Jouni Malinen [Sun, 18 Dec 2011 20:21:22 +0000 (22:21 +0200)]
P2P: Use hardcoded idle timeout of 10 seconds in P2P client role
The p2p_group_idle configuration parameter is much more useful for
GO role, so use a separate hardcoded value of 10 seconds in P2P
client role. In practice, this means that the P2P client role will
automatically tear down the group when the GO tears down the group.
The 10 second timeout is enough to recover from temporary disconnections
without unnecessary tearing down the group if the GO is still present
and allows the client to connect.
Jouni Malinen [Sun, 18 Dec 2011 20:18:42 +0000 (22:18 +0200)]
P2P: Fix disconnect event not to increase idle timeout
When P2P client is processing a disconnection event, make sure the P2P
idle timeout does not get increased, i.e., set a new timeout only if no
timeout is in use. wpa_state changes between DISCONNECTED and SCANNING
can generate multiple calls to wpas_p2p_notif_disconnect() and
previously this was enough to force the idle timeout never hit in
practice when in P2P client role.
Jouni Malinen [Sun, 18 Dec 2011 19:48:25 +0000 (21:48 +0200)]
Lower RX_MGMT driver event debug level for Beacon frames
This event can be very frequent in AP mode when Beacon frames from
neighboring BSSes are delivered to user space. Drop the debug
message priority from DEBUG to EXCESSIVE for Beacon frames.
P2P: Reduce the idle time in Wait peer connect state
When waiting for go_neg frame from the peer in WAIT_PEER_CONNECT state,
I have observed that sometimes it takes 20 to 30 secs for successful GO
negotiation. I also found out that it is because of 1 second idle time,
in WAIT_PEER_CONNECT state. While it is good to have 1 second idle time
[for doing power-save or doing some other legacy STA Scan or some other
useful stuff], this makes GO Negotiation process slow.
We wait for 1 second idle and then listen for a random time between
100(min)-300(max) ms. Assume P1 is in WAIT_PEER_CONNECT state and P2 is
the one which is now to send go_neg frame. If P2 sends GO Negotiation
frame just at the boundary of 300 ms of P1 and assume that P2 takes
close to 600-800 ms for one iteration of sending go_neg request (one
iteration is GO Negotiation Request frame time + dwell time +
listen_time), P2 needs to transmit at least 16-18 Action frames for
hitting the listen time of P1.
Following patch reduces the idle time to 500 ms. Alternatively we can
increase the listen time interval to 500 ms just for WAIT_PEER_CONNECT
state.
P2P: Fix PROBE_REQ_ONLY flag use for Provision Discovery Request
Provision discovery from a known peer should actually check for
dev->flags & P2P_DEV_PROBE_REQ_ONLY. This is creating an issue of
updating the listen frequency of peer with the PD request frame
frequency. PD request frame will be sent by the peer on our local listen
frequency. This patch fixes that error. Suggested check has already been
implemented in the invitation req receive path.
Jouni Malinen [Sun, 18 Dec 2011 15:21:25 +0000 (17:21 +0200)]
P2P: Fix Provision Discovery channel for some join-GO cases
The Provision Discovery Request needs to be sent on the operating
channel of the GO and as such, the frequency from the BSS table
(scan results) need to override the frequency in the P2P peer
table that could be based on the Listen channel of the GO.
wpa_supplicant/dbus AP: Add support for WPS Internal Registrar
When in AP mode, wpa_supplicant is now enabling WPS (only Internal
Registrar). WPS.Start() call can be used to initiate WPS negotiation
similarly to how this is done in station mode.
Reinette Chatre [Sun, 18 Dec 2011 14:52:33 +0000 (16:52 +0200)]
P2P: Make GO negotiation peer and group information available over D-Bus
The GO negotiation response is very cryptic at the moment. For a success
message we only know on which interface the negotiation succeeded, not
which peer. For a failure we know the interface also and a status code
(number).
It will be very useful for clients to know upon receipt of such a message
which peer the negotiation occurred with.
Now that the peer information is available and the API is changed
already, the function composing the D-Bus message might as well include
all GO negotiation information. This is done with a dict to make things
easier on clients if this result information changes down the line.
Signed-hostap: Reinette Chatre <reinette.chatre@intel.com>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Marek Kwaczynski [Sun, 18 Dec 2011 14:38:48 +0000 (16:38 +0200)]
P2P: Do not include own information in the peer table
When the station is connected to P2P GO after calling p2p_find command
the device sees itself. It is related to lack of filtering itself from
clients connected to P2P GO.
Jouni Malinen [Sun, 18 Dec 2011 12:44:03 +0000 (14:44 +0200)]
PCSC: Accept 0x67 (Wrong length) as a response to READ RECORD
It looks like some USIM cards respond with 0x67 (Wrong length) instead
of 0x6c to 00 b2 01 04 ff. This was getting rejected in
scard_get_record_len(). ETSI TS 102 221 is not very clear on this
detail, but it looks fine to accept the 0x67 error value, too, to learn
the record length.
The whole wpa_supplicant_ctrl_iface_ctrl_rsp_handle() function operates
on the ssid->eap field which exists only if IEEE8021X_EAPOL has been
defined. Therefore the whole function body needs to be enclosed within
an #ifdef/endif block.
Signed-hostap: Antonio Quartulli <ordex@autistici.org>
Jouni Malinen [Wed, 14 Dec 2011 23:06:02 +0000 (01:06 +0200)]
Android: Fix PNO start function conversion
The wpa_hexdump_ascii() call did not get converted properly and this
was missed becaused of it getting defined out from the build. Anyway,
this better use the correct variable names should that debug print
ever be enabled for Android.
Johannes Berg [Sun, 11 Dec 2011 17:57:50 +0000 (19:57 +0200)]
IBSS: fix RSN key initialisation
Antonio reported that RSN IBSS failed to work.
We traced it down to a GTK failure, and he then
bisected it to commit bdffdc5ddb0c838af4c90d11:
"AP: Reorder WPA/Beacon initialization".
The reason this commit broke it is that the state
machine's GInit variable is never set to false as
wpa_init_keys() never gets called, and thus new
keys are generated every time the state machine
executes.
Fix this by calling wpa_init_keys() when the new
group has been initialised.
Reported-by: Antonio Quartulli <ordex@autistici.org> Tested-by: Antonio Quartulli <ordex@autistici.org>
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Sun, 11 Dec 2011 16:30:47 +0000 (18:30 +0200)]
Disassociate when starting WPS search
Previously, the WPS scans could have been done in associated state if we
happened to be associated when the request to use WPS was received. This
can slow down scanning and end up in unexpected state if no WPS
association is tried. Avoid these issues by disconnecting when WPS
search is started.
Jouni Malinen [Sun, 11 Dec 2011 16:06:34 +0000 (18:06 +0200)]
P2P: Fix 32-bit compiler warnings on service discovery reference
Convert core wpa_supplicant code to use u64 instead of void * for the
P2P service discovery reference. Use uintptr_t in type casts in
p2p_supplicant.c to handle the conversion without warnings.
Note: This needs to be revisited for 128-bit CPU where sizeof(void *)
could be larger than sizeof(u64).
P2P: Remove unexpected pending Provision Discovery Request in Search
A Pending Provision Discovery Request was sent in SEARCH phase after a
previous provision discovery timeout. Fix this by resetting the config
method of P2P device in the pending PD reset function. This avoids the
sending of a pending Provision Discovery Request during the next P2P
search.
Michael Braun [Sun, 11 Dec 2011 11:01:57 +0000 (13:01 +0200)]
Allow WPA passphrase to be fetched with RADIUS Tunnel-Password attribute
This allows per-device PSK to be configured for WPA-Personal using a
RADIUS authentication server. This uses RADIUS-based MAC address ACL
(macaddr_acl=2), i.e., Access-Request uses the MAC address of the
station as the User-Name and User-Password. The WPA passphrase is
returned in Tunnel-Password attribute in Access-Accept. This
functionality can be enabled with the new hostapd.conf parameter,
wpa_psk_radius.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Vitaly Wool [Sun, 11 Dec 2011 10:03:18 +0000 (12:03 +0200)]
Skip WPS PBC overlap detection if P2P address is the same
WPS overlap detection can detect false overlap if a P2P peer
changes UUID while authentication is ongoing. Changing UUID
is of course wrong but this is what some popular devices do
so we need to work around it in order to keep compatibility
with these devices. There already is a mechanism in WPS
registrar to skip overlap detection if P2P addresses of two
sessions match but it wasn't really triggered because the
address wasn't filled in in the caller function.
Let's fill in this address and also clean up WPS PBC sessions
on WSC process completion if UUID was changed.
Arik Nemtsov [Sat, 10 Dec 2011 14:50:00 +0000 (16:50 +0200)]
nl80211: Propagate Probe Response offload capabilities from kernel
Translate nl80211 flags to wpa_supplicant flags for Probe Response
offload support. The existence of the nl80211 PROBE_RESP_OFFLOAD_SUPPORT
attribute means Probe Response offload is supported. The value of the
attribute is a bitmap of supported protocols.
Jouni Malinen [Sat, 10 Dec 2011 10:56:42 +0000 (12:56 +0200)]
P2P: Clean up group formation on network block removal
If a P2P group network block is removed for any reason (e.g., wps_cancel
command) while the interface is in group formation, remove the group
formation timeout and indicate failure immediately. Previously, this
type of operations could end up leaving the timeout running and result
in somewhat unexpected group formation failure events later.
Jithu Jance [Sat, 10 Dec 2011 10:26:00 +0000 (12:26 +0200)]
P2P: Append P2P Device Address to AP-STA-DISCONNECTED event
Append "p2p_dev_addr" parameter to AP-STA-DISCONNECTED event for P2P
connections. In addition, for AP-STA-CONNECTED event during P2P
connection, the "dev_addr=" print is replaced with "p2p_dev_addr=" to
be more consistent with other events.
Johannes Berg [Sat, 10 Dec 2011 09:56:31 +0000 (11:56 +0200)]
nl80211: Store own address in BSS
Storing the address in the BSS instead of the DRV struct makes it usable
for hostapd and thus gets rid of the linux_get_ifhwaddr() call when
receiving a spurious frame.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Thu, 8 Dec 2011 22:15:04 +0000 (00:15 +0200)]
Add MSK dump mechanism into hostapd RADIUS server for testing
Testing code can now be enabled in the hostapd RADIUS server to dump
each derived MSK into a text file (e.g., to be used as an input to
wlantest). This functionality is not included in the default build
and can be enabled by adding the following line to hostapd/.config:
CFLAGS += -DCONFIG_RADIUS_TEST
The MSK dump file is specified with dump_msk_file parameter in
hostapd.conf (path to the dump file). If this variable is not set,
MSK dump mechanism is not enabled at run time.
Jouni Malinen [Tue, 6 Dec 2011 19:57:17 +0000 (21:57 +0200)]
P2P: Add group ifname to P2P-PROV-DISC-* events
If Provision Discovery Request is sent for GO role (i.e., P2P Group ID
attribute is included), add the group interface name to the control
interface event on the GO. This makes it easier to figure out which
ctrl_iface needs to be used for wps_pbc/wps_pin command to authorize
the joining P2P client.
Jithu Jance [Tue, 6 Dec 2011 19:28:02 +0000 (21:28 +0200)]
P2P: Add optional "join" argument for p2p_prov_disc command
This can be used to request Provision Discovery Request to be sent
for the purpose of joining a running group, e.g., to request the GO
to display a PIN that we can then use with p2p_connect join command.
Jouni Malinen [Tue, 6 Dec 2011 19:13:54 +0000 (21:13 +0200)]
Remove documentation for label option in p2p_connect
P2P use cases do not allow use of Label config method and the earlier
code for this has already been removed, but this documentation was not
updated at the same time.
Since the nl_cache is not used anymore, there is no need for maintaining
the struct nl80211_handles wrapper for struct nl_handle. Clean this up
by using nl_handle directly.
Johannes Berg [Tue, 6 Dec 2011 16:39:57 +0000 (18:39 +0200)]
nl80211: Register for Beacon frames in AP mode
When running AP mode, we need to receive beacons over overlapping BSSes
to handle protection. Use the new nl80211 command for this. As the
command works per wiphy (and we don't want to receive the Beacon frames
multiple times) add an abstraction that keeps track of per-wiphy data.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Tue, 6 Dec 2011 16:24:00 +0000 (18:24 +0200)]
nl80211: Use nl80211 for mgmt TX/RX in AP mode
To achieve this, multiple things are needed:
1) since hostapd needs to handle *all* action frames,
make the normal registration only when in a non-AP
mode, to be able to do this use the new socket
2) store the frequency in each BSS to be able to give
the right frequency to nl80211's mgmt-tx operation
3) make TX status processing reject non-matched cookie
only in non-AP mode
The whole thing depends on having station-poll support
in the kernel. That's currently a good indicator since
the kernel patches are added together.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Tue, 6 Dec 2011 10:47:17 +0000 (12:47 +0200)]
Revert "EAP server: Force identity request after INITIALIZE for passthrough"
This reverts commit 204dd3f420bb1ddce02d13d7a366169e0bda914d.
start_reauth was not supposed to be used in this way and setting it
to TRUE in INITIALIZE breaks internal EAP server.
Jouni Malinen [Sun, 4 Dec 2011 20:28:30 +0000 (22:28 +0200)]
nl80211: Use driver event to indicate failure on authentication retry
When using authentication retry within driver_nl80211.c, a failure on the
second attempt has to be indicated with a driver event since the return
code from wpa_driver_nl80211_authenticate() is not actually delivered to
the core code in that case.
Jouni Malinen [Sun, 4 Dec 2011 19:57:14 +0000 (21:57 +0200)]
Try to reconnect to the same BSS on recoverable disconnection
If the AP disconnects us with a reason code that indicates that it has
dropped the association, but could allow us to connect again, try to
reconnect to the same BSS without going through the full scan. This can
save quite a bit of time in some common use cases, e.g., when inactivity
timeout is used on the AP (and especially, when waking up from suspend
which has likely triggered some timeout on the AP).
Jouni Malinen [Sun, 4 Dec 2011 19:53:56 +0000 (21:53 +0200)]
nl80211: Recover from auth req ENOENT with a scan
cfg80211 rejects NL80211_CMD_AUTHENTICATE with ENOENT if the BSS entry
for the target BSS is not available. This can happen if the cfg80211
entry has expired before wpa_supplicant entry (e.g., during a suspend).
To recover from this quickly, run a single channel scan to get the
cfg80211 entry back and then retry authentication command again. This
is handled within driver_nl80211.c to keep the core wpa_supplicant
implementation cleaner.
Jouni Malinen [Sun, 4 Dec 2011 19:04:24 +0000 (21:04 +0200)]
SME: Fix processing of Authentication request failure
The wpa_state needs to be dropped back to DISCONNECTED to allow scan
results to trigger a new authentication attempt. In addition, we can use
wpas_connection_failed() instead of requesting a scan after a fixed time
to make this error case more consistent with other similar error paths
in sme.c.
Simon Baatz [Sun, 4 Dec 2011 15:15:16 +0000 (17:15 +0200)]
EAP-SIM: Keep pseudonym identity
The pseudonym is a temporary identity, but is no one-time identifier (like
the fast re-authentication identity). Thus, do not forget it if the server
does not include it in every challenge. There are servers that include the
pseudonym identity only at full-auth. [Bug 424]
Arik Nemtsov [Sun, 4 Dec 2011 10:10:11 +0000 (12:10 +0200)]
Allow Action frames with unknown BSSID in GO mode
P2P invitation responses are transmitted with the BSSID set to the peer
address. Pass these action frames up to allow the GO to receive the
Invitation Response (and avoid sending the Invitation Request multiple
times).
Johannes Berg [Sat, 3 Dec 2011 17:55:22 +0000 (19:55 +0200)]
nl80211: Store frequency in bss struct
Storing the frequency in the bss struct allows using it for frame
commands in AP mode and not relying on the driver struct as much, which
is good for hostapd mode.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Sat, 3 Dec 2011 15:37:48 +0000 (17:37 +0200)]
EAP server: Force identity request after INITIALIZE for passthrough
Previously, sm->start_reauth was set to TRUE in SUCCESS2 state to force
reauthentication to start with EAP identity request. This works fine for
the case of EAP success through the AAA passthrough authentication, but
is not enough to handle passthrough authentication failure. sm->identity
is set in that case and getDecision would return PASSTHROUGH instead of
CONTINUE (to Identity method).
Jouni Malinen [Sat, 3 Dec 2011 11:20:40 +0000 (13:20 +0200)]
Update internal MAC address on EVENT_INTERFACE_ENABLED events
This allows the MAC address of the interface to be changed when the
interface is set down even if the interface does not get completed
removed and re-added.
Johan Hedlund [Sat, 3 Dec 2011 11:02:57 +0000 (13:02 +0200)]
Update RSN supplicant MAC address on driver reinitialization
I have a test case where I remove and insert another network adapter
between two connections to AP. The interface get the same interface name
but switches macadresses between the connections. When running WPA2 I
got a failure in EAPOL negotiation and found out that the reason for
this was that the supplicant did not update the MAC address in the
correct place.
Jouni Malinen [Thu, 1 Dec 2011 20:12:03 +0000 (22:12 +0200)]
wpa_supplicant AP: Allows passphrase to be fetched
"wpa_cli status wps" can now be used to fetch the WPA2-Personal
passphrase from AP mode operation with wpa_supplicant to make it
easier to meet WPS requirements for legacy STA support.
Jouni Malinen [Thu, 1 Dec 2011 19:46:19 +0000 (21:46 +0200)]
WPS: Disable WPS(v2) in WPA/TKIP-only configuration
When using wpa_supplicant AP mode, WPS support is enabled by default for
WPA/WPA2-Personal. Change this to enforce the WPS2 rules on not allowing
WPS to be used with WPA/TKIP-only configuration (i.e., at minimum, mixed
mode with WPA/TKIP and WPA2/CCMP has to be used for WPS to be enabled).
Jouni Malinen [Thu, 1 Dec 2011 16:22:56 +0000 (18:22 +0200)]
Call wpas_connection_failed() only if actually trying to connect
A disconnection event from the driver may end up getting delivered at a
time when wpa_supplicant is not even trying to connect (e.g., during a
scan that was already started after WPS provisioning step). In such a
case, there is not much point calling wpas_connection_failed() and
skipping this avoids confusing attempts of re-starting scanning while
the previous scan is still in progress.
projects / thirdparty / hostap.git / log
