Commit graph

1428 commits

Author SHA1 Message Date
Jouni Malinen
6996ff7b6d hostapd: Fix Public Action frame TX status processing for wildcard BSSID
Previously all TX status events with wildcard BSSID were ignored. This
did not allow Public Action frame TX status to be processed with the
corrected wildcard BSSID use. Fix this to be allowed. In practice, this
affects only test cases since Action frame TX status was not used for
anything else.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-10 21:44:49 +03:00
Jouni Malinen
78a3632765 hostapd: Fix Public Action frame addressing (BSSID field)
IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies
that the wildcard BSSID value is used in Public Action frames that are
transmitted to a STA that is not a member of the same BSS. hostapd used
to use the actual BSSID value for all such frames regardless of whether
the destination STA is a member of the BSS.

Fix this by using the wildcard BSSID in cases the destination STA is not
a member of the BSS. Leave group addressed case as-is (i.e., the actual
BSSID), since both values are accepted. No such frames are currently
used, though.

This version is still using the AP BSSID value in the Address 3 field
for GAS response frames when replying to a GAS request with AP BSSID
instead of Wildcard BSSID. This is left as a workaround to avoid
interoperability issues with deployed STA implementations that are still
using the non-compliant address and that might be unable to process the
standard compliant case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-10 21:44:49 +03:00
Kanchanapally, Vidyullatha
cc9a2575ca nl80211: Use extended capabilities per interface type
This adds the necessary changes to support extraction and use of the
extended capabilities specified per interface type (a recent
cfg80211/nl80211 extension). If that information is available,
per-interface values will be used to override the global per-radio
value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-31 21:35:54 +03:00
Jouni Malinen
dad0129227 mesh: Support simple SAE group negotiation case
This allows the simplest case of SAE group negotiation to occur by
selecting the next available group if the peer STA indicates the
previous one was not supported. This is not yet sufficient to cover all
cases, e.g., when both STAs need to change their groups, but at least
some cases are no covered.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-05-30 21:14:08 +03:00
Jouni Malinen
9c10be3f71 mesh: Fix error path handling in init OOM cases
hostapd deinit functions were not ready to handle a case where the data
structures were not fully initialized. Make these more robust to allow
wpa_supplicant mesh implementation to use the current deinit design in
OOM error cases without causing NULL pointer dereferences.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-05-30 01:05:16 +03:00
Bala Krishna Bhamidipati
a911227061 Add assocresp_elements parameter for hostapd
This new parameter allows hostapd to add Vendor Specific elements into
(Re)Association Response frames similarly to the way vendor_elements
parameter can be used for Beacon and Probe Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-04-20 13:12:50 +03:00
Günther Kelleter
b92d2a57ef FT: Fix RRB for FT over-the-air case
Commit 66d464067d ('FT: Register RRB
l2_packet only if FT-over-DS is enabled') disabled RRB l2_packet socket
if ft_over_ds is disabled, but this socket is required for FT
over-the-air, too (FT key distribution). Enable the socket regardless of
ft_over_ds setting if FT is enabled.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2016-04-19 00:57:17 +03:00
David Spinadel
220754c553 hostapd: Add FTM range request
Add FTM range request via RRM. The AP sends Radio measurement request
with FTM range request as a request for the receiving STA to send FTM
requests to the given list of APs. The neighbor report part of the
request is taken from the neighbor database.

The control interface command is:

REQ_RANGE <dst addr> <rand_int> <min_ap> <responder> [<responder>..]

dst addr: MAC address of an associated STA
rand_int: Randomization Interval (0..65535) in TUs
min_ap: Minimum AP Count (1..15); minimum number of requested FTM ranges
	between the associated STA and the listed APs
responder: List of BSSIDs for neighboring APs for which a measurement
	is requested

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:12 +03:00
David Spinadel
f4f185a224 hostapd: Add LCI request
Add a hostapd control interface command REQ_LCI to request LCI from an
associated station using radio measurement.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:12 +03:00
David Spinadel
629e1804da hostapd: Save RM enabled capability of station
Save RM enabled capability element of an associating station if radio
measurement is supported in its capability field.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:12 +03:00
David Spinadel
2572df34b2 hostapd: Handle Neighbor Report Request frame
Process Neighbor Report Request frame and send Neighbor Report Response
frame based on the configured neighbor report data.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-17 12:29:07 +03:00
David Spinadel
061269b316 hostapd: Add own neighbor report data to neighbor database
Add own neighbor report data to neighbor database based on local LCI and
location civic data.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-16 21:05:40 +03:00
David Spinadel
9b4b226426 hostapd: Add a database of neighboring APs
Add a configurable neighbor database that includes the content of
Nighbor Report element, LCI and Location Civic subelements and SSID.

All parameters for a neighbor must be updated at once; Neighbor Report
element and SSID are mandatory, LCI and civic are optional. The age of
LCI is set to the time of neighbor update.

The control interface API is:
SET_NEIGHBOR <BSSID> <ssid=SSID> <nr=data> [lci=<data>] [civic=<data>]

To delete a neighbor use:
REMOVE_NEIGHBOR <BSSID> <SSID>

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-16 21:05:40 +03:00
David Spinadel
010182120d hostapd: Extend the configuration of RRM capabilities
Extend the radio_measurements parameter to save all the supported
RRM capabilities as it's used in RM enabled capabilities element.

Make this parameter not directly configurable via config file (though,
keep the radio_measurements parameter for some time for backwards
compatibility). Instead, add a configuration option to enable neighbor
report via radio measurements. Other features can be added later as
well.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-16 21:05:39 +03:00
David Spinadel
74e982d8d7 hostapd: Set LCI and Location Civic information in configuration
Enable configuration of LCI and location civic information in
hostapd.conf.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-09 11:18:55 +03:00
Jouni Malinen
1854eeca19 Add POLL_STA command to check connectivity in AP mode
The hostapd "POLL_STA <addr>" control interface command can be used to
check whether an associated station ACKs a QoS Data frame. The received
ACK for such a frame is reported as an event message ("AP-STA-POLL-OK
<addr>").

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-04-09 00:30:49 +03:00
Jouni Malinen
3dbfb28cfe Allow AP to disconnect STA without sending Deauth/Disassoc frame
The optional tx=0 parameter can be added to the hostapd
DEAUTHENTICATE/DISASSOCIATE command to request disconnection without
transmitting the Deauthentication/Disassociation frame to the STA.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-04-09 00:30:49 +03:00
Jouni Malinen
de92314033 Add inactive_msec into STA output
This allows external programs to fetch the driver inactivity value for a
specific STA ("STA <addr>" hostapd control interface command).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-04-09 00:30:49 +03:00
Ayala Beker
ae33239c55 AP: Pass station P2P PS capabilities info during station add/set
If a legacy client with no P2P PS support is trying to connect to
a P2P GO, the driver should know that, and change its PS behavior
accordingly.

Add a parameter to hostapd_sta_add_params() indicating if P2P PS is
supported by the station and pass this parameter to kernel with nl80211
driver when the station is added/set.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-04-08 13:02:49 +03:00
Ayala Beker
f1863f2b82 RADIUS: Fix possible memory leak when parsing per-STA passphrase
Fix a possible memory leak in decode_tunnel_passwords() if an invalid
passphrase is received from the RADIUS server.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-04-08 11:19:40 +03:00
Jouni Malinen
e1b99620c9 AP: Do not use struct ieee80211_mgmt::u.probe_req
This struct in the union is empty, but the design of using a zero-length
u8 array here is not fully compatible with C++ and can result in
undesired compiler warnings. Since there are no non-IE fields in the
Probe Request frames, get the location of the variable length IEs simply
by using the pointer to the frame header and the known header length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-04-02 16:55:01 +03:00
Jouni Malinen
795abc8e0a Drop USE_KERNEL_HEADERS define
This was only used for providing an option to use linux/if_packet.h
instgead of netpacket/packet.h in src/ap/iapp.c. However,
netpacket/packet.h is nowadays commonly available and hostapd already
depends on it through src/l2_packet/l2_packet_linux.c, so there is no
need to continue to provide this option for the kernel header.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-26 11:29:53 +02:00
Jouni Malinen
9b7cd5788a Use a separate header file for Linux bridge interface definitions
This moves the BRCTL_* defines from vlan_full.c to linux_bridge.h to
clean up header inclusion.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-26 11:27:18 +02:00
Jouni Malinen
c815fab83a Use own header file for defining Linux VLAN kernel interface
This gets rid of need to include linux/if_vlan.h and additional defines
in vlan_ioctl.c to avoid issues with missing definitions in libc
headers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-26 11:24:38 +02:00
Jörg Krause
81606ab73b vlan: Fix musl libc conflict with Linux kernel headers
Due to both <netinet/in.h> (in "utils/includes.h") and <linux/in6.h> (in
<linux/if_bridge.h>) being included, the in6_addr is being redefined:
once from the C library headers and once from the Linux kernel headers.
This causes some build failures with for example the musl C library:

In file included from /usr/include/linux/if_bridge.h:18,
                 from ../src/ap/vlan_init.c:17:
/usr/include/linux/in6.h:32: error: redefinition of 'struct in6_addr'
/usr/include/linux/in6.h:49: error: redefinition of 'struct sockaddr_in6'
/usr/include/linux/in6.h:59: error: redefinition of 'struct ipv6_mreq'

Mixing C library and Linux kernel headers is a bit problematic [1] and
should be avoided if possible [2]. In order to fix this, define just the
macros needed from <linux/if_bridge.h> as done in Busybox for the brctl
applet [3].

[1] https://sourceware.org/bugzilla/show_bug.cgi?id=15850
[2] http://www.openwall.com/lists/musl/2015/10/06/1
[3] https://git.busybox.net/busybox/commit/?id=5fa6d1a632505789409a2ba6cf8e112529f9db18

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
2016-03-26 11:02:16 +02:00
Jouni Malinen
e86859929f vlan: Move if_nametoindex() use out of vlan_init.c
With this, vlan_init.c does not need any special header files anymore
and vlan_ifconfig.c does not need hostapd-specific header files that
might conflict with net/if.h on NetBSD.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-25 18:00:44 +02:00
Jouni Malinen
7c03c08229 vlan: Move ifconfig helpers to a separate file
This removes final ioctl() use within vlan_init.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-25 17:56:07 +02:00
Jouni Malinen
59d6390440 vlan: Move CONFIG_FULL_DYNAMIC_VLAN functionality into a separate file
This cleans up vlan_init.c by removing number of C pre-processor
dependencies.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-25 17:55:40 +02:00
Jouni Malinen
0fe28ddf17 vlan: Remove unnecessary header includes from netlink implementation
The implementation in vlan_util.c does not use many of the header files
that were pulled in.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-25 17:27:16 +02:00
Jouni Malinen
84d6755108 vlan: Clean up netlink vs. ioctl API implementation
Move the ioctl-based VLAN implementation to a separate file to avoid
need for conditional blocks within vlan_ioctl.c. This removes the
internal CONFIG_VLAN_NETLINK define, i.e., this is now used only in
build configuration (.config) to select whether to include the
vlan_util.c (netlink) or vlan_ioctl.c (ioctl) implementation of the
functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-25 17:24:20 +02:00
Jörg Krause
cb38bc886e vlan: Fix musl build error
caddr_t is legacy BSD and should be avoided [1]. While glibc may still
use __caddr_t as the type, Linux kernel does not (it is "void __user *
ifru_data").

This fixes compile errors with the musl libc:

../src/ap/vlan_init.c: In function 'br_delif':
../src/ap/vlan_init.c:218:18: error: '__caddr_t' undeclared (first use in this function)
  ifr.ifr_data = (__caddr_t) args;

[1] http://stackoverflow.com/questions/6381526/what-is-the-significance-of-caddr-t-and-when-is-it-used

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
2016-03-25 16:57:05 +02:00
Jouni Malinen
8854f90bad mesh: Simplify wpa_auth_pmksa_set_to_sm()
pmksa->pmk or pmksa->pmkid cannot be NULL since they are arrays. Remove
the unnecessary NULL checks and use the provided pmksa pointer directly
to simplify the implementation. (CID 138519)

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-03-22 20:38:44 +02:00
Roy Marples
45e3fc72c6 Find correct driver for interface additions/removals
Interface additions/removals are not guaranteed to be for the driver
listening to the kernel events. As such, send the events to
wpa_supplicant_event_global() which can then pick the correct interface
registered with wpa_supplicant to send the event to.

Signed-off-by: Roy Marples <roy@marples.name>
2016-03-22 17:41:37 +02:00
Jouni Malinen
90377029c6 wpa_supplicant: Fix CONFIG_IBSS_RSN=y build without CONFIG_AP=y
Commit 1889af2e0f ('VLAN: Separate station
grouping and uplink configuration') added an ap_sta_set_vlan() function
that gets called from pmksa_cache_auth.c. This broke CONFIG_IBSS_RSN=y
build if src/ap/sta_info.c did not get included in the build, i.e., if
CONFIG_AP=y was not set.

Fix this by making the ap_sta_set_vlan() call conditional on
CONFIG_NO_VLAN being undefined and define this for CONFIG_IBSS_RSN=y
builds. This is fine for wpa_supplicant since CONFIG_AP=y case was
already defining this. For hostapd, this function call is not needed for
CONFIG_NO_VLAN case either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-21 21:12:20 +02:00
Masashi Honma
9f2cf23e2e mesh: Add support for PMKSA caching
This patch add functionality of mesh SAE PMKSA caching. If the local STA
already has peer's PMKSA entry in the cache, skip SAE authentication and
start AMPE with the cached value.

If the peer does not support PMKSA caching or does not have the local
STA's PMKSA entry in the cache, AMPE will fail and the PMKSA cache entry
of the peer will be removed. Then STA retries with ordinary SAE
authentication.

If the peer does not support PMKSA caching and the local STA uses
no_auto_peer=1, the local STA can not retry SAE authentication because
NEW_PEER_CANDIDATE event cannot start SAE authentication when
no_auto_peer=1. So this patch extends MESH_PEER_ADD command to use
duration(sec). Throughout the duration, the local STA can start SAE
authentication triggered by NEW_PEER_CANDIDATE even though
no_auto_peer=1.

This commit requires commit 70c93963ed
('SAE: Fix PMKID calculation for PMKSA cache'). Without that commit,
chosen PMK comparison will fail.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:56:38 +02:00
Masashi Honma
4c522c7798 PMKSA: Flush AP/mesh PMKSA cache by PMKSA_FLUSH command
This extends the wpa_supplicant PMKSA_FLUSH control interface command to
allow the PMKSA list from the authenticator side to be flushed for AP
and mesh mode. In addition, this adds a hostapd PMKSA_FLUSH control
interface command to flush the PMKSA entries.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:37:53 +02:00
Masashi Honma
b8daac18a4 PMKSA: Show AP/mesh PMKSA list in PMKSA command
This extends the wpa_supplicant PMKSA control interface command to allow
the PMKSA list from the authenticator side to be listed for AP and mesh
mode. In addition, this adds a hostapd PMKSA control interface command
to show the same list for the AP case.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-03-20 17:37:53 +02:00
Zefir Kurtisi
3bd58861ae hostapd: Handle running out of DFS channels
In scenarios where only DFS channels are available (e.g., outdoor,
special country codes), hostapd must be able to handle situations
where all are unavailable.

The two possibilities to get there are
1) while operating on the last available DFS channel a radar is
   detected
2) hostapd is started while all channels are unavailable

In both cases, hostapd instead of terminating should better
wait for the NOPs to pass and re-try operation after the CAC.

This patch provides that feature by using the condition
(iface->state == HAPD_IFACE_DFS && !iface->cac_started)
as NOP mode signature to retry operation from within
hostapd_dfs_nop_finished().

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2016-03-08 12:16:37 +02:00
Eliad Peller
6448e06415 hostapd: Allow use of driver-generated interface addresses
Add a new 'use_driver_iface_addr' configuration parameter to allow use
of the default interface address generated by the driver on interface
creation. This can be useful when specific MAC addresses were allocated
to the device and we want to use them for multi-BSS operation.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2016-03-06 20:00:40 +02:00
Eliad Peller
f2accfe708 AP: Save EAPOL received before Association Response ACK
There is a race condition in which AP might receive the EAPOL-Start
frame (from the just-associated station) before the TX completion of the
Association Response frame. This in turn will cause the EAPOL-Start
frame to get dropped, and potentially failing the connection.

Solve this by saving EAPOL frames from authenticated-but-not-associated
stations, and handling them during the Association Response frame TX
completion processing.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2016-03-06 17:08:12 +02:00
Janusz Dziedzic
56885eecf4 hostapd: Add UDP support for ctrl_iface
Add UDP support for ctrl_iface:

New config option could be set:
CONFIG_CTRL_IFACE=udp
CONFIG_CTRL_IFACE=udp-remote
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote

And hostapd_cli usage:
hostapd_cli -i localhost:8877

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-05 17:44:37 +02:00
Janusz Dziedzic
89b781bc89 hostapd: Use common functions for ctrl_iface
Use the common functions, structures when UNIX socket ctrl_iface used.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2016-03-05 17:15:05 +02:00
Peng Xu
e1d00d47c7 Add error handling for offloaded ACS with vendor command failures
In case vendor ACS command returns invalid channel or hardware mode,
complete the interface setup with an error code instead of simply
return, so that hostapd can properly clean up the interface setup.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-03-03 12:19:43 +02:00
Jouni Malinen
debde14b5b RADIUS: Add Acct-Delay-Time into accounting messages
This tells to the server how long we have been trying to transmit the
message so that the actual time of the message generation can be
determined from receive time (ignoring network delays and only at
accuracy of one second).

For interim updates, only value 0 is used since there are no
retransmissions of the same message. For other accounting messages, the
initial attempt goes out with value 0 and the retransmissions, if
needed, show the number of seconds the message has been waiting in the
queue.

Update the Identifier and Authenticator in the messages whenever
updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-29 17:43:13 +02:00
Jouni Malinen
669b5324e1 RADIUS: Update full message for interim accounting updates
Instead of using the RADIUS client retransmission design with the old
RADIUS message contents for each retry, trigger a completely new interim
accounting update instance more quickly (using the same schedule as
RADIUS message retransmissions) to improve accounting updates in cases
where RADIUS message delivery fails. This allows the server to get up to
date information from the time the "retry" message was sent instead of
the old information from the time the first failed attempt was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-29 11:52:16 +02:00
Jouni Malinen
902c07a7af Replace hostapd_mac_comp_empty() with is_zero_ether_addr()
There is no need to maintain two implementations of the functionality.
is_zero_ether_addr() is easier to understand, so use it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-28 20:11:58 +02:00
Michael Braun
5aef495fda VLAN: Avoid use of libnl cache
Using rtnl_link_alloc_cache() is expensive as it fills in all configured
links. Using rtnl_link_get_kernel() is much more lightweight.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 20:05:17 +02:00
Michael Braun
170c545ab4 FT: Check destination MAC address on RRB receive
As the Linux variant of l2_packet_init() does not use its own_addr
argument and l2_packet_receive() does not filter on destination MAC
address, this needs to be checked in the callback.

If there are multiple BSSes listening for FT RRB packets, all their
BSSIDs need to be local to the bridge interface. As l2_packet_init() is
going to receive all of them going for any local address, those RRB
messages started turning up on BSSes that were not destinated for and
cluttering logs.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 19:23:17 +02:00
Michael Braun
57b2c9140c RADIUS: Allow RADIUS server to provide PSK instead of passphrase
If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.

This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 19:06:49 +02:00
Michael Braun
d8912fd80e Cache hashed passphrase in RADIUS-based PSK delivery
Instead of copying the full struct hostapd_sta_wpa_psk_short, share the
existing entry and use reference counting to check when it needs to be
freed. This allows caching of PSKs derived from passphrases to avoid
having to perform the heavy hashing operation multiple times.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 19:06:45 +02:00
Michael Braun
f8e09bc57e Defer passphrase-to-PSK hashing out of 802.11 authentication ACL check
Hashing takes quite some time (can be about one second on a low-power
CPU for each passphrase provided), so hostapd can easily hit the 900 ms
Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can
be fixed by storing the passphrase instead of PSK with the STA and defer
the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.

This applies for the case where a RADIUS server is used to store the
per-STA passphrases and this passphrase is delivered as part of the MAC
ACL check during IEEE 802.11 Authentication frame processing.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 18:46:05 +02:00
Michael Braun
cc9c805a51 VLAN: Use stack instead of heap allocation for new interface name
The VLAN ifname is limited to the maximum length of IFNAMSIZ, so there
is no need to use heap allocation for it.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 18:29:58 +02:00
Michael Braun
d48d1b88d0 FT: Use BSSID as r1_key_holder if no value is configured
r1_key_holder is an identifier that was always set to zero if unless
configured before.

See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
 "R1KH-ID is a MAC address of the holder of the PMK-R1 in the
  Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
 "Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
  identifier within the mobility domain."
 "The R1KH-ID shall be set to a MAC address of the physical entity
  that stores the PMK-R1 ..."

Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 17:56:42 +02:00
Michael Braun
71456dbdf2 FT: Check hapd->wpa_auth before RRB internal delivery
A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.

Fix this by checking hapd->wpa_auth before delivery.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 17:45:45 +02:00
Michael Braun
0270bdedcc FT: Fix R0KH-R1KH protocol data length values
The FT RRB hostapd packets have a length field. For PULL frames, it
counted the bytes starting with nonce and up to the last before pad. For
RESP frames, it counted the bytes starting with nonce and up to the last
before pad except for 2 bytes. For PUSH frames, it counted the bytes
starting with nonce and up to including pad.

As rounding is done with AES encryption, including pad does not make
sense. Not including the last field before pad does not make sense
either. These were broken in the earlier addition of the 2 octet
pairwise field in commit 1b484d60e5 ('FT:
Include pairwise cipher suite in PMK-R0 SA and PMK-R1 SA').

AES encryption is not affected, as rounding hides the differences. The
packets data_length field is not used, so the differences have no effect
there.

This patch changes the constants to match the bytes used, thus excluding
the pad. To validate the changes, look at remainder modulo 8 of the sum
of the size constants and the padding sizes.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 15:43:50 +02:00
Jouni Malinen
adf0478e8e AP: Store STA supported operating classes information
This makes hostapd track Supported Operating Classes information from
the associated STAs. The stored information is available through the STA
control interface command (supp_op_classes row) as a hexdump of the
Supported Operating Classes element starting from the Length field. This
information can be used as input to BSS transition management and
channel switching decisions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-24 12:20:31 +02:00
Dedy Lansky
077dcfb8c4 AP: Debug print management frame TX result
Inside management frame TX status callback, print the TX result where it
was missing. This is useful for debugging management frame drops.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
2016-02-22 21:51:19 +02:00
Jouni Malinen
ca911d61f3 MBO: Parse non-preferred channel list on the AP
This adds parsing of non-preferred channel list on an MBO AP. The
information in (Re)Association Request and WNM Notification Request
frames is parsed to get the initial value and updates from each
associated MBO STA. The parsed information is available through the STA
control interface command non_pref_chan[i] rows.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 21:17:38 +02:00
Jouni Malinen
3f48274d0e WNM: Fix a memory leak on AP error path
If the second memory allocation in ieee802_11_send_wnmsleep_resp() were
to fail and ieee80211_11_get_tfs_ie() succeed, the wnmtfs_ie allocation
would not have been freed on the error path.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Michael Braun
f5ca1766dc VLAN: Fix vlan_compare() for tagged VLANs
While refactoring VLAN comparison into vlan_compare(), it was overlooked
that modifications are needed for tagged VLAN support.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-22 19:53:05 +02:00
Jouni Malinen
4c572281ed MBO: Mandate use of PMF for WPA2+MBO association (AP)
If WPA2 and MBO are enabled, PMF needs to be enabled in hostapd
configuration. If PMF is optional in the configuration, an MBO STA is
required to negotiate use of PMF.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
8dd49f0cff MBO: Update STA cellular data capability based on WNM Notification
This makes hostapd parse a received WNM Notification Request frame
subelements and if a WFA MBO cellular data capability subelement is
seen, update the cellular data capability for the STA.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
6332aaf3b2 MBO: Track STA cellular data capability from association request
This makes hostapd parse the MBO attribute in (Re)Association Request
frame and track the cellular data capability (mbo_cell_capa=<val> in STA
control interface command).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
f3cb7a6969 WNM: Minimal processing for WNM Notification Request frames on AP
Write debug log entries on receiving WNM Notification Request frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
e578343457 MBO: Indicate WNM-Notification support on AP when MBO is enabled
This is needed to allow MBO STAs to send WNM Notification Request
frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:05 +02:00
Jouni Malinen
990b7b6f38 Simplify hostapd_build_ap_extra_ies() with helper functions
This removes multiple copies of wpabuf_resize() following by
wpabuf_put_{buf,data}() with the help of two simple helper functions.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-22 19:53:04 +02:00
Avraham Stern
c0e2a172a7 hostapd: Add MBO IE to BSS Transition Management Request frame
Add an option to add MBO IE to BSS Transition Management Request frame.
The MBO IE includes the transition reason code, cellular data connection
preference, and, if the disassoc imminent bit is set, it may also
include re-association retry delay. Otherwise, the re-association retry
delay should be set to zero.

The additional BSS_TM_REQ argument uses the following format:
mbo=<reason>:<reassoc delay>:<cell pref>
reason: 0-9
reassoc delay: 0-65535 (seconds; 0 = disabled)
cell pref: 0, 1, 255

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2016-02-22 19:53:04 +02:00
Avraham Stern
fb9a1c3e28 hostapd: Add MBO IE to Beacon, Probe Response, Association Response
Add MBO IE with AP capability attribute to Beacon, Probe Response, and
(Re)Association Response frames to indicate the AP supports MBO.

Add option to add Association Disallowed attribute to Beacon, Probe
Response, and (Re)Association Response frames. Usage:

SET mbo_assoc_disallow <reason code>

Valid reason code values are between 1-5. Setting the reason code to
0 will remove the Association Disallowed attribute from the MBO IE
and will allow new associations.

MBO functionality is enabled by setting "mbo=1" in the config file.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2016-02-22 19:53:04 +02:00
Jouni Malinen
75cc211d6b VLAN: Check vlan_desc validity in a failure debug print
The recent VLAN changes added an explicit code path that sets vlan_desc
= NULL within ap_sta_set_vlan(). This makes some code analyzers warn
about the debug print that could potentially dereference this pointer.
Silence that warning by verifying the pointer more consistently within
this function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-20 19:22:43 +02:00
Nick Lowe
43022abdb9 Use 64-bit TX/RX byte counters for statistics
If the driver supports 64-bit TX/RX byte counters, use them directly.
The old 32-bit counter extension is maintained for backwards
compatibility with older drivers.

For nl80211 driver interface, the newer NL80211_STA_INFO_RX_BYTES64 and
NL80211_STA_INFO_TX_BYTES64 attributes are used when available. This
resolves the race vulnerable 32-bit value wrap/overflow. Rework RADIUS
accounting to use these for Acct-Input-Octets, Acct-Input-Gigawords,
Acct-Output-Octets, and Acct-Output-Gigawords, these values are often
used for billing purposes.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-20 19:03:10 +02:00
Andrei Otcheretianski
3f81ac0762 AP: Set STA assoc flag in the driver before sending Assoc Resp frame
Previously, stations were added to the driver only after the
(Re)Association Response frame was acked. In the time period between the
station has acked the (Re)Association Response frame and the time the
station was added to the kernel, the station can already start sending
Data frames, which will be dropped by the hardware/driver. In addition
to the data loss, the driver may ignore NDPs with PM bit set from this
STA.

Fix this by setting/adding the STA with associated flag set to the
driver before the AP sends the (Re)Association Response frame with
status success. If the (Re)Association Response frame wasn't acked,
remove the station from the driver.

Note that setting a station to associated state before the non-AP
station acknowledges the (Re)Association Response frame is not compliant
with the IEEE 802.11 standard that specifically states that a non-AP
station should transition to authenticated/associated state only after
it acknowledged the (Re)Association Response frame. However, this is a
justifiable simplification to work around the issue described above since

1. The station will be removed in case it does not acknowledge the
   (Re)Association Response frame.
2. All Data frames would be dropped until the station is set to
   authorized state and there are no known issues with processing the
   other Class 3 frames during the short window before the
   acknowledgement is seen.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2016-02-20 18:25:13 +02:00
Ayala Beker
bb598c3bdd AP: Add support for full station state
Add support for drivers that support full AP client state, i.e., can
handle adding stations that are not associated yet. For such drivers,
add a station after processing the authentication request, instead of
adding it in the association response callback.

Doing so is beneficial in cases where the driver cannot handle the add
station request, in which case it is useless to perform the complete
connection establishment.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-20 18:25:13 +02:00
Nick Lowe
239952b4da DFS: Remove the os_random() fallback
Remove the fallback dependency on os_random() from the code that gets a
valid DFS channel. This is exceptionally unlikely to ever be called as
the call to os_get_random() is unlikely to fail. The intention is to
facilitate future removal of os_random() as it uses a low quality PRNG.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-19 18:44:40 +02:00
Nick Lowe
98a516eae8 WPS: Use only os_get_random() for PIN generation
Remove the fallback dependency on os_random() when generating a WPS pin.
This is exceptionally unlikely to ever be called as the call to
os_get_random() is unlikely to fail. The intention is to facilitate
future removal of os_random() as it uses a low quality PRNG.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-19 18:44:40 +02:00
Nick Lowe
f441e5af77 Use os_get_random() for Shared Key authentication challenge
Do not use the system clock or os_random() that uses a low quality PRNG
as part of the pseudo-random challenge in auth_shared_key(). The
construction can be improved upon by replacing it with a call to
os_get_random(), which uses a high quality PRNG.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-19 18:44:40 +02:00
Nick Lowe
8c676b5056 Add RADIUS Service-Type attribute with a value of Framed
This seems to be the common value used by APs and also mentioned in RFC
3580.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-19 18:44:39 +02:00
Masashi Honma
09d96de09e mesh: Drop Authentication frames from BLOCKED STA
Previously, only mesh Action frames from BLOCKED STA were dropped.
Extend that to drop Authentication frames as well.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-18 21:27:06 +02:00
Masashi Honma
70c93963ed SAE: Fix PMKID calculation for PMKSA cache
The SAE PMKID is calculated with IEEE Std 802.11-2012 11.3.5.4, but the
PMKID was re-calculated with 11.6.1.3 and saved into PMKSA cache. Fix
this to save the PMKID calculated with 11.3.5.4 into the PMKSA cache.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-02-18 21:07:47 +02:00
Nick Lowe
1492fbb90c Print Acct-Session-Id and Acct-Multi-Session-Id 64-bit values
These are now 64-bit variables and the printf formats and type casts
need to be updated to match.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-18 20:58:21 +02:00
Roy Marples
a5a3efccc2 Fix compile on NetBSD for vlan
Shuffle includes above system ones so to fix a compile issue
on NetBSD where the if_type #define from <net/if.h>
conflicts with the wpa_driver_if_type enum.

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-18 17:09:14 +02:00
Michael Braun
8be640b780 VLAN: Add per-STA vif option
This allows the stations to be assigned to their own vif. It does not
need dynamic_vlan to be set. Make hostapd call ap_sta_set_vlan even if
!vlan_desc.notempty, so vlan_id can be assigned regardless.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
d0bdc96bdd VLAN: Actually add tagged VLANs to AP_VLAN
This makes vlan_newlink() and vlan_dellink() add tagged VLANs to AP_VLAN
interfaces as given by struct vlan_description.

hostapd_vlan_if_remove() is done in vlan_dellink() as tagged interfaces
need to be removed before the interface can be deleted and a DELLINK
message can be generated.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
f9c00188ca VLAN: Factor out per-vid code in newlink/dellink
To prepare for adding tagged VLAN support in vlan_init.c, vlan_newlink()
and vlan_dellink() are split into multiple functions. This reduces
indention and eases adding tagged VLANs as well.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
8e44c192da radius: Add tagged VLAN parsing
1. Add tagged VLAN to struct vlan_description
    (compile limited number of tagged VLANs per description)
    For k tagged VLANs, the first k entries in vlan_description.tagged
    are used. They are sorted in ascending order. All other entries are
    zero. This way os_memcmp() can find identical configurations.
2. Let tagged VLANs be parsed from RADIUS Access-Accept
3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
1889af2e0f VLAN: Separate station grouping and uplink configuration
Separate uplink configuration (IEEE 802.1q VID) and grouping of stations
into AP_VLAN interfaces.

The int vlan_id will continue to identify the AP_VLAN interface the
station should be assigned to. Each AP_VLAN interface corresponds to an
instance of struct hostapd_vlan that is uniquely identified by int
vlan_id within an BSS.

New: Each station and struct hostapd_vlan holds a struct
vlan_description vlan_desc member that describes the uplink
configuration requested. Currently this is just an int untagged IEEE
802.1q VID, but can be extended to tagged VLANs and other settings
easily.

When the station was about to be assigned its vlan_id, vlan_desc and
vlan_id will now be set simultaneously by ap_sta_set_vlan(). So
sta->vlan_id can still be tested for whether the station needs to be
moved to an AP_VLAN interface.

To ease addition of tagged VLAN support, a member notempty is added to
struct vlan_description. Is is set to 1 if an untagged or tagged VLAN
assignment is requested and needs to be validated. The inverted form
allows os_zalloc() to initialize an empty description.

Though not depended on by the code, vlan_id assignment ensures:
  * vlan_id = 0 will continue to mean no AP_VLAN interface
  * vlan_id < 4096 will continue to mean vlan_id = untagged vlan id
    with no per_sta_vif and no extra tagged vlan.
  * vlan_id > 4096 will be used for per_sta_vif and/or tagged vlans.

This way struct wpa_group and drivers API do not need to be changed in
order to implement tagged VLANs or per_sta_vif support.

DYNAMIC_VLAN_* will refer to (struct vlan_description).notempty only,
thus grouping of the stations for per_sta_vif can be used with
DYNAMIC_VLAN_DISABLED, but not with CONFIG_NO_VLAN, as struct
hostapd_vlan is still used to manage AP_VLAN interfaces.

MAX_VLAN_ID will be checked in hostapd_vlan_valid and during setup of
VLAN interfaces and refer to IEEE 802.1q VID. VLAN_ID_WILDCARD will
continue to refer to int vlan_id.

Renaming vlan_id to vlan_desc when type changed from int to struct
vlan_description was avoided when vlan_id was also used in a way that
did not depend on its type (for example, when passed to another
function).

Output of "VLAN ID %d" continues to refer to int vlan_id, while "VLAN
%d" will refer to untagged IEEE 802.1q VID.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:11 +02:00
Lior David
b907491281 wpa_supplicant: Basic support for PBSS/PCP
PBSS (Personal Basic Service Set) is a new BSS type for DMG
networks. It is similar to infrastructure BSS, having an AP-like
entity called PCP (PBSS Control Point), but it has few differences.
PBSS support is mandatory for IEEE 802.11ad devices.

Add a new "pbss" argument to network block. The argument is used
in the following scenarios:
1. When network has mode=2 (AP), when pbss flag is set will start
as a PCP instead of an AP.
2. When network has mode=0 (station), when pbss flag is set will
connect to PCP instead of AP.

The function wpa_scan_res_match() was modified to match BSS according to
the pbss flag in the network block (wpa_ssid structure). When pbss flag
is set it will match only PCPs, and when it is clear it will match only
APs.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-02-08 22:23:56 +02:00
Srinivasa Duvvuri
9684c7567e mesh: Fix peer link counting when a mesh peer reconnects
When a mesh point reconnects by starting from Authentication frame
sequence, the plink count was not decremented from its last connection.
This resulted in leaking peer link count and causing wpa_supplicant to
reject the connection after max_peer_links (default: 99) reconnects.

This was reproduced by pre-configuring 2 mesh points with mesh
credentials. Boot both mesh points and make sure they connect to each
other. Then in a loop reboot one of the mesh points after it
successfully connects while leaving the other mesh point up and running.
After 99 iterations the supplicant on mesh point that is not rebooting
will reject the connection request from the other mesh point.

Fix this by decrementing num_plinks when freeing a STA entry that is
still in PLINK_ESTAB state.

Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
2016-02-06 21:22:29 +02:00
Jouni Malinen
1fc63fe299 RADIUS: Share a single function for generating session IDs
There is no need to maintain three copies of this functionality even if
it is currently implemented as a single function call.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-06 17:19:35 +02:00
Nick Lowe
2cbc6ffb3a RADIUS: Redesign Request Authenticator generation
Simplify and make properly random the generation of the Request
Authenticator.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:19:35 +02:00
Nick Lowe
b71a64aa01 Send an Acct-Multi-Session-Id attribute in Access-Request packets
Previously, this was included only in Accounting-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:13:21 +02:00
Nick Lowe
4260e1a1ff Add Acct-Session-Id to Accounting-On/Off
An Acct-Session-Id is required on Accounting-On and Accounting-Off forms
of Accounting-Request.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:11:01 +02:00
Nick Lowe
d72a00539c RADIUS: Use more likely unique accounting Acct-{,Multi-}Session-Id
Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to
give better global and temporal uniqueness. Previously, only 32-bits of
the Acct-Session-Id would contain random data, the other 32-bits would
be incremented. Previously, the Acct-Multi-Session-Id would not use
random data. Switch from two u32 variables to a single u64 for the
Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves
no legitimate purpose. Exclusively use os_get_random() to get quality
random numbers, do not use or mix in the time. Inherently take a
dependency on /dev/urandom working properly therefore. Remove the global
Acct-Session-Id and Acct-Multi-Session-Id values that serve no
legitimate purpose.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:10:19 +02:00
Jouni Malinen
d689317ddb EAPOL auth: Move radius_cui/identity freeing to eapol_auth_free()
These can get allocated within eapol_auth_alloc(), so it is more logical
to free them in eapol_auth_free() instead of ieee802_1x_free_station()
that ends up calling eapol_auth_free().

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-06 16:32:22 +02:00
Nick Lowe
9b6177a891 Add Event-Timestamp to all Accounting-Request packets
Event-Timestamp should be sent for all Accounting-Request packets and
only after the system clock has a sane value, not where there's a value
close to the Unix time epoch.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 01:24:59 +02:00
Max Stepanov
d179089b6d GAS: Calculate response buffer length of ANQP elements
Calculate the required length needed for the extra ANQP elements added
to GAS response buffer instead of using fixed size and truncating the
response if there was not sufficient space.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2016-02-06 01:19:32 +02:00
Nick Lowe
479f46c4c2 Do not send Acct-Authentic in Accounting-On/Off
Acct-Authentic is used to indicate how the user was authenticated and as
such, should not be sent in Accounting-On and Accounting-Off.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-05 18:06:33 +02:00
Nick Lowe
696544efed RADIUS: Do not include Acct-Terminate-Cause in Accounting-On/Off
Per RFC 2866, 5.10, it is invalid to send Acct-Terminate-Cause in
Accounting-On and Accounting-Off (this is included only when
Acct-Status-Type is set to Stop).

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-05 17:59:07 +02:00
Eduardo Abinader
236053e532 Make fallback from HT40 to HT20 work
Ensure that if it is not possible to configure an allowed 20 MHz
channel pair, hostapd falls back to a single 20 MHz channel.

Signed-off-by: Eduardo Abinader <eabinader@ocedo.com>
2016-02-05 17:52:47 +02:00
Jouni Malinen
03a72eacda VHT: Add an interoperability workaround for 80+80 and 160 MHz channels
Number of deployed 80 MHz capable VHT stations that do not support 80+80
and 160 MHz bandwidths seem to misbehave when trying to connect to an AP
that advertises 80+80 or 160 MHz channel bandwidth in the VHT Operation
element. To avoid such issues with deployed devices, modify the design
based on newly proposed IEEE 802.11 standard changes.

This allows poorly implemented VHT 80 MHz stations to connect with the
AP in 80 MHz mode. 80+80 and 160 MHz capable stations need to support
the new workaround mechanism to allow full bandwidth to be used.
However, there are more or less no impacted station with 80+80/160
capability deployed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-02 00:09:19 +02:00
Jouni Malinen
03269d558a AP: Print interface name in more STA events
This makes it easier to follow a debug log from a hostapd process that
manages multiple interfaces.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 19:32:49 +02:00
Jouni Malinen
9e8fde2134 AP: Fix Deauth/Disassoc TX status timeout handling
The ap_sta_deauth_cb and ap_sta_disassoc_cb eloop timeouts are used to
clear a disconnecting STA from the kernel driver if the STA did not ACK
the Deauthentication/Disassociation frame from the AP within two
seconds. However, it was possible for a STA to not ACK such a frame,
e.g., when the disconnection happened due to hostapd pruning old
associations from other BSSes and the STA was not on the old channel
anymore. If that same STA then started a new authentication/association
with the BSS, the two second timeout could trigger during this new
association and result in the STA entry getting removed from the kernel.

Fix this by canceling these eloop timeouts when receiving an indication
of a new authentication or association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-15 19:32:49 +02:00
Jouni Malinen
12a81b64e1 ACS: Remove unreachable case from a debug print
n_chans can have only values 1, 2, or 4 in this function, so the -1 case
could never be reached. Remove the unreachable case to get rid of static
analyzer warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-07 16:50:53 +02:00
Jouni Malinen
896607d36b Remove a pointer check that can never be true
chan is set to the result of pointer arithmetic (pointer to an entry in
an array) that can never be NULL. As such, there is no need to check for
it to be non-NULL before deference. Remove this check to avoid
complaints from static analyzers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-07 16:47:17 +02:00
Jouni Malinen
a95cc47a92 ACS: Be more consistent with iface->current_mode checks
Offloading of ACS to the driver changed the design a bit in a way that
iface->current_mode could actually be NULL when the offloaded ACS
mechanism supports band selection in addition to channel selection. This
resulted in a combination that is too complex for static analyzers to
notice. While acs_init() can be called with iface->current_mode == NULL
that is only in the case where WPA_DRIVER_FLAGS_ACS_OFFLOAD is in use.
In other words, the actual ACS functions like acs_cleanup() that would
dereference iface->current_mode are not used in such a case.

Get rid of static analyzer warnings by explicitly checking
iface->current_mode in acs_init() for the case where ACS offloading is
not used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-01-07 16:39:10 +02:00
Jouni Malinen
4f6cd3f426 Fix wpa_supplicant AP mode P2P IE handling if P2P is disabled
If P2P support is included in wpa_supplicant build (CONFIG_P2P=y), but
P2P functionality is explicitly disabled (e.g., "P2P_SET disabled 1"),
couple of AP management frame processing steps did not check against
hapd->p2p_group being NULL and could end up dereferencing a NULL pointer
if a Probe Request frame or (Re)Association Request frame was received
with a P2P IE in it. Fix this by skipping these steps if hapd->p2p_group
is NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-01 17:12:43 +02:00
Jouni Malinen
db671e0aee WPS: Do not build Credential with unsupported encr combination on AP
It was possible for the Registrar code to generate a Credential with
auth type WPAPSK (i.e., WPA v1) with encr type AES if the Enrollee
claimed support for WPAPSK and not WPA2PSK while the AP was configured
in mixed mode WPAPSK+WPA2PSK regardless of how wpa_pairwise (vs.
rsn_pairwise) was set since encr type was selected from the union of
wpa_pairwise and rsn_pairwise. This could result in the Enrollee
receiving a Credential that it could then not use with the AP.

Fix this by masking the encryption types separately on AP based on the
wpa_pairwise/rsn_pairwise configuration. In the example case described
above, the Credential would get auth=WPAPSK encr=TKIP instead of
auth=WPAPSK encr=AES.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-01 13:42:04 +02:00
Jouni Malinen
d7c3347f59 HS 2.0: Postpone WNM-Notification sending by 100 ms
This makes it somewhat easier for the station to be able to receive and
process the encrypted WNM-Notification frames that the AP previously
sentt immediately after receiving EAPOL-Key msg 4/4. While the station
is supposed to have the TK configured for receive before sending out
EAPOL-Key msg 4/4, not many actual implementations do that. As such,
there is a race condition in being able to configure the key at the
station and the AP sending out the first encrypted frame after EAPOL-Key
4/4. The extra 100 ms time here makes it more likely for the station to
have managed to configure the key in time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 21:46:08 +02:00
Tomasz Bursztyka
d99097177a wpa_supplicant: Enable Automatic Channel Selection support for AP mode
Since hostapd supports ACS now, let's enable its support in
wpa_supplicant as well when starting AP mode.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
[u.oelmann@pengutronix.de: adjusted added text in defconfig]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
2015-12-24 22:24:05 +02:00
Tomasz Bursztyka
96bc508684 Handle survey event properly in wpa_supplicant
Let's reuse hostapd code for such handling. This will be useful to get
ACS support into wpa_supplicant where this one needs to handle the
survey event so it fills in the result ACS subsystem will require.

Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
[u.oelmann@pengutronix.de: rebased series from hostap_2_1~944 to master]
Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de>
2015-12-24 21:35:54 +02:00
Jouni Malinen
5bd9be4d17 Fix RADIUS Called-Station-Id to not escape SSID
Commit 986de33d5c ('Convert remaining SSID
routines from char* to u8*') started using wpa_ssid_txt() to print out
the SSID for the Called-Station-Id attribute in RADIUS messages. This
was further modified by commit 6bc1f95613
('Use printf escaping in SSID-to-printable-string conversion') to use
printf escaping (though, even without this, wpa_ssid_txt() would have
masked characters).

This is not desired for Called-Station-Id attribute. While it is defined
as a "String", RFC 2865 indicates that "a robust implementation SHOULD
support the field as undistinguished octets.".

Copy the SSID as an array of arbitrary octets into Called-Station-Id to
avoid any kind of masking or escaping behavior. This goes a step further
from the initial implementation by allowing even the possible (but
unlikely in practical use cases) 0x00 octet in the middle of an SSID.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 12:15:36 +02:00
Jouni Malinen
5addb0df59 Server configuration for OCSP stapling with ocsp_multi (RFC 6961)
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 19:42:07 +02:00
Jouni Malinen
a587666cba GAS server: Replenish temporary STA entry timeout on comeback request
Previously, the five second timeout was added at the beginning of the
full GAS query and it was not replenished during fragmented exchanges.
This could result in timing out a query if it takes significant time to
go through the possibly multiple fragments and long comeback delay.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 19:43:23 +02:00
Jouni Malinen
9257610a6e FT: Fix FTIE generation for EAPOL-Key msg 3/4
This FTIE needs to be an exact copy of the one in (Re)Association
Response frame. Copy the stored element rather than building a new copy
that would not have the correct MIC value. This is needed to fix PTK
rekeying after FT protocol run.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 00:14:36 +02:00
Jouni Malinen
e44bd28cd1 FT: Fix sm->assoc_resp_ftie storing on the AP side
The FTIE from (Re)Association Response frame was copied before
calculating the MIC. This resulted in incorrect value being used when
comparing the EAPOL-Key msg 2/4 value in case PTK rekeying was used
after FT protocol run. Fix this by storing the element after the MIC
field has been filled in.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 00:14:35 +02:00
Jouni Malinen
59e78c2408 FT: Fix FTIE generation for 4-way handshake after FT protocol run
wpa_insert_pmkid() did not support cases where the original RSN IE
included any PMKIDs. That case can happen when PTK rekeying through
4-way handshake is used after FT protocol run. Such a 4-way handshake
used to fail with wpa_supplicant being unable to build the EAPOL-Key msg
2/4.

Fix this by extending wpa_insert_pmkid() to support removal of the old
PMKIDs, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 00:14:35 +02:00
Rajkumar Manoharan
3c417499e7 hostapd: Add Transmit Power Envelope IE when VHT is enabled
Add Transmit Power Envelope element defined in IEEE P802.11-REVmc/D4.3,
8.4.2.161.

Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
2015-11-26 20:40:24 +02:00
Avraham Stern
d8a3b66d7f driver: Make setting up AP optional when creating AP interface
When an AP interface it created, it is also setup and subscribes
for management frames etc. However, when the interface is added by
wpa_supplicant, setting up for AP operations is redundant because
it will be done by wpa_supplicant on wpa_drv_init() when setting
the interface mode to AP.

In addition, it may cause wpa_supplicant to fail initializing the
interface as it will try to subscribe for management frames on this
interface but the interface is already registered.

Change this, so when adding an AP interface, make setting up the AP
optional, and use it only when the interface is added by hostapd but not
when it is added by wpa_supplicant.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2015-11-22 17:42:59 +02:00
Alexander Bondar
6bdc43c4db AP: Avoid 20/40 MHz co-ex scan if PRI/SEC switch is not allowed
When an AP is started on the 5.2 GHz band with 40 MHz bandwidth, a
scan is issued in order to handle 20/40 MHz coexistence. However,
the scan is issued even if iface->conf->no_pri_sec_switch is set,
which is redundant.

Fix this by checking iface->conf->no_pri_sec_switch before starting
the scan.

Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
2015-11-21 18:42:53 +02:00
Jouni Malinen
f68d491b0a FT auth: Fix EAPOL reauthentication after FT protocol run
The EAPOL AUTH_PAE state machine was left in incomplete state at the
completion of FT protocol. Set portValid = TRUE to allow the state
machine to proceed from AUTHENTICATING to AUTHENTICATED state, so that a
new EAPOL reauthentication can be triggered.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-19 21:16:06 +02:00
Anton Nayshtut
0603bcb7fe hostapd: Process MAC ACLs on a station association event (SME in driver)
Now hostapd will use station MAC-based permissions according to the
macaddr_acl policy also for drivers which use AP SME offload, but do not
support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It
should be noted that in this type of case the association goes through
and the station gets disconnected immediately after that.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-17 12:38:32 +02:00
Frederic Leroy
7b0f5500b0 eap_sim_db: Implement eap_sim_db_expire_pending()
Expire pending DB request for EAP-SIM/AKA/AKA'. Timeout defaults to 1
second and is user configurable in hostapd.conf (eap_sim_db_timeout).

Signed-off-by: Frederic Leroy <frederic.leroy@b-com.com>
2015-10-31 16:28:16 +02:00
Srinivasa Duvvuri
053693d266 hostapd: Add feature to start all interfaces at the same time in sync
When multiple interfaces across mutiple radios are started using a
single instance of hostapd, they all come up at different times
depending upon how long the ACS and HT scan take on each radio. This
will result in stations (that already have the AP profile) associating
with the first interfaces that comes up. For example in a dual band
radio case (2G and 5G) with ACS enabled, 2G always comes up first
because the ACS scan takes less time on 2G and this results in all
stations associating with the 2G interface first.

This feature brings up all the interfaces at the same time. The list of
interfaces specified via hostapd.conf files on the command line are all
marked as sync interfaces. All the interfaces are synchronized in
hostapd_setup_interface_complete().

This feature is turned on with '-S' commmand line option.

Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
2015-10-28 19:47:17 +02:00
Jouni Malinen
f88bcad015 GAS server: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
1e72ba2e61 RSN auth: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
a5a2f252cb AP: Avoid undefined behavior in pointer arithmetic in IE parsing
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
1166b20c95 Add Framed-IP-Address to Accounting-Request if STA address is known
The recently added ProxyARP support (proxy_arp=1) in hostapd allows a
STA IPv4 address to be learned from DHCP or ARP messages. If that
information is available, add it to Account-Request messages in
Framed-IP-Address attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 19:53:29 +03:00
Jouni Malinen
9b7a1bd7ed Option to reduce Probe Response frame responses during max STA
The new hostapd configuration parameter no_probe_resp_if_max_sta=1 can
be used to request hostapd not to reply to broadcast Probe Request
frames from unassociated STA if there is no room for additional stations
(max_num_sta). This can be used to discourage a STA from trying to
associate with this AP if the association would be rejected due to
maximum STA limit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 19:30:49 +03:00
Jouni Malinen
207976f053 Fix Suite B 192-bit AKM to use proper PMK length
In addition to the PTK length increasing, the length of the PMK was
increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was
missing from the initial implementation and a fixed length (256-bit) PMK
was used for all AKMs.

Fix this by adding more complete support for variable length PMK and use
384 bits from MSK instead of 256 bits when using this AKM. This is not
backwards compatible with the earlier implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 18:43:26 +03:00
Jouni Malinen
ae7d9fbd3d Remove unreachable PMKSA cache entry addition on Access-Accept
The previous implementation used an obsolete sm->eapol_key_crypt pointer
which was not set anywhere (i.e., was always NULL). In addition, the
condition of sm->eap_if->eapKeyAvailable was not valid here since this
is the case of MSK from an external authentication server and not the
internal EAP server. Consequently, the wpa_auth_pmksa_add() call here
was never used.

The PMKSA cache was still added, but it happened at the completion of
the 4-way handshake rather than at the completion of EAP authentication.
That later location looks better, so delete the unreachable code in
Access-Accept handling. In addition, remove the now complete unused
struct eapol_state_machine eapol_key_* variables.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 18:43:26 +03:00
Jouni Malinen
1b822f52e6 hostapd: Fix WPA, IEEE 802.1X, and WPS deinit in cases where init fails
With driver wrappers that implement set_privacy(), set_generic_elem(),
set_ieee8021x(), or set_ap_wps_ie(), it was possible to hit a NULL
pointer dereference in error cases where interface setup failed and
the network configuration used WPA/WPA2, IEEE 802.1X, or WPS.

Fix this by skipping the driver operations in case the driver interface
is not initialized.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 18:42:07 +03:00
Jouni Malinen
695dbbea88 Interworking: Add support for configuring arbitrary ANQP-elements
The new hostapd configuration parameter anqp_elem can now be used to
configure arbitrary ANQP-elements for the GAS/ANQP server. In addition
to supporting new elements, this can be used to override previously
supported elements if some special values are needed (mainly for testing
purposes).

The parameter uses following format:
anqp_elem=<InfoID>:<hexdump of payload>

For example, AP Geospatial Location ANQP-element with unknown location:
anqp_elem=265:0000
and AP Civic Location ANQP-element with unknown location:
anqp_elem=266:000000

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-07 17:07:21 +03:00
Dmitry Ivanov
9b285081ff Wait longer for inactive client probe (empty data frame)
Some devices cannot respond to inactive client probe (empty data frame)
within one second. For example, iPhone may take up to 3 secs. This
becomes a significant problem when ap_max_inactivity is set to lower
value such as 10 secs. iPhone can lose Wi-Fi connection after ~1 min
of user inactivity.

Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
2015-10-06 23:09:55 +03:00
Bob Copeland
681753f23c mesh: Generate proper AID for peer
IEEE Std 802.11-2012 13.3.1 states that the AID should be generated on
the local node for each peer. Previously, we were using the peer link ID
(generated by the peer) which may not be unique among all peers. Correct
this by reusing the AP AID generation code.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
2015-10-06 01:27:29 +03:00
Michael Braun
41d621075e Remove WEP support from VLAN
Commit d66dcb0d0b ('WEP: Remove VLAN
support from hostapd') already removed VLAN support for WEP encryption,
so vlan_setup_encryption_dyn() is no longer needed.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-10-06 01:27:27 +03:00
Michael Braun
7cebc8e210 Fix init of group state machine for static VLANs
This ensures that group key is set as long as the interface exists.

Additionally, ifconfig_up is needed as wpa_group will enter
FATAL_FAILURE if the interface is still down. Also vlan_remove_dynamic()
is moved after wpa_auth_sta_deinit() so vlan_remove_dynamic() can check
it was the last user of the wpa_group.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-10-06 01:25:36 +03:00
Johannes Berg
2b6e121676 hostapd: Add testing option to use only ECSA
Some APs don't include a CSA IE when an ECSA IE is generated,
and mac80211 used to fail following their channel switch. Add
a testing option to hostapd to allow reproducing the behavior.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-10-03 21:37:17 +03:00
Andrei Otcheretianski
fa53d74c9e Handle VHT operating classes correctly
Fix and extend the ieee80211_freq_to_channel_ext() function to deal
correctly with VHT operating classes (128, 129, 130).

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 21:35:08 +03:00
Luciano Coelho
7d82170aba Set channel and operating class in hostapd_fill_csa_settings()
The CSA channel and operating class values need to be set for all types
of channel switch (i.e., either if it's triggered by the control
interfaces or due to the GO-follows-STA flow). To do so, move the code
that sets them from the GO-follows-STA flow to the more generic
hostapd_fill_csa_settings() function.

Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
2015-10-03 21:26:23 +03:00
Luciano Coelho
d308a44fcc Use ieee80211_freq_to_chan() when getting segment indices
The hostapd_hw_get_channel() function can't be used to convert center
frequencies to channel numbers, because the hw mode lists don't have all
the center frequencies. The hw mode lists have the main channel
frequencies and flags to indicate the channel topography.

For instance, channel 5805 with VHT80- has the channel center frequency
segment 0 at 5775. This segment is only indicated indirectly in the hw
mode list by the HOSTAPD_CHAN_VHT_50_30 flag. The hw mode list doesn't
have any elements with frequency 5775 to allow the conversion to a
channel number. Thus, we need to use ieee80211_freq_to_chan() instead.

Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
2015-10-03 21:19:09 +03:00
Andrei Otcheretianski
95e551c5f7 Provide an offset to CSA counters in Probe Response frames
Pass to the driver a list of CSA counter offsets when sending Probe
Response frames during a CSA period. This allows the kernel to correctly
update the CSA/eCSA elements.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 21:08:22 +03:00
Andrei Otcheretianski
2d3943ce5b nl80211: Specify CSA offsets in send_mlme() driver op
Some management frames contain CSA counters which should be updated by
kernel. Change driver op send_mlme() allowing to send a frame,
specifying an array of offsets to the CSA counters which should be
updated. For example, CSA offsets parameters should be specified when
sending Probe Response frames during CSA period.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 21:07:35 +03:00
Andrei Otcheretianski
c0d94d6118 Advertise Supported Operating Classes elements in Beacon/Probe Response
Advertise current operating class in Beacon and Probe Response frames.
This Supported Operating Classes element is required by the standard
when extended channel switch is supported. However, since this element
doesn't reflect correctly the sub-band spectrum breakdown and can't be
effectively used by clients, publish only the minimal required part
which is the current operating class.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 21:01:49 +03:00
Andrei Otcheretianski
38d9048fa8 Fix CSA related IEs order
Fix the order of CSA, eCSA, Secondary Channel Offset, and Wide Bandwidth
Channel Switch Wrapper elements in Beacon and Probe Response frames.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 21:01:47 +03:00
Andrei Otcheretianski
967791fe60 Move HT CSA related IE function
Move Secondary Channel element function to ieee802_11_ht.c.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 20:31:30 +03:00
Andrei Otcheretianski
98b0508121 P2P: Implement P2P_GO_FREQ_MOVE_SCM_ECSA policy
Add new GO frequency move policy. The P2P_GO_FREQ_MOVE_SCM_ECSA prefers
SCM if all the clients advertise eCSA support and the candidate
frequency is one of the group common frequencies.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 20:30:40 +03:00
Ilan Peer
4e0ab656d2 Move hostapd_csa_in_progress() to hostapd.c
Move hostapd_csa_in_progress() to hostapd.{h,c} so it can be used
for contexts other than DFS.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-10-03 20:19:06 +03:00
Andrei Otcheretianski
6315bfdba2 Add support for eCSA
Extended channel switch provides an ability to switch between operating
classes and is required for P2P Devices by the P2P specification when
switching in 5 GHz.

When the operating class is provided for channel switch, the AP/P2P GO
will use eCSA IE in addition to the regular CSA IE both on 2.4 GHz and 5
GHz bands.

Transitions between different hw_modes are not supported.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 20:00:50 +03:00
Andrei Otcheretianski
366179d218 nl80211: Suppport multiple CSA counters
Channel switch may be performed using both CSA and eCSA IEs together.
This may happen, for example with a P2P GO on band A with legacy
clients. Extend driver API to support up to 2 CSA counters.

This patch also includes the required implementation for nl80211.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 19:56:08 +03:00
Andrei Otcheretianski
982896ffef Support VHT channel width change for CSA
When building Beacon and Probe Response frames for the target channel,
consider bandwidth parameter for VHT channels. In addition, add support
for updating vht_oper_centr_freq_seg0_idx and
vht_oper_centr_freq_seg1_idx.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 19:50:22 +03:00
Andrei Otcheretianski
244d4d8bff Add Wide Bandwidth Channel Switch element
When switching to a VHT channel with width greater than 20 MHz, add Wide
Bandwidth Channel Switch element. This element is added in Beacon and
Probe Response frames inside Channel Switch Wrapper element.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 19:40:46 +03:00
Andrei Otcheretianski
9438e9c785 Use previously computed channel in cs_freq_params for Beacon frames
When CSA is started, hostapd_change_config_freq() computes the channel
from the provided frequency. Use this stored channel to add CSA IE in
Beacon frames, instead of recomputing the channel each time.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2015-10-03 19:02:49 +03:00
Jouni Malinen
2976715217 Do not clear RSN parameters before full configuration
This fixes an issue where hostapd SET command is used to configure RSN
parameters and the wpa parameter is sent after the other parameters.
Previously, the default case here ended up clearing rsn_pairwise and
wpa_pairwise values and once wpa=2 was finally set, the cipher
configuration had already been lost.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-27 15:55:11 +03:00
Ashok Raj Nagarajan
28ffd21c07 Do not copy STA VHT capabilities if VHT is not enabled for AP
Previously, station's VHT information elements were copied and passed
regardless of the AP's VHT configuration. As a result, AP with VHT
disabled in configuration could have ended up transmitting packets in
VHT rates though AP is not advertising VHT support. Fix this by copying
the station's VHT capabilities only when AP supports VHT (both hardware
and configuration).

Signed-off-by: Ashok Raj Nagarajan <arnagara@qti.qualcomm.com>
2015-09-23 12:09:35 +03:00
Chen, Yi
24fd20438f WPS: Fix num_probereq_cb clearing on DISABLE to avoid segfault
Reset hapd->num_probereq_cb to 0 on an interface deinit to avoid
unexpected behavior if the same interface is enabled again without fully
freeing the data structures. hostapd_register_probereq_cb() increments
hapd->num_probereq_cb by one and leaves all old values unchanged. In
this deinit+init case, that would result in the first entry in the list
having an uninitialized pointer and the next Probe Request frame
processing would likely cause the process to terminate on segmentation
fault.

This issue could be hit when hostapd was used with WPS enabled (non-zero
wps_state configuration parameter) and control interface command DISABLE
and ENABLE were used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-09-07 20:51:58 +03:00
Masashi Honma
8a51dcbc2f mesh: Rename IE field to clarify its use
This is used only for RSNE.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-09-05 21:15:53 +03:00
Jouni Malinen
b308a304d4 Add station tracking based on other management frame subtypes
This extends the previous tracking design to add a station entry based
on other management frames than Probe Request frames. For example, this
covers a case where the station is using passive scanning.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-05 19:38:06 +03:00
Jouni Malinen
0e2412d086 Add option to reject authentication on 2.4 GHz from dualband STA
The new no_auth_if_seen_on=<ifname> parameter can now be used to
configure hostapd to reject authentication from a station that was seen
on another radio.

This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to reject
authentication attempts from a station that has been detected to be
capable of operating on another band, e.g., to try to reduce likelihood
of the station selecting a 2.4 GHz BSS when the AP operates both a 2.4
GHz and 5 GHz BSS concurrently.

Note: Enabling this can cause connectivity issues and increase latency for
connecting with the AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-05 19:11:02 +03:00
Jouni Malinen
964f64e2ee Add option to ignore Probe Request frames on 2.4 GHz from dualband STA
The new no_probe_resp_if_seen_on=<ifname> parameter can now be used to
configure hostapd to not reply to group-addressed Probe Request from a
station that was seen on another radio.

This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to restrict Probe
Request frame handling from replying to group-addressed Probe Request
frames from a station that has been detected to be capable of operating
on another band, e.g., to try to reduce likelihood of the station
selecting a 2.4 GHz BSS when the AP operates both a 2.4 GHz and 5 GHz
BSS concurrently.

Note: Enabling this can cause connectivity issues and increase latency
for discovering the AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-05 17:53:15 +03:00
Jouni Malinen
a65a9b8d67 hostapd: Add mechanism to track unconnected stations
hostapd can now be configured to track unconnected stations based on
Probe Request frames seen from them. This can be used, e.g., to detect
dualband capable station before they have associated. Such information
could then be used to provide guidance on which colocated BSS to use in
case of a dualband AP that operates concurrently on multiple bands under
the control of a single hostapd process.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-05 17:11:11 +03:00
Vasanthakumar Thiagarajan
8065377199 Do not advertise DSSS/CCK support in 40 MHz for 5 GHz band
DSSS/CCK rate support in 40 MHz has to be set to 0 for 5 GHz band since
this mechanism is designed only for the 2.4 GHz band. Clear
HT_CAP_INFO_DSSS_CCK40MHZ in ht_capab when the configured mode is
neither 11b nor 11g.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qti.qualcomm.com>
2015-09-05 01:14:01 +03:00
Jouni Malinen
bb119228b0 Remove unnecessary enum typedef from wpa_auth_sm_event()
This is more consistent with the expected coding style.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-28 16:34:38 +03:00
Jouni Malinen
43f49c3788 EAPOL auth: Avoid recursive wpa_sm_step() on WPA_DEAUTH case
It was possible for wpa_auth_sm_event(WPA_DEAUTH) to be called from
wpa_sm_step() iteration in the case the EAPOL authenticator state
machine ended up requesting the station to be disconnected. This
resulted in unnecessary recursive call to wpa_sm_step(). Avoid this by
using the already running call to process the state change.

It was possible to hit this sequence in the hwsim test case
ap_wpa2_eap_eke_server_oom.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-28 16:32:14 +03:00
Jouni Malinen
681e199dfb EAP server: Add tls_session_lifetime configuration
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
9c3380d776 Remove duplicated sta_authorized_cb call
Commit 6959145b86 ('FST: Integration into
hostapd') introduced this duplicated call due to an incorrect merge
conflict resolution in ap_sta_set_authorized(). An earlier commit
61fc90483f ('P2P: Handle improper WPS
termination on GO during group formation') had moved this call to an
earlier location in the function and there is no point in re-introducing
another copy of the call at the end of the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-17 00:18:32 +03:00
Jouni Malinen
e1938ba934 WPS: Fix multi-interface WPS operations in hostapd
Couple of the for-each-interface loops used incorrect return value when
skipping over non-WPS interfaces. This could result in skipping some WPS
interfaces in the loop and returning error. Setting AP PIN did not check
for WPS being enabled at all and trigger a NULL pointer dereference if
non-WPS interface was enabled.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-16 23:14:44 +03:00
Jouni Malinen
bc02843e75 hostapd: Add testing option to override own WPA/RSN IE(s)
This allows the new own_ie_override=<hexdump> configuration parameter to
be used to replace the normally generated WPA/RSN IE(s) for testing
purposes in CONFIG_TESTING_OPTIONS=y builds.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-08 18:18:03 +03:00
Jouni Malinen
44fa5e747b FT: Remove optional fields from RSNE when using PMF
The PMKIDCount, PMKID List, and Group Management Cipher Suite fields are
optional to include in the RSNE in cases where these would not have
values that are different from the default values. In practice,
PMKIDCount is always 0 in Beacon and Probe Response frames, so the only
field of these that could have a non-default value is Group Management
Cipher Suite. When BIP is used, that field is not needed either due to
BIP being the default cipher when PMF is enabled.

Remove these fields from RSNE when BIP is used to save six octets in
Beacon and Probe Response frames. In addition to reduced frame length,
this is a workaround for interoperability issues with iOS 8.4 in cases
where FT and PMF are enabled. iOS seems to be rejecting EAPOL-Key msg
3/4 during FT initial mobility domain association if the RSNE includes
the PMKIDCount field.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-06 20:47:26 +03:00
Jouni Malinen
7e97d813ee WPS: Reject AP settings with invalid network key (PSK/passphrase)
This is similar to the earlier commit
b363121a20 ('WPS: Reject invalid
credential more cleanly'), but for the AP cases where AP settings are
being replaced. Previously, the new settings were taken into use even if
the invalid PSK/passphrase had to be removed. Now, the settings are
rejected with such an invalid configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-06 20:47:25 +03:00
Jouni Malinen
84bcb4e7a9 FST: Mark fst_ies buffer const
This buffer is owned by the FST module, so mark it const in the
set_ies() callback to make it clearer which component is responsible for
modifying and freeing this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-08-03 17:40:30 +03:00
Masashi Honma
ecd40fef74 mesh: Fix mesh SAE auth on low spec devices
The mesh SAE auth often fails with master branch. By bisect I found
commit eb5fee0bf5 ('SAE: Add side-channel
protection to PWE derivation with ECC') causes this issue. This does not
mean the commit has a bug. This is just a CPU resource issue.

After the commit, sae_derive_pwe_ecc() spends 101(msec) on my PC (Intel
Atom N270 1.6GHz). But dot11RSNASAERetransPeriod is 40(msec). So
auth_sae_retransmit_timer() is always called and it can causes
continuous frame exchanges. Before the commit, it was 23(msec).

On the IEEE 802.11 spec, the default value of dot11RSNASAERetransPeriod
is defined as 40(msec). But it looks short because generally mesh
functionality will be used on low spec devices. Indeed Raspberry Pi B+
(ARM ARM1176JZF-S 700MHz) requires 287(msec) for new
sae_derive_pwe_ecc().

So this patch makes the default to 1000(msec) and makes it configurable.

This issue does not occur on infrastructure SAE because the
dot11RSNASAERetransPeriod is not used on it.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-08-02 21:37:10 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
e03e56c3d6 Comment out EAPOL-Key WEP support in CONFIG_FIPS=y build
This avoids a call to hmac_md5() to fix the build. The EAPOL-Key frame
TX code is not applicable for any FIPS mode operation, so the simplest
approach is to remove this from the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:49:34 +03:00
Jouni Malinen
bfc284c5c7 Make ieee802_1x_tx_key() static
This is used only within ieee802_1x.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:45:18 +03:00
Peng Xu
d0cdccd307 Fix generating offloaded ACS channel list when hw_mode is set to any
When ACS is offloaded to device driver and the hw_mode parameter is set
to any, the current_mode structure is NULL which fails the ACS command.
Fix this by populating the ACS channel list with channels from all bands
when current_mode is NULL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-28 23:22:24 +03:00
Jouni Malinen
94edea89fd FST: Print reason for ignoring FST Action frame in debug log
This makes it easier to understand why some frames are not processed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-25 23:20:33 +03:00
Ashok Ponnaiah
8659e33342 atheros: Enable PMF functionality without CONFIG_IEEE80211R=y
This extends the previous PMF (CONFIG_IEEE80211W=y) design that used
functionality from the FT (CONFIG_IEEE80211R=y) changes to work without
requiring CONFIG_IEEE80211R=y build option to be included.

Signed-off-by: Ashok Ponnaiah <aponnaia@qti.qualcomm.com>
2015-07-24 16:55:16 +03:00
Jouni Malinen
48b06c17fa drv_callbacks: Coding style cleanup
Clean up inconsistent whitespace use and split strings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-22 19:56:04 +03:00
Jouni Malinen
de74489276 Move ap_list_timer() to use common AP periodic cleanup mechanism
This reduces number of periodic eloop timeouts when AP mode operations
are in progress.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-20 13:42:35 +03:00
Jouni Malinen
22fd2822f9 Move hostapd_acl_expire() to use common AP periodic cleanup mechanism
This reduces number of periodic eloop timeouts when AP mode operations
are in progress.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-20 13:39:22 +03:00
Jouni Malinen
3188aabaf1 Add shared periodic cleanup function for AP mode
This new mechanism can be used to combine multiple periodic AP
(including P2P GO) task into a single eloop timeout to minimize number
of wakeups for the process. hostapd gets its own periodic caller and
wpa_supplicant uses the previously added timer to trigger these calls.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-20 13:33:30 +03:00
Jouni Malinen
a0f04da517 FST: Mark get_mb_ie() return value const
The caller is not expected to free or modify the value since this is
returning a reference to a buffer maintained by the upper layer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-18 17:23:55 +03:00
PavanKumar N
fab51186dc Allow driver to be set in hostapd through global control interface
This extends the hostapd global control interface ADD command to allow
driver wrapper to be specified ("ADD <ifname> <ctrl_iface> <driver>").
Previously, this case that did not use a configuration file allowed only
the default driver wrapper to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-17 23:54:29 +03:00
Jouni Malinen
66d464067d FT: Register RRB l2_packet only if FT-over-DS is enabled
There is no need to waste resources for this packet socket if FT-over-DS
is disabled or when operating P2P GO or AP mode in wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-17 11:16:15 +03:00
Anton Nayshtut
8bae489f15 FST: Do not prune STAs belonging to the same FST
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
347827ff6e FST: Add FST IEs into AP mode management frames
This adds the FST IEs received from the FST module into Beacon, Probe
Response, and (Re)Association Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
037378ff31 FST: Send FST Action frames to AP mode processing
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
8e9a8b0f8c FST: hostapd control interface
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
6959145b86 FST: Integration into hostapd
This commit integrates the FST into the hostapd.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
ae667c0827 FST: Store MB IEs from (Re)Association Request
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
104bef453b FST: hostapd configuration parameters
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Anton Nayshtut
ee1e3f57b5 hostapd: Global control interface notifications
This commit implements hostapd global control interface notifications
infrastructure. hostapd global control interface clients issue
ATTACH/DETACH commands to register and deregister with hostapd
correspondingly - the same way as for any other hostapd/wpa_supplicant
control interface.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 12:33:29 +03:00
Jouni Malinen
cf6fd19b34 ndisc_snoop: Avoid misaligned read of IPv6 address
The IPv6 address in the frame buffer may not be 32-bit aligned, so use a
local copy to align this before reading the address with 32-bit reads
(s6_addr32[]).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-07-07 16:25:06 +03:00
Jouni Malinen
aac1efec34 Reject the initial 4-way handshake if initial GTK setup fails
This makes the AP/Authenticator design more robust against unexpected
failures in random number generation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-29 23:23:56 +03:00
Jouni Malinen
55413ce072 P2P: Do not allow 40 MHz co-ex PRI/SEC switch to force MCC
Do not allow 40 MHz co-ex PRI/SEC switch to force us to change our PRI
channel if we have an existing connection on the selected PRI channel
since doing multi-channel concurrency is likely to cause more harm than
using different PRI/SEC selection in environment with multiple BSSes on
these two channels with mixed 20 MHz or PRI channel selection.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-28 18:14:58 +03:00
Jouni Malinen
6a58444d27 SAE: Verify that own/peer commit-scalar and COMMIT-ELEMENT are different
This check explicitly for reflection attack and stops authentication
immediately if that is detected instead of continuing to the following
4-way handshake that would fail due to the attacker not knowing the key
from the SAE exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 23:10:36 +03:00
Jouni Malinen
c99df20192 Remove redundant NULL check in ieee802_1x_encapsulate_radius()
The eap argument to this function is never NULL and the earlier
ieee802_1x_learn_identity() call is dereferencing it anyway, so there is
no point in checking whether it is NULL later in the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 18:18:25 +03:00
Jouni Malinen
2eb5967d99 AP: Add more 2.4 GHz channels for 20/40 MHz HT co-ex scan
This needs to find the PRI channel also in cases where the affected
channel is the SEC channel of a 40 MHz BSS, so need to include the
scanning coverage here to be 40 MHz from the center frequency. Without
this, it was possible to miss a neighboring 40 MHz BSS that was at the
other end of the 2.4 GHz band and had its PRI channel further away from
the local BSS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 11:25:22 +03:00
Jouni Malinen
3dce85ceb0 HS 2.0: Add WLAN RADIUS attributes in OSEN case
Previously, the common WLAN-* RADIUS attributes were added only when WPA
or WPA2 was used. These can be of use for OSEN as well, so include them
in that case, too.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-20 23:04:32 +03:00
Andrei Otcheretianski
5d180a7739 drivers: Add freq parameter to send_mlme() function
Change send_mlme() API to allow sending management frames on a specific
channel, overriding the internal driver decision.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
2015-06-14 23:16:55 +03:00
Michael Braun
132dfbe8c2 Fix removal of tagged interface and bridge when multiple BSS share them
Currently, if multiple bss share are bridge and tagged vlan interface,
only the first instance of struct hostapd_vlan for this vlanid will have
the DVLAN_CLEAN_VLAN flag added. Thus, when this instance is removed,
the tagged vlan interface will be removed from bridge, thought other bss
might still need it. Similarily, the bridge will be left over, as the
does not have zero ports when the first instance of a struct
hostapd_vlan is freed.

This patch fixes this by having a global (per process) reference counter
for dynamic tagged vlan and dynamically created bridge interfaces, so
they are only removed after all local users are freed. (struct
hapd_interfaces *)->vlan_priv is used to hold src/ap/vlan_init.c global
per-process data like drv_priv does; right now this is only used for the
interface reference counting, but could get extended when needed. Then
possibly some vlan_global_init / vlan_global_deinit should be added, but
this is not required right now.

Additionally, vlan->configured is checked to avoid reference counter
decreasing before vlan_newlink increased them.

In order to avoid race conditions, vlan_dellink is called explicitly
after hostapd_vlan_if_remove. Otherwise there would be a short timeframe
between hostapd_vlan_if_remove and vlan_dellink during which the struct
hostapd_vlan still exists, so ap_sta_bind_vlan would try to attach
stations to it.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-06-14 13:33:07 +03:00