Commit message | Author | Age | Files | Lines
* FST: Fix a compiler warning | Jouni Malinen | 2016-03-20 | 1 | -1/+2
  FST_MAX_PRIO_VALUE is unsigned (u32) and some gcc versions warn about comparison to long int val at least on 32-bit builds. Get rid of this warning by typecasting val to unsigned long int after having verified that it is positive.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix nfc_pw_token build with CONFIG_FST=y | Jouni Malinen | 2016-03-20 | 1 | -0/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Add CONFIG_VLAN_NETLINK=y to hostapd build configuration | Jouni Malinen | 2016-03-20 | 1 | -0/+1
  This is needed for ap_vlan_tagged_wpa2_radius_id_change to pass. The ioctl-based vlan_add() function does not use the vlan_if_name parameter at all.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Use appropriate BLOCKED state duration | Masashi Honma | 2016-03-20 | 2 | -9/+5
  Previously, BLOCKED state duration slightly increased up to 3600. Though the BLOCKED state could be canceled by ap_handle_timer(). Because the timer times out in ap_max_inactivity (default=300sec) and removes STA objects (the object retains BLOCKED state). This patch re-designs my commit bf51f4f82bdb50356de5501acac53fe1b91a7b86 ('mesh: Fix remaining BLOCKED state after SAE auth failure') to replace mesh_auth_block_duration by ap_max_inactivity and remove incremental duration.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* tests: Secure mesh network and PMKSA caching | Jouni Malinen | 2016-03-20 | 1 | -0/+158
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: PMKSA cache control interface operations | Jouni Malinen | 2016-03-20 | 2 | -0/+58
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Add support for PMKSA caching | Masashi Honma | 2016-03-20 | 13 | -18/+147
  This patch adds functionality of mesh SAE PMKSA caching. If the local STA already has peer's PMKSA entry in the cache, skip SAE authentication and start AMPE with the cached value.
  If the peer does not support PMKSA caching or does not have the local STA's PMKSA entry in the cache, AMPE will fail and the PMKSA cache entry of the peer will be removed. Then STA retries with ordinary SAE authentication.
  If the peer does not support PMKSA caching and the local STA uses no_auto_peer=1, the local STA cannot retry SAE authentication because NEW_PEER_CANDIDATE event cannot start SAE authentication when no_auto_peer=1. So this patch extends MESH_PEER_ADD command to use duration(sec). Throughout the duration, the local STA can start SAE authentication triggered by NEW_PEER_CANDIDATE even though no_auto_peer=1.
  This commit requires commit 70c93963edefa37ef84b73efb9d04ea10268341c ('SAE: Fix PMKID calculation for PMKSA cache'). Without that commit, chosen PMK comparison will fail.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* PMKSA: Flush AP/mesh PMKSA cache by PMKSA_FLUSH command | Masashi Honma | 2016-03-20 | 11 | -1/+65
  This extends the wpa_supplicant PMKSA_FLUSH control interface command to allow the PMKSA list from the authenticator side to be flushed for AP and mesh mode. In addition, this adds a hostapd PMKSA_FLUSH control interface command to flush the PMKSA entries.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* PMKSA: Show AP/mesh PMKSA list in PMKSA command | Masashi Honma | 2016-03-20 | 11 | -2/+132
  This extends the wpa_supplicant PMKSA control interface command to allow the PMKSA list from the authenticator side to be listed for AP and mesh mode. In addition, this adds a hostapd PMKSA control interface command to show the same list for the AP case.
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Add MESH_PEER_ADD command | Masashi Honma | 2016-03-20 | 6 | -0/+77
  This allows a mesh peer connection to be initiated manually in no_auto_peer mesh networks.
  Signed-off-by: Natsuki Itaya <Natsuki.Itaya@jp.sony.com>
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* mesh: Add MESH_PEER_REMOVE command | Masashi Honma | 2016-03-20 | 6 | -2/+56
  This command allows the specified mesh peer to be disconnected.
  Signed-off-by: Natsuki Itaya <Natsuki.Itaya@jp.sony.com>
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* P2P: Advertise IP Address Allocation only if it is enabled on GO | Jouni Malinen | 2016-03-20 | 3 | -1/+10
  This group capability bit was previously added unconditionally which could result in the P2P Client assuming the functionality is available even though the GO would always reject the request (not reply to it with an assigned IP address) during the 4-way handshake. Fix this by advertising the capability only if the GO configuration allows IP address assignment to be completed.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* BSD: Only down the interface once we are sure we can work with it | Roy Marples | 2016-03-20 | 1 | -4/+4
  Signed-off-by: Roy Marples <roy@marples.name>
* Handle OSEN IE in Assoc Request info if req_ies exists | Daisuke Niwa | 2016-03-20 | 1 | -0/+2
  The 4-way handshake fails with the error "WPA: No wpa_ie set - cannot generate msg 2/4" while connecting to OSEN network with drivers that indicate used Association Request frame elements because OSEN IE is not handled in wpa_supplicant_event_associnfo() if data->assoc_info.req_ies is not NULL.
  Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
* tests: Return result from WpaSupplicant::global_request() in all cases | Jouni Malinen | 2016-03-20 | 1 | -1/+1
  The no self.global_iface case was not returning the result from the self.request() case. While this is not really a path that is supposed to be used, make it return the response since it is at least theoretically possible to get here.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Fix error path in if_indices_reason reallocation | Jouni Malinen | 2016-03-18 | 1 | -1/+1
  Commit 732b1d20ec06ab92fd22dbdea4609a6528bcf50a ('nl80211: Clean up ifidx properly if interface in a bridge is removed') added drv->if_indices_reason array similarly to the previously used drv->if_indices. However, it had a copy-paste error here on the error path where a reallocation failure after at least one successful reallocation would result in the drv->if_indices being overridden instead of restoring drv->if_indices_reason to the old value. Fix this by setting the correct variable on the error path. (CID 138514)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: wpa_supplicant AP mode - open network and HT disabled | Jouni Malinen | 2016-03-18 | 1 | -0/+15
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* nl80211: Do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled | Jouni Malinen | 2016-03-18 | 1 | -17/+19
  SMPS mode is applicable only for HT and including an attribute to configure it when HT is disabled could result in the AP start operation failing. Fix this by adding the attribute only in cases where HT is enabled.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Assign QCA vendor command and attribute for Tx/Rx aggregation | Sunil Dutt | 2016-03-17 | 1 | -0/+19
  Assign nl80211 vendor command QCA_NL80211_VENDOR_SUBCMD_SET_TXRX_AGGREGATION and corresponding attributes.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* libxml2: Check for xmlDocDumpFormatMemory() error case | Jouni Malinen | 2016-03-16 | 1 | -0/+2
  Since this function needs to allocate memory, it might fail. Check that the returned memory pointer is not NULL before trying to parse the output.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr() | Jouni Malinen | 2016-03-16 | 1 | -1/+2
  While this function could return NULL if the parameter issued to it were NULL, that does not really happen here. Anyway, since this can result in a warning from a static analyzer that can see the return NULL without fully understanding what it means here, check the return value explicitly against NULL to avoid false warnings.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hs20-osu-client: Fix pol_upd command line parsing | Jouni Malinen | 2016-03-16 | 1 | -6/+3
  This command was documented as having the Server URL parameter as optional, but the implementation did not match that. Allow this parameter to be left out.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hs20-osu-client: Remove dead code from sub_rem command line parsing | Jouni Malinen | 2016-03-16 | 1 | -8/+3
  The error print could not have been reached since the exact same condition was verified above and exit(0) is called if the command line is invalid.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: EAP-SIM and check fast reauth with bssid change | Jouni Malinen | 2016-03-16 | 1 | -0/+41
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Do not invalidate EAP session cache on all network block parameter changes | Jouni Malinen | 2016-03-16 | 1 | -7/+9
  The bssid and priority parameters in a network block do not have any effect on the validity of an EAP session entry, so avoid flushing the cached session when only these parameters are changed. This is mainly to allow forced roaming or network selection changes without causing fast reauthentication to be disabled if the changes are done during RSN association that used EAP.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wlantest: Fix bip_protect() memory allocation | Jouni Malinen | 2016-03-14 | 1 | -1/+1
  The addition operator is of higher precedence than the ternary conditional and the construction here needs to use parentheses to calculate the buffer length properly when generating test frames with BIP protection.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Interworking: Add credential realm to EAP-TLS identity | Jouni Malinen | 2016-03-11 | 1 | -1/+18
  If the configured credential includes a username without '@' (i.e., no realm) in it and a realm, combine these to form the EAP-Request/Identity value as "<username>@<realm>" for EAP-TLS. This was already done for EAP-TTLS as part of the anonymous NAI conversion, but EAP-TLS could have ended up using a username without any realm information which would be unlikely to work properly with roaming cases.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Accept "user@example.com" as user identity similarly to "user" | Jouni Malinen | 2016-03-11 | 1 | -0/+1
  This is needed to allow updated Interworking behavior that adds the realm to the EAP-Response/Identity value.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* nl80211: Support network hierarchy of a master interface under bridge | Dedy Lansky | 2016-03-09 | 1 | -0/+8
  Since commit cb05808c46539922cf02e9e8527a062e90637ff9 ('nl80211: Generic Linux master interface support for hostapd'), hostapd is listening for EAPOL frames on any master which the interface is enslaved under. This commit allows hostapd to support network hierarchy in which the interface is enslaved under some master which in turn is enslaved under a bridge.
  Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
* tests: Set ocsp_stapling_response_multi in as2.conf | Jouni Malinen | 2016-03-09 | 1 | -0/+1
  This keeps the as.conf and as2.conf more consistent.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Fix root_ocsp() for multi-OCSP test cases | Jouni Malinen | 2016-03-09 | 1 | -22/+3
  Incorrect path and file name was used in the openssl command to generate one of the OCSP responses. Also fix ap_wpa2_eap_tls_intermediate_ca_ocsp_multi to expect success rather than failure due to OCSP response. Based on the test description, this was supposed to succeed, but apparently that root_ocsp() bug prevented this from happening.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Reserve QCA vendor specific nl80211 commands 116..118 | Jouni Malinen | 2016-03-08 | 1 | -0/+1
  These are reserved for QCA use.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Handle running out of DFS channels | Zefir Kurtisi | 2016-03-08 | 1 | -4/+10
  In scenarios where only DFS channels are available (e.g., outdoor, special country codes), hostapd must be able to handle situations where all are unavailable. The two possibilities to get there are
  1) while operating on the last available DFS channel a radar is detected
  2) hostapd is started while all channels are unavailable
  In both cases, hostapd instead of terminating should better wait for the NOPs to pass and re-try operation after the CAC.
  This patch provides that feature by using the condition (iface->state == HAPD_IFACE_DFS && !iface->cac_started) as NOP mode signature to retry operation from within hostapd_dfs_nop_finished().
  Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
* FST: Fix session setup failure with peer without MB IE | Dedy Lansky | 2016-03-07 | 1 | -1/+1
  Upon receiving FST setup request on old band, the peer is searched on new band. The assumption is that MB IE from this peer on new band previously received either in assoc event or in FST setup request.
  There are cases in which above assumption doesn't work, peer is not found and session setup fails. For example:
  - STA connects over 11ac. Due to driver limitation, MB IE is not included in assoc event
  - STA connects over 11ad. MB IE included in assoc event.
  - FST session established on 11ac band, with AP as initiator. i.e. FST setup request sent in AP=>STA direction. STA searches for peer's (AP) MB IE on 11ad band which exists.
  - FST switch occurs
  - FST session established on 11ad band, with STA as initiator. i.e. FST setup request sent in STA=>AP direction. AP searches for peer's (STA) MB IE on 11ac band which are absent.
  For fixing the above, consider also peers without MB IE as candidates in the search algorithm.
  Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
* P2P: Add optional op_class argument to P2P_SET listen_channel | Lior David | 2016-03-07 | 2 | -3/+15
  The existing implementation in p2p_ctrl_set used a hard-coded operating class 81 which is only suitable for the social channels in the 2.4 GHz band, and will not work for the social channel in the 60 GHz band. Extend this by adding an optional op_class argument to P2P_SET listen_channel. If not specified, use the default value of 81 to match existing behavior.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* P2P: Adjust service discovery maximum fragment size for 60 GHz | Lior David | 2016-03-07 | 1 | -4/+16
  In the 60 GHz band, service discovery management frames are sent over the control PHY and have a smaller maximum frame size (IEEE Std 802.11ad-2012, Fix the code to use sufficiently small fragment size when operating in the 60 GHz band. The 60 GHz fragment size (928) is derived from the maximum frame size for control PHY (1023) and subtracting 48 bytes of header size, and some spare so we do not reach frames with the absolute maximum size.
  Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* tests: Add tests for HS 2.0 frame filtering | Johannes Berg | 2016-03-07 | 2 | -4/+221
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* tests: Add a test for mesh gate forwarding | Bob Copeland | 2016-03-07 | 1 | -0/+51
  This test checks that mesh nodes forward frames for unknown destinations to the mesh gates.
  Signed-off-by: Bob Copeland <me@bobcopeland.com>
* tests: D-Bus AssocStatusCode | Jouni Malinen | 2016-03-06 | 1 | -0/+51
  Signed-off-by: Jouni Malinen <j@w1.fi>
* D-Bus: Add association response status code property for failure cases | Naveen Singh | 2016-03-06 | 9 | -0/+52
  (Re)Association Response frame with status code other than 0 is now notified over DBUS as a part of PropertiesChanged signal. This can be used by application in case AP is denying association with status code 17 (band steering) so that it does not interfere in the BSSID selection logic of wpa_supplicant.
  Signed-off-by: Naveen Singh <nasingh@google.com>
* hostapd: Use ifname of the current context in debug messages | Eliad Peller | 2016-03-06 | 1 | -3/+2
  In case of multiple BSS configuration, return the current interface name, instead of the first one.
  Signed-off-by: Eliad Peller <eliad@wizery.com>
* hostapd: Allow use of driver-generated interface addresses | Eliad Peller | 2016-03-06 | 4 | -7/+26
  Add a new 'use_driver_iface_addr' configuration parameter to allow use of the default interface address generated by the driver on interface creation. This can be useful when specific MAC addresses were allocated to the device and we want to use them for multi-BSS operation.
  Signed-off-by: Eliad Peller <eliad@wizery.com>
* AP: Save EAPOL received before Association Response ACK | Eliad Peller | 2016-03-06 | 3 | -0/+62
  There is a race condition in which AP might receive the EAPOL-Start frame (from the just-associated station) before the TX completion of the Association Response frame. This in turn will cause the EAPOL-Start frame to get dropped, and potentially failing the connection.
  Solve this by saving EAPOL frames from authenticated-but-not-associated stations, and handling them during the Association Response frame TX completion processing.
  Signed-off-by: Eliad Peller <eliad@wizery.com>
* tests: Add hostapd.py helpers for various radio parameters | Janusz Dziedzic | 2016-03-05 | 1 | -0/+49
  Add support for generating hostapd parameters for b_only/g_only/a_only/HT20/HT40/VHT80.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
* tests: Add terminate support for hostapd/wpa_supplicant | Janusz Dziedzic | 2016-03-05 | 2 | -0/+27
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
* wpaspy: Add support for TERMINATE command | Janusz Dziedzic | 2016-03-05 | 1 | -0/+10
  This can be used to terminate the wpa_supplicant/hostapd process.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
* tests: Add HostapdGlobal.get_ctrl_iface_port() | Janusz Dziedzic | 2016-03-05 | 1 | -3/+25
  This adds a method to get the UDP port for an interface.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
* tests: Add UDP ctrl_iface support to hostapd.py | Janusz Dziedzic | 2016-03-05 | 1 | -17/+29
  Allow use of a remote host using wpaspy.Ctrl with UDP ctrl_iface support.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
* tests: Add UDP ctrl_iface support to wpasupplicant.py | Janusz Dziedzic | 2016-03-05 | 1 | -8/+39
  Allow use of a remote host using wpaspy.Ctrl with UDP ctrl_iface support.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
* wpaspy: Add support for UDP connection | Janusz Dziedzic | 2016-03-05 | 2 | -18/+67
  hostname and port can now be specified when using wpaspy.Ctrl, so we can connect to remote clients now.
  This can also be tested using test.py application with ./test.py <hostname> <port>
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>