git.ipfire.org Git - thirdparty/hostap.git/log
Sunil Dutt [Tue, 8 Jan 2019 12:21:23 +0000 (17:51 +0530)] 
Clarify documentation of avoid channels expectations

The vendor command QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY was defined
to carry the list of avoid frequencies that aim to avoid any
interference with other coexisting technologies. This recommendation was
followed strictly by trying to prevent WLAN traffic on the impacted
channels.

This commit refines the expectation of the interface by defining this
avoid channel list to allow minimal traffic but not heavier traffic. For
example, P2P may still be able to use avoid list frequencies for P2P
discovery and GO negotiation if the actual group can be set up on a
non-impacted channel.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Wed, 9 Jan 2019 22:47:04 +0000 (00:47 +0200)] 
HS 2.0 server: Log new username in eventlog for cert reenroll

Make it easier to find the new username (and the new serial number from
it) when a user entry is renamed at the conclusion of the client
certificate re-enrollment sequence.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Siva Mullati [Mon, 7 Jan 2019 09:26:24 +0000 (14:56 +0530)] 
HE: Add MU EDCA Parameter Set element (AP)

Add support for configuring parameters for the MU EDCA Parameter Set
element per IEEE P802.11ax/D3.0.

Signed-off-by: Siva Mullati <siva.mullati@intel.com>
Martin Stanislav [Mon, 1 Oct 2018 14:59:03 +0000 (16:59 +0200)] 
eapol_test: Start the identifier at an initial random value

Start the (EAP request) identifier at an initial random value
as recommended by RFC 3748 in section 4.1 Request and Response
on page 21.

Signed-off-by: Martin Stanislav <ms@uakom.sk>
Jouni Malinen [Tue, 8 Jan 2019 11:31:55 +0000 (13:31 +0200)] 
drivers: Set CONFIG_LIBNL32=y automatically based on pkg-config

If the libnl version is not specified explicitly with CONFIG_LIBNL*, try
to check for the most likely case today with pkg-config.

Signed-off-by: Jouni Malinen <j@w1.fi>
Andrey Kartashev [Fri, 14 Sep 2018 09:17:29 +0000 (11:17 +0200)] 
drivers: Move libnl related build flags to separate ifdef block

Fix compilation issue if we want to build wpa_supplicant without any
wireless connectivity but only with MACSec support via Linux kernel
driver.

Signed-off-by: Andrey Kartashev <a.s.kartashev@gmail.com>
Mike Siedzik [Tue, 8 Jan 2019 03:49:54 +0000 (22:49 -0500)] 
mka: New MI should only be generated when peer's key is invalid

Two recent changes to MKA create a situation where a new MI is generated
every time a SAK Use parameter set is decoded.  The first change moved
invalid key detection from ieee802_1x_decode_basic_body() to
ieee802_1x_kay_decode_mpkdu():

  commit db9ca18bbff1 ("mka: Do not ignore MKPDU parameter set decoding failures")

The second change forces the KaY to generate a new MI when an invalid
key is detected:

  commit a8aeaf41df95 ("mka: Change MI if key invalid")

The fix is to move generation of a new MI from the old invalid key
detection location to the new location.

Fixes: a8aeaf41df95 ("mka: Change MI if key invalid")
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Arend van Spriel [Mon, 7 Jan 2019 11:14:41 +0000 (12:14 +0100)] 
nl80211: Indicate 802.1X 4-way handshake offload in connect

Upon issuing a connect request we need to indicate that we want the
driver to offload the 802.1X 4-way handshake for us. Indicate it if
the driver capability supports the offload.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Arend van Spriel [Mon, 7 Jan 2019 11:14:40 +0000 (12:14 +0100)] 
drivers: Add separate driver flags for 802.1X and PSK 4-way HS offloads

Allow drivers to indicate support for offloading 4-way handshake for
either IEEE 802.1X (WPA2-Enterprise; EAP) and/or WPA/WPA2-PSK
(WPA2-Personal) by splitting the WPA_DRIVER_FLAGS_4WAY_HANDSHAKE flag
into two separate flags.

Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Jouni Malinen [Mon, 7 Jan 2019 22:36:07 +0000 (00:36 +0200)] 
tests: DFS CAC interrupted and restarted

Signed-off-by: Jouni Malinen <j@w1.fi>
Zefir Kurtisi [Mon, 7 Jan 2019 10:58:08 +0000 (11:58 +0100)] 
DFS: Restart pending CAC on interface enable

When an interface is re-enabled after it was disabled during CAC, it
won't ever get active since hostapd is waiting for a CAC_FINISHED while
kernel side is waiting for a CMD_RADAR_DETECT to start a CAC.

This commit checks for a pending CAC when an interface is enabled and if
so restarts its DFS processing.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Jouni Malinen [Mon, 7 Jan 2019 22:17:32 +0000 (00:17 +0200)] 
tests: Supported operating classes with constraints

Signed-off-by: Jouni Malinen <j@w1.fi>
Ben Greear [Fri, 24 Aug 2018 19:01:28 +0000 (12:01 -0700)] 
Use freq_list to constrain supported operating class information

If a station is configured to allow only a subset of frequencies for an
association, the supported operating classes may need to be more limited
than what the hardware supports.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Ben Greear [Fri, 24 Aug 2018 20:27:44 +0000 (13:27 -0700)] 
Use disable_ht/vht to constrain supported operating class information

If the user has disabled HT or VHT, those related operating classes
should not be advertised as supported.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Bo Chen [Thu, 10 May 2018 07:48:41 +0000 (07:48 +0000)] 
RADIUS client: Cease endless retry for message for multiple servers

In the previous RADIUS client implementation, when there are multiple
RADIUS servers, we kept trying the next server when the current message
could not be acked. This leads to endless retries when all the RADIUS
servers are down.

Fix this by keeping a counter for the accumulated retransmit attempts
for the message, and guarantee that after all the servers have failed
over RADIUS_CLIENT_MAX_FAILOVER times the message will be dropped.

Another issue with the previous code was that the decision regarding
whether the server should fail over was made immediately after we sent
out the message. This patch guarantees we consider whether a server
needs failover after the pending ack times out.

Signed-off-by: Bo Chen <bochen@meraki.com>
Jouni Malinen [Mon, 7 Jan 2019 21:37:15 +0000 (23:37 +0200)] 
tests: Remove MIB counter check from radius_auth_unreachable2

This is in preparation for an implementation change that results in this
unreachable server case not incrementing radiusAuthClientAccessRequests.

Signed-off-by: Jouni Malinen <j@w1.fi>
Kiran Kumar Lokere [Wed, 19 Dec 2018 00:23:28 +0000 (16:23 -0800)] 
QCA vendor commands to configure HE +HTC capability and OM control Tx

Define QCA vendor command attributes to configure HE +HTC support and
HE operating mode control transmission. This is used to configure the
testbed device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Mon, 7 Jan 2019 15:26:40 +0000 (17:26 +0200)] 
Avoid forward references to enum types in ieee802_11_common.h

These are not allowed in ISO C++ (and well, not really in ISO C either,
but that does not result in a compiler warning without pedantic
compilation).

Since ieee802_11_common.h may end up getting pulled into C++ code for
some external interfaces, it is more convenient to keep it free of these
cases. Pull in ieee802_11_defs.h to get enum phy_type defined and move
enum chan_width to common/defs.h (which was already pulled into
src/drivers/driver.h and src/common/ieee802_11_common.h).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Sun, 6 Jan 2019 22:25:08 +0000 (00:25 +0200)] 
tests: Reduce mesh result code duplication with helper functions

These checks were repeated in almost every test case, so use helper
functions to get rid of duplicated (copy-pasted) code.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 6 Jan 2019 22:01:23 +0000 (00:01 +0200)] 
tests: Mesh with VHT20 and VHT40

Signed-off-by: Jouni Malinen <j@w1.fi>
Peter Oh [Wed, 18 Apr 2018 21:14:19 +0000 (14:14 -0700)] 
mesh: Implement use of VHT20 config in mesh mode

Mesh in VHT mode is supposed to be able to use any bandwidth that VHT
supports, but there was no way to set VHT20 although there are
parameters that are supposed to be used. This commit, along with the
previous commit for VHT_CHANWIDTH_USE_HT, makes mesh configuration able
to use any bandwidth with combinations of existing parameters as shown
below.

VHT80:
  default
  do not set any parameters
VHT40:
  max_oper_chwidth = 0
VHT20:
  max_oper_chwidth = 0
  disable_ht40 = 1
HT40:
  disable_vht = 1
HT20:
  disable_ht40 = 1
disable HT:
  disable_ht = 1

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Wed, 18 Apr 2018 21:14:18 +0000 (14:14 -0700)] 
mesh: Add VHT_CHANWIDTH_USE_HT to max_oper_chwidth

Channel width in VHT mode refers to HT capability when the width goes
down to below 80 MHz, hence add a check of the HT channel width to its
max operation channel width, so that mesh has the capability to select
bandwidth below 80 MHz.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Jouni Malinen [Sun, 6 Jan 2019 19:20:34 +0000 (21:20 +0200)] 
tests: WPA2-PSK+FT AP and workaround for incorrect STA behavior

Signed-off-by: Jouni Malinen <j@w1.fi>
Janusz Dziedzic [Mon, 5 Mar 2018 14:37:10 +0000 (15:37 +0100)] 
hostapd: Work around an interop connection issue in FT-PSK + WPA-PSK

While the AP is configured to enable both FT-PSK and WPA-PSK, an HP
printer requests both AKMs (copied from AP?) in the Association Request
frame, but does not add an MDIE and does not use FT. This results in
the connection failing.

Next, in the logs we see:

RSN: Trying to use FT, but MDIE not included
IE - hexdump(len=26): 30 18 01 00 00 0f ac 04 01 00 00 0f ac 04
                      02 00 00 0f ac 02 00 0f ac 04 00 00

This is seen with some HP and Epson printers. Work around this by
stripping FT AKM(s) when MDE is not present and there is still a non-FT
AKM available.

Signed-off-by: Janusz Dziedzic <janusz@plumewifi.com>
Jouni Malinen [Sun, 6 Jan 2019 18:51:32 +0000 (20:51 +0200)] 
tests: disable_sgi with VHT

Signed-off-by: Jouni Malinen <j@w1.fi>
Ben Greear [Wed, 28 Feb 2018 21:50:48 +0000 (13:50 -0800)] 
wpa_supplicant: Allow disabling VHT SGI capability

This provides similar features to what was already available for HT
overrides. Probe Request frames look correct, and VHT capabilities shown
in debugfs look as expected.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Jouni Malinen [Sun, 6 Jan 2019 18:28:04 +0000 (20:28 +0200)] 
Use lchown() instead of chown() for self-created files

There is no need to allow symlink dereferencing in these cases where a
file (including directories and sockets) is created by the same
process, so use the safer lchown() variant to avoid leaving potential
windows for something external to replace the file before the chown()
call. The particular locations used here should not have write
permissions enabled for processes with less privileges, so this may not
be needed, but anyway, it is better to make these more restrictive
should there be cases where directory permissions are not as expected
for a good deployment.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 6 Jan 2019 18:01:09 +0000 (20:01 +0200)] 
Android: Harden wpa_ctrl_open2() against potential race conditions

The Android-specific chmod and chown operations on the client socket
(for communication with wpa_supplicant) did not protect against file
replacement between the bind() and chmod()/chown() calls. If the
directory in which the client socket is created (depends a bit on the
version and platform, but /data/misc/wifi/sockets is commonly used)
allows write access to processes that are different (less privileged)
compared to the process calling wpa_ctrl_open2(), it might be possible
to delete the socket file and replace it with something else (mainly, a
symlink) before the chmod/chown operations occur. This could have
resulted in the owner or permissions of the target of that symlink being
modified.

In general, it would be safest to use a directory which has more limited
write privileges (/data/misc/wifi/sockets normally has 'wifi' group
(AID_WIFI) with write access), but if that cannot be easily changed due
to other constraints, it is better to make wpa_ctrl_open2() less likely
to enable this type of race condition between the operations.

Replace chown() with lchown() (i.e., a version that does not dereference
symlinks) and chmod() with fchmod() on the socket before the bind() call
which is also not going to dereference a symlink (whereas chmod()
would). lchown() is a standard operation, but the fchmod() on the socket
is less so (unspecified behavior in some systems). However, it seems to
work on Linux and in particular, on Android, where this code is
executed.

Signed-off-by: Jouni Malinen <j@w1.fi>
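The ordering the two hardening commits above describe, as an added example that is not hostap's own wpa_ctrl.c code: permissions are applied with fchmod() on the socket descriptor before bind() creates the path, and ownership with lchown() on the path afterwards, so neither call follows a symlink that may have replaced the socket file. The directory, path and the choice of the caller's own effective group are constructed for the example (Android hostap uses the wifi group); the mode check assumes Linux, where fchmod() on a not-yet-bound socket is honoured.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Create a UNIX-domain datagram client socket bound at 'path' with the
 * given permission bits. Returns the descriptor, or -1 on error. */
int open_client_socket(const char *path, mode_t mode)
{
	struct sockaddr_un addr;
	int fd;

	if (strlen(path) >= sizeof(addr.sun_path))
		return -1;

	fd = socket(PF_UNIX, SOCK_DGRAM, 0);
	if (fd < 0)
		return -1;

	/* Permissions go on the descriptor while no path exists yet, so there
	 * is no file for a less privileged process to swap out between bind()
	 * and a later chmod() on the path. */
	if (fchmod(fd, mode) < 0)
		goto fail;

	memset(&addr, 0, sizeof(addr));
	addr.sun_family = AF_UNIX;
	strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
	if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0)
		goto fail;

	/* Ownership is applied with lchown(): if the socket file has already
	 * been replaced by a symlink, the link itself is touched, never its
	 * target. The group is the caller's own effective gid here
	 * (constructed example value). */
	if (lchown(path, (uid_t) -1, getegid()) < 0) {
		unlink(path);
		goto fail;
	}
	return fd;

fail:
	close(fd);
	return -1;
}

/* Self-check: bind in a fresh private directory and verify that the
 * created socket file carries exactly the bits set via fchmod().
 * Returns 0 on success, -1 on any failure. */
int check_socket_mode(mode_t mode)
{
	char dir[] = "/tmp/ctrlsock-XXXXXX"; /* constructed example location */
	char path[256];
	struct stat st;
	mode_t old_umask;
	int fd, ret = -1;

	if (!mkdtemp(dir))
		return -1;
	snprintf(path, sizeof(path), "%s/client", dir);

	/* The kernel still applies the umask at bind(); clear it so the
	 * requested bits can be compared exactly. */
	old_umask = umask(0);
	fd = open_client_socket(path, mode);
	umask(old_umask);

	if (fd >= 0) {
		/* lstat(), like lchown(), does not follow symlinks. */
		if (lstat(path, &st) == 0 && S_ISSOCK(st.st_mode) &&
		    (st.st_mode & 0777) == mode)
			ret = 0;
		close(fd);
		unlink(path);
	}
	rmdir(dir);
	return ret;
}
```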
Jouni Malinen [Sun, 6 Jan 2019 11:21:19 +0000 (13:21 +0200)] 
tests: More workarounds for cfg80211 regulatory state clearing (ap_open)

Add even more workarounds for cfg80211 regulatory state clearing since
these DFS test cases seem to be the most likely ones to fail due to
country=98 issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 6 Jan 2019 10:28:11 +0000 (12:28 +0200)] 
tests: More workarounds for cfg80211 regulatory state clearing (DFS)

Add even more workarounds for cfg80211 regulatory state clearing since
these DFS test cases seem to be the most likely ones to fail due to
country=98 issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
Dmitry Lebed [Thu, 1 Mar 2018 11:49:29 +0000 (14:49 +0300)] 
DFS: Add supported channel bandwidth checking

While selecting a new channel as a reaction to radar event we need to
take into account supported bandwidth for each channel provided via
nl80211. Without this modification hostapd might select an unsupported
channel that would fail during AP startup.

Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
Dmitry Lebed [Thu, 1 Mar 2018 11:49:28 +0000 (14:49 +0300)] 
ACS: Add supported channel bandwidth checking

While doing automatic channel selection we need to take into account
supported bandwidth for each channel provided via nl80211. Without this
modification hostapd might select an unsupported channel which would
fail during AP startup.

Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
Dmitry Lebed [Thu, 1 Mar 2018 11:49:27 +0000 (14:49 +0300)] 
hostapd: Add supported channel bandwidth checking infrastructure

This adds checks to common code to verify supported bandwidth options
for each channel using nl80211-provided info. No support of additional
modes is added, just additional checks. Such checks are needed because
the driver/hardware can declare stricter limitations than declared in
the IEEE 802.11 standard. Without this patch hostapd might select an
unsupported channel and that will fail because the Linux kernel does
check channel bandwidth limitations.

Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
Dmitry Lebed [Thu, 1 Mar 2018 11:49:26 +0000 (14:49 +0300)] 
nl80211: Add supported bandwidth parsing

Add NL80211_FREQUENCY_ATTR_NO_* channel attributes parsing. This is
needed for correctly checking whether a channel is available in a
particular bandwidth.

Signed-off-by: Dmitry Lebed <dlebed@quantenna.com>
Jouni Malinen [Sat, 5 Jan 2019 23:45:26 +0000 (01:45 +0200)] 
tests: ACS for 160 MHz channel

Signed-off-by: Jouni Malinen <j@w1.fi>
Dmitry Lebed [Tue, 27 Feb 2018 20:40:52 +0000 (23:40 +0300)] 
ACS: Add support for 160 MHz bandwidth

Add support for 160 MHz BW channels to the automatic channel selection
algorithm. Only channels 36 and 100 are supported as 160 MHz channels.

Signed-off-by: Dmitry Lebed <lebed.dmitry@gmail.com>
Jouni Malinen [Sat, 5 Jan 2019 20:06:03 +0000 (22:06 +0200)] 
tests: More workarounds for cfg80211 regulatory state clearing (WNM)

Add even more workarounds for cfg80211 regulatory state clearing since
these WNM test cases seem to be the most likely ones to fail due to
country=98 issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 5 Jan 2019 16:42:22 +0000 (18:42 +0200)] 
dbus: Fix build without CONFIG_WNM=y

wpa_s->bss_tm_status is within #ifdef CONFIG_WNM, so it needs to be
accessed under a matching condition.

Fixes: 80d06d0ca9f3 ("dbus: Export BSS Transition Management status")
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 5 Jan 2019 16:00:26 +0000 (18:00 +0200)] 
EAP-TLS: Update Session-Id derivation with TLS v1.3

Move to the version used in draft-ietf-emu-eap-tls13-03.txt, i.e.,
include the 0x0D prefix and use a different TLS-Exporter() label string.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 5 Jan 2019 15:02:04 +0000 (17:02 +0200)] 
tests: OpenSSL systemwide policy and overrides

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 5 Jan 2019 15:02:33 +0000 (17:02 +0200)] 
OpenSSL: Allow systemwide policies to be overridden

Some distributions (e.g., Debian) have started introducing systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in a significant
number of interoperability issues with deployed EAP implementations.

Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.

In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.

In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 5 Jan 2019 14:52:05 +0000 (16:52 +0200)] 
OSEN: Disable TLS v1.3 by default

TLS v1.3 was already disabled by default for EAP-FAST, EAP-TTLS,
EAP-PEAP, and EAP-TLS, but the unauthenticated client cases of
EAP-TLS-like functionality (e.g., the one used in OSEN) were missed.
Address those EAP types as well in the same way by disabling TLS v1.3
by default for now to avoid functionality issues with TLS libraries
that enable TLS v1.3 by default.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 5 Jan 2019 09:33:40 +0000 (11:33 +0200)] 
OpenSSL: Fix build with OpenSSL 1.0.2

SSL_use_certificate_chain_file() was added in OpenSSL 1.1.0, so the old
version using SSL_use_certificate_file() needs to be maintained for
backwards compatibility.

Fixes: 658c39809bf8 ("OpenSSL: Load chain certificates from client_cert file")
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 22:21:41 +0000 (00:21 +0200)] 
tests: Split mbo_supp_oper_classes into multiple test cases

In addition, add even more workarounds for cfg80211 regulatory state
clearing since this test case seems to be the most likely one to fail
due to country=98 issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 18:35:47 +0000 (20:35 +0200)] 
tests: WPA2-PSK-FT AP over DS and separate hostapd process

This is a regression test case for FT-over-DS that got broken on
mac80211-based drivers when the extra key reinstallation checks were
added.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 20:58:56 +0000 (22:58 +0200)] 
FT: Allow STA entry to be removed/re-added with FT-over-the-DS

FT-over-the-DS has a special case where the STA entry (and as such, the
TK) has not yet been configured to the driver depending on which driver
interface is used. For that case, allow add-STA operation to be used
(instead of set-STA). This is needed to allow mac80211-based drivers to
accept the STA parameter configuration. Since this is after a new
FT-over-DS exchange, a new TK has been derived after the last STA entry
was added to the driver, so key reinstallation is not a concern for this
case.

Fixes: 0e3bd7ac684a ("hostapd: Avoid key reinstallation in FT handshake")
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 18:28:56 +0000 (20:28 +0200)] 
FT: Do not try to use FT-over-air if reassociation cannot be used

There is no point in going through FT authentication if the next step
would have to use association exchange which will be rejected by the AP
for FT, so only allow FT-over-air if previous BSSID is set, i.e., if
reassociation can be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 21:19:30 +0000 (23:19 +0200)] 
tests: Split ap_ft_oom into separate test cases

ap_ft_oom seemed to depend on undesired wpa_supplicant behavior of
trying to do FT protocol even without being ready for reassociation.
This is going to be fixed in wpa_supplicant which would make this test
case fail, so split it into separate test cases for each failure item to
be able to avoid incorrect test failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 18:27:40 +0000 (20:27 +0200)] 
tests: Verify that roaming attempts do not get rejected

The previous roam() and roam_over_ds() checks would have ignored failing
association rejection if a consecutive attempt to connect succeeds
within the initial time limit. This can miss incorrect behavior, so
check explicitly for association rejection.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 10:01:32 +0000 (12:01 +0200)] 
tests: P2PS stale group removal

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 4 Jan 2019 11:18:26 +0000 (13:18 +0200)] 
P2PS: Notify D-Bus about removal of a stale/empty persistent group

During P2PS PD Request processing wpa_supplicant removes stale and empty
persistent groups, but it did not notify D-Bus to unregister the
object. Fix this by adding the missing notifications.

Signed-off-by: Jouni Malinen <j@w1.fi>
Amit Khatri [Thu, 3 Jan 2019 15:47:26 +0000 (21:17 +0530)] 
P2PS: Notify D-Bus about removal of a stale persistent group

During P2PS PD Request processing wpa_supplicant removes stale
persistent groups, but it did not notify D-Bus to unregister the
object. This can result in leaving behind objects pointing to freed
memory and memory leaks. Sometimes it can cause a crash in the
wpa_config_get_all() function and DBUS_ERROR_OBJECT_PATH_IN_USE errors.

Fix this by adding the missed notification to the D-Bus code to
unregister the object.

Signed-off-by: Amit Khatri <amit7861234@gmail.com>
Jouni Malinen [Fri, 4 Jan 2019 09:44:48 +0000 (11:44 +0200)] 
tests: Fix P2P-GROUP-STARTED event parsing for persistent groups

Do not set the 'ip_addr' value from the "[PERSISTENT]" flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
Peter Oh [Mon, 27 Aug 2018 21:28:44 +0000 (14:28 -0700)] 
mesh: Consider mesh interface on DFS event handler

Once mesh starts supporting DFS channels, it has to handle DFS related
events from drivers, hence add mesh interface to the check list.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Peter Oh [Mon, 27 Aug 2018 21:28:39 +0000 (14:28 -0700)] 
mesh: Reflect country setting to mesh configuration for DFS

The wpa_supplicant configuration has a country parameter that is
supposed to be used in AP mode to indicate support for IEEE 802.11h and
802.11d. Reflect this configuration to mesh also, since mesh is required
to support 802.11h and 802.11d to use DFS channels.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Mon, 27 Aug 2018 21:28:40 +0000 (14:28 -0700)] 
mesh: Apply channel attributes before setup interface

This helps mesh interface initialization with correct channel
parameters.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Mon, 27 Aug 2018 21:28:42 +0000 (14:28 -0700)] 
mesh: Set interface type to mesh before setting interface

Correct interface type is required to start DFS CAC that can be
triggered during interface setup.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Mon, 27 Aug 2018 21:28:43 +0000 (14:28 -0700)] 
mesh: Set mesh VHT center frequency

VHT center frequency value is required to compose the correct channel
info.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Mon, 27 Aug 2018 21:28:37 +0000 (14:28 -0700)] 
mesh: Relocate RSN initialization

RSN initialization should work together with mesh join when it's used.
Since mesh join could be called at a different stage if a DFS channel
is used, relocate the RSN initialization call to mesh join. It is still
the same call flow of mesh join as before this if non-DFS channels are
used, hence no significant side effect will occur.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Mon, 27 Aug 2018 21:28:34 +0000 (14:28 -0700)] 
mesh: Factor out mesh join function

The mesh join function consists of two parts: preparing configurations
and sending the join event to the driver. Since the physical mesh join
event could happen either right after mesh configuration is done or
after CAC is done in case a DFS channel is used, factor out the
function into two parts to reduce redundant calls.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Mon, 27 Aug 2018 21:28:36 +0000 (14:28 -0700)] 
tests: Update mesh_oom to match implementation change

The number of direct allocations within wpa_supplicant_mesh_init()
has been reduced because the RSN init function is factored out.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Peter Oh [Mon, 27 Aug 2018 21:28:35 +0000 (14:28 -0700)] 
mesh: Factor out RSN initialization

RSN initialization can be used in different phases if mesh
initialization and mesh join don't happen in sequence, such as when DFS
CAC is done in between, hence factor it out to help cover the case.
This can also get rid of unnecessary indentation by handling the
mconf->security != MESH_CONF_SEC_NONE functionality in a helper
function.

Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
Hagai Moshe [Thu, 12 Jul 2018 15:35:51 +0000 (18:35 +0300)] 
wpa_cli: Add command for setting PSK_PASSPHRASE

Setting mem_only_psk=1 in the wpa_supplicant configuration prevents the
passphrase from being stored in the configuration file. wpa_supplicant
will request the PSK passphrase over the control interface in such case
and this new wpa_cli command can be used to set the psk_passphrase.

usage:
psk_passphrase <network id> <psk_passphrase>

Signed-off-by: Hagai Moshe <hagai.moshe@tandemg.com>
Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
Alex Khouderchah [Thu, 5 Jul 2018 23:29:09 +0000 (16:29 -0700)] 
dbus: Expose authentication status to D-Bus

wpa_supplicant currently logs CTRL-EVENT-AUTH-FAILED errors when
authentication fails, but doesn't expose any property to the D-Bus
interface related to this.

This change adds the "AuthStatusCode" property to the interface, which
contains the IEEE 802.11 status code of the last authentication.

Signed-off-by: Alex Khouderchah <akhouderchah@chromium.org>
Matthew Wang [Fri, 4 May 2018 18:16:18 +0000 (11:16 -0700)] 
dbus: Export BSS Transition Management status

Add a new Interface property "BSSTMStatus", which carries the status of
the most recent BSS Transition Management request. This property will be
logged in UMA to measure 802.11v success.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
5 years ago - dbus: Export roam time, roam complete, and session length
Matthew Wang [Wed, 20 Jun 2018 23:42:45 +0000 (16:42 -0700)] 
dbus: Export roam time, roam complete, and session length

Add new Interface properties "RoamTime", "RoamComplete", and
"SessionLength". "RoamTime" carries the roam time of the most recent
roam in milliseconds. "RoamComplete" carries True or False corresponding
to the success status of the most recent roam. "SessionLength" carries
the number of milliseconds corresponding to how long the connection to
the last AP was before a roam or disconnect happened.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
5 years ago - tests: AP VLAN with WPA2-Enterprise and local file setting VLAN IDs
Jouni Malinen [Wed, 2 Jan 2019 21:50:35 +0000 (23:50 +0200)] 
tests: AP VLAN with WPA2-Enterprise and local file setting VLAN IDs

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - Allow remote RADIUS authentication with local VLAN management
Nils Nieuwejaar [Wed, 30 May 2018 21:09:01 +0000 (14:09 -0700)] 
Allow remote RADIUS authentication with local VLAN management

The documentation in the hostapd.conf file says that the dynamic_vlan
variable is used to control whether VLAN assignments are accepted from a
RADIUS server. The implication seems to be that a static VLAN assignment
will come from the accept_mac_file if dynamic_vlan is set to 0, and a
dynamic assignment will come from the RADIUS server if dynamic_vlan is
set to 1. Instead, I'm seeing that the static settings from the
accept_mac_file are ignored if dynamic_vlan is set to 0, but used if
dynamic_vlan is set to 1. If dynamic_vlan is set to 1 and the RADIUS
server does not provide a VLAN, then the accept_mac_file assignment is
overridden and the STA is assigned to the default non-VLANed interface.

If my understanding of the expected behavior is correct, then I believe
the problem is in ap_sta_set_vlan(). That routine checks the
dynamic_vlan setting, but has no way of determining whether the incoming
vlan_desc is static (i.e., from accept_mac_file) or dynamic (i.e., from
a RADIUS server).

I've attached a patch that gets hostapd working as I believe it's meant
to, and updates the documentation to make the implicit behavior
explicit.

The functional changes are:

- hostapd_allowed_address() will always extract the vlan_id from the
  accept_macs file. It will not update the vlan_id from the RADIUS cache
  if dynamic_vlan is DISABLED.

- hostapd_acl_recv_radius() will not update the cached vlan_id if
  dynamic_vlan is DISABLED.

- ieee802_1x_receive_auth() will not update the vlan_id if dynamic_vlan
  is DISABLED.

More cosmetic:

Most of the delta is just moving code out of ieee802_1x_receive_auth()
into a new ieee802_1x_update_vlan() routine. While I initially did this
because the new DISABLED check introduced excessive indentation, it has
the added advantage of eliminating the vlan_description allocation and
os_memset() call for all DYNAMIC_VLAN_DISABLED configs.

I've done a couple rounds of review offline with Michael Braun (who has
done much of the work in this part of the code) and incorporated his
feedback.

If dynamic_vlan=0 (disabled), vlan assignments will be managed using the
local accept_mac_file ACL file, even if a RADIUS server is being used
for user authentication. This allows us to manage users and devices
independently.

Signed-off-by: Nils Nieuwejaar <nils.nieuwejaar@gmail.com>
5 years ago - Use a helper function for checking Extended Capabilities field
Jouni Malinen [Wed, 2 Jan 2019 15:56:41 +0000 (17:56 +0200)] 
Use a helper function for checking Extended Capabilities field

The new ieee802_11_ext_capab() and wpa_bss_ext_capab() functions can be
used to check whether a specific extended capability bit is set instead
of having to implement bit parsing separately for each need.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - tests: [UTF-8] flag in scan results
Jouni Malinen [Wed, 2 Jan 2019 15:38:27 +0000 (17:38 +0200)] 
tests: [UTF-8] flag in scan results

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - Add [FST] and [UTF-8] flags to BSS command output
Jouni Malinen [Wed, 2 Jan 2019 15:34:53 +0000 (17:34 +0200)] 
Add [FST] and [UTF-8] flags to BSS command output

These flags were used in SCAN_RESULTS command output, but not BSS. Make
these consistent by adding the flags to BSS as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - Show [UTF-8] flag if the SSID is reported as UTF-8
Jouke Witteveen [Mon, 25 Jun 2018 20:24:15 +0000 (22:24 +0200)] 
Show [UTF-8] flag if the SSID is reported as UTF-8

Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
5 years ago - crypto internal: Make MD4 PADDING array const
Mikael Kanstrup [Tue, 19 Jun 2018 11:52:29 +0000 (13:52 +0200)] 
crypto internal: Make MD4 PADDING array const

The PADDING array used when adding padding bits in MD4 never changes,
so it can be made const. Making it const puts the array in the .rodata
section and can save a few bytes of RAM for systems running without
virtual memory.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
5 years ago - RRM: Update own neighbor report on channel switch
Markus Theil [Mon, 20 Aug 2018 12:20:44 +0000 (14:20 +0200)] 
RRM: Update own neighbor report on channel switch

After performing a successful channel switch, the AP should update its
own neighbor report element, so do this from src/ap/drv_callbacks.c
after a successful switch.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
5 years ago - RRM: Move neighbor report functions
Markus Theil [Mon, 20 Aug 2018 12:20:44 +0000 (14:20 +0200)] 
RRM: Move neighbor report functions

Move functions corresponding to neighbor report elements to
src/ap/neighbor_db.[c,h] in preparation for using them after channel
switch from src/ap/drv_callbacks.c.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
5 years ago - hostapd: Fix a typo in function name
Jouni Malinen [Wed, 2 Jan 2019 14:40:34 +0000 (16:40 +0200)] 
hostapd: Fix a typo in function name

This was supposed to use "hostapd_" prefix.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - crypto: Reduce the size of sha512_compress() stack frame
Ilan Peer [Wed, 22 Aug 2018 16:49:08 +0000 (19:49 +0300)] 
crypto: Reduce the size of sha512_compress() stack frame

The function sha512_compress() has a local variable that consumes 640
bytes. This is very heavy for embedded devices that have limited stack
resources. Handle this by replacing the static allocation with a dynamic
one.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
5 years ago - hostapd_cli: Add option to send beacon report request
Avraham Stern [Wed, 22 Aug 2018 13:46:21 +0000 (16:46 +0300)] 
hostapd_cli: Add option to send beacon report request

This new 'req_beacon' command is useful for testing.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
5 years ago - tests: Beacon report last frame indication
Avraham Stern [Wed, 22 Aug 2018 13:46:20 +0000 (16:46 +0300)] 
tests: Beacon report last frame indication

Verify that the beacon report contains the last beacon report
indication subelement when requested in the beacon request.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
5 years ago - RRM: Support for Last Beacon Report Indication subelement
Avraham Stern [Wed, 22 Aug 2018 13:46:19 +0000 (16:46 +0300)] 
RRM: Support for Last Beacon Report Indication subelement

IEEE P802.11-REVmd/D2.0, 9.4.2.20.7 (Beacon request) and 9.4.2.21.7
(Beacon report) add the Last Beacon Report Indication subelement to
Beacon Request and Beacon Report elements.

Add the Last Beacon Report Indication subelement to all Beacon Report
elements if the Beacon Request indicated that this subelement is
requested.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
5 years ago - tests: Beacon report frame body fragmentation
Avraham Stern [Wed, 22 Aug 2018 13:46:18 +0000 (16:46 +0300)] 
tests: Beacon report frame body fragmentation

Verify that when the frame body subelement causes the
measurement report element to exceed the maximum element size,
the beacon report is fragmented and the frame body fragment ID
subelement is added with the correct fragment number.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
5 years ago - tests: Update rrm_beacon_req_table_rsne to expect full RSNE
Jouni Malinen [Wed, 2 Jan 2019 14:25:31 +0000 (16:25 +0200)] 
tests: Update rrm_beacon_req_table_rsne to expect full RSNE

Now that wpa_supplicant is sending out full RSNE instead of the
fragmented one, update this test case to match.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - RRM: Add support for beacon report fragmentation
Avraham Stern [Wed, 22 Aug 2018 13:46:17 +0000 (16:46 +0300)] 
RRM: Add support for beacon report fragmentation

When the frame body subelement would cause the measurement report
element to exceed the maximum element size, the frame body subelement
used to be truncated. In addition, some elements were always truncated
in order to keep the reported frame body short (e.g. RSN IE).

Alternatively, IEEE P802.11-REVmd/D2.0, 9.4.2.21.7 extension to Beacon
reporting can be used: The frame body subelement is fragmented across
multiple beacon report elements, and the reported frame body fragment ID
subelement is added.

Use beacon report fragmentation instead of truncating the frame body
as this method gives the AP more complete information about the
reported APs.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
5 years ago - tests: D-Bus P2P peer information - VSIE
Jouni Malinen [Wed, 2 Jan 2019 11:00:33 +0000 (13:00 +0200)] 
tests: D-Bus P2P peer information - VSIE

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - dbus: Add vendor specific information element in peer properties
Nishant Chaprana [Fri, 16 Feb 2018 12:02:39 +0000 (17:32 +0530)] 
dbus: Add vendor specific information element in peer properties

Make vendor specific information elements (VSIE) available in peer
properties, so that the VSIE of a specific peer can be retrieved using
the peer's object path.

Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
5 years ago - tests: Fix p2p_ext_discovery_go to write to logger, not stdout
Jouni Malinen [Wed, 2 Jan 2019 10:39:00 +0000 (12:39 +0200)] 
tests: Fix p2p_ext_discovery_go to write to logger, not stdout

The error case debug print should go to logger.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - tests: Data connectivity after REAUTHENTICATE
Jouni Malinen [Wed, 2 Jan 2019 10:28:16 +0000 (12:28 +0200)] 
tests: Data connectivity after REAUTHENTICATE

Verify that not updating GTK (i.e., only update PTK) in the driver does
not break connectivity. This case is different after the check for
"already in-use GTK" and rejection of GTK reinstallation.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - eloop: Fix kqueue event deletion filter
Jouni Malinen [Wed, 2 Jan 2019 10:11:52 +0000 (12:11 +0200)] 
eloop: Fix kqueue event deletion filter

EV_SET() for EV_ADD used a specific filter type, but that same filter
type was not provided to the matching EV_DELETE case. This resulted in
the kernel rejecting the deletion with "Invalid argument". Fix this by
setting the same filter type for both operations.

Fixes: f9982b321222 ("Implement kqueue(2) support via CONFIG_ELOOP_KQUEUE")
Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - eloop: Fix fd_table allocation for epoll and kqueue
Jouni Malinen [Wed, 2 Jan 2019 09:57:00 +0000 (11:57 +0200)] 
eloop: Fix fd_table allocation for epoll and kqueue

The previous implementation did not work if the first registered socket
had fd > 16 or if the fd was more than double the largest value used in
previous registrations. Those cases could result in too small a memory
allocation being used and writes/reads beyond the end of that buffer.

This fix is applicable to CONFIG_ELOOP_EPOLL=y and CONFIG_ELOOP_KQUEUE=y
builds.

Fixes: f0356ec85c46 ("eloop: Add epoll option for better performance")
Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - crypto: Add option to use getrandom()
Lubomir Rintel [Mon, 18 Sep 2017 12:58:07 +0000 (14:58 +0200)] 
crypto: Add option to use getrandom()

According to the random(4) manual, /dev/random has essentially been
deprecated on Linux for quite some time:

"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."

An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.

It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
5 years ago - wpa_ctrl: Make wpa_cli ping/pong work more reliably
Ben Greear [Mon, 4 Dec 2017 17:18:26 +0000 (09:18 -0800)] 
wpa_ctrl: Make wpa_cli ping/pong work more reliably

In 2013 or so, IFNAME=foo was prepended to at least the Unix socket
communication from wpa_supplicant to wpa_cli. This broke the (fragile)
logic that made ping/pong work more often when wpa_supplicant is busy
sending logging info to wpa_cli.

Adding a check for IFNAME=foo makes this work better.

Signed-off-by: Ben Greear <greearb@candelatech.com>
5 years ago - OpenSSL: Load chain certificates from client_cert file
Isaac Boukris [Sun, 21 Jan 2018 01:36:44 +0000 (01:36 +0000)] 
OpenSSL: Load chain certificates from client_cert file

This helps the server to build the chain to trusted CA when PEM encoding
of client_cert is used with multiple listed certificates. This was
already done for the server certificate configuration, but the client
certificate was limited to using only the first certificate in the file.

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
5 years ago - vlan: Use new bridge ioctl()
Sergey Matyukevich [Tue, 21 Nov 2017 20:14:45 +0000 (23:14 +0300)] 
vlan: Use new bridge ioctl()

Legacy ioctl() calls through SIOCDEVPRIVATE are deprecated. Follow the
approach taken by bridge-utils and make use of the new bridge ioctls
whenever possible.

For example, using legacy ioctl() breaks dynamic VLAN mode on 32-bit
Linux systems running 64-bit kernels.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
5 years ago - Update copyright notices for the new year 2019
Jouni Malinen [Tue, 1 Jan 2019 21:38:56 +0000 (23:38 +0200)] 
Update copyright notices for the new year 2019

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - tests: Use different country in p2p_go_move_reg_change
Jouni Malinen [Tue, 1 Jan 2019 21:30:16 +0000 (23:30 +0200)] 
tests: Use different country in p2p_go_move_reg_change

Use of country=00 (world roaming) seemed to not work anymore with the
current cfg80211 regulatory implementation since the existing channel is
left enabled when moving to country=00. Use a specific country code that
does prevent the selected channel from being used anymore to make this
test case pass again.

The change in cfg80211 behavior is from the kernel commit 113f3aaa81bd
("cfg80211: Prevent regulatory restore during STA disconnect in
concurrent interfaces").

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - tests: dot1xAuthSessionUserName
Jouni Malinen [Tue, 1 Jan 2019 19:29:25 +0000 (21:29 +0200)] 
tests: dot1xAuthSessionUserName

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - Use internal EAP server identity as dot1xAuthSessionUserName
Jouni Malinen [Tue, 1 Jan 2019 19:27:54 +0000 (21:27 +0200)] 
Use internal EAP server identity as dot1xAuthSessionUserName

If the internal EAP server is used instead of an external RADIUS server,
sm->identity does not get set. Use the identity from the internal EAP
server in such a case to get the dot1xAuthSessionUserName value in STA
MIB information.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - browser: Replace deprecated gtk_window_set_wmclass()
Jouni Malinen [Tue, 1 Jan 2019 18:36:42 +0000 (20:36 +0200)] 
browser: Replace deprecated gtk_window_set_wmclass()

Use gtk_window_set_role() instead of the deprecated
gtk_window_set_wmclass().

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - HTTP (curl): Replace deprecated ASN1_STRING_data()
Jouni Malinen [Tue, 1 Jan 2019 18:29:34 +0000 (20:29 +0200)] 
HTTP (curl): Replace deprecated ASN1_STRING_data()

Use ASN1_STRING_get0_data() instead of the older ASN1_STRING_data() that
got deprecated in OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
5 years ago - HTTP (curl): Fix build with newer OpenSSL versions
Ben Greear [Tue, 12 Sep 2017 17:43:36 +0000 (10:43 -0700)] 
HTTP (curl): Fix build with newer OpenSSL versions

The SSL_METHOD patching hack to get proper OCSP validation for Hotspot
2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the
SSL_METHOD structure is not exposed anymore. Fall back to using the
incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.

Signed-off-by: Ben Greear <greearb@candelatech.com>