Thomas Pedersen [Wed, 25 Jul 2012 13:56:43 +0000 (16:56 +0300)]
nl80211: Support setting sched scan RSSI threshold
Allow the user to configure an RSSI threshold in dBm below which the
nl80211 driver won't report scan results. Currently only supported
during scheduled (PNO) scans.
Signed-off-by: Thomas Pedersen <c_tpeder@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
P2P group is only going to use a single GO, so we can leave the fixed
BSSID parameter set for the actual data connection in addition to the
initial WPS provisionign step. This can speed up operations with drivers
that select BSS internally by allowing them to skip an extra scan when
the BSSID and frequency of the GO is already known.
P2P: Fix provision discovery retries during p2p_find
Commit 6b56cc2d97fe9efd1feea8d418714b4658b056f1 added retries of
provision discovery request frames in IDLE state. However, it did not
make the p2p_find case behave consistently with the new limitied retry
behavior. This can result in way too many and frequent PD retries. Fix
this by extending the previous commit to address PD retries and maximum
retry limit consistently regardless of whether p2p_find is running.
Commit 1b487b8b1e95e1fbd9e00d52d883ba0ac4c2e4bf added CH_SWITCH
event for nl80211, but ended up using hostapd_hw_get_channel()
regardless of build configuration for driver interfaces. This
function is not always available, so make its use conditional
on NEED_AP_MLME.
OpenSSL: Add support for HMAC functions with 0.9.8 and older
Commit d9cc4646eb0255be31f11d8a8edad857431fdf49 added
crypto_hash_{init,update,finish}() wrappers for OpenSSL, but it
assumed the current HMAC API in OpenSSL. This was changed in 0.9.9
to return error codes from the functions while older versions used
void functions. Add support for the older versions, too.
autoscan: Fix potential freeing of uninitialized pointer
Commit 7c865c68536825d91e64e1545a1f6ed51526ebff introduced a code
path that can skip extra_ie initialization in wpa_supplicant_scan().
This could result in semi-random crashes when using the autoscan
mechanism. Fix this by initializing extra_ie to NULL.
This updates the license notification to use only the BSD license. The
changes were acknowledged by email (Gunter Burchardt, tmisu@gmx.de,
Mon, 02 Jul 2012 17:54:28 +0200).
Update license notification in signalbar implementation
This updates the license notification to use only the BSD license. The
changes were acknowledged by email (Kel Modderman <kel@otaku42.de>,
Mon, 2 Jul 2012 20:02:37 +1000).
Update license notification in roboswitch interface file
This updates the license notification to use only the BSD license. The
changes were acknowledged by email (Jouke Witteveen
<j.witteveen@gmail.com>, Mon, 2 Jul 2012 11:38:34 +0200).
Update license notification in D-Bus interface files
This updates these files to use the license notification that uses only
the BSD license. The changes were acknowledged by email (Dan Williams
<dcbw@redhat.com>, Sun, 01 Jul 2012 15:53:36 -0500).
Jouni Malinen [Sat, 30 Jun 2012 18:27:32 +0000 (21:27 +0300)]
Move p2p_connect PIN format validation into a separate function
This functionality could be shared for other commands, too, so move
it to a common function. In addition, implement the validation in a
bit more strict way to avoid accepting values like '-123' as a valid
PIN.
Masashi Honma [Sat, 30 Jun 2012 18:19:12 +0000 (21:19 +0300)]
P2P: Add error message for invalid PIN
Reject invalid PIN value in p2p_connect command. Before this, typos
like "pbd" as the third parameter could have resulted in OK return
value since this parameter was interpreted as the PIN.
Jouni Malinen [Sat, 30 Jun 2012 17:30:40 +0000 (20:30 +0300)]
Do not share special scan results with virtual interfaces
When a special scan_res_handler is used the scan parameters may not have
been suitable for other purposes (e.g., during a p2p_find operation). As
such, do not indicate such scan results to other virtual interfaces
using the same radio.
Johannes Berg [Sat, 30 Jun 2012 17:18:07 +0000 (20:18 +0300)]
P2P: Remove GO neg/invite special cases from search
There are separate states for these, so we can't really get into this
situation unless somebody tries to do multiple things at the same
time. p2p_connect stops find and CONNECT state is used to probe the peer
on its Listen channel with GO Negotiation Request frames. Similarly,
p2p_invite() stops find and INVITE state is used to probe the peer on
its Listen channel with Invitation Request frames. The older mechanism
of using Search state functionality to find the peer can be removed.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Sat, 30 Jun 2012 16:36:04 +0000 (19:36 +0300)]
Update license notification in files initially contributed by Sam
This updates these files to use the license notification that uses only
the BSD license. The changes were acknowledged by email (Sam Leffler
<sam@errno.com>, Sat, 30 Jun 2012 07:57:53 -0700).
Gary Morain [Sat, 30 Jun 2012 13:43:50 +0000 (16:43 +0300)]
Export disconnect reason code to dbus
In the properties changed signal, added a new property
"DisconnectReason", which carries the IEEE 802.11 reason code of the
most recent disassociation or deauthentication event. The reason code is
negative if it is locally generated. The property is sent to the DBUS
immediately so as to prevent it from being coalesced with other
disconnect events.
Jouni Malinen [Sat, 30 Jun 2012 13:16:32 +0000 (16:16 +0300)]
EAP-pwd: Avoid double-frees on some error paths
At least some error paths (e.g., hitting the limit on hunt-and-peck
iterations) could have resulted in double-freeing of some memory
allocations. Avoid this by setting the pointers to NULL after they have
been freed instead of trying to free the data structure in a location
where some external references cannot be cleared. [Bug 453]
Jouni Malinen [Sat, 30 Jun 2012 13:12:41 +0000 (16:12 +0300)]
EAP-pwd: Increase maximum number of hunting-and-pecking iterations
The previously used limit (10) is too small for practical purposes since
it can result in about 1 out of 1000 authentication attempts failing.
Increase the limit to 30 to avoid such issues. [Bug 453]
Michael Naumov [Sat, 30 Jun 2012 10:11:26 +0000 (13:11 +0300)]
P2P: Add dbus python scripts to perform p2p_find and p2p_connect
Two DBUS scripts using python glib are added to perform p2p_find and
p2p_connect operations respectively. p2p_connect script just performs
the traditional connect to create a new p2p group. Additional updates
will be required to perform join, auth etc. al.
Signed-hostap: Michael Naumov <michael.naumov@intel.com>
Signed-hostap: Nirav Shah <nirav.j2.shah@intel.com>
Jouni Malinen [Thu, 28 Jun 2012 17:42:50 +0000 (20:42 +0300)]
WPS: Add a standalone tool for building NFC password tokens
nfc_pw_token can be used to build random NFC password token for WPS.
This tool prints out the wpa_supplicant.conf (or hostapd.conf)
parameters and the hexdump of the WPS password token (with and without
NDEF encapsulation) so that it can be written to a NFC tag with an
external program.
Jouni Malinen [Thu, 28 Jun 2012 16:43:29 +0000 (19:43 +0300)]
WPS: Add support for NCF password token from AP
The new hostapd ctrl_iface command WPS_NFC_TOKEN can now be used to
manage AP-as-Enrollee operations with NFC password token. WPS/NDEF
parameters to this command can be used to generate a new NFC password
token. enable/disable parameters can be used to enable/disable use of
NFC password token (instead of AP PIN) for external Registrars.
A preconfigured NFS password token can be used by providing its
parameters with new hostapd.conf fields wps_nfc_dev_pw_id,
wps_nfc_dh_pubkey, wps_nfc_dh_privkey, and wps_nfc_dev_pw. This use
will also depend on WPS_NFC_TOKEN enable/disable commands, i.e., the
configured NFS password token is disabled by default.
Jouni Malinen [Thu, 28 Jun 2012 13:35:51 +0000 (16:35 +0300)]
WPS ER: Add support for building NFC configuration token
WPS_ER_NFC_CONFIG_TOKEN command can now be used to build a NFC
configuration token based on AP Settings learnt with WPS_ER_LEARN
or set with WPS_ER_CONFIG.
Jouni Malinen [Thu, 28 Jun 2012 10:59:29 +0000 (13:59 +0300)]
WPS: Add support for NFC configuration token from external program
The new wpa_supplicant ctrl_iface command WPS_NFC_TAG_READ can now be
used to process NFC tags read by external programs to initiate
wpa_supplicant to use NFC Configuration Token to create a new network.
Jouni Malinen [Thu, 28 Jun 2012 10:25:48 +0000 (13:25 +0300)]
WPS: Add new mechanism for generation NFC configuration token
The new hostapd ctrl_iface command WPS_NFC_CONFIG_TOKEN can now be used
to fetch payload for an NFC configuration token so that an external
program can be used to write this on an NFC tag.
Jouni Malinen [Wed, 27 Jun 2012 19:15:55 +0000 (22:15 +0300)]
WPS: Use separate list of NFC Password Tokens in the Registrar
This adds a cleaner mechanism for handling NFC Password Tokens in the
WPS Registrar. There could be more than one active NFC Password Token in
use and as such, a list of tokens needs to be maintained. The old
WPS_OOB interface is still using the old mechanism that supports only a
single active NFC Password Token.
Jouni Malinen [Wed, 27 Jun 2012 17:54:56 +0000 (20:54 +0300)]
WPS: Add new mechanism for communicating NFC tag read events
hostapd ctrl_iface can now be used to deliver payload from read
operation of an NFC tag. This allows operations without having to have
low-level NFC code within hostapd. For now, the new wps_nfc_tag_read
command can be used with NFC password tokens for the case where the AP
has an NFC device that is used to read an NFC tag from the station
Enrollee.
Jouni Malinen [Wed, 27 Jun 2012 15:56:41 +0000 (18:56 +0300)]
WPS: Add new mechanism for NFC config method using password token
Instead of requiring low-level access to an NFC device and synchronous
operations, the new WPS_NFC_TOKEN and WPS_NFC ctrl_iface commands can be
used to build a NFC password token and initiate WPS protocol run using
that token (or pre-configured values) as separate commands. The
WPS_NFC_TOKEN output can be written to a NFC tag using an external
program, i.e., wpa_supplicant does not need to have low-level code for
NFC operations for this.
Jouni Malinen [Wed, 27 Jun 2012 18:15:29 +0000 (21:15 +0300)]
WPS: Fix OOB Device Password use for EAP-WSC peer
The OOB Device Password is passed in as a hexdump of the real Device
Password (16..32 octets of arbitrary binary data). The hexdump needs to
be converted to binary form before passing it for WPS processing.
Jouni Malinen [Wed, 27 Jun 2012 15:28:13 +0000 (18:28 +0300)]
WPS: Add support for OOB dev password lengths 16..31
Previously, only the maximum length 32 octets for OOB device password
was accepted. Since the specification allows a shorter password to be
used with limited OOB mechanism (e.g., small NFC tag), we should accept
lengths 16..32.
Jouni Malinen [Wed, 27 Jun 2012 15:19:29 +0000 (18:19 +0300)]
WPS: Fix NFC password token building with WPS 2.0
The earlier WPS 2.0 changes did not increase the wpabuf size when
adding a new attribute to the NFC password token. This could result
in aborting the application on wpabuf overflow if NFC out-of-band
mechanism is used with WPS 2.0 enabled.
Jouni Malinen [Tue, 26 Jun 2012 16:57:03 +0000 (19:57 +0300)]
Cancel pending scan request on DISCONNECT command
Previously, a pending scan request could be left running when processing
DISCONNECT command from control interface. This can result in unexpected
scan, so cancel the request to avoid this.
Jouni Malinen [Tue, 26 Jun 2012 16:52:46 +0000 (19:52 +0300)]
Start autoscan for first connection attempt
Use wpa_supplicant_set_state() to initialize state to DISCONNECT so that
autoscan gets initialized properly. This needs a change in
autoscan_init() to avoid extra scan request that would postpone the
first scan request when an interface is added.
Tomasz Bursztyka [Tue, 26 Jun 2012 15:55:41 +0000 (18:55 +0300)]
Add automatic scanning support
Like bgscan, autoscan is an optional module based feature to automate
scanning but while disconnected or inactive.
Instead of requesting directly a scan, it only sets the scan_interval
and the sched_scan_interval. So, if the driver supports sched_scan,
autoscan will be able to tweak its interval. Otherwise, the tweaked
scan_interval will be used. If scan parameters needs to be tweaked, an
autoscan_params pointer in wpa_s will provide those. So req_scan /
req_sched_scan will not set the scan parameters as they usually do, but
instead will use this pointer.
Modules will not have to request a scan directly, like bgscan does.
Instead, it will need to return the interval it wants after each
notification.
Signed-hostap: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Jouni Malinen [Mon, 25 Jun 2012 11:23:25 +0000 (14:23 +0300)]
Set state to DISCONNECTED on auth/assoc failures
Some of the authentication/association failure paths left wpa_state to
its previous value. This can result in unexpected behavior when
wpa_supplicant tries to find an AP to connect to since the uncleared
state can result the in the selected BSS being ignored if it is same as
the previously used BSS. This could happen, e.g., when wpa_supplicant
SME was used and the AP rejected authentication. Fix this by explicitly
setting state to DISCONNECTED on auth/assoc failures that did not yet do
this.
Jouni Malinen [Mon, 25 Jun 2012 10:53:24 +0000 (13:53 +0300)]
Remove STA entry from AP when starting TKIP countermeasures
Previously, the STA entry was removed only from the driver and the STA
entry within hostapd was just marked disassociated. However, this left
the WPA authenticator state machine with an entry and the session was
not terminated properly. In addition, the STA entry could have remaining
indefinitely if the STA did not reconnect after TKIP countermeasures.
Fix this by removing the STA entry from hostapd instead of just leaving
it disassociated.
Yoni Divinsky [Mon, 25 Jun 2012 09:20:37 +0000 (12:20 +0300)]
hostapd: Fix PBC config method of WSC IE in Beacon/Probe Response
In AP which supports WPSv2 with only virtual push button, when PBC is
called, the WSC IE should include Selected Registrar Configuration
Methods attribute with the bit of the physical push button not set.
Ben Greear [Sun, 24 Jun 2012 10:19:34 +0000 (13:19 +0300)]
eloop/poll: Handle POLLER | POLLHUP in read logic
Without this, we can get into a tight loop because the
code in general doesn't add eloop exception handlers,
so socket reporting the POLLERR would never be read.
With this change, any socket with POLLERR or POLLHUP
asserted will be handled by the read logic.
Signed-hostap: Ben Greear <greearb@candelatech.com>
P2P: Fix fallback to GO Negotiation to avoid PD-before-join timeout
The wpas_p2p_pd_before_join_timeout could be left behind if the PD
Request in p2p_connect-auto case does not succeed. This timeout can
result in unexpected operations since it could trigger join operation
while going through GO Negotiation. Fix this by canceling the timeout
when falling back to GO Negotiation.
Jouni Malinen [Sun, 17 Jun 2012 16:51:57 +0000 (19:51 +0300)]
Copy Chargeable-User-Identity in PMKSA caching case
Maintain a copy of Chargeable-User-Identity in the PMKSA cache to allow
it to be included in accounting messages even if full authentication was
not completed.
Jouni Malinen [Sun, 17 Jun 2012 16:30:01 +0000 (19:30 +0300)]
RADIUS DAS: Add support for Disconnect-Request
Calling-Station-Id, Acct-Session-Id, and User-Name attributes in a
Disconnect-Request message can now be used to indicate which station is
to be disconnected.
Jouni Malinen [Sun, 17 Jun 2012 14:43:36 +0000 (17:43 +0300)]
RADIUS DAS: Validate Event-Timestamp
DAS will now validate Event-Timestamp value to be within an acceptable
time window (300 seconds by default; can be set using
radius_das_time_window parameter). In addition, Event-Timestamp can be
required in Disconnect-Request and CoA-Request messages with
radius_das_require_event_timestamp=1.
Masashi Honma [Sun, 17 Jun 2012 08:58:46 +0000 (11:58 +0300)]
P2P: Add p2p_client_list support for FullMAC Persistent GO
Currently, FullMAC Persistent GO can't use p2p_client_list because its
own hapd->p2p_group is NULL at ap_sta_set_authorized(). This patch
changes the processing to use sta->p2p_ie instead of
p2p_group_get_dev_addr() on FullMAC GO.
Jouni Malinen [Sat, 16 Jun 2012 17:17:39 +0000 (20:17 +0300)]
P2P: Fix P2P Client Discoverability bit updates
The P2P Client Discoverability bit is reserved in most frames and its
value in the local P2P peer table should only be updated based on P2P
Group Info attribute from a GO. Fix this by avoiding changes to this
dev_capab bit based on other P2P frames. It would be more correct to
track this separately for each group in which the peer is a member, but
since we do not do that for the other group specific information either,
this can do for now.
It should be noted that prior to commit 18485b5469c5eeea6a552264fbfaabb089a0a557 wpa_supplicant set this bit in
all P2P frames. However, that commit changed this to match the
specification, i.e., the bit is not set in frames which are received
from P2P Device role. As such, this fix is needed to be able to figure
out that a peer supports client discoverability capability after that
commit.
Masashi Honma [Sat, 16 Jun 2012 16:54:47 +0000 (19:54 +0300)]
P2P: Fix setting of P2P Client Discoverability bit
In the P2P specification v1.1, the P2P Client Discoverability bit is
described in Table 12 "Device Capability Bitmap definition". The table
says "Within a P2P Group Info attribute and a (Re)association request
frame the P2P Client Discoverability field shall be set to 1 when the
P2P Device supports P2P Client Discoverability, and is set to 0
otherwise. This field shall be reserved and set to 0 in all other frames
or uses.". To match with this, filter out P2P Client Discoverability bit
from frames where its use is reserved.
Jouni Malinen [Fri, 15 Jun 2012 15:49:54 +0000 (18:49 +0300)]
EAP-SIM/AKA server: Allow pseudonym to be used after unknown reauth id
If the peer uses an unknown reauth id, it would still be possible to use
pseudonym instead of permanent id. Allow this by changing the
AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is
used in EAP-Response/Identity.