path: root/src/ap
Commit message (Collapse)AuthorAgeFilesLines
* Fix a typo in a commentHEADpendingmasterJouni Malinen14 hours1-1/+1
| | | | Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Resolved compiler uninitialized warningKarthikeyan Kathirvel14 hours1-1/+1
| | | | | | | | | | | | | | | Resolved the below warning ../src/ap/ieee802_11.c:4535:25: warning: 'reply_res' may be used uninitialized in this function [-Wmaybe-uninitialized] if (sta && ((reply_res != WLAN_STATUS_SUCCESS && ^ Since reply_res is been assigned inside an if condition and so compiler treats reply_res as uninitalized variable Initialize reply_res with WLAN_STATUS_UNSPECIFIED_FAILURE. Fixes: 5344af7d22ac ("FT: Discard ReassocReq with mismatching RSNXE Used value") Signed-off-by: Karthikeyan Kathirvel <kathirve@codeaurora.org>
* Do not start SA Query procedure without keysRohan14 hours2-8/+12
| | | | | | | | | | | | | | | The AP mode condition for initiating the SA Query procedure when receiving a new (Re)Association Request frame used only association state and MFP negotiation result without checking that the key exchange has been completed. This can give rise to a corner case where the SA Query procedure may get started after open association but before the 4-way handshake has been completed, resulting in open SA query frames over the air. Fix this by adding station authorized check in hostapd_notif_assoc() and check_assoc_ies(). Signed-off-by: Rohan <drohan@codeaurora.org>
* SAE-PK: Add support to skip sae_pk password check for testing purposesShaakir Mohamed12 days2-1/+10
| | | | | | | | Add support to skip sae_pk password check under compile flag CONFIG_TESTING_OPTIONS which allows AP to be configured with sae_pk enabled but a password that is invalid for sae_pk. Signed-off-by: Shaakir Mohamed <smohamed@codeaurora.org>
* OCV: Allow connecting MFP incapable OCV STA when OCV is disabled in APVeerendranath Jakkam12 days1-1/+1
| | | | | | | | | Skip check to mandate MFP capability for OCV enabled STA when OCV is disabled in AP. This is to improve interoperability with STAs in which OCV capability is advertised incorrectly without advertising MFP when OCV is disabled in AP. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* OCV: Use more granular error codes for OCI validation failuresVeerendranath Jakkam12 days5-6/+11
| | | | | | | Enhance the return values of ocv_verify_tx_params with enum to indicate different OCI verification failures to caller. Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
* DPP2: Support QR mutual auth scan-during-auth-exchange (hostapd)Jouni Malinen2020-08-251-0/+4
| | | | | | | | | Extend DPP authentication session search for the DPP_QR_CODE command to cover the ongoing exchanges in Controller/Responder. This was previously done for wpa_supplicant, but not for hostapd, so complete this support on the hostapd side. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Controller support in hostapdJouni Malinen2020-08-252-0/+40
| | | | | | | | Extend hostapd support for DPP Controller to cover the DPP_CONTROLLER_* cases that were previously implemented only in wpa_supplicant. This allows hostapd/AP to be provisioned using DPP over TCP. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Do not add DH Params element in AssocResp with PMKSA cachingChittur Subramanian Raman2020-08-221-1/+2
| | | | | | | | | | | | | | | | As per RFC 8110 (Opportunistic Wireless Encryption), if the AP has the PMK identified by the PMKID and wishes to perform PMK caching, it will include the PMKID in the Association Response frame RSNE but does not include the Diffie-Hellman Parameter element. This was already addressed for most cases with owe_process_assoc_req() not setting sta->owe_ecdh in case PMKSA caching is used. However, it was possible to an old STA entry to maintain the initial sta->owe_ecdh value if reassociation back to the same AP was used to initiate the PMKSA caching attempt. Cover that case by adding an explicit check for the time when the Association Response frame is being generated. Signed-off-by: Chittur Subramanian Raman <craman@maxlinear.com>
* DPP: Add process_conf_obj into TCP connection data structJouni Malinen2020-08-141-1/+21
| | | | | | | This is needed to avoid issues with hostapd not having set this function pointer in dpp_global. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add msg_ctx into TCP connection data structJouni Malinen2020-08-141-1/+1
| | | | | | | This is needed to avoid issues with hostapd not having set msg_ctx in dpp_global. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: hostapd/AP as Enrollee/Initiator over TCPJouni Malinen2020-08-141-14/+45
| | | | | | | Extend DPP support in hostapd to allow AP Enrollee role when initiating the exchange using TCP. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Derive seg0_idx and seg1_idx for 6 GHz when processing channel switchRohan2020-08-131-2/+11
| | | | | | | | | | The function hostapd_event_ch_switch() derived the seg0_idx and seg1_idx values only for the 5 GHz and 2.4 GHz bands and the 6 GHz case ended up using incorrect calculation based on the 5 GHz channel definitions. Fix this by adding support for 6 GHz frequencies. Signed-off-by: Rohan <drohan@codeaurora.org>
* DPP2: Add E-id in Reconfig AnnouncementJouni Malinen2020-08-071-3/+7
| | | | | | | | | Add an encrypted Enrollee identifier into Reconfig Announcement frames and decrypt that on the Configurator side. The actual E-id value is currently not used for anything, but it can be used in the future to provide better control over reconfiguration. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Add Enrollee netAccessKey group into Reconfig AnnouncementJouni Malinen2020-08-071-3/+14
| | | | | | | | | | This was added to the protocol design to support cases where the C-sign-key uses a different group than the netAccessKey. The Enrollee now indicates its netAccessKey group in Reconfig Announcement and the Configurator builds it own reconfig Connector using that group instead of the group used for the C-sign-key. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Allow SAE-PK style wpa_passphrase if SAE-PK is enabled with sameJouni Malinen2020-08-061-2/+6
| | | | | | | | This prevents use of a SAE-PK style password as the WPA-PSK passphrase only if the same password is not also enabled through sae_password for use with SAE-PK. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Rename temporary blocking of nonresponsive R0KHJouni Malinen2020-07-241-2/+2
| | | | | | Avoid use of the "blacklist" term here to reduce undesired connotations. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow HE-without-VHT to add the Channel Switch Wrapper elementMuna Sinada2020-06-102-3/+10
| | | | | | | | | | Modify the check for VHT to include an option for HE in hostapd_eid_wb_chsw_wrapper() and its callers to allow the Channel Switch Wrapper element with the Wide Bandwidth Channel Switch subelement to be included in Beacon and Probe Response frames when AP is operating in HE mode without VHT. Signed-off-by: Muna Sinada <msinada@codeaurora.org>
* Move hostapd_eid_wb_chsw_wrapper() to non-VHT-specific fileMuna Sinada2020-06-102-53/+52
| | | | | | | | | Move hostapd_eid_wb_chsw_wrapper() from VHT specific ieee802_11_vht.c to ieee802_11.c since this can be used for both HE and VHT. This commit does not change any functionality to enable the HE use case, i.e., the function is just moved as-is. Signed-off-by: Muna Sinada <msinada@codeaurora.org>
* AP: Reject association request upon invalid HE capabilitiesRajkumar Manoharan2020-06-101-0/+7
| | | | | | | | Operation in the 6 GHz band mandates valid HE capabilities element in station negotiation. Reject association request upon receiving invalid or missing HE elements. Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
* AP: Restrict Vendor VHT to 2.4 GHz onlyRajkumar Manoharan2020-06-101-1/+3
| | | | | | | | | Vendor VHT IE is used only on the 2.4 GHz band. Restrict the use of vendor VHT element to 2.4 GHz. This will ensure that invalid/wrong user configuration will not impact beacon data in other than the 2.4 GHz band. Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
* HE: Use device HE capability instead of HT/VHT for 6 GHz IEsRajkumar Manoharan2020-06-101-27/+8
| | | | | | | | | | | | Previously, 6 GHz Band Capability element was derived from HT and VHT capabilities of the device. Removes such unnecessary dependency by relying directly on the HE capability. In addition, clean up the struct ieee80211_he_6ghz_band_cap definition to use a 16-bit little endian field instead of two 8-bit fields to match the definition in P802.11ax. Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
* SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) groupJouni Malinen2020-06-101-31/+4
| | | | | | | | | This was clarified in the draft specification to not be a mandatory requirement for the AP and STA to enforce, i.e., matching security level is a recommendation for AP configuration rather than a protocol requirement. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Move local TX queue parameter parser into a common fileSubrat Dash2020-06-081-9/+0
| | | | | | | This allows the same implementation to be used for wpa_supplicant as well. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Testing functionality to allow behavior overridesJouni Malinen2020-06-083-0/+22
| | | | | | | | The new sae_commit_status and sae_pk_omit configuration parameters and an extra key at the end of sae_password pk argument can be used to override SAE-PK behavior for testing purposes. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow transition_disable updates during the lifetime of a BSSJouni Malinen2020-06-072-0/+10
| | | | | | | This is mainly for testing purposes to allow more convenient checking of station behavior when a transition mode is disabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Move H2E and PK flags to main sae_dataJouni Malinen2020-06-062-8/+8
| | | | | | | | | This maintains knowledge of whether H2E or PK was used as part of the SAE authentication beyond the removal of temporary state needed during that authentication. This makes it easier to use information about which kind of SAE authentication was used at higher layer functionality. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: AP functionalityJouni Malinen2020-06-027-24/+185
| | | | | | | | This adds AP side functionality for SAE-PK. The new sae_password configuration parameters can now be used to enable SAE-PK mode whenever SAE is enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Extend SAE functionality for AP validationJouni Malinen2020-06-021-1/+1
| | | | | | | | | This adds core SAE functionality for a new mode of using SAE with a specially constructed password that contains a fingerprint for an AP public key and that public key being used to validate an additional signature in SAE confirm from the AP. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Allow OCI channel to be overridden for testing (AP)Jouni Malinen2020-05-297-7/+115
| | | | | | | | | Add hostapd configuration parameters oci_freq_override_* to allow the OCI channel information to be overridden for various frames for testing purposes. This can be set in the configuration and also updated during the runtime of a BSS. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OSEN: Do not send the actual BIGTK to OSEN STAsJouni Malinen2020-05-292-3/+31
| | | | | | | | OSEN STAs are not authenticated, so do not send the actual BIGTK for them so that they cannot generate forged protected Beacon frames. This means that OSEN STAs cannot enable beacon protection. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Do not expose GTK/IGTK in FT Reassociation Response frame in OSENJouni Malinen2020-05-291-5/+37
| | | | | | | | | | | Do not include the actual GTK/IGTK value in FT protocol cases in OSEN or with DGAF disabled (Hotspot 2.0). This was already the case for the EAPOL-Key cases of providing GTK/IGTK, but the FT protocol case was missed. OSEN cannot really use FT, so that part is not impacted, but it would be possible to enable FT in a Hotspot 2.0 network that has DGAF disabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WNM: Do not expose GTK/IGTK in WNM Sleep Mode Response frame in OSENJouni Malinen2020-05-291-0/+18
| | | | | | | | | Do not include the actual GTK/IGTK value in WNM Sleep Mode Response frame if WNM Sleep Mode is used in OSEN or in a network where use of GTK is disabled. This was already the case for the EAPOL-Key cases of providing GTK/IGTK, but the WNM Sleep Mode exit case was missed. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: Skip beacon update of transition BSS if it is not yet enabledHu Wang2020-05-261-0/+7
| | | | | | | | | | | | | | | | When a single hostapd process manages both the OWE and open BSS for transition mode, owe_transition_ifname can be used to clone the transition mode information (i.e., BSSID/SSID) automatically. When both BSSs use ACS, the completion of ACS on the 1st BSS sets state to HAPD_IFACE_ENABLED and the OWE transition mode information is updated for all the other BSSs. However, the 2nd BSS is still in the ACS phase and the beacon update messes up the state for AP startup and prevents proper ACS competion. If 2nd BSS is not yet enabled (e.g., in ACS), skip beacon update and defer OWE transition information cloning until the BSS is enabled. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Disconnect STAs that do not use SA Query after CSAJouni Malinen2020-05-255-2/+54
| | | | | | | | Verify that all associated STAs that claim support for OCV initiate an SA Query after CSA. If no SA Query is seen within 15 seconds, deauthenticate the STA. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Report validation errors for (Re)Association Request framesJouni Malinen2020-05-252-0/+10
| | | | | | | Add the OCV-FAILURE control interface event to notify upper layers of OCV validation issues in FT and FILS (Re)Association Request frames. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Report validation errors for EAPOL-Key messages in AP modeJouni Malinen2020-05-253-1/+14
| | | | | | | Add the OCV-FAILURE control interface event to notify upper layers of OCV validation issues in EAPOL-Key msg 2/4 and group 2/2. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Report validation errors for SA Query Request/Response in AP modeJouni Malinen2020-05-251-1/+6
| | | | | | | | Add a new OCV-FAILURE control interface event to notify upper layers of OCV validation issues. This commit adds this for SA Query processing in AP mode. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Move "OCV failed" prefix to callersJouni Malinen2020-05-255-8/+10
| | | | | | | | | Make reporting of OCV validation failure reasons more flexible by removing the fixed prefix from ocv_verify_tx_params() output in ocv_errorstr so that the caller can use whatever prefix or encapsulation that is most appropriate for each case. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Debug print PMK-R0/R1 and PMKR0/R1Name in the helper functionsJouni Malinen2020-05-232-18/+1
| | | | | | There is no need to have all callers debug print these separately. Signed-off-by: Jouni Malinen <j@w1.fi>
* HE: Process HE 6 GHz band capab from associating HE STARajkumar Manoharan2020-05-177-2/+45
| | | | | | | Process HE 6 GHz band capabilities in (Re)Association Request frames and pass the information to the driver. Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
* HE: Add 6 GHz Band Capabilities element in Beacon and response framesRajkumar Manoharan2020-05-174-0/+58
| | | | | | | | | Construct HE 6 GHz Band Capabilities element (IEEE 802.11ax/D6.0, from HT and VHT capabilities and add it to Beacon, Probe Response, and (Re)Association Response frames when operating on the 6 GHz band. Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
* ACS: Channel selection based freqlistneo_jou2020-05-161-0/+20
| | | | | | When doing ACS, check freqlist also if it is specified. Signed-off-by: neojou <neojou@gmail.com>
* Rename WPA_ALG_IGTK to use the correct cipher name for BIPJouni Malinen2020-05-161-1/+1
| | | | | | | | | IGTK is the key that is used a BIP cipher. WPA_ALG_IGTK was the historical name used for this enum value when only the AES-128-CMAC based BIP algorithm was supported. Rename this to match the style used with the other BIP options. Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Extend RESET_PN for BIGTKJohannes Berg2020-05-162-5/+18
| | | | | | | Extend the RESET_PN command to allow resetting the BIGTK PN for testing. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* Ignore Management frames while AP interface is not fully enabledJouni Malinen2020-05-161-0/+5
| | | | | | | | | | | | It is possible for drivers to report received Management frames while AP is going through initial setup (e.g., during ACS or DFS CAC). hostapd and the driver is not yet ready for actually sending out responses to such frames at this point and as such, it is better to explicitly ignore such received frames rather than try to process them and have the response (e.g., a Probe Response frame) getting dropped by the driver as an invalid or getting out with some incorrect information. Signed-off-by: Jouni Malinen <j@w1.fi>
* Move deauthentication at AP start to be after beacon configurationJouni Malinen2020-05-161-2/+16
| | | | | | | | | | | | | | | This allows nl80211-based drivers to get the frame out. The old earlier location resulted in the driver operation getting rejected before the kernel was not ready to transmit the frame in the BSS context of the AP interface that has not yet been started. While getting this broadcast Deauthentication frame transmitted at the BSS start is not critical, it is one more chance of getting any previously associated station notified of their previous association not being valid anymore had they missed previous notifications in cases where the AP is stopped and restarted. Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove unnecessary key clearing at AP start with nl80211Jouni Malinen2020-05-163-1/+9
| | | | | | | cfg80211 takes care of key removal when link/association is lost, so there is no need to explicitly clear old keys when starting AP. Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP2: Chirping in hostapd EnrolleeJouni Malinen2020-05-133-0/+338
| | | | | | | | | | | | Add a new hostapd control interface command "DPP_CHIRP own=<BI ID> iter=<count>" to request chirping, i.e., sending of Presence Announcement frames, to be started. This follows the model of similar wpa_supplicant functionality from commit 562f77144cd2 ("DPP2: Chirping in wpa_supplicant Enrollee"). The hostapd case requires the AP to be started without beaconing, i.e., with start_disabled=1 in hostapd configuration, to allow iteration of channels needed for chirping. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Handle hostapd_for_each_interface() at the process terminationJouni Malinen2020-05-131-0/+2
| | | | | | | | | | Clean struct hapd_interfaces pointers and interface count during deinitialization at the end of theh ostapd process termination so that a call to hostapd_for_each_interface() after this does not end up dereferencing freed memory. Such cases do not exist before this commit, but can be added after this, e.g., for DPP needs. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>