4 years ago - Fixes for Heimdal (macOS) builds from Stefan. [master]
Mark Donnelly [Wed, 30 Aug 2017 13:44:50 +0000 (09:44 -0400)]
Fixes for Heimdal (macOS) builds from Stefan.

4 years ago - Bump the release number in
Dan Breslau [Wed, 2 Aug 2017 18:40:24 +0000 (18:40 +0000)]
Bump the release number in

4 years ago - Fixes for building on Centos 7
Dan Breslau [Wed, 2 Aug 2017 02:00:19 +0000 (02:00 +0000)]
Fixes for building on Centos 7

4 years ago - Bump version number to 1.0.1
Dan Breslau [Tue, 1 Aug 2017 23:33:26 +0000 (23:33 +0000)]
Bump version number to 1.0.1

4 years ago - Merge in workaround for broken Kerberos 10.x gssapi.h [origin/master]
Dan Breslau [Tue, 1 Aug 2017 18:20:48 +0000 (14:20 -0400)]
Merge in workaround for broken Kerberos 10.x gssapi.h

4 years ago - Fix for
Dan Breslau [Mon, 31 Jul 2017 16:32:02 +0000 (12:32 -0400)]
Fix for
(Crash in gss_get_mic in mech_eap on Debian 8)

Checking in patch submitted by Luke Howard (

4 years ago - Fix for building mech_eap on Centos 6. (This should also work for Debian 7.)
Dan Breslau [Fri, 28 Jul 2017 21:52:13 +0000 (17:52 -0400)]
Fix for building mech_eap on Centos 6. (This should also work for Debian 7.)
The version of gssapi.h that comes with krb5 10.x is broken: Some declarations
that should have been pointers were structs instead. This fix detects that
problem during configure, and provides #defines to redirect to the correct

4 years ago - Avoid MIT compat API when building with Heimdal
Luke Howard [Tue, 25 Jul 2017 23:11:14 +0000 (09:11 +1000)]
Avoid MIT compat API when building with Heimdal

This enables linking against the OS X Heimdal.framework

4 years ago - Bumped version number to 1.0.0
Dan Breslau [Mon, 24 Jul 2017 22:20:28 +0000 (18:20 -0400)]
Bumped version number to 1.0.0

4 years ago - Fix for (Infinite loop in tids exit...
Dan Breslau [Fri, 21 Jul 2017 13:59:04 +0000 (09:59 -0400)]
Fix for (Infinite loop in tids exit handlers)

Refactored the C++ static object whose destructor was unloading the libraries.
The shibresolver library is now unloaded by a "smaller" static object that is
created after shibresolver is loaded. Creating that object late means that it
will be destroyed earlier, before the static objects in the log4shib library
are destroyed.

5 years ago - Minor cleanups [v0.9.6] [v0.9.6.1] [v0.9.6.2]
Dan Breslau [Wed, 26 Oct 2016 01:13:23 +0000 (21:13 -0400)]
Minor cleanups

5 years ago - In eap_peer_tls_process_init, check (and ignore) data->ssl_ctx instead of
Dan Breslau [Wed, 26 Oct 2016 01:11:12 +0000 (21:11 -0400)]
In eap_peer_tls_process_init, check (and ignore) data->ssl_ctx instead of
sm->ssl_ctx. This is equivalent to what hostap_2.6 does, other than ignoring
the return value.

5 years ago - Merged the hostap_2.6 updates, and the Leap of Faith work, from the hostap_update...
Dan Breslau [Tue, 25 Oct 2016 20:30:32 +0000 (16:30 -0400)]
Merged the hostap_2.6 updates, and the Leap of Faith work, from the hostap_update branch

5 years ago - Minor cleanups [hostap_update]
Dan Breslau [Tue, 11 Oct 2016 21:12:36 +0000 (17:12 -0400)]
Minor cleanups

5 years ago - Updated to hostap_2_6
Dan Breslau [Mon, 10 Oct 2016 18:15:24 +0000 (14:15 -0400)]
Updated to hostap_2_6

5 years ago - GSSAPI status codes are bit-encoded, so print them in hex
Dan Breslau [Mon, 10 Oct 2016 16:40:36 +0000 (12:40 -0400)]
GSSAPI status codes are bit-encoded, so print them in hex

5 years ago - Ensure that we call the server_cert_cb, if present, for server certificates
Dan Breslau [Wed, 5 Oct 2016 17:30:52 +0000 (13:30 -0400)]
Ensure that we call the server_cert_cb, if present, for server certificates

5 years ago - Change version number to v2.6 for the release [hostap_2_6]
Jouni Malinen [Sun, 2 Oct 2016 18:51:11 +0000 (21:51 +0300)]
Change version number to v2.6 for the release

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Fix cfg80211_tx_frame test
Avraham Stern [Mon, 5 Sep 2016 14:33:11 +0000 (17:33 +0300)]
tests: Fix cfg80211_tx_frame test

In case that a dedicated P2P Device interface is used, a new interface
must be created for a P2P group. Thus, in order to send mgmt
frames, attach a new WpaSupplicant object to the newly created group
and use this object for sending the frames.

Signed-off-by: Avraham Stern <>
Signed-off-by: Andrei Otcheretianski <>

5 years ago - tests: Use global control interface to remove P2P networks
Ilan Peer [Mon, 5 Sep 2016 14:33:08 +0000 (17:33 +0300)]
tests: Use global control interface to remove P2P networks

Use the global control interface to remove P2P networks in
persistent_group_peer_dropped3 to support configurations that use a
dedicated P2P Device interface.

Signed-off-by: Ilan Peer <>

5 years ago - tests: Fix p2p_ext_vendor_elem_assoc test with P2P Device interface
Avraham Stern [Mon, 5 Sep 2016 14:33:06 +0000 (17:33 +0300)]
tests: Fix p2p_ext_vendor_elem_assoc test with P2P Device interface

For configurations that use a dedicated P2P Device interface, which
mandates that a separate interface is used for the P2P group, vendor
specific IE's must be added to the VENDOR_ELEM_P2P_* frame types in
order to be used by the P2P group interface. The VENDOR_ELEM_ASSOC_REQ
(13) parameter would need to be issued on the group interface which
would be challenging to do due to timing in case a separate group
interface gets used.

In case a dedicated P2P Device interface is used, don't include a test
for VENDOR_ELEM_ASSOC_REQ to avoid failing this part of the test case.

Signed-off-by: Avraham Stern <>

5 years ago - Fix PNO restart flow
Avraham Stern [Mon, 5 Sep 2016 14:33:03 +0000 (17:33 +0300)]
Fix PNO restart flow

PNO is sometimes restarted due to changes in scan parameters
(e.g., selected network changed or MAC randomization being
enabled/disabled). Restart is done by stopping PNO and immediately
starting it again. This may result in the SCHED_SCAN_STOPPED event being
received after the request for new PNO, which will make wpa_supplicant
believe PNO is not active although it actually is. As a result, the
next request to start PNO will fail because PNO is active and should be
stopped first.

Fix this by deferring the request to start PNO until the
SCHED_SCAN_STOPPED event is received in case sched_scan is being

Signed-off-by: Avraham Stern <>

5 years ago - Continue scanning if sched_scan stops unexpectedly
Avraham Stern [Mon, 5 Sep 2016 14:32:59 +0000 (17:32 +0300)]
Continue scanning if sched_scan stops unexpectedly

When scheduled scan stops without the interface request (for example,
driver stopped it unexpectedly), start a regular scan to continue
scanning for networks and avoid being left with no scan at all.

Signed-off-by: Avraham Stern <>

5 years ago - Remove disconnected APs from BSS table if likely out-of-range
David Spinadel [Mon, 5 Sep 2016 14:33:07 +0000 (17:33 +0300)]
Remove disconnected APs from BSS table if likely out-of-range

In some cases, after a sudden AP disappearing and reconnection to
another AP in the same ESS, if another scan occurs, wpa_supplicant might
try to roam to the old AP (if it was better ranked than the new one)
because it is still saved in BSS list and the blacklist entry was
cleared in previous reconnect. This attempt is going to fail if the AP
is not present anymore and it'll cause long disconnections.

Remove an AP that is probably out of range from the BSS list to avoid
such disconnections. In particular mac80211-based drivers use the
WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY reason code in locally generated
disconnection events for cases where the AP does not reply anymore.

Signed-off-by: David Spinadel <>

5 years ago - User should validate the server certificate, not the CA certificate
Dan Breslau [Fri, 30 Sep 2016 20:55:18 +0000 (16:55 -0400)]
User should validate the server certificate, not the CA certificate

5 years ago - tests: Fix ap_track_taxonomy to clear country code setting
Jouni Malinen [Fri, 30 Sep 2016 20:46:17 +0000 (23:46 +0300)]
tests: Fix ap_track_taxonomy to clear country code setting

This test case could have ended with the station devices still in US
regulatory domain and that could make a following test case fail in some
sequences. For example, "ap_track_taxonomy ibss_5ghz" sequence made
ibss_5ghz fail to see the regdom change event since there was not one
due to the US country code already being in use at the beginning of the
test case. Fix this by clearing the country code at the end of

Signed-off-by: Jouni Malinen <>

5 years ago - Restart PNO/sched_scan on channel list update
Arik Nemtsov [Tue, 27 Sep 2016 10:09:58 +0000 (13:09 +0300)]
Restart PNO/sched_scan on channel list update

As the scan channels might need to change when the channel list has been
updated by the kernel. Use the simulated sched_scan timeout
(wpas_scan_restart_sched_scan()) to handle a possible race where an
ongoing sched_scan has stopped asynchronously while trying to restart a
new sched_scan.

Signed-off-by: Arik Nemtsov <>

5 years ago - Fix spelling mistakes in number of comments
Nishant Chaprana [Fri, 30 Sep 2016 10:06:36 +0000 (15:36 +0530)]
Fix spelling mistakes in number of comments

Signed-off-by: Nishant Chaprana <>

5 years ago - Add explicit enum values for QCA vendor config attributes
Sunil Dutt [Fri, 30 Sep 2016 10:30:31 +0000 (16:00 +0530)]
Add explicit enum values for QCA vendor config attributes

This makes it easier to copy a subset of definitions without
accidentally getting mismatching values.

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Extend gas_anqp_get to cover MBO cases with non-MBO AP
Jouni Malinen [Thu, 29 Sep 2016 15:06:49 +0000 (18:06 +0300)]
tests: Extend gas_anqp_get to cover MBO cases with non-MBO AP

Signed-off-by: Jouni Malinen <>

5 years ago - MBO: Add support to send ANQP request to get cellular preference
vamsi krishna [Fri, 9 Sep 2016 12:05:50 +0000 (17:35 +0530)]
MBO: Add support to send ANQP request to get cellular preference

This extends ANQP_GET command to support querying MBO cellular
preference also. The cellular preference can be requested along with
neighbor report by appending mbo:1 to the command arguments.

For example:
ANQP_GET <bssid> 272,mbo:1

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Update server and user certificates (2015)
Jouni Malinen [Fri, 30 Sep 2016 19:03:40 +0000 (22:03 +0300)]
tests: Update server and user certificates (2015)

The previous versions expired, so need to re-sign these to fix number of
the EAP test cases.

Signed-off-by: Jouni Malinen <>

5 years ago - Implemented callback in libeap/src/crypto to allow mech_eap / ID Selector to ask...
Dan Breslau [Wed, 28 Sep 2016 22:39:33 +0000 (18:39 -0400)]
Implemented callback in libeap/src/crypto to allow mech_eap / ID Selector to ask user to confirm an unknown CA certificate

5 years ago - tests: Long P2P_LISTEN and offchannel TX
Jouni Malinen [Mon, 26 Sep 2016 21:43:27 +0000 (00:43 +0300)]
tests: Long P2P_LISTEN and offchannel TX

Signed-off-by: Jouni Malinen <>

5 years ago - Share a common helper function for restarting sched_scan
Jouni Malinen [Mon, 26 Sep 2016 21:09:33 +0000 (00:09 +0300)]
Share a common helper function for restarting sched_scan

This code sequence was already used at two different places (and an
additional one has been proposed), so add a common helper function to
avoid having to copy-paste this functionality in multiple locations.

Signed-off-by: Jouni Malinen <>

5 years ago - wpa_supplicant: Cancel sched_scan on SELECT_NETWORK initiated scan
Max Stepanov [Mon, 5 Sep 2016 14:32:58 +0000 (17:32 +0300)]
wpa_supplicant: Cancel sched_scan on SELECT_NETWORK initiated scan

If a scheduled scan is running on select network command,
cancel and reset it before kicking off a regular scan request.

Signed-off-by: Max Stepanov <>

5 years ago - QCA vendor command for antenna diversity feature
lifeng [Tue, 20 Sep 2016 07:38:16 +0000 (15:38 +0800)]
QCA vendor command for antenna diversity feature

The user space app uses QCA_NL80211_VENDOR_SUBCMD_GET_CHAIN_RSSI cmd to
get the corresponding antenna rssi value for the specific chain. And the
associated attributes are added to configure the antenna diversity and
related selftest.

Signed-off-by: Li Feng <>

5 years ago - Update ChangeLog files for v2.6
Jouni Malinen [Sun, 25 Sep 2016 18:08:18 +0000 (21:08 +0300)]
Update ChangeLog files for v2.6

This adds a summary of new changes since the last update.

Signed-off-by: Jouni Malinen <>

5 years ago - tests: WNM BSS Transition Management request getting rejected
Jouni Malinen [Sun, 25 Sep 2016 14:15:22 +0000 (17:15 +0300)]
tests: WNM BSS Transition Management request getting rejected

Signed-off-by: Jouni Malinen <>

5 years ago - tests: MBO and ignoring disallowed association
Jouni Malinen [Sun, 25 Sep 2016 14:06:23 +0000 (17:06 +0300)]
tests: MBO and ignoring disallowed association

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Fix a typo in a debug message (mbo_assoc_disallow)
Jouni Malinen [Sun, 25 Sep 2016 13:56:18 +0000 (16:56 +0300)]
tests: Fix a typo in a debug message (mbo_assoc_disallow)

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Update MBO test cases for non_pref_chan changes
Jouni Malinen [Sat, 24 Sep 2016 09:04:39 +0000 (12:04 +0300)]
tests: Update MBO test cases for non_pref_chan changes

The reason_detail field was removed from the implementation, so the test
cases need matching changes.

Signed-off-by: Jouni Malinen <>

5 years ago - MBO: Do not parse reason_detail in non_pref_chan attr (AP)
vamsi krishna [Fri, 23 Sep 2016 12:54:13 +0000 (18:24 +0530)]
MBO: Do not parse reason_detail in non_pref_chan attr (AP)

The reason detail field was removed from non_pref_chan attr in MBO
v0.0_r25 draft. Don't parse for this element to be compliant with the
latest draft.

Signed-off-by: Jouni Malinen <>

5 years ago - MBO: Do not add reason_detail in non_pref_chan attr (STA)
vamsi krishna [Fri, 23 Sep 2016 12:36:37 +0000 (18:06 +0530)]
MBO: Do not add reason_detail in non_pref_chan attr (STA)

The reason detail field in non_pref_chan attribute was removed from MBO
draft v0.0_r25, so the STA should not include this field to be compliant
with the latest draft.

Signed-off-by: Jouni Malinen <>

5 years ago - WNM: Add testing option to reject BSS Transition Management Request
vamsi krishna [Thu, 15 Sep 2016 08:35:53 +0000 (14:05 +0530)]
WNM: Add testing option to reject BSS Transition Management Request

For testing purposes, it is useful to have an option to be able to
reject BTM Request sent by AP in order to verify the AP behavior upon
BTM Request rejection.

Signed-off-by: Jouni Malinen <>

5 years ago - MBO: Add QCA vendor option to configure driver to ignore assoc disallow
vamsi krishna [Fri, 23 Sep 2016 13:33:42 +0000 (19:03 +0530)]
MBO: Add QCA vendor option to configure driver to ignore assoc disallow

MBO capable APs can set association disallowed in the Beacon/Probe
Response frames. For testing purposes, the STA needs to be configured to
not ignore the association disallowed set by APs and continue to connect
to such AP like non-MBO enabled STA. Add a QCA vendor attribute to
configure the driver to ignore association disallowed functionality.

Signed-off-by: Jouni Malinen <>

5 years ago - MBO: Add support to ignore association disallowed set by AP
vamsi krishna [Thu, 15 Sep 2016 07:40:58 +0000 (13:10 +0530)]
MBO: Add support to ignore association disallowed set by AP

Add a testing mechanism to allow association disallowed set by AP to be
ignored. This can be used to verify AP behavior for disallowing a
specific association.

Signed-off-by: Jouni Malinen <>

5 years ago - Add attributes for QCA_NL80211_VENDOR_SUBCMD_LL_STATS_EXT
Zhang Qian [Wed, 21 Sep 2016 09:23:08 +0000 (17:23 +0800)]
Add attributes for QCA_NL80211_VENDOR_SUBCMD_LL_STATS_EXT

More attributes are added for QCA_NL80211_VENDOR_SUBCMD_LL_STATS_EXT
1. Peer signal stats;
2. Peer TX stats;
3. Peer RX stats

Signed-off-by: Zhang Qian <>

5 years ago - IEEE P802.11ah/D10.0 PV1 CCMP test vectors
Jouni Malinen [Tue, 26 Apr 2016 13:51:09 +0000 (16:51 +0300)]
IEEE P802.11ah/D10.0 PV1 CCMP test vectors

Extend wlantest test_vectors to calculate test vectors for P802.11ah
Annex J.6.4.

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Add testcase for reconnect failure due to auth timeout
Mikael Kanstrup [Tue, 20 Sep 2016 06:40:06 +0000 (08:40 +0200)]
tests: Add testcase for reconnect failure due to auth timeout

Add testcase to verify a failed reconnect attempt due to authentication
timeout blacklists the correct AP. Driver capabilities are forced to
non-SME and driver roaming (BSS selection) mode.

Signed-off-by: Mikael Kanstrup <>

5 years ago - tests: Add testcase for (reassoc) roam failure due to auth timeout
Mikael Kanstrup [Tue, 20 Sep 2016 06:40:05 +0000 (08:40 +0200)]
tests: Add testcase for (reassoc) roam failure due to auth timeout

Add testcase to verify failed roaming attempt due to authentication
timeout blacklists the correct AP. Roaming attempt is performed
with the reassociate command and bssid_set=1. Driver capabilities
are forced to non-SME and driver roaming (BSS selection) mode.

Signed-off-by: Mikael Kanstrup <>

5 years ago - Add ignore_auth_resp control interface debug parameter
Mikael Kanstrup [Tue, 20 Sep 2016 06:40:04 +0000 (08:40 +0200)]
Add ignore_auth_resp control interface debug parameter

Implement "SET ignore_auth_resp <0/1>" command to simulate auth/assoc
response loss and EAPOL RX packet loss by ignoring corresponding
incoming events.

Signed-off-by: Mikael Kanstrup <>

5 years ago - nl80211: Remove unnecessary duplication from nl80211_set_param()
Jouni Malinen [Fri, 23 Sep 2016 09:19:57 +0000 (12:19 +0300)]
nl80211: Remove unnecessary duplication from nl80211_set_param()

There is no need to find bss->drv separately for each parameter, so do
this once at the beginning of the function.

Signed-off-by: Jouni Malinen <>

5 years ago - nl80211: Add driver parameter force_bss_selection
Mikael Kanstrup [Tue, 20 Sep 2016 06:40:03 +0000 (08:40 +0200)]
nl80211: Add driver parameter force_bss_selection

Add driver parameter command to force capability flag
WPA_DRIVER_FLAGS_BSS_SELECTION even if driver states otherwise. This is
mainly for testing purposes.

Signed-off-by: Mikael Kanstrup <>

5 years ago - Blacklist correct BSSID on authentication timeout
Mikael Kanstrup [Tue, 20 Sep 2016 06:40:07 +0000 (08:40 +0200)]
Blacklist correct BSSID on authentication timeout

If authentication times out while reassociating to same ESS incorrect
BSSID may end up being blacklisted. Use pending_bssid field on
authentication timeout and deauthentication to ensure the correct AP
gets blacklisted. This is mainly to address cases related to Android
framework roaming behavior.

Signed-off-by: Mikael Kanstrup <>

5 years ago - tests: Make pmksa_cache_{,opportunistic_}multiple_sta more robust
Jouni Malinen [Fri, 23 Sep 2016 13:02:46 +0000 (16:02 +0300)]
tests: Make pmksa_cache_{,opportunistic_}multiple_sta more robust

Clear wpa_supplicant scan cache before starting these test cases since
the ROAM command depends on the correct BSS entry being found.
scan_for_bss() does not enforce that correct entry to be present if
there was an earlier BSS entry with the same BSSID.

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Reset wlan5 device before RELOG command
Jouni Malinen [Fri, 23 Sep 2016 13:01:36 +0000 (16:01 +0300)]
tests: Reset wlan5 device before RELOG command

This moves the wpa_supplicant debug entries from the end of a test case
using a dynamically added wlan5 interface to the correct test case,
i.e., the test case that added the interface instead of whatever test
case happens to follow this.

Signed-off-by: Jouni Malinen <>

5 years ago - tests: WPA-PSK AP and only rsn_pairwise set
Jouni Malinen [Fri, 23 Sep 2016 08:45:55 +0000 (11:45 +0300)]
tests: WPA-PSK AP and only rsn_pairwise set

Signed-off-by: Jouni Malinen <>

5 years ago - P2P: Fix common frequencies calculation for a group
Ilan Peer [Mon, 5 Sep 2016 14:33:01 +0000 (17:33 +0300)]
P2P: Fix common frequencies calculation for a group

Ignore group members for which there is no supported channels
information when calculating common group frequencies.

Signed-off-by: Ilan Peer <>

5 years ago - tests: Skip wpas_ap_dfs when MCC > 1
Ilan Peer [Tue, 6 Sep 2016 06:52:41 +0000 (09:52 +0300)]
tests: Skip wpas_ap_dfs when MCC > 1

Skip wpas_ap_dfs in case that multi-channel is used, as
DFS operation is not supported in such a case.

Signed-off-by: Ilan Peer <>

5 years ago - P2P: Fix compilation warning in p2p_supplicant.c
Max Stepanov [Tue, 6 Sep 2016 06:44:33 +0000 (09:44 +0300)]
P2P: Fix compilation warning in p2p_supplicant.c

On some architectures unsigned int differs from size_t, and
some compilers warn about it.

Signed-off-by: Max Stepanov <>

5 years ago - Flush the BSS (scan) entries when an interface becomes disabled
Moshe Benji [Mon, 5 Sep 2016 14:32:55 +0000 (17:32 +0300)]
Flush the BSS (scan) entries when an interface becomes disabled

When an interface becomes disabled (e.g., when RF-kill becomes blocked)
we should clear the stored scan results to avoid maintaining stale

Fix this by flushing the BSS entries when an interface becomes

Signed-off-by: Moshe Benji <>

5 years ago - doc: Remove duplicate description for -t
Reiner Herrmann [Wed, 21 Sep 2016 19:54:01 +0000 (21:54 +0200)]
doc: Remove duplicate description for -t

Signed-off-by: Reiner Herrmann <>

5 years ago - tests: mode=mesh in STATUS
Jouni Malinen [Thu, 22 Sep 2016 20:20:48 +0000 (23:20 +0300)]
tests: mode=mesh in STATUS

Signed-off-by: Jouni Malinen <>

5 years ago - Show mode=mesh in STATUS command
Saurav Babu [Wed, 21 Sep 2016 14:25:26 +0000 (19:55 +0530)]
Show mode=mesh in STATUS command

Signed-off-by: Saurav Babu <>

5 years ago - Define a QCA vendor command to validate encryption engine
Srinivas Dasari [Wed, 21 Sep 2016 07:37:32 +0000 (13:07 +0530)]
Define a QCA vendor command to validate encryption engine

This command carries 802.11 header and payload along with key (TK) and
PN for encryption/decryption purpose. Firmware/driver encrypts/decrypts
the given data and sends to userspace as a response to the command. User
space component can validate the data received from the driver to unit
test the hardware's encryption engine.

Signed-off-by: Jouni Malinen <>

5 years ago - tests: AP tracking STA taxonomy
Jouni Malinen [Wed, 21 Sep 2016 18:22:58 +0000 (21:22 +0300)]
tests: AP tracking STA taxonomy

Signed-off-by: Jouni Malinen <>

5 years ago - taxonomy: Store Probe Request frames in hostapd_sta_info
Denton Gentry [Mon, 15 Aug 2016 04:42:49 +0000 (21:42 -0700)]
taxonomy: Store Probe Request frames in hostapd_sta_info

A weakness in the initial client taxonomy mechanism is from storing both
the Probe and Associate in struct sta_info. struct sta_info is created
after a client associates (or starts authentication frame exchange),
which means that any Probe Request frames sent prior to association are
not retained. The Associate Request frame has to be seen, and then
another Probe Request frame after association, before we have a
signature for the client.

Most clients send lots of Probe Request frames (lots and lots and lots
of Probes, actually), but a few do not. ChromeOS is notably sparing in
sending Probe Request frames, it can take a long time before a signature
for a ChromeOS device is available.

Store the most recent Probe Request frame in struct hostapd_sta_info
tracking list. When a struct sta_info is created, move the Probe Request
frame information from struct hostapd_sta_info to struct sta_info.

Signed-off-by: (Denton Gentry)
Signed-off-by: (Denton Gentry)
Signed-off-by: (Richard Frankel)
Signed-off-by: (Richard Frankel)

5 years ago - Passive Client Taxonomy
Denton Gentry [Mon, 15 Aug 2016 04:42:48 +0000 (21:42 -0700)]
Passive Client Taxonomy

Implement the signature mechanism described in the paper
"Passive Taxonomy of Wifi Clients using MLME Frame Contents"
published by Denton Gentry and Avery Pennarun.

This involves:
1. Add a CONFIG_TAXONOMY compile option. Enabling taxonomy incurs
   a memory overhead of up to several kilobytes per associated
2. If enabled, store the Probe Request and (Re)Associate Request frame in
   struct sta_info.
3. Implement code to extract the ID of each Information Element,
   plus selected fields and bitmasks from certain IEs, into a
   descriptive text string. This is done in a new source file,
4. Implement a "signature qq:rr:ss:tt:uu:vv" command
   in hostapd_cli to retrieve the signature.

Signatures take the form of a text string. For example, a signature
for the Nexus 5X is:

Signed-off-by: (Denton Gentry)
Signed-off-by: (Denton Gentry)
Signed-off-by: (Richard Frankel)
Signed-off-by: (Richard Frankel)

5 years ago - Initialize iface->sta_seen on allocation
Jouni Malinen [Wed, 21 Sep 2016 21:31:00 +0000 (00:31 +0300)]
Initialize iface->sta_seen on allocation

Previously, struct hostapd_iface sta_seen list head was initialized only
when completing interface setup. This left a window for operation that
could potentially iterate through the list before the list head has been
initialized. While the existing code checked iface->num_sta_seen to
avoid this case, it is much cleaner to initialize the list when struct
hostapd_iface is allocated to avoid any accidental missing of the extra
checks before list iteration.

Signed-off-by: Jouni Malinen <>

5 years ago - P2P: Fix D-Bus persistent parameter in group started event on GO
Jouni Malinen [Tue, 20 Sep 2016 15:00:22 +0000 (18:00 +0300)]
P2P: Fix D-Bus persistent parameter in group started event on GO

When starting a P2P GO, the struct p2p_go_neg_results may use
persistent_group == 2 to indicate use of persistent reconnect. Setting
ssid->p2p_persistent_group based on this did not take into account this
special case and that ended up in D-Bus code trying to encode 2 as a
DBUS_TYPE_BOOLEAN value which results in an assert from the library. Fix
this by setting ssid->p2p_persistent_group to 0 or 1 instead of raw
params->persistent_group value without any filtering.

This is similar to an earlier fix in commit
112fdee738d28c4e8bfb66ad7202d4348c4e7771 ('P2P: Fix D-Bus persistent
parameter in group started event') that addressed another code path in
sending out this D-Bus signal.

Signed-off-by: Jouni Malinen <>

5 years ago - Remove unused generation of Request Authenticator in Account-Request
Nick Lowe [Sun, 14 Aug 2016 14:40:11 +0000 (15:40 +0100)]
Remove unused generation of Request Authenticator in Account-Request

Do not generate an unused and invalid Request Authenticator (random
value) when constructing Accounting-Request packets. The correct Request
Authenticator is calculated subsequently in radius_msg_finish_acct()
using MD5(msg + shared secret).

Signed-off-by: Nick Lowe <>
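
The Accounting-Request authenticator calculation that the commit message above refers to, as an added example that is not code from hostap or from the commit. It follows the RFC 2866 layout, in which "msg" carries 16 zero octets in the Authenticator field while it is hashed; the function names, the secret and the attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code field value (RFC 2866)
ACCT_STATUS_TYPE = 40    # attribute type (RFC 2866)
ACCT_SESSION_ID = 44     # attribute type (RFC 2866)
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def acct_authenticator(code, identifier, length, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_accounting_request(identifier, attributes, secret):
    """Build a complete Accounting-Request; no random authenticator is needed."""
    attrs = b"".join(attributes)
    length = HEADER_LEN + len(attrs)
    auth = acct_authenticator(ACCOUNTING_REQUEST, identifier, length, attrs, secret)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, length) + auth + attrs


def replace_authenticator(packet, authenticator):
    """Return a copy of the packet with a different 16-octet Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    return packet[:4] + authenticator + packet[HEADER_LEN:]


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the hash and compare in constant time."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(packet):
        return False
    packet = packet[:length]  # octets beyond Length are padding and ignored
    expected = acct_authenticator(code, identifier, length,
                                  packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample input, not taken from any real deployment.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)),    # Acct-Status-Type = Start
    attr(ACCT_SESSION_ID, b"constructed-session-0001"),
]

if __name__ == "__main__":
    pkt = build_accounting_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)
    print("computed authenticator accepted:",
          verify_accounting_request(pkt, SAMPLE_SECRET))
    # A value that was not derived from the packet and the secret, such as a
    # random one, does not verify.
    arbitrary = replace_authenticator(pkt, bytes(range(16)))
    print("arbitrary authenticator accepted:",
          verify_accounting_request(arbitrary, SAMPLE_SECRET))
```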

5 years ago - Commented out or removed various unused definitions
Dan Breslau [Wed, 21 Sep 2016 17:39:42 +0000 (13:39 -0400)]
Commented out or removed various unused definitions

5 years ago - Move gssEapTraceStatus into its own C source file
Dan Breslau [Tue, 20 Sep 2016 23:09:09 +0000 (19:09 -0400)]
Move gssEapTraceStatus into its own C source file


5 years ago - tests: Setup wlantest once for qosmap tests
Jonathan Afek [Wed, 13 Jul 2016 17:06:05 +0000 (20:06 +0300)]
tests: Setup wlantest once for qosmap tests

Some tests call the check_qos_map() function more than once. Make sure
each test sets up wlantest only once before the first time the function
is called.

The wlantest setup sets the channel for the wlantest interface and
executes the wlantest executable. It is more efficient to do that only
once for each test.

Signed-off-by: Jonathan Afek <>

5 years ago - tests: Increase timeout for remote tests
Jonathan Afek [Wed, 13 Jul 2016 17:06:04 +0000 (20:06 +0300)]
tests: Increase timeout for remote tests

Some operations take longer time on real hardware than on hwsim. This
commit increases two timeouts so that the tests will pass on real
hardware, too.

Signed-off-by: Jonathan Afek <>

5 years ago - tests: Increase connection timeouts for remote tests
Jonathan Afek [Wed, 13 Jul 2016 17:06:03 +0000 (20:06 +0300)]
tests: Increase connection timeouts for remote tests

Use increased timeouts for connect and disconnect since these operations
take a longer time on real hardware than they do on hwsim.

Signed-off-by: Jonathan Afek <>

5 years ago - Revert "nl80211: Remove duplicated check in nl80211_setup_ap()"
Rafał Miłecki [Mon, 12 Sep 2016 17:28:22 +0000 (19:28 +0200)]
Revert "nl80211: Remove duplicated check in nl80211_setup_ap()"

This reverts commit 647862eb60c324015ea31293cc052558b5185ca4.

The second check of device_ap_sme looks like duplicated, but it isn't
actually. The trick is nl80211_create_monitor_interface may change that
variable value and the second evaluation may give a different result.

This definitely isn't a very clear code, but that change caused a
regression for drivers that:
1) Don't report NL80211_ATTR_DEVICE_AP_SME
2) Don't support monitor mode
3) Don't support subscribing for PROBE_REQ and/or ACTION frames
like brcmfmac. With such drivers hostapd doesn't start anymore.

Signed-off-by: Rafał Miłecki <>

5 years ago - Corrections to merged Makefile. gss-server and client both work with the resulting... [hostap_update_tmp]
Dan Breslau [Thu, 15 Sep 2016 22:58:33 +0000 (18:58 -0400)]
Corrections to merged Makefile. gss-server and client both work with the resulting mech_eap.

5 years ago - Updates to try to fix undefined symbol errors
Dan Breslau [Mon, 12 Sep 2016 20:05:29 +0000 (16:05 -0400)]
Updates to try to fix undefined symbol errors

5 years ago - Fix typos in wpa_supplicant configuration parameter documentation
Jouni Malinen [Sat, 10 Sep 2016 18:09:36 +0000 (21:09 +0300)]
Fix typos in wpa_supplicant configuration parameter documentation

Signed-off-by: Jouni Malinen <>

5 years ago - nl80211: Use the monitor interface only without device_ap_sme support
Sunil Dutt [Thu, 1 Sep 2016 16:44:36 +0000 (22:14 +0530)]
nl80211: Use the monitor interface only without device_ap_sme support

The places using drv->use_monitor were already skipping creation of the
monitor interface if drv->device_ap_sme == 0. This means that the
monitor interface operations would not have worked anyway and it is safe
to set drv->use_monitor to zero for all such cases. This fixes an issue
with management frame subscription not happening properly for the case
where the AP SME is in the driver and the driver supports monitor
interfaces (for other purposes).

This commit also removes the check for monitor support and the
previously used workaround that cleared drv->use_monitor in
drv->device_ap_sme == 1 case if monitor interface was not supported
since that condition cannot occur anymore.

Signed-off-by: Jouni Malinen <>

5 years ago - tests: Dynamic Interworking element update
Jouni Malinen [Thu, 8 Sep 2016 16:48:44 +0000 (19:48 +0300)]
tests: Dynamic Interworking element update

Signed-off-by: Jouni Malinen <>

5 years ago - FST: Fix search for peer's "other" connection
Dedy Lansky [Mon, 5 Sep 2016 11:41:00 +0000 (14:41 +0300)]
FST: Fix search for peer's "other" connection

Upon receiving FST Setup Request from some peer on some interface,
search is made to see if same peer is connected on other interface with
specific band_id. With multiple peers, bug in
fst_group_does_iface_appear_in_other_mbies() caused wrong peer address
to be returned sometimes.

Fix this with a modified, simplified search algorithm of peer's "other"

Signed-off-by: Dedy Lansky <>

5 years ago - Fix mistakes in definition of QCA vendor commands for indoor location
Lior David [Tue, 6 Sep 2016 13:16:42 +0000 (16:16 +0300)]
Fix mistakes in definition of QCA vendor commands for indoor location

Fix some mistakes in the previous commit for adding QCA vendor commands
for indoor location.

Note: The renamed enum value does not change the ABI, but the addition
of QCA_WLAN_VENDOR_ATTR_FTM_MEAS_INVALID in the beginning of enum
qca_wlan_vendor_attr_ftm_meas does renumber
QCA_WLAN_VENDOR_ATTR_FTM_MEAS_* values. The previous values were
committed yesterday and have not been used in any released code yet, so
this is a justifiable quick fix.

Signed-off-by: Lior David <>

5 years ago - Handle NULL return from os_zalloc() in sta_track_add()
Joel Cunningham [Fri, 2 Sep 2016 20:38:47 +0000 (15:38 -0500)]
Handle NULL return from os_zalloc() in sta_track_add()

This adds handling for a memory allocation failure in sta_track_add().

Signed-off-by: Joel Cunningham <>
5 years ago Add QCA vendor commands/attributes for indoor location
Lior David [Wed, 29 Jun 2016 14:05:39 +0000 (17:05 +0300)]
Add QCA vendor commands/attributes for indoor location

Assign QCA vendor specific commands, attributes, and events for
supporting indoor location features.

These features include:

1. Fine timing measurement (FTM) - allows measurement of distance
between two stations. Based on IEEE P802.11-REVmc/D7.0, 11.24.6 FTM is
performed between two stations: one is an initiator, typically a client
that wants to measure distance to another AP, and one is a responder,
typically an AP which responds to measurement requests from other
clients. The responder can be configured to report its location, either
in absolute coordinates (LCI) or free-form description (LCR).

2. Angle of arrival (AOA) - allows measurement of azimuth and elevation
between two stations.

The above features can be combined to allow a station to get an accurate
indoor location.

Signed-off-by: Lior David <>
5 years ago tests: FTM capability indication
Jouni Malinen [Mon, 5 Sep 2016 18:43:36 +0000 (21:43 +0300)]
tests: FTM capability indication

Signed-off-by: Jouni Malinen <>
5 years ago wpa_supplicant: Allow FTM functionality to be published
Lior David [Wed, 3 Aug 2016 14:53:21 +0000 (17:53 +0300)]
wpa_supplicant: Allow FTM functionality to be published

Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside wpa_supplicant. When
framework is activated, it will use wpa_supplicant to configure the
STA/AP to publish the FTM functionality. See IEEE P802.11-REVmc/D7.0,

Signed-off-by: Lior David <>
5 years ago hostapd: Allow FTM functionality to be published
Lior David [Wed, 3 Aug 2016 14:41:53 +0000 (17:41 +0300)]
hostapd: Allow FTM functionality to be published

Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside hostapd. When framework is
activated, it will use hostapd to configure the AP to publish the FTM
functionality. See IEEE P802.11-REVmc/D7.0,

Signed-off-by: Lior David <>
5 years ago tests: VHT with 80 MHz channel width and use_sta_nsts=1
Jouni Malinen [Mon, 5 Sep 2016 18:16:40 +0000 (21:16 +0300)]
tests: VHT with 80 MHz channel width and use_sta_nsts=1

Signed-off-by: Jouni Malinen <>
5 years ago hostapd: Use stations nsts capability in (Re)Association Response frame
Tamizh chelvam [Wed, 31 Aug 2016 14:15:47 +0000 (19:45 +0530)]
hostapd: Use stations nsts capability in (Re)Association Response frame

Some deployed stations incorrectly consider nsts capability in
(Re)Association Response frame as required capability instead of maximum
capability and if it is greater than station's capability then beamform
will not happen in uplink traffic.

This commit adds support for an optional workaround to use station's
nsts capability in (Re)Association Response frame if the station's nsts
is less than AP by using the use_sta_nsts=1 configuration parameter.
This configuration is introduced in this commit and it is disabled by

Signed-off-by: Tamizh chelvam <>
5 years ago QCA vendor subcommand for LL_STATS extension
Zhang Qian [Mon, 5 Sep 2016 08:22:38 +0000 (16:22 +0800)]
QCA vendor subcommand for LL_STATS extension

Some user space monitor wants to offload link layer statistics to
firmware. A new command QCA_NL80211_VENDOR_SUBCMD_LL_STATS_EXT and
associated attributes are added. The monitor will use this new command
to configure monitoring parameters and get link layer statistics.
Attributes added in this change:
1. Parameters for FW to trigger the statistics report
2. Peer STA power state
3. TX failure statistics

Signed-off-by: Zhang Qian <>
5 years ago More things to ignore
Dan Breslau [Fri, 2 Sep 2016 17:04:41 +0000 (13:04 -0400)]
More things to ignore

5 years ago Updated through tag hostap_2_5 from git://
Dan Breslau [Fri, 2 Sep 2016 17:02:24 +0000 (13:02 -0400)]
Updated through tag hostap_2_5 from git://

5 years ago D-Bus: Add ConfigFile parameter into the interface properties
Jose Blanquicet [Tue, 23 Aug 2016 12:16:00 +0000 (14:16 +0200)]
D-Bus: Add ConfigFile parameter into the interface properties

This patch aims to expose the configuration file path as an interface
property, like is done with the driver and the bridge name. Doing so,
higher layer programs become responsible to recreate interfaces with the
correct configuration file path when programs need to remove them.

Signed-off-by: Jose Blanquicet <>
5 years ago mka: Clean up key allocation
Sabrina Dubroca [Fri, 12 Aug 2016 13:07:35 +0000 (15:07 +0200)]
mka: Clean up key allocation

Assign cs in ieee802_1x_mka_decode_dist_sak_body and reuse it.

Cleanup of key allocation: ieee802_1x_kay_generate_new_sak() and
ieee802_1x_mka_decode_dist_sak_body() both allocate a struct key_conf,
fill it, and ask ieee802_1x_kay_init_data_key() to allocate and set up a
struct data_key. They also allocate multiple key buffers and copy the
same data around. Stop moving data from buffer to buffer, and just
allocate what we really need.

Signed-off-by: Sabrina Dubroca <>
5 years ago mka: Get rid of struct ieee802_1x_cp_conf
Sabrina Dubroca [Fri, 12 Aug 2016 13:07:35 +0000 (15:07 +0200)]
mka: Get rid of struct ieee802_1x_cp_conf

Instead of copying from kay to a temporary struct, and then from the
struct to the sm, just copy from kay to cp.

Signed-off-by: Sabrina Dubroca <>
5 years ago mka: Store cipher suite ID in a u64 instead of u8 pointer
Sabrina Dubroca [Fri, 12 Aug 2016 13:07:35 +0000 (15:07 +0200)]
mka: Store cipher suite ID in a u64 instead of u8 pointer

Signed-off-by: Sabrina Dubroca <>
5 years ago mka: Make csindex unsigned
Jouni Malinen [Mon, 22 Aug 2016 18:02:40 +0000 (21:02 +0300)]
mka: Make csindex unsigned

This avoids unnecessary typecasting while still being able to compare
the value to CS_TABLE_SIZE without compiler warnings.

Signed-off-by: Jouni Malinen <>