Commit graph

334 commits

Author SHA1 Message Date
Jouni Malinen
93a1e275a7 SAE: Determine H2E vs. looping when restarting SAE auth in AP mode
If hostapd had existing STA SAE state, e.g., from a previously completed
SAE authentication, a new start of a separate SAE authentication (i.e.,
receiving of a new SAE commit) ended up using some of the previous
state. This is problematic for determining whether to H2E vs. looping
since the STA is allowed (even if not really expected to) to change
between these two alternatives. This could result in trying to use H2E
when STA was using looping to derive PWE and that would result in SAE
confirm failing.

Fix this by determining whether to use H2E or looping for the restarted
authentication based on the Status Code in the new SAE commit message
instead of previously cached state information.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-25 19:29:53 +03:00
Jouni Malinen
cb99259775 Add RSNXE into (Re)Association Response frames
Add the new RSNXE into (Re)Association Response frames if any of the
capability bits is nonzero.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 15:49:32 +03:00
Jouni Malinen
898b6d58f3 SAE: Verify that STA negotiated H2E if it claims to support it
If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
the AP configuration, require H2E to be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 12:48:28 +03:00
Jouni Malinen
d3516cad7a Store a copy of Association Request RSNXE in AP mode for later use
This is needed to be able to compare the received RSNXE to a protected
version in EAPOL-Key msg 2/4.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-18 00:20:29 +03:00
Andrei Otcheretianski
49e95ee1ee AP: Publish only HE capabilities and operation IEs on 6 GHz band
When operating on the 6 GHz band, add 6 GHz Operation Information inside
the HE Operation element and don't publish HT/VHT IEs.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

- Replace HOSTAPD_MODE_IEEE80211AX mode checks with is_6ghz_op_class()

Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
032c8264d4 SAE: Check that peer's rejected groups are not enabled in AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
a5dc2a5c1a SAE: H2E version of SAE commit message handling for AP
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
cc0da0ff4c SAE: Advertise BSS membership selector for H2E-only case
If hostapd is configured to enable only the hash-to-element version of
SAE PWE derivation (sae_pwe=1), advertise BSS membership selector to
indicate this.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
86f6084862 SAE: Tell sae_parse_commit() whether H2E is used
This will be needed to help parsing the received SAE commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-14 19:38:41 +03:00
Jouni Malinen
f7fe055224 SAE: Allow AP behavior for SAE Confirm to be configured
hostapd is by default waiting STA to send SAE Confirm before sending the
SAE Confirm. This can now be configured with sae_confirm_immediate=1
resulting in hostapd sending out SAE Confirm immediately after sending
SAE Commit.

These are the two different message sequences:

sae_confirm_immediate=0
STA->AP: SAE Commit
AP->STA: SAE Commit
STA->AP: SAE Confirm
AP->STA: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

sae_confirm_immediate=1
STA->AP: SAE Commit
AP->STA: SAE Commit
AP->STA: SAE Confirm
STA->AP: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-10 15:38:26 +03:00
Jouni Malinen
3394def5a8 More consistent SA check for unexpected Data frames
Use the same rules for dropping driver notifications for Data frames
from unassociated stations as were added for Management frame reception.
This results in more consistent behavior in sending out Deauthentication
frames with Reason Code 6/7.

This case was already checking for unexpected multicast addresses, so
there was no issue for the PMF protections for unexpected disconnection.
Anyway, better avoid unnecessary Deauthentication frames consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-17 12:38:15 +03:00
Jouni Malinen
d86d66dc07 AP: Silently ignore management frame from unexpected source address
Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.

In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-11 12:28:37 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Jouni Malinen
a762ba8b1e HS 2.0 AP: Do not mandate PMF for HS 2.0 Indication in open OSU network
Even though the station is not supposed to include Hotspot 2.0
Indication element in the Association Request frame when connecting to
the open OSU BSS, some station devices seem to do so. With the strict
PMF-required-with-Hotspot-2.0-R2 interpretation, such connection
attempts were rejected. Relax this to only perform the PMF check if the
local AP configuration has PMF enabled, i.e., for the production BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-30 15:22:42 +03:00
Sven Eckelmann
29d8bd1dec nl80211: Add driver multi iftype HE capability parsing
The HE capabilities are no longer per PHY but per iftype on this
specific PHY. It is therefore no longer enough to just parse the AP
capabilities.

The he_capabilities are now duplicated to store all information for
IEEE80211_MODE_* which hostap cares about. The nl80211 driver fills in
this information when the iftype supports HE. The rest of the code still
only uses the IEEE80211_HE_AP portion but can be extended later to also
use other HE capabilities.

Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
2019-06-23 18:03:51 +03:00
Liangwei Dong
ef60f0121f hostapd: Process OWE IE and update DH IE to the driver if needed
This implements the required functionality in hostapd to facilitate OWE
connection with the AP SME-in-driver cases. Stations can either send DH
IE or PMKID (in RSNE) (or both) in Association Request frame during the
OWE handshake. The drivers that use this offload mechanism do not
interpret this information and instead, pass the same to hostapd for
further processing. hostapd will either validate the PMKID obtained from
the STA or generate DH IE and further indicate the same to the driver.
The driver further sends this information in the Association Response
frame.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:51 +03:00
Srinivas Dasari
14d85a5af7 SAE: Do not send PMKID to the driver if PMKSA caching is disabled
External auth status to the driver includes the PMKID derived as part of
SAE authentication, but this is not valid if PMKSA caching is disabled.
Drivers might not be expecting PMKID when it is not valid. Do not send
the PMKID to the driver in such cases.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
2019-05-31 16:52:15 +03:00
Johannes Berg
d5d156bd92 AP: add station with basic rates configuration
When a new station is added, let it have some supported rates
(they're empty without this change), using the basic rates
that it must support to connect.

This, together with the kernel-side changes for client-side,
lets us finish the complete auth/assoc handshake with higher
rates than the mandatory ones, without any further config.

However, the downside to this is that a broken station that
doesn't check the basic rates are supported before it tries
to connect will possibly not get any response to its auth
frame.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2019-05-28 13:33:00 +03:00
John Crispin
78d35b16de HE: Add AP mode MLME/SME handling for HE stations
Process HE information in (Re)Association Request frames and add HE
elements into (Re)Association Response frames when HE is enabled in the
BSS.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:40:48 +03:00
Jouni Malinen
d70776098d VHT: Remove copying of VHT Operation element from (Re)Assoc Req
This copying attempt was added incorrectly since that element is never
actually present in (Re)Association Request frames. It is only valid to
copy that element from the mesh peering frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-26 18:03:40 +03:00
Jouni Malinen
831d8c9cf5 FILS: Add RSNE into (Re)Association Response frame
This AP behavior was missing from IEEE Std 802.11ai-2016, but it is
needed for the RSNE validation to work correctly and for a FILS STA to
be able to perform the mandatory check for RSNE matching when processing
the (Re)Association Response frame (as described in 802.11ai). REVmd
will be updating the standard to cover this AP case, so prepare the
implementation to match that. Without this, a FILS STA might reject
association whenever using FILS authentication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-05-23 00:34:43 +03:00
Alex Khouderchah
9c95124418 Add 802.11 status code strings
Logs involving IEEE 802.11 Status Codes output the Status Code value,
but do not provide any explanation of what the value means. This change
provides a terse explanation of each status code using the latter part
of the Status Code #define names.

Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
2019-04-22 22:08:07 +03:00
Jouni Malinen
a40bd06e9b FILS: Fix PTK rekeying
The PMK and PMKID information from FILS ERP and FILS PMKSA caching needs
to be stored within struct wpa_state_machine for PTK to work. Without
this, PTK derivation would fail and attempt to go through rekeying would
result in disconnection. Furthermore, wpa_rekey_ptk() timer needs to be
started at the completion of FILS association since the place where it
was done for non-FILS cases at the end of 4-way handshake is not reached
when FILS authentication is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-18 21:55:39 +03:00
Jouni Malinen
10cf866bac mesh: Fix operations after SAE state machine removing the STA
It is possible for the SAE state machine to remove the STA and free the
sta pointer in the mesh use cases. handle_auth_sae() could have
dereferenced that pointer and used freed memory in some cases. Fix that
by explicitly checking whether the STA was removed.

Fixes: bb598c3bdd ("AP: Add support for full station state")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-15 22:09:12 +03:00
Jouni Malinen
153d4c501a mesh: Fix SAE reauthentication processing
ap_free_sta() frees the sta entry, so sta->addr cannot be used after
that call. Fix the sequence of these two calls to avoid use of freed
memory to determine which PMKSA cache entry to remove.

Fixes: 9f2cf23e2e ("mesh: Add support for PMKSA caching")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-15 21:57:58 +03:00
Jouni Malinen
dd1a8cef4c Remove unnecessary copying of SSID and BSSID for external_auth
The external authentication command and event does not need to copy the
BSSID/SSID values into struct external_auth since those values are used
before returning from the call. Simplify this by using const u8 * to
external data instead of the array with a copy of the external data.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-12 20:43:26 +03:00
Srinivas Dasari
4ffb0fefe4 hostapd: Support external authentication offload in AP mode
Extend commit 5ff39c1380 ("SAE: Support external authentication
offload for driver-SME cases") to support external authentication
with drivers that implement AP SME by notifying the status of
SAE authentication to the driver after SAE handshake as the
driver acts as a pass through for the SAE Authentication frames.

Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
2019-04-12 20:33:35 +03:00
Jouni Malinen
b750dde64d OWE: Move Association Response frame IE addition to appropriate place
This code was after the FILS handling that would have encrypted the
frame. While FILS and OWE are never used together, the OWE handling
should really be before the FILS handling since no IEs can be added
after the FILS encryption step. In addition, the Diffie-Hellman
Parameter element is not a Vendor Specific element, so it should be
before some of the Vendor Specific elements even though it is not
defined in IEEE 802.11.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-18 18:32:31 +02:00
Jouni Malinen
10ec6a5f38 DPP2: PFS for PTK derivation
Use Diffie-Hellman key exchange to derivate additional material for
PMK-to-PTK derivation to get PFS. The Diffie-Hellman Parameter element
(defined in OWE RFC 8110) is used in association frames to exchange the
DH public keys. For backwards compatibility, ignore missing
request/response DH parameter and fall back to no PFS in such cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-18 18:32:31 +02:00
Jouni Malinen
ff5f54e159 SAE: Reduce queue wait time for pending Authentication frames
The queue_len * 50 ms wait time was too large with the retransmission
timeouts used in the mesh case for SAE. The maximum wait of 750 ms was
enough to prevent successful completion of authentication after having
hit the maximum queue length. While the previous commit is enough to
allow this to complete successfully in couple of retries, it looks like
a smaller wait time should be used here even if it means potentially
using more CPU.

Drop the processing wait time to queue_len * 10 ms so that the maximum
wait time is 150 ms if the queue is full.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-15 00:31:09 +02:00
Jouni Malinen
5e3a759cd4 SAE: Improved queuing policy for pending authentication frames
The previous design of simply queuing all SAE commit messages was not
exactly good at allowing recovery from a flooding state if the valid
peer used frequent retransmissions of the SAE message. This could
happen, e.g., with mesh BSSs using SAE. The frequent retransmissions and
restarts of SAE authentication combined with SAE confirm messages
bypassing the queue ended up in not being able to finish SAE exchange
successfully.

Fix this by modifying the queuing policy to queue SAE confirm messages
if there is a queued SAE commit message from the same peer so that the
messages within the same exchange do not get reordered. In addition,
replace queued SAE commit/confirm message if a new matching message is
received from the same peer STA. This is useful for the case where the
peer restarts SAE more quickly than the local end has time to process
the queued messages.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-15 00:31:09 +02:00
Jouni Malinen
3653663933 FILS+FT: AP mode processing of PMKR1Name in initial MD association
Derive PMKR1Name during the FILS authentication step, verify that the
station uses matching PMKR1Name in (Re)Association Request frame, and
add RSNE[PMKR1Name] into (Re)Association Response frame when going
through FT initial mobility domain association using FILS. These steps
were missed from the initial implementation, but are needed to match the
IEEE 802.11ai requirements for explicit confirmation of the FT key
hierarchy (similarly to what is done in FT 4-way handshake when FILS is
not used).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 19:15:06 +02:00
Jouni Malinen
aabbdb818d FILS: Do not try to add PMKSA cache entry if caching is disabled
This gets rid of a confusing error message "FILS: Failed to add PMKSA
cache entry based on ERP" for cases where PMKSA caching is disabled in
hostapd (disable_pmksa_caching=1). Functionality remains unchanged,
i.e., no cache entry was added before this change either.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 16:34:48 +02:00
Jouni Malinen
700b3f395e Move SA Query frame length check to the shared handler function
Check the length in the common handler functions instead of both
callers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-03-09 12:41:49 +02:00
Jouni Malinen
96d6dfa8e4 SAE: Add Finite Cyclic Group field in status code 77 response
Copy the Finite Cyclic Group field value from the request to the
response Authentication frame if we end up rejecting the request due to
unsupported group.

IEEE Std 802.11-2016 has conflicting statements about this behavior.
Table 9-36 (Presence of fields and elements in Authentication frames)
indicates that the Finite Cyclic Group field is only included with
status code values 0 (success) and 76 (anti-clogging token request)
while SAE protocol description implying that the Finite Cyclic Group
field is set to the rejected group (12.4.8.6.3 and 12.4.8.6.4).

The standard language needs to cleaned up to describe this
unambiguously, but since it looks safe to add the field into the
rejection case and since there is desire to have the field present to be
able to implement what exactly is stated in 12.4.8.6.4, it looks
reasonable to move ahead with the AP mode implementation change. There
is no change in wpa_supplicant for now to modify its behavior based on
whether this field is present, i.e., wpa_supplicant will continue to
work with both the old and new hostapd behavior for SAE group
negotiation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-08 16:21:03 +02:00
Jouni Malinen
f214361581 SAE: Reuse previously generated PWE on a retry with the same STA
Do not start SAE authentication from scratch if a STA starts a new
attempt for the same group while we still have previously generated PWE
available. Instead, use the previously generated PWE as-is and skip
anti-clogging token exchange since the heavy processing is already
completed. This saves unnecessary processing on the AP side in case the
STA failed to complete authentication on the first attempt (e.g., due to
heavy SAE load on the AP causing a timeout) and makes it more likely for
a valid STA to be able to complete SAE authentication during a DoS
attack.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:07:20 +02:00
Jouni Malinen
a9af1da0b5 SAE: Enforce single use for anti-clogging tokens
Add a 16-bit token index into the anti-clogging token. This can be used
to enforce only a single use of each issued anti-clogging token request.
The token value is now token-index |
last-30-octets-of(HMAC-SHA256(sae_token_key, STA-MAC-address |
token-index)), i.e., the first two octets of the SHA256 hash value are
replaced with the token-index and token-index itself is protected as
part of the HMAC context data.

Track the used 16-bit token index values and accept received tokens only
if they use an index value that has been requested, but has not yet been
used. This makes it a bit more difficult for an attacker to perform DoS
attacks against the heavy CPU operations needed for processing SAE
commit since the attacker cannot simply replay the same frame multiple
times and instead, needs to request each token separately.

While this does not add significant extra processing/CPU need for the
attacker, this can be helpful in combination with the queued processing
of SAE commit messages in enforcing more delay during flooding of SAE
commit messages since the new anti-clogging token values are not
returned before the new message goes through the processing queue.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:07:03 +02:00
Jouni Malinen
ff9f40aee1 SAE: Process received commit message through a queue
This allows better control of processing new SAE sessions so that other
operations can be given higher priority during bursts of SAE requests,
e.g., during a potential DoS attack. The receive commit messages are
queued (up to maximum of 15 entries) and processed from eloop callback.
If the queue has multiple pending entries, more wait time is used to go
through the each new entry to reduce heavy CPU load from SAE processing.

Enable anti-clogging token use also based on the pending commit message
queue and not only based on the already started sessions.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:06:50 +02:00
Jouni Malinen
941bad5ef4 SAE: Enable only group 19 by default in AP mode
Change the AP mode default for SAE to enable only the group 19 instead
of enabling all ECC groups that are supported by the used crypto library
and the SAE implementations. The main reason for this is to avoid
enabling groups that are not as strong as the mandatory-to-support group
19 (i.e., groups 25 and 26). In addition, this disables heavier groups
by default.

In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 17:21:41 +02:00
Lior David
2c129a1b71 Fix cipher suite selector default value in RSNE for DMG
According to IEEE Std 802.11-2016, 9.4.2.25 when fields of an RSNE are
not included, the default values are used. The cipher suite defaults
were hardcoded to CCMP in the previous implementation, but the default
is actually different for DMG: GCMP (per 9.4.2.25.2).

It is not possible to find out from the RSNE if the network is non-DMG
or DMG, so callers of wpa_parse_wpa_ie_rsn() need to handle this case
based on context, which can be different for each caller.

In order to fix this issue, add flags to the wpa_ie_data indicating
whether pairwise/group ciphers were included in the RSNE. Callers can
check these flags and fill in the appropriate ciphers. The
wpa_parse_wpa_ie_rsn() function still initializes the ciphers to CCMP by
default so existing callers will not break. This change also fixes some
callers which need to handle the DMG network case.

Signed-off-by: Lior David <liord@codeaurora.org>
2019-02-21 12:42:24 +02:00
Arnout Vandecappelle (Essensium/Mind)
bfcdac1c8b Multi-AP: Don't reject backhaul STA on fronthaul BSS
The Multi-AP specification only specifies that information elements have
to be added to the Association Request and Association Response frame;
it doesn't specify anything about what should be done in case they are
missing. Previously, we rejected non-backhaul associations on a
backhaul-only BSS, and non-fronthaul associations on a fronthaul-only
BSS.

However, this makes WPS fail when fronthaul and backhaul are separate
SSIDs. Indeed, WPS for the backhaul link is performed on the *fronthaul*
SSID. Thus, the Association Request frmae used for WPS *will* contain
the Multi-AP IE indicating a backhaul STA. Rejecting that association
makes WPS fail.

Therefore, accept a multi-AP backhaul STA Association Request frame on a
fronthaul-only BSS. Still issue a warning about it, but only at level
DEBUG intead of INFO. Also change the condition checking to make it
clearer.

While we're at it, also fix the handling of unexpected bits in the
Multi-AP IE. 4 bits are reserved in the specification, so these
certainly have to be ignored. The specification also doesn't say that
setting one of the other bits is not allowed. Therefore, only report
unexpected values in the Multi-AP IE, don't reject because of it. Note
that a malformed IE (containing more than one byte) still triggers a
rejection.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-02-18 20:21:01 +02:00
Jouni Malinen
b0e91e3877 SAE: VLAN assignment based on SAE Password Identifier
The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to
assign stations to a specific VLAN based on which SAE Password
Identifier they use. This is similar to the WPA2-Enterprise case where
the RADIUS server can assign stations to different VLANs and the
WPA2-Personal case where vlanid parameter in wpa_psk_file is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-17 17:24:23 +02:00
Jouni Malinen
4cf5efece3 FT: Allow STA entry to be removed/re-added with FT-over-the-DS
FT-over-the-DS has a special case where the STA entry (and as such, the
TK) has not yet been configured to the driver depending on which driver
interface is used. For that case, allow add-STA operation to be used
(instead of set-STA). This is needed to allow mac80211-based drivers to
accept the STA parameter configuration. Since this is after a new
FT-over-DS exchange, a new TK has been derived after the last STA entry
was added to the driver, so key reinstallation is not a concern for this
case.

Fixes: 0e3bd7ac68 ("hostapd: Avoid key reinstallation in FT handshake")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-04 23:22:46 +02:00
Jouni Malinen
2ea1fce3d6 OCE: RSSI-based rejection to consider Authentication frames (AP)
Try to make RSSI-based rejection of associating stations a bit less
likely to trigger false rejections by considering RSSI from the last
received Authentication frame. Association is rejected only if both the
Authentication and (Re)Association Request frames are below the RSSI
threshold.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 18:18:53 +02:00
Beni Lev
076f1ea1d9 OCE: Add RSSI based association rejection support (AP)
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.

Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 18:18:50 +02:00
Venkateswara Naralasetty
9c06f0f6ae hostapd: Add Multi-AP protocol support
The purpose of Multi-AP specification is to enable inter-operability
across Wi-Fi access points (APs) from different vendors.

This patch introduces one new configuration parameter 'multi_ap' to
enable Multi-AP functionality and to configure the BSS as a backhaul
and/or fronthaul BSS.

Advertise vendor specific Multi-AP capabilities in (Re)Association
Response frame, if Multi-AP functionality is enabled through the
configuration parameter.

A backhaul AP must support receiving both 3addr and 4addr frames from a
backhaul STA, so create a VLAN for it just like is done for WDS, i.e.,
by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never
WEP), we can safely call hostapd_set_wds_encryption() as well and we can
reuse the entire WDS condition.

To parse the Multi-AP Extension subelement, we use get_ie(): even though
that function is meant for parsing IEs, it works for subelements.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-12-20 01:04:14 +02:00
Mathy Vanhoef
99621dc16c OCV: Include and verify OCI in the FILS handshake
Include and verify the OCI element in FILS (Re)Association Request and
Response frames.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
f9da7505bf OCV: Include and verify OCI in SA Query frames
Include an OCI element in SA Query Request and Response frames if OCV
has been negotiated.

On Linux, a kernel patch is needed to let clients correctly handle SA
Query Requests that contain an OCI element. Without this patch, the
kernel will reply to the SA Query Request itself, without verifying the
included OCI. Additionally, the SA Query Response sent by the kernel
will not include an OCI element. The correct operation of the AP does
not require a kernel patch.

Without the corresponding kernel patch, SA Query Requests sent by the
client are still valid, meaning they do include an OCI element.
Note that an AP does not require any kernel patches. In other words, SA
Query frames sent and received by the AP are properly handled, even
without a kernel patch.

As a result, the kernel patch is only required to make the client properly
process and respond to a SA Query Request from the AP. Without this
patch, the client will send a SA Query Response without an OCI element,
causing the AP to silently ignore the response and eventually disconnect
the client from the network if OCV has been negotiated to be used.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:42:23 +02:00
Mathy Vanhoef
ad20a1367f Store the VHT Operation element of an associated STA
APs and mesh peers use the VHT Operation element to advertise certain
channel properties (e.g., the bandwidth of the channel). Save this
information element so we can later access this information.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 18:35:30 +02:00
Jouni Malinen
f3784a6b94 HS 2.0: Reject Hotspot 2.0 Rel 2 or newer association without PMF
Hotspot 2.0 Rel 2 requires PMF to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:58 +02:00