p2p_get_pref_freq() went through the full list only if the channels
arguments was provided. If no channel list contraint was in place, the
first pref_chan item was picked regardless of whether it is valid
channel and as such, a later valid entry could have been ignored. Allow
this to loop through all the entries until a valid channel is found or
the end of the pref_chan list is reached. As an extra bonus, this
simplifies the p2p_get_pref_freq() implementation quite a bit.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Before starting a 20/40 MHz BSS on the 2.4 GHz band, a 40-MHz-capable HT
AP is required by the rules defined in IEEE Std 802.11-2012 10.15.5 to
examine the channels of the current operational regulatory domain to
determine whether the operation of a 20/40 MHz BSS might unfairly
interfere with the operation of existing 20 MHz BSSs. The AP (or some of
its associated HT STAs) is required to scan all of the channels of the
current regulatory domain in order to ascertain the operating channels
of any existing 20 MHz BSSs and 20/40 MHz BSSs. (IEEE 802.11-2012 S.5.2
Establishing a 20/40 MHz BSS).
Add the check for an overlapping 20 MHz BSS to the initial AP scan for
the P == OT_i case in 10.15.3.2.
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
scard_gsm_auth() used SIM_CMD_GET_RESPONSE for both SIM and USIM. Convert
the command into USIM_CMD_GET_RESPONSE for USIM.
Since commit eb32460029 ("Fix switching from EAP-SIM to EAP-AKA/AKA'")
EAP-SIM is using the USIM if available. This triggers a probably ancient
bug in scard_gsm_auth(), which results in sending the wrong get response
command to the USIM. Thus, EAP-SIM stopped to work after this change on
USIMs that expect the proper command.
Signed-off-by: Simon Baatz <gmbnomis@gmail.com>
If WPS isn't enabled, hostapd_cli returns 'OK' even though WPS doesn't
get activated because WPS context is not valid:
$ hostapd_cli wps_pbc
Selected interface 'wlan0'
OK
$ hostapd_cli wps_cancel
Selected interface 'wlan0'
OK
Fix this by returning appropriate error when WPS fails to activate:
$ hostapd_cli wps_pbc
Selected interface 'wlan0'
FAIL
$ hostapd_cli wps_cancel
Selected interface 'wlan0'
FAIL
Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
CC: Luka Perkov <luka.perkov@sartura.hr>
Peer should handle a GO Negotiation exchange correctly when the
responding device does not have WSC credentials available at the
time of receiving the GO Negotiation Request. WSC Credentials
(e.g., Pushbutton) can be entered within the 120 second timeout.
Presently, if concurrent session is not active, the peer would wait for
GO Negotiation Request frame from the other device for approximately one
minute due to the earlier optimization change in commit
a2d6365760. To meet the two minute
requirement, replace this design based on number of iterations with a
more appropriate wait for the required number of seconds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend the previous commit 0f1034e388 to
skip extended listen also based on ongoing provision discovery operation
(which does not show up as a separate P2P module state and as such, was
not coveraged by the previous commit).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
bss->freq was not updated for IBSS, so whatever old value was stored
from a previous AP mode operation could end up having been used as the
channel when trying to send Authentication frames in an RSN IBSS. This
resulted in the frame not sent (cfg80211 rejects it) and potentially not
being able to re-establish connection due to 4-way handshake failing
with replay counter mismatches. Fix this by learning the operating
channel of the IBSS both when join event is received and when a
management frame is being transmitted since the IBSS may have changed
channels due to merges.
Signed-off-by: Jouni Malinen <j@w1.fi>
RFC 5106 is not exactly clear on the requirements for the "no data"
packet that is used to acknowledge a fragmented message. Allow it to be
processed without the integrity checksum data field since it is possible
to interpret the RFC as this not being included. This fixes reassembly
of fragmented frames after keys have been derived.
Signed-off-by: Jouni Malinen <j@w1.fi>
If invalid group was negotiated, compute_password_element() left some of
the data->grp pointer uninitialized and this could result in
segmentation fault when deinitializing the EAP method. Fix this by
explicitly clearing all the pointer with eap_zalloc(). In addition,
speed up EAP failure reporting in this type of error case by indicating
that the EAP method execution cannot continue anymore on the peer side
instead of waiting for a timeout.
Signed-off-by: Jouni Malinen <j@w1.fi>
The extra data (nonce_s) used in this message was pointing to the
parsed, decrypted data and that buffer was previously freed just before
building the new message. This resulted in use of freed data and
possibly incorrect extra data value that caused the authentication
attempt to fail. Fix this by reordering the code to free the decrypted
data only after the new message has been generated. This was already the
case for EAP-AKA/AKA', but somehow missing from EAP-SIM.
Signed-off-by: Jouni Malinen <j@w1.fi>
The current position pointer was not updated when issuerUniqueID or
subjectUniqueID were present. This could result in extensions being
ignored.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not perform extended listen period operations when either a P2P
connection is in progress. This makes the connection more robust should
an extended listen timer trigger during such an operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Propagate max associated STAs in AP mode advertised by the driver to
core wpa_supplicant implemantion. This allows wpa_supplicant to update
the P2P GO group limit information automatically without having to
configure this limit manually. The information (if available) is also
used in the generic AP implementation to control maximum number of STA
entries.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a new wowlan_triggers option to wpa_supplicant.conf. The triggers in
this key will be used to configure the kernel wowlan configuration.
For now, support only simple flags. More complex triggers can be added
later on.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Disabling the link only clears the local state. The remote peer will
still think we are connected and disallow the setup.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
When de-authenticating from the AP, disable each TDLS link after
sending the teardown packet. Postpone the reset of the peer state
data until after the link disable request.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Indicate to cfg80211 that interfaces created by the wpa_supplicant
or hostapd are owned by them, and that in case that the socket that
created them closes, these interfaces should be removed.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Got segfault, when freeing drv and there exists registered timeout for
blocked rfkill. This patch adds cancel timeout to avoid this.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
Commit 96ecea5eb1 did not consider
to pass the VHT/HT/WMM capabilities of the peer for BSS with
open mode.
Address this issue by passing the capabilities irrespective of
the security mode.
Signed-off-by: Pradeep Reddy POTTETI <c_ppotte@qti.qualcomm.com>
If a driver wrapper misbehaves and does not indicate a frame body in the
event, core hostapd code should handle this consistently since that case
was already checked for in one location.
Signed-off-by: Jouni Malinen <j@w1.fi>
sta == NULL check is already done above based on category !=
WLAN_ACTION_PUBLIC, but that seems to be too complex for some static
analyzers, so avoid invalid reports by explicitly checking for this
again in the WLAN_ACTION_FT case.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous check for dl_list_len() or having an entry from the list is
sufficient, but some static analyzers cannot figure out that
dl_list_first() and dl_list_last() will return non-NULL in this type of
cases. Avoid invalid reports by explicitly checking for NULL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Checking sm->pmksa is sufficient here, but that seems to be too
difficult for static analyzers to follow, so avoid false reports by
explicitly checking pmkid as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
clang scan-build does not seem to like the 'd' suffix on floating
constants and ends up reporting analyzer failures. Since this suffix
does not seem to be needed, get rid of it to clear such warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
p2p_freq_to_channel() could return an error if the GO or P2P Client
operating channel is not valid. Check for this before generating the NFC
handover message.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is not of any real use anymore with nl80211_set_channel() taking
care of channel setting operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Configure driver with the new channel parameters (mainly, HT 20/40 MHz
bandwidth changes) as part of set_ap().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes the initial OBSS scans in AP mode before starting 40 MHz BSS
more robust. In addition, HT20 can be used as a backup option if none of
the scans succeed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a 2.4 GHz band AP receives a 20/40 Coexistence management frame from
a connected station with 20/40 BSS Intolerant Channel Report element
containing the channel list in which any legacy AP are detected or AP
with 40 MHz intolerant bit set in HT Cap IE is detected in the affected
range of the BSS, the BSS will be moved from 40 to 20 MHz channel width.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Extend the minimal HT 20/40 co-ex support to include dynamic changes
during the lifetime of the BSS. If any STA connects to a 2.4 GHz AP with
40 MHz intolerant bit set then the AP will switch to 20 MHz operating
mode.
If for a period of time specified by OBSS delay factor and OBSS scan
interval AP does not have any information about 40 MHz intolerant STAs,
the BSS is switched from HT20 to HT40 mode.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This provides information to allow the driver to be configured for
updated channel parameters, e.g., when dynamically changing HT20/HT40
bandwidth.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like the demangle.h from binutils-dev is not installed that
commonly anymore. Since we need only two defines from that file, replace
the header file with those defines to make it easier to build with
WPA_TRACE_BFD=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some trailing whitespace and spaces for indentation were present in the
driver wrapper and header files.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Move the definitions that depended in common.h into a separate header
file so that qca-vendor.h can be copied and used as-is in other
projects.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allocates a QCA vendor subcmd for extended statistics
functionality and also an attribute for delivering the payload
for extended statistics.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These functions are not standard and do not exist in all systems, e.g.,
variants of Android. Instead use the macros defined in common.h.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
With hidden SSID (ignore_broadcast_ssid), an IOS device trying to
connect to the AP will send a probe request with ANT == 2. If
interworking support is just compiled (not enabled), we will drop the
probe request since default ANT is 0.
Check that interworking is enabled before filtering based on ANT or
HESSID to match the behavior of code without CONFIG_INTERWORKING.
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
This allows the specific SIM to be identified for authentication
purposes in multi-SIM devices. This SIM number represents the index of
the SIM slot. This SIM number shall be used for the authentication using
the respective SIM for the Wi-Fi connection to the corresponding
network.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Sometimes function hostapd_is_dfs_required() returns -1 which indicates
that it was not possible to check if DFS was required. This happens for
channels from the 2.4 GHz band where DFS checking should not happen.
This can be fixed by returning DFS-not-required for mode different from
IEEE80211A and when DFS support is not available (ieee80211h not set).
Signed-off-by: Marek Puzyniak <marek.puzyniak@tieto.com>
Some of the buffers used to keep a copy of PTK/TPTK/GTK in the
supplicant implementation maintained a copy of the keys longer than
necessary. Clear these buffers to zero when the key is not needed
anymore to minimize the amount of time key material is kept in memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
The sample code here ended up trying to register an eloop socket with fd
== -1. This was not really ever supposed to be used, but it is now also
hitting an assert in eloop. Skip the unnecessary
eloop_register_read_sock() to avoid this.
This was causing issues for hostapd since CONFIG_L2_PACKET is not set by
default. If CONFIG_RSN_PREAUTH=y was not used for CONFIG_L2_PACKET was
not set in .config explicitly, the defaul use of l2_packet_none.c ended
up hitting the newly added assert() in eloop.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rather than ignoring packets with a minimal 8-byte radiotap
header, which may occur elsewhere, tag generated (decrypted)
packets with an empty vendor namespace tag and ignore those.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Update the radiotap parser to the latest version of the
http://git.sipsolutions.net/radiotap.git/ library to get
parsing for vendor namespaces.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This was already done for the disconnect event, but
SME-in-wpa_supplicant case needs to do same with the deauth event to
avoid getting extra events during WPS disconnect-and-reconnect sequence.
This can speed up WPS processing by removing unnecessary failures or
retries due to the extra event being processed during the next
association attempt.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows external programs to monitor driver signal change events
through wpa_supplicant when bgscan is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The first combination may allow single-channel concurrency for
P2P + managed, but there may be others that allow multi-channel
concurrency. Parse all of them to find the maximum number of channels.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
wpa_supplicant now retries for P2P_GO_NEG_CNF_MAX_RETRY_COUNT times if
it doesn't receive acknowledgement for GO Negotiation Confirmation
frame. Currently, P2P_GO_NEG_CNF_MAX_RETRY_COUNT is set to 1.
While this is not strictly speaking following the P2P specification,
this can improve robustness of GO Negotiation in environments with
interference and also with peer devices that do not behave properly
(e.g., by not remaining awake on the negotiation channel through the
full GO Negotiation).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
NL80211_CMD_LEAVE_IBSS was used only with wpa_supplicant-based SME.
Extend this to drivers that implement SME internally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some OpenSSL versions have vulnerability in TLS heartbeat request
processing. Check the processed message to determine if the attack has
been used and if so, do not send the response to the peer. This does not
prevent the buffer read overflow within OpenSSL, but this prevents the
attacker from receiving the information.
This change is an additional layer of protection if some yet to be
identified paths were to expose this OpenSSL vulnerability. However, the
way OpenSSL is used for EAP-TLS/TTLS/PEAP/FAST in hostapd/wpa_supplicant
was already rejecting the messages before the response goes out and as
such, this additional change is unlikely to be needed to avoid the
issue.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Only the Neighbor Report element should be included here, so verify that
the element id matches. In addition, verify that each subelement has
valid length before using the data.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes the definitions match the terminology used in IEEE Std
802.11-2012 and makes it easier to understand how the HT Operation
element subfields are used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
QCA vendor extension is used for NAN functionality. This defines the
subcommand and attribute to address this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Now that WPS 2.0 support is enabled unconditionally, WEP and Shared auth
type are not allowed. This made some of the older code unused and that
can now be removed to clean up the implementation. There is still one
place where WEP is allowed for testing purposes: wpa_supplicant as
Registrar trying to configure an AP to use WEP. That is now only allowed
in CONFIG_TESTING_OPTIONS=y builds, though.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is somewhat of a corner case since there is no real point in using
so short a fragmentation threshold that it would result in this message
getting fragmented. Anyway, it is better be complete and support this
case as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
If fragmentation is used, the temporary inbuf/outbuf could have been
leaked in error cases (e.g., reaching maximum number of roundtrips).
Signed-off-by: Jouni Malinen <j@w1.fi>
"SET tdls_testing 0x800" can be used to enable a special test mode that
forces the FTIE MIC in TDLS setup messages to be incorrect.
Signed-off-by: Jouni Malinen <j@w1.fi>
Following events are now sent to ctrl_iface monitors to indicate if
credential blocks have been added, modified, or removed:
CRED-ADDED <id>
CRED-MODIFIED <id> <field>
CRED-REMOVE <id>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant and wpa_cli had already moved to allowing up to 4096 byte
buffer size to be used for control interface commands. This was limited
by the line edit buffer in interactive mode. Increase that limit to
match the other buffers to avoid artificially truncating long commands.
Signed-off-by: Jouni Malinen <j@w1.fi>
"user" MACACL "password" style lines in the eap_user file can now be
used to configured user entries for RADIUS-based MAC ACL.
Signed-off-by: Jouni Malinen <j@w1.fi>
p2p_dev_addr was not NULL, so the all zeros case was printed as well.
Clean this up by printing p2p_dev_addr in debug prints only if it is a
real P2P Device Address.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support of vendor command to hostapd ctrl_iface.
Vendor command's format:
VENDOR <vendor id> <sub command id> [<hex formatted data>]
The 3rd argument will be converted to binary data and then passed as
argument to the sub command.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When primary and secondary channel were switched and config was
reloaded, secondary channel was incorrectly overwritten.
Proceed as for other settings that should not be changed and don't
allow to overwrite.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
While framing the TDLS Setup Confirmation frame, the driver needs to
know if the TDLS peer is VHT/HT/WMM capable and thus shall construct the
VHT/HT operation / WMM parameter elements accordingly. Supplicant
determines if the TDLS peer is VHT/HT/WMM capable based on the presence
of the respective IEs in the received TDLS Setup Response frame.
The host driver should not need to parse the received TDLS Response
frame and thus, should be able to rely on the supplicant to indicate
the capability of the peer through additional flags while transmitting
the TDLS Setup Confirmation frame through tdls_mgmt operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When hostapd choose to reuse an existing interface, it does not add it
to the set of interfaces from which we accept EAPOL packets.
Make sure we always add it to that set.
Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
This allows drivers that build the WPA/RSN IEs internally to use similar
design for building the OSEN IE.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is not much point in building devices with WPS 1.0 only supported
nowadays. As such, there is not sufficient justification for maintaining
extra complexity for the CONFIG_WPS2 build option either. Remove this by
enabling WSC 2.0 support unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Scan for GO on the negotiated operating channel for few iterations
before searching on all the supported channels during persistent group
reinvocation. In addition, use the already known SSID of the group in
the scans. These optimizations reduce group formation time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Especially when multiple BSSes are used with ACS, number of the error
paths were not cleaning up driver initialization properly. This could
result in using freed memory and crashing the process if ACS failed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the PMK-R1 needs to be pulled for the R0KH, the previous
implementation ended up rejecting the over-the-air authentication and
over-the-DS action frame unnecessarily while waiting for the RRB
response. Improve this by postponing the Authentication/Action frame
response until the pull response is received.
Signed-off-by: Jouni Malinen <j@w1.fi>
This moves some of the p2p_prepare_channel_best() functionality into
separate helper functions to make the implementation easier to read.
Signed-off-by: Jouni Malinen <j@w1.fi>