6 GHz Operation Info field in HE Operation element
Add new field definitions for the 6 GHz Operation Information field in
the HE Operation element per IEEE Std 802.11ax-2021, 9.4.2.249. These
will be used for TPC operation in the 6 GHz band.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 13:22:31 +03:00
Pradeep Kumar Chitrapu
0eb686637d hostapd: Add config option to specify 6 GHz regulatory AP type
IEEE Std 802.11ax-2021 introduces Regulatory Info subfield to specify
the 6 GHz access point type per regulatory. Add a user config option for
specifying this.

When not specified, Indoor AP type is selected for the 6 GHz AP by
default.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 13:19:10 +03:00
Pradeep Kumar Chitrapu
ee06165e96 hostapd: Extend Country element to support 6 GHz band
Add support for the Country element for the 6 GHz band per IEEE Std
802.11ax-2021, 9.4.2.8 (Country element).

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 12:57:46 +03:00
Jouni Malinen
f5ad972455 PASN: Fix build without CONFIG_TESTING_OPTIONS=y
force_kdk_derivation is defined within CONFIG_TESTING_OPTIONS, so need
to use matching condition when accessing it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:47:31 +03:00
Jouni Malinen
7114e56060 EAP-TLS: Testing functionality to skip protected success indication
This server side testing functionality can be used to test EAP-TLSv1.3
peer behavior.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:43:12 +03:00
Jouni Malinen
95fd54b862 Disconnect STA on continuous EAP reauth without 4-way handshake completion
It could have been possible to get into an endless loop of retried EAP
authentication followed by failing or not completed 4-way handshake if
there was a different interpretation of EAP authentication result
(success on AP, failure on STA). Avoid this by limiting the number of
consecutive EAPOL reauth attempts without completing the following 4-way
handshake.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:28:49 +03:00
Karthikeyan Kathirvel
d27f7bd946 FILS: Fix config check to allow unsolicited broadcast Probe Response
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.

Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
2022-04-05 00:33:33 +03:00
Jouni Malinen
65a3a273cd OWE: Reuse own DH private key in AP if STA tries OWE association again
This is a workaround for mac80211 behavior of retransmitting the
Association Request frames multiple times if the link layer retries
(i.e., seq# remains same) fail. The mac80211 initiated retransmission
will use a different seq# and as such, will go through duplicate
detection. If we were to change our DH key for that attempt, there would
be two different DH shared secrets and the STA would likely select the
wrong one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
576662d277 ieee802_11_auth: Coding style cleanup - NULL comparison
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
945acf3ef0 ieee802_11_auth: Coding style cleanup - no string constant splitting
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
1c3438fec4 RADIUS ACL/PSK check during 4-way handshake
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:32 +03:00
Jouni Malinen
5b5c954c04 Fix AP config check to recognize all PSK AKMs
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 16:26:02 +03:00
Chaoli Zhou
fd0d738ff4 Add return value to ACL functions
While these do not return error code within the current hostapd
implementation, matching functions in wpa_supplicant AP functionality
will have an error case and using consistent return type will make the
control interface code more consistent.

In addition, export hostapd_set_acl() in preparation for the
wpa_supplicant control interface implementation extension.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:28 +02:00
Chaoli Zhou
f5ac428116 Move ACL control interface commands into shared files
This is a step towards allowing these commands to be used from
wpa_supplicant.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 14:22:24 +02:00
Chaoli Zhou
9306956626 Add BSS-TM-QUERY event to indicate reception of BSS TM Query
This allows upper layers to learn about associated stations requesting
BSS transition management from the AP.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Chaoli Zhou
0f8c6e9955 Move BTM control interface commands into shared file
This is a step towards allowing these commands to be used from
wpa_supplicant.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Chaoli Zhou
e059d8ece8 Update the Extended Capability element to struct sta_info
Only the SME-in-hostapd case updated sta->ext_capability while the
SME-in-the-driver case updated sta->qos_map_enabled, but not other items
related to the extended capabilities. This resulted in reduced
information being available through the control interface.

Use the shared helper function for both cases to get matching
information available regardless of the SME architecture.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Jouni Malinen
ce86f2446f DFS: Remove unnecessary variable
This was not used for anything else than checking the value returned by
the called function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 21:23:54 +02:00
Lorenzo Bianconi
760a5ae26b DFS: Switch to background radar channel if available
On radar detection on the main chain switch to the channel monitored
by the background chain if we have already performed the CAC there.
If a radar pattern is reported on the background chain, just select a
new random channel according to the regulations for monitoring.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:23:10 +02:00
Lorenzo Bianconi
b63d953feb DFS: Enable CSA for background radar detection
Rely on hostapd_dfs_request_channel_switch() to enable CSA for
background radar detection switching back to the selected channel.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:15:48 +02:00
Lorenzo Bianconi
25663241c5 DFS: Introduce hostapd_dfs_request_channel_switch()
This is a preliminary patch to add Channel Switch Announcement for
background radar detection.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:12:43 +02:00
Lorenzo Bianconi
316a9dc63b DFS: Configure background radar/CAC detection
Introduce the capability to perform radar/CAC detection on an offchannel
radar chain available on some hardware (e.g., mt7915). This feature
allows to avoid CAC downtime switching on a different channel during CAC
detection on the selected radar channel.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:06:51 +02:00
Lorenzo Bianconi
effd6111b8 DFS: Rely on channel_type in dfs_downgrade_bandwidth()
Add the capability to specify all 3 channel type possibilities in
dfs_downgrade_bandwidth(). This is a preliminary change to introduce
radar/CAC background detection support.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 18:30:56 +02:00
Nicolas Escande
56a14cc720 DFS: Don't let cac_time_left_seconds overflow
There can be some discrepancy between the theorical dfs cac end (as
computed with the cac duration and cac start) and the actual cac end as
reported by the driver. During that window, the value of remaining time
outputed by the status command on the socket control interface will
display an overflowed, invalid value.
To mitigate this lets compute the remaining time as signed and display
it only when positive, otherwise defaulting it to 0.

Status command shows something like that when polling every seconds:

state=DFS
cac_time_seconds=60
cac_time_left_seconds=1
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=0
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967294
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967293
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967292
...
state=ENABLED
cac_time_seconds=60
cac_time_left_seconds=N/A

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-03-12 10:39:43 +02:00
Jouni Malinen
de64dfe98e DPP: Curve change for netAccessKey
Allow the Configurator to be configured to use a specific curve for the
netAccessKey so that it can request the Enrollee to generate a new key
during the configuration exchange to allow a compatible Connector to be
generated when the network uses a different curve than the protocol keys
used during the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 01:07:59 +02:00
Jouni Malinen
eeb72e7c9a DPP: Extend DPP_PKEX_ADD ver=<1/2> to cover Responder role
Allow PKEX v1-only or v2-only behavior to be specific for the Responder
role. This is mainly for testing purposes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-07 21:37:40 +02:00
Mario Hros
fcbdaae8a5 SAE: Add support for RADIUS passphrase as the SAE password
Allow the first Tunnel-Password RADIUS entry to be used for SAE in
addition to the sae_password entries and wpa_passphrase parameters from
the static configuration file.

Signed-off-by: Mario Hros <git@reversity.org>
2022-03-04 12:25:14 +02:00
Baligh Gasmi
3d86fcee07 cleanup: Remove unreachable code
There is no need for unreachable code in these places, so remove it.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2022-03-04 12:07:46 +02:00
Lorenzo Bianconi
0a73649b64 DFS: Add capability to select radar-only channels
Introduce type parameter to dfs_get_valid_channel() routine to allow
selection of a radar-only channel where the CAC detection has not been
performed yet. This is a preliminary patch to enable background
radar/CAC detection.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-04 01:16:01 +02:00
Lorenzo Bianconi
f39765369a DFS: Introduce dfs_set_valid_channel() utility routine
This is a preliminary change to introduce radar/CAC background detection
support.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-04 00:22:15 +02:00
Jouni Malinen
dec626109e HE: Fix invalid length checking for HE Capability element
Do not use the first octet of the PPE Thresholds field without
explicitly confirming that that octet was included in the element.
Furthermore, allow the received element to have additional octets in the
end since IEEE Std 802.11ax-2021 defines this to be an extensible
element and new fields could be added to the end of it in the future.

Fixes: 0497e41481 ("HE: Fix HE Capabilities element size")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-03 01:31:39 +02:00
Shiva Sankar Gajula
53be64f7d9 HE: Fix calculation of the PPE Threshold field length
The previously used calculation was not correct for the cases where the
extra padding field was needed. Fix this by properly calculating the
number of full octets in the field.

Fixes: 0497e41481 ("HE: Fix HE Capabilities element size")
Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
2022-03-03 01:31:39 +02:00
Jouni Malinen
738fef2f0b Clear PSK explicitly from memory in couple more cases on deinit
Couple of the WPS/P2P/RADIUS-PSK cases were freeing heap memory
allocations without explicitly clearing the PSK value. Add such clearing
for these to avoid leaving the PSK in memory after it is not needed
anymore.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
567b9764fb Clear PMK explicitly even without FT support in AP build
Unlike the other keys that were cleared here, the PMK is available
without FT support built into hostapd and as such, should be cleared in
all cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
0bd29c1768 Remove duplicated pointer check
The following if statement verifies the exact same thing here.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
1364f322bf Remove GTK/IGTK/BIGTK from memory explicitly in AP mode
Make sure these keys do not remain in memory beyond the time they are
needed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
af1f0694e1 Clear last set keys (for testing purposes) from memory explicitly
This makes it easier to scan process memory for key information that is
not supposed to remain there after the last use.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
leiwei
46c635910a MACsec: Support GCM-AES-256 cipher suite
Allow macsec_csindex to be configured and select the cipher suite when
the participant acts as a key server.

Signed-off-by: leiwei <quic_leiwei@quicinc.com>
2022-02-16 22:54:49 +02:00
Narasimha Rao PVS
a91072503c OCV: Don't start SA Query timer on CSA when SA Query is offloaded
Check driver support for SA Query offload in AP mode and skip starting
SA Query timer on CSA for OCV enabled STAs when the driver indicates
support for offloading SA Query procedures.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-09 20:32:17 +02:00
Jouni Malinen
33cb47cf01 DPP: Fix connection result reporting when using TCP
The TCP code path did not handle the postponed connection attempt on TX
status and the following result message from the Enrollee to the
Configurator. Fix this by adding TCP-versions of these operations to
match the way wpa_supplicant implemented this for the Public Action
frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-28 17:28:49 +02:00
Jouni Malinen
1822bd3789 DPP: Testing capability for invalid Protocol Version in Network Intro
This extends dpp_test functionality to allow DPP Network Introduction
exchanges to use an incorrect value in the Protocol Version attribute.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-27 18:44:07 +02:00
Jouni Malinen
d7be749335 DPP3: PKEX over TCP
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2022-01-26 00:40:09 +02:00
Jouni Malinen
bdcccbc275 DPP: Change PKEX version configuration design
Use a separate ver=<1|2> parameter to DPP_PKEX_ADD instead of
overloading init=1 with version indication. This allows additional
options for forcing v1-only and v2-only in addition to automatic mode
(start with v2 and fall back to v1, if needed).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-25 20:32:48 +02:00
Jouni Malinen
9d3f347a2b DPP3: Add PKEX initiator retries and fallback from v2 to v1 for hostapd
This extends hostapd with the design used in wpa_supplicant for PKEX
initiator retries and automatic version fallback from v2 to v1 (the
latter is enabled only with CONFIG_DPP3=y).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-24 22:58:38 +02:00
Jouni Malinen
3f67ab5871 DPP: Handle TX status events for broadcast DPP messages
Report TX status for DPP messages even if the destination address was
broadcast. This is needed to get appropriate trigger for PKEX retries.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-24 22:58:38 +02:00
Qiwei Cai
f32f99df11 P2P: Send response frame on channel where the request is received
The rx_freq of Public Action frame was not maintained by the GO and the
GO always sent the response on the operating channel. This causes
provision discovery failure when a P2P Device is sending a PD Request on
a 2.4 GHz social channel and the GO is responding on a 5 GHz operating
channel.

Save the rx_freq and use it for GO to sent the response. This extends
commit c5cc7a59ac ("Report offchannel RX frame frequency to hostapd")
to cover additional frame types.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-17 20:27:37 +02:00
peterhuang
bc24a8a09e Update supported channel width set (HT40) after channel switch
hostapd should update Supported Channel Width Set of HT Capability
Information field after channel switching done. Otherwise, it would
continue to use the old setting.

Signed-off-by: peterhuang <peterhuang@realtek.com>
2021-12-12 22:53:22 +02:00
peterhuang
ff7e403f06 Fix channel switch wrapper when switching from HT to VHT/HE
Because ieee80211ac and ieee80211ax were not updated before channel
switch is done, hostapd didn't build the Channel Switch Wrapper element
when it switched from HT to bandwidth more than 40 MHz of VHT/HE. fix
this by allowing hostapd_eid_wb_chsw_wrapper() to determine internally
when the element needs to be added based on the new channel instead of
the old configuration.

Signed-off-by: peterhuang <peterhuang@realtek.com>
2021-12-12 22:42:59 +02:00
peterhuang
5606ede121 Update ieee80211ac when channel switching
hostapd will build wrong beacon_after in hostapd_fill_csa_settings() if
it doesn't update ieee80211ac when channel switching.

Signed-off-by: peterhuang <peterhuang@realtek.com>
2021-12-12 22:36:51 +02:00
Daniel Golle
e6db1bc5da mesh: Make forwarding configurable
Allow mesh_fwding (dot11MeshForwarding) to be specified in a mesh BSS
config, pass that to the driver (only nl80211 implemented for now) and
announce forwarding capability accordingly.

Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-12-12 22:31:13 +02:00
Alan Young
5ef9277d0b ACS/DFS: Support min_tx_power configuration
If min_tx_power is specified (default 0 dBm, i.e., no constraint), ACS
and DFS will not consider channels whose available max_tx_power is less
than the configured value.

This may be useful to exclude SRD (Short Range Device) channels which
may be limited to 13.9 dBm (25 mW) in some regulatory domains.

Signed-off-by: Alan Young <consult.awy@gmail.com>
2021-12-12 22:20:18 +02:00
Jouni Malinen
b57273d069 DPP2: PKEXv2 core protocol changes
Add support for PKEXv2 core protocol. This defines a new PKEX Exchange
Request message type with protocol negotiation and different rules for
key derivation with PKEXv2 or newer is used.

This does not change existing behavior for PKEX, i.e., the PKEXv1
variant will still be used by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-07 23:26:29 +02:00
Jouni Malinen
b21b310148 DPP: Testing functionality to omit Protocol Version from Peer Discovery
Allow the dpp_test parameter to be used to request the Protocol Version
attributed to be omitted from the Peer Discovery Request/Response
message.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Jouni Malinen
341e7cd664 DPP3: Verify version match during Network Introduction
Verify that the Protocol Version attribute is used appropriate in Peer
Discovery Request/Response messages in cases where the signed Connector
includes the version information.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Jouni Malinen
f26fd5ee6c DPP3: Use Connector version instead of current version in Peer Discovery
Generate Peer Discovery Request/Response messages using the protected
version from the Connector, if present, instead of the currently
supported protocol version which might be higher than the one that got
included into the signed Connector during provisioning earlier.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Aloka Dixit
b16b88acdb RNR: Do not allow FILS Discovery and unsolicited Probe Response simultaneously
Reduced neighbor report has a field to indicate whether unsolicited
Probe Response transmission is active. Add a check to return failure if
both FILS discovery and unsolicited Probe Response are enabled at the
same time to ensure that RNR includes valid data.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 18:02:02 +02:00
Muna Sinada
15f099ec70 RNR: Allow Probe Response frame for a colocated 6 GHz AP
When a Probe Request frame from a station includes an SSID matching that
of a co-located 6 GHz AP, AP should respond with a Probe Response frame
that includes Reduced Neighbor Report element containing information
regarding the requested BSS.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:55:45 +02:00
Aloka Dixit
f17f7ca4e0 RNR: Update Beacon frames for 6 GHz colocation
Update 2.4/5 GHz Beacon frames every time Beacon frames for co-located 6
GHz AP(s) are set. This is required for 6 GHz out-of-band discovery so
that lower band Beacon frames will include RNR element with 6 GHz AP
information irrespective of the AP bring-up order. Similarly, RNR is
included in FILS Discovery frames by default in 6 GHz-only mode,
updating the Beacon frames will remove it when co-located 2.4/5 GHz
interfaces are brought up.

This change also ensures that the changes in 6 GHz AP configuration such
as new channel and bandwidth get reflected in the lower bands Beacon
frames.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:50:02 +02:00
John Crispin
01efcc2929 RNR: Addition in Beacon, Probe Response, and FILS Discovery frames
Add Reduced Neighbor Report element in Beacon, Probe Response, and FILS
Discovery frames.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:44:45 +02:00
John Crispin
0c9457ee23 RNR: Additions for a 6 GHz AP
Include Reduced Neighbor Report element in Beacon and Probe Response
frames by default if the reporting AP is 2.4/5 GHz and it is co-located
with a 6 GHz AP. Similarly, include RNR by default in FILS Discovery
frames if the AP is a standalone 6 GHz AP.

Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:33:14 +02:00
John Crispin
b2bbedcb21 RNR: Add co-located BSSes
Calculate the length and include data for the BSSes active on the same
radio as the reporting BSS in the Reduced Neighbor Report element. This
element is included in Beacon and Probe Response frames.

Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Co-developed-by: Muna Sinada <msinada@codeaurora.org>
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 00:21:29 +02:00
John Crispin
a7c152d6b8 RNR: Add data from neighbor database
Include data from the existing neighbor database in the Reduced Neighbor
Report element in Beacon frames if the configuration option 'rnr' is
enabled for the BSS.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 00:16:12 +02:00
John Crispin
847f76760a RNR: Add configuration option
Adds configuration option 'rnr' to enable the reduced neighbor report
elements in Beacon and Probe Response frames.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-08 23:57:43 +02:00
John Crispin
1b8eb39757 RNR: Add bss_parameters to the neighbor_db
Add a new field to include BSS Parameter subfield in the neighbor
database as described in IEEE Std 802.11ax-2021, Figure 9-632a (BSS
Parameters subfield format). This field holds information related to
multiple BSSID, access point co-location, and 20 TU probe response
active/inactive state.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-08 23:39:46 +02:00
John Crispin
9d0948ecc9 RNR: Short SSID assignment
Calculate and store short SSID in hostapd_data context during config
load time and in neighbor report.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-08 23:34:02 +02:00
David Bauer
979f197165 WNM: Allow specifying dialog token for BSS transition request
Adds the ability to specify the dialog token of a WNM BSS Transition
Management Request frame via the hostapd control interface.

For this, the new 'dialog_token' option can be used with the BSS_TM_REQ
command. It accepts values as an 8 bit unsigned integer. If not
specified, the dialog token is set to 1 like before.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-22 17:11:36 +03:00
Jouni Malinen
5bac420e5e DPP2: Clean up Controller on hostapd interface removal
Stop the DPP Controller instance, if one is started, when the hostapd
interface that was used to start that Controller is removed. This is
needed to remove the control pointers that point to the soon-to-be-freed
hostapd structures. This fixes an issue where a Controller operation
with multiple interfaces could have resulted in references to freed
memory if an interface is removed without explicitly stopping the DPP
Controller.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-19 00:32:02 +03:00
David Bauer
08bdf4f90d proxyarp: Fix compilation with Hotspot 2.0 disabled
The disable_dgaf config field is only available in case hostapd is
compiled with Hotspot 2.0 support (CONFIG_HS20=y), however Proxy-ARP
(CONFIG_PROXYARP=y) does not depend on Hotspot 2.0.

Only add the code related to this config field when Hotspot 2.0 is
enabled to fix compilation with the aformentioned preconditions.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-18 21:24:59 +03:00
Masashi Honma
973f3e244f Fix hostapd segfault on WPS_CONFIG control interface command to non-WPS AP
Execution of "hostapd_cli wps_config" to non-WPS AP causes segmentation
fault in hostapd.

$ hostapd_cli wps_config test WPA2PSK CCMP 12341234

wlp11s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp11s0: interface state COUNTRY_UPDATE->ENABLED
wlp11s0: AP-ENABLED
WPA_TRACE: eloop SIGSEGV - START
[1]: ./git/hostap/hostapd/hostapd(+0x6c196) [0x55b270245196]
     eloop_sigsegv_handler() ../src/utils/eloop.c:123
[2]: /lib/x86_64-linux-gnu/libc.so.6(+0x46210) [0x7f87574a7210]
[3]: ./git/hostap/hostapd/hostapd(hostapd_wps_config_ap+0x1a9) [0x55b2702ce349]
     hostapd_wps_config_ap() ../src/ap/wps_hostapd.c:1970
[4]: ./git/hostap/hostapd/hostapd(+0x90a9f) [0x55b270269a9f]
     hostapd_ctrl_iface_receive_process() ctrl_iface.c:3606
[5]: ./git/hostap/hostapd/hostapd(+0x94069) [0x55b27026d069]
     hostapd_ctrl_iface_receive() ctrl_iface.c:4093
[6]: ./git/hostap/hostapd/hostapd(+0x6c6d3) [0x55b2702456d3]
     eloop_sock_table_dispatch() ../src/utils/eloop.c:606
[7]: ./git/hostap/hostapd/hostapd(eloop_run+0x251) [0x55b2702461c1]
     eloop_sock_table_dispatch() ../src/utils/eloop.c:597
     eloop_run() ../src/utils/eloop.c:1229
[8]: ./git/hostap/hostapd/hostapd(main+0xd53) [0x55b270205773]
     hostapd_global_run() main.c:447
     main() main.c:892
[9]: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f87574880b3]
[10]: ./git/hostap/hostapd/hostapd(_start+0x2e) [0x55b2702058fe]
     _start() (null):0
WPA_TRACE: eloop SIGSEGV - END
Aborted

Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-10-14 16:37:49 +03:00
Arowa Suliman
77dd712432 Replace "dummy" with "stub" in Authenticator group keys
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:52:06 +03:00
Arowa Suliman
7b50f2f04c Replace "sanity" with "validity"
Replaced the word "sanity" with the inclusive word "validity". The
comment in acs_survey_interference_factor() was referring a function
that does not exist, so remove it instead of trying rename the function.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:25:21 +03:00
Hu Wang
41ec97cd09 HE: Use a random BSS Color if not defined in the config file
Commit 0cb39f4fd5 ("HE: Extend BSS color support") sets the BSS Color
default value to 1 as "Interoperability testing showed that stations
will require a BSS color to be set even if the feature is disabled."

A new interop issue was observed with hardcoded BSS color value of 1:
- REF device using one interface (e.g., wlan0) to connect to an HE
  AP, whose BSS color is enabled and value is 1.
- REF device using another interface (e.g., p2p0) to connect to a
  P2P GO using BSS color default settings.
  (i.e., BSS color disabled and value is 1).
- REF device checks both AP's and P2P GO's BSS Color values even though
  GO's BSS color is disabled. This causes collision of the BSS
  color somehow causing RX problems.

For DUT as a P2P GO, its firmware uses default BSS color value 1 from
wpa_supplicant, then triggers a timer (e.g., 120 s) to update its BSS
color values based on its neighboring BSSes. To reduce the likelihood of
BSS color collision with REF device before that, use a random BSS Color
if not defined in the config file.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-28 11:04:08 +03:00
Ben Wang
61c0757618 EDMG: Validate pri channel lookup result before using it
At least in theory, hw_get_channel_freq() could return NULL, so add
error handling for that.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-02 18:45:09 +03:00
David Bauer
2341585c34 ACS: Fix channel 100 frequency
Channel 100 is a valid channel to choose for 80 MHz operation. However,
it was converted to 5500 MHz, not 5550 MHz, for the 80 MHz case while
the conversion to other bandwidths was done correctly. In fact, there is
no channel assigned to this frequency 5550 MHz.

Fix this obvious typo to allow ACS to select channel 100 for 80 MHz
operation again.

Fixes: bef5eee4f7 ("Convert channel to frequency based selection for AP mode ACS")
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-08-26 16:10:26 +03:00
Shay Bar
f02ac5140c HE: Option to disable HE ER SU in HE operation in AP mode
Add option to disable 242-tone HE ER SU PPDU reception by the AP
in HE operation IE.

Signed-off-by: Shay Bar <shay.bar@celeno.com>
2021-08-25 12:45:14 +03:00
Gokul Sivakumar
63f043f4fd Generalize the function name as it is not dealing with only TX & RX params
For the function hostapd_get_sta_tx_rx(), the name
hostapd_get_sta_info() is more appropriate as it is also responsible for
getting many other STA specific params like RSSI, inactive milliseconds
along with TX and RX bytes.

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-08-25 12:27:17 +03:00
Gokul Sivakumar
3cdc6d381a mesh: Show peer connected time in the wpa_cli STA cmd output for Mesh mode
When a Mesh interface is managed by wpa_supplicant, include the peer
link connected time (secs) in the output of "sta <addr>", "all_sta"
wpa_cli cmds for each peer. This will be helpful to find when the peer
link connection got established. The NL80211_STA_INFO_CONNECTED_TIME
netlink attribute data is used for this purpose if available.

$ wpa_cli -i mesh0 all_sta
02:00:00:00:02:00
flags=[ASSOC][WMM][HT]
aid=1
capability=0x0
listen_interval=0
supported_rates=82 84 8b 96 8c 12 98 24 b0 48 60 6c
timeout_next=NULLFUNC POLL
rx_packets=77
tx_packets=3
rx_bytes=8510
tx_bytes=284
inactive_msec=104
signal=-30
rx_rate_info=65 mcs 0
tx_rate_info=65 mcs 0
ht_mcs_bitmask=ffff0000000000000000
connected_time=24
ht_caps_info=0x103c

The connected_time field in the output of "hostapd_cli -i ap0 all_sta"
cmd is not affected and it will continue to show the connected time
maintained by hostapd for each STA.

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-08-25 12:26:25 +03:00
Masashi Honma
eddcd27534 Fix some compiler warnings on 32 bit platform
../src/ap/ieee802_11.c: In function ‘pasn_wd_handle_sae_commit’:
../src/ap/ieee802_11.c:2401:60: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
                                                          ~~^
                                                          %u
       buf_len);
       ~~~~~~~
../src/ap/ieee802_11.c: In function ‘pasn_wd_handle_sae_confirm’:
../src/ap/ieee802_11.c:2477:60: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
                                                          ~~^
                                                          %u
       buf_len);
       ~~~~~~~
../src/ap/ieee802_11.c: In function ‘pasn_wd_handle_fils’:
../src/ap/ieee802_11.c:2707:62: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%lu",
                                                            ~~^
                                                            %u
       buf_len);
       ~~~~~~~

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-08-25 12:03:02 +03:00
Disha Das
1071f75395 DPP2: Fix channel 6 inclusion for chirping with non-2 GHz interfaces
When the driver provides a list of supported modes, hostapd ended up
adding channel 6 even if the 2.4 GHz mode was not included. This
resulted in incorrect behavior of trying to transmit on a not supported
channel in case of 5 GHz only radios.

Fix this by adding the channel 6 by default only if the driver does not
provide a list of supported modes. Whenever the supported modes are
available, only add this channel if it is explicitly listed as an
enabled channel.

This is similar to an earlier wpa_supplicant change in commit
8e5739c3ac ("DPP2: Check channel 6 validity before adding it to chirp
channel list").

Signed-off-by: Disha Das <dishad@codeaurora.org>
2021-07-29 20:07:52 +03:00
Jia Ding
9557ba336b AP: Don't increment auth_transaction upon SAE authentication failure
IEEE Std 802.11-2016, 12.4.7.6 specifies:

An SAE Commit message with a status code not equal to SUCCESS shall
indicate that a peer rejects a previously sent SAE Commit message.

An SAE Confirm message, with a status code not equal to SUCCESS, shall
indicate that a peer rejects a previously sent SAE Confirm message.

Thus when SAE authentication failure happens, authentication transaction
sequence number should not be incremented.

Signed-off-by: Jia Ding <jiad@codeaurora.org>
2021-07-14 18:18:47 +03:00