Commit 3962b65858ae5d5226fa504d2d1b4f63e7686a95 removed the Xcode
project files, but missed the defines in build_config.h. Remove these
since there are no users for them in the current snapshot.
Interworking: Relax 3GPP info PLMN matching for MNC
3GPP TS 24.232 Annex A.3 allows network operator to advertise only two
digits of MNC even if MNC has three digits. Allow such matches in
network selection. In addition, allow three digit matches of MNC even if
MNC length was assumed to be two to avoid missing networks if MNC length
cannot be determined reliably. Remove the '-' separator from simulated
SIM/USIM cases to allow the new matching rules to work.
Fix the PLMN List information element parsing loop to use the length of
the PLMN List instead of the length of the full 3GPP Cellular Info to
avoid unexpected matches should a new element ever be added by 3GPP.
Finally, add more debug prints from PLMN matching to make the logs
easier to understand.
WPS: Disconnect when removing existing WPS network block
wpas_clear_wps() was just clearing the current wpa_s->current_ssid
pointer when removing a WPS network block which with the device was
associated. This could leave the association up even though the network
block had already been removed. Prevent this by explicitly disconnecting
from the network instead of such clearing current_ssid.
The new server_id parameter in hostapd.conf can now be used to specify
which identity is delivered to the EAP peer with EAP methods that
support authenticated server identity.
Jouni Malinen [Sun, 30 Jun 2013 21:13:11 +0000 (00:13 +0300)]
tests: Use wpa_supplicant global control interface for P2P
This allows more consistent interface to be used regardless of which
P2P driver design is used (especially for P2P management operations
over netdev vs. dedicated P2P_DEVICE).
Jouni Malinen [Sun, 30 Jun 2013 20:32:13 +0000 (23:32 +0300)]
P2P: Do not add ctrl interface for P2P_DEVICE (p2p-dev-*)
Adding a new wpa_supplicant control interface for the dedicated
P2P_DEVICE would be quite confusing for programs that manage P2P
operations. Remove this control interface and require the global control
interface to be used since it will provide consistent interface for both
the new dedicated P2P_DEVICE (non-netdev) and old style P2P management
through a netdev.
Jouni Malinen [Sun, 30 Jun 2013 17:02:25 +0000 (20:02 +0300)]
P2P: Fix TDLS and l2_packet init without P2P Device interface
Commit c68f6200a72f2b33304f583859b09e57757b9d2a made these calls
conditional on !p2p_mgmt, but forced p2p_mgmt=1 for cases where the
driver does not use the dedicated P2P Device. Fix this by making the
!p2p_mgmt condition apply only if the driver does indicate use of a
dedicated P2P Device.
Jouni Malinen [Sun, 30 Jun 2013 09:55:52 +0000 (12:55 +0300)]
Fix build with older OpenSSL versions
Check that SSL_clear_options and SSL_CTX_clear_options are defined
before using them to avoid compilation failures with older OpenSSL
versions that did not include these macros.
Arend van Spriel [Sun, 30 Jun 2013 07:19:31 +0000 (10:19 +0300)]
P2P: Derive group interface name bit more sensibly
The interface name for the P2P group interface is derived from the
P2P management interface. When the P2P management interface is a
P2P Device interface, i.e., p2p-dev-wlanX, the name for the group
interface is abbreviated to p2p-X (X being group index). When the
P2P management interface starts with p2p-dev- use its postfix
instead. So P2P management interface p2p-dev-wlan3 results in group
interface name p2p-wlan3-0.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Arend van Spriel [Sun, 30 Jun 2013 07:17:47 +0000 (10:17 +0300)]
P2P: Create P2P Device interface if supported
If the capability flag of the driver indicates a dedicated P2P Device is
supported, a P2P Device interface is created.
Create the P2P Device in main interface creation loop when the added
interface flags support and P2P supplicant is not yet initialized
avoiding recursion of add_interface.
Do not register l2_packet for P2P Device interface (both for EAPOL and
for TDLS).
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Jouni Malinen [Sun, 30 Jun 2013 06:58:50 +0000 (09:58 +0300)]
nl80211: Do not indicate P2P_DEVICE support by default
Since the P2P_DEVICE support indication was added to kernel before
everything was working properly, there may be kernel versions in use
with the new mechanism breaking P2P functionality (especially with
mac80211_hwsim). For now, disable P2P_DEVICE support by default and
allow it to be enabled with driver_param=p2p_device=1 in the
configuration file. This default behavior may be changed in the future
once the kernel issues has been resolved in stable releases.
Arend van Spriel [Sun, 30 Jun 2013 07:48:44 +0000 (10:48 +0300)]
P2P: Ignore p2p_no_group_iface when driver advertizes P2P_DEVICE support
Setting p2p_no_group_iface means 'use P2P management interface as P2P
connection interface' because it attempts to change the interface type.
The P2P_DEVICE is a dedicated interface and can not be changed. As such
ignore the configuration option.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Arend van Spriel [Sun, 30 Jun 2013 07:34:48 +0000 (10:34 +0300)]
nl80211: Fix determining phy name for P2P Device
The phy name was determined using /sys/class/net/<ifname> but the P2P
Device is not listed there since it does not have an associated net
device. This patch changes name determination to obtain the name from
the wiphy information provide by nl80211.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Arend van Spriel [Sun, 30 Jun 2013 07:29:00 +0000 (10:29 +0300)]
nl80211: Fix nl80211_get_wiphy_index() for P2P Device
For P2P Device the netlink message should have wdev identifier
instead of the interface index. This fixes a failure which occurred
executing the P2P_GROUP_ADD command.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Jouni Malinen [Sat, 29 Jun 2013 21:54:24 +0000 (00:54 +0300)]
Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.
hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).
This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).
Arend van Spriel [Tue, 25 Jun 2013 10:56:28 +0000 (13:56 +0300)]
P2P: Remove a call to wpas_p2p_deinit_global()
In wpa_supplicant_deinit(), the function wpas_p2p_deinit_global()
was called. Remove it as it will be called from wpas_deinit_iface()
upon removal of the P2P management interface.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Arend van Spriel [Tue, 25 Jun 2013 10:52:58 +0000 (13:52 +0300)]
nl80211: Fix P2P group interface creating using P2P Device
When P2P Device is used as P2P management interface the creation of the
P2P group interface fails because MAC address retrieval fails for the
P2P Device interface.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Arend van Spriel [Tue, 25 Jun 2013 10:51:59 +0000 (13:51 +0300)]
nl80211: Use wdev_id in nl80211_create_iface_once()
For P2P an interface may be created for the P2P client/group. The
create request is done on the P2P management interface, which may
be a P2P Device interface. In that case it needs to use the wdev_id.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Arend van Spriel [Tue, 25 Jun 2013 10:51:14 +0000 (13:51 +0300)]
nl80211: Use wdev id to obtain P2P Device scan results
In order to get a P2P-DEVICE-FOUND event the supplicant needs to
see a peer device during SEARCH and LISTEN phase. The SEARCH
phase does a scan so obtaining the scan results for the P2P Device
interface needs to be supported, i.e., use the wdev_id.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Arend van Spriel [Tue, 25 Jun 2013 10:50:21 +0000 (13:50 +0300)]
nl80211: Add .get_mac_addr() callback for P2P Device
For P2P Device the MAC address is determined upon .init2(). The
wpa_s for this interface retrieves this address in
wpa_supplicant_update_mac_addr() using the .get_mac_addr() callback.
Signed-hostap: Arend van Spriel <arend@broadcom.com>
Johannes Berg [Tue, 25 Jun 2013 10:38:03 +0000 (13:38 +0300)]
nl80211: Allow Android P2P functionality
To support Android the kernel may have a "p2p0" netdev for a P2P Device
even though this isn't very useful, but Android requires a netdev. To
support this in the supplicant, if the interface mode is P2P_DEVICE,
re-set it to the same instead of STATION mode.
Note that this is only possible with a kernel that creates a
netdev for the P2P Device wdev.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
David Spinadel [Tue, 25 Jun 2013 10:35:05 +0000 (13:35 +0300)]
nl80211: Add a handler to create_interface
Add an option to pass a handler to nl80211_create_iface() and
nl80211_create_interface_once() that will be called after receiving the
message from the kernel. This handler will add the option to process the
message in different ways for different interfaces.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
David Spinadel [Tue, 25 Jun 2013 10:33:45 +0000 (13:33 +0300)]
nl80211: Hold wdev identification for P2P Device
Add wdev_id to i802_bss. wdev_id_set indicates whether this id is
available. Use wdev_id if assigned, instead of ifindex. Use wdev_id for
events that come from the kernel to identify the relevant interface.
This commit does not assign wdev_id value for the BSS yet, i.e., this is
only preparation for the value to be used in a future commit.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Nirav Shah [Tue, 25 Jun 2013 10:29:48 +0000 (13:29 +0300)]
nl80211: Identify if nl80211 is capable of P2P Device abstraction
Check the supported interfaces attribute to identify support for
a dedicated P2P Device interface type. If set, update the driver
capabilities flag to notify the supplicant.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Michael Braun [Tue, 25 Jun 2013 09:03:02 +0000 (12:03 +0300)]
VLAN: Avoid access to non-existing interfaces
Currently, hostapd_get_vlan_id_ifname() is used to determine if a given
vlan is valid *and* to actually determine the interface. This leads to
wpa_set_keys() sometimes setting the key on the wildcard interface name,
which does not make sense.
This patch therefore adds hostapd_vlan_id_valid() and makes
hostapd_get_vlan_id_ifname() not return a wildcard interface.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Tue, 25 Jun 2013 08:55:30 +0000 (11:55 +0300)]
bridge: Track inter-BSS usage
Currently, struct hostapd_vlan is a per-BSS data structure which
also contains informations about whether to remove the bridge
or clear wlan / tagged-vlan interface from the bridge.
In a multi-interface multi-BSS setup, this can lead to the following
race condition:
1. wlan0 creates VLAN A, sets DVLAN_CLEAN_BR and DVLAN_CLEAN_VLAN_PORT
2. wlan1 creates VLAN A, does not set DVLAN_CLEAN_BR and
DVLAN_CLEAN_VLAN_PORT as already there
3. wlan0 removes VLAN A, removes tagged-interface from the bridge
but not the bridge.
Now wlan1 VLAN A is unusable due to the missing uplink.
4. wlan1 removes VLAN A, does not cleanup
Solution:
This requires an inter-BSS inter-interface data structure to track the
bridge / bridge port usage within hostapd. This data structure could
also be used to track any other device-has-been-created-by-hostapd
information or when regarding interface freeing.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Tue, 25 Jun 2013 08:10:00 +0000 (11:10 +0300)]
bridge: Use safe default bridge interface
Currently by default, all BSS share the bridge brvlan%d.
While this is sane when no tagged-interface is given, this
is insane when different tagged interfaces are given, as
it would result in bridging those tagged interfaces.
This patch therefore uses br%s%d with %s=tagged_interface
and %d=VLAN ID as bridge name when a tagged-interface is given.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Johannes Berg [Sat, 22 Jun 2013 10:17:14 +0000 (13:17 +0300)]
wlantest: Always write radiotap pcap-ng
When writing pcap-ng files, always include a radiotap
header even if there wasn't one in the input. For now
just drop prism headers, I don't have any to test.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Chengyi Zhao [Sat, 22 Jun 2013 09:09:09 +0000 (12:09 +0300)]
D-Bus: Emit signal when a station is authorized or deauthorized
Add "StaAuthorized" and "StaDeauthorized" D-Bus interface in AP mode.
After enabling the AP mode of wpa_supplicant, the other process need to
get the MAC address and authorization status of every station, so
wpa_supplicant emits signal when the station is authorized or
deauthorized.
Alexander Bondar [Sat, 22 Jun 2013 08:28:33 +0000 (11:28 +0300)]
Remove 802.11b rates only in case of P2P group operation
11b rates removal have had impact on SoftAP functionality in
wpa_supplicant. This patch verifies that only in case of P2P group
operation 11b rates will be eliminated. Refer also to commit 4c2c30289305b67c09f464ba29352b008b5ec433.
Signed-hostap: Alexander Bondar <alexander.bondar@intel.com>
Signed-hostap: Ilan Peer <ilan.peer@intel.com>
Sunil Dutt [Thu, 20 Jun 2013 12:10:15 +0000 (15:10 +0300)]
TDLS: Validate ext_supp_rates in copy_supp_rates
The ext_supp_rates passed to merge_byte_arrays would be invalid if not
advertized by the TDLS peer. Thus, validate the argument to avoid
crashes in such cases.
Jouni Malinen [Wed, 19 Jun 2013 16:16:23 +0000 (19:16 +0300)]
P2P: Do not reply to 802.11b-only Probe Request frames as GO
If AP mode SME/MLME within wpa_supplicant is used for processing Probe
Request frames in GO mode, drop Probe Request frames that include only
802.11b rates per P2P spec section 2.4.1.
Kyeyoon Park [Tue, 18 Jun 2013 14:40:51 +0000 (17:40 +0300)]
Fix session timeout after ANQP dummy STA entry with SME-in-driver
Upon association, disable the timer that removes the dummy STA. This
timer caused the STA that associates within 5 seconds of doing an ANQP
query to disassociate, thinking it's a dummy STA. Similar call was
already there for the SME/MLME-in-hostapd case in handle_auth(), but the
SME-in-driver case was not previously addressed.
Jouni Malinen [Fri, 7 Jun 2013 17:13:25 +0000 (20:13 +0300)]
Remove CONFIG_NO_WPA2 build parameter
There is not much use for enabling WPA without WPA2 nowadays since most
networks have been upgraded to WPA2. Furthermore, the code size savings
from disabling just WPA2 are pretty small, so there is not much
justification for maintaining this build option. Remove it to get rid of
undesired complexity.
Jouni Malinen [Fri, 7 Jun 2013 17:02:50 +0000 (20:02 +0300)]
Fix WNM build without WPA2
Commit ae8535b6e1a98ca40ce87650a4179851e7cd13a7 added a new function
wpa_sm_pmf_enabled() which is called from WNM code without ifdefs.
Define a dummy wrapper for this function to fix build if WPA2 is
disabled.
Jouni Malinen [Fri, 7 Jun 2013 17:01:10 +0000 (20:01 +0300)]
Fix build without WPA2 or EAP
Commit 4033935dd9098938838d6d7934ceb65f92a1fa3c updated
pmksa_cache_flush() function arguments, but forgot to update the wrapper
function for cases where WPA2 or EAP has been disabled in the build.
Wei-Jen Lin [Tue, 4 Jun 2013 23:03:26 +0000 (02:03 +0300)]
P2P: Automatic channel selection at re-invocation of persistent GO
If the driver wrapper supports best operation channel indication, the
p2p_group_add command can now use special values (freq=2 and freq=5) to
indicate that the re-invoked persistent GO is to be started on the
specified band.
Vivek Natarajan [Mon, 3 Jun 2013 18:30:34 +0000 (21:30 +0300)]
P2P: Modify wait time in INVITE state based on Tx status of INV-REQ
In a noisy enviromment, some peers can be slow to respond to the
invitation request frames which may lead to unnecessary state timeout.
Increase this timeout to 350 ms to improve the probabilty of
successfully receiving the invitation response frames.
Jouni Malinen [Thu, 30 May 2013 07:25:23 +0000 (10:25 +0300)]
nl80211: Use NL80211_ATTR_PEER_AID to set TDLS peer AID
This is needed for TDLS with VHT to allow partial AID to be set
correctly for the direct link frames. cfg80211 validation rules
prevented NL80211_ATTR_STA_AID from being used for this in set_station
case, so the new attribute is used instead.
Jouni Malinen [Mon, 27 May 2013 21:35:47 +0000 (00:35 +0300)]
WPS: Allow Device Password Id changes between PIN methods
Commit b4a17a6ea74b2ffba082e05c84730e979513042c added support for the
WPS Registrar to change the Device Password based on WSC specification
design. However, this added validation for Registrar behavior which
resulted in preventing a common P2P use case from working. Relax the
validation rules for builds with P2P enabled to allow the Enrollee (P2P
client) accepting M1/M2 changes in Device Password Id between Default
and Registrar-specified PIN.
Jouni Malinen [Mon, 27 May 2013 17:10:57 +0000 (20:10 +0300)]
nl80211: Ignore deauth/disassoc event from old AP
It looks like cfg80211 can deliver a deauth/disassoc event during some
roaming cases while we are already in progress with a new
authentication/association. This happens at least with FT protocol.
Avoid issues with such disconnection event resulting in core
wpa_supplicant stopping the new connection attempt by tracking
auth/assoc BSSID more carefully within driver_nl80211.c and filtering
out events that do not apply for the current AP.
Jouni Malinen [Sun, 26 May 2013 18:46:54 +0000 (21:46 +0300)]
wlantest: Select correct TDLS context if multiple exists
Some corner cases may result in both directions of TDLS tracking context
existing. If that is the case, the incorrect one may end up getting
picked when figuring out which TK to use for decryption or fix
statistics counter to increment. Fix this by preferring the context that
has TDLS link up.
Jouni Malinen [Sun, 26 May 2013 16:39:48 +0000 (19:39 +0300)]
wlantest: Add support for writing pcapng files
The new -n<file> command line argument can be used to request wlantest
to write all read or captured frames into a pcapng file. This is similar
to the -w argument, but with pcapng allowing per-frame comments to be
embedded in the file.
Jouni Malinen [Fri, 24 May 2013 13:03:54 +0000 (16:03 +0300)]
FT: Fix TKIP group key configuration in FT protocol
The Michael MIC TX and RX keys needs to be swapped in the FT case just
like in all other TKIP key configuration cases. This fixes issues where
TKIP as group cipher resulted in Michael MIC failures being detected for
each received group-addressed frame after FT protocol use.
Jouni Malinen [Fri, 24 May 2013 10:37:22 +0000 (13:37 +0300)]
Do not set driver MAC ACL unless driver supports this
This cleans up debug log by not including comments about failed
operations in case the operation is known to fail due to not being
supported by the driver.
Vivek Natarajan [Thu, 23 May 2013 11:38:20 +0000 (14:38 +0300)]
hostapd: Support MAC address based access control list
Enable MAC address based ACL for the drivers which advertise
this capabilty with NL80211_ATTR_MAC_ACL_MAX. Either of blacklist
or whitelist is supported, though, not simultaneously.
Jouni Malinen [Thu, 23 May 2013 17:35:02 +0000 (20:35 +0300)]
wpa_cli: Support tab completion with ifname= prefix
Enable tab completion for the cases where ifname= prefix is used in
interactive mode by skipping over that prefix before running through the
per-command completion routines. The ifname= prefix itself is also
covered by adding the possible interface names to the command list.
Jouni Malinen [Thu, 23 May 2013 17:04:17 +0000 (20:04 +0300)]
wpa_cli: Allow IFNAME= prefix to be used
Strip out the IFNAME=<ifname> prefix from commands before parsing them
through the normal processing and then add the prefix back to the
beginning of the actual control interface command to make per-interface
commands work through the global control interface without having to use
the 'raw' command.
Jouni Malinen [Thu, 23 May 2013 12:57:13 +0000 (15:57 +0300)]
WNM: Fix ess_disassoc timeout to be specified in TBTTs
This was previously claimed to be in ms, but the field in BSS Transition
Management Request frame is in number of TBTTs (beacon interval). Use
that unit in the ESS_DISASSOC control interface command to be able to
specify any value and just modify the timeout value to be calculated
based on beacon interval.
WNM: Remove PMKSA cache entry on ESS disassoc imminent notification
This is needed to avoid allowing the STA to reconnect using a cached
PMKSA. ESS disassoc imminent notification is normally used to indicate
that the STA session will be terminated and as such, requiring full
authentication through the authentication server after this is needed.
Jouni Malinen [Tue, 21 May 2013 16:34:00 +0000 (19:34 +0300)]
Fix already-associated detection with driver-based BSS selection
wpa_s->pending_bssid is all zeros during connection attempt when
driver-based BSS selection is used. Take this into account when
determining whether new scan results should trigger a connection based
on wpa_s->current_ssid, i.e., a connection attempt with the selected
network instead of selected BSS.
Sean Lin [Wed, 22 May 2013 10:29:46 +0000 (13:29 +0300)]
P2P: Relax channel forcing for invitation processing with MCC support
When STA interface is connected and P2P interface gets invited in a
different channel from previous P2P group, the invitiation would fail
because of no common channel found. Fix this by using different logic
when device support multi channel concurrency.
Jouni Malinen [Wed, 22 May 2013 10:24:30 +0000 (13:24 +0300)]
Fix OKC-based PMKSA cache entry clearing
Commit c3fea272747f738f5723fc577371fe03711d988f added a call to clear
all other PMKSA cache entries for the same network if the PMKSA cache
entry of the current AP changed. This was needed to fix OKC cases since
the other APs would likely use the new PMK in the future. However, this
ended up clearing entries in cases where that is not desired and this
resulted in needing additional full EAP authentication with networks
that did not support OKC if wpa_supplicant was configured to try to use
it.
Make PMKSA cache entry flushing more limited so that the other entries
are removed only if they used the old PMK that was replaced for the
current AP and only if that PMK had previously been used successfully
(i.e., opportunistic flag was already cleared back to 0 in
wpa_supplicant_key_neg_complete()). This is still enough to fix the
issue described in that older commit while not causing problems for
standard PMKSA caching operations even if OKC is enabled in
wpa_supplicant configuration.
Sunil Dutt [Mon, 20 May 2013 10:07:24 +0000 (15:37 +0530)]
TDLS: Retry TDLS Setup Response more quickly
TDLS responder STA used to retransmit the TDLS Setup Response after 5
seconds if the TDLS Setup Confirm is not received. The initiator would
have enabled the TDLS link and started transmitting the data to the peer
on the TDLS link after transmitting the TDLS Setup Confirm frame. If the
TDLS Setup Confirm frame is not received by the receiver, the
transmissions from the initiator on the direct link would get failed for
the TDLS link not getting enabled on the receiver. This commit reduces
the data delivery failure duration by shortening the retry time of the
TDLS Setup Response frames. The retry limit of the TDLS Response frame
also is increased to ensure that the peer does not miss the frames in
the reduced time period.
Kyeyoon Park [Fri, 5 Apr 2013 15:41:26 +0000 (18:41 +0300)]
WNM: Add disassociation timeout processing for ESS_DISASSOC
The hostapd_cli ess_disassoc command now takes three arguments (STA MAC
address, timeout in ms, URL) and the STA is disconnected after the
specified timeout.