git.ipfire.org Git - thirdparty/hostap.git/log
6 years ago dbus: Expose connected stations on D-Bus
Andrej Shadura [Sun, 7 Oct 2018 12:31:51 +0000 (14:31 +0200)] 
dbus: Expose connected stations on D-Bus

Make it possible to list connected stations in AP mode over D-Bus, along
with some of their properties: rx/tx packets, bytes, capabilities, etc.

Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Rebased by Julian Andres Klode <juliank@ubuntu.com> and updated to use
the new getter API.

Further modified by Andrej Shadura to not error out when not in AP mode
and to send separate StationAdded/StationRemoved signals instead of
changing signatures of existing StaAuthorized/StaDeauthorized signals.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
6 years ago dbus: Use dbus_bool_t, not int for boolean function arguments
Andrej Shadura [Sun, 7 Oct 2018 12:31:50 +0000 (14:31 +0200)] 
dbus: Use dbus_bool_t, not int for boolean function arguments

Properties argument specifies whether to add object's properties
or not, hence it doesn't need to be int.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
6 years ago tests: Validate that AP doesn't reflect station frames
Johannes Berg [Thu, 11 Oct 2018 13:38:26 +0000 (15:38 +0200)] 
tests: Validate that AP doesn't reflect station frames

Add a new test to check that the AP won't send frames to the client if
it tries to talk to itself.

Note that this fails until the relevant mac80211 patch is merged.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
6 years ago tests: Fix AP wait in ap_require_ht and ap_require_ht_limited_rates
Jouni Malinen [Sun, 23 Dec 2018 10:13:04 +0000 (12:13 +0200)] 
tests: Fix AP wait in ap_require_ht and ap_require_ht_limited_rates

These test cases seemed to have copy-paste errors where
wait_enabled=False was forgotten even though there were no additional
steps checking the AP mode startup results. This did not break the
tests, but could have resulted in slowing them down if the STAs did not
find the AP in the first scan.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: HT STBC overrides
Jouni Malinen [Sun, 23 Dec 2018 10:11:53 +0000 (12:11 +0200)] 
tests: HT STBC overrides

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: Allow overriding HT STBC capabilities
Sergey Matyukevich [Tue, 30 Oct 2018 13:16:47 +0000 (13:16 +0000)] 
tests: Allow overriding HT STBC capabilities

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
6 years ago wpa_supplicant: Allow overriding HT STBC capabilities
Sergey Matyukevich [Tue, 30 Oct 2018 13:16:47 +0000 (13:16 +0000)] 
wpa_supplicant: Allow overriding HT STBC capabilities

Allow user to override STBC configuration for Rx and Tx spatial streams.
Add new configuration options to test for HT capability overrides.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
6 years ago tests: Automatic channel selection, HT scan, and DFS
Jouni Malinen [Sun, 23 Dec 2018 09:05:54 +0000 (11:05 +0200)] 
tests: Automatic channel selection, HT scan, and DFS

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: Work around cfg80211 reg.c intersection (country 98) issues
Jouni Malinen [Sat, 22 Dec 2018 13:55:19 +0000 (15:55 +0200)] 
tests: Work around cfg80211 reg.c intersection (country 98) issues

The Linux kernel commit 113f3aaa81bd ("cfg80211: Prevent regulatory
restore during STA disconnect in concurrent interfaces") broke the
regulatory clearing attempt in many test cases since
cfg80211_is_all_idle() is now returning false due to the AP interface
being up and that results in the Country IE -based regulatory
information not getting cleared back to defaults.

Work around this by stopping the AP interface first so that when the
station interface receives the disconnection, there are no other active
interfaces in the system. In addition, wait for REGDOM event for the
Country IE hint after association to avoid disconnection before the
regulatory events have been fully processed.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: Fix mbo_supp_oper_classes after cfg80211 change
Jouni Malinen [Fri, 21 Dec 2018 22:55:26 +0000 (00:55 +0200)] 
tests: Fix mbo_supp_oper_classes after cfg80211 change

The Linux kernel commit 113f3aaa81bd ("cfg80211: Prevent regulatory
restore during STA disconnect in concurrent interfaces") broke the
regulatory clearing attempt in this test case since
cfg80211_is_all_idle() is now returning false due to the AP interface
being up and that results in the Country IE -based regulatory
information not getting cleared back to defaults.

Work around this by stopping the AP interface first so that when the
station interface receives the disconnection, there are no other active
interfaces in the system. In addition, wait for REGDOM event for the
Country IE hint after association to avoid disconnection before the
regulatory events have been fully processed.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: Enable dynamic debug from cfg80211/mac80211
Jouni Malinen [Fri, 21 Dec 2018 22:18:33 +0000 (00:18 +0200)] 
tests: Enable dynamic debug from cfg80211/mac80211

These debug logs were lost due to CONFIG_DYNAMIC_DEBUG=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago Add SAE to GET_CAPABILITY key_mgmt
Jouni Malinen [Fri, 21 Dec 2018 19:27:59 +0000 (21:27 +0200)] 
Add SAE to GET_CAPABILITY key_mgmt

Provide information about SAE AKM support in "GET_CAPABILITY key_mgmt"
for completeness. The "GET_CAPABILITY auth_alg" case is already
providing information about SAE support through user space SME.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago nl80211: Fetch supported AKM list from the driver
Veerendranath Jakkam [Fri, 21 Dec 2018 10:32:24 +0000 (16:02 +0530)] 
nl80211: Fetch supported AKM list from the driver

Try to fetch the list of supported AKM suite selectors from the driver
through the vendor interface
QCA_NL80211_VENDOR_SUBCMD_GET_SUPPORTED_AKMS. If that command is
available and succeeds, use the returned list to populate the
wpa_driver_capa key_mgmt information instead of assuming all
cfg80211-based drivers support all AKMs. If the driver does not support
this command, the previous behavior is maintained.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago Vendor command to query the supported AKMs from the driver
Veerendranath Jakkam [Fri, 21 Dec 2018 10:14:25 +0000 (15:44 +0530)] 
Vendor command to query the supported AKMs from the driver

This new QCA vendor command is used to query the supported AKM suite
selectors from the driver. There has been no such capability indication
from the driver and thus the current user space has to assume the driver
to support all the AKMs. This may be the case with some drivers (e.g.,
mac80211-based ones) but there are cfg80211-based drivers that implement
SME and have constraints on which AKMs can be supported (e.g., such
drivers may need an update to support SAE AKM using
NL80211_CMD_EXTERNAL_AUTH). Allow such drivers to specify the exact set
of supported AKMs so that user space tools can determine what network
profile options should be allowed to be configured. This command returns
the list of supported AKM suite selectors in the attribute
NL80211_ATTR_AKM_SUITES.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago DPP: Fix build with LibreSSL 2.8.3
Jouni Malinen [Fri, 21 Dec 2018 10:21:03 +0000 (12:21 +0200)] 
DPP: Fix build with LibreSSL 2.8.3

Looks like LibreSSL 2.8 pulled in the OpenSSL API change to mark the
first argument to X509_ALGOR_get0() const.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago Fix build with LibreSSL
Andrey Utkin [Tue, 11 Dec 2018 17:41:10 +0000 (17:41 +0000)] 
Fix build with LibreSSL

When using LibreSSL instead of OpenSSL, linkage of hostapd executable
fails with the following error when using some LibreSSL versions:

    ../src/crypto/tls_openssl.o: In function `tls_verify_cb':
    tls_openssl.c:(.text+0x1273): undefined reference to `ASN1_STRING_get0_data'
    ../src/crypto/tls_openssl.o: In function `tls_connection_peer_serial_num':
    tls_openssl.c:(.text+0x3023): undefined reference to `ASN1_STRING_get0_data'
    collect2: error: ld returned 1 exit status
    make: *** [Makefile:1278: hostapd] Error 1

ASN1_STRING_get0_data is present in recent OpenSSL, but absent in some
versions of LibreSSL (confirmed for version 2.6.5), so fallback needs to
be defined in this case, just like for old OpenSSL.

This patch was inspired by similar patches to other projects, such as
spice-gtk, pjsip.

Link: https://bugs.gentoo.org/672834
Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
6 years ago tests: hostapd.vlan with bridge ifname
Jouni Malinen [Fri, 21 Dec 2018 09:58:51 +0000 (11:58 +0200)] 
tests: hostapd.vlan with bridge ifname

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago hostapd: Support for overriding the bridge name per VLAN via vlan_file
Felix Fietkau [Wed, 14 Nov 2018 16:50:23 +0000 (17:50 +0100)] 
hostapd: Support for overriding the bridge name per VLAN via vlan_file

This makes it easier to integrate dynamic VLANs in custom network
configurations. The bridge name is added after the interface name in the
vlan_file line, also separated by whitespace.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
6 years ago DPP: Add self configuration command in hostapd_cli and wpa_cli
Prasad, Jagadeesh (Contractor) [Mon, 10 Dec 2018 10:32:41 +0000 (10:32 +0000)] 
DPP: Add self configuration command in hostapd_cli and wpa_cli

The back-end support for DPP self configuration was already present in
hostapd and wpa_supplicant. However, the command to invoke DPP self
configuration was not available in hostapd_cli and wpa_cli. Add the
command "dpp_configurator_sign" in them.

Signed-off-by: Prasad, Jagadeesh <Jagadeesh_Prasad@comcast.com>
6 years ago tests: DPP_CONFIGURATOR_SIGN without double space
Jouni Malinen [Fri, 21 Dec 2018 09:43:09 +0000 (11:43 +0200)] 
tests: DPP_CONFIGURATOR_SIGN without double space

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago DPP: Accept DPP_CONFIGURATION_SIGN without double space before parameters
Jouni Malinen [Fri, 21 Dec 2018 09:42:01 +0000 (11:42 +0200)] 
DPP: Accept DPP_CONFIGURATION_SIGN without double space before parameters

Make this command more convenient to use by not requiring two space
characters between the command and the first parameter.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago nl80211: Add support for starting FTM responder
Johannes Berg [Mon, 3 Dec 2018 17:06:22 +0000 (19:06 +0200)] 
nl80211: Add support for starting FTM responder

Add support for starting FTM responder when in AP mode. This just sends
the appropriate NEW/SET_BEACON command to the driver with the LCI/civic
location data.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
6 years ago AP: Configure FTM responder parameters
Andrei Otcheretianski [Mon, 3 Dec 2018 17:06:21 +0000 (19:06 +0200)] 
AP: Configure FTM responder parameters

Enable FTM responder and configure LCI and civic if ftm_responder
configuration option is set. Since ftm_responder configuration existed
before and was used to set extended capability bits, don't fail AP setup
flow if ftm_responder is set, but the driver doesn't advertise FTM
responder support.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
6 years ago driver: Add FTM responder configuration APIs
Andrei Otcheretianski [Mon, 3 Dec 2018 17:06:20 +0000 (19:06 +0200)] 
driver: Add FTM responder configuration APIs

Add configuration options to enable FTM responder and configure LCI and
civic parameters. In addition, introduce WPA_DRIVER_FLAGS_FTM_RESPONDER
flag, which can be used to indicate FTM responder support in AP mode.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
6 years ago Sync with mac80211-next.git include/uapi/linux/nl80211.h
Jouni Malinen [Fri, 21 Dec 2018 09:12:39 +0000 (11:12 +0200)] 
Sync with mac80211-next.git include/uapi/linux/nl80211.h

This brings in nl80211 definitions as of 2018-12-15.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: Be more careful in clearing REGDOM state
Jouni Malinen [Thu, 20 Dec 2018 22:55:31 +0000 (00:55 +0200)] 
tests: Be more careful in clearing REGDOM state

cfg80211 regulatory code gets into a pretty inconvenient state if it needs
to intersect regulatory domain information from multiple regulations
(country=98). The existing mechanisms in the hwsim test cases are not
able to clear that up for the following test case and this can result in
a large number of failures.

It looks like the country=98 case is hit frequently in WNM test cases where
a station associates with an AP that advertises a specific country code
and that station is then asked to disconnect before the REGDOM events
have been received. Avoid this by waiting for the REGDOM events for the
init=COUNTRY_IE case before disconnecting.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Connect attempt with transmitting/nontransmitting BSS
Jouni Malinen [Thu, 20 Dec 2018 19:34:24 +0000 (21:34 +0200)] 
tests: Connect attempt with transmitting/nontransmitting BSS

This adds some minimal testing for Multi-BSS connection attempts. The
part for nontransmitted BSS is limited since hostapd/mac80211 does not
yet have sufficient support for Multi-BSS in AP mode.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Additional Multiple BSSID IE parsing tests
Peng Xu [Thu, 15 Nov 2018 19:28:24 +0000 (11:28 -0800)] 
tests: Additional Multiple BSSID IE parsing tests

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Multiple BSSID element in scan results
Jouni Malinen [Mon, 27 Nov 2017 21:43:10 +0000 (23:43 +0200)] 
tests: Multiple BSSID element in scan results

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago Expose Multi-BSS STA capability through wpa_supplicant control interface
Jouni Malinen [Thu, 20 Dec 2018 19:24:48 +0000 (21:24 +0200)] 
Expose Multi-BSS STA capability through wpa_supplicant control interface

Indicate whether the driver advertises support for Multi-BSS STA
functionality with "GET_CAPABILITY multibss" (returns "MULTIBSS-STA" if
supported).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Multi-AP association
Jouni Malinen [Thu, 20 Dec 2018 10:41:00 +0000 (12:41 +0200)] 
tests: Multi-AP association

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago wpa_supplicant: Add Multi-AP backhaul STA support
Venkateswara Naralasetty [Wed, 5 Dec 2018 10:23:53 +0000 (11:23 +0100)] 
wpa_supplicant: Add Multi-AP backhaul STA support

Advertise vendor specific Multi-AP IE in (Re)Association Request frames
and process Multi-AP IE from (Re)Association Response frames if the user
enables Multi-AP functionality. If the (Re)Association Response frame
does not contain the Multi-AP IE, disassociate.

This adds a new configuration parameter 'multi_ap_backhaul_sta' to
enable/disable Multi-AP functionality.

Enable 4-address mode after association (if the Association Response
frame contains the Multi-AP IE). Also enable the bridge in that case.
This is necessary because wpa_supplicant only enables the bridge in
wpa_drv_if_add(), which only gets called when an interface is added
through the control interface, not when it is configured from the
command line.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
6 years ago hostapd: Add Multi-AP protocol support
Venkateswara Naralasetty [Wed, 5 Dec 2018 10:23:51 +0000 (11:23 +0100)] 
hostapd: Add Multi-AP protocol support

The purpose of Multi-AP specification is to enable inter-operability
across Wi-Fi access points (APs) from different vendors.

This patch introduces one new configuration parameter 'multi_ap' to
enable Multi-AP functionality and to configure the BSS as a backhaul
and/or fronthaul BSS.

Advertise vendor specific Multi-AP capabilities in (Re)Association
Response frame, if Multi-AP functionality is enabled through the
configuration parameter.

A backhaul AP must support receiving both 3addr and 4addr frames from a
backhaul STA, so create a VLAN for it just like is done for WDS, i.e.,
by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never
WEP), we can safely call hostapd_set_wds_encryption() as well and we can
reuse the entire WDS condition.

To parse the Multi-AP Extension subelement, we use get_ie(): even though
that function is meant for parsing IEs, it works for subelements.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
6 years ago tests: OCI validation in WNM-Sleep Exit frames (OCV)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:42 +0000 (15:46 -0400)] 
tests: OCI validation in WNM-Sleep Exit frames (OCV)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Include and verify OCI in WNM-Sleep Exit frames
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:33 +0000 (15:46 -0400)] 
OCV: Include and verify OCI in WNM-Sleep Exit frames

Include and verify the OCI element in WNM-Sleep Exit Request and
Response frames. In case verification fails, the frame is silently
ignored.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago tests: OCI validation in the AMPE handshake (OCV)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:43 +0000 (15:46 -0400)] 
tests: OCI validation in the AMPE handshake (OCV)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Include and verify OCI in the AMPE handshake
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:37 +0000 (15:46 -0400)] 
OCV: Include and verify OCI in the AMPE handshake

Include and verify the OCI element in AMPE Open and Confirm frames. Note
that the OCI element is included even if the other STA didn't advertise
support of OCV. The OCI element is only required and verified if both
peers support OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Pass ocv parameter to mesh configuration
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Pass ocv parameter to mesh configuration

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago tests: OCI validation in the FILS handshake (OCV)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:40 +0000 (15:46 -0400)] 
tests: OCI validation in the FILS handshake (OCV)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Include and verify OCI in the FILS handshake
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:36 +0000 (15:46 -0400)] 
OCV: Include and verify OCI in the FILS handshake

Include and verify the OCI element in FILS (Re)Association Request and
Response frames.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago tests: OCI validation in SA Query frames (OCV)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:41 +0000 (15:46 -0400)] 
tests: OCI validation in SA Query frames (OCV)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago Add UNPROT_DEAUTH command for testing OCV
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:41 +0000 (15:46 -0400)] 
Add UNPROT_DEAUTH command for testing OCV

This new wpa_supplicant control interface command can be used to
simplify testing SA Query with OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Perform an SA Query after a channel switch
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:35 +0000 (15:46 -0400)] 
OCV: Perform an SA Query after a channel switch

After the network changed to a new channel, perform an SA Query with the
AP after a random delay if OCV was negotiated for the association. This
is used to confirm that we are still operating on the real operating
channel of the network. This commit is adding only the station side
functionality for this, i.e., the AP behavior is not changed to
disconnect stations with OCV that do not go through SA Query.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Include and verify OCI in SA Query frames
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:34 +0000 (15:46 -0400)] 
OCV: Include and verify OCI in SA Query frames

Include an OCI element in SA Query Request and Response frames if OCV
has been negotiated.

On Linux, a kernel patch is needed to let clients correctly handle SA
Query Requests that contain an OCI element. Without this patch, the
kernel will reply to the SA Query Request itself, without verifying the
included OCI. Additionally, the SA Query Response sent by the kernel
will not include an OCI element. The correct operation of the AP does
not require a kernel patch.

Without the corresponding kernel patch, SA Query Requests sent by the
client are still valid, meaning they do include an OCI element.
Note that an AP does not require any kernel patches. In other words, SA
Query frames sent and received by the AP are properly handled, even
without a kernel patch.

As a result, the kernel patch is only required to make the client properly
process and respond to an SA Query Request from the AP. Without this
patch, the client will send an SA Query Response without an OCI element,
causing the AP to silently ignore the response and eventually disconnect
the client from the network if OCV has been negotiated to be used.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago tests: OCI validation in the FT handshake (OCV)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:39 +0000 (15:46 -0400)] 
tests: OCI validation in the FT handshake (OCV)

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Include and verify OCI in the FT handshake
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:32 +0000 (15:46 -0400)] 
OCV: Include and verify OCI in the FT handshake

Include and verify the OCI element in (Re)Association Request and
Response frames of the FT handshake. In case verification fails, the
handshake message is silently ignored.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago tests: OCI validation in the 4-way and group key handshakes (OCV)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:38 +0000 (15:46 -0400)] 
tests: OCI validation in the 4-way and group key handshakes (OCV)

Perform detailed tests with OCV enabled, for both the 4-way and group
key handshakes. These tests include establishing a working connection
with OCV enabled, assuring that a STA without OCV enabled can still
connect to a STA with OCV enabled (and vice versa), verifying that
invalid OCI elements get silently ignored, verifying that missing OCI
elements are reported, and so on.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago tests: Enable OCV in the testing builds
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
tests: Enable OCV in the testing builds

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Verify OCI in 4-way and group key handshake
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:31 +0000 (15:46 -0400)] 
OCV: Verify OCI in 4-way and group key handshake

Verify the received OCI element in the 4-way and group key handshakes.
If verification fails, the handshake message is silently dropped.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Add function to derive Tx parameters to a specific STA
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:30 +0000 (15:46 -0400)] 
OCV: Add function to derive Tx parameters to a specific STA

Use the information elements that were present in the (Re)Association
Request frame to derive the maximum bandwidth the AP will use to
transmit frames to a specific STA. By using this approach, we don't need
to query the kernel for this information, and avoid having to add a
driver API for that.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Add function to verify a received OCI element
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:29 +0000 (15:46 -0400)] 
OCV: Add function to verify a received OCI element

ocv_verify_tx_params() verifies that the received OCI element includes
field values that are compatible with the local channel configuration.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Parse all types of OCI information elements
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:28 +0000 (15:46 -0400)] 
OCV: Parse all types of OCI information elements

Add functionality to parse all variations of the OCI element.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Insert OCI in 4-way and group key handshake
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:27 +0000 (15:46 -0400)] 
OCV: Insert OCI in 4-way and group key handshake

If Operating Channel Verification is negotiated, include the OCI KDE
element in EAPOL-Key msg 2/4 and 3/4 of the 4-way handshake and both
messages of the group key handshake.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Add utility functions to insert OCI elements
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:26 +0000 (15:46 -0400)] 
OCV: Add utility functions to insert OCI elements

This commit adds utility functions to insert various encodings of the OCI
element.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Add wlantest support for indicating OCV
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Add wlantest support for indicating OCV

Add wlantest parsing of the OCV RSN capability flag.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Advertise OCV capability in RSN capabilities (STA)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Advertise OCV capability in RSN capabilities (STA)

Set the OCV bit in RSN capabilities (RSNE) based on station mode
configuration.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Track STA OCV capability in AP mode
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Track STA OCV capability in AP mode

Check and store OCV capability indication for each STA.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Advertise OCV capability in RSN capabilities (AP)
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Advertise OCV capability in RSN capabilities (AP)

Set the OCV bit in RSN capabilities (RSNE) based on AP mode
configuration. Do the same for OSEN since it follows the RSNE field
definitions.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Add wpa_supplicant config parameter
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Add wpa_supplicant config parameter

Add wpa_supplicant network profile parameter ocv to disable or enable
Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Add hostapd config parameter
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Add hostapd config parameter

Add hostapd.conf parameter ocv to disable or enable Operating Channel
Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Add build configuration for channel validation support
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Add build configuration for channel validation support

Add compilation flags for Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago OCV: Protocol definitions
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:25 +0000 (15:46 -0400)] 
OCV: Protocol definitions

Define protocol identifiers for Operating Channel Verification (OCV)
based on IEEE P802.11-REVmd/D2.0.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago Store the VHT Operation element of an associated STA
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:24 +0000 (15:46 -0400)] 
Store the VHT Operation element of an associated STA

APs and mesh peers use the VHT Operation element to advertise certain
channel properties (e.g., the bandwidth of the channel). Save this
information element so we can later access this information.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago Add functions to convert channel bandwidth to an integer
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:23 +0000 (15:46 -0400)] 
Add functions to convert channel bandwidth to an integer

This adds two utility functions to convert both operating classes and
the chan_width enum to an integer representing the channel
bandwidth. This can then be used to compare bandwidth parameters in a
uniform manner.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago Add utility function to derive operating class and channel
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:22 +0000 (15:46 -0400)] 
Add utility function to derive operating class and channel

This function can be used to easily convert the parameters returned
by the channel_info driver API, into their corresponding operating
class and channel number.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago Make channel_info available to authenticator
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:21 +0000 (15:46 -0400)] 
Make channel_info available to authenticator

This adds the necessary functions and callbacks to make the channel_info
driver API available to the authenticator state machine that implements
the 4-way and group key handshake. This is needed for OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago Make channel_info available to the supplicant state machine
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:20 +0000 (15:46 -0400)] 
Make channel_info available to the supplicant state machine

This adds the necessary functions and callbacks to make the channel_info
driver API available to the supplicant state machine that implements the
4-way and group key handshake. This is needed for OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago Add driver API to get current channel parameters
Mathy Vanhoef [Mon, 6 Aug 2018 19:46:19 +0000 (15:46 -0400)] 
Add driver API to get current channel parameters

This adds driver API functions to get the current operating channel
parameters. This encompasses the center frequency, channel bandwidth,
frequency segment 1 index (for 80+80 channels), and so on.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
6 years ago HS 2.0 server: Allow policy to be set for SIM provisioning
Jouni Malinen [Sun, 16 Dec 2018 16:33:11 +0000 (18:33 +0200)] 
HS 2.0 server: Allow policy to be set for SIM provisioning

A new osu_config field "sim_policy" can now be used to specify the
policy template for SIM provisioning.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0 server: SIM provisioning exchange
Jouni Malinen [Sat, 15 Dec 2018 16:00:12 +0000 (18:00 +0200)] 
HS 2.0 server: SIM provisioning exchange

Support SIM provisioning exchange with SPP. This uses the
hotspot2dot0-mobile-identifier-hash value from the AAA server to allow
subscription registration through subscription remediation exchange.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Hotspot 2.0 AAA server behavior for SIM provisioning
Jouni Malinen [Fri, 14 Dec 2018 13:57:51 +0000 (15:57 +0200)] 
tests: Hotspot 2.0 AAA server behavior for SIM provisioning

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0 server: RADIUS server support for SIM provisioning
Jouni Malinen [Fri, 14 Dec 2018 13:58:13 +0000 (15:58 +0200)] 
HS 2.0 server: RADIUS server support for SIM provisioning

This adds support for hostapd-as-RADIUS-authentication-server to request
subscription remediation for SIM-based credentials. The new hostapd.conf
parameter hs20_sim_provisioning_url is used to set the URL prefix for
the remediation server for SIM provisioning. The random
hotspot2dot0-mobile-identifier-hash value will be added to the end of
this URL prefix and the same value is stored in a new SQLite database
table sim_provisioning for the subscription server implementation to
use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago EAP: Make method and IMSI available from server structures
Jouni Malinen [Fri, 14 Dec 2018 13:56:16 +0000 (15:56 +0200)] 
EAP: Make method and IMSI available from server structures

Expose EAP method and IMSI from the completed (or ongoing) EAP
authentication session. These are needed for implementing Hotspot 2.0
SIM provisioning.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago WMM AC: Fix a typo in a comment
Jouni Malinen [Sat, 8 Dec 2018 14:50:42 +0000 (16:50 +0200)] 
WMM AC: Fix a typo in a comment

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago WMM AC: Do not write ERROR level log entries when WMM AC is not in use
Jouni Malinen [Sat, 8 Dec 2018 14:48:33 +0000 (16:48 +0200)] 
WMM AC: Do not write ERROR level log entries when WMM AC is not in use

These two wpa_printf() calls with MSG_ERROR level could be reached when
connecting without (Re)Association Response frame elements being
available. That would be the case for wired connections and IBSS. Those
cases are not supposed to use WMM AC in the first place, so do not
confuse logs with ERROR messages in them for normal conditions.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: wpa_supplicant config file writing and key_mgmt values
Jouni Malinen [Sat, 8 Dec 2018 14:14:42 +0000 (16:14 +0200)] 
tests: wpa_supplicant config file writing and key_mgmt values

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago OWE: Fix OWE network profile saving
Jouni Malinen [Sat, 8 Dec 2018 14:26:17 +0000 (16:26 +0200)] 
OWE: Fix OWE network profile saving

key_mgmt=OWE did not have a config parameter writer and wpa_supplicant
was unable to save such a network profile correctly. Fix this by adding
the needed parameter writer.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago DPP: Support DPP key_mgmt saving to wpa_supplicant configuration
Damodaran, Rohit (Contractor) [Wed, 5 Dec 2018 11:20:43 +0000 (11:20 +0000)] 
DPP: Support DPP key_mgmt saving to wpa_supplicant configuration

In the existing code, there was no "DPP" string available to the DPP key
management type for the configuration parser of wpa_supplicant. When the
configuration was saved, the key management string was left out from the
config file. Fix this by adding support for writing the key_mgmt=DPP option.

Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
6 years ago tests: Remove parallel-vm.sh
Jouni Malinen [Sat, 8 Dec 2018 13:35:47 +0000 (15:35 +0200)] 
tests: Remove parallel-vm.sh

parallel-vm.py obsoleted this a long time ago and there is no need
to maintain two scripts for doing more or less the same thing.

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago tests: Add dfs_etsi to the long_tests list
Jouni Malinen [Sat, 8 Dec 2018 13:33:31 +0000 (15:33 +0200)] 
tests: Add dfs_etsi to the long_tests list

Signed-off-by: Jouni Malinen <j@w1.fi>
6 years ago HS 2.0: Fix PMF-in-use check for ANQP Venue URL processing
Jouni Malinen [Sat, 8 Dec 2018 11:57:51 +0000 (13:57 +0200)] 
HS 2.0: Fix PMF-in-use check for ANQP Venue URL processing

The previous implementation did not check that we are associated with
the sender of the GAS response before checking for PMF status. This
could have accepted Venue URL when not in associated state. Fix this by
explicitly checking for association with the responder first.

This fixes an issue that was detected, e.g., with these hwsim test case
sequences:
gas_anqp_venue_url_pmf gas_anqp_venue_url
gas_prot_vs_not_prot gas_anqp_venue_url

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Hotspot 2.0 connection attempt without PMF
Jouni Malinen [Sat, 8 Dec 2018 11:41:50 +0000 (13:41 +0200)] 
tests: Hotspot 2.0 connection attempt without PMF

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0: Enable PMF automatically for Hotspot 2.0 network profiles
Jouni Malinen [Sat, 8 Dec 2018 10:46:56 +0000 (12:46 +0200)] 
HS 2.0: Enable PMF automatically for Hotspot 2.0 network profiles

Hotspot 2.0 Release 2 requires PMF to be negotiated, so enable this by
default in the network profiles created from cred blocks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0: Reject Hotspot 2.0 Rel 2 or newer association without PMF
Jouni Malinen [Sat, 8 Dec 2018 10:20:33 +0000 (12:20 +0200)] 
HS 2.0: Reject Hotspot 2.0 Rel 2 or newer association without PMF

Hotspot 2.0 Rel 2 requires PMF to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Fix ap_hs20_deauth_req_without_pmf
Jouni Malinen [Sat, 8 Dec 2018 11:08:04 +0000 (13:08 +0200)] 
tests: Fix ap_hs20_deauth_req_without_pmf

Now that hostapd starts mandating PMF for Hotspot 2.0 Release 2
association, this test case needs some more tweaks to work. Hardcode
Hotspot 2.0 Release 1 to be used and disable PMF explicitly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Fix ap_hs20_ft with PMF enabled
Jouni Malinen [Sat, 8 Dec 2018 11:26:50 +0000 (13:26 +0200)] 
tests: Fix ap_hs20_ft with PMF enabled

The Beacon loss event was not reported anymore, so remove that as an
unnecessary step in the test case. In addition, check the key_mgmt
values explicitly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Enable PMF in ap_hs20_unexpected configuration
Jouni Malinen [Sat, 8 Dec 2018 11:14:11 +0000 (13:14 +0200)] 
tests: Enable PMF in ap_hs20_unexpected configuration

This is needed to meet the Hotspot 2.0 Release 2 requirement for the
third station that is actually using RSN.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Enable PMF in ap_hs20_external_selection network profile
Jouni Malinen [Sat, 8 Dec 2018 11:01:47 +0000 (13:01 +0200)] 
tests: Enable PMF in ap_hs20_external_selection network profile

This is required for Hotspot 2.0 Release 2.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0: Allocate enough buffer for HS 2.0 Indication element for scan
Jouni Malinen [Fri, 7 Dec 2018 23:11:44 +0000 (01:11 +0200)] 
HS 2.0: Allocate enough buffer for HS 2.0 Indication element for scan

The HS 2.0 Indication element can be up to 9 octets in length, so add
two more octets to the minimum extra_ie buffer size for scanning.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Hotspot 2.0 release number indication
Jouni Malinen [Fri, 7 Dec 2018 23:09:44 +0000 (01:09 +0200)] 
tests: Hotspot 2.0 release number indication

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Update Hotspot 2.0 release number expectation to 3
Jouni Malinen [Sat, 8 Dec 2018 10:59:25 +0000 (12:59 +0200)] 
tests: Update Hotspot 2.0 release number expectation to 3

Match the implementation change to fix the test cases that verified a
specific Hotspot 2.0 release number indication.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0: Update supported release number to 3
Jouni Malinen [Fri, 7 Dec 2018 22:55:01 +0000 (00:55 +0200)] 
HS 2.0: Update supported release number to 3

Release 3 functionality is included, so start advertising support for
that release.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0: As a STA, do not indicate release number greater than the AP
Jouni Malinen [Fri, 7 Dec 2018 22:51:04 +0000 (00:51 +0200)] 
HS 2.0: As a STA, do not indicate release number greater than the AP

The Hotspot 2.0 tech spec mandates that a mobile device not indicate a release
number that is greater than the release number advertised by the AP. Add
this constraint to the HS 2.0 Indication element when adding this into
(Re)Association Request frame. The element in the Probe Request frame
continues to show the station's latest supported release number.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago HS 2.0: Allow Hotspot 2.0 release number to be configured
Jouni Malinen [Fri, 7 Dec 2018 22:39:00 +0000 (00:39 +0200)] 
HS 2.0: Allow Hotspot 2.0 release number to be configured

The new hostapd configuration parameter hs20_release can be used to
configure the AP to advertise a specific Hotspot 2.0 release number
instead of the latest supported release. This is mainly for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago FILS: Do not process FILS HLP request again while previous one is pending
Jouni Malinen [Fri, 7 Dec 2018 14:03:40 +0000 (16:03 +0200)] 
FILS: Do not process FILS HLP request again while previous one is pending

It is better not to process a new (most likely repeated) FILS HLP
request if a station retransmits (Re)Association Request frame before
the previous HLP response has either been received or timed out. The
previous implementation ended up doing this and also ended up
rescheduling the fils_hlp_timeout timer in a manner that prevented the
initial timeout from being reached if the STA continued retransmitting
the frame. This could result in failed association due to a timeout on
the station side.

Make this more robust by processing (and relaying to the server) the HLP
request once and then ignoring any new HLP request while the response
for the relayed request is still pending. The new (Re)Association
Request frames are otherwise processed, but they do not result in actual
state change on the AP side before the HLP process from the first
pending request is completed.

This fixes hwsim test case fils_sk_hlp_oom failures with unmodified
mac80211 implementation (i.e., with a relatively short retransmission
timeout for (Re)Association Request frame).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago hostapd: Update HE Capabilities and Operation element definition
Peng Xu [Wed, 28 Nov 2018 18:50:34 +0000 (10:50 -0800)] 
hostapd: Update HE Capabilities and Operation element definition

Update HE Capabilities/Operation element definition based on IEEE
P802.11ax/D3.0.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago Move send_probe_response parameter to BSS specific items
Jouni Malinen [Fri, 7 Dec 2018 11:07:36 +0000 (13:07 +0200)] 
Move send_probe_response parameter to BSS specific items

This can be more convenient for testing Multiple BSSID functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago Define spectral scaling parameters as QCA vendor specific attributes
Edayilliam Jayadev [Mon, 5 Nov 2018 10:19:34 +0000 (15:49 +0530)] 
Define spectral scaling parameters as QCA vendor specific attributes

Add spectral scaling parameters as vendor attributes to the
QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_GET_CAP_INFO vendor subcommand.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago tests: Connect to WPS AP with NFC connection handover (local failure)
Jouni Malinen [Tue, 4 Dec 2018 18:55:20 +0000 (20:55 +0200)] 
tests: Connect to WPS AP with NFC connection handover (local failure)

This is a regression test case for a potential NULL pointer
dereferencing fixed in the previous commit.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago WPS NFC: Fix potential NULL pointer dereference on an error path
Yu Ouyang [Mon, 3 Dec 2018 06:18:53 +0000 (14:18 +0800)] 
WPS NFC: Fix potential NULL pointer dereference on an error path

The NFC connection handover specific case of WPS public key generation
did not verify whether the two wpabuf_dup() calls succeed. Those may
return NULL due to an allocation failure and that would result in a NULL
pointer dereference in dh5_init_fixed().

Fix this by checking memory allocation results explicitly. If either of
the allocations fails, do not try to initialize wps->dh_ctx and instead,
report the failure through the existing error case handler below.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org