mech_eap.git
8 years ago PMKSA: Show AP/mesh PMKSA list in PMKSA command
Masashi Honma [Wed, 9 Mar 2016 09:16:12 +0000 (18:16 +0900)]
PMKSA: Show AP/mesh PMKSA list in PMKSA command

This extends the wpa_supplicant PMKSA control interface command to allow
the PMKSA list from the authenticator side to be listed for AP and mesh
mode. In addition, this adds a hostapd PMKSA control interface command
to show the same list for the AP case.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
8 years ago mesh: Add MESH_PEER_ADD command
Masashi Honma [Wed, 9 Mar 2016 09:16:11 +0000 (18:16 +0900)]
mesh: Add MESH_PEER_ADD command

This allows a mesh peer connection to be initiated manually in
no_auto_peer mesh networks.

Signed-off-by: Natsuki Itaya <Natsuki.Itaya@jp.sony.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
8 years ago mesh: Add MESH_PEER_REMOVE command
Masashi Honma [Wed, 9 Mar 2016 09:16:10 +0000 (18:16 +0900)]
mesh: Add MESH_PEER_REMOVE command

This command allows the specified mesh peer to be disconnected.

Signed-off-by: Natsuki Itaya <Natsuki.Itaya@jp.sony.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
8 years ago P2P: Advertise IP Address Allocation only if it is enabled on GO
Jouni Malinen [Sun, 20 Mar 2016 09:46:04 +0000 (11:46 +0200)]
P2P: Advertise IP Address Allocation only if it is enabled on GO

This group capability bit was previously added unconditionally which
could result in the P2P Client assuming the functionality is available
even though the GO would always reject the request (not reply to it with
an assigned IP address) during the 4-way handshake.

Fix this by advertising the capability only if the GO configuration
allows IP address assignment to be completed.

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago BSD: Only down the interface once we are sure we can work with it
Roy Marples [Tue, 15 Mar 2016 10:39:24 +0000 (10:39 +0000)]
BSD: Only down the interface once we are sure we can work with it

Signed-off-by: Roy Marples <roy@marples.name>
8 years ago Handle OSEN IE in Assoc Request info if req_ies exists
Daisuke Niwa [Wed, 16 Mar 2016 06:01:59 +0000 (15:01 +0900)]
Handle OSEN IE in Assoc Request info if req_ies exists

The 4-way handshake fails with the error "WPA: No wpa_ie set - cannot
generate msg 2/4" while connecting to OSEN network with drivers that
indicate used Association Request frame elements because OSEN IE is not
handled in wpa_supplicant_event_associnfo() if data->assoc_info.req_ies
is not NULL.

Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
8 years ago tests: Return result from WpaSupplicant::global_request() in all cases
Jouni Malinen [Sun, 20 Mar 2016 09:08:12 +0000 (11:08 +0200)]
tests: Return result from WpaSupplicant::global_request() in all cases

The no self.global_iface case was not returning the result from the
self.request() case. While this is not really a path that is supposed to
be used, make it return the response since it is at least theoretically
possible to get here.

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago nl80211: Fix error path in if_indices_reason reallocation
Jouni Malinen [Fri, 18 Mar 2016 14:25:35 +0000 (16:25 +0200)]
nl80211: Fix error path in if_indices_reason reallocation

Commit 732b1d20ec06ab92fd22dbdea4609a6528bcf50a ('nl80211: Clean up
ifidx properly if interface in a bridge is removed') added
drv->if_indices_reason array similarly to the previously used
drv->if_indices. However, it had a copy-paste error here on the error
path where a reallocation failure after at least one successful
reallocation would result in the drv->if_indices being overridden
instead of restoring drv->if_indices_reason to the old value. Fix this
by setting the correct variable on the error path. (CID 138514)

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago tests: wpa_supplicant AP mode - open network and HT disabled
Jouni Malinen [Fri, 18 Mar 2016 14:18:32 +0000 (16:18 +0200)]
tests: wpa_supplicant AP mode - open network and HT disabled

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago nl80211: Do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
Jouni Malinen [Fri, 18 Mar 2016 14:16:40 +0000 (16:16 +0200)]
nl80211: Do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled

SMPS mode is applicable only for HT and including an attribute to
configure it when HT is disabled could result in the AP start operation
failing. Fix this by adding the attribute only in cases where HT is
enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago Assign QCA vendor command and attribute for Tx/Rx aggregation
Sunil Dutt [Thu, 17 Mar 2016 14:43:11 +0000 (20:13 +0530)]
Assign QCA vendor command and attribute for Tx/Rx aggregation

Assign nl80211 vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_TXRX_AGGREGATION and corresponding
attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago libxml2: Check for xmlDocDumpFormatMemory() error case
Jouni Malinen [Wed, 16 Mar 2016 19:49:28 +0000 (21:49 +0200)]
libxml2: Check for xmlDocDumpFormatMemory() error case

Since this function needs to allocate memory, it might fail. Check that
the returned memory pointer is not NULL before trying to parse the
output.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr()
Jouni Malinen [Wed, 16 Mar 2016 19:34:01 +0000 (21:34 +0200)]
BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr()

While this function could return NULL if the parameter issued to it were
NULL, that does not really happen here. Anyway, since this can result in
a warning from a static analyzer that can see the return NULL
without fully understanding what it means here, check the return value
explicitly against NULL to avoid false warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago hs20-osu-client: Fix pol_upd command line parsing
Jouni Malinen [Wed, 16 Mar 2016 19:25:11 +0000 (21:25 +0200)]
hs20-osu-client: Fix pol_upd command line parsing

This command was documented as having the Server URL parameter as
optional, but the implementation did not match that. Allow this
parameter to be left out.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago hs20-osu-client: Remove dead code from sub_rem command line parsing
Jouni Malinen [Wed, 16 Mar 2016 19:19:19 +0000 (21:19 +0200)]
hs20-osu-client: Remove dead code from sub_rem command line parsing

The error print could not have been reached since the exact same
condition was verified above and exit(0) is called if the command line
is invalid.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago tests: EAP-SIM and check fast reauth with bssid change
Jouni Malinen [Wed, 16 Mar 2016 17:46:27 +0000 (19:46 +0200)]
tests: EAP-SIM and check fast reauth with bssid change

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago Do not invalidate EAP session cache on all network block parameter changes
Jouni Malinen [Wed, 16 Mar 2016 17:44:32 +0000 (19:44 +0200)]
Do not invalidate EAP session cache on all network block parameter changes

The bssid and priority parameters in a network block do not have any
effect on the validity of an EAP session entry, so avoid flushing the
cached session when only these parameters are changed. This is mainly to
allow forced roaming or network selection changes without causing fast
reauthentication to be disabled if the changes are done during RSN
association that used EAP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago wlantest: Fix bip_protect() memory allocation
Jouni Malinen [Mon, 14 Mar 2016 16:42:46 +0000 (18:42 +0200)]
wlantest: Fix bip_protect() memory allocation

The addition operator is of higher precedence than the ternary
conditional and the construction here needs to use parentheses to
calculate the buffer length properly when generating test frames with
BIP protection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
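
The precedence problem described in the commit message above, shown as an added example that is not code from this commit or from wlantest: plen_before(), plen_after(), append_mmie(), protect_frame() and the sample frame are hypothetical names and constructed data, and the exact expression in wlantest may differ. A bounds-checked writer reports the undersized buffer instead of writing past it; the MIC bytes are left zeroed because only the length calculation is the subject here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EID_MMIE 76 /* Management MIC element ID */

/* Constructed 26-byte Deauthentication frame: 24-byte header + reason code. */
static const uint8_t sample_deauth[26] = {
	0xc0, 0x00, 0x00, 0x00,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* addr1 */
	0x02, 0x00, 0x00, 0x00, 0x01, 0x00, /* addr2 */
	0x02, 0x00, 0x00, 0x00, 0x01, 0x00, /* addr3 */
	0x10, 0x00,                         /* sequence control */
	0x07, 0x00                          /* reason code */
};

/* Without parentheses this parses as ((len + mic_len) == 16) ? 26 : 18,
 * so the result is 18 or 26 no matter how long the frame is. */
static size_t plen_before(size_t len, size_t mic_len)
{
	return len + mic_len == 16 ? 26 : 18;
}

/* Intended calculation: frame length plus the MMIE (18 or 26 octets). */
static size_t plen_after(size_t len, size_t mic_len)
{
	return len + (mic_len == 16 ? 26 : 18);
}

/* Copy the frame and append an MMIE with a zeroed MIC placeholder.
 * Returns the number of bytes written, or -1 if out is too small. */
static int append_mmie(uint8_t *out, size_t out_len, const uint8_t *frame,
		       size_t len, size_t mic_len, uint16_t keyid,
		       const uint8_t ipn[6])
{
	size_t mmie_len = 2 + 2 + 6 + mic_len; /* hdr + Key ID + IPN + MIC */
	uint8_t *pos;

	if (mic_len != 8 && mic_len != 16)
		return -1;
	if (out_len < len || out_len - len < mmie_len)
		return -1; /* an unchecked memcpy would overflow the heap here */

	memcpy(out, frame, len);
	pos = out + len;
	*pos++ = EID_MMIE;
	*pos++ = (uint8_t) (mmie_len - 2);
	*pos++ = (uint8_t) (keyid & 0xff);
	*pos++ = (uint8_t) (keyid >> 8);
	memcpy(pos, ipn, 6);
	pos += 6;
	memset(pos, 0, mic_len);
	pos += mic_len;
	return (int) (pos - out);
}

/* Allocate with either length calculation and try to build the frame. */
static int protect_frame(const uint8_t *frame, size_t len, size_t mic_len,
			 int fixed)
{
	static const uint8_t ipn[6] = { 1, 0, 0, 0, 0, 0 };
	size_t plen = fixed ? plen_after(len, mic_len) :
		plen_before(len, mic_len);
	uint8_t *buf = calloc(1, plen);
	int res;

	if (buf == NULL)
		return -1;
	res = append_mmie(buf, plen, frame, len, mic_len, 4, ipn);
	free(buf);
	return res;
}

int main(void)
{
	size_t len = sizeof(sample_deauth);

	printf("before: plen=%zu result=%d\n", plen_before(len, 16),
	       protect_frame(sample_deauth, len, 16, 0));
	printf("after:  plen=%zu result=%d\n", plen_after(len, 16),
	       protect_frame(sample_deauth, len, 16, 1));
	/* The bug hides when len + mic_len happens to be 16 and MIC is 8. */
	printf("len=8, mic=8 before: result=%d\n",
	       protect_frame(sample_deauth, 8, 8, 0));
	return 0;
}
```
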
8 years ago Interworking: Add credential realm to EAP-TLS identity
Jouni Malinen [Fri, 11 Mar 2016 18:18:51 +0000 (20:18 +0200)]
Interworking: Add credential realm to EAP-TLS identity

If the configured credential includes a username without '@' (i.e., no
realm) in it and a realm, combine these to form the EAP-Request/Identity
value as "<username>@<realm>" for EAP-TLS. This was already done for
EAP-TTLS as part of the anonymous NAI conversion, but EAP-TLS could have
ended up using a username without any realm information which would be
unlikely to work properly with roaming cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago tests: Accept "user@example.com" as user identity similarly to "user"
Jouni Malinen [Fri, 11 Mar 2016 19:05:25 +0000 (21:05 +0200)]
tests: Accept "user@example.com" as user identity similarly to "user"

This is needed to allow updated Interworking behavior that adds the
realm to the EAP-Response/Identity value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago nl80211: Support network hierarchy of a master interface under bridge
Dedy Lansky [Sun, 28 Feb 2016 13:54:17 +0000 (15:54 +0200)]
nl80211: Support network hierarchy of a master interface under bridge

Since commit cb05808c46539922cf02e9e8527a062e90637ff9 ('nl80211: Generic
Linux master interface support for hostapd'), hostapd is listening for
EAPOL frames on any master which the interface is enslaved under.

This commit allows hostapd to support network hierarchy in which the
interface is enslaved under some master which in turn is enslaved under
a bridge.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
8 years ago tests: Set ocsp_stapling_response_multi in as2.conf
Jouni Malinen [Wed, 9 Mar 2016 17:39:15 +0000 (19:39 +0200)]
tests: Set ocsp_stapling_response_multi in as2.conf

This keeps the as.conf and as2.conf more consistent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago tests: Fix root_ocsp() for multi-OCSP test cases
Jouni Malinen [Wed, 9 Mar 2016 17:38:26 +0000 (19:38 +0200)]
tests: Fix root_ocsp() for multi-OCSP test cases

Incorrect path and file name were used in the openssl command to generate
one of the OCSP responses. Also fix
ap_wpa2_eap_tls_intermediate_ca_ocsp_multi to expect success rather than
failure due to OCSP response. Based on the test description, this was
supposed to succeed, but apparently that root_ocsp() bug prevented this
from happening.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago Reserve QCA vendor specific nl80211 commands 116..118
Jouni Malinen [Tue, 8 Mar 2016 21:08:45 +0000 (23:08 +0200)]
Reserve QCA vendor specific nl80211 commands 116..118

These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago hostapd: Handle running out of DFS channels
Zefir Kurtisi [Mon, 7 Mar 2016 11:47:01 +0000 (12:47 +0100)]
hostapd: Handle running out of DFS channels

In scenarios where only DFS channels are available (e.g., outdoor,
special country codes), hostapd must be able to handle situations
where all are unavailable.

The two possibilities to get there are
1) while operating on the last available DFS channel a radar is
   detected
2) hostapd is started while all channels are unavailable

In both cases, hostapd, instead of terminating, should rather
wait for the NOPs to pass and re-try operation after the CAC.

This patch provides that feature by using the condition
(iface->state == HAPD_IFACE_DFS && !iface->cac_started)
as NOP mode signature to retry operation from within
hostapd_dfs_nop_finished().

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
8 years ago FST: Fix session setup failure with peer without MB IE
Dedy Lansky [Mon, 7 Mar 2016 13:22:54 +0000 (15:22 +0200)]
FST: Fix session setup failure with peer without MB IE

Upon receiving FST setup request on old band, the peer is searched on
new band. The assumption is that MB IE from this peer on new band was
previously received either in assoc event or in FST setup request.

There are cases in which above assumption doesn't work, peer is not
found and session setup fails. For example:
- STA connects over 11ac. Due to driver limitation, MB IE is not included
in assoc event
- STA connects over 11ad. MB IE included in assoc event.
- FST session established on 11ac band, with AP as initiator. i.e. FST
setup request sent in AP=>STA direction. STA searches for peer's (AP)
MB IE on 11ad band which exists.
- FST switch occurs
- FST session established on 11ad band, with STA as initiator. i.e. FST
setup request sent in STA=>AP direction. AP searches for peer's (STA)
MB IE on 11ac band which is absent.

For fixing the above, consider also peers without MB IE as candidates in
the search algorithm.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
8 years ago P2P: Add optional op_class argument to P2P_SET listen_channel
Lior David [Thu, 18 Feb 2016 13:20:03 +0000 (15:20 +0200)]
P2P: Add optional op_class argument to P2P_SET listen_channel

The existing implementation in p2p_ctrl_set used a hard-coded operating
class 81 which is only suitable for the social channels in the 2.4 GHz
band, and will not work for the social channel in the 60 GHz band.
Extend this by adding an optional op_class argument to P2P_SET
listen_channel. If not specified, use the default value of 81 to match
existing behavior.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
8 years ago P2P: Adjust service discovery maximum fragment size for 60 GHz
Lior David [Wed, 24 Feb 2016 15:02:29 +0000 (17:02 +0200)]
P2P: Adjust service discovery maximum fragment size for 60 GHz

In the 60 GHz band, service discovery management frames are sent over
the control PHY and have a smaller maximum frame size (IEEE Std
802.11ad-2012, 21.4.3.2). Fix the code to use sufficiently small
fragment size when operating in the 60 GHz band.

The 60 GHz fragment size (928) is derived from the maximum frame size
for control PHY (1023) and subtracting 48 bytes of header size, and some
spare so we do not reach frames with the absolute maximum size.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
8 years ago tests: Add tests for HS 2.0 frame filtering
Johannes Berg [Fri, 27 Nov 2015 13:15:26 +0000 (14:15 +0100)]
tests: Add tests for HS 2.0 frame filtering

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
8 years ago tests: Add a test for mesh gate forwarding
Bob Copeland [Sun, 28 Feb 2016 01:51:25 +0000 (20:51 -0500)]
tests: Add a test for mesh gate forwarding

This test checks that mesh nodes forward frames for unknown
destinations to the mesh gates.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
8 years ago tests: D-Bus AssocStatusCode
Jouni Malinen [Sun, 6 Mar 2016 18:54:16 +0000 (20:54 +0200)]
tests: D-Bus AssocStatusCode

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago D-Bus: Add association response status code property for failure cases
Naveen Singh [Thu, 3 Mar 2016 18:48:09 +0000 (10:48 -0800)]
D-Bus: Add association response status code property for failure cases

(Re)Association Response frame with status code other than 0 is now
notified over DBUS as a part of PropertiesChanged signal. This can be
used by application in case AP is denying association with status code
17 (band steering) so that it does not interfere in the BSSID selection
logic of wpa_supplicant.

Signed-off-by: Naveen Singh <nasingh@google.com>
8 years ago hostapd: Use ifname of the current context in debug messages
Eliad Peller [Sun, 6 Mar 2016 09:42:38 +0000 (11:42 +0200)]
hostapd: Use ifname of the current context in debug messages

In case of multiple BSS configuration, return the current interface
name, instead of the first one.

Signed-off-by: Eliad Peller <eliad@wizery.com>
8 years ago hostapd: Allow use of driver-generated interface addresses
Eliad Peller [Sun, 6 Mar 2016 09:42:37 +0000 (11:42 +0200)]
hostapd: Allow use of driver-generated interface addresses

Add a new 'use_driver_iface_addr' configuration parameter to allow use
of the default interface address generated by the driver on interface
creation. This can be useful when specific MAC addresses were allocated
to the device and we want to use them for multi-BSS operation.

Signed-off-by: Eliad Peller <eliad@wizery.com>
8 years ago AP: Save EAPOL received before Association Response ACK
Eliad Peller [Sun, 6 Mar 2016 09:29:16 +0000 (11:29 +0200)]
AP: Save EAPOL received before Association Response ACK

There is a race condition in which AP might receive the EAPOL-Start
frame (from the just-associated station) before the TX completion of the
Association Response frame. This in turn will cause the EAPOL-Start
frame to get dropped, and potentially failing the connection.

Solve this by saving EAPOL frames from authenticated-but-not-associated
stations, and handling them during the Association Response frame TX
completion processing.

Signed-off-by: Eliad Peller <eliad@wizery.com>
8 years ago tests: Add hostapd.py helpers for various radio parameters
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:41 +0000 (10:20 +0100)]
tests: Add hostapd.py helpers for various radio parameters

Add support for generating hostapd parameters for
b_only/g_only/a_only/HT20/HT40/VHT80.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago tests: Add terminate support for hostapd/wpa_supplicant
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:40 +0000 (10:20 +0100)]
tests: Add terminate support for hostapd/wpa_supplicant

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago wpaspy: Add support for TERMINATE command
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:39 +0000 (10:20 +0100)]
wpaspy: Add support for TERMINATE command

This can be used to terminate the wpa_supplicant/hostapd process.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago tests: Add HostapdGlobal.get_ctrl_iface_port()
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:38 +0000 (10:20 +0100)]
tests: Add HostapdGlobal.get_ctrl_iface_port()

This adds a method to get the UDP port for an interface.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago tests: Add UDP ctrl_iface support to hostapd.py
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:35 +0000 (10:20 +0100)]
tests: Add UDP ctrl_iface support to hostapd.py

Allow use of a remote host using wpaspy.Ctrl with UDP ctrl_iface
support.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago tests: Add UDP ctrl_iface support to wpasupplicant.py
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:34 +0000 (10:20 +0100)]
tests: Add UDP ctrl_iface support to wpasupplicant.py

Allow use of a remote host using wpaspy.Ctrl with UDP ctrl_iface
support.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago wpaspy: Add support for UDP connection
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:32 +0000 (10:20 +0100)]
wpaspy: Add support for UDP connection

hostname and port can now be specified when using wpaspy.Ctrl, so we can
connect to remote clients now.

This can also be tested using test.py application with
./test.py <hostname> <port>

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago hostapd: Add global TERMINATE command
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:30 +0000 (10:20 +0100)]
hostapd: Add global TERMINATE command

This will terminate the hostapd process.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago hostapd: Add INTERFACES ctrl_iface command
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:29 +0000 (10:20 +0100)]
hostapd: Add INTERFACES ctrl_iface command

Return a list of the available interfaces (the main BSS) and optionally
with ctrl_iface when the optional "ctrl" parameter is included. This is
useful when using UDP ctrl_iface and adding interfaces using the ADD
command. After that we need to know which UDP port was assigned for the
control interface for the added interface.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago hostapd: Update ctrl_interface for UDP to include the selected port
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:28 +0000 (10:20 +0100)]
hostapd: Update ctrl_interface for UDP to include the selected port

Set up the real ctrl_interface for UDP after having selected the port.
This is in format: udp:<port_no>. This is needed to get accurate
interface <-> udp_port mapping.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago wpa_supplicant: Add ctrl parameter to INTERFACES command
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:27 +0000 (10:20 +0100)]
wpa_supplicant: Add ctrl parameter to INTERFACES command

"INTERFACES ctrl" can now be used to fetch a list of network interfaces
and their control interfaces, e.g., to fetch the UDP port information
for the control interface.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago hostapd: Allow UDP ctrl_iface configuration to set the UDP port
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:25 +0000 (10:20 +0100)]
hostapd: Allow UDP ctrl_iface configuration to set the UDP port

This allows the UDP port to be set for the per-interface and global
control interfaces. The format is: udp:<port_no>

For example:
hostapd -ddt -g udp:8888

And in the configuration file:
ctrl_interface=udp:8877

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago hostapd: Add UDP support for ctrl_iface
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:24 +0000 (10:20 +0100)]
hostapd: Add UDP support for ctrl_iface

Add UDP support for ctrl_iface:

New config option could be set:
CONFIG_CTRL_IFACE=udp
CONFIG_CTRL_IFACE=udp-remote
CONFIG_CTRL_IFACE=udp6
CONFIG_CTRL_IFACE=udp6-remote

And hostapd_cli usage:
hostapd_cli -i localhost:8877

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago ctrl_iface_common: Use sockaddr_storage instead of sockaddr_un
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:23 +0000 (10:20 +0100)]
ctrl_iface_common: Use sockaddr_storage instead of sockaddr_un

This is a step towards allowing UDP sockets to be used with the common
implementation.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago hostapd: Use common functions for ctrl_iface
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:22 +0000 (10:20 +0100)]
hostapd: Use common functions for ctrl_iface

Use the common functions and structures when UNIX socket ctrl_iface is used.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago wpa_supplicant: Use common functions for ctrl_iface
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:21 +0000 (10:20 +0100)]
wpa_supplicant: Use common functions for ctrl_iface

Use the common functions and structures when UNIX socket ctrl_iface is used.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago Add common ctrl_iface files
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:20 +0000 (10:20 +0100)]
Add common ctrl_iface files

This is preparation for sharing a single implementation for ctrl_iface
functionality in wpa_supplicant and hostapd.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago wpa_supplicant: Add monitor support for global UDP ctrl_iface
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:19 +0000 (10:20 +0100)]
wpa_supplicant: Add monitor support for global UDP ctrl_iface

Add monitor support (ATTACH/DETACH) for the global ctrl_iface when using
the UDP backend.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago wpa_supplicant: Share attach/detach/send UDP ctrl_iface functions
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:18 +0000 (10:20 +0100)]
wpa_supplicant: Share attach/detach/send UDP ctrl_iface functions

Extend the previously per-interface UDP ctrl_iface functions
(attach/detach/send) to support operations on the global interface as
well.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago wpa_supplicant: Allow UDP ctrl_iface configuration to set the UDP port
Janusz Dziedzic [Fri, 4 Mar 2016 09:20:17 +0000 (10:20 +0100)]
wpa_supplicant: Allow UDP ctrl_iface configuration to set the UDP port

This allows the UDP port to be set for the per-interface and global
control interfaces. The format is: udp:<port_no>

For example:
wpa_supplicant -Dnl80211 -ddt -g udp:9888

And in the configuration file:
ctrl_interface=udp:9877

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
8 years ago P2P: Update peer WFD IE from PD Response and GO Negotiation Response
Avichal Agarwal [Fri, 4 Mar 2016 02:38:26 +0000 (11:38 +0900)]
P2P: Update peer WFD IE from PD Response and GO Negotiation Response

Update the peer WFD IE information based on WFD elements received in
Provision Discovery Response and GO Negotiation Response frames.

Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
8 years ago P2P: Respect p2p_ignore_shared_freq on p2p_group_add
Eliad Peller [Thu, 3 Mar 2016 16:18:30 +0000 (18:18 +0200)]
P2P: Respect p2p_ignore_shared_freq on p2p_group_add

Make sure wpas_p2p_init_go_params() respects the p2p_ignore_shared_freq
configuration option. Choose currently used frequencies only if this
option is not set, or if there are no unused channels left.

Signed-off-by: Eliad Peller <eliad@wizery.com>
8 years ago P2P: Fix shared freq print in wpas_p2p_init_go_params()
Eliad Peller [Thu, 3 Mar 2016 16:18:29 +0000 (18:18 +0200)]
P2P: Fix shared freq print in wpas_p2p_init_go_params()

"freq" contains the forced frequency, not the selected one. Print the
correct freq instead.

Signed-off-by: Eliad Peller <eliad@wizery.com>
8 years ago P2P: Update peer listen channel from Probe Request frames
Ilan Peer [Mon, 29 Feb 2016 12:30:05 +0000 (14:30 +0200)]
P2P: Update peer listen channel from Probe Request frames

In case a Probe Request frame is received from a known peer P2P Device,
update the listen channel based on the P2P attributes in the Probe
Request frame. This can be useful for cases where the peer P2P Device
changed its listen channel, and the local P2P device is about to start a
GO Negotiation or invitation signaling with the peer.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
8 years ago P2P: Abort ongoing scan when p2p_find is stopped
Ben Rosenfeld [Mon, 29 Feb 2016 12:30:04 +0000 (14:30 +0200)]
P2P: Abort ongoing scan when p2p_find is stopped

When p2p_find is stopped, send request to the driver
in order to cancel an ongoing scan if there is one.

Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
8 years ago nl80211: Abort an ongoing scan upon scan timeout indication
Ayala Beker [Mon, 29 Feb 2016 12:30:03 +0000 (14:30 +0200)]
nl80211: Abort an ongoing scan upon scan timeout indication

Currently, when scan is stuck in the kernel/driver/fw,
the nl80211 driver tries to recover by faking a SCAN_RESULTS flow.
However, the scan is still stuck in the kernel/driver/fw.

To avoid that stuck request, abort it upon scan timeout.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
8 years ago tests: Handle different delays in discovery_and_interface_disabled
Ilan Peer [Mon, 29 Feb 2016 12:30:02 +0000 (14:30 +0200)]
tests: Handle different delays in discovery_and_interface_disabled

Test different delay intervals between the INTERFACE_DISABLED event
and the INTERFACE_ENABLED event for discovery_and_interface_disabled.

Previously, only a delay of 1 second was used, in which case the
scan results for the P2P_FIND operation were received after the
interface was enabled again, and the case where the scan results were
received while the interface was disabled was not covered.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
8 years ago wpa_supplicant: Handle EVENT_SCAN_RESULTS when an interface is disabled
Ilan Peer [Mon, 29 Feb 2016 12:30:01 +0000 (14:30 +0200)]
wpa_supplicant: Handle EVENT_SCAN_RESULTS when an interface is disabled

An interface can be disabled while it has an ongoing scan request.
In such a case, when the scan results notification is received,
it was being ignored (as the interface is already disabled) so the
scan state was not cleared. This can cause undetermined behavior
for the next scan request.

To handle this, clear the scan state when EVENT_SCAN_RESULTS is
received and the interface is disabled.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
8 years ago WNM: Do not scan based on malformed BSS Transition Management Request
Avraham Stern [Mon, 29 Feb 2016 12:30:00 +0000 (14:30 +0200)]
WNM: Do not scan based on malformed BSS Transition Management Request

Verify that when the Candidate List Included bit is set in a BSS
Transition Management Request frame, the candidate list actually
includes at least one candidate. If no candidates are included, reject
the request without scanning.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
8 years ago tests: BTM Request Preferred Candidate List followed by vendor element
Jouni Malinen [Thu, 3 Mar 2016 14:59:27 +0000 (16:59 +0200)]
tests: BTM Request Preferred Candidate List followed by vendor element

This goes through parsing code for a case that was interpreted
incorrectly in the past.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago WNM: Fix candidates count in BSS Transition Management Request
Avraham Stern [Mon, 29 Feb 2016 12:29:59 +0000 (14:29 +0200)]
WNM: Fix candidates count in BSS Transition Management Request

In BSS Transition Management Request frame, it is possible that vendor
specific IEs are included after the candidate list. In this case the
candidates count was incremented for each IE although the candidate list
is already over which could result in adding all zeros candidates into
the neighbor list.

Fix that by incrementing the candidates count only for neighbor report
elements.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
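
The two WNM commits above ("Do not scan based on malformed BSS Transition Management Request" and "Fix candidates count in BSS Transition Management Request") both concern how the candidate list is counted; the following added example, which is not code from these commits or from wpa_supplicant, walks the element list both ways. The function names, the request-mode constant name and the sample byte strings are constructed for illustration; element IDs 52 (Neighbor Report) and 221 (Vendor Specific) are the IEEE 802.11 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EID_NEIGHBOR_REPORT 52
#define EID_VENDOR_SPECIFIC 221
/* BSSID 6 + BSSID Information 4 + Operating Class 1 + Channel 1 + PHY Type 1 */
#define NEIGHBOR_REPORT_MIN_LEN 13
/* Request Mode bit 0: Preferred Candidate List Included (hypothetical name) */
#define REQ_MODE_PREF_CAND_LIST_INCLUDED 0x01

/* Constructed input: one Neighbor Report followed by a vendor element. */
static const uint8_t sample_list_then_vendor[] = {
	EID_NEIGHBOR_REPORT, 13,
	0x02, 0x00, 0x00, 0x00, 0x01, 0x00, /* BSSID */
	0x00, 0x00, 0x00, 0x00,             /* BSSID Information */
	81, 6, 7,                           /* op class, channel, PHY type */
	EID_VENDOR_SPECIFIC, 4, 0x00, 0x11, 0x22, 0x01
};

/* Constructed input: the candidate list is announced but only a vendor
 * element follows. */
static const uint8_t sample_vendor_only[] = {
	EID_VENDOR_SPECIFIC, 4, 0x00, 0x11, 0x22, 0x01
};

/* Behaviour the second commit message describes as the bug: every element
 * increments the count, so trailing vendor elements become "candidates". */
static int count_all_elements(const uint8_t *pos, size_t len)
{
	int count = 0;

	while (len >= 2) {
		size_t elen = pos[1];

		if (elen > len - 2)
			return -1; /* truncated element */
		count++;
		pos += 2 + elen;
		len -= 2 + elen;
	}
	return len ? -1 : count;
}

/* Count only well-formed Neighbor Report elements; skip everything else. */
static int count_neighbor_reports(const uint8_t *pos, size_t len)
{
	int count = 0;

	while (len >= 2) {
		uint8_t id = pos[0];
		size_t elen = pos[1];

		if (elen > len - 2)
			return -1; /* truncated element */
		if (id == EID_NEIGHBOR_REPORT) {
			if (elen < NEIGHBOR_REPORT_MIN_LEN)
				return -1; /* too short to hold a candidate */
			count++;
		}
		pos += 2 + elen;
		len -= 2 + elen;
	}
	return len ? -1 : count;
}

/* Returns 1 if the request may be acted on, 0 if it must be rejected
 * without scanning. */
static int btm_request_ok(uint8_t req_mode, const uint8_t *ies, size_t len)
{
	if (!(req_mode & REQ_MODE_PREF_CAND_LIST_INCLUDED))
		return 1; /* no candidate list announced, nothing to check */
	return count_neighbor_reports(ies, len) > 0;
}

int main(void)
{
	printf("all elements: %d, neighbor reports: %d\n",
	       count_all_elements(sample_list_then_vendor,
				  sizeof(sample_list_then_vendor)),
	       count_neighbor_reports(sample_list_then_vendor,
				      sizeof(sample_list_then_vendor)));
	printf("vendor-only request accepted: %d\n",
	       btm_request_ok(REQ_MODE_PREF_CAND_LIST_INCLUDED,
			      sample_vendor_only, sizeof(sample_vendor_only)));
	return 0;
}
```
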
8 years ago wpa_cli: Support running action script on global control interface
Ilan Peer [Mon, 29 Feb 2016 12:29:58 +0000 (14:29 +0200)]
wpa_cli: Support running action script on global control interface

In case wpa_cli is started with an option to execute an action script,
but no interface is specified, wpa_cli might crash in wpa_cli_exec() if
arg1 == NULL. Fix this by setting arg1 = "global".

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
8 years ago EAP-PWD peer: Fix possible memory leak on error path
Ilan Peer [Mon, 29 Feb 2016 12:29:57 +0000 (14:29 +0200)]
EAP-PWD peer: Fix possible memory leak on error path

Fix possible memory leak in eap_pwd_perform_commit_exchange().

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
8 years ago Android: Remove superfluous OpenSSL include paths
Adam Langley [Fri, 23 Jan 2015 01:13:10 +0000 (17:13 -0800)]
Android: Remove superfluous OpenSSL include paths

The libcrypto and libssl modules (and their respective static and host
versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module
is sufficient.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
8 years ago HS 2.0R2: Clear fetch_anqp_in_progress if fopen fails
Daichi Ueura [Tue, 1 Mar 2016 18:26:38 +0000 (03:26 +0900)]
HS 2.0R2: Clear fetch_anqp_in_progress if fopen fails

Clear wpa_s->fetch_anqp_in_progress when osu-providers.txt can't be
opened. An issue happens, for instance, when wpa_supplicant doesn't
have correct access permission to the directory specified by osu_dir.
If hs20_osu_fetch_done method returns without clearing the flag,
'FETCH_OSU' command will never work correctly.

Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
8 years ago Fix CONFIG_WPA_TRACE=y compilation without CONFIG_WPA_TRACE_BFD=y
Eliad Peller [Wed, 2 Mar 2016 12:38:41 +0000 (14:38 +0200)]
Fix CONFIG_WPA_TRACE=y compilation without CONFIG_WPA_TRACE_BFD=y

syms is defined only for WPA_TRACE_BFD:

../src/utils/trace.c: In function ‘wpa_trace_deinit’:
../src/utils/trace.c:372:7: error: ‘syms’ undeclared (first use in this function)
  free(syms);
       ^
../src/utils/trace.c:372:7: note: each undeclared identifier is reported only once for each function it appears in
make: *** [../src/utils/trace.o] Error 1
make: *** Waiting for unfinished jobs....

Add appropriate #ifdef.

Signed-off-by: Eliad Peller <eliad@wizery.com>
8 years ago Add EAP-AKA' and EAP-pwd to wpa_supplicant README
Jouni Malinen [Thu, 3 Mar 2016 14:19:55 +0000 (16:19 +0200)]
Add EAP-AKA' and EAP-pwd to wpa_supplicant README

The EAP methods were missing from the lists.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago Update notes about OpenSSL versions
Jouni Malinen [Thu, 3 Mar 2016 14:17:34 +0000 (16:17 +0200)]
Update notes about OpenSSL versions

Obsolete OpenSSL versions 0.9.* are not supported anymore.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago Fix some typos in wpa_supplicant README files
Jouni Malinen [Thu, 3 Mar 2016 14:15:46 +0000 (16:15 +0200)]
Fix some typos in wpa_supplicant README files

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago README-P2P: Fix a typo
Nishant Chaprana [Thu, 3 Mar 2016 12:52:39 +0000 (18:22 +0530)]
README-P2P: Fix a typo

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
8 years ago P2P: Add Dev Info attribute to Probe Request frames in 60 GHz
Lior David [Sat, 20 Feb 2016 14:45:58 +0000 (16:45 +0200)]
P2P: Add Dev Info attribute to Probe Request frames in 60 GHz

When building P2P IE for Probe Request frames in P2P scan, add the
device information attribute if the 60 GHz band is included in the scan,
since this is required by the P2P specification.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
8 years ago wpa_supplicant: Expose wpas_get_bands() and related API
Lior David [Sat, 20 Feb 2016 11:46:10 +0000 (13:46 +0200)]
wpa_supplicant: Expose wpas_get_bands() and related API

Expose the functions wpas_get_bands() and wpas_freq_to_band() and the
enum wpa_radio_work_band, since they will be needed outside
wpa_supplicant.c.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
8 years ago P2P: Change order of P2P IE and frequencies set up
Lior David [Sat, 20 Feb 2016 11:28:27 +0000 (13:28 +0200)]
P2P: Change order of P2P IE and frequencies set up

When setting up parameters for P2P scan, calculate the frequencies
for the scan before calculating the scan IE. This is because
the scan IE calculation may need information about the scan
frequencies in use.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
8 years ago Android: Allow wpa_supplicant to write files to osu-info dir
Kanchanapally, Vidyullatha [Tue, 1 Mar 2016 02:06:53 +0000 (07:36 +0530)]
Android: Allow wpa_supplicant to write files to osu-info dir

This commit allows any process running with group id of AID_WIFI to
read/write files to osu-info directory. Also, it allows other users to
read and search the osu-info directory.

This fixes issues with hs20-osu-client creating a directory for
wpa_supplicant use without wpa_supplicant actually having privileges to
write there on Android where the wpa_supplicant process does not run as
root.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago FST: Enlarge State Transition Timeout (STT)
Dedy Lansky [Thu, 25 Feb 2016 08:03:07 +0000 (10:03 +0200)]
FST: Enlarge State Transition Timeout (STT)

STT guards the exchange of FST Action frames with the peer station.
It was observed that sometimes the sending of Action frames is delayed at
the driver/FW layers for a few hundred milliseconds.

Enlarge the STT to overcome such cases.

Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
8 years ago Add error handling for offloaded ACS with vendor command failures
Peng Xu [Tue, 1 Mar 2016 19:13:25 +0000 (11:13 -0800)]
Add error handling for offloaded ACS with vendor command failures

In case the vendor ACS command returns an invalid channel or hardware mode,
complete the interface setup with an error code instead of simply
returning, so that hostapd can properly clean up the interface setup.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago Fix scan rescheduling from wpas_stop_pno to check postponed case
Jouni Malinen [Thu, 3 Mar 2016 09:04:38 +0000 (11:04 +0200)]
Fix scan rescheduling from wpas_stop_pno to check postponed case

Commit 02e122a995dea947a2ad2c0d85190d709f9128b7 ('Reschedule scan from
wpas_stop_pno if it was postponed') uses wpa_s->scanning as the only
condition for automatically starting a postponed scan request from
EVENT_SCHED_SCAN_STOPPED event handler. However, wpa_s->scanning may be
set for sched_scan and as such, this can result in unexpected extra
scans without there having been any real postponed request.

Make this more accurate by verifying that there really is a pending
request for a scan before speeding up its start.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago tests: WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP
Jouni Malinen [Wed, 2 Mar 2016 15:11:38 +0000 (17:11 +0200)]
tests: WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago nl80211: Add more address fields into RX frame debug message
Jouni Malinen [Mon, 29 Feb 2016 19:18:27 +0000 (21:18 +0200)]
nl80211: Add more address fields into RX frame debug message

This makes it easier to debug issues related to Public Action frame
addressing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago tests: GAS query with another AP while associated
Jouni Malinen [Mon, 29 Feb 2016 17:49:52 +0000 (19:49 +0200)]
tests: GAS query with another AP while associated

This is without PMF to cover the case of Public Action frame to another
AP while associated.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
8 years ago RADIUS: Add Acct-Delay-Time into accounting messages
Jouni Malinen [Mon, 29 Feb 2016 15:40:23 +0000 (17:40 +0200)]
RADIUS: Add Acct-Delay-Time into accounting messages

This tells the server how long we have been trying to transmit the
message so that the actual time of the message generation can be
determined from receive time (ignoring network delays and only at
accuracy of one second).

For interim updates, only value 0 is used since there are no
retransmissions of the same message. For other accounting messages, the
initial attempt goes out with value 0 and the retransmissions, if
needed, show the number of seconds the message has been waiting in the
queue.

Update the Identifier and Authenticator in the messages whenever
updating the Acct-Delay-Time per RFC 2866, 4.1 requirements.

Signed-off-by: Jouni Malinen <j@w1.fi>
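
Why a changed Acct-Delay-Time forces a new Identifier and Authenticator, shown as an added Python example that is not hostapd code: the Accounting-Request Authenticator is an MD5 over the whole packet plus the shared secret, so a retransmission with a different delay is a different packet. The function names, shared secret, session ID and the increment-by-one Identifier choice are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
ACCT_DELAY_TIME = 41    # RFC 2866 attribute: seconds spent trying to send


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Accounting-Request: MD5(Code + Identifier + Length + 16 zero octets
    #                         + attributes + shared secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_acct_request(identifier, base_attrs, delay, secret):
    """Build a complete Accounting-Request carrying Acct-Delay-Time=delay."""
    attrs = base_attrs + attr(ACCT_DELAY_TIME, struct.pack("!I", delay))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs


def verify_acct_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check of the Request Authenticator."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(auth, request_authenticator(header, attrs, secret))


def retransmit(prev_packet, base_attrs, queued_seconds, secret):
    """Retry with a new delay: new Identifier and recomputed Authenticator."""
    identifier = (prev_packet[1] + 1) % 256  # simple increment (assumption)
    return build_acct_request(identifier, base_attrs, queued_seconds, secret)


def patch_delay_only(packet: bytes, delay: int) -> bytes:
    """Wrong way: overwrite the trailing delay value and reuse the rest."""
    return packet[:-4] + struct.pack("!I", delay)


# Constructed sample input: Acct-Status-Type=Start and an Acct-Session-Id
SECRET = b"constructed-shared-secret"
BASE = attr(40, struct.pack("!I", 1)) + attr(44, b"0123456789ABCDEF")
```

A packet produced by `patch_delay_only()` fails `verify_acct_request()`, which is the failure the Identifier and Authenticator update in this commit avoids.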
8 years ago tests: RADIUS Accounting interim update retry
Jouni Malinen [Mon, 29 Feb 2016 09:44:30 +0000 (11:44 +0200)]
tests: RADIUS Accounting interim update retry

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago RADIUS: Update full message for interim accounting updates
Jouni Malinen [Mon, 29 Feb 2016 09:44:43 +0000 (11:44 +0200)]
RADIUS: Update full message for interim accounting updates

Instead of using the RADIUS client retransmission design with the old
RADIUS message contents for each retry, trigger a completely new interim
accounting update instance more quickly (using the same schedule as
RADIUS message retransmissions) to improve accounting updates in cases
where RADIUS message delivery fails. This allows the server to get up to
date information from the time the "retry" message was sent instead of
the old information from the time the first failed attempt was sent.

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago Document nas_identifier requirements for RADIUS accounting
Jouni Malinen [Sun, 28 Feb 2016 19:19:14 +0000 (21:19 +0200)]
Document nas_identifier requirements for RADIUS accounting

nas_identifier needs to be set to a unique value for RADIUS accounting
to work properly. This needs to be unique for each BSS.

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago Replace hostapd_mac_comp_empty() with is_zero_ether_addr()
Jouni Malinen [Sun, 28 Feb 2016 16:00:48 +0000 (18:00 +0200)]
Replace hostapd_mac_comp_empty() with is_zero_ether_addr()

There is no need to maintain two implementations of the functionality.
is_zero_ether_addr() is easier to understand, so use it.

Signed-off-by: Jouni Malinen <j@w1.fi>
8 years ago VLAN: Avoid use of libnl cache
Michael Braun [Wed, 24 Feb 2016 11:53:50 +0000 (12:53 +0100)]
VLAN: Avoid use of libnl cache

Using rtnl_link_alloc_cache() is expensive as it fills in all configured
links. Using rtnl_link_get_kernel() is much more lightweight.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago nl80211: Clean up ifidx properly if interface in a bridge is removed
Michael Braun [Wed, 24 Feb 2016 11:53:44 +0000 (12:53 +0100)]
nl80211: Clean up ifidx properly if interface in a bridge is removed

When an interface is removed while it was in a bridge, the bridge was
not removed from the local ifidx list.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago FT: Check destination MAC address on RRB receive
Michael Braun [Wed, 24 Feb 2016 11:53:41 +0000 (12:53 +0100)]
FT: Check destination MAC address on RRB receive

As the Linux variant of l2_packet_init() does not use its own_addr
argument and l2_packet_receive() does not filter on destination MAC
address, this needs to be checked in the callback.

If there are multiple BSSes listening for FT RRB packets, all their
BSSIDs need to be local to the bridge interface. As l2_packet_init() is
going to receive all of them going for any local address, those RRB
messages started turning up on BSSes that they were not destined for and
cluttering logs.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago RADIUS: Allow RADIUS server to provide PSK instead of passphrase
Michael Braun [Wed, 24 Feb 2016 11:53:38 +0000 (12:53 +0100)]
RADIUS: Allow RADIUS server to provide PSK instead of passphrase

If the AP is slow, passphrase hashing takes too long to serve the client
before timeout. Extend the Tunnel-Password design to allow a 64
character value to be interpreted as a PSK and send SSID to RADIUS
server. This allows the RADIUS server to either take care of passphrase
hashing or to use raw PSK without such hashing.

This is especially important for FT-PSK with FT-over-air, where hashing
cannot be deferred.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago Cache hashed passphrase in RADIUS-based PSK delivery
Michael Braun [Wed, 24 Feb 2016 11:53:37 +0000 (12:53 +0100)]
Cache hashed passphrase in RADIUS-based PSK delivery

Instead of copying the full struct hostapd_sta_wpa_psk_short, share the
existing entry and use reference counting to check when it needs to be
freed. This allows caching of PSKs derived from passphrases to avoid
having to perform the heavy hashing operation multiple times.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago Defer passphrase-to-PSK hashing out of 802.11 authentication ACL check
Michael Braun [Wed, 24 Feb 2016 11:53:36 +0000 (12:53 +0100)]
Defer passphrase-to-PSK hashing out of 802.11 authentication ACL check

Hashing takes quite some time (can be about one second on a low-power
CPU for each passphrase provided), so hostapd can easily hit the 900 ms
Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can
be fixed by storing the passphrase instead of PSK with the STA and deferring
the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.

This applies for the case where a RADIUS server is used to store the
per-STA passphrases and this passphrase is delivered as part of the MAC
ACL check during IEEE 802.11 Authentication frame processing.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
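
The three PSK delivery commits above (a 64-character Tunnel-Password value taken as a PSK, cached hashing, and hashing deferred to the 4-way handshake) modelled together as an added Python example; it is not hostapd code. `StaPsk` and its fields are hypothetical names, the 64 characters are assumed to be hex digits, and the passphrase/SSID pair is a constructed sample rather than a value from this page.

```python
import hashlib

PMK_LEN = 32          # a WPA PSK is 256 bits
PBKDF2_ROUNDS = 4096  # iteration count of the WPA passphrase-to-PSK mapping


class StaPsk:
    """Hypothetical per-STA entry built from a RADIUS Tunnel-Password value."""

    def __init__(self, value: str):
        self.hash_count = 0   # how many times the slow KDF actually ran
        self._cache = {}      # SSID -> derived PSK
        self.raw_psk = None
        self.passphrase = None
        if len(value) == 2 * PMK_LEN:
            # 64 characters: assumed to be a hex PSK, so no hashing is needed.
            psk = bytes.fromhex(value)  # ValueError on non-hex input
            if len(psk) != PMK_LEN:     # fromhex() silently skips whitespace
                raise ValueError("PSK must be exactly 64 hex digits")
            self.raw_psk = psk
        elif 8 <= len(value) <= 63:
            # Passphrase: only store it here, so the ACL check stays fast.
            self.passphrase = value
        else:
            raise ValueError("neither a WPA passphrase nor a 64-char PSK")

    def get_psk(self, ssid: bytes) -> bytes:
        """Called later, when the 4-way handshake enumerates candidate PSKs."""
        if self.raw_psk is not None:
            return self.raw_psk
        if ssid not in self._cache:
            self.hash_count += 1
            self._cache[ssid] = hashlib.pbkdf2_hmac(
                "sha1", self.passphrase.encode(), ssid, PBKDF2_ROUNDS, PMK_LEN)
        return self._cache[ssid]


if __name__ == "__main__":
    sta = StaPsk("password")  # constructed sample passphrase
    print(sta.get_psk(b"IEEE").hex(), sta.hash_count)
    print(sta.get_psk(b"IEEE").hex(), sta.hash_count)  # cached, count stays 1
```

The derived PSK depends on the SSID, which is why the cache is keyed by it and why the raw-PSK commit also sends the SSID to the RADIUS server.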
8 years ago VLAN: Use stack instead of heap allocation for new interface name
Michael Braun [Wed, 24 Feb 2016 11:53:35 +0000 (12:53 +0100)]
VLAN: Use stack instead of heap allocation for new interface name

The VLAN ifname is limited to the maximum length of IFNAMSIZ, so there
is no need to use heap allocation for it.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago FT: Use BSSID as r1_key_holder if no value is configured
Michael Braun [Wed, 24 Feb 2016 11:53:34 +0000 (12:53 +0100)]
FT: Use BSSID as r1_key_holder if no value is configured

r1_key_holder is an identifier that was always set to zero unless
configured before.

See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
 "R1KH-ID is a MAC address of the holder of the PMK-R1 in the
  Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
 "Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
  identifier within the mobility domain."
 "The R1KH-ID shall be set to a MAC address of the physical entity
  that stores the PMK-R1 ..."

Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago tests: FT RRB internal delivery to non-WPA BSS
Michael Braun [Wed, 24 Feb 2016 11:53:24 +0000 (12:53 +0100)]
tests: FT RRB internal delivery to non-WPA BSS

A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL.

This test implements such a malicious request for regression testing.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
8 years ago FT: Check hapd->wpa_auth before RRB internal delivery
Michael Braun [Wed, 24 Feb 2016 11:53:25 +0000 (12:53 +0100)]
FT: Check hapd->wpa_auth before RRB internal delivery

A malicious station could try to do FT-over-DS with a non WPA-enabled
BSS. When this BSS is located in the same hostapd instance, internal RRB
delivery will be used and thus the FT Action Frame will be processed by
a non-WPA enabled BSS. This processing used to crash hostapd as
hapd->wpa_auth is NULL. If the target BSS is on a different hostapd
instance, it will not listen for these packets and thus not crash.

Fix this by checking hapd->wpa_auth before delivery.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>