RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after
Client-Error and Notification messages. Convert the direct jumps to the
FAILURE state with a notification round before sending out EAP-Failure.
Signed-hostap: Jouni Malinen <j@w1.fi>
The AT_NONCE_S value needs to be used in AT_MAC calculation for
SIM/Re-authentication response even if re-authentication is rejected
with AT_COUNTER_TOO_SMALL.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If the peer rejects re-authentication with AT_COUNTER_TOO_SMALL, fall
back to full authentication to allow the authentication session to be
completed.
Signed-hostap: Jouni Malinen <j@w1.fi>
These fields are used only as the search key, so the value is already
known and does not need to be copied from the database.
Signed-hostap: Jouni Malinen <j@w1.fi>
Store permanent username (i.e., including prefix character) instead of
IMSI in the SQLite DB. Convert the string to a string since the EAP-AKA
prefix can start with zero. This cleans up the field names since the
value was already with the prefix included instead of just IMSI. In
addition, this explicitly removes some theoretical cases where the
different identity types could have been mixed.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since the EAP-SIM/AKA identities are ASCII strings, there is no need to
use more complex way for storing and passing them. In addition, be more
strict about enforcing username (i.e., no realm part) to be used in the
EAP-SIM DB API. Similarly, require specific username type instead of any
of the types to be used as the key in the pseudonym and reauth
operations. This allows simpler lookup operations to be used.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since we always request an identity in the request, the response
has to include AT_IDENTITY. This allows the AKA/Identity response
processing to be simplified a bit.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no need to use eap_sim_db_identity_known() here since a new
AKA/Identity message is built only if the identity in the previous
response was not recognized. The first round is always used to request
AT_ANY_ID_REQ to meet the RFC 4187 recommendation on EAP method specific
identity request.
Signed-hostap: Jouni Malinen <j@w1.fi>
Since we always request an identity in the request, the response
has to include AT_IDENTITY. This allows the SIM/Start response
processing to be simplified a bit.
Signed-hostap: Jouni Malinen <j@w1.fi>
There is no need to use eap_sim_db_identity_known() here since a new
SIM/Start message is built only if the identity in the previous response
was not recognized. The first round will always request AT_ANY_ID_REQ to
meet the RFC 4186 recommendation on EAP method specific identity request
being used.
Signed-hostap: Jouni Malinen <j@w1.fi>
The reauth_id prefix can be used to determine which AKA version is used,
so there is no need to store the aka_prime information in a separate
field.
Signed-hostap: Jouni Malinen <j@w1.fi>
If hostapd is built and configured to use SQLite database, store
EAP-SIM/AKA reauth data into the database to allow this to persist
over hostapd restarts.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows hostapd to use an SQLite database for storing EAP-SIM/AKA
pseudonyms over process restarts. CONFIG_SQLITE=y build option adds
support for this and the SQLite database file is specified in eap_sib_db
configuration parameter.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Try to share most of the cipher information like key and RSC lengths and
suite selector conversions, etc. in wpa_common.c to avoid having similar
code throughout the WPA implementation for handling cipher specific
behavior.
Signed-hostap: Jouni Malinen <j@w1.fi>
wpa_cli p2p_serv_disc_req command can now be used to request WSD
request to be sent to specified or all peers who support WSD.
format: wifi-display <list of roles> <list of subelements>
examples:
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source] 2,3,4,5
p2p_serv_disc_req 02:01:02:03:04:05 wifi-display [pri-sink] 3
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [sec-source] 2
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source+sink] 2,3,4,5
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source][pri-sink] 2,3,4,5
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This commit adds control interface commands and internal storage of
Wi-Fi Display related configuration. In addition, WFD IE is now added
to various P2P frames, Probe Request/Response, and (Re)Association
Request/Response frames. WFD subelements from peers are stored in the
P2P peer table.
Following control interface commands are now available:
SET wifi_display <0/1>
GET wifi_display
WFD_SUBELEM_SET <subelem> [hexdump of length+body]
WFD_SUBELEM_GET <subelem>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This allows both hostapd and wpa_supplicant to be used to derive and
configure keys for GCMP. This is quite similar to CCMP key
configuration, but a different cipher suite and somewhat different rules
are used in cipher selection. It should be noted that GCMP is not
included in default parameters at least for now, so explicit
pairwise/group configuration is needed to enable it. This may change in
the future to allow GCMP to be selected automatically in cases where
CCMP could have been used.
This commit does not included changes to WPS or P2P to allow GCMP to be
used.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Use the NL80211_IFACE_COMB_NUM_CHANNELS value > 1 as a trigger for
enabling support for P2P multichannel channel concurrency. This does not
handle all possible details of enforcing driver capabilities, but it is
a good first step for allowing nl80211 drivers to enable multichannel
concurrency.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new gas_request and gas_response_get commands can be used to request
arbitary GAS queries to be performed. These can be used with ANQP or
with other (including vendor specific) advertisement protocols.
gas_request <BSSID> <AdvProtoID> [Query]
gas_response_get <addr> <dialog token> [offset,length]
For example, ANQP query for Capability list in interactive wpa_cli
session:
> gas_request 02:00:00:00:01:00 00 000102000101
<3>GAS-RESPONSE-INFO addr=02:00:00:00:01:00 dialog_token=0
status_code=0 resp_len=32
> gas_response_get 02:00:00:00:01:00 00
01011c00010102010501070108010c01dddd0c00506f9a110200020304050607
> gas_response_get 02:00:00:00:01:00 00 0,10
01011c00010102010501
> gas_response_get 02:00:00:00:01:00 00 10,10
070108010c01dddd0c00
> gas_response_get 02:00:00:00:01:00 00 20,10
506f9a11020002030405
> gas_response_get 02:00:00:00:01:00 00 30,2
0607
It should be noted that the maximum length of the response buffer is
currently 4096 bytes which allows about 2000 bytes of the response data
to be fetched with a single gas_response_get command. If the response is
longer, it can be fetched in pieces as shown in the example above.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The new vendor_elements parameter in hostapd.conf can be used to add new
vendor specific element(s) into Beacon and Probe Response frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Maintain state of WPS APs during iteration to find the correct AP for
WPS PIN operation when no specific BSSID is specified. This information
can be used for optimizing the order in which the APs are tried. This
commit is only adding the collection of the information and more
detailed debug information to make debug logs more helpful in figuring
out how the AP selection order could be improved.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If 4-way handshake fails due to likely PSK failure or if EAP
authentication fails, disable the network block temporarily. Use longer
duration if multiple consecutive failures are seen.
Signed-hostap: Jouni Malinen <j@w1.fi>
Replace the Venue Name specific data structure and parser with a
generic mechanism that can be used with other fields that use the
same format.
Signed-hostap: Jouni Malinen <j@w1.fi>
The anqp_3gpp_cell_net parameter can be used to configure hostapd
to advertise 3GPP Cellular Network ANQP information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
These function pointers are going to be the same for each interface so
there is no need to keep them in struct hostapd_iface. Moving them to
struct hapd_interfaces makes it easier to add interfaces at run time.
Signed-hostap: Jouni Malinen <j@w1.fi>
The driver_test.c data structures had been changed to use a separate
BSS structure, but the P2P commands were not using the new design.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 488f4a7108 configures a timer
before p2p_send_action(). This may result in the timer getting fired
earlier to the off channel transmission of the frame and thus another PD
request being retransmitted. This shall lead to the new PD request with
an incremented dialog token being transmitted. For the cases where the
later PD request might not be transmitted as the host driver is busy
transmitting the earlier frame, the received PD response could be
dropped for the dialog token mismatch. Remove the timer configuration to
avoid this behavior.
Signed-hostap: Sunil Dutt Undekari <duttus@codeaurora.org>
intended-for: hostap-1
Previously, all station mode scan operations were either skipped or
delayed while any P2P operation was in progress. To make concurrent
operations easier to use, reduce this limitation by allowing a scan
operation to be completed in the middle of a p2p_find. In addition,
allow station mode association to be completed. When the station mode
operation is run to its completion (scan results not acted on,
connection to an AP completed, connection failed), resume the p2p_find
operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
A new optional delay=<search delay in milliseconds> parameter can now be
used with p2p_find command to request an extra delay between search
iterations. This can be used, e.g., to make p2p_find friendlier to
concurrent operations by avoiding it from taking 100% of the radio
resources.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.
The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.
Signed-hostap: Jouni Malinen <j@w1.fi>
The previous implementation was able to re-open the connection to an
external program (e.g., hlr_auc_gw) when needed, but required the
connection to be available during startup. Extend this to allow the
initial failure, so that hlr_auc_gw can be started after hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
Explicitly validate seed_len to skip memset call with zero length of
copied data at the end of the buffer. This is not really needed, but it
makes the code a bit easier for static analyzers. This is identical to
the commit a9ea17491a but for the OpenSSL
version of the function.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit bfc62fe133 moved the code that
using crypto/random.h, but forgot to remove the inclusion of that header
file.
Signed-hostap: Jouni Malinen <j@w1.fi>
All the TNC base64 operations are within tncs.c, so there is no point in
including base64.h into eap_server_tnc.c.
Signed-hostap: Jouni Malinen <j@w1.fi>
All the other places processing EVENT_RX_MGMT events assume that the
event data is included, so not much point in verifying that here.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use an explicit pointer to the beginning of the buffer and a flag
to indicate whether that is to external data or not. This avoids
a branch whenever accessing the buffer and helps some static
analyzers to understand the wpabuf memory uses better.
Signed-hostap: Jouni Malinen <j@w1.fi>
If the os_malloc() call for the User-Name value fails in EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling this cleanly as an internal error
and reject the authentication attempt.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Commit c9e08af24f removed the only user of
the special case MD5 use that would be allowed in FIPS mode in
tls_prf_sha1_md5(). Commit 271dbf1594
removed the file from the build, but left the implementation into the
repository. To clean things up even further, remove this functionality
completely since it is not expected to be needed for FIPS mode anymore.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows User-Name and Chargeable-User-Identity attributes to be
passed from Access-Accept into Accounting messages even when IEEE 802.1X
is not used.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
The mechanism to figure out key block size based on ssl->read_hash
does not seem to work with OpenSSL 1.0.1, so add an alternative
mechanism to figure out the NAC key size that seems to work at
least with the current OpenSSL 1.0.1 releases.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).
Signed-hostap: Jouni Malinen <j@w1.fi>
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to implement workaround for authentication servers that
do not handle TLS extensions in ClientHello properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
The PKCS5_PBKDF2_HMAC_SHA1() function in OpenSSL 0.9.7 did not mark
the salt parameter const even though it was not modified. Hide the
compiler warning with a type cast when an old OpenSSL version is
used.
Signed-hostap: Jouni Malinen <j@w1.fi>
When CONFIG_FIPS=y is used, do not include MD5 in the build and disable
EAPOL-Key frames that use MD5 (WPA/TKIP and dynamic WEP with IEEE
802.1X).
Signed-hostap: Jouni Malinen <j@w1.fi>
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use SSL_export_keying_material() if possible, i.e., if OpenSSL is
version 1.0.1 or newer and if client random value is used first. This
allows MSK derivation with TLS-based EAP methods (apart from EAP-FAST)
without exporting the master key from OpenSSL.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, CONFIG_EAP_MSCHAPV2=y was assumed to be set for
CONFIG_EAP_TTLS=y. Avoid this dependency by making including the
MSCHAPv2 parts in EAP-TTLS conditionally.
Signed-hostap: Jouni Malinen <j@w1.fi>
In theory, the SHA1 operation may fail (e.g., if SHA1 becomes disallowed
in some security policies), so better check the return code from
challenge_hash().
Signed-hostap: Jouni Malinen <j@w1.fi>
Do not leave the tls_global context allocated if the global OpenSSL
initialization fails. This was possible in case of FIPS builds if
the FIPS mode cannot be initialized.
Signed-hostap: Jouni Malinen <j@w1.fi>
Increase GO config timeout if HT40 is used since it takes some time
to scan channels for coex purposes before the BSS can be started.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add optional "ht40" argument for p2p_group_add command to enable 40 MHz
in 5GHz band. This configures the secondary channel, when HT support is
enabled and if the HW supports 40 MHz channel width.
Signed-hostap: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
This function can be used as a wrapper for os_realloc(ptr, nmemb * size)
when a reallocation is used for an array. The main benefit over
os_realloc() is in having an extra check to catch integer overflows in
multiplication. This is similar to the os_zalloc() to os_calloc() move.
Signed-hostap: Jouni Malinen <j@w1.fi>
This function can be used as a wrapper for os_zalloc(nmemb * size) when
an allocation is used for an array. The main benefit over os_zalloc() is
in having an extra check to catch integer overflows in multiplication.
Signed-hostap: Jouni Malinen <j@w1.fi>
Multiple memcmps of nonces were actually comparing only the first byte
instead of all 16 bytes. [Bug 462]
Signed-hostap: Eyal Shapira <eyal@wizery.com>
intended-for: hostap-1
There is no need to mandate admission control (ACM=1) by default, so
clear that flag in the case the configuration file does not specify
wmm_ac_{vo,vi}_acm value. This gets closer to the values mentioned
in the sample hostapd.conf file and reduces the need to specify WMM
parameters in the configuration file for most common use cases.
Signed-hostap: Jouni Malinen <j@w1.fi>
p2p_set_timeout() calls in GO Neg Req/Resp TX callbacks used timeout of
100 ms which is the value given in the P2P specification for GO
Negotiation, but this was actually shorter than the
wait-for-offchannel-TX value (200 ms) used for the driver call. In
addition, it looks like some devices (e.g., Galaxy Nexus with JB image)
can take longer time to reply to GO Negotiation Response (somewhere
between 200 and 250 ms has been observed).
Increase the wait-for-GO-Neg-Resp timeout from 100 ms to 200 ms if GO
Negotiation Request frame was acknowledged (this matches with the
offchannel wait timeout that used previously). The no-ack case is left
at 100 ms since we use GO Negotiation Request frame also to discover
whether the peer is on its Listen channel.
Increase the wait-for-GO-Neg-Conf timeout from 100 ms to 250 ms (and
increase the offchannel wait timeout to matching 250 ms) as a workaround
for devices that take over 200 ms to reply to GO Negotiation Response.
Signed-hostap: Jouni Malinen <j@w1.fi>
The commit b5fd8b1833
"VHT: Do not allow use of TKIP with VHT" introduced
an off-by-one regression: a WPA/RSN 11n AP would no
longer accept stations to connect, instead it would
produce a bogus error message:
... Station tried to use TKIP with HT association.
Signed-hostapd: Christian Lamparter <chunkeey@googlemail.com>
cur_pmksa was left to NULL during the initial association. This can
result in unexpected behavior, e.g., in expiring PMKSA cache entries
since the current entry is not locked in that case. Fix this by updated
cur_pmksa when adding the initial PMKSA entry during msg 1/4 processing.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If the PMKSA cache is full (i.e., 32 candidates have been seen in scan
results and have not yet expired) then any additional entries can
potentially evict the current/active entry (if it is the oldest entry),
which triggers a pointless local deauthentication. The supplicant
shouldn't replace the current/active entry if it is still valid, but
instead the oldest entry that is *not* the current/active one.
Signed-hostap: Dan Williams <dcbw@redhat.com>
intended-for: hostap-1
When using multiple VLANs, GKeyDoneStations counter is not updated
properly since wpa_auth_for_each_sta() call in wpa_group_setkeys() ends
up iterating through all STAs and not just the STAs of a specific
wpa_group (VLAN). Consequently, GTK rekeying gets initialized multiple
times if more than a single group state machine exists. Fix this by
iterating only through the STAs in the specific wpa_group.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
intended-for: hostap-1
CONFIG_VLAN_NETLINK=y build option can now be used to replace the
ioctl()-based interface for creating and removing VLAN interfaces
with netlink-based interface.
Signed-hostap: M. Braun <michael-dev@fami-braun.de>
Commit a11241fa11 removed the 802.11b rate
enabling/disabling code from wpa_driver_nl80211_set_mode() and while
doing that, removed the only place where drv->disabled_11b_rates was
set. Fix this by updating the flag in nl80211_disable_11b_rates(). In
addition, re-enable the 802.11b rates when changing to non-P2P mode.
Signed-hostap: Jouni Malinen <j@w1.fi>
Right now 11b rates are masked out while creating a P2P interface,
but this is always failing as the interface is down. Most drivers
allow to configure rates only when the interface is UP and running.
So let us disable 11b rates when interface type is changed into a
P2P type and it is UP and running.
Signed-hostap: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
These validation steps are already done in the EAP parsing code and in
the EAP methods, but the additional check is defensive programming and
can make the validation of received EAP messages more easier to
understand.
Signed-hostap: Jouni Malinen <j@w1.fi>
These checks would not really be needed since eapol_sm_rx_eapol()
validates the length fields. Anyway, these makes it more obvious to
anyone reviewing the code that there are no integer underflow issues in
processKey().
Signed-hostap: Jouni Malinen <j@w1.fi>
These checks would not really be needed since radius_msg_parse()
validates the attribute header fields. Anyway, these makes it more
obvious to anyone reviewing the code that there are no integer underflow
issues in the functions processing RADIUS attributes.
Signed-hostap: Jouni Malinen <j@w1.fi>
This simplifies the implementation by using the buffer type to which the
returned data will be converted anyway. This avoids one memory
allocation for each processed RADIUS message.
Signed-hostap: Jouni Malinen <j@w1.fi>
Couple of functions did not verify that nla_put_nested() succeeded. Fix
these by checking the return value and handling error cases cleanly.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new ssid2 parameter can be used as an alternative mechanism for
configuring SSID for hostapd. It uses the same formats that
wpa_supplicant uses in the configuration file for strings.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of masking out non-ASCII characters with underscores, espace the
SSID data using rules compatible with printf.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to build ASCII strings from binary data that is
more likely to use ASCII (i.e., text format is more natural
option than hexdump, but there is possibility of some non-ASCII
characters).
Signed-hostap: Jouni Malinen <j@w1.fi>
When CONFIG_CTRL_IFACE=udp-remote is used, print user frendly PS in
wpa_cli. E.g.,
localhost/wlan0>
192.168.1.1/p2p-wlan-0-0>
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
wpa_cli can be used now as a client for remote access to ctrl_interface
of wpa_supplicant when UDP and remote options are used.
You can simply run:
wpa_cli -i <hostname>:[port]
wpa_cli -i <IP>:[port]
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Add new option for ctrl iface: CONFIG_CTRL_IFACE=udp-remote. This
enables remote access to control interface via UDP port(s). This should
be used for testing purpose only since there is no authentication or
access control on the commands.
Signed-hostap: Janusz Dziedzic <janusz.dziedzic@tieto.com>
This bit is set in the code path that handles keys and certs from places
other than OpenSSL authentication engines. Setting this bit causes
authentication to fail when the server provides certificates that don't
match the client certificate authority.
Commit 05ab9712b9 added support for
fetching WPA PSK from an external RADIUS server and changed
hostapd_wpa_auth_get_psk() to always return the RADIUS supplied PSK (if
set) and ignore the prev_psk parameter for iteration. Fix this by
appending the RADIUS supplied PSK to the list iterated by
hostapd_get_psk and thus returning NULL when prev_psk == sta->psk
(RADIUS).
Signed-hostap: M. Braun <michael-dev@fami-braun.de>
This allows the password parameter for EAP methods to be fetched
from an external storage.
Following example can be used for developer testing:
ext_password_backend=test:pw1=password|pw2=testing
network={
key_mgmt=WPA-EAP
eap=TTLS
identity="user"
password=ext:pw1
ca_cert="ca.pem"
phase2="auth=PAP"
}
Signed-hostap: Jouni Malinen <j@w1.fi>
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows the SA Query mechanism in hostapd to be used with drivers
that implement authentication and association MLME/SME.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
disable_dgaf=1 in hostapd.conf can now be used to disable downstream
group-addressed forwarding (DGAF). In this configuration, a unique
GTK (and IGTK) is provided to each STA in the BSS to make sure the
keys do not match and no STA can forge group-addressed frames.
An additional mechanism in the AP needs to be provided to handle some
group-addressed frames, e.g., by converting DHCP packets to unicast
IEEE 802.11 frames regardless of their destination IP address and by
providing Proxy ARP functionality.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Allow the user to configure an RSSI threshold in dBm below which the
nl80211 driver won't report scan results. Currently only supported
during scheduled (PNO) scans.
Signed-off-by: Thomas Pedersen <c_tpeder@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 6b56cc2d97 added retries of
provision discovery request frames in IDLE state. However, it did not
make the p2p_find case behave consistently with the new limitied retry
behavior. This can result in way too many and frequent PD retries. Fix
this by extending the previous commit to address PD retries and maximum
retry limit consistently regardless of whether p2p_find is running.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Commit 1b487b8b1e added CH_SWITCH
event for nl80211, but ended up using hostapd_hw_get_channel()
regardless of build configuration for driver interfaces. This
function is not always available, so make its use conditional
on NEED_AP_MLME.
Signed-hostap: Jouni Malinen <j@w1.fi>
Commit d9cc4646eb added
crypto_hash_{init,update,finish}() wrappers for OpenSSL, but it
assumed the current HMAC API in OpenSSL. This was changed in 0.9.9
to return error codes from the functions while older versions used
void functions. Add support for the older versions, too.
Signed-hostap: Jouni Malinen <j@w1.fi>
This patch adds a check of the return value of wpabuf_dup() in a large
Service Discovery Response.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
This updates the license notification to use only the BSD license. The
changes were acknowledged by email (Gunter Burchardt, tmisu@gmx.de,
Mon, 02 Jul 2012 17:54:28 +0200).
Signed-hostap: Jouni Malinen <j@w1.fi>
This updates the license notification to use only the BSD license. The
changes were acknowledged by email (Jouke Witteveen
<j.witteveen@gmail.com>, Mon, 2 Jul 2012 11:38:34 +0200).
Signed-hostap: Jouni Malinen <j@w1.fi>
This functionality could be shared for other commands, too, so move
it to a common function. In addition, implement the validation in a
bit more strict way to avoid accepting values like '-123' as a valid
PIN.
Signed-hostap: Jouni Malinen <j@w1.fi>
There are separate states for these, so we can't really get into this
situation unless somebody tries to do multiple things at the same
time. p2p_connect stops find and CONNECT state is used to probe the peer
on its Listen channel with GO Negotiation Request frames. Similarly,
p2p_invite() stops find and INVITE state is used to probe the peer on
its Listen channel with Invitation Request frames. The older mechanism
of using Search state functionality to find the peer can be removed.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This updates these files to use the license notification that uses only
the BSD license. The changes were acknowledged by email (Sam Leffler
<sam@errno.com>, Sat, 30 Jun 2012 07:57:53 -0700).
Signed-hostap: Jouni Malinen <j@w1.fi>
At least some error paths (e.g., hitting the limit on hunt-and-peck
iterations) could have resulted in double-freeing of some memory
allocations. Avoid this by setting the pointers to NULL after they have
been freed instead of trying to free the data structure in a location
where some external references cannot be cleared. [Bug 453]
Signed-hostap: Jouni Malinen <j@w1.fi>
The previously used limit (10) is too small for practical purposes since
it can result in about 1 out of 1000 authentication attempts failing.
Increase the limit to 30 to avoid such issues. [Bug 453]
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
os_random() may not be seeded properly, so use stronger mechanism for
generating the password id for NFC password tokens.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new hostapd ctrl_iface command WPS_NFC_TOKEN can now be used to
manage AP-as-Enrollee operations with NFC password token. WPS/NDEF
parameters to this command can be used to generate a new NFC password
token. enable/disable parameters can be used to enable/disable use of
NFC password token (instead of AP PIN) for external Registrars.
A preconfigured NFS password token can be used by providing its
parameters with new hostapd.conf fields wps_nfc_dev_pw_id,
wps_nfc_dh_pubkey, wps_nfc_dh_privkey, and wps_nfc_dev_pw. This use
will also depend on WPS_NFC_TOKEN enable/disable commands, i.e., the
configured NFS password token is disabled by default.
Signed-hostap: Jouni Malinen <j@w1.fi>
The AP PIN on wps_reg command can now be replaced with special value
"nfc-pw" to use device password from a NFC password token from the AP.
Signed-hostap: Jouni Malinen <j@w1.fi>
WPS_ER_NFC_CONFIG_TOKEN command can now be used to build a NFC
configuration token based on AP Settings learnt with WPS_ER_LEARN
or set with WPS_ER_CONFIG.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new wpa_supplicant ctrl_iface command WPS_NFC_TAG_READ can now be
used to process NFC tags read by external programs to initiate
wpa_supplicant to use NFC Configuration Token to create a new network.
Signed-hostap: Jouni Malinen <j@w1.fi>
The new hostapd ctrl_iface command WPS_NFC_CONFIG_TOKEN can now be used
to fetch payload for an NFC configuration token so that an external
program can be used to write this on an NFC tag.
Signed-hostap: Jouni Malinen <j@w1.fi>
This adds a cleaner mechanism for handling NFC Password Tokens in the
WPS Registrar. There could be more than one active NFC Password Token in
use and as such, a list of tokens needs to be maintained. The old
WPS_OOB interface is still using the old mechanism that supports only a
single active NFC Password Token.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd ctrl_iface can now be used to deliver payload from read
operation of an NFC tag. This allows operations without having to have
low-level NFC code within hostapd. For now, the new wps_nfc_tag_read
command can be used with NFC password tokens for the case where the AP
has an NFC device that is used to read an NFC tag from the station
Enrollee.
Signed-hostap: Jouni Malinen <j@w1.fi>
Instead of requiring low-level access to an NFC device and synchronous
operations, the new WPS_NFC_TOKEN and WPS_NFC ctrl_iface commands can be
used to build a NFC password token and initiate WPS protocol run using
that token (or pre-configured values) as separate commands. The
WPS_NFC_TOKEN output can be written to a NFC tag using an external
program, i.e., wpa_supplicant does not need to have low-level code for
NFC operations for this.
Signed-hostap: Jouni Malinen <j@w1.fi>
The OOB Device Password is passed in as a hexdump of the real Device
Password (16..32 octets of arbitrary binary data). The hexdump needs to
be converted to binary form before passing it for WPS processing.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, only the maximum length 32 octets for OOB device password
was accepted. Since the specification allows a shorter password to be
used with limited OOB mechanism (e.g., small NFC tag), we should accept
lengths 16..32.
Signed-hostap: Jouni Malinen <j@w1.fi>
The earlier WPS 2.0 changes did not increase the wpabuf size when
adding a new attribute to the NFC password token. This could result
in aborting the application on wpabuf overflow if NFC out-of-band
mechanism is used with WPS 2.0 enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Some drivers may independently decide to switch channels. Handle this by
updating the hostapd and wpa_supplicant AP and GO configuration.
Signed-hostap: Thomas Pedersen <c_tpeder@qca.qualcomm.com>
Previously, the STA entry was removed only from the driver and the STA
entry within hostapd was just marked disassociated. However, this left
the WPA authenticator state machine with an entry and the session was
not terminated properly. In addition, the STA entry could have remaining
indefinitely if the STA did not reconnect after TKIP countermeasures.
Fix this by removing the STA entry from hostapd instead of just leaving
it disassociated.
Signed-hostap: Jouni Malinen <j@w1.fi>
In AP which supports WPSv2 with only virtual push button, when PBC is
called, the WSC IE should include Selected Registrar Configuration
Methods attribute with the bit of the physical push button not set.
Signed-hostap: Yoni Divinsky <yoni.divinsky@ti.com>
Without this, we can get into a tight loop because the
code in general doesn't add eloop exception handlers,
so socket reporting the POLLERR would never be read.
With this change, any socket with POLLERR or POLLHUP
asserted will be handled by the read logic.
Signed-hostap: Ben Greear <greearb@candelatech.com>
The control message received from the kernel needs some space, but
there's no need for the strange typing that breaks clang compilation.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Maintain a copy of Chargeable-User-Identity in the PMKSA cache to allow
it to be included in accounting messages even if full authentication was
not completed.
Signed-hostap: Jouni Malinen <j@w1.fi>
Calling-Station-Id, Acct-Session-Id, and User-Name attributes in a
Disconnect-Request message can now be used to indicate which station is
to be disconnected.
Signed-hostap: Jouni Malinen <j@w1.fi>
DAS will now validate Event-Timestamp value to be within an acceptable
time window (300 seconds by default; can be set using
radius_das_time_window parameter). In addition, Event-Timestamp can be
required in Disconnect-Request and CoA-Request messages with
radius_das_require_event_timestamp=1.
Signed-hostap: Jouni Malinen <j@w1.fi>
Currently, FullMAC Persistent GO can't use p2p_client_list because its
own hapd->p2p_group is NULL at ap_sta_set_authorized(). This patch
changes the processing to use sta->p2p_ie instead of
p2p_group_get_dev_addr() on FullMAC GO.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
The P2P Client Discoverability bit is reserved in most frames and its
value in the local P2P peer table should only be updated based on P2P
Group Info attribute from a GO. Fix this by avoiding changes to this
dev_capab bit based on other P2P frames. It would be more correct to
track this separately for each group in which the peer is a member, but
since we do not do that for the other group specific information either,
this can do for now.
It should be noted that prior to commit
18485b5469 wpa_supplicant set this bit in
all P2P frames. However, that commit changed this to match the
specification, i.e., the bit is not set in frames which are received
from P2P Device role. As such, this fix is needed to be able to figure
out that a peer supports client discoverability capability after that
commit.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
In the P2P specification v1.1, the P2P Client Discoverability bit is
described in Table 12 "Device Capability Bitmap definition". The table
says "Within a P2P Group Info attribute and a (Re)association request
frame the P2P Client Discoverability field shall be set to 1 when the
P2P Device supports P2P Client Discoverability, and is set to 0
otherwise. This field shall be reserved and set to 0 in all other frames
or uses.". To match with this, filter out P2P Client Discoverability bit
from frames where its use is reserved.
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
If the peer uses an unknown reauth id, it would still be possible to use
pseudonym instead of permanent id. Allow this by changing the
AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is
used in EAP-Response/Identity.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
There is a race condition in GO Negotiation Request frame sending and
processing that may end up with both devices sending GO Negotiation
Response. This response frame was previously accepted even if a response
had already been sent. This could result in two GO Negotiation Confirm
frames being exchanged and consequently, with two separate GO
Negotiations completing concurrently. These negotiations could result in
getting mismatching parameters (e.g., both device could believe it was
the GO).
Fix this by ignoring GO Negotiation Response from the peer if twe have
already sent a GO Negotiation Response frame and we have the higher P2P
Device Address. This is similar to the rule used to determine whether to
reply to GO Negotiation Request frame when Request was already sent,
i.e., the same direction of GO Negotiation is maintained here to enforce
that only the negotiation initiated by the device with smaller P2P
Device Address is completed.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
If both peers initiate GO Negotiation at about the same time, it is
possible for the GO Negotiation Request frame from the peer to be
received between the local attempt to send the GO Negotiation Request
and TX status event for that. This could result in both devices sending
GO Negotiation Response frames even though one of them should have
skipped this based which device uses a higher MAC address.
Resolve this race by incrementing go_neg_req_sent when p2p_send_action()
returns success instead of doing this from the TX status callback. If
the frame is not acknowledged, go_neg_req_sent is cleared in TX status
handler.
Signed-off-by: Neeraj Garg <neerajkg@broadcom.com>
Stop the connection attempt if GO Negotiation Confirm is not received
within 100 ms of the GO Negotiation Response getting acknowledged.
Previously, we would have continued trying to connect to the peer even
in this case which could result in confusing second GO Negotiation
Request frame and unnecessarily long wait before indicating failure.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The GO Negotiation Confirm frame doesn't need to be sent with a wait
since we don't expect a response to it.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Concurrent Operation bit was not set for GO even if the device
supports concurrent operations. Make sure the Device Capability
value is consistent with other P2P use cases by using the value
determined in p2p_init().
Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
Send an "EAP" signal via the new DBus interface under various
conditions during EAP authentication:
- During method selection (ACK and NAK)
- During certificate verification
- While sending and receiving TLS alert messages
- EAP success and failure messages
This provides DBus callers a number of new tools:
- The ability to probe an AP for available EAP methods
(given an identity).
- The ability to identify why the remote certificate was
not verified.
- The ability to identify why the remote peer refused
a TLS connection.
Signed-hostap: Paul Stewart <pstew@chromium.org>
In certain cases like PBC session overlap it appears to be possible that
an interface is removed due to an event handled on it, this leads to
list corruption. Use safe iteration to prevent this issue.
Reported-by: Nirav Shah <nirav.j2.shah@intel.com>
Reported-by: Neeraj Kumar Garg <neerajkg@broadcom.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
intended-for: hostap-1
When hostapd (or wpa_supplicant AP mode) limits the maximum number
of STA entries with a driver that implements SME, the driver needs
to be notified of the failed STA addition. Disassociate the STA if
the driver notifies of an association that would go beyond the
maximum number of STAs.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
If WNM is enabled for the build (CONFIG_WNM=y), add BSS max idle period
information to the (Re)Association Response frame from the AP and parse
this information on the station. For SME-in-wpa_supplicant case, add a
timer to handle periodic transmission of the keep-alive frame. The
actual request for the driver to transmit a frame is not yet
implemented.
Signed-hostap: Jouni Malinen <j@w1.fi>
When sending an offchannel frame (mainly, P2P Invitation Request), the
wait_time parameter was hardcoded to 0 for drivers that implement AP
mode SME. This is not correct and can cause problems for drivers that
support offloading of off-channel operations with driver/firmware based
AP SME.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is a workaround for interoperability issues with some deployed P2P
implementations that require a Provision Discovery exchange to be used
before GO Negotiation. The new provdisc parameter for the p2p_connect
command can be used to request this behavior without having to run a
separate p2p_prov_disc command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>