Commit graph

2763 commits

Author SHA1 Message Date
Aloka Dixit
903e3a1e62 FILS: Fix maximum NSS calculation for FD frame
Maximum NSS calculation assumed the host to be little endian while
retrieving MCS values from HE capabilities which is incorrect. Use
WPA_GET_LE16() instead.

Add a check for HE as the current NSS calculation assumes HE support.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2023-03-14 11:27:00 +02:00
Aloka Dixit
ecae45ff66 FILS: Make HE a requirement for FILS discovery
FILS discovery frame generation currently assumes HE support for
calculating the number of spatial streams. Add a check to reject
the configuration if the feature is enabled without enabling HE.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2023-03-14 11:15:06 +02:00
Pooventhiran G
4e86692ff1 AP: Fix 6 GHz AP setup after disable-enable
Once ACS picks a channel, iface->freq and iface->conf->channel are
updated. So, AP comes up in the last operating channel when 'ENABLED'
after 'DISABLED' though ACS is configured.

But this will fail for 6 GHz APs since configured_fixed_chan_to_freq()
checks if iface->conf->channel is filled or not irrespective of ACS
configuration, and the checks inside configured_fixed_chan_to_freq()
fail the AP setup. Fix this by clearing iface->freq and
iface->conf->channel in AP setup for ACS configuration.

Fixes: bb781c763f ("AP: Populate iface->freq before starting AP")
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
2023-03-09 21:00:43 +02:00
Ilan Peer
c4cb62ca8e WPA_AUTH: MLO: Add functions to get the AA and SPA
As a preparation to use AP MLD address and non-AP MLD address
in the RSN Authenticator state machine, add utility functions to
get the current AA and SPA.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-03-07 23:54:50 +02:00
Ilan Peer
cab963e9f8 AP: Split check_assoc_ies()
As a preparation for processing an association request with
ML element, split the function such that the elements checking
would be separate from parsing.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-03-07 23:46:18 +02:00
Andrei Otcheretianski
df6561ec06 nl80211: AP MLD support for adding multi link stations
Multi link stations are represented in the kernel using a single
station with multiple links and the first ADD_STA command also
creates the first link. Subsequent links should be added with
LINK_ADD commands.

Implement this logic and provide the required MLD information per
station/link.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-03-07 21:43:41 +02:00
Anthony Refuerzo
eb146ee804 AP: Add some bridge port attribute settings
"multicast_to_unicast" and "hairpin_mode" are usually set outside of
hostapd. However, DFS channel change events pull the BSS out of the
bridge causing these attributes to be lost. Make these settings tunable
within hostapd so they are retained after the BSS is brought up again.

Signed-off-by: Anthony Refuerzo <anthony96922@gmail.com>
2023-03-01 10:50:07 +02:00
Emeel Hakim
6d24673ab8 mka: Allow configuration of MACsec hardware offload
Add new configuration parameter macsec_offload to allow user to set up
MACsec hardware offload feature.

Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
2023-02-21 19:26:47 +02:00
Antonio Prcela
3081a9cb62 hostapd: Output country_code and country3 when using STATUS
Add the country_code and country3 config parameter to the STATUS output
to easier determine the current values for each of an hostapd
access point. Currently neither STATUS, GET [country_code/country3] nor
GET_CONFIG output it.

This is useful if the hostapd access point has been created with
wpa_ctrl_request() without using a *.conf file (like hostapd.conf).

Signed-off-by: Antonio Prcela <antonio.prcela@gmail.com>
Signed-off-by: Antonio Prcela <antonio.prcela@sartura.hr>
2023-02-21 17:33:03 +02:00
Jouni Malinen
242c3ad990 FT: Store PTKSA from FT protocol
PTKSA was stored for the 4-way handshake and FILS cases, but not when it
was being derived through the use of the FT protocol.

Fixes: f2f8e4f458 ("Add PTKSA cache to hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-21 17:21:52 +02:00
Jouni Malinen
ba6954874e Mark wpa_auth_remove_ptksa() static
This function is not used outside wpa_auth.c and it is not mentioned in
any header file either, so it should have been marked static.

Fixes: f2f8e4f458 ("Add PTKSA cache to hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-21 17:21:52 +02:00
Shiva Sankar Gajula
3b1ad1334a FT: Include KDK in FT specific PTK derivation on the AP
FT AP was silently ignoring EAPOL-Key msg 2/4 due to Key MIC mismatch
when the STA advertises support for Secure LTF and derives the KDK while
the AP implementation did not derive KDK.

Fix this to include KDK while deriving PTK for FT cases on the AP.

Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
2023-02-21 16:54:10 +02:00
Yi-Chia Hsieh
faa4102926 WNM: Event report handling for BSS color collision and in-use
Add support for WNM event report handling for the BSS color collision
and in use events.

Co-developed-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Yi-Chia Hsieh <yi-chia.hsieh@mediatek.com>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2023-02-20 22:00:13 +02:00
Antonio Prcela
ec02a0e936 hostapd: Output hw_mode when using STATUS
Adding the hw_mode config parameter to the STATUS output to easier
determine the current hw_mode of an hostapd access-point. Currently
neither STATUS, GET hw_mode, nor GET_CONFIG output it.

Useful if the hostapd access point has been created with
wpa_ctrl_request() without using a *.conf file, like hostapd.conf.

Signed-off-by: Antonio Prcela <antonio.prcela@gmail.com>
Signed-off-by: Antonio Prcela <antonio.prcela@sartura.hr>
2023-02-20 19:38:02 +02:00
Hari Chandrakanthan
6c75f1dfaf Send broadcast Probe Response frames on the 6 GHz band
Change Probe Response frames to be sent as broadcast for 6 GHz band per
IEEE Std 802.11ax‐2021, 26.17.2.3.2: "If a 6 GHz AP receives a Probe
Request frame and responds with a Probe Response frame (per 11.1.4.3.4),
the Address 1 field of the Probe Response frame shall be set to the
broadcast address, unless the AP is not indicating its actual SSID in
the SSID element of its Beacon frames."

Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
2023-02-17 16:05:37 +02:00
Jouni Malinen
ba150059d1 FT: Store PMK-R0/PMK-R1 after EAPOL-Key msg 2/4 MIC validation
hostapd was previously storing the derived PMK-R0 and PMK-R1 as soon as
these keys were derived. While that is fine for most purposes, it is
unnecessary to do that so quickly and if anything were to fail before
the supplicant is able to return a valid EAPOL-Key msg 2/4, there would
not really be any real use for the derived keys.

For the special case of FT-PSK and VLAN determination based on the
wpa_psk file, the VLAN information is set in the per-STA data structures
only after the EAPOL-Key msg 2/4 MIC has been verified. This ended up
storing the PMK-R0/PMK-R1 entries without correct VLAN assignment and as
such, any use of the FT protocol would not be able to transfer the VLAN
information through RRB.

Split local storing of the FT key hierarchy for the cases using the FT
4-way handshake so that PMK-R0 and PMK-R1 are first derived and then
stored as a separate step after having verified the MIC in the EAPOL-Key
msg 2/4 (i.e., after having confirmed the per-STA passphrase/PSK was
selected) and VLAN update. This fixes VLAN information for the
wpa_psk_file cases with FT-PSK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-14 11:47:25 +02:00
Jouni Malinen
72b8193f41 MACsec: Remove EAP Session-Id length constraint
The initial MACsec implementation required the EAP Session-Id to be at
least 65 octets long and by truncating the value to that length, the
practical limit of functional cases was limited to that exact length of
65 octets. While that happens to work with EAP method that use TLS, it
does not work with most other EAP methods.

Remove the EAP Session-Id length constraint and allow any length of the
Session-Id as long as the EAP method provides one. In addition, simplify
this be removing the unnecessary copying of the Session Id into a new
allocated buffer.

Fixes: dd10abccc8 ("MACsec: wpa_supplicant integration")
Fixes: a93b369c17 ("macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-02-10 12:31:01 +02:00
Shivani Baranwal
2e47ea22cc P2P: Fix handling Service Discovery Response received by GO device
The received Service Discovery Response frame follows the ap_mgmt_rx()
path in P2P GO mode. If gas_query_rx_frame() doesn't process the frame,
call the Public Action frame callbacks if any are registered for further
processing of the RX frame.

Fixes: 9c2b8204e6 ("DPP: Integration for hostapd")
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2023-01-25 23:47:33 +02:00
Michal Kazior
d9d5e55c54 DPP: Respond to GAS on the same channel it was received on
When I was testing dpp_auth_init on an AP with Enrollee on a different
channel from the AP I was getting failures. This happened on hwsim in
UML with time-travel for me. I don't recall seeing this with real
devices, presumably because of lax offchan implementation.

The DPP authentication would succeed. However the station would then try
to get configuration through a GAS request and fail.

The AP reported the following logs (grepped):

> 1614762426.860212: RX_ACTION category 4 action 10 sa 02:00:00:00:01:00 da 02:00:00:00:00:00 len 227 freq 2412
> 1614762426.860212: wlan0: GAS: GAS Initial Request from 02:00:00:00:01:00 (dialog token 239)
> 1614762426.860233: DPP: Wait for Configuration Result
> 1614762426.860234: nl80211: Send Action frame (ifindex=5, freq=2462 MHz wait=0 ms no_cck=0 offchanok=0)
> 1614762428.861186: DPP: Timeout while waiting for Configuration Result
> 1614762428.861186: wlan0: DPP-CONF-FAILED

While the STA reported the following logs (grepped):

> 1614762426.860193: wlan1: DPP-AUTH-SUCCESS init=0
> 1614762426.860195: DPP: Stop listen on 2412 MHz
> 1614762426.860202: wlan1: GAS-QUERY-START addr=02:00:00:00:00:00 dialog_token=239 freq=2412
> 1614762428.861185: GAS: No response received for query to 02:00:00:00:00:00 dialog token 239
> 1614762428.861189: DPP: GAS query did not succeed
> 1614762428.861189: wlan1: DPP-CONF-FAILED

AP would still receive the GAS request on ch1 but would then try to
respond on ch11 while STA was waiting on ch1.

Signed-off-by: Michal Kazior <michal@plume.com>
2022-12-18 21:07:56 +02:00
Jouni Malinen
3a2d275522 Make MFPR value from an associated STA available as hostapdMFPR
This can be helpful for testing purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-12-18 21:07:56 +02:00
Jouni Malinen
f4096e7cd5 EHT: Update EHT Operation element to P802.11be/D2.3 in AP settings
IEEE P802.11be/D2.0 added a 4-octet Basic EHT-MCS And Nss Set field into
the EHT Operation element. cfg80211 is now verifying that the EHT
Operation element has large enough payload and that check is failing
with the previous version. This commit does not really set the correct
Basic EHT-MCS And Nss Set values, but the IE length check is now passing
to allow initial mac80211_hwsim testing to succeed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-12-17 20:32:15 +02:00
Andrei Otcheretianski
694a1c6873 SAE: Make sme_sae_auth() return IE offset
Authentication frames include several fixed body parts (see Table 9-68
(Authentication frame body) and Table 9-69 (Presence of fields and
elements in Authentication frames) in IEEE P802.11-REVme/D2.0).

To be able to parse the IE part, these fields need to be skipped. Since
SAE logic already implements this parsing, change SAE authentication
handling functions to return the offset to the IE part. This preparation
is needed for future MLD patches that need to parse out the ML related
elements in the Authentication frames.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-17 17:11:16 +02:00
Andrei Otcheretianski
3d798ff2a4 PASN: Align RSNXE with IEEE P802.11az/D7.0 definitions
RSNXE bits were modified, so update the relevant places accordingly.
Please note, WLAN_RSNX_CAPAB_PROT_RANGE_NEG was renamed to
WLAN_RSNX_CAPAB_URNM_MFPR and the bit position is changed to 15 instead
of 10, while BIT 10 is used for WLAN_RSNX_CAPAB_URNM_MFPR_X20 and is not
supported yet.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-16 22:35:19 +02:00
Johannes Berg
054fcfab6f hostapd: Add require_he configuration
Add the ability to require HE, advertising that via the
BSS membership selector as well as rejecting association
without HE.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-16 20:31:14 +02:00
Qiwei Cai
c46351d10e DFS: Clear cac_started when AP is disabled
When AP is started on a DFS channel and DFS is offloaded to the driver,
AP setup will be separated to two stages. In the first stage, hostapd
will set frequency and initialize BSS, then waits the driver CAC to
complete. Once CAC done, in the second stage,
hostapd_setup_interface_complete() will be called again from a callback
to continue AP/channel setup.

But the driver will fail to restart AP if it is disabled/reenabled
during a driver CAC procedure because some steps such as setting
freq/beacon in the first stage are skipped due to cac_started not
cleared when the AP is disabled.

Avoid this by clearing cac_started when the AP is disabled.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-12-15 18:43:43 +02:00
Aloka Dixit
3df42cf3c7 EHT: Use HE operating channel width in MCS length calculation
Channel width in HE Capabilities element added to management frames is
calculated in hostapd_eid_he_capab() by intersecting the driver
capabilities and the operating channel width. Kernel uses this value
from the Beacon frames to verify EHT capabilities length. However, EHT
MCS length calculation uses only the driver capabilities which results
in EHT AP bring up failure in some cases dues to different lengths.

Modify the EHT code to use the HE operating channel width as well to
determine matching length for the information.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2022-12-15 18:41:31 +02:00
David Ruth
ad4fa5dd3c Add more nl80211 info to struct wpa_signal_info
Facilitate emitting more station information over D-Bus for use by the
connection manager.

* Add storage for more NL80211_STA_INFO_* fields to data structures, and
  move them through the system.
* Reorder NL80211_STA_INFO_* fields in driver_nl80211.c to match the
  ordering in nl80211.h.
* Convert signal field to an integer to support holding WPA_INVALID_NOISE
  and avoid changing logging.

* Add fields to hostap_sta_driver_data to capture more information
	* fcs_error_count
	* beacon_loss_count
	* expected_throughput
	* rx_drop_misc
	* rx_mpdus
	* rx_hemcs
	* tx_hemcs
	* rx_he_nss
	* tx_he_nss
	* avg_signal
	* avg_beacon_signal
	* avg_ack_signal
* Add struct hostap_sta_driver_data to struct wpa_signal_info and remove
  redundant fields and redundant attribute parsing
	* Change logging when printing txrate to handle unsigned long
	  value

Signed-off-by: David Ruth <druth@chromium.org>
2022-12-03 10:42:16 +02:00
Jouni Malinen
090f0f8c70 mbssid: Indicate MBSSID information in RNR
Indicate whether the collocated BSS in the RNR is a part of a multiple
BSSID set and whether it is a transmited BSSID.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-12-02 23:06:32 +02:00
Aloka Dixit
54b1352efd mbssid: Make the AID space shared
As described in IEEE Std 802.11-2020, 11.1.3.8 Multiple BSSID procedure,
set the lowest AID value assigned to any client equal to 2^n, where n is
the maximum BSSID indicator of the MBSSID set.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
2022-12-02 20:47:49 +02:00
Aloka Dixit
10749c3c48 mbssid: Process Known BSSID element
Process the Known BSSID elements if included by non-AP stations. The
format is described in IEEE Std 802.11ax-2021, 9.4.2.261.

Non-AP stations may include this element in directed Probe Request
frames to indicate which of the multiple BSSIDs they have already
discovered. AP should exclude these profiles from the Probe Response
frame.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2022-12-02 20:45:05 +02:00
Aloka Dixit
15690faada mbssid: Add MBSSID Configuration element
Add Multiple BSSID Configuration element data per IEEE Std
802.11ax-2021, 9.4.2.260 when enhanced multiple BSSID advertisement
(EMA) is enabled. This element informs the stations about the EMA
profile periodicity of the multiple BSSID set.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2022-12-02 20:37:33 +02:00
Aloka Dixit
fc2e4bac5a mbssid: Set extended capabilities
Set extended capabilities as described in IEEE Std 802.11ax-2021,
9.4.2.26. Reset the capability bits to 0 explicitly if MBSSID and/or EMA
is not enabled because otherwise some client devices fail to associate.

Bit 80 (complete list of non-tx profiles) is set for all Probe Response
frames, but for Beacon frames it is set only if EMA is disabled or if
EMA profile periodicity is 1.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
2022-12-02 20:21:11 +02:00
Aloka Dixit
a004bf2cd0 mbssid: Configure parameters and element data
Add helper functions to retrieve the context for the transmitting
interfaces of the MBSSID set and the index of a given BSS.

Set device parameters: BSS index and the transmitting BSS.

Include Multiple BSSID elements in Beacon and Probe Response frames.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
2022-12-02 19:53:15 +02:00
Aloka Dixit
c5a09b051a mbssid: Add Non-Inheritance element
Add data per IEEE Std 802.11-2020, 9.4.2.240. Current implementation is
added for the security and extended supported rates only.

For the Extended rates element, add a new member 'xrates_supported'
which is set to 1 only if hostapd_eid_ext_supp_rates() returns success.
Without this change, there are cases where this function returns before
adding the element for the transmitting interface resulting in incorrect
addition of this element inside the MBSSID Non-Inheritance element.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Signed-off-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
2022-12-02 19:40:49 +02:00
Aloka Dixit
920b56322d mbssid: Functions for building Multiple BSSID elements
Add Multiple BSSID element data per IEEE Std 802.11ax-2021, 9.4.2.45.
Split the BSSes into multiple elements if the data does not fit in
the 255 bytes allowed for a single element.

Store the total count of elements created and the offset to the start
of each element in the provided buffer.

Set the DTIM periods of non-transmitted profiles equal to the EMA
profile periodicity if those are not a multiple of the latter already as
recommended in IEEE Std 802.11ax-2021, Annex AA (Multiple BSSID
configuration examples).

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
2022-12-02 19:25:40 +02:00
Aloka Dixit
931e5d4f9e mbssid: Configure all BSSes before beacon setup
When multiple BSSID advertisement feature is enabled in IEEE 802.11ax
mode or later, Beacon frames are not transmitted per interface, instead
only one of the interfaces transmits Beacon frames that include one or
more Multiple BSSID elements with configuration for the remaining
interfaces on the same radio.

Change the existing logic such that all configuration details for all
the interfaces are available while building the Beacon frame template
for the transmitting interface itself.

Do not change the flow for the cases where multiple BSSID advertisement
is not enabled.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2022-12-02 19:05:11 +02:00
Aloka Dixit
78d0b98995 mbssid: Retrieve driver capabilities
Retrieve driver capabilities for the maximum number of interfaces for
MBSSID and the maximum allowed profile periodicity for enhanced MBSSID
advertisement.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2022-12-02 16:43:59 +02:00
Aloka Dixit
7452e54477 mbssid: Add new configuration option
Add configuration option 'mbssid' used to enable multiple BSSID (MBSSID)
and enhanced multiple BSSID advertisements (EMA) features.

Reject the configuration if any of the BSSes have hidden SSID enabled.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
2022-12-02 16:36:19 +02:00
Daniel Gabay
bb67d5b52b AP: Add testing option to delay EAPOL Tx
Add a testing option to delay EAPOL-Key messages 1/4 and 3/4. By setting
delay_eapol_tx=1, the actual EAPOL Tx will occur on the last possible
attempt (wpa_pairwise_update_count) thus all previous attempts will fail
on timeout which is the wanted delay.

In addition, add an hwsim test that uses this testing option to verify
that non protected Robust Action frames are dropped prior to keys
installation in MFP.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-12-02 13:07:03 +02:00
Jouni Malinen
1a800a9400 EAP-TEAP server: Allow tunneled EAP method sequence to be optimized
Include the start of the next EAP method in an EAP Payload TLV in the
same message with the Crypto-Binding TLV for the previous EAP method to
get rid of one roundtrip when using more than a single EAP
authentication method within the tunnel. The previous, not optimized,
sequence can still be used with eap_teap_method_sequence=1 for more
complete testing coverage.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-12-01 17:53:05 +02:00
Jouni Malinen
bbd5a4689b SAE: Add an enum for defining sae_pwe parameter values
Make this more readable by replacing magic numbers with enum values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-29 20:37:23 +02:00
Nicolas Escande
20bfd4feb3 AP: Enable H2E on 6 GHz when SAE is used
Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz. So lets automatically enable it by
setting sae_pwe=2. This will allow both the hunting-and-pecking and
hash-to-element to work (and be backward compatible).

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-11-29 18:56:47 +02:00
Michal Kazior
043dedee83 DPP: Expose enrollee pubkey hash for identification
Just like with WPA-PSK and keyids it may be desired to identify
connecting clients to provide additional network filtering.

This does:

 - extend DPP_EVENT_AUTH_SUCCESS to expose public
   key hash of the peer so the system can pick it
   up and use for identification later

 - store public key hash in PMKSA from DPP Network
   Intro for later use

 - extend sta mib to print out the dpp_pkhash
   from PMKSA if present

 - extend AP_STA_CONNECTED to include the
   dpp_pkhash from PMKSA if present

Signed-off-by: Michal Kazior <michal@plume.com>
2022-11-29 13:55:53 +02:00
Michal Kazior
2d8974e314 DPP: Move DPP_EVENT_AUTH_SUCCESS to a helper
This event is generated in a couple of places. It'll be easier to extend
the event with additional metadata if it's generated in a single place.

Signed-off-by: Michal Kazior <michal@plume.com>
2022-11-29 13:55:36 +02:00
Nicolas Escande
4cb23b66d6 ACS: Allow selecting a better channel when using 40/80/160 MHz
When considering a channel for a bandwidth of 40/80/160 MHZ on the 5 GHz
or 6 GHz band, allow selecting one of the other channels in the segment
instead of the first one. This is done only if the other channel's
interference_factor is lower than the first one's.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-11-28 23:31:33 +02:00
Nicolas Escande
472101684b ACS: introduce acs_adjust_secondary
When using 40/80/160 MHz bandwidth on the 5 GHz or 6 GHz band, enforce
the secondary channel to be the other channel of the corresponding 40
MHz segment.

Even if this is useless for now, this is preparatory work to allow ACS
to select a primary channel which is not the first of its segment.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-11-28 23:23:13 +02:00
Nicolas Escande
60e2934cbf ACS: Introduce acs_get_bw_center_chan()
When using 40/80/160 MHz bandwidth, instead of computing the index of
the segment center freq based on the selected channel, lets look it up
in the bw_desc[] table.

This is preparative work to allow selecting a primary channel which is
not the first of the segment.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-11-28 23:22:35 +02:00
Nicolas Escande
ed8e13decc ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan()
This extracts the 3 lists of allowed channels for 40/80/160 MHz
bandwidth out of their respective functions. It also adds for each
segment the frequency of the segment's last channel and the index of the
segment's "center" channel.

This is preparative work to allow selecting a channel which is not the
first of its segment for 40/80/160 MHz. In addition, this adds the 5 GHz
160 MHz channel defined for 5735-5895 MHz (channels 149-177).

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-11-28 23:22:30 +02:00
Raphaël Mélotte
af1528a128 hostapd: Add RELOAD_BSS
When using multiple BSSes on a single radio, it is sometimes desirable
to reconfigure one BSS, without disconnecting the stations already
connected to other BSSes on the same radio.

When a BSS is reconfigured using the SET command, there is no "old"
configuration we can compare to (so we cannot compare a hash of the
configuration for example).

One possible solution would be to make the current RELOAD command
reload only the current BSS. However, that could break the workflow of
existing users. Instead, introduce a new RELOAD_BSS command, which
reloads only the current BSS.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2022-11-27 15:49:48 +02:00
Raphaël Mélotte
b37c3fbad4 hostapd: Add config_id parameter
Add a new configuration parameter: config_id.

If set, only do hostapd_clear_old() for the BSSes for which the
config_id changed.

This makes it possible to reconfigure specific BSSes on a radio,
without disconnecting clients connected to other, unchanged BSSes of
the same radio.

This patch adapted from a patch authored by John Crispin in the
OpenWrt repository:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/network/services/hostapd/patches/700-wifi-reload.patch;h=c5ba631a0fc02f70714cb081b42fcf6cb9694450;hb=60fb4c92b6b0d1582d31e02167b90b424185f3a2

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2022-11-27 15:41:19 +02:00
Raphaël Mélotte
46f6a32775 Split BSS-specific hostapd_clear_old_bss() from hostapd_clear_old()
In hostapd_clear_old() multiple steps are needed to clear a BSS.
There are some places where it would be desirable to clear only some
BSSes and not all.

To make it easier to clear only some BSSes, split hostapd_clear_old()
with hostapd_clear_old_bss(), which does the same actions but on a
single BSS.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2022-11-27 15:35:26 +02:00
Jouni Malinen
1d42dafce6 RSN: Do not include RC4 use in FIPS builds
CONFIG_NO_RC4=y could have been used to remove this functionality, but
it might as well be done automatically based on CONFIG_FIPS=y as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-26 11:34:30 +02:00
Mert Ekren
c823197bde SAE: Use Challenge Failure status code in confirm message failure cases
IEEE Std 802.11-2020, 12.4.7.6 says that status code CHALLENGE_FAILURE,
needs to be sent in case the verification action fails for SAE Confirm
message frame from a STA: "An SAE Confirm message, with a status code
not equal to SUCCESS, shall indicate that a peer rejects a previously
sent SAE Confirm message. An SAE Confirm message that was not
successfully verified is indicated with a status code of
CHALLENGE_FAILURE."

hostapd, however, did not use this status code for this case. In
ieee802_11.c the function sae_check_confirm() is called and in case of
verification failure (-1 is returned), the response is set to
WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). Fix this to use
CHALLENGE_FAILURE.

Signed-off-by: Koen Van Oost <koen.vanoost@airties.com>
Signed-off-by: Mert Ekren <mert.ekren@airties.com>
2022-11-24 12:09:38 +02:00
Jouni Malinen
e91ac53d53 DFS: Do not allow channel checks to go beyond the channel list
Explicitly check for invalid cases where the configured channel and
bandwidth might result in the full channel number range going beyond the
list of supported channels to avoid reading beyond the end of the
channel buffer.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-23 22:51:50 +02:00
Qiwei Cai
b6c38cee93 Skip CAC if the driver switches channel to non-DFS
If an AP is started on a DFS channel (or any channels within its
bandwidth require DFS) and DFS is offloaded to the driver, hostapd needs
to wait for CAC to complete. But the driver may not do CAC and just
switches to a non-DFS channel instead. This would result in a failure to
start the AP because hostapd fails to receive a CAC complete event and
cannot finish interface setup.

Skip CAC and complete AP setup in the channel switch event handler for
this case.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-23 18:32:46 +02:00
Jouni Malinen
34d93b0c9d HS 2.0: Deauthenticate STA on deauth-imminent more quickly if no URL
When the RADIUS server requests a STA to be deauthenticated imminently
without providing a reason URL, there is no need to allow the STA spend
any additional time associated. Deauthenticate the STA immediately after
it has ACK'ed the WNM-Notification frame indicating imminent
deauthentication or at latest two seconds after having processes the
Access-Accept message.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-21 22:57:38 +02:00
Jouni Malinen
40a42613e6 FT: Simplify FTE parsing for FT-SAE-EXT-KEY using MIC Length subfield
Commit 25b52e5f83 ("FT: Extend FTE parsing for FT-SAE-EXT-KEY") used
possible MIC length iteration to try to figure out the length of the MIC
field in FTE. That was the only option available at the time, but FTE is
now being extended in IEEE 802.11-REVme to explicitly indicate the
length of the MIC field for the new FT-SAE-EXT-KEY AKM to make this
easier.

Use the new design from the approved comment resolution (*) in
REVme/D2.0 ballot CID 3135 to simplify implementation. This gets rid of
the need to pass in key length and the somewhat strange need_{r0kh,r1kh}
parameters to wpa_ft_parse_ies().

(*)
https://mentor.ieee.org/802.11/dcn/22/11-22-1991-02-000m-proposed-resolutions-to-some-lb270-comments.docx

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-20 11:43:53 +02:00
Vinay Gannevaram
309765eb66 PASN: Use separate variables for BSSID and peer address
Using separate variables for BSSID and peer address is needed to support
Wi-Fi Aware (NAN) use cases where the group address is used as the BSSID
and that could be different from any other peer address. The
infrastructure BSS cases will continue to use the AP's BSSID as both the
peer address and BSSID for the PASN exchanges.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-10 21:12:50 +02:00
Veerendranath Jakkam
08512e5f35 MLD STA: Extend key configuration functions to support Link ID
Add support to specify a Link ID for set key operation for MLO
connection. This does not change the existing uses and only provides the
mechanism for extension in following commits.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-11-06 23:36:49 +02:00
Jouni Malinen
1ca5c2ec2a PASN: Fix spelling of RSNE in debug messages
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 17:11:47 +02:00
Jouni Malinen
a43536a72b PASN: Verify explicitly that elements are present before parsing
Make sure the elements were present before trying to parse them. This
was already done for most cases, but be consistent and check each item
explicitly before use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-11-06 17:10:45 +02:00
Vinay Gannevaram
ea241cbe9d PASN: Rename struct wpas_pasn to pasn_data
struct wpas_pasn is common to both initiator and responder, so rename it
to pasn_data to avoid the "wpas_" prefix that could be seen as a
reference to wpa_supplicant (PASN initiator).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 12:59:29 +02:00
Vinay Gannevaram
78c5bb7f50 PASN: Move responder functionality into a separate file
PASN responder validates auth 1 frame and sends auth 2 frame to the
initiator. It analyses the auth 3 frame and verifies successful
authentication. Wi-Fi Aware modules can reuse this functionality through
a shared library libpasn.so generated from this code. Move the PASN
functionality that is now decoupled from the hapd context into a
separate file in a common directory to make it easier to build such a
library.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
975b7a02cb Move SAE comeback token functionality into a separate file
This is helpful in being able to get the functionality needed for SAE
into a separate library (libpasn.so) without needing all of the
ieee802_11.c functionality.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
1711fe9121 PASN: Compute MIC from RSNE and RSNXE of the frame for Wi-Fi Aware
Wi-Fi Aware R4 specification defines Beacon RSNE/RSNXE to be same as
RSNE/RSNXE present in Auth2 frame. So, MIC validation should be done
with the RSNE and RSNXE received in Auth2 frame.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
6f80014b10 PASN: Allow custom PMKID in Authentication frames for Wi-Fi Aware
Wi-Fi Aware R4 specification introduces a custom PMKID derived from
Nonce and TAG. This custom PMKID is included in PASN Authentication
frames during pairing verification. So, allow use of a custom PMKID in
PASN frames and validate it using a function handler. Wi-Fi Aware
component that uses libpasn.so should take care of validating the custom
PMKID.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
e99047da2b PASN: Add a handler func to send mgmt frames to the driver from AP
Introduce a function handler to transmit PASN Authentication frames to
the driver. This removes the hapd dependency for sending the frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
4022ffc5db PASN: Store AKMP in the PTKSA cache
PTK is stored in the PTKSA cache following a successful PASN handshake,
however AKMP is removed upon a WPA PASN reset. The PASN handshake is
used in the Wi-Fi Aware R4 specification to define the pairing setup
process. KDK is used to generate a new set of keys, while AKMP is
required for key derivation for pairing. So, keep AKMP in the PTKSA
cache.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
c55eadede7 PASN: Remove hapd dependency in processing PASN Authentication frames
Remove hapd dependency in processing PASN M1/M3 frames and build PASN M2
frame. Initialize required pasn parameters from hapd before passing
Authentication frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
6dc833bc5c PASN: Remove hapd dependency for PASN and SAE comeback
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
1861f57162 PASN: Remove hapd dependency for pasn_derive_keys()
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
1fa266e99d PASN: Remove hapd dependency for SAE and FILS wrapped data
This makes hostapd use the struct defines from pasn_common.h so that the
same struct is shared with wpa_supplicant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Vinay Gannevaram
bc9fbe1b24 PASN: Common wpas_pasn structure for initiator and responder
Make struct wpas_pasn common for both the initiator and the responder by
adding required parameters for responder to the existing struct
wpas_pasn. This makes both hostapd and wpa_supplicant share the same
structure definitions in preparation for allowing PASN functionality to
be built into a separate library.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-04 00:52:17 +02:00
Jouni Malinen
2c55c9273c More debug prints for EAPOL-Key message generation (Authenticator)
AES-WRAP(KEK) protection of the Key Data field did not include all the
details in the log. Extend that to cover the details that were already
present for the AES-SIV case to make the debug log more useful for
analyzing issues in this area. Furthermore, print the full EAPOL-Key
frame in the log.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-11-03 12:38:06 +02:00
Jouni Malinen
883e33594d FT: Authentication request frame processing for FT-SAE-EXT-KEY
Figure out the correct hash algorithm based on which MIC field length
assumption results in successful parsing. This is needed since the key
length is not yet known at this point on the AP when using the new
FT-SAE-EXT-KEY AKM.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 17:43:15 +03:00
Jouni Malinen
879363bbc1 FT: Reassociation Request frame parsing for FT-SAE-EXT-KEY
Handle the new MIC field length option for the SHA512-based variant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 17:43:15 +03:00
Jouni Malinen
e8f23c9480 FT: Association Response frame FTE generation for FT-SAE-EXT-KEY
Add the SHA512-based variant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 17:43:15 +03:00
Jouni Malinen
a76a314c15 FT: Extend PMK-R0 derivation for FT-SAE-EXT-KEY
Provide AKM to the helper function to cover the SHA512-based derivation
case.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 17:43:11 +03:00
Jouni Malinen
25b52e5f83 FT: Extend FTE parsing for FT-SAE-EXT-KEY
Provide AKM, key length, and information about needed subelements to the
parser function so that the variable length MIC field cases can be
recognized for FT-SAE-EXT-KEY. Knowledge about R0KH-ID/R1KH-ID being
needed is required to be able to iterate over possible MIC field lengths
for the case where the AP does not yet know the correct key length at
the beginning of FT protocol.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 17:17:49 +03:00
Jouni Malinen
4f58afee9a FT: Extend MIC derivation for FT-SAE-EXT-KEY
Provide AKM to the helper function so that the new SHA256 and SHA512
options can be covered for FT-SAE-EXT-KEY.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 17:07:54 +03:00
Jouni Malinen
dcd46edf5f FT: Extend PMKR1Name derivation for FT-SAE-EXT-KEY
Provide key length instead of SHA384/SHA256 selection to the helper
function so that the new SHA512 option can be covered for
FT-SAE-EXT-KEY.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 17:03:10 +03:00
Jouni Malinen
9fd2455642 FT: Support longer SAE PMK for FT in INITPSK AP
This is needed for the new FT-SAE-EXT-KEY AKM that uses variable length
PMK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 16:54:21 +03:00
Jouni Malinen
c41bd98be3 FT: AP mode FTE writing to support FT-SAE-KEY-EXT
Provide enough information to allow the FTE to be built using the
correct MIC field length based on the used AKM and key length.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 16:51:12 +03:00
Jouni Malinen
efa0f51d33 FT: Accept 512-bit PMK-R1 from RRB
This will be needed for FT-SAE-KEY-EXT.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-10-16 16:41:12 +03:00
Chaoli Zhou
f8a05de669 Move default action from after switch to within
Move from this type of constructions:

switch (val) {
case 1:
	something;
	break;
}
default-action;

into following:

switch (val) {
case 1:
	something;
	break;
default:
	default-action;
	break
}

for cases where the switch statement is not expected to contain a full
set of enum values and as such, does not lose value from not having the
default target.

This makes the intent of default behavior clearer for static analyzers like
gcc with -Wswitch-default.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-10-14 16:08:20 +03:00
Vishal Miskin
7614fcebe0 ACS: Filter out 6 GHz channels if HE or EHT is not enabled
Do not include 6 GHz channels in the ACS possible channel list if
neither HE (ieee80211ax=1) nor EHT (ieee80211be=1) is enabled since
those channels cannot be used in such combination.

Signed-off-by: Vishal Miskin <quic_vmiskin@quicinc.com>
2022-10-13 21:21:51 +03:00
Sunil Ravi
a7684a21c7 Update hw mode after ACS selects the channel
hostapd based automatic channel selection doesn't update the hardware
mode after the channel is selected. This change specifically helps
channel 14 which can operate only in IEEE 802.11b mode.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-09-23 00:23:56 +03:00
Shay Bar
01944c0957 Fix RNR BSSID setting for own interfaces
bss->conf->bssid may be kept unset and will cause an empty BSSID field
in RNR. Fix this to use own_addr instead.

Signed-off-by: Shay Bar <shay.bar@celeno.com>
Signed-off-by: moran.daori <moran.daori@celeno.com>
2022-09-16 22:15:56 +03:00
stijn@linux-ipv6.be
f77c0f914a ACS: Include frequency in info messages
The ACS info messages frequently appear for multiple channels. Without
the actual frequency in the messages, they are not very informative.
Add the frequency to them to improve this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-09-16 21:39:47 +03:00
Sergey Matyukevich
0c7b3814ca Use a less generic name for IEEE802.11 CRC-32 routine
Hostapd uses 'crc32' name for IEEE802.11 CRC-32 routine. This name is
too generic. Buildroot autobuilder detected build configuration that
failed to build due to the naming conflict: static linking with openssl
using zlib-ng as a zlib provider, e.g. see:
- http://autobuild.buildroot.net/results/9901df820d3afa4cde78e8ad6d62cb8ce7e69fdb/
- http://autobuild.buildroot.net/results/ac19975f0bf77f4a8ca574c374092ba81cd5a332/

Use a less generic name ieee80211_crc32 for IEEE802.11 CRC-32 routine
to avoid such naming conflicts.

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
2022-09-16 21:39:47 +03:00
David Bauer
7ed17eee3a ACS: Don't select indoor channel on outdoor operation
Don't select channels designated for exclusive indoor use when the
country string is set for outdoor operation (country3=0x4f, i.e., the
third character of the country string is 'O').

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-09-16 21:00:21 +03:00
Chaoli Zhou
7974d80531 Configure RRM elements to the driver in the driver-AP-SME case
Support updating the RRM IEs to the driver for Probe Response and
(Re)Association response frames in the AP mode when the SME is
implemented in the driver.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-09-14 21:32:23 +03:00
Manaswini Paluri
122cdd5925 Enable TWT responder AP role only if IEEE 802.11ax/HE is enabled
Set TWT responder configurator in the driver parameters only when the AP
is configured with HE enabled. This was already done for the extended
capability bit generation in commit 8de0ff0fa1 ("HE: Add TWT responder
extended capabilities field"), but this parameter for the driver command
to start the AP in _ieee802_11_set_beacon() missed the condition.

Move the ieee80211ax check into the common helper function to cover both
cases. In addition, add a check for disable_11ax to cover the case where
HE is disabled for a specific BSS.

Fixes: ab8c55358e ("HE: Dynamically turn on TWT responder support")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-13 04:24:03 +03:00
Vinay Gannevaram
85e28a79ba PASN: Set secure ranging context to driver after association
After the secure association and PTK derivation are completed, if the
device supports LTF keyseed, generate the LTF keyseed using KDK and set
the ranging context to the driver by using the command
QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 17:07:56 +03:00
Vinay Gannevaram
9b62b61c68 PASN: Configure secure ranging context to the driver in AP mode
AP as a responder, on successful completion of PASN authentication
configures the required keys by using the command
QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT to the driver.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 16:25:20 +03:00
Vinay Gannevaram
24929543ba PASN: Deauthenticate on PTKSA cache entry expiration
Add an option for an alternative processing of PTKSA life time expiry.

Register a callback in wpa_supplicant to handle the life time expiry of
the keys in PTKSA cache. Send PASN deauthentication when a PTKSA cache
entry expires.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-02 16:18:14 +03:00
Vinay Gannevaram
580bd04cf3 Add own MAC address used for key derivation to PTKSA cache
On successful PASN handshake or 4-way handshake with a peer, PTK is
derived using the local and peer MAC addresses as input. Store the own
MAC address that is used for key derivation in PTKSA cache to maintain
that state over potential MAC addresses changes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 19:01:21 +03:00
Vinay Gannevaram
96a604128b Use separate PASN capabilities for AP and STA modes
Use separate capabilities for AP and STA modes for P802.11az security
parameters secure LTF support, secure RTT measurement exchange support,
and protection of range negotiation and measurement management frames
support.

P802.11az security parameters are considered to be supported for both
station and AP modes if the driver sets NL80211_EXT_FEATURE_SECURE_LTF,
NL80211_EXT_FEATURE_SECURE_RTT, and
NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE flags. The driver can
advertize capabilities specific to each mode using
QCA_WLAN_VENDOR_FEATURE_SECURE_LTF*,
QCA_WLAN_VENDOR_FEATURE_SECURE_RTT*, and
QCA_WLAN_VENDOR_FEATURE_PROT_RANGE_NEGO_AND_MEASURE* flags.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-09-01 18:59:52 +03:00
Jouni Malinen
1f9a988f1f DPP3: Do not initiate PKEX for PB if no configuration is available
Reorder PKEX initiation function to send out the PKEX Exchange Request
frame at the end after all possible error cases have been checked. This
prevents Enrollee from seeing a PKEX frame when the session is about to
fail.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-27 00:50:05 +03:00
Jouni Malinen
54706957e3 DPP: Fix DPP_RELAY_ADD_CONTROLLER command parsing
hostapd_dpp_add_controller() ended up trying to parse the IP address
without nul terminating it. This might work with some C libraries, but
not all. And anyway, this was already supposed to nul terminate the
string since a temporary copy is created of the constant string. Fix
this by adding the missed replacement of the space with nul.

Fixes: bfe3cfc382 ("DPP: Allow Relay connections to Controllers to be added and removed")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-08-26 17:27:45 +03:00
Jouni Malinen
89de431f23 DPP: Add config response status value to DPP-CONF-SENT
This can be helpful for upper layers to be able to determine whether the
configuration was rejected.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-29 18:55:37 +03:00
Jouni Malinen
e81ec0962d SAE: Use H2E unconditionally with the new AKM suites
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
f8eed2e8b8 SAE: Store PMK length and AKM in SAE data
These are needed to be able to support new AKM suites with variable
length PMK.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:31:51 +03:00
Jouni Malinen
91df8c9c65 SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
d22dfe9187 DPP: Event message for indicating when Relay would need a Controller
The new DPP-RELAY-NEEDS-CONTROLLER control interface event can be used
to trigger mDNS discovery of a Controller to see if such a connection
can be established automatically at the time an Enrollee is trying to
initiate an operation.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
bfe3cfc382 DPP: Allow Relay connections to Controllers to be added and removed
The new control interface commands "DPP_RELAY_ADD_CONTROLLER <IP addr>
<PK hash>" and "DPP_RELAY_REMOVE_CONTROLLER <IP addr>" can now be used
to dynamically add and remove connections to Controllers for the cases
where the connection is initialized through a DPP Public Action frame
(i.e., Controller as the Responder).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
f7763880bd DPP: Advertise Configurator connectivity on Relay automatically
Instead of requiring explicit configuration through
dpp_configurator_connectivity=1, advertise Configurator connectivity
automatically if a Relay is configured with a Controller that can
operate as a Responder.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-25 00:23:31 +03:00
Jouni Malinen
ca682f80a9 DPP: Dynamic Controller initiated connection on Relay
Accept an incoming TCP connection from a Controller in a Relay that is
configured with dpp_relay_port even if that Controller is not configured
with a dpp_controller parameter. This allows more dynamic Controller
initiated operations, e.g., when using mDNS to discover a Relay.

This type of a dynamic Controller entry will not be used for exchanges
that are initiated by an Enrollee (i.e., based on a DPP Public Action
frame received by the Relay).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-23 16:57:54 +03:00
Jouni Malinen
d2388bcca5 DPP: Strict validation of PKEX peer bootstrapping key during auth
Verify that the peer does not change its bootstrapping key between the
PKEX exchange and the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:08:08 +03:00
Jouni Malinen
a7b8cef8b7 DPP3: Fix push button boostrapping key passing through PKEX
When PKEX was started through the push button mechanism, the own
bootstrapping key was not bound correctly to the Authentication phase
information and that ended up in incorrectly generating a new
bootstrapping key for the Authentication exchange. Fix this by added the
needed own=<id> parameter into the cached parameters when using push
button.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:06:04 +03:00
Jouni Malinen
69d7c8e6bb DPP: Add peer=id entry for PKEX-over-TCP case
The peer=<id> information about the specific boostrapping key provided
through PKEX was added for Public Action frame cases, but the TCP
variant did not do same. Add the same information there to maintain
knowledge of the specific peer bootstrapping key from PKEX to
Authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 21:04:08 +03:00
Jouni Malinen
1ff9251a83 DPP3: Push button Configurator in wpa_supplicant
Extend DPP push button support in wpa_supplicant to allow the role of
the Configurator to be used. This provides similar functionality to the
way the DPP_PUSH_BUTTON command in hostapd worked when providing the
configuration parameters with that command (instead of building the
config object based on current AP configuration).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-22 12:28:18 +03:00
Jouni Malinen
e9137950fa DPP: Recognize own PKEX Exchange Request if it ends up being received
It is possible for a Controller to receive a copy of its own PKEX
Exchange Request in the case where the Controller is initiating a PKEX
exchange through a Relay. The Configurator role in the device would have
a matching PKEX code in that case and the device might reply as a PKEX
responder which would result in going through the exchange with the
Controller device itself. That is clearly not desired, so recognize this
special case by checking whether the Encrypted Key attribute value
matches a pending locally generated one when processing a received PKEX
Exchange Request.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-21 20:30:07 +03:00
Jouni Malinen
15af83cf18 DPP: Delete PKEX code and identifier on success completion of PKEX
We are not supposed to reuse these without being explicitly requested to
perform PKEX again. There is not a strong use case for being able to
provision an Enrollee multiple times with PKEX, so this should have no
issues on the Enrollee. For a Configurator, there might be some use
cases that would benefit from being able to use the same code with
multiple Enrollee devices, e.g., for guess access with a laptop and a
smart phone. That case will now require a new DPP_PKEX_ADD command on
the Configurator after each completion of the provisioning exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 23:28:33 +03:00
Jouni Malinen
148de3e0dc DPP3: Private Peer Introduction protocol
Add a privacy protecting variant of the peer introduction protocol to
allow the station device to hide its Connector from 3rd parties. The new
wpa_supplicant network profile parameter dpp_connector_privacy=1 can be
used to select this alternative mechanism to the peer introduction
protocol added in the initial release of DPP.

It should be noted that the new variant does not work with older DPP APs
(i.e., requires support for release 3). As such, this new variant is
disabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-19 00:14:41 +03:00
Jouni Malinen
0e2217c95b DPP: Allow 3rd party information to be added into config request obj
This allows the DPP Configuration Request Object from an Enrollee to be
extended with 3rd party information. The new dpp_extra_conf_req_name and
dpp_extra_conf_req_value configuration parameters specify the name of
the added JSON node and its contents. For example:
dpp_extra_conf_req_name=org.example
dpp_extra_conf_req_value={"a":1,"b":"test"}

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-16 17:22:23 +03:00
Jouni Malinen
451ede2c31 DPP: Allow AP/Relay to be configured to listed for new TCP connections
This extends Relay functionality to allow a Controller to intitiate a
new DPP exchange in addition to the previously supported case where the
exchange was initiated through a DPP Public Action frame.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-09 13:09:04 +03:00
Jouni Malinen
7bbe859873 DPP3: Allow external configuration to be specified on AP for PB
While the most likely production use case for DPP push button is to
provision the AP's current configuration, there might be some use cases
for providing different configuration. Add possibility for doing this by
extending the DPP_PUSH_BUTTON command to accept an optional set of
parameters similarly to the other DPP commands for the Configurator.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-08 00:14:06 +03:00
Jouni Malinen
37bccfcab8 DPP3: Push button bootstrap mechanism
Add support to use a push button -based bootstrap mechanism with DPP.
The new DPP_PUSH_BUTTON control interface command enables this mode on
the AP/hostapd and station/wpa_supplicant. This goes through the
following sequence of events: a suitable peer in active push button mode
is discovered with session overlap detection, PKEX is executed with
bootstrap key hash validation, DPP authentication and configuration
exchanges are performed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-07-07 00:31:30 +03:00
Veerendranath Jakkam
085a3fc76e EHT: Add 320 channel width support
Add initial changes to support 320 MHz channel width.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
2022-06-20 14:39:26 +03:00
Aleti Nageshwar Reddy
bafe35df03 Move CHANWIDTH_* definitions from ieee80211_defs.h to defs.h
Move most of CHANWIDTH_* definitions from ieee80211_defs.h to defs.h as
the definitions are getting used mostly for internal purpose only. Also
change prefix of the definitions to CONF_OPER_CHWIDTH_* and update in
all the files accordingly.

Leave the couple of VHT-specific exceptions to use the old defines (the
reason why they were originally added as VHT values), to avoid use of
clearly marked configuration values in information elements. In
addition, use the defines instead of magic values where appropriate.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2022-06-20 14:39:18 +03:00
Jouni Malinen
e4015440af ProxyARP: Clear bridge parameters on deinit only if hostapd set them
Skip the x_snoop_deinit() operations if hostapd did not actually
configure the parameters in the first place. While clearing these
specific parameters is unlikely to change how they were set outside the
scope of hostapd, it is better to leave them as-is to avoid surprises if
hostapd was not configured to use ProxyARP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-31 11:53:05 +03:00
Jouni Malinen
ed325ff0f9 DPP: Allow TCP destination (address/port) to be used from peer URI
tcp_addr=from-uri can now be used as a special case for initiating
DPP-over-TCP to the destination indicated in the peer bootstrapping URI.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-19 22:53:36 +03:00
Jouni Malinen
1142b6e415 EHT: Do not check HE PHY capability info reserved fields
Only use the bandwidth bits that are applicable for the current
operating band. This avoids use of reserved bits when determining the
length of the Support EHT-MCS And NSS Set field length.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 19:39:57 +03:00
Jouni Malinen
bc36991791 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
IEEE Std 802.11-2020 is ambiguous on how the Secure bit is set in
EAPOL-Key msg 1/4 and 2/4 in the case where 4-way handshake is use to
rekey the PTK. 12.7.2 describes this with "set to 1 once the initial key
exchange is complete" while 12.7.6 shows EAPOL-Key msg 1/4 and 2/4 using
Secure=0 without any consideration on whether the handshake is for
rekeying.

TGme seems to be moving towards clarifying this to use Secure=1 based on
there being a shared PTKSA between the Authenticator and the Supplicant.
In other words, this would use Secure=1 in EAPOL-Key msg 1/4 and 2/4 in
the case of rekeying. Change implementation to match that. This bit was
already practically ignored on the reception side, so this should not
have impact on actual functionality beyond this one bit changing its
value in the frame.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 17:47:17 +03:00
Jouni Malinen
fc9648a6a1 DPP: Debug print if not relay is available for PKEX exchange
This makes it easier to see what happened with the received PKEX frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:25:09 +03:00
Jouni Malinen
77bb12a604 P2P: Maintain ip_pool bitfield index separately
Avoid the somewhat confusing mechanism of determining the bitfield index
from the assigned IP address to make this easier for static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:59:31 +03:00
Jouni Malinen
6e8518749f GAS: Limit maximum comeback delay value
Limit the GAS comeback delay to 60000 TUs, i.e., about 60 seconds. This
is mostly to silence static analyzers that complain about unbounded
value from external sources even though this is clearly bounded by being
a 16-bit value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:41:37 +03:00
Jouni Malinen
469528a6e5 BSS coloring: Fix bitmap check
BIT(r) is not sufficient here since it does not cover 64 bit values.
Write this out with 1ULL to be large enough for the shift operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:36:09 +03:00
Jouni Malinen
993eb12407 FST: Make sure get_hw_modes() callback is set for hostapd
It looks like fst_wpa_obj::get_hw_modes would have been left
uninitialized in hostapd. It is not obviously clear why this would not
have caused issues earlier, but in any case, better make this set
properly to allow unexpected behavior should that function pointer ever
be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 00:27:51 +03:00
MeiChia Chiu
96a7f38329 hostapd: Add the destination address of unsolicited Probe Response frame
Without this, hostapd generates Probe Response frames with the null
destination address when hostapd enables unsolicited Probe Response
frame transmission. Fix this to use the broadcast address instead.

Fixes: 024b4b2a29 ("AP: Unsolicited broadcast Probe Response configuration")
Signed-off-by: MeiChia Chiu <meichia.chiu@mediatek.com>
2022-05-07 21:37:08 +03:00
Jouni Malinen
8690374439 Discard unencrypted EAPOL/EAP when TK is set and PMF is enabled (AP)
RSN design is supposed to encrypt all Data frames, including EAPOL
frames, once the TK has been configured. However, there are deployed
implementations that do not really follow this design and there are
various examples from the older uses of EAPOL frame where those frames
were not encrypted. As such, strict filtering of unencrypted EAPOL
frames might results in undesired interoperation issues.

However, some of the most important cases of missing EAPOL frame
encryption should be possible to handle without causing too significant
issues. These are for cases where an attacker could potentially cause an
existing association to be dropped when PMF is used. EAPOL-Start and
EAPOL-Logoff are potential candidate for such attacks since those frames
could be used to terminate an authentication or initiate a new EAP
authentication. Such an attack could result in the station ending up
disconnecting or at minimum, getting into somewhat mismatching state
with the AP.

Drop EAPOL-Start/Logoff/EAP frames on the AP/Authenticator when it is
known that it was not encrypted but should have been and when PMF is
enabled. While it would be correct to drop this even without PMF, that
does not provide any significant benefit since it is trivial to force
disconnection in no-PMF cases. It should also be noted that not all
drivers provide information about the encryption status of the EAPOL
frames and this change has no impact with drivers that do not indicate
whether the frame was encrypted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:08 +03:00
Jouni Malinen
18c0ac8901 Provide information about the encryption status of received EAPOL frames
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:03 +03:00
Jouni Malinen
7ee814201b FILS: Set pairwise_set when configuring TK after association
sm->pairwise_set needs to be set whenever the TK has been configured to
the driver to request following EAPOL frames to be encrypted (or more
specifically, not to request them to not be encrypted). The FILS case
missed this setting and that could result in rekeying or
reauthentication in an associated started with FILS not working
correctly.

Fixes: da24c5aa1c ("FILS: Set TK after association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 20:36:49 +03:00
Jouni Malinen
7a7a4ea578 Check need for SA Query/assoc comeback before updating RSNE parameters
wpa_validate_wpa_ie() might update sm->* values, so it should not be
allowed for an existing STA entry if that STA has negotiated MFP to be
used for the association. Fix this by first checking whether an SA Query
procedure needs to be initiated. In particular, this prevents a
potential bypass of the disconnection protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-07 18:52:13 +03:00
Veerendranath Jakkam
27e828d728 ACS: Send EHT enabled info to driver
The driver can consider EHT specific parameters such as the puncture
pattern for ACS when this flag attribute is indicated by userspace.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:25:44 +03:00
Veerendranath Jakkam
43fe1ce35d EHT: Add [EHT] flag into AP mode STA command
This indicates whether an associated stations supports EHT.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:21:35 +03:00
Veerendranath Jakkam
4994c41f22 EHT: Indicate ieee80211be configuration in hostapd STATUS output
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:20:15 +03:00
Veerendranath Jakkam
50d8837106 EHT: Fix invalid length checking for EHT Capability element
Do not consider optional octets maximum lengths when validating EHT
fixed fields length. Furthermore, do not use the first two octets of the
PPE Thresholds field without explicitly confirming that these octets
were included in the element and fix PPE Thresholds field length
calculation.

Fixes: a6d1b4c46c ("EHT: Process (Re)Association Request frame capabilities")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-05-05 13:19:56 +03:00
Sunil Ravi
2c78f11a9f Fix compilation due to forward declaration of macaddr_acl
enum macaddr_acl is forward declared in wpa_supplicant/ap.h.
c++ compiler doesn't allow forward declaration. So to fix the
compilation error, moved the enum macaddr_acl declaration out
of struct hostapd_bss_config.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
2022-05-05 13:04:13 +03:00
Jouni Malinen
a561d12d24 EAP peer status notification for server not supporting RFC 5746
Add a notification message to indicate reason for TLS handshake failure
due to the server not supporting safe renegotiation (RFC 5746).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-05 00:21:46 +03:00
Juliusz Sosinowicz
ca26224815 Check the return of pbkdf2_sha1() for errors
pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:13:31 +03:00
Jouni Malinen
21098e39fe EAP-SIM/AKA server: IMSI privacy
Add support for IMSI privacy in the EAP-SIM/AKA server implementation.
If the new hostapd configuration parameter imsi_privacy_key is used to
specify an RSA private key, that key will be used to decrypt encrypted
permanent identity.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:16 +03:00
Muna Sinada
c3d389b72f EHT: Channel switch command support
Add option to hostapd control interface CHAN_SWITCH command to allow
switch in EHT mode.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:44:18 +03:00
Muna Sinada
dae7940a48 EHT: Additions to hostapd_set_freq_params()
Modify hostapd_set_freq_params() to include EHT parameters and update
the calling functions to match.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:40:13 +03:00
Aloka Dixit
e646b11fea EHT: Indicate EHT support in Neighbor Report element
Set bit 21 in the neighbor report for an EHT AP as described in IEEE
P802.11be/D1.5, 9.4.2.36. Also move the check for HE outside the check
for HT as neither HT nor VHT are enabled in the 6 GHz band.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:30:26 +03:00
Aloka Dixit
f915d52dee EHT: Provide EHT capabilities in STA addition path
Add support for EHT capabilities in the addition of a new station entry
to the driver.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
a6d1b4c46c EHT: Process (Re)Association Request frame capabilities
Parse EHT capabilities sent by a non-AP STA in (Re)Association Request
frames. Validate the length of the element, matching MCS rates between
AP TX and STA RX. Store the capabilities in the station info structure.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
d54e3d0495 EHT: Add operation element in AP mode Management frames
Add EHT Operation element in Beacon, Probe Response, and (Re)Association
Response frames using the format described in IEEE P802.11be/D1.5,
9.4.2.311.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
9b7202d665 EHT: Add capabilities element in AP mode Management frames
Add EHT Capabilities element in Beacon, Probe Response, and
(Re)Association Response frames.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
a7ea721889 EHT: Add configuration options for beamforming capabilities
Add configuration options to set EHT SU/MU beamforming capabilities.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Aloka Dixit
8db3881c76 EHT: Add operating channel width configuration
Add new configuration options to configure EHT operating channel
width and center frequency.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Aloka Dixit
8dcc2139ff EHT: AP mode configuration options to enable/disable the support
Add compilation support for IEEE 802.11be along with options to enable
EHT support per radio and disable per interface.

Enabling HE is mandatory to enable EHT mode.

Tested-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Jouni Malinen
86310c2202 Set hostapd hw_mode automatically based on 6 GHz op_class
Allow hostapd configuration to specify use of the 6 GHz band with the
specific op_class values without having to set the hw_mode=a parameter
explicitly.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-29 11:19:43 +03:00
Ben Greear
f1686d7761 hostapd: Allow enabling background radar
This feature does not work on all radios that advertise this feature
with the current driver implementation, and possibly some users don't
want to use it even if it works fine, so disable it by default for now,
but let users enable it as desired with enable_background_radar=1.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2022-04-23 23:38:58 +03:00
Nicolas Escande
3a759dcc8c ACS: Honor acs_exclude_dfs with hostapd's ACS implementation
The acs_exclude_dfs parameter is documented as a way to exclude DFS
channels when performing ACS without disabling DFS altogether. The
problem is this parameter is only enforced when ACS is offloaded to the
driver (WPA_DRIVER_FLAGS_ACS_OFFLOAD). So from now on, lets also check
acs_exclude_dfs in the internal ACS implementation to exclude channels
marked with radar detection.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-04-17 19:50:23 +03:00
John Crispin
33c4dd26cd BSS coloring: Handle the collision and CCA events coming from the kernel
This commit activates the functionality of the previous commits by
handling the actual events that will trigger the CCA process.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:30:30 +03:00
John Crispin
86bd90eb37 BSS coloring: Disable BSS color during CCA
While we are doing CCA the BSS Color Disabled field inside the HE
Operation Parameters field needs to be set.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:13:51 +03:00
John Crispin
f7d0b740e7 BSS coloring: BSS Color Change Announcement element generation
This information element is similar to the CSA one. It contains a
counter and the target color. Once the counter expired, the change to
the new color happens.

Just note the current implementation is based on CCA counter attributes
that only take Beacon and Probe Response framesinto account.
(Re)Association Response frames do not currently have kernel APIs to
decrement the CCA counter since mediatek mcu firmware does not support
it yet and it will be added in future firmware release.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:13:08 +03:00
John Crispin
654d2395dd BSS coloring: Handling of collision events and triggering CCA
Add the core code for handling BSS color collision events and triggering
CCA inside the kernel. The caller of hostapd_switch_color() will be
added in the following commits.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:06:06 +03:00
Jouni Malinen
b94371af84 RADIUS attributes for EAPOL-Key message details
Use vendor specific RADIUS attributes for sending ANonce and EAPOL-Key
msg 2/4 for the wpa_psk_radius=3 case. The vendor specific attributes
for this are defined in FreeRADIUS as follows:

BEGIN-VENDOR    FreeRADIUS      format=Extended-Vendor-Specific-5
ATTRIBUTE       FreeRADIUS-802.1X-Anonce        1       octets[32]
ATTRIBUTE       FreeRADIUS-802.1X-EAPoL-Key-Msg 2       octets
END-VENDOR      FreeRADIUS

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-15 18:40:55 +03:00
Jouni Malinen
dacb6d278d Update IEEE P802.11ax draft references to published amendment
Get rid of the old references to drafts since the amendment has been
published.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-08 19:50:32 +03:00
Pradeep Kumar Chitrapu
8128ea76af Add Transmit Power Envelope element in 6 GHz
Add Transmit Power Envelope element for 6 GHz per IEEE Std
802.11ax-2021.

Currently, this uses hard coded EIRP/PSD limits which are applicable to
6 GHz operation in United states, Japan, and Korea. Support to extract
power limits from kernel data will be added after complete regulatory
support is added for the 6 GHz band.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 19:50:26 +03:00
Pradeep Kumar Chitrapu
bc3dc72a3a Extend 6 GHz Operation Info field in HE Operation element
Add new field definitions for the 6 GHz Operation Information field in
the HE Operation element per IEEE Std 802.11ax-2021, 9.4.2.249. These
will be used for TPC operation in the 6 GHz band.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 13:22:31 +03:00
Pradeep Kumar Chitrapu
0eb686637d hostapd: Add config option to specify 6 GHz regulatory AP type
IEEE Std 802.11ax-2021 introduces Regulatory Info subfield to specify
the 6 GHz access point type per regulatory. Add a user config option for
specifying this.

When not specified, Indoor AP type is selected for the 6 GHz AP by
default.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 13:19:10 +03:00
Pradeep Kumar Chitrapu
ee06165e96 hostapd: Extend Country element to support 6 GHz band
Add support for the Country element for the 6 GHz band per IEEE Std
802.11ax-2021, 9.4.2.8 (Country element).

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 12:57:46 +03:00
Jouni Malinen
f5ad972455 PASN: Fix build without CONFIG_TESTING_OPTIONS=y
force_kdk_derivation is defined within CONFIG_TESTING_OPTIONS, so need
to use matching condition when accessing it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:47:31 +03:00
Jouni Malinen
7114e56060 EAP-TLS: Testing functionality to skip protected success indication
This server side testing functionality can be used to test EAP-TLSv1.3
peer behavior.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:43:12 +03:00
Jouni Malinen
95fd54b862 Disconnect STA on continuous EAP reauth without 4-way handshake completion
It could have been possible to get into an endless loop of retried EAP
authentication followed by failing or not completed 4-way handshake if
there was a different interpretation of EAP authentication result
(success on AP, failure on STA). Avoid this by limiting the number of
consecutive EAPOL reauth attempts without completing the following 4-way
handshake.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:28:49 +03:00
Karthikeyan Kathirvel
d27f7bd946 FILS: Fix config check to allow unsolicited broadcast Probe Response
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.

Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
2022-04-05 00:33:33 +03:00
Jouni Malinen
65a3a273cd OWE: Reuse own DH private key in AP if STA tries OWE association again
This is a workaround for mac80211 behavior of retransmitting the
Association Request frames multiple times if the link layer retries
(i.e., seq# remains same) fail. The mac80211 initiated retransmission
will use a different seq# and as such, will go through duplicate
detection. If we were to change our DH key for that attempt, there would
be two different DH shared secrets and the STA would likely select the
wrong one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
576662d277 ieee802_11_auth: Coding style cleanup - NULL comparison
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
945acf3ef0 ieee802_11_auth: Coding style cleanup - no string constant splitting
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
1c3438fec4 RADIUS ACL/PSK check during 4-way handshake
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:32 +03:00
Jouni Malinen
5b5c954c04 Fix AP config check to recognize all PSK AKMs
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 16:26:02 +03:00
Chaoli Zhou
fd0d738ff4 Add return value to ACL functions
While these do not return error code within the current hostapd
implementation, matching functions in wpa_supplicant AP functionality
will have an error case and using consistent return type will make the
control interface code more consistent.

In addition, export hostapd_set_acl() in preparation for the
wpa_supplicant control interface implementation extension.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:28 +02:00
Chaoli Zhou
f5ac428116 Move ACL control interface commands into shared files
This is a step towards allowing these commands to be used from
wpa_supplicant.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 14:22:24 +02:00
Chaoli Zhou
9306956626 Add BSS-TM-QUERY event to indicate reception of BSS TM Query
This allows upper layers to learn about associated stations requesting
BSS transition management from the AP.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Chaoli Zhou
0f8c6e9955 Move BTM control interface commands into shared file
This is a step towards allowing these commands to be used from
wpa_supplicant.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Chaoli Zhou
e059d8ece8 Update the Extended Capability element to struct sta_info
Only the SME-in-hostapd case updated sta->ext_capability while the
SME-in-the-driver case updated sta->qos_map_enabled, but not other items
related to the extended capabilities. This resulted in reduced
information being available through the control interface.

Use the shared helper function for both cases to get matching
information available regardless of the SME architecture.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 00:56:53 +02:00
Jouni Malinen
ce86f2446f DFS: Remove unnecessary variable
This was not used for anything else than checking the value returned by
the called function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-13 21:23:54 +02:00
Lorenzo Bianconi
760a5ae26b DFS: Switch to background radar channel if available
On radar detection on the main chain switch to the channel monitored
by the background chain if we have already performed the CAC there.
If a radar pattern is reported on the background chain, just select a
new random channel according to the regulations for monitoring.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:23:10 +02:00
Lorenzo Bianconi
b63d953feb DFS: Enable CSA for background radar detection
Rely on hostapd_dfs_request_channel_switch() to enable CSA for
background radar detection switching back to the selected channel.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:15:48 +02:00
Lorenzo Bianconi
25663241c5 DFS: Introduce hostapd_dfs_request_channel_switch()
This is a preliminary patch to add Channel Switch Announcement for
background radar detection.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:12:43 +02:00
Lorenzo Bianconi
316a9dc63b DFS: Configure background radar/CAC detection
Introduce the capability to perform radar/CAC detection on an offchannel
radar chain available on some hardware (e.g., mt7915). This feature
allows to avoid CAC downtime switching on a different channel during CAC
detection on the selected radar channel.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 21:06:51 +02:00
Lorenzo Bianconi
effd6111b8 DFS: Rely on channel_type in dfs_downgrade_bandwidth()
Add the capability to specify all 3 channel type possibilities in
dfs_downgrade_bandwidth(). This is a preliminary change to introduce
radar/CAC background detection support.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-13 18:30:56 +02:00
Nicolas Escande
56a14cc720 DFS: Don't let cac_time_left_seconds overflow
There can be some discrepancy between the theorical dfs cac end (as
computed with the cac duration and cac start) and the actual cac end as
reported by the driver. During that window, the value of remaining time
outputed by the status command on the socket control interface will
display an overflowed, invalid value.
To mitigate this lets compute the remaining time as signed and display
it only when positive, otherwise defaulting it to 0.

Status command shows something like that when polling every seconds:

state=DFS
cac_time_seconds=60
cac_time_left_seconds=1
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=0
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967294
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967293
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967292
...
state=ENABLED
cac_time_seconds=60
cac_time_left_seconds=N/A

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-03-12 10:39:43 +02:00
Jouni Malinen
de64dfe98e DPP: Curve change for netAccessKey
Allow the Configurator to be configured to use a specific curve for the
netAccessKey so that it can request the Enrollee to generate a new key
during the configuration exchange to allow a compatible Connector to be
generated when the network uses a different curve than the protocol keys
used during the authentication exchange.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-09 01:07:59 +02:00
Jouni Malinen
eeb72e7c9a DPP: Extend DPP_PKEX_ADD ver=<1/2> to cover Responder role
Allow PKEX v1-only or v2-only behavior to be specific for the Responder
role. This is mainly for testing purposes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-07 21:37:40 +02:00
Mario Hros
fcbdaae8a5 SAE: Add support for RADIUS passphrase as the SAE password
Allow the first Tunnel-Password RADIUS entry to be used for SAE in
addition to the sae_password entries and wpa_passphrase parameters from
the static configuration file.

Signed-off-by: Mario Hros <git@reversity.org>
2022-03-04 12:25:14 +02:00
Baligh Gasmi
3d86fcee07 cleanup: Remove unreachable code
There is no need for unreachable code in these places, so remove it.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2022-03-04 12:07:46 +02:00
Lorenzo Bianconi
0a73649b64 DFS: Add capability to select radar-only channels
Introduce type parameter to dfs_get_valid_channel() routine to allow
selection of a radar-only channel where the CAC detection has not been
performed yet. This is a preliminary patch to enable background
radar/CAC detection.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-04 01:16:01 +02:00
Lorenzo Bianconi
f39765369a DFS: Introduce dfs_set_valid_channel() utility routine
This is a preliminary change to introduce radar/CAC background detection
support.

Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
2022-03-04 00:22:15 +02:00
Jouni Malinen
dec626109e HE: Fix invalid length checking for HE Capability element
Do not use the first octet of the PPE Thresholds field without
explicitly confirming that that octet was included in the element.
Furthermore, allow the received element to have additional octets in the
end since IEEE Std 802.11ax-2021 defines this to be an extensible
element and new fields could be added to the end of it in the future.

Fixes: 0497e41481 ("HE: Fix HE Capabilities element size")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-03 01:31:39 +02:00
Shiva Sankar Gajula
53be64f7d9 HE: Fix calculation of the PPE Threshold field length
The previously used calculation was not correct for the cases where the
extra padding field was needed. Fix this by properly calculating the
number of full octets in the field.

Fixes: 0497e41481 ("HE: Fix HE Capabilities element size")
Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
2022-03-03 01:31:39 +02:00
Jouni Malinen
738fef2f0b Clear PSK explicitly from memory in couple more cases on deinit
Couple of the WPS/P2P/RADIUS-PSK cases were freeing heap memory
allocations without explicitly clearing the PSK value. Add such clearing
for these to avoid leaving the PSK in memory after it is not needed
anymore.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
567b9764fb Clear PMK explicitly even without FT support in AP build
Unlike the other keys that were cleared here, the PMK is available
without FT support built into hostapd and as such, should be cleared in
all cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
0bd29c1768 Remove duplicated pointer check
The following if statement verifies the exact same thing here.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
1364f322bf Remove GTK/IGTK/BIGTK from memory explicitly in AP mode
Make sure these keys do not remain in memory beyond the time they are
needed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
Jouni Malinen
af1f0694e1 Clear last set keys (for testing purposes) from memory explicitly
This makes it easier to scan process memory for key information that is
not supposed to remain there after the last use.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-26 19:12:11 +02:00
leiwei
46c635910a MACsec: Support GCM-AES-256 cipher suite
Allow macsec_csindex to be configured and select the cipher suite when
the participant acts as a key server.

Signed-off-by: leiwei <quic_leiwei@quicinc.com>
2022-02-16 22:54:49 +02:00
Narasimha Rao PVS
a91072503c OCV: Don't start SA Query timer on CSA when SA Query is offloaded
Check driver support for SA Query offload in AP mode and skip starting
SA Query timer on CSA for OCV enabled STAs when the driver indicates
support for offloading SA Query procedures.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-02-09 20:32:17 +02:00
Jouni Malinen
33cb47cf01 DPP: Fix connection result reporting when using TCP
The TCP code path did not handle the postponed connection attempt on TX
status and the following result message from the Enrollee to the
Configurator. Fix this by adding TCP-versions of these operations to
match the way wpa_supplicant implemented this for the Public Action
frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-28 17:28:49 +02:00
Jouni Malinen
1822bd3789 DPP: Testing capability for invalid Protocol Version in Network Intro
This extends dpp_test functionality to allow DPP Network Introduction
exchanges to use an incorrect value in the Protocol Version attribute.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-27 18:44:07 +02:00
Jouni Malinen
d7be749335 DPP3: PKEX over TCP
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2022-01-26 00:40:09 +02:00
Jouni Malinen
bdcccbc275 DPP: Change PKEX version configuration design
Use a separate ver=<1|2> parameter to DPP_PKEX_ADD instead of
overloading init=1 with version indication. This allows additional
options for forcing v1-only and v2-only in addition to automatic mode
(start with v2 and fall back to v1, if needed).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-25 20:32:48 +02:00
Jouni Malinen
9d3f347a2b DPP3: Add PKEX initiator retries and fallback from v2 to v1 for hostapd
This extends hostapd with the design used in wpa_supplicant for PKEX
initiator retries and automatic version fallback from v2 to v1 (the
latter is enabled only with CONFIG_DPP3=y).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-24 22:58:38 +02:00
Jouni Malinen
3f67ab5871 DPP: Handle TX status events for broadcast DPP messages
Report TX status for DPP messages even if the destination address was
broadcast. This is needed to get appropriate trigger for PKEX retries.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-24 22:58:38 +02:00
Qiwei Cai
f32f99df11 P2P: Send response frame on channel where the request is received
The rx_freq of Public Action frame was not maintained by the GO and the
GO always sent the response on the operating channel. This causes
provision discovery failure when a P2P Device is sending a PD Request on
a 2.4 GHz social channel and the GO is responding on a 5 GHz operating
channel.

Save the rx_freq and use it for GO to sent the response. This extends
commit c5cc7a59ac ("Report offchannel RX frame frequency to hostapd")
to cover additional frame types.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-01-17 20:27:37 +02:00
peterhuang
bc24a8a09e Update supported channel width set (HT40) after channel switch
hostapd should update Supported Channel Width Set of HT Capability
Information field after channel switching done. Otherwise, it would
continue to use the old setting.

Signed-off-by: peterhuang <peterhuang@realtek.com>
2021-12-12 22:53:22 +02:00
peterhuang
ff7e403f06 Fix channel switch wrapper when switching from HT to VHT/HE
Because ieee80211ac and ieee80211ax were not updated before channel
switch is done, hostapd didn't build the Channel Switch Wrapper element
when it switched from HT to bandwidth more than 40 MHz of VHT/HE. fix
this by allowing hostapd_eid_wb_chsw_wrapper() to determine internally
when the element needs to be added based on the new channel instead of
the old configuration.

Signed-off-by: peterhuang <peterhuang@realtek.com>
2021-12-12 22:42:59 +02:00
peterhuang
5606ede121 Update ieee80211ac when channel switching
hostapd will build wrong beacon_after in hostapd_fill_csa_settings() if
it doesn't update ieee80211ac when channel switching.

Signed-off-by: peterhuang <peterhuang@realtek.com>
2021-12-12 22:36:51 +02:00
Daniel Golle
e6db1bc5da mesh: Make forwarding configurable
Allow mesh_fwding (dot11MeshForwarding) to be specified in a mesh BSS
config, pass that to the driver (only nl80211 implemented for now) and
announce forwarding capability accordingly.

Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-12-12 22:31:13 +02:00
Alan Young
5ef9277d0b ACS/DFS: Support min_tx_power configuration
If min_tx_power is specified (default 0 dBm, i.e., no constraint), ACS
and DFS will not consider channels whose available max_tx_power is less
than the configured value.

This may be useful to exclude SRD (Short Range Device) channels which
may be limited to 13.9 dBm (25 mW) in some regulatory domains.

Signed-off-by: Alan Young <consult.awy@gmail.com>
2021-12-12 22:20:18 +02:00
Jouni Malinen
b57273d069 DPP2: PKEXv2 core protocol changes
Add support for PKEXv2 core protocol. This defines a new PKEX Exchange
Request message type with protocol negotiation and different rules for
key derivation with PKEXv2 or newer is used.

This does not change existing behavior for PKEX, i.e., the PKEXv1
variant will still be used by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-07 23:26:29 +02:00
Jouni Malinen
b21b310148 DPP: Testing functionality to omit Protocol Version from Peer Discovery
Allow the dpp_test parameter to be used to request the Protocol Version
attributed to be omitted from the Peer Discovery Request/Response
message.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Jouni Malinen
341e7cd664 DPP3: Verify version match during Network Introduction
Verify that the Protocol Version attribute is used appropriate in Peer
Discovery Request/Response messages in cases where the signed Connector
includes the version information.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Jouni Malinen
f26fd5ee6c DPP3: Use Connector version instead of current version in Peer Discovery
Generate Peer Discovery Request/Response messages using the protected
version from the Connector, if present, instead of the currently
supported protocol version which might be higher than the one that got
included into the signed Connector during provisioning earlier.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2021-12-03 21:24:59 +02:00
Aloka Dixit
b16b88acdb RNR: Do not allow FILS Discovery and unsolicited Probe Response simultaneously
Reduced neighbor report has a field to indicate whether unsolicited
Probe Response transmission is active. Add a check to return failure if
both FILS discovery and unsolicited Probe Response are enabled at the
same time to ensure that RNR includes valid data.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 18:02:02 +02:00
Muna Sinada
15f099ec70 RNR: Allow Probe Response frame for a colocated 6 GHz AP
When a Probe Request frame from a station includes an SSID matching that
of a co-located 6 GHz AP, AP should respond with a Probe Response frame
that includes Reduced Neighbor Report element containing information
regarding the requested BSS.

Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:55:45 +02:00
Aloka Dixit
f17f7ca4e0 RNR: Update Beacon frames for 6 GHz colocation
Update 2.4/5 GHz Beacon frames every time Beacon frames for co-located 6
GHz AP(s) are set. This is required for 6 GHz out-of-band discovery so
that lower band Beacon frames will include RNR element with 6 GHz AP
information irrespective of the AP bring-up order. Similarly, RNR is
included in FILS Discovery frames by default in 6 GHz-only mode,
updating the Beacon frames will remove it when co-located 2.4/5 GHz
interfaces are brought up.

This change also ensures that the changes in 6 GHz AP configuration such
as new channel and bandwidth get reflected in the lower bands Beacon
frames.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:50:02 +02:00
John Crispin
01efcc2929 RNR: Addition in Beacon, Probe Response, and FILS Discovery frames
Add Reduced Neighbor Report element in Beacon, Probe Response, and FILS
Discovery frames.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:44:45 +02:00
John Crispin
0c9457ee23 RNR: Additions for a 6 GHz AP
Include Reduced Neighbor Report element in Beacon and Probe Response
frames by default if the reporting AP is 2.4/5 GHz and it is co-located
with a 6 GHz AP. Similarly, include RNR by default in FILS Discovery
frames if the AP is a standalone 6 GHz AP.

Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 17:33:14 +02:00
John Crispin
b2bbedcb21 RNR: Add co-located BSSes
Calculate the length and include data for the BSSes active on the same
radio as the reporting BSS in the Reduced Neighbor Report element. This
element is included in Beacon and Probe Response frames.

Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Co-developed-by: Muna Sinada <msinada@codeaurora.org>
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 00:21:29 +02:00
John Crispin
a7c152d6b8 RNR: Add data from neighbor database
Include data from the existing neighbor database in the Reduced Neighbor
Report element in Beacon frames if the configuration option 'rnr' is
enabled for the BSS.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-09 00:16:12 +02:00
John Crispin
847f76760a RNR: Add configuration option
Adds configuration option 'rnr' to enable the reduced neighbor report
elements in Beacon and Probe Response frames.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-08 23:57:43 +02:00
John Crispin
1b8eb39757 RNR: Add bss_parameters to the neighbor_db
Add a new field to include BSS Parameter subfield in the neighbor
database as described in IEEE Std 802.11ax-2021, Figure 9-632a (BSS
Parameters subfield format). This field holds information related to
multiple BSSID, access point co-location, and 20 TU probe response
active/inactive state.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-08 23:39:46 +02:00
John Crispin
9d0948ecc9 RNR: Short SSID assignment
Calculate and store short SSID in hostapd_data context during config
load time and in neighbor report.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-11-08 23:34:02 +02:00
David Bauer
979f197165 WNM: Allow specifying dialog token for BSS transition request
Adds the ability to specify the dialog token of a WNM BSS Transition
Management Request frame via the hostapd control interface.

For this, the new 'dialog_token' option can be used with the BSS_TM_REQ
command. It accepts values as an 8 bit unsigned integer. If not
specified, the dialog token is set to 1 like before.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-22 17:11:36 +03:00
Jouni Malinen
5bac420e5e DPP2: Clean up Controller on hostapd interface removal
Stop the DPP Controller instance, if one is started, when the hostapd
interface that was used to start that Controller is removed. This is
needed to remove the control pointers that point to the soon-to-be-freed
hostapd structures. This fixes an issue where a Controller operation
with multiple interfaces could have resulted in references to freed
memory if an interface is removed without explicitly stopping the DPP
Controller.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-19 00:32:02 +03:00
David Bauer
08bdf4f90d proxyarp: Fix compilation with Hotspot 2.0 disabled
The disable_dgaf config field is only available in case hostapd is
compiled with Hotspot 2.0 support (CONFIG_HS20=y), however Proxy-ARP
(CONFIG_PROXYARP=y) does not depend on Hotspot 2.0.

Only add the code related to this config field when Hotspot 2.0 is
enabled to fix compilation with the aformentioned preconditions.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-18 21:24:59 +03:00
Masashi Honma
973f3e244f Fix hostapd segfault on WPS_CONFIG control interface command to non-WPS AP
Execution of "hostapd_cli wps_config" to non-WPS AP causes segmentation
fault in hostapd.

$ hostapd_cli wps_config test WPA2PSK CCMP 12341234

wlp11s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp11s0: interface state COUNTRY_UPDATE->ENABLED
wlp11s0: AP-ENABLED
WPA_TRACE: eloop SIGSEGV - START
[1]: ./git/hostap/hostapd/hostapd(+0x6c196) [0x55b270245196]
     eloop_sigsegv_handler() ../src/utils/eloop.c:123
[2]: /lib/x86_64-linux-gnu/libc.so.6(+0x46210) [0x7f87574a7210]
[3]: ./git/hostap/hostapd/hostapd(hostapd_wps_config_ap+0x1a9) [0x55b2702ce349]
     hostapd_wps_config_ap() ../src/ap/wps_hostapd.c:1970
[4]: ./git/hostap/hostapd/hostapd(+0x90a9f) [0x55b270269a9f]
     hostapd_ctrl_iface_receive_process() ctrl_iface.c:3606
[5]: ./git/hostap/hostapd/hostapd(+0x94069) [0x55b27026d069]
     hostapd_ctrl_iface_receive() ctrl_iface.c:4093
[6]: ./git/hostap/hostapd/hostapd(+0x6c6d3) [0x55b2702456d3]
     eloop_sock_table_dispatch() ../src/utils/eloop.c:606
[7]: ./git/hostap/hostapd/hostapd(eloop_run+0x251) [0x55b2702461c1]
     eloop_sock_table_dispatch() ../src/utils/eloop.c:597
     eloop_run() ../src/utils/eloop.c:1229
[8]: ./git/hostap/hostapd/hostapd(main+0xd53) [0x55b270205773]
     hostapd_global_run() main.c:447
     main() main.c:892
[9]: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7f87574880b3]
[10]: ./git/hostap/hostapd/hostapd(_start+0x2e) [0x55b2702058fe]
     _start() (null):0
WPA_TRACE: eloop SIGSEGV - END
Aborted

Reported-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-10-14 16:37:49 +03:00
Arowa Suliman
77dd712432 Replace "dummy" with "stub" in Authenticator group keys
Replace the word "dummy" with the inclusive word "stub".

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:52:06 +03:00
Arowa Suliman
7b50f2f04c Replace "sanity" with "validity"
Replaced the word "sanity" with the inclusive word "validity". The
comment in acs_survey_interference_factor() was referring a function
that does not exist, so remove it instead of trying rename the function.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-11 20:25:21 +03:00
Hu Wang
41ec97cd09 HE: Use a random BSS Color if not defined in the config file
Commit 0cb39f4fd5 ("HE: Extend BSS color support") sets the BSS Color
default value to 1 as "Interoperability testing showed that stations
will require a BSS color to be set even if the feature is disabled."

A new interop issue was observed with hardcoded BSS color value of 1:
- REF device using one interface (e.g., wlan0) to connect to an HE
  AP, whose BSS color is enabled and value is 1.
- REF device using another interface (e.g., p2p0) to connect to a
  P2P GO using BSS color default settings.
  (i.e., BSS color disabled and value is 1).
- REF device checks both AP's and P2P GO's BSS Color values even though
  GO's BSS color is disabled. This causes collision of the BSS
  color somehow causing RX problems.

For DUT as a P2P GO, its firmware uses default BSS color value 1 from
wpa_supplicant, then triggers a timer (e.g., 120 s) to update its BSS
color values based on its neighboring BSSes. To reduce the likelihood of
BSS color collision with REF device before that, use a random BSS Color
if not defined in the config file.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-28 11:04:08 +03:00
Ben Wang
61c0757618 EDMG: Validate pri channel lookup result before using it
At least in theory, hw_get_channel_freq() could return NULL, so add
error handling for that.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-09-02 18:45:09 +03:00
David Bauer
2341585c34 ACS: Fix channel 100 frequency
Channel 100 is a valid channel to choose for 80 MHz operation. However,
it was converted to 5500 MHz, not 5550 MHz, for the 80 MHz case while
the conversion to other bandwidths was done correctly. In fact, there is
no channel assigned to this frequency 5550 MHz.

Fix this obvious typo to allow ACS to select channel 100 for 80 MHz
operation again.

Fixes: bef5eee4f7 ("Convert channel to frequency based selection for AP mode ACS")
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-08-26 16:10:26 +03:00
Shay Bar
f02ac5140c HE: Option to disable HE ER SU in HE operation in AP mode
Add option to disable 242-tone HE ER SU PPDU reception by the AP
in HE operation IE.

Signed-off-by: Shay Bar <shay.bar@celeno.com>
2021-08-25 12:45:14 +03:00
Gokul Sivakumar
63f043f4fd Generalize the function name as it is not dealing with only TX & RX params
For the function hostapd_get_sta_tx_rx(), the name
hostapd_get_sta_info() is more appropriate as it is also responsible for
getting many other STA specific params like RSSI, inactive milliseconds
along with TX and RX bytes.

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-08-25 12:27:17 +03:00
Gokul Sivakumar
3cdc6d381a mesh: Show peer connected time in the wpa_cli STA cmd output for Mesh mode
When a Mesh interface is managed by wpa_supplicant, include the peer
link connected time (secs) in the output of "sta <addr>", "all_sta"
wpa_cli cmds for each peer. This will be helpful to find when the peer
link connection got established. The NL80211_STA_INFO_CONNECTED_TIME
netlink attribute data is used for this purpose if available.

$ wpa_cli -i mesh0 all_sta
02:00:00:00:02:00
flags=[ASSOC][WMM][HT]
aid=1
capability=0x0
listen_interval=0
supported_rates=82 84 8b 96 8c 12 98 24 b0 48 60 6c
timeout_next=NULLFUNC POLL
rx_packets=77
tx_packets=3
rx_bytes=8510
tx_bytes=284
inactive_msec=104
signal=-30
rx_rate_info=65 mcs 0
tx_rate_info=65 mcs 0
ht_mcs_bitmask=ffff0000000000000000
connected_time=24
ht_caps_info=0x103c

The connected_time field in the output of "hostapd_cli -i ap0 all_sta"
cmd is not affected and it will continue to show the connected time
maintained by hostapd for each STA.

Signed-off-by: Gokul Sivakumar <gokulkumar792@gmail.com>
2021-08-25 12:26:25 +03:00
Masashi Honma
eddcd27534 Fix some compiler warnings on 32 bit platform
../src/ap/ieee802_11.c: In function ‘pasn_wd_handle_sae_commit’:
../src/ap/ieee802_11.c:2401:60: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
                                                          ~~^
                                                          %u
       buf_len);
       ~~~~~~~
../src/ap/ieee802_11.c: In function ‘pasn_wd_handle_sae_confirm’:
../src/ap/ieee802_11.c:2477:60: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   wpa_printf(MSG_DEBUG, "PASN: SAE buffer too short. len=%lu",
                                                          ~~^
                                                          %u
       buf_len);
       ~~~~~~~
../src/ap/ieee802_11.c: In function ‘pasn_wd_handle_fils’:
../src/ap/ieee802_11.c:2707:62: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
   wpa_printf(MSG_DEBUG, "PASN: FILS: Buffer too short. len=%lu",
                                                            ~~^
                                                            %u
       buf_len);
       ~~~~~~~

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-08-25 12:03:02 +03:00
Disha Das
1071f75395 DPP2: Fix channel 6 inclusion for chirping with non-2 GHz interfaces
When the driver provides a list of supported modes, hostapd ended up
adding channel 6 even if the 2.4 GHz mode was not included. This
resulted in incorrect behavior of trying to transmit on a not supported
channel in case of 5 GHz only radios.

Fix this by adding the channel 6 by default only if the driver does not
provide a list of supported modes. Whenever the supported modes are
available, only add this channel if it is explicitly listed as an
enabled channel.

This is similar to an earlier wpa_supplicant change in commit
8e5739c3ac ("DPP2: Check channel 6 validity before adding it to chirp
channel list").

Signed-off-by: Disha Das <dishad@codeaurora.org>
2021-07-29 20:07:52 +03:00
Jia Ding
9557ba336b AP: Don't increment auth_transaction upon SAE authentication failure
IEEE Std 802.11-2016, 12.4.7.6 specifies:

An SAE Commit message with a status code not equal to SUCCESS shall
indicate that a peer rejects a previously sent SAE Commit message.

An SAE Confirm message, with a status code not equal to SUCCESS, shall
indicate that a peer rejects a previously sent SAE Confirm message.

Thus when SAE authentication failure happens, authentication transaction
sequence number should not be incremented.

Signed-off-by: Jia Ding <jiad@codeaurora.org>
2021-07-14 18:18:47 +03:00
Jouni Malinen
84f8947735 PTKSA: Fix a potential hostapd memory leak during reconfiguration
Some of the reconfiguration cases (e.g., with WPS reconfiguration
enabling WPA/WPA2) might end up calling hostapd_setup_wpa() twice
without calling hostapd_deinit_wpa() in the middle. This would have
resulted in a memory leak since the PTKSA cache was being reinitialized
without freeing previous memory allocation.

Fix this by making PTKSA cachine initialization independent of
hapd->wpa_auth so that reinitialization does not happen in a manner that
would have overridden the old hapd->ptksa pointer without freeing the
referenced resources.

Fixes: f2f8e4f458 ("Add PTKSA cache to hostapd")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-06-25 00:20:02 +03:00
Sreeramya Soratkal
311091eb43 P2P: Use SAE+PMF for P2P connection in 6 GHz
Use WPA3-Personal (SAE+PMF) for P2P connections in the 6 GHz band to
enable the Wi-Fi Display use case on the 6 GHz band without having to
use WPA2-Personal (PSK) on that new band.

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-06-14 20:24:37 +03:00
Hu Wang
09fb9b0cb0 DFS offload: Use hostapd_is_dfs_required() to check if DFS required
hostapd_handle_dfs_offload() is the DFS handler for the offloaded case,
in which ieee80211_is_dfs() is used to check if the configured frequency
requires DFS or not.

When the configured channel width is not 20 (e.g., 160),
ieee80211_is_dfs() will not checked adjacent freqs, so it possibly makes
wrong conclusion for whether DFS is required.

hostapd_is_dfs_required() does similar thing with ieee80211_is_dfs()
except it supports checking whether the configured frequency and its
adjacent frequencies require DFS. So hostapd_is_dfs_required() is a more
robust and better option than ieee80211_is_dfs() to check DFS.

The issue is hostapd_is_dfs_required() is for non-offload case due to
the check of the configuration parameter ieee80211h. Add a check for
WPA_DRIVER_FLAGS_DFS_OFFLOAD to make it support the DFS offload case
(i.e., ieee80211h=0) as well.

For example, configuring the AP to start at freq=5240 with channel width
160:
- Existing hostapd checks freq=5240 is non-DFS, hence skip DFS CAC and
  transition to AP-Enabled which volatiles DFS-RADAR detection.

  LOG: "hostapd : hostapd_handle_dfs_offload: freq 5240 MHz does not
        require DFS. Continue channel/AP setup"

- This commit checks freq=5240 and its adjacent freqs are DFS required,
  hence remains in DFS state until DFS CAC completed.

  LOG: "hostapd : hostapd_handle_dfs_offload: freq 5240 MHz requires
        DFS for 4 chans"

Signed-off-by: Hu Wang <huw@codeaurora.org>
2021-06-07 17:42:56 +03:00
Hu Wang
c25b50306e hostapd: Reject 40 MHz channel config if regulatory rules do not allow it
When regulatory rules are configured not to support 40 MHz channels on
the 2.4 GHz band, hostapd_is_usable_chans() still allowed 40 MHz
channels (i.e., 1-9) to be used with ht_capab=[HT40+][HT40-].

Looking into hostapd_is_usable_chans():
1) Validate primary channel using hostapd_is_usable_chan()
2) Try to pick a default secondary channel if hostapd_is_usable_chan()
3) Try to pick a valid secondary channel if both HT40+/HT40- set, and
   further validate primary channel's allowed bandwidth mask.
4) Return channel not usable.

For example, for the 2.4 GHz channel 9 in Japan, its default secondary
channel is 13, which is valid per hostapd_is_usable_chan(), so step (2)
returns channel usable.

Add a more strict check to step (2) to clearly reject 40 MHz channel
configuration if regulatory rules do not allow the 40 MHz bandwidth,
which is similarly done in commit ce6d9ce15b ("hostapd: Add supported
channel bandwidth checking infrastructure").

Signed-off-by: Hu Wang <huw@codeaurora.org>
2021-06-02 00:06:20 +03:00
Mohammad Asaad Akram
20a522b9eb AP: Add user configuration for TWT responder role
Add user configuration he_twt_responder for enabling/disabling TWT
responder role, in addition to checking the driver's capability. The
default configuration is to enable TWT responder role when the driver
supports this.

Signed-off-by: Mohammad Asaad Akram <asadkrm@codeaurora.org>
2021-06-01 00:17:03 +03:00
Veerendranath Jakkam
e2e2655ce8 FILS: Fix PMKID derivation for OKC
FILS authentication derives PMK differently from the EAP cases. The PMK
value does not bind in the MAC addresses of the STAs. As such, the same
PMKID is used with different BSSIDs. Fix both the hostapd and
wpa_supplicant to use the previous PMKID as is for OKC instead of
deriving a new PMKID using an incorrect derivation method when using an
FILS AKM.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-05-21 21:05:41 +03:00
Jouni Malinen
7d2302f878 Add EAPOL-4WAY-HS-COMPLETED indication to AP
This makes it easier for test scripts to track completion of 4-way
handshake from hostapd, e.g., when going through PTK rekeying.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
1c5aa2579d Add EAPOL_TX command to extend ext_eapol_frame_io possibilities
This makes it convenient for an external test script to use
ext_eapol_frame_io=1 to delay and/or modify transmission of EAPOL-Key
msg 1/4 without having to use separate frame injection mechanisms.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
04283cf36b Add REKEY_PTK to allow upper layer request to force PTK rekeying
"REKEY_PTK <STA MAC address>" can now be used to force rekeying of the
PTK for the specified associated STA.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 21:13:56 +03:00
Jouni Malinen
82d8d631ec Skip GTK rekeying request if rekeying already in process
Do not start yet another rekeying of GTK when receiving an EAPOL-Key
request frame at the point when the GTK is already being rekeyed. This
fixes issues where the AP might end up configuring a different GTK than
the one it sends to the associated stations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-05-11 01:03:57 +03:00
Pradeep Kumar Chitrapu
6ae0d78b8e Determine 6 GHz bandwidth in AP mode ACS using op_class parameter
Determine bandwidth from op_class parameter when set in config. When not
configured, use he_oper_chwidth for determining 80 MHz or 160 MHz. When
both are not set, fall back to 20 MHz by default. This helps in removing
the dependency on op_class parameter in 6 GHz ACS.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-05-03 23:24:13 +03:00
Pradeep Kumar Chitrapu
0822de037c Add AP mode ACS support for the 6 GHz band
Add support for the 6 GHz frequencies using 40, 80, and 160 MHz
bandwidths in the AP mode ACS.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-05-03 23:22:25 +03:00
Pradeep Kumar Chitrapu
bef5eee4f7 Convert channel to frequency based selection for AP mode ACS
Convert channel based selection to frequency based selection for AP mode
ACS to accommodate for the 6 GHz band needs.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-05-03 23:19:03 +03:00
Pradeep Kumar Chitrapu
15742566fd 6 GHz: Fix operating class in Supported Operating Classes element
Previously, the secondary channel was set only in presence of HT
capabilities based on HT40+ or HT40-. As HT capabilities and
secondary_channel are not present for the 6 GHz bamd, this causes
incorrect operating class indication in the Supported Operating Classes
element.

Fix this by assigning the secondary channel for bandwidths greater than
20 MHz in the 6 GHz band.

Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
2021-05-03 23:04:55 +03:00
P Praneesh
79e8f0c164 hostapd: Update 160 MHz center freq calculation in 6 GHz
In the 6 GHz Operation Information field, the Channel Center Frequency
Segment 0 field indicates the channel center frequency index for
the 20 MHz, 40 MHz, 80 MHz, or 80+80 MHz channel on which the
BSS operates in the 6 GHz band. If the BSS channel width is 160 MHz
then the Channel Center Frequency Segment 0 field indicates the
channel center frequency index of the primary 80 MHz.

The Channel Center Frequency Segment 1 field indicates the channel
center frequency index of the 160 MHz channel on which the BSS operates
in the 6 GHz band or the channel center frequency of the secondary 80
MHz for the 80+80 MHz channel.

Since Channel Center Frequency Segment 1 was 0 for 160 MHz, 6 GHz STA
associated using 80 MHz. Update seg0 and seg1 fields per standard (IEEE
P802.11ax/D8.0: 9.4.2.249 HE Operation element).

Signed-off-by: P Praneesh <ppranees@codeaurora.org>
2021-05-03 17:35:59 +03:00
Lavanya Suresh
9c6b0a9416 hostapd: Disable VHT/HE when WMM is not enabled
When WMM is disabled, HT/VHT/HE capabilities should not be used for any
STA. If any STA advertises these capabilities, hostapd AP disables HT
capabilities in STA flags during STA assoc, but VHT/HE was not handled
similarly. This could allow a STA to associate in VHT/HE mode even in
WMM disable case.

To avoid this, disable VHT/HE capabilities similarly to HT during STA
association, if WMM is not enabled by the STA.

Signed-off-by: Lavanya Suresh <lavaks@codeaurora.org>
2021-05-03 17:27:22 +03:00
Kani M
1f2fbf41d0 Fix UPDATE_BEACON processing when disabled
The hostapd process crashed when the UPDATE_BEACON control interface
command was issue after the interface was disabled. Check for this case
and return an error if the interface is disabled.

Signed-off-by: Kani M <kanisumi@codeaurora.org>
2021-04-21 23:23:54 +03:00
Disha Das
80d9756956 DPP2: Get DPP Relay Controller context based on hostapd callback context
Get the DPP Relay Controller context from the list of configured
Controllers based on the correct hostapd callback context. This is
needed to pick the correct hostapd interface for sending out the
response over air, e.g., when the same hostapd process controls a 2.4
GHz only and a 5 GHz only interface.

Signed-off-by: Disha Das <dishad@codeaurora.org>
2021-04-21 23:06:00 +03:00
Jouni Malinen
d675d3b15b Add helper functions for parsing RSNXE capabilities
Simplify the implementation by using shared functions for parsing the
capabilities instead of using various similar but not exactly identical
checks throughout the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-04-10 12:43:38 +03:00
Jouni Malinen
663e190b72 SAE: Remove now unused password identifier argument from non-H2E case
IEEE Std 802.11-2020 mandates H2E to be used whenever an SAE password
identifier is used. While this was already covered in the
implementation, the sae_prepare_commit() function still included an
argument for specifying the password identifier since that was used in
an old test vector. Now that that test vector has been updated, there is
no more need for this argument anymore. Simplify the older non-H2E case
to not pass through a pointer to the (not really used) password
identifier.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-04-10 12:12:54 +03:00
Ilan Peer
79f87f4734 PASN: Change PASN flows to use SAE H2E only
Do so for both wpa_supplicant and hostapd. While this was not explicitly
required in IEEE P802.11az/D3.0, likely direction for the draft is to
start requiring use of H2E for all cases where SAE is used with PASN.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 12:12:22 +03:00
Ilan Peer
8c786e0687 PASN: Derive KDK only when required
When a PTK derivation is done as part of PASN authentication flow, a KDK
derivation should be done if and only if the higher layer protocol is
supported by both parties.

Fix the code accordingly, so KDK would be derived if and only if both
sides support Secure LTF.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-04-10 11:55:55 +03:00
Lavanya Suresh
e72e322539 hostapd: Enable WMM automatically when HE is configured
If WMM is not set explicitly in the configuration, it can be set based
on HT/HE config. As HE can be used without HT/VHT (which was introduced
as a special behavior for the 6 GHz band), add a similar automatic
enabling of WMM for HE without HT.

Signed-off-by: Lavanya Suresh <lavaks@codeaurora.org>
2021-03-26 00:21:18 +02:00
Jouni Malinen
4a841a218b Fix WNM-Sleep Mode exit debug print of BIGTK
Previous debug print used IGTK instead of BIGTK, so fix that to use the
correct key. Actual generation of the BIGTK subelement itself was using
the correct key, though, so this is only needed to fix the debug print.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-26 00:21:18 +02:00
Jouni Malinen
b8673baeab Add REGISTER_FRAME hostapd control interface command for testing purposes
This can be used to register reception of new types of Management frames
through nl80211.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-23 00:42:06 +02:00
Jouni Malinen
60974eb3f6 Allow AP mode extended capabilities to be overridden
The new hostapd configuration parameters ext_capa_mask and ext_capa can
now be used to mask out or add extended capability bits. While this is
not without CONFIG_TESTING_OPTIONS, the main use case for this is for
testing purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-22 11:58:21 +02:00
Jouni Malinen
8ca09293ea Simplify extended capability determination in AP mode
There is no need to determine the exact length of the element before
filling in the octets since this function is already capable of
truncated the fields based on what the actual values are.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-22 11:12:39 +02:00
Ilan Peer
ab623ac750 PASN: Add support for comeback flow in AP mode
Reuse the SAE anti-clogging token implementation to support similar
design with the PASN comeback cookie.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-21 18:01:27 +02:00
Jouni Malinen
4ed10754e8 DPP: Fix GAS client error case handling in hostapd
The GAS client processing of the response callback for DPP did not
properly check for GAS query success. This could result in trying to
check the Advertisement Protocol information in failure cases where that
information is not available and that would have resulted in
dereferencing a NULL pointer. Fix this by checking the GAS query result
before processing with processing of the response.

This is similar to the earlier wpa_supplicant fix in commit 931f7ff656
("DPP: Fix GAS client error case handling").

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-21 11:47:39 +02:00
Jouni Malinen
512d973cc2 DPP: Indicate authentication success on ConfReqRX if needed (hostapd)
It is possible to receive the Configuration Request frame before having
seen TX status for the Authentication Confirm. In that sequence, the
DPP-AUTH-SUCCESS event would not be indicated before processing the
configuration step and that could confuse upper layers that follow the
details of the DPP exchange. As a workaround, indicate DPP-AUTH-SUCCESS
when receiving the Configuration Request since the Enrollee/Responser
has clearly receive the Authentication Confirm even if the TX status for
it has not been received.

This was already done in wpa_supplicant in commit 422e73d623 ("DPP:
Indicate authentication success on ConfReqRX if needed") and matching
changes are now added to hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-20 16:09:19 +02:00
Jouni Malinen
6bbbd9729f DPP2: Fix connection status result wait in hostapd
The waiting_conn_status_result flag was not set which made hostapd
discard the Connection Status Result. Fix this to match the
wpa_supplicant implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-20 12:17:58 +02:00
Jouni Malinen
c0c74f0c6b Testing functionality for airtime policy
Add a new testing parameter to allow airtime policy implementation to be
tested for more coverage even without kernel driver support.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-20 12:03:01 +02:00
Ilan Peer
1ca1c3cfee AP: Handle deauthentication frame from PASN station
When a Deauthentication frame is received, clear the corresponding PTKSA
cache entry for the given station, to invalidate previous PTK
information.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 22:41:02 +02:00
Ilan Peer
166e357e63 AP: Enable anti clogging handling code in PASN builds without SAE
The anti-clogging code was under CONFIG_SAE. Change this so it can be
used both with CONFIG_SAE and CONFIG_PASN.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 17:58:10 +02:00
Ilan Peer
6fe0d56e88 AP: Rename SAE anti clogging variables and functions
PASN authentication mandates support for comeback flow, which
among others can be used for anti-clogging purposes.

As the SAE support for anti clogging can also be used for PASN,
start modifying the source code so the anti clogging support
can be used for both SAE and PASN.

As a start, rename some variables/functions etc. so that they would not
be SAE specific. The configuration variable is also renamed, but the old
version remains available for backwards compatibility.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 17:44:24 +02:00
Ilan Peer
b866786338 PASN: For testing purposes allow to corrupt MIC
For testing purposes, add support for corrupting the MIC in PASN
Authentication frames for both wpa_supplicant and hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 17:19:12 +02:00
Ilan Peer
2efa60344e PASN: Encode the public key properly
When a public key is included in the PASN Parameters element, it should
be encoded using the RFC 5480 conventions, and thus the first octet of
the Ephemeral Public Key field should indicate whether the public key is
compressed and the actual key part starts from the second octet.

Fix the implementation to properly adhere to the convention
requirements for both wpa_supplicant and hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 12:31:31 +02:00
Ilan Peer
cd0813763a PASN: Include PMKID in RSNE in PASN response from AP
As defined in IEEE P802.11az/D3.0, 12.12.3.2 for the second PASN frame.
This was previously covered only for the case when the explicit PMKSA
was provided to the helper function. Extend that to cover the PMKID from
SAE/FILS authentication cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 11:45:12 +02:00
Ilan Peer
da3ac98099 PASN: Fix setting frame and data lengths in AP mode PASN response
Frame length and data length can exceed 256 so need to use size_t
instead of u8.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-03-16 11:38:51 +02:00
Jouni Malinen
17d85158cf Fix hostapd PMKSA_ADD with Authenticator disabled
This function can get called with hapd->wpa_auth == NULL from the
control interface handler, so explicitly check for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:33:30 +02:00
Jouni Malinen
147d6d3727 Update VHT capabilities info on channel switch event
This is needed to be able to move from 80 MHz or lower bandwidth to 160
or 80+80 MHz bandwidth (and back) properly without leaving the Beacon
frame VHT elements showing incorrect information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 01:35:25 +02:00
Jouni Malinen
7c5442e744 DPP: Clear hapd->gas pointer on deinit
While it does not look like the stale pointer could have been
dereferenced in practice, it is better not to leave the stale pointer to
freed memory in place to avoid accidental uses.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-06 11:56:00 +02:00
Jouni Malinen
076e0abddb SQLite: Fix temporary eap_user data freeing on interface restart
hapd->tmp_eap_user needs to be cleared on interface deinit to avoid
leaving stale pointers to freed memory.

Fixes: ee431d77a5 ("Add preliminary support for using SQLite for eap_user database")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-06 11:44:38 +02:00
Michael Braun
2da3105ac1 Fix use after free with hapd->time_adv on interface restart
When an interface is disabled, e.g. due to radar detected,
hapd->time_adv is freed by hostapd_free_hapd_data(), but later
used by ieee802_11_build_ap_params() calling hostapd_eid_time_adv().

Thus hapd->time_adv needs to be cleared as well.

Fixes: 39b97072b2 ("Add support for Time Advertisement")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2021-03-06 11:37:26 +02:00
Jouni Malinen
57fec19dab Use more consistent iface->conf checks
Commit f1df4fbfc7 ("mesh: Use setup completion callback to complete
mesh join") added a check for iface->conf being NULL into a debug print.
However, it is not clear how that could be NULL here. In any case,
setup_interface() could end up dereferencing iface->conf in the call to
hostapd_validate_bssid_configuration(), so better be consistent with the
checks and not get warnings from static analyzers regardless of whether
this can happen in practice.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:51:16 +02:00
Jouni Malinen
b8211e1e75 PASN: Avoid unreachable code with CONFIG_NO_RADIUS
There is no point in trying to build in rest of this function if in the
middle of it the CONFIG_NO_RADIUS case would unconditionally fail.
Simply make all of this be conditional on that build parameter not being
set to make things easier for static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:37:47 +02:00
Jouni Malinen
9a1136b7f1 FILS: Fix RSN info in FD frame for no-group-addressed
The value from the initial RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED check
ended up getting overridden with the following if. This was supposed to
be a single if statement to avoid that.

Fixes: 9c02a0f5a6 ("FILS: Add generation of FILS Discovery frame template")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:27:42 +02:00
Jouni Malinen
a826ff2d95 Ignore group-addressed SA Query frames
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:00 +02:00
Ben Greear
827b43b3ca RADIUS client: Support SO_BINDTODEVICE
Allow the RADIUS client socket to be bound to a specific netdev. This
helps hostapd work better in VRF and other fancy network environments.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
2021-02-27 10:51:15 +02:00
Sunil Dutt
3a05f89edc Android: Add DRIVER command support on hostapd and hostapd_cli
Add DRIVER command support on hostapd and hostapd_cli on Android
similarly to the way this previously enabled in wpa_supplicant and
wpa_cli.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-26 20:22:41 +02:00
Jouni Malinen
dc72854fe2 Fix handle_auth_cb() message length check regression
Reordering of code in handle_auth_cb() when adding support for full
station state messaged up frame length checks. The length was originally
tested before looking at the payload of the frame and that is obviously
the correct location for that check. The location after those full state
state changes was after having read six octets of the payload which did
not help at all since there was no addition accesses to the payload
after that check.

Move the payload length check to appropriate place to get this extra
level of protection behaving in the expected manner. Since this is a TX
status callback handler, the frame payload is from a locally generated
Authentication frame and as such, it will be long enough to include
these fields in production use cases. Anyway, better keep this check in
working condition.

Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:30:09 +02:00
Ilan Peer
6c7b0a9657 PASN: Correctly set RSNXE bits from AP
The capability bit index should not be shifted here as the shifting is
handled later below when building the RSNXE octets.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:26:21 +02:00
Veerendranath Jakkam
6f92f81dac AP: Check driver's capability to enable OCV when driver SME is used
When the driver SME is used, offloaded handshakes which need Operating
Channel Validation (OCV) such as SA Query procedure, etc. would fail if
hostapd enables OCV based on configuration but the driver doesn't
support OCV. To avoid this when driver SME is used, enable OCV from
hostapd only when the driver indicates support for OCV.

This commit also adds a capability flag to indicate whether driver SME
is used in AP mode.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Veerendranath Jakkam
d36d4209fd Enable beacon protection only when driver indicates support
Enabling beacon protection will cause STA connection/AP setup failures
if the driver doesn't support beacon protection. To avoid this, check
the driver capability before enabling beacon protection.

This commit also adds a capability flag to indicate beacon protection
support in client mode only.

Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
2021-02-16 00:47:43 +02:00
Jouni Malinen
b1c23d3f25 HE: Fall back to 20 MHz on 2.4 GHz if 40 MHz is not supported
At least the ACS case of an attempt to pick a 40 MHz channel on the 2.4
GHz band could fail if HE was enabled and the driver did not include
support for 40 MHz channel bandwidth on the 2.4 GHz band in HE
capabilities. This resulted in "40 MHz channel width is not supported in
2.4 GHz" message when trying to configure the channel and failure to
start the AP.

Avoid this by automatically falling back to using 20 MHz bandwidth as
part of channel parameter determination at the end of the ACS procedure.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-15 18:27:10 +02:00
Aloka Dixit
f1c6c9d3eb ACS: Allow downgrading to 20 MHz based on OBSS results
When auto channel selection (ACS) is used for HE 40 MHz in the 2.4 GHz
band, AP sets center frequency after finding a 40 MHz channel and then
runs a scan for overlapping BSSes in neighboring channels. Upon OBSS
detection, AP should downgrade to 20 MHz bandwidth.

This was broken because allowed_ht40_channel_pair() returns true in this
case and the steps to reset center frequency are not executed causing
failure to bring interface up.

Fix the condition to allow rollback to 20 MHz.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-15 18:16:33 +02:00
Aloka Dixit
024b4b2a29 AP: Unsolicited broadcast Probe Response configuration
Add hostapd configuration options for unsolicited broadcast
Probe Response transmission for in-band discovery in 6 GHz.
Maximum allowed packet interval is 20 TUs (IEEE P802.11ax/D8.0
26.17.2.3.2, AP behavior for fast passive scanning).
Setting value to 0 disables the transmission.

Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
2021-02-14 23:04:26 +02:00