Commit graph

1972 commits

Author SHA1 Message Date
Jouni Malinen
865721c695 Merge wpa_supplicant and hostapd EAPOL-Key KDE parsers
Use a single struct definition and a single shared implementation for
parsing EAPOL-Key KDEs and IEs instead of maintaining more or less
identical functionality separately for wpa_supplicant and hostapd.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 13:02:27 +03:00
Jouni Malinen
898b6d58f3 SAE: Verify that STA negotiated H2E if it claims to support it
If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
the AP configuration, require H2E to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 12:48:28 +03:00
Jouni Malinen
74866f5378 RSN: Verify RSNXE match between (Re)AssocReq and EAPOL-Key msg 2/4
If the STA advertises RSN Extension element, it has to be advertised
consistently in the unprotected ((Re)Association Request) and protected
(EAPOL-Key msg 2/4) frames. Verify that this is the case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 00:20:29 +03:00
Jouni Malinen
9981d5bf31 Add RSNXE into AP KDE parser
This is needed for SAE hash-to-element implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 00:20:29 +03:00
Jouni Malinen
d3516cad7a Store a copy of Association Request RSNXE in AP mode for later use
This is needed to be able to compare the received RSNXE to a protected
version in EAPOL-Key msg 2/4.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 00:20:29 +03:00
Andrei Otcheretianski
49e95ee1ee AP: Publish only HE capabilities and operation IEs on 6 GHz band
When operating on the 6 GHz band, add 6 GHz Operation Information inside
the HE Operation element and don't publish HT/VHT IEs.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

- Replace HOSTAPD_MODE_IEEE80211AX mode checks with is_6ghz_op_class()

Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2019-10-15 15:39:22 +03:00
Liangwei Dong
a5b2faa714 AP: Add op_class config item to specify 6 GHz channels uniquely
Add hostapd config option "op_class" for fixed channel selection along
with existing "channel" option. "op_class" and "channel" config options
together can specify channels across 2.4 GHz, 5 GHz, and 6 GHz bands
uniquely.

Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
032c8264d4 SAE: Check that peer's rejected groups are not enabled in AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
a5dc2a5c1a SAE: H2E version of SAE commit message handling for AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
43b20b4370 SAE: Derive H2E PT in AP when starting the AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
3134bb13a8 SAE: Advertise Extended RSN Capabilities when H2E is enabled
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
cc0da0ff4c SAE: Advertise BSS membership selector for H2E-only case
If hostapd is configured to enable only the hash-to-element version of
SAE PWE derivation (sae_pwe=1), advertise BSS membership selector to
indicate this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
a36e13a7cd SAE: Add sae_pwe configuration parameter for hostapd
This parameter can be used to specify which PWE derivation mechanism(s)
is enabled. This commit is only introducing the new parameter; actual
use of it will be address in separate commits.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
86f6084862 SAE: Tell sae_parse_commit() whether H2E is used
This will be needed to help parsing the received SAE commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-14 19:38:41 +03:00
Jouni Malinen
f7fe055224 SAE: Allow AP behavior for SAE Confirm to be configured
hostapd is by default waiting STA to send SAE Confirm before sending the
SAE Confirm. This can now be configured with sae_confirm_immediate=1
resulting in hostapd sending out SAE Confirm immediately after sending
SAE Commit.

These are the two different message sequences:

sae_confirm_immediate=0
STA->AP: SAE Commit
AP->STA: SAE Commit
STA->AP: SAE Confirm
AP->STA: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

sae_confirm_immediate=1
STA->AP: SAE Commit
AP->STA: SAE Commit
AP->STA: SAE Confirm
STA->AP: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-10 15:38:26 +03:00
Alexei Avshalom Lazar
f6f8c6ade9 AP: Show EDMG channel info in STATUS output
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 17:20:41 +03:00
Alexei Avshalom Lazar
241dd76cfd hostapd: Check EDMG configuration against capability
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 17:20:41 +03:00
Alexei Avshalom Lazar
dc3457cc4a hostapd: Check usability of EDMG channel
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 17:02:12 +03:00
Alexei Avshalom Lazar
bebd91e9c4 Add EDMG parameters to set_freq functions
This updates the frequency parameter setting functions to include
argument for EDMG.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 16:59:23 +03:00
Alexei Avshalom Lazar
5c5ff22efc hostapd: Add EDMG channel configuration parameters
Add two new configuration parameters for hostapd:
enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
edmg_channel: Configure channel bonding for AP mode in the 60 GHz band

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 16:46:29 +03:00
Jouni Malinen
52d469de11 DPP2: Support multiple Config Objects in Enrollee
Process all received DPP Configuration Object attributes from
Configuration Result in Enrollee STA case. If wpa_supplicant is
configured to add networks automatically, this results in one network
being added for each included Configuration Object.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-01 14:21:51 +03:00
Alexander Wetzel
7a4b01c879 AP: Provide correct keyid to wpa_send_eapol() for EAPOL-Key msg 3/4
PTKINITNEGOTIATING in the WPA state machine calls wpa_send_eapol() and
hands over the GTK instead of the PTK keyid.

Besides a confusing debug message this does not have any negative side
effects: The variable is only set to a wrong value when using WPA2 but
then it's not used.

With this patch PTKINITNEGOTIATING sets the PTK keyid unconditionally to
zero for EAPOL-Key msg 3/4 and differentiates more obviously between GTK
and PTK keyids.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2019-09-19 12:34:21 +03:00
Neo Jou
d9286d0997 ACS: Stop before scan if no channels in chanlist are available
When we set "channel=0" in hostapd.conf to enable ACS function, and set
a wrong channel list, e.g., chanlist=222-999 on purpose, hostapd would
still start ACS process to compute the ideal channel, even when there
are no available channels with such configuration.

Though there is no problem since hostapd fails to initialize interface,
it spends time going through the scan and the debug log entries may make
it more difficult to tell what was behind the failure.

Thus, check if there are any available channels in acs_request_scan(),
and return -1 if no available channel, then it will fail at acs_init(),
without doing ACS computation. It will show the following in the log:
    Could not select hw_mode and channel. (-3)
    wlan0: interface state UNINITIALIZED->DISABLED

Then we can know the setting is incorrect already in
hostapd_select_hw_mode(), instead of waiting for scan callback function
to know if the setting is ok for ACS or not. This can save time and help
to tell if the setting is correct at the initial function at the first.
This will also allow the ENABLE control interface command to return FAIL
when adding an interface dynamically.

Signed-off-by: Neo Jou <neojou@gmail.com>
2019-09-19 12:09:47 +03:00
Jouni Malinen
8f8c423a51 DPP: Add bandSupport JSON array into config request
Indicate supported global operating classes when wpa_supplicant is
operating as an Enrollee.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-19 00:21:47 +03:00
Jouni Malinen
5a5639b068 DPP: Allow name and mudurl to be configured for Config Request
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-19 00:21:47 +03:00
Jouni Malinen
3394def5a8 More consistent SA check for unexpected Data frames
Use the same rules for dropping driver notifications for Data frames
from unassociated stations as were added for Management frame reception.
This results in more consistent behavior in sending out Deauthentication
frames with Reason Code 6/7.

This case was already checking for unexpected multicast addresses, so
there was no issue for the PMF protections for unexpected disconnection.
Anyway, better avoid unnecessary Deauthentication frames consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-17 12:38:15 +03:00
Jouni Malinen
b10e01a795 DPP2: Connection status result (Configurator)
A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be
used to set Configurator to request a station Enrollee to report
connection result after a successfully completed provisioning step. If
the peer supports this, the DPP-CONF-SENT event indicates this with a
new argument (wait_conn_status=1) and the Configurator remains waiting
for the connection result for up to 16 seconds.

Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event
is generated with arguments result, ssid, and channel_list indicating
what the Enrollee reported. result=0 means success while non-zero codes
are for various error cases as specified in the DPP tech spec. If no
report is received from the Enrollee, the event with "timeout" argument
is generated locally.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-16 17:13:46 +03:00
Jouni Malinen
018edec9b2 Remove IAPP functionality from hostapd
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
maintained nor is there any expectation of the withdrawn trial-use
recommended practice to be maintained in the future. Furthermore,
implementation of IAPP in hostapd was not complete, i.e., only parts of
the recommended practice were included. The main item of some real use
long time ago was the Layer 2 Update frame to update bridges when a STA
roams within an ESS, but that functionality has, in practice, been moved
to kernel drivers to provide better integration with the networking
stack.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-11 13:11:03 +03:00
Jouni Malinen
d86d66dc07 AP: Silently ignore management frame from unexpected source address
Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.

In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-11 12:28:37 +03:00
John Crispin
a84bf44388 HE: Send the AP's OBSS PD settings to the kernel
This allows us to send the OBSS PD settings to the kernel, such that the
driver can propagate them to the hardware/firmware.

Signed-off-by: John Crispin <john@phrozen.org>
2019-09-10 14:00:14 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Hu Wang
0229261874 DFS offload: Fix hostapd state and CAC info in STATUS output
With DFS offloaded to the driver, hostapd state and CAC info was not
updated in DFS-CAC-START event, so STATUS output showed wrong info. Fix
this by updating the CAC related state when processing the driver event.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-02 12:29:10 +03:00
Jouni Malinen
8d76e0ad7b EAP server: Configurable maximum number of authentication message rounds
Allow the previously hardcoded maximum numbers of EAP message rounds to
be configured in hostapd EAP server. This can be used, e.g., to increase
the default limits if very large X.509 certificates are used for EAP
authentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:35 +03:00
John Crispin
0497e41481 HE: Fix HE Capabilities element size
Set the max value of optional bytes inside the data structure. This
requires us to calculate the actually used size when copying the
HE capabilities and generating the IE.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-08-30 15:59:20 +03:00
Jouni Malinen
69e8e7817e HS 2.0: Do not add two copies of OSEN element into Beacon/Probe Resp
OSEN element was getting added both through the Authenticator IEs
(before some non-vendor elements) and separately at the end of the
frames with other vendor elements. Fix this by removing the separate
addition of the OSEN element and by moving the Authenticator IE addition
for OSEN to match the design used with WPA so that the vendor element
gets added in the proper place in the sequence of IEs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-30 15:41:58 +03:00
Jouni Malinen
a762ba8b1e HS 2.0 AP: Do not mandate PMF for HS 2.0 Indication in open OSU network
Even though the station is not supposed to include Hotspot 2.0
Indication element in the Association Request frame when connecting to
the open OSU BSS, some station devices seem to do so. With the strict
PMF-required-with-Hotspot-2.0-R2 interpretation, such connection
attempts were rejected. Relax this to only perform the PMF check if the
local AP configuration has PMF enabled, i.e., for the production BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-30 15:22:42 +03:00
Jouni Malinen
e49ce2990f IEEE 802.1X authenticator: Coding style cleanup
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-24 19:15:25 +03:00
Jouni Malinen
31aaddc90d Clean up IEEE 802.1X authentication debug messages for EAP code
Merge the separate debug print with the text name of the EAP code into
the same debug line with the numerical value to clean up debug log.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-24 19:15:25 +03:00
Jouni Malinen
fa1f0751cc RADIUS server: Use struct eap_config to avoid duplicated definitions
Use struct eap_config as-is within RADIUS server to avoid having to
duplicate all the configuration variables at each interface. This
continues cleanup on struct eap_config duplication in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-20 02:33:12 +03:00
Jouni Malinen
a00cb1b1f5 EAP-TEAP server: Fix eap_teap_pac_no_inner configuration
This was not passed correctly to the EAP server code when using hostapd
internal EAP server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-20 02:13:22 +03:00
Jouni Malinen
e54cfbb56a EAP-TEAP server: Allow a specific Identity-Type to be requested/required
The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-20 02:13:22 +03:00
Jouni Malinen
822e7c66ae EAP server: Use struct eap_config to avoid duplicated definitions
Use struct eap_config as-is within struct eap_sm and EAPOL authenticator
to avoid having to duplicate all the configuration variables at each
interface. Split the couple of session specific variables into a
separate struct to allow a single const struct eap_config to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-18 17:36:32 +03:00
Jouni Malinen
76ddfae6eb EAP-TEAP server: Testing mechanism for Result TLV in a separate message
The new eap_teap_separate_result=1 hostapd configuration parameter can
be used to test TEAP exchange where the Intermediate-Result TLV and
Crypto-Binding TLV are send in one message exchange while the Result TLV
exchange in done after that in a separate message exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-17 00:08:47 +03:00
John Crispin
05822609d1 HE: MCS size is always a minimum of 4 bytes
The MCS set always has a minimal size of 4 bytes. Without this change
HE20 failed to work.

Signed-off-by: John Crispin <john@phrozen.org>
2019-08-11 18:04:26 +03:00
Jouni Malinen
6bb11c7a40 EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled
The new hostapd configuration option eap_sim_id can now be used to
disable use of pseudonym and/or fast reauthentication with EAP-SIM,
EAP-AKA, and EAP-AKA'.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-01 10:36:11 +03:00
Terry Burton
f4111ff3d1 Extra RADIUS request attributes from SQLite
Add an SQLite table for defining per station MAC address version of
radius_auth_req_attr/radius_acct_req_attr information. Create the
necessary table and index where this doesn't exist. Select attributes
from the table keyed by station MAC address and request type (auth or
acct), parse and apply to a RADIUS message.

Add radius_req_attr_sqlite hostapd config option for SQLite database
file. Open/close RADIUS attribute database for a lifetime of a BSS and
invoke functions to add extra attributes during RADIUS auth and
accounting request generation.

Signed-off-by: Terry Burton <tez@terryburton.co.uk>
2019-07-30 19:58:09 +03:00
Terry Burton
74707def8f Move hostapd_parse_radius_attr() into ap_config.c
We will want to parse RADIUS attributes in config file format when
retrieving them from an SQLite database.

Signed-off-by: Terry Burton <tez@terryburton.co.uk>
2019-07-30 19:42:48 +03:00
Jouni Malinen
d1b1f9fa9a Report WPA/RSN protocol and AKM suite selector in STA MIB
The new "wpa" and "AKMSuiteSelector" entries in hostapd "STA <addr>"
control interface output can be used to determine the negotiated WPA/RSN
protocol and AKM suite of an associated station.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-07-24 12:58:49 +03:00
Jouni Malinen
e2722bf81d OpenSSL: Allow two server certificates/keys to be configured on server
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-12 18:13:10 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
Sven Eckelmann
29d8bd1dec nl80211: Add driver multi iftype HE capability parsing
The HE capabilities are no longer per PHY but per iftype on this
specific PHY. It is therefore no longer enough to just parse the AP
capabilities.

The he_capabilities are now duplicated to store all information for
IEEE80211_MODE_* which hostap cares about. The nl80211 driver fills in
this information when the iftype supports HE. The rest of the code still
only uses the IEEE80211_HE_AP portion but can be extended later to also
use other HE capabilities.

Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-06-23 18:03:51 +03:00
Andrei Otcheretianski
a00ace9fd7 AP: Simplify "i" definition in hostapd_config_free_bss()
Declare the variable only once and reuse it instead of openning
unneeded scopes.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-06-23 18:03:51 +03:00
Sven Eckelmann
29f8556189 HE: Fix HE capability check for PPE threshold present
The the mask for PPE threshold present in the HE phy capability byte 6 is
0x80 and not 0x6. This incorrect mask breaks the length calculation and as
result the acceptance of the HE capabilities for STAs which either:

* don't have the PPE threshold present bit set AND the Codebook Size={7,5}
  MU Feedback or the Triggered SU Beamforming feedback bit set

* do have the PPE threshold present set AND neither the Codebook Size={7,5}
  MU Feedback nor the Triggered SU Beamforming feedback bit set

Fixes: 8f5fc369e2 ("HE: Fix HE Capabilities element variable length encoding")
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-06-22 20:35:26 +03:00
Jouni Malinen
09448d94a7 Avoid use of a shadowed local variable
The same len variable can be used for both needs within
ieee802_1x_get_keys() to avoid compiler warning about use of shadowed
variable.

Fixes: 0ee6885dae ("macsec: Store EAP-Key-Name as eapSessionId")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-19 01:17:54 +03:00
Liangwei Dong
ef60f0121f hostapd: Process OWE IE and update DH IE to the driver if needed
This implements the required functionality in hostapd to facilitate OWE
connection with the AP SME-in-driver cases. Stations can either send DH
IE or PMKID (in RSNE) (or both) in Association Request frame during the
OWE handshake. The drivers that use this offload mechanism do not
interpret this information and instead, pass the same to hostapd for
further processing. hostapd will either validate the PMKID obtained from
the STA or generate DH IE and further indicate the same to the driver.
The driver further sends this information in the Association Response
frame.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:51 +03:00
Jouni Malinen
524dc5bf10 macsec: Do not change eapol_version for non-MACsec cases in hostapd
It is safer to maintain the old EAPOL version (2) in EAPOL frames that
are not related to MACsec and only update the version to 3 for the
MACsec specific cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-03 20:27:44 +03:00
leiwei
a93b369c17 macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
leiwei
a872bfcf31 macsec: Export eapSessionId
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
leiwei
0ee6885dae macsec: Store EAP-Key-Name as eapSessionId
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
leiwei
a90cc1c997 macsec: Note that MKA takes care of EAPOL-MKA processing
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
leiwei
29c832d0ea macsec: Add configuration parameters for hostapd
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
Srinivas Dasari
14d85a5af7 SAE: Do not send PMKID to the driver if PMKSA caching is disabled
External auth status to the driver includes the PMKID derived as part of
SAE authentication, but this is not valid if PMKSA caching is disabled.
Drivers might not be expecting PMKID when it is not valid. Do not send
the PMKID to the driver in such cases.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
2019-05-31 16:52:15 +03:00
Haim Dreyfuss
de6aafaa63 AP: Consider regulatory limitation when filling WMM element
In case the current channel has regulatory WMM limitations, take them
into account when filling the WMM element. Also check if the new WMM
element is different from the previous one and if so change the
parameter_set_count to imply stations to look into it.

Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
2019-05-28 23:37:25 +03:00
Johannes Berg
d5d156bd92 AP: add station with basic rates configuration
When a new station is added, let it have some supported rates
(they're empty without this change), using the basic rates
that it must support to connect.

This, together with the kernel-side changes for client-side,
lets us finish the complete auth/assoc handshake with higher
rates than the mandatory ones, without any further config.

However, the downside to this is that a broken station that
doesn't check the basic rates are supported before it tries
to connect will possibly not get any response to its auth
frame.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2019-05-28 13:33:00 +03:00
John Crispin
4f3f33804a HE: Make the basic NSS/MCS configurable
Add a config option to allow setting a custom Basic NSS/MCS set. As a
default we use single stream HE-MCS 0-7.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:45:04 +03:00
John Crispin
63e1940432 HE: Verify supported capabilities
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:42:40 +03:00
John Crispin
0cd5b4ee30 HE: Enable channel switch similarly to VHT
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:42:14 +03:00
John Crispin
958cb34886 HE: Enable DFS similarly to VHT
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:41:49 +03:00
John Crispin
1d2c45ecfc HE: Enable ACS similarly to VHT
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:41:23 +03:00
John Crispin
8b18d2b24e HE: Disable HE on channel 14
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:40:59 +03:00
John Crispin
de21d1d6e2 HE: Handle HE capability in neighbor DB
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:40:33 +03:00
John Crispin
88005ee98d HE: Pass in HE information into hostapd_set_freq_params()
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:33:59 +03:00
John Crispin
78d35b16de HE: Add AP mode MLME/SME handling for HE stations
Process HE information in (Re)Association Request frames and add HE
elements into (Re)Association Response frames when HE is enabled in the
BSS.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:40:48 +03:00
John Crispin
8f5fc369e2 HE: Fix HE Capabilities element variable length encoding
The HE Capibilities element has dynamic size due to the variable length
and optional fields at the end. Mask out the channel width capabilities
that are less than the configured. Only add the MCS/NSS sets for the
announced channel widths and also add the PPET elements.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:23 +03:00
John Crispin
05b28306f5 HE: Add HE channel management configuration options
These are symmetric with the VHT ones.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
c6b7ac077f HE: Add helpers for getting the channel width parameters
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
39b9d059cd HE: Remove vht_ prefix from acs_adjust_vht_center_freq()
This is used for both VHT and HE, so remove the misleading prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
7118a697f4 HE: Remove vht_ prefix from seg0/seg1_idx in DFS
These are used for both VHT and HE, so remove the misleading prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
f428332d32 HE: Remove vht_ prefix from bw/seg0/seg1_idx in CSA fallback
These are used for both VHT and HE, so remove the misleading prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
f200631c35 HE: Remove vht_ prefix from CSA/bandwidth
Bandwidth is used for both VHT and HE here.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
b04e43086b HE: Remove vht_ prefix from shared set_freq argument
oper_chwidth is used for both VHT and HE here.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
464dcfd030 HE: Remove VHT_ prefix from CHANWITDH_* define
The bandwidth values are shared between VHT and HE mode so remove the
VHT specific prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:27:49 +03:00
John Crispin
846e8396ab HE: Mask out the beamforming capabilities if they are not configured
These bits might be set by the capabilities read from the kernel, so
mask them out if beamforming is not enabled in the local configuration.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:27:41 +03:00
Jouni Malinen
d70776098d VHT: Remove copying of VHT Operation element from (Re)Assoc Req
This copying attempt was added incorrectly since that element is never
actually present in (Re)Association Request frames. It is only valid to
copy that element from the mesh peering frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 18:03:40 +03:00
Jouni Malinen
ce362f885f FILS: Explicitly clear plaintext buffer for Assoc Resp
This buffer may contain GTK and IGTK, so better clear it explicitly from
heap memory before freeing the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 16:11:56 +03:00
Jouni Malinen
31bc66e4d1 More forceful clearing of stack memory with keys
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 16:11:56 +03:00
Jouni Malinen
5bad612311 WNM: Fix bounds checking in SSID List element matching
The IE header length check was off-by-one and that could allow the loop
to read one octet beyond the end of the buffer before breaking out in
the second check.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927
Fixes: 0a66ce3c49 ("WNM: Add support for SSID List element matching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-25 01:29:47 +03:00
Jouni Malinen
831d8c9cf5 FILS: Add RSNE into (Re)Association Response frame
This AP behavior was missing from IEEE Std 802.11ai-2016, but it is
needed for the RSNE validation to work correctly and for a FILS STA to
be able to perform the mandatory check for RSNE matching when processing
the (Re)Association Response frame (as described in 802.11ai). REVmd
will be updating the standard to cover this AP case, so prepare the
implementation to match that. Without this, a FILS STA might reject
association whenever using FILS authentication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-23 00:34:43 +03:00
John Crispin
b505ef7e96 HE: Do not add SPR IE if sr_control is set to 0
If none of the sr_control bits are set, we do not neet to add the IE to
the Beacon frame.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-05 00:58:25 +03:00
Jouni Malinen
de94be0acd Enforce that IEEE 802.1X EAPOL-Key Replay Counter increases
While this should not happen in practical use cases,
wpa_get_ntp_timestamp() could return the same value when called twice in
a row quickly. Work around that case by enforcing a new Replay Counter
value based on stored last value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-05 00:57:37 +03:00
Toke Høiland-Jørgensen
ef7217518b hostapd: Add airtime policy configuration support
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439

The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.

The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.

In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-05-02 14:57:43 +03:00
Toke Høiland-Jørgensen
6720b9482f nl80211: Station airtime weight configuration
This provides a mechanism for configuring per-STA airtime weight for
airtime policy configuration.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-05-02 13:28:17 +03:00
Jouni Malinen
a7b7ce82f4 FT: Allow cached XXKey/MPMK to be used if new XXKey is not available
This allows authenticator side to complete FT initial mobility domain
association using FT-EAP with PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 15:52:43 +03:00
Jouni Malinen
64f4809371 FT: Store XXKey/MPMK in PMKSA cache instead of MSK (authenticator)
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-28 15:52:08 +03:00
Jouni Malinen
c3805fb623 Ignore channel switch event if AP interface is not yet ready
It is apparently possible to somehow trigger the driver to report a
channel switch event during ACS operation when the interface information
is not yet complete. hapd->iface->current_mode could be NULL in that
case and that would result in process termination due to NULL pointer
dereference.

It should not really be possible to trigger a channel switch during ACS
is running (i.e., before the AP mode operation has been started), but
since that has been seen in an arbitrary test sequence with interface
start/stop operations with various parameters (both valid and invalid),
better prevent a crash here by ignoring the unexpected event instead of
trying to process it.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-26 16:24:31 +03:00
Jouni Malinen
eb314e8af2 Verify that channel info is available in hostapd_hw_get_channel()
Unexpected CHAN_SWITCH command could get this function using a NULL
pointer if the channel switch was requested while the interface was
already disabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-26 16:17:59 +03:00
Jouni Malinen
b9058266f0 Clear cached extended_capa pointers on hapd_deinit() call
driver->hapd_deinit() is going to free the memory that the cached
pointers are pointing to, so clear the pointers to avoid possibility of
dereferencing used memory. It seemed to be possible to hit a code path
using those fields by issuing a CHAN_SWITCH command on disabled hostapd
interface in some cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-26 16:15:15 +03:00
Hu Wang
6afde52a78 Indicate ieee80211ax configuration in hostapd STATUS output
This adds a ieee80211ax=0/1 line to the STATUS output to indicate
the configuration of ieee80211ax, which similar to ieee80211n and
ieee80211ac.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-26 15:06:30 +03:00
Jouni Malinen
e6f9eab90e HE: Fix HE Operation element byte order on bigendian CPUs
The first four octets of the element were used as a host byte order u32.
That is not correct on bigendian CPUs, so handle byte swapping needs
properly. Mark the he_oper_params field as le32 to explicitly indicate
the byte order and swap the generated params content based on CPU byte
order.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-25 23:57:47 +03:00
John Crispin
3869c159d9 HE: Fix HE operation field size
The current code will always use the size required when all optional
elements are present. This will cause the Linux kernel to consider the
field to be malformed if the elements are not actually flagged as being
present.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-04-25 23:51:04 +03:00