Commit graph

8144 commits

Author SHA1 Message Date
Swarn Singh
cd2f8151ee Add support to return bandwidth for channel 2 of the 6 GHz band
The 6 GHz band operating class 136 is defined to use 20 MHz bandwidth.
Return the value accordingly from center_idx_to_bw_6ghz() to cover this
special case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-12 00:12:16 +02:00
Mohammad Asaad Akram
6b4e32da89 New vendor attribute to configure TWT mantissa in microseconds
Define the following additional TWT attribute for
qca_wlan_vendor_attr_twt_setup:
QCA_WLAN_VENDOR_ATTR_TWT_SETUP_WAKE_INTVL2_MANTISSA to configure the
mantissa in microseconds.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-12 00:10:13 +02:00
Ben Greear
7fd2f24962 TWT: Support sending TWT Setup and Teardown Action frames
This adds new control interface commands TWT_SETUP and TWT_TEARDOWN. For
now, these are only for testing purposes to be able to trigger
transmission of the TWT Action frames without configuring any local
behavior for TWT in the driver.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-07 22:07:37 +02:00
Jouni Malinen
edbaffc4f6 wpabuf: Add helper functions for writing 64-bit integers
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 21:31:41 +02:00
Jouni Malinen
17d85158cf Fix hostapd PMKSA_ADD with Authenticator disabled
This function can get called with hapd->wpa_auth == NULL from the
control interface handler, so explicitly check for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:33:30 +02:00
Jouni Malinen
147d6d3727 Update VHT capabilities info on channel switch event
This is needed to be able to move from 80 MHz or lower bandwidth to 160
or 80+80 MHz bandwidth (and back) properly without leaving the Beacon
frame VHT elements showing incorrect information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 01:35:25 +02:00
Jouni Malinen
dc587c479c nl80211: Determine secondary channel offset for CS to 80+80 MHz
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 01:21:12 +02:00
Jouni Malinen
0a8095d729 nl80211: Debug print for channel switch request parameters
These can be helpful for debugging channel switch issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 01:11:18 +02:00
Jouni Malinen
a20ace3a1e nl80211: Add command-to-string mapping for previously missed commands
In addition, make the compiler warn if a new enum value is added without
defining the matching mapping to a string.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 01:06:00 +02:00
Jouni Malinen
0f37b8142b More specific set_freq_params debug prints for 80/80+80 MHz errors
It is more convenient to see the exact error in the debug log instead of
getting noted that something was invalid.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 00:54:36 +02:00
Avraham Stern
ab89291928 nl80211: Use process_bss_event() for the nl_connect handler
The nl_connect is initialized with the process_bss_event() handler.
However, it is used several times with the default valid handler. As a
result, if a message that is only valid for process_bss_event() is
received while the default handler is used, it will be dropped.

This has been observed in a case where during the 4-way handshake, a
Beacon frame is received on the AP side, which triggers a beacon update,
just before receiving the next EAPOL. When send_and_recv_msgs_owner() is
called for sending the NL80211_CMD_SET_BEACON command, the
NL80211_CMD_CONTROL_PORT_FRAME event is already pending. As a result, it
is received with the default handler, which drops it. Since the EAPOL
frame is dropped, the connection attempt fails.

Fix it by using the process_bss_event() handler when the nl_connect
handler is used.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2021-03-06 13:36:20 +02:00
Jouni Malinen
7c5442e744 DPP: Clear hapd->gas pointer on deinit
While it does not look like the stale pointer could have been
dereferenced in practice, it is better not to leave the stale pointer to
freed memory in place to avoid accidental uses.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-06 11:56:00 +02:00
Jouni Malinen
076e0abddb SQLite: Fix temporary eap_user data freeing on interface restart
hapd->tmp_eap_user needs to be cleared on interface deinit to avoid
leaving stale pointers to freed memory.

Fixes: ee431d77a5 ("Add preliminary support for using SQLite for eap_user database")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-06 11:44:38 +02:00
Michael Braun
2da3105ac1 Fix use after free with hapd->time_adv on interface restart
When an interface is disabled, e.g. due to radar detected,
hapd->time_adv is freed by hostapd_free_hapd_data(), but later
used by ieee802_11_build_ap_params() calling hostapd_eid_time_adv().

Thus hapd->time_adv needs to be cleared as well.

Fixes: 39b97072b2 ("Add support for Time Advertisement")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2021-03-06 11:37:26 +02:00
Kiran Kumar Lokere
800fb69970 QCA vendor attribute to allow 6 GHz connection with all security types
Add a QCA vendor attribute to configure the driver to allow the 6 GHz
connection with all security types. This attribute is used for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-04 18:05:06 +02:00
Kiran Kumar Lokere
1a60099f26 QCA vendor attribute to ignore SAE H2E requirement mismatch
Add a QCA vendor attribute to ignore SAE H2E requirement mismatch for 6
GHz connection. This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-04 18:04:07 +02:00
Jouni Malinen
b5e3d92ee4 OCV: Fix OCV-FAILURE event address for FT Reassociation Response frame
sm->bssid is still the BSSID of the previous AP at this point in the FT
protocol, so need to show the target AP's BSSID instead in the failure
message.

Fixes: 8c1f61e820 ("OCV: Report OCI validation failures with OCV-FAILURE messages (STA)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 23:50:50 +02:00
Jouni Malinen
4a5f6e88b2 SAE: Use more explicit IE payload validation steps
This is an attempt of making the code easier to understand for static
analyzers. The helper functions were already verifying that these IEs
are fully within the memory buffer, but that may not have been clear
enough for automated analysis.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 18:39:49 +02:00
Jouni Malinen
57fec19dab Use more consistent iface->conf checks
Commit f1df4fbfc7 ("mesh: Use setup completion callback to complete
mesh join") added a check for iface->conf being NULL into a debug print.
However, it is not clear how that could be NULL here. In any case,
setup_interface() could end up dereferencing iface->conf in the call to
hostapd_validate_bssid_configuration(), so better be consistent with the
checks and not get warnings from static analyzers regardless of whether
this can happen in practice.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:51:16 +02:00
Jouni Malinen
b8211e1e75 PASN: Avoid unreachable code with CONFIG_NO_RADIUS
There is no point in trying to build in rest of this function if in the
middle of it the CONFIG_NO_RADIUS case would unconditionally fail.
Simply make all of this be conditional on that build parameter not being
set to make things easier for static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:37:47 +02:00
Jouni Malinen
9a1136b7f1 FILS: Fix RSN info in FD frame for no-group-addressed
The value from the initial RSN_CIPHER_SUITE_NO_GROUP_ADDRESSED check
ended up getting overridden with the following if. This was supposed to
be a single if statement to avoid that.

Fixes: 9c02a0f5a6 ("FILS: Add generation of FILS Discovery frame template")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-28 11:27:42 +02:00
Jouni Malinen
6035969e0e Fix dynamic EAP library building
Build eap_*.so into the wpa_supplicant similarly with the wpa_supplicant
binary and include the shared helper functions from additional files
into the builds. This got broken at some point with the build system
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 23:42:21 +02:00
Jouni Malinen
a826ff2d95 Ignore group-addressed SA Query frames
These frames are used for verifying that a specific SA and protected
link is in functional state between two devices. The IEEE 802.11
standard defines only a case that uses individual MAC address as the
destination. While there is no explicit rule on the receiver to ignore
other cases, it seems safer to make sure group-addressed frames do not
end up resulting in undesired behavior. As such, drop such frames
instead of interpreting them as valid SA Query Request/Response.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-27 20:27:00 +02:00
Jouni Malinen
205c35ceff nl80211: Allow compilation with both vendor do_acs() handlers
Use a helper function as the do_acs() callback to allow builds to pull
in all the vendor specific operations into a single binary.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-27 17:57:08 +02:00
Xinrui Sun
61a258e784 nl80211: Add ACS support for Broadcom device
BRCM vendor command used to trigger ACS scan. After ACS finished,
DHD driver will send results by event BRCM_VENDOR_EVENT_ACS.

Signed-off-by: Xinrui Sun <xinrui.sun@broadcom.com>
2021-02-27 12:14:09 +02:00
Ben Greear
827b43b3ca RADIUS client: Support SO_BINDTODEVICE
Allow the RADIUS client socket to be bound to a specific netdev. This
helps hostapd work better in VRF and other fancy network environments.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
2021-02-27 10:51:15 +02:00
Sunil Dutt
3a05f89edc Android: Add DRIVER command support on hostapd and hostapd_cli
Add DRIVER command support on hostapd and hostapd_cli on Android
similarly to the way this previously enabled in wpa_supplicant and
wpa_cli.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-26 20:22:41 +02:00
Sreeramya Soratkal
50baf345b4 TDLS: Support TDLS operations in HE mode
Determine if the TDLS peer is HE capable based on HE Capability element
received in the TDLS Setup Response frame. Indicate the peer's HE
capabilities to the driver through sta_add().

Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
2021-02-26 20:16:48 +02:00
Jouni Malinen
184c824689 P2P: Add device address to the debug entry on oldest peer removal
This makes it easier to understand debug logs with large number of peer
entries.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-25 20:09:58 +02:00
Jouni Malinen
8460e32309 P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.

Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.

Fixes: 17bef1e97a ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-25 20:09:46 +02:00
Kiran Kumar Lokere
59e9794c7d QCA vendor attribute to configure Punctured Preamble Rx in HE cap
Add a QCA vendor attribute to enable/disable the Punctured Preamble Rx
support in HE PHY capabilities.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:37 +02:00
Kiran Kumar Lokere
875d7be38c QCA vendor attribute to disable data and management frame Tx
Add a QCA vendor attribute to configure the driver to disable data and
management response frame transmission to test the BSS max idle period
feature.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:31 +02:00
Kiran Kumar Lokere
ecb7590f34 QCA vendor attribute to configure RU 242 tone for data Tx
Add a QCA vendor attribute to configure the driver/firmware to use only
RU 242 tone for data frame transmission.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:27 +02:00
Kiran Kumar Lokere
8d23297128 QCA vendor attribute to configure BSS max idle period
Add a QCA vendor attribute to configure the driver with a specific BSS
max idle period value to advertise in (Re)Association Request frames.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:46:21 +02:00
Jouni Malinen
dc72854fe2 Fix handle_auth_cb() message length check regression
Reordering of code in handle_auth_cb() when adding support for full
station state messaged up frame length checks. The length was originally
tested before looking at the payload of the frame and that is obviously
the correct location for that check. The location after those full state
state changes was after having read six octets of the payload which did
not help at all since there was no addition accesses to the payload
after that check.

Move the payload length check to appropriate place to get this extra
level of protection behaving in the expected manner. Since this is a TX
status callback handler, the frame payload is from a locally generated
Authentication frame and as such, it will be long enough to include
these fields in production use cases. Anyway, better keep this check in
working condition.

Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-23 00:30:09 +02:00
Jouni Malinen
976c3c161f DPP2: Accept Config Result before GAS response TX status
The TX event for the next frame in the sequence might be received before
the TX status for the final GAS response frame is processed. This used
to result in the Config Result getting discarded and the negotiation not
completing successfully on the Configurator side.

Accept the Config Result message as an indication of the final GAS
response frame having went through fine even if the TX status has not
yet been processed to avoid this issue from a potential race condition
on kernel events.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 16:44:33 +02:00
Jouni Malinen
10502ad59f radiotap: Fix compiler issues with packed structures
Replace the Radiotap parser platform.h file with use of helper functions
from utils/common.h to avoid compiler issues with the updated design and
getting pointers to members of packet structs.

Silence the warning about _next_bitmap assignment. This pointer is
dereferenced only with operations that are safe for unaligned access, so
the compiler warning is not helpful here.

__packed might not be defined in this context, so use STRUCT_PACKED from
utils/common.h.

Fixes: e6ac269433 ("radiotap: Update radiotap parser")
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-02-21 12:40:58 +02:00
Alexander Clouter
0dee287c84 EAP server: Extend EAP-TLS Commitment Message use to PEAP and EAP-TTLS
Use the explicit Commitment Message per draft-ietf-emu-eap-tls13-13
Section 2.5 and extend this functionality to PEAP and EAP-TTLS when
using TLS 1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:53:52 +02:00
Alexander Clouter
fae4eafe4a EAP-TTLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:47:41 +02:00
Alexander Clouter
155125b02a EAP-TLS peer: Handle Commitment Message for TLS 1.3
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:47:39 +02:00
Alexander Clouter
3a457509db EAP: Extend Session-Id derivation with TLS 1.3 to PEAP and EAP-TTLS
This newer Session-Id/Method-Id derivation is used with PEAP and
EAP-TTLS when using TLS 1.3 per draft-ietf-emu-tls-eap-types-00, so do
not limit this to only EAP-TLS.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:36:57 +02:00
Alexander Clouter
647db6a6b5 EAP-TTLS: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for EAP-TTLS with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:35:51 +02:00
Alexander Clouter
c74f230200 EAP-PEAP: Key derivation per draft-ietf-emu-tls-eap-types-00
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for PEAP with TLS
1.3.

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:35:51 +02:00
Alexander Clouter
872609c151 EAP-TTLS/PEAP peer: Fix failure when using session tickets under TLS 1.3
EAP peer does not expect data present when beginning the Phase 2 in
EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the
handshake completes.

There are several strategies that can be used to handle this, but this
patch picks up from the discussion[1] and implements the proposed use of
SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by
default in OpenSSL 1.1.1, but it needs to be enabled for older versions.

The main OpenSSL wrapper change in tls_connection_decrypt() takes care
of the new possible case with SSL_MODE_AUTO_RETRY for
SSL_ERROR_WANT_READ to indicate that a non-application_data was
processed. That is not really an error case with TLS 1.3, so allow it to
complete and return an empty decrypted application data buffer.
EAP-PEAP/TTLS processing can then use this to move ahead with starting
Phase 2.

[1] https://www.spinics.net/lists/hostap/msg05376.html

Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
2021-02-20 17:02:35 +02:00
Andrei Otcheretianski
8265f84531 nl80211: Unconditionally clear nl_msg
Previously nl80211_nlmsg_clear() would be called under a special
condition when valid_handler is NULL and valid_data is -1. Such API is
not very convenient as it forces the handler to be NULL. Change the
send_and_recv() function to always clear the nl_msg, which will simplify
all this logic.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:34:42 +02:00
Ilan Peer
6c7b0a9657 PASN: Correctly set RSNXE bits from AP
The capability bit index should not be shifted here as the shifting is
handled later below when building the RSNXE octets.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-02-20 00:26:21 +02:00
Anusha Datar
8f248d1aca Check for message truncation in RADIUS client
The RADIUS client currently determines if a radius message is longer
than the supported maximum length by checking whether the size of the
received buffer and the length of the buffer (as returned by recv()) is
equal. This method fails to detect if the buffer has actually been
truncated. This change modifies the RADIUS client to instead use the
recvmsg() call and then check the message header flags to determine
whether or not the received message has been truncated and drop the
message if that is the case.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:15:15 +02:00
Anusha Datar
5cb25307e4 Set RADIUS message length to reflect RFC 2865
The current RADIUS server message maximum length limits the length of
each RADIUS message to 3000 bytes. As specified in RFC 2865 section 3
("Packet Format"), the RADIUS standard's maximum message size is 4096
bytes, so this change increases the RADIUS server's maximum message
size from 3000 to 4096 to match the standard.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:11:17 +02:00
Anusha Datar
7df089b567 Create RADIUS_MAX_MSG_LEN param in the shared radius.h
The RADIUS client currently uses a hardcoded value of 3000 for the
maximum length of a RADIUS message, and the RADIUS server currently
defines a constant value for the maximum length of the RADIUS message
within its source. The client and the server should use the same
maximum length value, so this change creates a shared parameter
RADIUS_MAX_MSG_LEN within the header file radius.h and modifies
both the client and the server to use that parameter instead of
a locally set value.

Signed-off-by: Anusha Datar <anusha@meter.com>
Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
Reviewed-by: Julian Squires <julian@cipht.net>
2021-02-20 00:08:17 +02:00
Sachin Ahuja
98a52b09ca Add new attributes in get_sta_info QCA vendor command
Add additional attributes for the QCA vendor command
QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO to get finer details on roaming
behavior, TSF out of sync count, and the latest TX rate, Rate Index used
for the transmission.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-02-16 00:47:43 +02:00