path: root/src/ap
Commit message | Author | Age | Files | Lines
* hostapd: Update DFS status in VHT80+80 mode (HEAD, pending, master) | Lei Wang | 2 days | 1 | -0/+11
  Update center frequency and center frequency2's DFS channel status in VHT80+80 mode. Otherwise it will cause the AP to fail to start on a DFS channel.
  Tested: qca9984 with firmware ver 10.4-3.10-00047
  Signed-off-by: Rick Wu <rwu@codeaurora.org>
  Signed-off-by: Lei Wang <leiwa@codeaurora.org>
* Fix status code in SAE/DPP association PMKID mismatch (driver-AP-SME) | Jouni Malinen | 4 days | 1 | -0/+3
  wpa_validate_wpa_ie() was already extended to cover these cases with the WPA_INVALID_PMKID return value, but hostapd_notif_assoc() did not have code for mapping this into the appropriate status code (STATUS_INVALID_PMKID) and ended up using the default (WLAN_STATUS_INVALID_IE) instead. This caused AP SME-in-driver cases to return an incorrect status code when the AP did not have a matching PMKSA cache entry. This could result in unexpected station behavior where the station could continue trying to use a PMKSA cache entry that the AP does not have and not be able to recover from this.
  Fix this by adding the previously missed mapping of validation errors to status/reason codes.
  Fixes: 567da5bbd027 ("DPP: Add new AKM")
  Fixes: 458d8984de1d ("SAE: Reject request with mismatching PMKID (no PMKSA cache entry)")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* nl80211: Add STA node details in AP through QCA vendor subcommand | Shiva Sankar Gajula | 2019-10-25 | 2 | -3/+13
  Add STA node details in AP through the QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE when processing FT protocol roaming.
  Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
* SAE: Determine H2E vs. looping when restarting SAE auth in AP mode | Jouni Malinen | 2019-10-25 | 1 | -10/+20
  If hostapd had existing STA SAE state, e.g., from a previously completed SAE authentication, a new start of a separate SAE authentication (i.e., receiving of a new SAE commit) ended up using some of the previous state. This is problematic for determining whether to use H2E vs. looping since the STA is allowed (even if not really expected) to change between these two alternatives. This could result in trying to use H2E when the STA was using looping to derive the PWE and that would result in SAE confirm failing.
  Fix this by determining whether to use H2E or looping for the restarted authentication based on the Status Code in the new SAE commit message instead of previously cached state information.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HE: Add 11ax info to ap mode ctrl iface STATUS command | Pradeep Kumar Chitrapu | 2019-10-25 | 2 | -1/+18
  Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
* Fix AP Extended Capability length determination | Jouni Malinen | 2019-10-25 | 1 | -4/+12
  The IE minimum length determination in hostapd_eid_ext_capab() was not fully up to date with the hostapd_ext_capab_byte() conditions. This could result in omitting some of the capability octets depending on configuration. Fix this by adding the missing conditions.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT-SAE: Add RSNXE into FT MIC | Jouni Malinen | 2019-10-18 | 1 | -0/+17
  Protect RSNXE, if present, in FT Reassociation Request/Response frames. This is needed for SAE H2E with FT.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add RSNXE into (Re)Association Response frames | Jouni Malinen | 2019-10-18 | 4 | -0/+26
  Add the new RSNXE into (Re)Association Response frames if any of the capability bits is nonzero.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Merge wpa_supplicant and hostapd EAPOL-Key KDE parsers | Jouni Malinen | 2019-10-18 | 2 | -183/+0
  Use a single struct definition and a single shared implementation for parsing EAPOL-Key KDEs and IEs instead of maintaining more or less identical functionality separately for wpa_supplicant and hostapd.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Verify that STA negotiated H2E if it claims to support it | Jouni Malinen | 2019-10-18 | 2 | -0/+26
  If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in the AP configuration, require H2E to be used.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RSN: Verify RSNXE match between (Re)AssocReq and EAPOL-Key msg 2/4 | Jouni Malinen | 2019-10-17 | 1 | -0/+16
  If the STA advertises the RSN Extension element, it has to be advertised consistently in the unprotected ((Re)Association Request) and protected (EAPOL-Key msg 2/4) frames. Verify that this is the case.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add RSNXE into AP KDE parser | Jouni Malinen | 2019-10-17 | 2 | -0/+5
  This is needed for the SAE hash-to-element implementation.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Store a copy of Association Request RSNXE in AP mode for later use | Jouni Malinen | 2019-10-17 | 6 | -1/+27
  This is needed to be able to compare the received RSNXE to a protected version in EAPOL-Key msg 2/4.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Publish only HE capabilities and operation IEs on 6 GHz band | Andrei Otcheretianski | 2019-10-15 | 5 | -8/+36
  When operating on the 6 GHz band, add 6 GHz Operation Information inside the HE Operation element and don't publish HT/VHT IEs.
  Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
  - Replace HOSTAPD_MODE_IEEE80211AX mode checks with is_6ghz_op_class()
  Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
* AP: Add op_class config item to specify 6 GHz channels uniquely | Liangwei Dong | 2019-10-15 | 2 | -0/+7
  Add hostapd config option "op_class" for fixed channel selection along with the existing "channel" option. The "op_class" and "channel" config options together can specify channels across the 2.4 GHz, 5 GHz, and 6 GHz bands uniquely.
  Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
  Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
* SAE: Check that peer's rejected groups are not enabled in AP | Jouni Malinen | 2019-10-15 | 1 | -0/+53
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: H2E version of SAE commit message handling for AP | Jouni Malinen | 2019-10-15 | 1 | -13/+43
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Derive H2E PT in AP when starting the AP | Jouni Malinen | 2019-10-15 | 2 | -0/+50
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Advertise Extended RSN Capabilities when H2E is enabled | Jouni Malinen | 2019-10-15 | 2 | -0/+26
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Advertise BSS membership selector for H2E-only case | Jouni Malinen | 2019-10-15 | 1 | -0/+15
  If hostapd is configured to enable only the hash-to-element version of SAE PWE derivation (sae_pwe=1), advertise the BSS membership selector to indicate this.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Add sae_pwe configuration parameter for hostapd | Jouni Malinen | 2019-10-15 | 3 | -0/+3
  This parameter can be used to specify which PWE derivation mechanism(s) is enabled. This commit is only introducing the new parameter; actual use of it will be addressed in separate commits.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Tell sae_parse_commit() whether H2E is used | Jouni Malinen | 2019-10-14 | 1 | -1/+2
  This will be needed to help parsing the received SAE commit.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Allow AP behavior for SAE Confirm to be configured | Jouni Malinen | 2019-10-10 | 2 | -7/+11
  hostapd is by default waiting for the STA to send SAE Confirm before sending its own SAE Confirm. This can now be configured with sae_confirm_immediate=1, resulting in hostapd sending out SAE Confirm immediately after sending SAE Commit. These are the two different message sequences:

  sae_confirm_immediate=0
  STA->AP: SAE Commit
  AP->STA: SAE Commit
  STA->AP: SAE Confirm
  AP->STA: SAE Confirm
  STA->AP: Association Request
  AP->STA: Association Response

  sae_confirm_immediate=1
  STA->AP: SAE Commit
  AP->STA: SAE Commit
  AP->STA: SAE Confirm
  STA->AP: SAE Confirm
  STA->AP: Association Request
  AP->STA: Association Response

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Show EDMG channel info in STATUS output | Alexei Avshalom Lazar | 2019-10-07 | 1 | -0/+4
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* hostapd: Check EDMG configuration against capability | Alexei Avshalom Lazar | 2019-10-07 | 3 | -0/+35
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* hostapd: Check usability of EDMG channel | Alexei Avshalom Lazar | 2019-10-07 | 1 | -0/+64
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* Add EDMG parameters to set_freq functions | Alexei Avshalom Lazar | 2019-10-07 | 5 | -6/+16
  This updates the frequency parameter setting functions to include an argument for EDMG.
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* hostapd: Add EDMG channel configuration parameters | Alexei Avshalom Lazar | 2019-10-07 | 1 | -0/+2
  Add two new configuration parameters for hostapd:
  enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
  edmg_channel: Configure channel bonding for AP mode in the 60 GHz band
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* DPP2: Support multiple Config Objects in Enrollee | Jouni Malinen | 2019-10-01 | 1 | -17/+18
  Process all received DPP Configuration Object attributes from Configuration Result in the Enrollee STA case. If wpa_supplicant is configured to add networks automatically, this results in one network being added for each included Configuration Object.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Provide correct keyid to wpa_send_eapol() for EAPOL-Key msg 3/4 | Alexander Wetzel | 2019-09-19 | 1 | -10/+8
  PTKINITNEGOTIATING in the WPA state machine calls wpa_send_eapol() and hands over the GTK instead of the PTK keyid. Besides a confusing debug message this does not have any negative side effects: the variable is only set to a wrong value when using WPA2, but then it's not used.
  With this patch PTKINITNEGOTIATING sets the PTK keyid unconditionally to zero for EAPOL-Key msg 3/4 and differentiates more obviously between GTK and PTK keyids.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* ACS: Stop before scan if no channels in chanlist are available | Neo Jou | 2019-09-19 | 1 | -0/+6
  When we set "channel=0" in hostapd.conf to enable the ACS function, and set a wrong channel list, e.g., chanlist=222-999 on purpose, hostapd would still start the ACS process to compute the ideal channel, even when there are no available channels with such a configuration. Though there is no problem since hostapd fails to initialize the interface, it spends time going through the scan and the debug log entries may make it more difficult to tell what was behind the failure.
  Thus, check if there are any available channels in acs_request_scan(), and return -1 if there is no available channel; then it will fail at acs_init(), without doing the ACS computation. It will show the following in the log:
  Could not select hw_mode and channel. (-3)
  wlan0: interface state UNINITIALIZED->DISABLED
  Then we can know the setting is incorrect already in hostapd_select_hw_mode(), instead of waiting for the scan callback function to know if the setting is ok for ACS or not. This can save time and help to tell if the setting is correct at the initial function at the first.
  This will also allow the ENABLE control interface command to return FAIL when adding an interface dynamically.
  Signed-off-by: Neo Jou <neojou@gmail.com>
* DPP: Add bandSupport JSON array into config request | Jouni Malinen | 2019-09-18 | 1 | -1/+1
  Indicate supported global operating classes when wpa_supplicant is operating as an Enrollee.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Allow name and mudurl to be configured for Config Request | Jouni Malinen | 2019-09-18 | 3 | -10/+6
  The new hostapd and wpa_supplicant configuration parameters dpp_name and dpp_mud_url can now be used to set a specific name and MUD URL for the Enrollee to use in the Configuration Request. dpp_name replaces the previously hardcoded "Test" string (which is still the default if an explicit configuration entry is not included). dpp_mud_url can optionally be used to add a MUD URL to describe the Enrollee device.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* More consistent SA check for unexpected Data frames | Jouni Malinen | 2019-09-17 | 1 | -2/+4
  Use the same rules for dropping driver notifications for Data frames from unassociated stations as were added for Management frame reception. This results in more consistent behavior in sending out Deauthentication frames with Reason Code 6/7.
  This case was already checking for unexpected multicast addresses, so there was no issue for the PMF protections for unexpected disconnection. Anyway, better avoid unnecessary Deauthentication frames consistently.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP2: Connection status result (Configurator) | Jouni Malinen | 2019-09-16 | 1 | -0/+72
  A new argument to the DPP_AUTH_INIT command (conn_status=1) can now be used to set the Configurator to request a station Enrollee to report the connection result after a successfully completed provisioning step. If the peer supports this, the DPP-CONF-SENT event indicates this with a new argument (wait_conn_status=1) and the Configurator remains waiting for the connection result for up to 16 seconds.
  Once the Enrollee reports the result, a new DPP-CONN-STATUS-RESULT event is generated with arguments result, ssid, and channel_list indicating what the Enrollee reported. result=0 means success while non-zero codes are for various error cases as specified in the DPP tech spec. If no report is received from the Enrollee, the event with "timeout" argument is generated locally.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Remove IAPP functionality from hostapd | Jouni Malinen | 2019-09-11 | 6 | -603/+0
  IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been maintained nor is there any expectation of the withdrawn trial-use recommended practice to be maintained in the future. Furthermore, the implementation of IAPP in hostapd was not complete, i.e., only parts of the recommended practice were included.
  The main item of some real use a long time ago was the Layer 2 Update frame to update bridges when a STA roams within an ESS, but that functionality has, in practice, been moved to kernel drivers to provide better integration with the networking stack.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* AP: Silently ignore management frame from unexpected source address | Jouni Malinen | 2019-09-11 | 2 | -0/+25
  Do not process any received Management frames with unexpected/invalid SA so that we do not add any state for unexpected STA addresses or end up sending out frames to unexpected destinations.
  This prevents unexpected sequences where an unprotected frame might end up causing the AP to send out a response to another device and that other device processing the unexpected response. In particular, this prevents some potential denial of service cases where the unexpected response frame from the AP might result in a connected station dropping its association.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HE: Send the AP's OBSS PD settings to the kernel | John Crispin | 2019-09-10 | 1 | -0/+7
  This allows us to send the OBSS PD settings to the kernel, such that the driver can propagate them to the hardware/firmware.
  Signed-off-by: John Crispin <john@phrozen.org>
* Remove CONFIG_IEEE80211W build parameter | Jouni Malinen | 2019-09-08 | 22 | -138/+4
  Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DFS offload: Fix hostapd state and CAC info in STATUS output | Hu Wang | 2019-09-02 | 1 | -1/+8
  With DFS offloaded to the driver, hostapd state and CAC info were not updated in the DFS-CAC-START event, so STATUS output showed wrong info. Fix this by updating the CAC related state when processing the driver event.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP server: Configurable maximum number of authentication message rounds | Jouni Malinen | 2019-09-01 | 3 | -0/+7
  Allow the previously hardcoded maximum numbers of EAP message rounds to be configured in the hostapd EAP server. This can be used, e.g., to increase the default limits if very large X.509 certificates are used for EAP authentication.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HE: Fix HE Capabilities element size | John Crispin | 2019-08-30 | 1 | -1/+37
  Set the max value of optional bytes inside the data structure. This requires us to calculate the actually used size when copying the HE capabilities and generating the IE.
  Signed-off-by: John Crispin <john@phrozen.org>
  Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
* HS 2.0: Do not add two copies of OSEN element into Beacon/Probe Resp | Jouni Malinen | 2019-08-30 | 1 | -6/+8
  The OSEN element was getting added both through the Authenticator IEs (before some non-vendor elements) and separately at the end of the frames with other vendor elements. Fix this by removing the separate addition of the OSEN element and by moving the Authenticator IE addition for OSEN to match the design used with WPA so that the vendor element gets added in the proper place in the sequence of IEs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0 AP: Do not mandate PMF for HS 2.0 Indication in open OSU network | Jouni Malinen | 2019-08-30 | 1 | -1/+2
  Even though the station is not supposed to include the Hotspot 2.0 Indication element in the Association Request frame when connecting to the open OSU BSS, some station devices seem to do so. With the strict PMF-required-with-Hotspot-2.0-R2 interpretation, such connection attempts were rejected. Relax this to only perform the PMF check if the local AP configuration has PMF enabled, i.e., for the production BSS.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* IEEE 802.1X authenticator: Coding style cleanup | Jouni Malinen | 2019-08-24 | 1 | -138/+149
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Clean up IEEE 802.1X authentication debug messages for EAP code | Jouni Malinen | 2019-08-24 | 1 | -19/+26
  Merge the separate debug print with the text name of the EAP code into the same debug line with the numerical value to clean up the debug log.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS server: Use struct eap_config to avoid duplicated definitions | Jouni Malinen | 2019-08-19 | 2 | -81/+64
  Use struct eap_config as-is within the RADIUS server to avoid having to duplicate all the configuration variables at each interface. This continues cleanup on struct eap_config duplication in hostapd.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Fix eap_teap_pac_no_inner configuration | Jouni Malinen | 2019-08-19 | 1 | -0/+1
  This was not passed correctly to the EAP server code when using the hostapd internal EAP server.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Allow a specific Identity-Type to be requested/required | Jouni Malinen | 2019-08-19 | 3 | -0/+3
  The new hostapd configuration parameter eap_teap_id can be used to configure the expected behavior for the used identity type.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Use struct eap_config to avoid duplicated definitions | Jouni Malinen | 2019-08-18 | 2 | -30/+58
  Use struct eap_config as-is within struct eap_sm and the EAPOL authenticator to avoid having to duplicate all the configuration variables at each interface. Split the couple of session specific variables into a separate struct to allow a single const struct eap_config to be used.
  Signed-off-by: Jouni Malinen <j@w1.fi>