Commit message (Author, Age, Files, Lines)
* dbus: Export roam time, roam complete, and session length (Matthew Wang, 2019-01-02, 10 files, -0/+183)
  Add new Interface properties "RoamTime", "RoamComplete", and "SessionLength". "RoamTime" carries the roam time of the most recent roam in milliseconds. "RoamComplete" carries True or False corresponding to the success status of the most recent roam. "SessionLength" carries the number of milliseconds corresponding to how long the connection to the last AP was before a roam or disconnect happened.
  Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
* tests: AP VLAN with WPA2-Enterprise and local file setting VLAN IDs (Jouni Malinen, 2019-01-02, 1 file, -0/+25)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow remote RADIUS authentication with local VLAN management (Nils Nieuwejaar, 2019-01-02, 4 files, -56/+51)
  The documentation in the hostapd.conf file says that the dynamic_vlan variable is used to control whether VLAN assignments are accepted from a RADIUS server. The implication seems to be that a static VLAN assignment will come from the accept_mac_file if dynamic_vlan is set to 0, and a dynamic assignment will come from the RADIUS server if dynamic_vlan is set to 1.
  Instead, I'm seeing that the static settings from the accept_mac_file are ignored if dynamic_vlan is set to 0, but used if dynamic_vlan is set to 1. If dynamic_vlan is set to 1 and the RADIUS server does not provide a VLAN, then the accept_mac_file assignment is overridden and the STA is assigned to the default non-VLANed interface.
  If my understanding of the expected behavior is correct, then I believe the problem is in ap_sta_set_vlan(). That routine checks the dynamic_vlan setting, but has no way of determining whether the incoming vlan_desc is static (i.e., from accept_mac_file) or dynamic (i.e., from a RADIUS server).
  I've attached a patch that gets hostapd working as I believe it's meant to, and updates the documentation to make the implicit behavior explicit. The functional changes are:
  - hostapd_allowed_address() will always extract the vlan_id from the accept_macs file. It will not update the vlan_id from the RADIUS cache if dynamic_vlan is DISABLED.
  - hostapd_acl_recv_radius() will not update the cached vlan_id if dynamic_vlan is DISABLED.
  - ieee802_1x_receive_auth() will not update the vlan_id if dynamic_vlan is DISABLED.
  More cosmetic: Most of the delta is just moving code out of ieee802_1x_receive_auth() into a new ieee802_1x_update_vlan() routine. While I initially did this because the new DISABLED check introduced excessive indentation, it has the added advantage of eliminating the vlan_description allocation and os_memset() call for all DYNAMIC_VLAN_DISABLED configs.
  I've done a couple rounds of review offline with Michael Braun (who has done much of the work in this part of the code) and incorporated his feedback. If dynamic_vlan=0 (disabled), vlan assignments will be managed using the local accept_mac_file ACL file, even if a RADIUS server is being used for user authentication. This allows us to manage users and devices independently.
  Signed-off-by: Nils Nieuwejaar <nils.nieuwejaar@gmail.com>
* Use a helper function for checking Extended Capabilities field (Jouni Malinen, 2019-01-02, 8 files, -16/+108)
  The new ieee802_11_ext_capab() and wpa_bss_ext_capab() functions can be used to check whether a specific extended capability bit is set instead of having to implement bit parsing separately for each need.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: [UTF-8] flag in scan results (Jouni Malinen, 2019-01-02, 1 file, -0/+5)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add [FST] and [UTF-8] flags to BSS command output (Jouni Malinen, 2019-01-02, 1 file, -0/+16)
  These flags were used in SCAN_RESULTS command output, but not BSS. Make these consistent by adding the flags to BSS as well.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Show [UTF-8] flag if the SSID is reported as UTF-8 (Jouke Witteveen, 2019-01-02, 1 file, -0/+7)
  Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
* crypto internal: Make MD4 PADDING array const (Mikael Kanstrup, 2019-01-02, 1 file, -1/+1)
  The PADDING array used when adding padding bits in MD4 never changes, so it can be made const. Making it const puts the array in the .rodata section and can save a few bytes of RAM for systems running without virtual memory.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
* RRM: Update own neighbor report on channel switch (Markus Theil, 2019-01-02, 1 file, -0/+5)
  After performing a successful channel switch, the AP should update its own neighbor report element, so do this from src/ap/drv_callbacks.c after a successful switch.
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* RRM: Move neighbor report functions (Markus Theil, 2019-01-02, 3 files, -122/+123)
  Move functions corresponding to neighbor report elements to src/ap/neighbor_db.[c,h] in preparation for using them after channel switch from src/ap/drv_callbacks.c.
  Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
* hostapd: Fix a typo in function name (Jouni Malinen, 2019-01-02, 3 files, -3/+3)
  This was supposed to use "hostapd_" prefix.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* crypto: Reduce the size of sha512_compress() stack frame (Ilan Peer, 2019-01-02, 1 file, -1/+7)
  The function sha512_compress() has a local variable that consumes 640 bytes. This is very heavy for embedded devices that have limited stack resources. Handle this by replacing the static allocation with a dynamic one.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* hostapd_cli: Add option to send beacon report request (Avraham Stern, 2019-01-02, 1 file, -0/+9)
  This new 'req_beacon' command is useful for testing.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* tests: Beacon report last frame indication (Avraham Stern, 2019-01-02, 1 file, -0/+62)
  Verify that the beacon report contains the last beacon report indication subelement when requested in the beacon request.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* RRM: Support for Last Beacon Report Indication subelement (Avraham Stern, 2019-01-02, 3 files, -5/+83)
  IEEE P802.11-REVmd/D2.0, (Beacon request) and (Beacon report) add the Last Beacon Report Indication subelement to Beacon Request and Beacon Report elements. Add the Last Beacon Report Indication subelement to all Beacon Report elements if the Beacon Request indicated that this subelement is requested.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* tests: Beacon report frame body fragmentation (Avraham Stern, 2019-01-02, 1 file, -0/+51)
  Verify that when the frame body subelement causes the measurement report element to exceed the maximum element size, the beacon report is fragmented and the frame body fragment ID subelement is added with the correct fragment number.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* tests: Update rrm_beacon_req_table_rsne to expect full RSNE (Jouni Malinen, 2019-01-02, 1 file, -4/+4)
  Now that wpa_supplicant is sending out full RSNE instead of the fragmented one, update this test case to match.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RRM: Add support for beacon report fragmentation (Avraham Stern, 2019-01-02, 2 files, -55/+108)
  When the frame body subelement would cause the measurement report element to exceed the maximum element size, the frame body subelement used to be truncated. In addition, some elements were always truncated in order to keep the reported frame body short (e.g. RSN IE).
  Alternatively, IEEE P802.11-REVmd/D2.0, extension to Beacon reporting can be used: The frame body subelement is fragmented across multiple beacon report elements, and the reported frame body fragment ID subelement is added.
  Use beacon report fragmentation instead of truncating the frame body as this method gives the AP more complete information about the reported APs.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* tests: D-Bus P2P peer information - VSIE (Jouni Malinen, 2019-01-02, 1 file, -0/+15)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* dbus: Add vendor specific information element in peer properties (Nishant Chaprana, 2019-01-02, 3 files, -0/+30)
  Make vendor specific information elements (VSIE) available in peer properties, so that the VSIE of a specific peer can be retrieved using the peer's object path.
  Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
* tests: Fix p2p_ext_discovery_go to write to logger, not stdout (Jouni Malinen, 2019-01-02, 1 file, -1/+1)
  The error case debug print should go to logger.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Data connectivity after REAUTHENTICATE (Jouni Malinen, 2019-01-02, 1 file, -0/+1)
  Verify that not updating GTK (i.e., only update PTK) in the driver does not break connectivity. This case is different after the check for "already in-use GTK" and rejection of GTK reinstallation.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* eloop: Fix kqueue event deletion filter (Jouni Malinen, 2019-01-02, 1 file, -11/+16)
  EV_SET() for EV_ADD used a specific filter type, but that same filter type was not provided to the matching EV_DELETE case. This resulted in the kernel rejecting the deletion with "Invalid argument". Fix this by setting the same filter type for both operations.
  Fixes: f9982b321222 ("Implement kqueue(2) support via CONFIG_ELOOP_KQUEUE")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* eloop: Fix fd_table allocation for epoll and kqueue (Jouni Malinen, 2019-01-02, 1 file, -1/+1)
  The previous implementation did not work if the first registered socket had fd > 16 or if the fd was more than double the largest value used in previous registrations. Those cases could result in too small a memory allocation being used and writes/reads beyond the end of that buffer. This fix is applicable to CONFIG_ELOOP_EPOLL=y and CONFIG_ELOOP_KQUEUE=y builds.
  Fixes: f0356ec85c46 ("eloop: Add epoll option for better performance")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* crypto: Add option to use getrandom() (Lubomir Rintel, 2019-01-01, 5 files, -17/+71)
  According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time:
  "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized."
  An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed.
  Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded. It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively).
  Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
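The getrandom(2)-then-/dev/urandom approach described in the commit message above, as an added illustration that is not hostap's own code: the function names, the raw-syscall use (so it builds on a glibc older than 2.25) and the ENOSYS fallback are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Fallback: read len bytes from /dev/urandom (0 on success, -1 on failure).
 * Never blocks, so on a freshly booted machine it may return output from an
 * unseeded pool; that is exactly the gap getrandom(2) closes. */
static int urandom_fallback(unsigned char *buf, size_t len)
{
	int fd = open("/dev/urandom", O_RDONLY);
	size_t got = 0;
	if (fd < 0)
		return -1;
	while (got < len) {
		ssize_t r = read(fd, buf + got, len - got);
		if (r < 0 && errno == EINTR)
			continue;
		if (r <= 0)
			break;
		got += (size_t) r;
	}
	close(fd);
	return got == len ? 0 : -1;
}

/* Fill buf with len random bytes. On Linux 3.17+ this uses getrandom(2) with
 * flags=0: it blocks only until the kernel pool has been seeded, never after.
 * The raw syscall avoids needing the glibc 2.25 wrapper; ENOSYS from an older
 * kernel (or any other failure) selects the /dev/urandom fallback. */
int get_random_bytes(unsigned char *buf, size_t len)
{
#if defined(__linux__) && defined(SYS_getrandom)
	size_t got = 0;
	while (got < len) {
		long r = syscall(SYS_getrandom, buf + got, len - got, 0);
		if (r < 0) {
			if (errno == EINTR)
				continue;
			break; /* ENOSYS or other failure: fall back */
		}
		got += (size_t) r;
	}
	if (got == len)
		return 0;
#endif
	return urandom_fallback(buf, len);
}

/* Two 32-byte draws must both succeed and differ; returns 1 if so, else 0. */
int random_self_check(void)
{
	unsigned char a[32], b[32];
	if (get_random_bytes(a, sizeof(a)) || get_random_bytes(b, sizeof(b)))
		return 0;
	return memcmp(a, b, sizeof(a)) != 0;
}
```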
* wpa_ctrl: Make wpa_cli ping/pong work more reliably (Ben Greear, 2019-01-01, 1 file, -1/+2)
  In 2013 or so, IFNAME=foo was prepended to at least the Unix socket communication from wpa_supplicant to wpa_cli. This broke the (fragile) logic that made ping/pong work more often when wpa_supplicant is busy sending logging info to wpa_cli. Adding a check for IFNAME=foo makes this work better.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* OpenSSL: Load chain certificates from client_cert file (Isaac Boukris, 2019-01-01, 1 file, -3/+2)
  This helps the server to build the chain to trusted CA when PEM encoding of client_cert is used with multiple listed certificates. This was already done for the server certificate configuration, but the client certificate was limited to using only the first certificate in the file.
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
* vlan: Use new bridge ioctl() (Sergey Matyukevich, 2019-01-01, 3 files, -15/+50)
  Legacy ioctl() through SIOCDEVPRIVATE are deprecated. Follow the approach taken by bridge-utils and make use of new bridge ioctls whenever possible. For example, using legacy ioctl() breaks dynamic VLAN mode on 32-bit Linux systems running 64-bit kernels.
  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* Update copyright notices for the new year 2019 (Jouni Malinen, 2019-01-01, 16 files, -21/+21)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Use different country in p2p_go_move_reg_change (Jouni Malinen, 2019-01-01, 1 file, -2/+10)
  Use of country=00 (world roaming) seemed to not work anymore with the current cfg80211 regulatory implementation since the existing channel is left enabled when moving to country=00. Use a specific country code that does enforce the selected channel from being used anymore to make this test case pass again.
  The change in cfg80211 behavior is from the kernel commit 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces").
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: dot1xAuthSessionUserName (Jouni Malinen, 2019-01-01, 2 files, -1/+32)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Use internal EAP server identity as dot1xAuthSessionUserName (Jouni Malinen, 2019-01-01, 1 file, -2/+12)
  If the internal EAP server is used instead of an external RADIUS server, sm->identity does not get set. Use the identity from the internal EAP server in such a case to get the dot1xAuthSessionUserName value in STA MIB information.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* browser: Replace deprecated gtk_window_set_wmclass() (Jouni Malinen, 2019-01-01, 1 file, -2/+1)
  Use gtk_window_set_role() instead of the deprecated gtk_window_set_wmclass().
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HTTP (curl): Replace deprecated ASN1_STRING_data() (Jouni Malinen, 2019-01-01, 1 file, -4/+13)
  Use ASN1_STRING_get0_data() instead of the older ASN1_STRING_data() that got deprecated in OpenSSL 1.1.0.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HTTP (curl): Fix build with newer OpenSSL versions (Ben Greear, 2019-01-01, 1 file, -1/+5)
  The SSL_METHOD patching hack to get proper OCSP validation for Hotspot 2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the SSL_METHOD structure is not exposed anymore. Fall back to using the incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* HTTP (curl): Use DEFINE_STACK_OF() with newer OpenSSL versions (Ben Greear, 2019-01-01, 1 file, -0/+8)
  SKM_sk_num() is not available anymore, so use DEFINE_STACK_OF() to get the appropriate accessor functions.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* HTTP (curl): Use SSL_get_SSL_CTX() helper (Ben Greear, 2019-01-01, 1 file, -2/+2)
  Direct ssl->ctx access is not allowed anymore in newer OpenSSL versions, so use the SSL_get_SSL_CTX() helper for this.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* HS 2.0: Fix EST compilation with OpenSSL 1.1.0 and newer (Ben Greear, 2019-01-01, 1 file, -0/+13)
  SKM_sk_value() is not available anymore, so use DEFINE_STACK_OF() to get the appropriate accessor functions.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* hostap: Silence compiler warnings about IFNAMSIZ buffers (Jouni Malinen, 2019-01-01, 1 file, -2/+9)
  Report interface name truncation and reject such cases in Host AP driver initialization of the AP interface.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OCE: RSSI-based rejection to consider Authentication frames (AP) (Jouni Malinen, 2019-01-01, 2 files, -3/+10)
  Try to make RSSI-based rejection of associating stations a bit less likely to trigger false rejections by considering RSSI from the last received Authentication frame. Association is rejected only if both the Authentication and (Re)Association Request frames are below the RSSI threshold.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Add RSSI based association rejection tests (Beni Lev, 2019-01-01, 1 file, -0/+153)
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* tests: Add a command for setting TX power/RSSI (Beni Lev, 2019-01-01, 1 file, -0/+17)
  With this command, the RSSI signal can be controlled. Due to restrictions in the kernel, only values in the range of [-30, -50] can be used. The command is implemented by changing the TX power.
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* OCE: Add RSSI based association rejection support (AP) (Beni Lev, 2019-01-01, 7 files, -6/+66)
  An AP might reject a STA association request due to low RSSI. In such a case, the AP informs the STA of the desired RSSI improvement and a retry timeout. The STA might retry to associate even if the RSSI hasn't improved if the retry timeout expired.
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* OCE: Add RSSI based association rejection support (STA) (Beni Lev, 2019-01-01, 8 files, -17/+88)
  An AP might refuse to connect a STA if it has a low RSSI. In such a case, the AP informs the STA of the desired RSSI delta and a retry timeout. Any subsequent association attempt with that AP (BSS) should be avoided, unless the RSSI level improved by the desired delta or the timeout has expired.
  Defined in Wi-Fi Alliance Optimized Connectivity Experience technical specification v1.0, section 3.14 (RSSI-based association rejection information).
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* tests: P2P cancel join-group using p2pdev and no separate group interface (Jouni Malinen, 2019-01-01, 1 file, -0/+23)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* P2P: Set global->p2p_group_formation in wpas_p2p_join_start() for p2pdev (Aloni, Adiel, 2019-01-01, 1 file, -9/+10)
  When a dedicated P2P device interface is used, the global->p2p_group_formation was not set in wpas_p2p_join_start() if no separate group interface is used. This would cause the cleaning of p2p_in_provisioning to be done on the wrong interface in case of a failure in group formation. Furthermore, the P2P_CANCEL command could not be used to stop such a group-join operation.
  Fix this by setting the global->p2p_group_formation correctly in case the group interface is reusing wpa_s->parent.
  Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
* tests: Clear regdom state in go_neg_forced_freq_diff_than_bss_freq (Jouni Malinen, 2019-01-01, 1 file, -1/+3)
  Be more careful with cleaning up the regdom state in cfg80211.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Make dpp_pkex_no_responder handle enabled 5 GHz channels (Jouni Malinen, 2019-01-01, 1 file, -5/+9)
  It was possible for the 5 GHz PKEX channels to be enabled, e.g., when running "ap_ht40_csa2 dpp_pkex_no_responder" test sequence, and that resulted in a failure in dpp_pkex_no_responder due to the unexpectedly long wait needed for the DPP-FAIL event. Increase the wait time to allow for 5 GHz PKEX channels to be probed.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Update wpa_supplicant channel list on FLUSH (Jouni Malinen, 2019-01-01, 3 files, -6/+13)
  Try to make sure the driver channel list state is synchronized with wpa_supplicant whenever explicitly clearing state (e.g., between hwsim test cases).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Debug print channel list (Jouni Malinen, 2019-01-01, 1 file, -2/+61)
  This makes it a bit easier to figure out how the channel list update from the kernel is taken into use.
  Signed-off-by: Jouni Malinen <j@w1.fi>