The 5 GHz channels are stored in one hw_features set with mode
HOSTAPD_MODE_IEEE80211A while the 6 GHz channels will need to stored in
a separate hw_features set (but with same mode HOSTAPD_MODE_IEEE80211A)
due to possibility of different HE capabilities being available between
the 5 GHz and 6 GHz bands.
Iterate through all hw_features sets and populate channels from all
hw_features sets whose hardware mode is matching the configured hardware
mode while preparing the channel list for ACS.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows a P2P connection over P802.11ay EDMG channels to achieve the
highest link speed that the standard allows for channel bonding (CB) up
to CB4.
Let each P2P peer add its EDMG channels to the Supported Channels IE
advertised in P2P GO negotiation. Give EDMG channels priority when peers
negotiate for operating channel.
User may add 'edmg' parameter to p2p_connect, p2p_add_group, and
p2p_invite commands to prefer an EDMG channel for the P2P link. User may
also set p2p_go_edmg=1 in wpa_supplicant configuration file to prefer
EDMG.
When EDMG is used, P2P will try to find the highest channel bonding
supported channel that matches the frequency parameter, if the devices
do not support EDMG, the P2P connection will use a legacy (1-6) 60 GHz
channel.
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Update new channels in Channel Bonding (CB2 ... CB4) in the 60 GHz band
for different regulatory regions according to the latest draft amendment
IEEE P802.11ay/D5.0.
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Add EDMG bandwidth to CHANWIDTH_ defines.
Update API ieee80211_freq_to_channel_ext() to support EDMG bandwidth
for EDMG channels.
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
This is mainly for testing purposes to be able to check which groups
a STA reports as having been rejected when using SAE H2E.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The netRole enum is more generic and can be extended to include new
roles (e.g., Configurator) more easily.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This new hostapd configuration parameter rsnxe_override_eapol=<hexdump>
can be used to override RSNXE value in EAPOL-Key msg 3/4 for testing
purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, this case was ignored silently in AP mode. While that could
be a reasonable approach for an unexpected condition, it would be fine
to reject this case explicitly as well. This makes it somewhat easier to
test unexpected SAE H2E vs. looping behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
check_sae_rejected_groups() returns 1, not -1, in case an enabled group
is rejected. The previous check for < 0 could not have ever triggered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, this case was ignored silently in AP mode. While that could
be a reasonable approach for an unexpected condition, it would be fine
to reject this case explicitly as well. This makes it somewhat easier to
test unexpected SAE H2E vs. looping behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
freq_list is built in allocated heap memory and it needs to be freed
before returning from this function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Clean up do_acs interface to not pass ch_list to drivers as the same
information is available in freq_list. The channel numbers are
duplicated between 2.4 GHz and 5 GHz bands and the 6 GHz band. So, use
the QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST to populate only 2.4 GHz and 5 GHz
channels to ensure backwards compatibility with old drivers which do not
have support to decode the newer QCA_WLAN_VENDOR_ATTR_ACS_FREQ_LIST
attribute.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Skip DFS checks and CAC operation for 6 GHz channels. AFC checks
will be added for 6 GHz channels later.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
HT capability check is not required when starting AP on 6 GHz band as
only HE operation mode is allowed in the 6 GHz band.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd and wpa_supplicant DPP implementation to allow the
bootstrapping URI to be generated for and parsed from an NFC Tag with an
NFC URI Record. This is similar to the way the bootstrapping URI is used
with QR Code for unidirectional authentication.
The DPP_BOOTSTRAP_GEN command uses "type=nfc-uri" to request the URI to
be assigned for NFC URI Record. In practice, the URI is generated
identically to the QR Code case, but the internal entry maintains the
NFC-URI type.
A new command "DPP_NFC_URI <uri>" can now be used to parse the URI read
from an NFC Tag with the NFC URI Record. This is similar to the
DPP_QR_CODE command.
Other commands (mainly, DPP_LISTEN and DPP_AUTH_INIT) are used for NFC
URI in the same way as they are used for QR Code.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 844dfeb804 ("QCA vendor command support to set band to driver")
added a vendor command to pass 'SET setband' command information to the
driver in wpa_supplicant. Add similar changes to hostapd control
interface.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, nonzero sae_h2e parameter values were used to perform SAE
H2E specific operations (deriving PT, adding RSNXE, adding H2E-only BSS
membership selector) in AP mode even if SAE was not enabled for the
network. This could result in unexpected behavior if sae_pwe=1 or
sae_pwe=2 were set in the configuration. Fix this by making the SAE
operations conditional on SAE being actually enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows Configurator to be configured to use the ssid64 option in
the discovery object for a station Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The discovery object is now allowed to use either the UTF-8 encoded
string ssid or base64url encoded ssid64.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no use case for adding padding into the base64url encoded
strings, so remove the unneeded add_pad argument that was hardcoded to 0
in all callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The UTF-8 encoded ssid string was replaced with base64url encoded ssid64
string, so update the implementation to match.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The WMM TSPEC processor used the input buffer for processing the request
and building the response. This was fine for the FT case, but for the
WMM Action frame case, the input buffer is marked const, so it should
not really be modified. This modification could not really cause any
noticeable harm, but it can result in error reports from fuzzing and
potentially even from some static analyzers.
Fix this by marking the input arguments const more consistently (the
parsed IE was able to drop the const) and copy the const input data to a
temporary buffer for processing and modification instead of allowing the
input data to be modified.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19050
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 947b5a1532 ("P2P: Stop listen state if Action frame TX is
needed on another channel") added an optimization for P2P response
transmission in certain concurrent operation cases. However, it did not
take into account possibility of the driver not being in listen
state (p2p->drv_in_listen == 0) and could end up getting stuck with the
P2P state machine in a manner that made the device not listen for
following messages. This showed up in following manner in the debug log:
P2P: Starting short listen state (state=SEARCH)
P2P: Driver ended Listen state (freq=2437)
process received frame and send a response
P2P: Stop listen on 0 MHz to allow a frame to be sent immediately on 2437 MHz
P2P: Clear timeout (state=SEARCH)
--> state machine stuck
Fix this by adding drv_in_listen > 0 condition for the optimization to
stop the listen operation in send_action() resulting in scheduled TX.
Fixes: 947b5a1532 ("P2P: Stop listen state if Action frame TX is needed on another channel")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update center frequency and center frequency2's DFS channel status in
VHT80+80 mode. Otherwise it will cause AP failed to start on a DFS
channel.
Tested: qca9984 with firmware ver 10.4-3.10-00047
Signed-off-by: Rick Wu <rwu@codeaurora.org>
Signed-off-by: Lei Wang <leiwa@codeaurora.org>
wpa_validate_wpa_ie() was already extended to cover these cases with
WPA_INVALID_PMKID return value, but hostapd_notif_assoc() did not have
code for mapping this into the appropriate status code
(STATUS_INVALID_PMKID) and ended up using the default
(WLAN_STATUS_INVALID_IE) instead. This caused AP SME-in-driver cases
returning incorrect status code when the AP did not have a matching
PMKSA cache entry. This could result in unexpected station behavior
where the station could continue trying to use a PMKSA cache entry that
the AP does not have and not being able to recover this.
Fix this by adding the previously missed mapping of validation errors to
status/reason codes.
Fixes: 567da5bbd0 ("DPP: Add new AKM")
Fixes: 458d8984de ("SAE: Reject request with mismatching PMKID (no PMKSA cache entry)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This array can be freed either from the scan parameters or from
clearing the MAC address randomization parameters from the
wpa_supplicant struct. To make this ownership more clear, we have
each struct own its own copy of the parameters.
Signed-off-by: Eric Caruso <ejcaruso@chromium.org>
The "\\u%04x" printf string did not really work in the correct way if
char is signed. Fix this by type casting this to unsigned char.
Signed-off-by: Jouni Malinen <j@w1.fi>
SUITE_B_192 AKM capability was indicated for all devices using the
nl80211 driver (without the QCA vendor specific AKM capability
indication). However, some devices can't handle Suite B 192 due to
insufficient ciphers supported. Add a check for CCMP-256 or GCMP-256
cipher support and only indicate SUITE_B_192 capability when such cipher
is supported. This allows compiling with CONFIG_SUITEB192 and still get
proper response to the 'GET_CAPABILITY key_mgmt' command. Under Android
it can also serve as a dynamic way for HAL to query platform for
WPA3-Enterprise 192-bit support.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
Addi STA node details in AP through QCA vendor subcommand
QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE vendor when processing FT
protocol roaming.
Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
To config BT coex chain mode, add a new QCA sub command
QCA_NL80211_VENDOR_SUBCMD_BTC_CHAIN_MODE.
This new command has two attributes:
1. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE: u32 attribute. Indicates the
BT coex chain mode, are 32-bit values from enum qca_btc_chain_mode.
2. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE_RESTART: flag attribute.
If set, vdev should be restarted once BT coex chain mode is updated.
Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
The QCA_NL80211_VENDOR_SUBCMD_OEM_DATA command was previously defined
only to pass data blobs from user space to kernel (application to
firmware) but there was no mechanism to send the data blobs from
firmware to application. Extend this to define use of the same
subcommand and attributes as vendor events.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If hostapd had existing STA SAE state, e.g., from a previously completed
SAE authentication, a new start of a separate SAE authentication (i.e.,
receiving of a new SAE commit) ended up using some of the previous
state. This is problematic for determining whether to H2E vs. looping
since the STA is allowed (even if not really expected to) to change
between these two alternatives. This could result in trying to use H2E
when STA was using looping to derive PWE and that would result in SAE
confirm failing.
Fix this by determining whether to use H2E or looping for the restarted
authentication based on the Status Code in the new SAE commit message
instead of previously cached state information.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This wrapper function is not used anymore, so drop it instead of trying
to figure out good way of implementing it in constant time with various
crypto libraries.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Remove support for performing full sqrt(), i.e., only support curves
that use prime with p = 3 mod 4. In practice, this drops only group 26
with SAE H2E. This seems acceptable since there does not seem to be any
strong use case for that group taken into account the limits being
placed on acceptable prime lengths.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The IE minimum length determination in hostapd_eid_ext_capab() was not
fully up to date with the hostapd_ext_capab_byte() conditions. This
could result in omitting some of the capability octets depending on
configuration. Fix this by adding the missing conditions.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If there are no post-provision discovery operations, we should continue
in find mode to avoid getting the p2p_find operation stopped (stuck in
SEARCH state) unexpectedly.
Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
Protect RSNXE, if present, in FT Reassociation Request/Response frames.
This is needed for SAE H2E with FT.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a single struct definition and a single shared implementation for
parsing EAPOL-Key KDEs and IEs instead of maintaining more or less
identical functionality separately for wpa_supplicant and hostapd.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
the AP configuration, require H2E to be used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the STA advertises RSN Extension element, it has to be advertised
consistently in the unprotected ((Re)Association Request) and protected
(EAPOL-Key msg 2/4) frames. Verify that this is the case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to be able to compare the received RSNXE to a protected
version in EAPOL-Key msg 2/4.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg
2/4 when using SAE with hash-to-element mechanism enabled. This allows
the AP to verify that there was no downgrade attack when both PWE
derivation mechanisms are enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE with
attributes qca_wlan_vendor_attr_add_sta_node_params to add STA peer
entries in AP mode. This vendor sub command is used in FT roaming
scenario to send STA node information from application/service to
driver/firmware. The attributes defined in enum
qca_wlan_vendor_attr_add_sta_node_params are used to deliver the
parameters.
Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
The OEM data binary blobs from application/service will be routed to the
appropriate device based on this attribute value. This optional
attribute is used to specify whether the device type is virtual or
physical. This attribute can be omitted when the command is for a
virtual device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some chipsets don't have the capability to run agile spectral scan with
160/80+80 MHz modes. Add separate agile spectral scanning capability
flags for 160, 80+80, and non-160 MHz modes to cover such cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In the SME-in-driver case, wpa_supplicant used only the selected SAE
auth_alg value as the trigger for enabling external authentication
support for SAE. This prevented the driver from falling back to full SAE
authentication if PMKSA caching was attempted (Open auth_alg selected)
and the cached PMKID had been dropped.
Enable external auth based on SAE/FT-SAE key_mgmt, rather than doing
this based on SAE auth_alg, so that the driver can go through full SAE
authentication in cases where PMKSA caching is attempted and it fails.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When operating on the 6 GHz band, add 6 GHz Operation Information inside
the HE Operation element and don't publish HT/VHT IEs.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
- Replace HOSTAPD_MODE_IEEE80211AX mode checks with is_6ghz_op_class()
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
Add support for new hardware mode for 6 GHz band. 6 GHz operation is
defined in IEEE P802.11ax/D4.3. 6 GHz band adds global operating classes
131-135 that define channels in frequency range from 5940 MHz to 7105
MHz.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
- Remove HOSTAPD_MODE_IEEE80211AX mode
- Replace check for HOSTAPD_MODE_IEEE80211AX with is_6ghz_freq()
- Move center_idx_to_bw_6ghz() to ieee802_11_common.c file
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
If the AP advertises RSN Extension element, it has to be advertised
consistently in the unprotected (Beacon and Probe Response) and
protected (EAPOL-Key msg 3/4) frames. Verify that this is the case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If hostapd is configured to enable only the hash-to-element version of
SAE PWE derivation (sae_pwe=1), advertise BSS membership selector to
indicate this.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This parameter can be used to specify which PWE derivation mechanism(s)
is enabled. This commit is only introducing the new parameter; actual
use of it will be address in separate commits.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These are the defined values/identifiers for SAE hash-to-element
mechanism from IEEE P802.11-REVmd/D3.0.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The initial crypto wrapper implementation for wolfSSL seems to have
included a copy-paste error in crypto_bignum_sub() implementation that
was identical to crypto_bignum_add() while mp_sub() should have been
used instead of mp_add().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The logic for displaying the message about no configuration being
available for the Enrollee was reversed when support for multiple Config
Objects was added. This was supposed to be shown only if the first
Config Object fails (i.e., when no configuration is available); not when
second attempt fails (since the first one had already been successful in
that case).
Fixes: 7eb06a3369 ("DPP2: Allow multiple Config Objects to be build on Configurator")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
hostapd is by default waiting STA to send SAE Confirm before sending the
SAE Confirm. This can now be configured with sae_confirm_immediate=1
resulting in hostapd sending out SAE Confirm immediately after sending
SAE Commit.
These are the two different message sequences:
sae_confirm_immediate=0
STA->AP: SAE Commit
AP->STA: SAE Commit
STA->AP: SAE Confirm
AP->STA: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response
sae_confirm_immediate=1
STA->AP: SAE Commit
AP->STA: SAE Commit
AP->STA: SAE Confirm
STA->AP: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add two new configuration parameters for hostapd:
enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
edmg_channel: Configure channel bonding for AP mode in the 60 GHz band
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
IEEE P802.11ay defines Enhanced Directional Multi-Gigabit (EDMG) STA and
AP which allow channel bonding of 2 channels and more.
nl80211 provides the driver's EDMG capabilities from the kernel
using two new attributes:
NL80211_BAND_ATTR_EDMG_CHANNELS - bitmap field that indicates the 2.16
GHz channel(s) that are supported by the driver.
NL80211_BAND_ATTR_EDMG_BW_CONFIG - represents the channel bandwidth
configurations supported by the driver.
The driver's EDMG capabilities are stored inside struct hostapd_hw_modes.
As part of the connect request and starting AP, EDMG parameters are
passed as part of struct hostapd_freq_params.
The EDMG parameters are sent to the kernel by using two new attributes:
NL80211_ATTR_WIPHY_EDMG_CHANNEL and NL80211_ATTR_WIPHY_EDMG_BW_CONFIG
which specify channel and bandwidth configuration for the driver to use.
This implementation is limited to CB2 (channel bonding of 2 channels)
and the bonded channels must be adjacent.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
The new use_akm_selector=1 value to Configurator parameters can now be
used to request a list of AKM suite selectors to be used in the
Configuration Object if the Enrollee supports version 2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process all received DPP Configuration Object attributes from
Configuration Result in Enrollee STA case. If wpa_supplicant is
configured to add networks automatically, this results in one network
being added for each included Configuration Object.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Special @CONF-OBJ-SEP@ string can now be used as a DPP configuration
string value to split the string into two different components to
configure two Config Objects for an Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit e820cf952f ("MFP: Add MFPR flag into station RSN IE if 802.11w
is mandatory") added indication of MFPR flag in non-FT cases and was
further extended to cover FT protocol in commit ded56f2faf ("FT: Fix
MFPR flag in RSNE during FT protocol"). Similar fix is needed for
FILS+FT as well.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows Data frames to be fully processed for the case where VLAN
tags are used on the wireless link.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Linux 2.6.32 (December 2009) introduced alternate netlink messages
for setting and installing keys, deprecating the older ones.
To allow hostapd/wpa_supplicant to use new features only provided via
the new API this patch migrates all netlink messages to the current ones.
Since the nl80211 driver was sometimes already using the new format this
is only unifying the netlink API usage and not changing the minimal
kernel requirement.
The following netlink attributes have been retired for key installs:
NL80211_ATTR_KEY_DATA
NL80211_ATTR_KEY_TYPE
NL80211_ATTR_KEY_SEQ
NL80211_ATTR_KEY_IDX
NL80211_ATTR_KEY_CIPHER
NL80211_ATTR_KEY_DEFAULT
NL80211_ATTR_KEY_DEFAULT_MGMT
NL80211_ATTR_KEY_DEFAULT_TYPES
And replaced by the following attributes nested in NL80211_ATTR_KEY:
NL80211_KEY_DATA
NL80211_KEY_TYPE
NL80211_KEY_SEQ
NL80211_KEY_IDX
NL80211_KEY_CIPHER
NL80211_KEY_DEFAULT
NL80211_KEY_DEFAULT_MGMT
NL80211_KEY_DEFAULT_TYPES
When getting Michael MIC failure notifications or querying a key
sequence number the kernel continues to use the old attributes:
NL80211_ATTR_KEY_TYPE
NL80211_ATTR_KEY_SEQ
NL80211_ATTR_KEY_IDX
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
PTKINITNEGOTIATING in the WPA state machine calls wpa_send_eapol() and
hands over the GTK instead of the PTK keyid.
Besides a confusing debug message this does not have any negative side
effects: The variable is only set to a wrong value when using WPA2 but
then it's not used.
With this patch PTKINITNEGOTIATING sets the PTK keyid unconditionally to
zero for EAPOL-Key msg 3/4 and differentiates more obviously between GTK
and PTK keyids.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
hostapd is only interested in RTM_IEEE80211.
wpa_supplicant is only interested in RTM_IEEE80211, RTM_IFINFO and
RTM_IFANNOUNCE.
This supports the NetBSD RO_MSGFILTER interface and the alternative
DragonFlyBSD/OpenBSD interface ROUTE_MSGFILTER.
Signed-off-by: Roy Marples <roy@marples.name>
When we set "channel=0" in hostapd.conf to enable ACS function, and set
a wrong channel list, e.g., chanlist=222-999 on purpose, hostapd would
still start ACS process to compute the ideal channel, even when there
are no available channels with such configuration.
Though there is no problem since hostapd fails to initialize interface,
it spends time going through the scan and the debug log entries may make
it more difficult to tell what was behind the failure.
Thus, check if there are any available channels in acs_request_scan(),
and return -1 if no available channel, then it will fail at acs_init(),
without doing ACS computation. It will show the following in the log:
Could not select hw_mode and channel. (-3)
wlan0: interface state UNINITIALIZED->DISABLED
Then we can know the setting is incorrect already in
hostapd_select_hw_mode(), instead of waiting for scan callback function
to know if the setting is ok for ACS or not. This can save time and help
to tell if the setting is correct at the initial function at the first.
This will also allow the ENABLE control interface command to return FAIL
when adding an interface dynamically.
Signed-off-by: Neo Jou <neojou@gmail.com>
Go through the received bandSupport JSON array and print its contents in
the debug log. This information might be exposed to upper layer
configuration generation/use somehow in the future.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Most of the time is spent in the CP state machine RETIRE state where LKI
is not set and OKI is the currently used SAK so OLPN needs to be checked
for PN exhaustion.
hostapd/wpa_supplicant implemented an interpretation of the standard as
described in a proposed amendment titled "MKA pending PN exhastion"
which was deemed to be wrong. This amendment was included in IEEE Std
802.1Xck-2018.
Signed-off-by: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
Most of the time is spent in the CP state machine RETIRE state where LKI
is not set and OKI is the currently used SAK, so OLPN needs to be
checked for PN exhaustion.
hostapd/wpa_supplicant implemented an interpretation of the standard as
described in a proposed amendment titled "MKA pending PN exhastion"
which was deemed to be wrong. This amendment was included in IEEE Std
802.1Xck-2018.
Signed-off-by: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
The associated SAs have been deleted and the key server has changed so
there's no point in keeping the key values.
Note that this isn't specified in IEEE Std 802.1X-2010.
Signed-off-by: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
Previously the ABANDON->RECEIVE state change was impossible and did not
match the CP state machine in IEEE Std 802.1X-2010 Figure 12-2.
Signed-off-by: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
The RECEIVE and RETIRE states were incorrect which can result in
incorrect information being advertised in SAKuse MKPDUs. Change these to
match IEEE Std 802.1X-2010, Figure 12-2 (CP state machine).
hostapd/wpa_supplicant implemented an interpretation of the standard as
described in a proposed amendment titled "MKA pending PN exhastion"
which was deemed to be wrong. This amendment was included in IEEE Std
802.1Xck-2018.
Signed-off-by: Thomas Winter <Thomas.Winter@alliedtelesis.co.nz>
This code block with dependency on PCSC_FUNCS was missed when conf->pin
was moved to conf->cert.pin. Fix this to get rid of compilation issues
with CONFIG_PCSC=y builds.
Fixes: b99c4cadb7 ("EAP peer: Move certificate configuration params into shared struct")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use the same rules for dropping driver notifications for Data frames
from unassociated stations as were added for Management frame reception.
This results in more consistent behavior in sending out Deauthentication
frames with Reason Code 6/7.
This case was already checking for unexpected multicast addresses, so
there was no issue for the PMF protections for unexpected disconnection.
Anyway, better avoid unnecessary Deauthentication frames consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be
used to set Configurator to request a station Enrollee to report
connection result after a successfully completed provisioning step. If
the peer supports this, the DPP-CONF-SENT event indicates this with a
new argument (wait_conn_status=1) and the Configurator remains waiting
for the connection result for up to 16 seconds.
Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event
is generated with arguments result, ssid, and channel_list indicating
what the Enrollee reported. result=0 means success while non-zero codes
are for various error cases as specified in the DPP tech spec. If no
report is received from the Enrollee, the event with "timeout" argument
is generated locally.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is more consistent with the use of CONFIG_DPP2 since the
Configuration Result message is sent only when using version 2 or newer.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If only one of the allocations fails, the successful allocation needs to
be freed on the error path.
Fixes: 22f90b32f1 ("DPP2: Configuration Result message generation and processing")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previous support in the 60 GHz band was for channels 1-4.
Add support for channels 5 and 6.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
maintained nor is there any expectation of the withdrawn trial-use
recommended practice to be maintained in the future. Furthermore,
implementation of IAPP in hostapd was not complete, i.e., only parts of
the recommended practice were included. The main item of some real use
long time ago was the Layer 2 Update frame to update bridges when a STA
roams within an ESS, but that functionality has, in practice, been moved
to kernel drivers to provide better integration with the networking
stack.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not process any received Management frames with unexpected/invalid SA
so that we do not add any state for unexpected STA addresses or end up
sending out frames to unexpected destination. This prevents unexpected
sequences where an unprotected frame might end up causing the AP to send
out a response to another device and that other device processing the
unexpected response.
In particular, this prevents some potential denial of service cases
where the unexpected response frame from the AP might result in a
connected station dropping its association.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows us to send the OBSS PD settings to the kernel, such that the
driver can propagate them to the hardware/firmware.
Signed-off-by: John Crispin <john@phrozen.org>
uClibc-ng optionally disabled deprecated POSIX functions like usleep,
causing compilation failures. This switches to nanosleep while retaining
support for older libcs that do not support nanosleep.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Update the documentation of QCA_ATTR_ROAM_CONTROL_SCAN_FREQ_LIST
to make it a nested attribute to carry frequencies of type u32.
This is to be in sync with the nl80211 attribute
NL80211_ATTR_SCAN_FREQUENCIES.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
With DFS offloaded to the driver, hostapd state and CAC info was not
updated in DFS-CAC-START event, so STATUS output showed wrong info. Fix
this by updating the CAC related state when processing the driver event.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to allow clean transition from one inner EAP
authentication method to another one if EAP method negotiation is needed
within Phase 2.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows EAP-TLS to be used within an EAP-TEAP tunnel when there is
an explicit request for machine credentials. The network profile
parameters are otherwise same as the Phase 1 parameters, but each one
uses a "machine_" prefix for the parameter name.
Signed-off-by: Jouni Malinen <j@w1.fi>
OCSP configuration is applicable to each instance of TLS-based
authentication and as such, the configuration might need to be different
for Phase 1 and Phase 2. Move ocsp into struct eap_peer_cert_config and
add a separate ocsp2 network profile parameter to set this for Phase 2.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow the previously hardcoded maximum numbers of EAP message rounds to
be configured in hostapd EAP server. This can be used, e.g., to increase
the default limits if very large X.509 certificates are used for EAP
authentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
These parameters for certificate authentication are identical for the
Phase 1 (EAP-TLS alone) and Phase 2 (EAP-TLS inside a TLS tunnel).
Furthermore, yet another copy would be needed to support separate
machine credential in Phase 2. Clean this up by moving the shared
parameters into a separate data struct that can then be used for each
need without having to define separate struct members for each use.
Signed-off-by: Jouni Malinen <j@w1.fi>
Set the max value of optional bytes inside the data structure. This
requires us to calculate the actually used size when copying the
HE capabilities and generating the IE.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
OSEN element was getting added both through the Authenticator IEs
(before some non-vendor elements) and separately at the end of the
frames with other vendor elements. Fix this by removing the separate
addition of the OSEN element and by moving the Authenticator IE addition
for OSEN to match the design used with WPA so that the vendor element
gets added in the proper place in the sequence of IEs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Even though the station is not supposed to include Hotspot 2.0
Indication element in the Association Request frame when connecting to
the open OSU BSS, some station devices seem to do so. With the strict
PMF-required-with-Hotspot-2.0-R2 interpretation, such connection
attempts were rejected. Relax this to only perform the PMF check if the
local AP configuration has PMF enabled, i.e., for the production BSS.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Merge the separate debug print with the text name of the EAP code into
the same debug line with the numerical value to clean up debug log.
Signed-off-by: Jouni Malinen <j@w1.fi>
Need to leave EAP-TEAP methodState == MAY_CONT when marking decision =
FAIL based on inner EAP method failure since this message will be
followed by protected failure indication.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new eap_teap_id=5 hostapd configuration parameter value can be used
to configure EAP-TEAP server to request and require user and machine
credentials within the tunnel. This can be done either with Basic
Password Authentication or with inner EAP authentication methods.
Signed-off-by: Jouni Malinen <j@w1.fi>
Track PMK-R0/PMK-R0-Name from the initial mobility domain association
and derive PMK-R1/PTK when the station uses FT protocol. This allows
frames from additional roaming cases to be decrypted.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows a separate machine credential to be used for authentication
if the server requests Identity-Type = 2 (machine).
Signed-off-by: Jouni Malinen <j@w1.fi>
This is an initial step in adding support for configuring separate user
and machine credentials. The new wpa_supplicant network profile
parameters machine_identity and machine_password are similar to the
existing identity and password, but explicitly assigned for the purpose
of machine authentication.
This commit alone does not change actual EAP peer method behavior as
separate commits are needed to determine when there is an explicit
request for machine authentication. Furthermore, this is only addressing
the username/password credential type, i.e., additional changes
following this design approach will be needed for certificate
credentials.
Signed-off-by: Jouni Malinen <j@w1.fi>
Be more consistent on checking all parameter allocation and copying
steps within radius_server_init() and abort startup if anything fails
instead of trying to continue with other parts of the configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use struct eap_config as-is within RADIUS server to avoid having to
duplicate all the configuration variables at each interface. This
continues cleanup on struct eap_config duplication in hostapd.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Crypto-Binding TLV is included without Intermediate-Result TLV in
this sequence since the server is skipping all inner authentication
methods and is only sending out Result TLV with the Crypto-Binding TLV.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.
Signed-off-by: Jouni Malinen <j@w1.fi>