Commit graph

1444 commits

Author SHA1 Message Date
Jouni Malinen
6554237f38 FT: Share IE parser implementation for Authenticator and Supplicant
These are almost identical, so there is no point in using separate
implementations.
2011-07-16 11:13:39 +03:00
Hong Wu
c284b46141 FT: Fix the calculation of MIC Control field in FTIE
Reassociation Request/Response frame validation need to count all IEs in
the RIC. In addition, TIE is not protected, so it should not be included
in the count.

Signed-off-by: Hong Wu <hong.wu@dspg.com>
2011-07-16 10:57:17 +03:00
Jouni Malinen
04a85e4401 P2P: Filter Probe Request frames based on DA and BSSID in Listen state
Only accept Probe Request frames that have a Wildcard BSSID and a
destination address that matches with our P2P Device Address or is the
broadcast address per P2P specification 3.1.2.1.1.
2011-07-15 20:28:46 +03:00
Arik Nemtsov
d83ab1fe37 hostapd: Set STA flags when adding a new station
When adding a new station, set the STA flags as part of the sta_add()
command. This ensures the flags are up to date when the station is added
by lower level drivers.

Signed-off-by: Arik Nemtsov <arik@wizery.com>
2011-07-12 20:26:52 +03:00
Jouni Malinen
cb465555d4 Allow PMKSA caching to be disabled on Authenticator
A new hostapd configuration parameter, disable_pmksa_caching=1, can now
be used to disable PMKSA caching on the Authenticator. This forces the
stations to complete EAP authentication on every association when WPA2
is being used.
2011-07-05 17:13:04 +03:00
Yogesh Ashok Powar
a3e685a04b hostapd: Clear keys configured when hostapd reloads configuration
Data path is broken when hostapd reloads its configuration
disabling the security which was previously enabled (WEP/WPA),
using kill -1, as old keys were not cleared.

The patch clears the keys configured when hostapd reloads
its configuration.

Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
2011-07-05 11:39:26 +03:00
Helmut Schaa
d4744189b7 hostapd: Don't mask out non-symmetric STA HT caps
Previously hostapd just masked the STAs HT caps with its own. However,
some HT caps are not symmetric and as such need to be handled
different.

hostapd shouldn't overwrite the STAs SMPS mode as otherwise the driver
cannot know it has to use RTS/CTS to wake the receiver from dynamic
SMPS for MCS rates > 7.

hostapd shouldn't mask the RX and TX STBC caps with it's own. They are
already handled in a special case below.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
2011-06-23 20:18:21 +03:00
Jouni Malinen
7cc7307d90 Fix hostapd build without NEED_AP_MLME=y 2011-06-22 21:45:14 +03:00
Jouni Malinen
9e2704c3a2 Add EVENT_RX_ACTION handler for hostapd
This fixes an issue with SA Query Response frames not being processed
anymore after wpa_supplicant started registering a handler for those.
This handler registration is in generic driver_nl80211.c code, so
hostapd uses it, too.
2011-06-21 20:55:46 +03:00
Jouni Malinen
55e632df72 Remove a compiler warning on uninitialized variable
This is not really ever used, but better keep the compiler output
cleaner.
2011-06-21 20:54:17 +03:00
Jouni Malinen
6b98a33c86 Fix a compiler warning on WPS-AP-without-UPnP builds 2011-05-31 20:11:25 +03:00
Ken Zhu
41fd1d9e9a atheros: Fix auth_alg configuration for static WEP
When IEEE 802.1X is not enabled, driver_atheros.c needs to know how
to set authentication algorithms for static WEP.
2011-05-20 18:27:53 +03:00
Vinay Adella
86795546f7 WPS UPnP: Fix UPnP initialization for non-bridge case with some drivers
If the driver wrapper is setting up the interface up only at commit(),
UPnP initialization fails. Fix that by moving UPnP setup to happen after
the driver commit() call.
2011-05-19 12:55:47 +03:00
Jouni Malinen
fa5165586f WPS: Add a workaround for Windows 7 capability discovery for PBC
Windows 7 uses incorrect way of figuring out AP's WPS capabilities by
acting as a Registrar and using M1 from the AP. The config methods
attribute in that message is supposed to indicate only the configuration
method supported by the AP in Enrollee role, i.e., to add an external
Registrar. For that case, PBC shall not be used and as such, the
PushButton config method is removed from M1 by default. If pbc_in_m1=1
is included in the configuration file, the PushButton config method is
left in M1 (if included in config_methods parameter) to allow Windows 7
to use PBC instead of PIN (e.g., from a label in the AP).
2011-05-17 19:53:02 +03:00
Ben Greear
60eda5e47d Better messages when channel cannot be used in AP mode
Log messages letting user know that the channel cannot
be used because it is flagged unusable.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2011-05-16 22:01:11 +03:00
Jouni Malinen
b8281964af Add workaround for race condition with AssocResp TX status
It may take some time for the TX status to be delivered for a
(Re)Association Response frame and if any Data frames are received
during that time, they may end up getting dropped as Class 3 frames in
not-associated state. This results in a Disassociation frame being sent
to the station and it assuming that the association has been lost.

Work around the issue by remembering that the (Re)Association Request
has already been accepted and skip the Deauth/Disassoc sending because
of the possible Class 3 frames before the TX status callback is
received.
2011-04-15 19:26:28 +03:00
Jouni Malinen
6e432d3f10 WPS: Use strict validation of (Re)AssocReq only if IEs are known 2011-04-14 02:58:35 +03:00
Jouni Malinen
b211f3eb71 Add sanity checks to EVENT_RX_PROBE_REQ event data
Both the SA and IEs from the received Probe Request frames must be
included and the Probe Request RX callback functions may assume that
these are not NULL.
2011-04-14 02:39:25 +03:00
Jouni Malinen
df13a1cdff Fix WPS AP mode regression
Commit 03d3f28a69 broke initialization of
EAPOL authenticator state machines since an error value from
wpa_auth_sta_key_mgmt() (-1) was not handled properly and the fixed
wpa_key_mgmt_wpa_psk() identified the value as a PSK-based AKM because
of all bits being set to 1. The special error value needs to handled
separately to avoid skipping EAPOL state machine initialization.
2011-04-11 19:22:49 +03:00
Per Ekman
0b04889f0d Remove references to time_t/time()/random()
Replace direct calls in AP mode code with os_*() wrappers.
2011-04-11 18:33:48 +03:00
Mahesh Palivela
a1ca02927a atheros: Add support for IEEE 802.11w configuration 2011-04-08 12:06:27 +03:00
Jouni Malinen
d9040cdb10 Fix a typo in a MIB variable in hostapd ctrl_interface 2011-04-05 01:21:27 +03:00
Felix Fietkau
4378fc14eb nl80211: Send EAPOL frames as QoS data frames for QoS aware clients
This should fix EAPOL reauthentication and rekeying timeout issues
with Intel clients when using WMM (e.g., with IEEE 802.11n). These
stations do not seem to be able to handle EAPOL data frames as
non-QoS Data frames after the initial setup.

This adds STA flags to hapd_send_eapol() driver op to allow
driver_nl80211.c to mark the EAPOL frames as QoS Data frame
when injecting it through the monitor interface.
2011-04-02 22:03:05 +03:00
Jouni Malinen
e4bf4db907 Work around SNonce updates on EAPOL-Key 1/4 retransmission
Some deployed supplicants update their SNonce for every receive
EAPOL-Key message 1/4 even when these messages happen during the
same 4-way handshake. Furthermore, some of these supplicants fail
to use the first SNonce that they sent and derive an incorrect PTK
using another SNonce that does not match with what the authenticator
is using from the first received message 2/4. This results in
failed 4-way handshake whenever the EAPOL-Key 1/4 retransmission
timeout is reached. The timeout for the first retry is fixed to
100 ms in the IEEE 802.11 standard and that seems to be short
enough to make it difficult for some stations to get the response
out before retransmission.

Work around this issue by increasing the initial EAPOL-Key 1/4
timeout by 1000 ms (i.e., total timeout of 1100 ms) if the station
acknowledges reception of the EAPOL-Key frame. If the driver does
not indicate TX status for EAPOL frames, use longer initial
timeout (1000 ms) unconditionally.
2011-03-29 17:39:12 +03:00
Jouni Malinen
2fee890af7 Add driver capa flag for EAPOL TX status and store capa in hostapd 2011-03-29 17:36:06 +03:00
Jouni Malinen
3c183894d4 Make GKeyDoneStations counting able to recover from mismatches
Previously, a bug in GKeyDoneStations count would remain in effect
until the authenticator is restarted. Make this more robust by
clearing the station count before each rekeying setup. While this
is not really supposed to be needed, there has been bugs in this
area in the past and it is safer to make the implementation recover
from such an issue automatically.
2011-03-23 17:06:17 +02:00
Jouni Malinen
2ade8ef296 Decrement GKeyDoneStations in WPA authenticator when STA is freed
If the STA to be freed is still included in GKeyDoneStations count,
decrement the count when the STA is freed. This does not happen in
AP mode since there is enough time to go through the authenticator
state machine to clear the STA. However, in the current RSN IBSS
implementation, the authenticator state for the STA is freed in a
way that does not allow the state machine to go through the clearing.
To address this, make sure that wpa_free_sta_sm() decrements the
GKeyDoneStations count if the STA happened to be in the process of
GTK rekeying.
2011-03-23 17:00:18 +02:00
Jouni Malinen
cd9fc7869a hostapd: Add testing mode for RSN element extensions
CFLAGS += -DCONFIG_RSN_TESTING in .config and rsn_testing=1 in
hostapd.conf can now be used to enable a testing mode that adds
extensions to RSN element. This can be used to check whether
station implementations are incompatible with future extensions
to the RSN element.
2011-03-21 13:59:05 +02:00
Johannes Berg
c76e5d7f9b wpa_s AP mode: complete only when setup is complete
The AP code might, currently only in the case of HT40, defer actual
enabling to after a scan. In this case, the wpa_s AP code gets confused.
Add a callback for it to use and make it use it to finish only when the
setup has actually completed.

With appropriate hacks in place this allows using HT40 in P2P mode.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-03-19 13:11:15 +02:00
Jean-Michel Bachot
4028a7fd43 WPS: Add support for adding WPS Vendor Extensions
This adds the ability to add WPS vendor extensions to an AP (or GO).
They will be added to the WSC IE(s) in Beacon and Probe Response frames.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-03-19 12:22:16 +02:00
Johannes Berg
2f646b6e83 WPS: Store (secondary) device type as binary
Instead of converting back and forth from the string representation,
always use the binary representation internally.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-03-17 18:50:22 +02:00
Helmut Schaa
4f6bd86d07 hostapd: Don't force HT Mixed Mode for non-GF STAs
Currently hostapd will force HT Mixed Mode if at least one non-GF STA is
associated. This will force _all_ HT transmissions to be protected.

802.11n-2009 doesn't require HT Mixed Mode to be used in case of non-GF
STAs but instead the HT information element contains a flag if non-GF
STAs are present. All STAs are required to protect GF transmissions in
that case. Hence, setting HT Mixed mode if non-GF STAs are present is
superfluous.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
2011-03-16 11:56:39 +02:00
Sujith Manoharan
ec2b890981 HT: Skip ht_capab validation if ieee80211n=0
There is no point in running through the 40 MHz scan if HT is
actually disabled regardless of whether the ht_capab parameter
is set.
2011-03-16 11:22:40 +02:00
Jouni Malinen
e17a2477db nl80211: Extend bridge add/del operations for secondary BSSes
Previously, only the main interface was added to a bridge. Extend this
to apply to all configured BSSes.
2011-03-15 13:02:49 +02:00
Shan Palanisamy
39b08b5fc0 Indicate assoc vs. reassoc in association event
This allows driver wrappers to indicate whether the association was
done using Association Request/Response or with Reassociation
Request/Response frames.
2011-03-06 14:31:46 +02:00
Shan Palanisamy
d7956add9c FT: Make FT-over-DS configurable (hostapd.conf ft_over_ds=0/1) 2011-03-06 14:31:42 +02:00
Iain Hibbert
8ce58ceb25 Avoid preprocessor directives in macro arguments
os_snprintf() can be a preprocessor macro and according to
C99 (6.10.3 clause 11) the results of having preprocessor directives
inside the macro arguments is undefined.
2011-02-27 18:59:26 +02:00
Helmut Schaa
e926bcffd8 hostapd: Inherit correct MAC address for AP VLAN interfaces
When using multiple vifs and dynamic vlan tagging is enabled on any
interface, the created AP VLAN interfaces get the BSSID of the first
AP mode interface instead of the BSSID of the corresponding AP mode
interface.

Example:

wlan0 - xx:xx:xx:xx:x0
wlan1 - xx:xx:xx:xx:x1

Assume a STA connects to the AP interface wlan1 and gets a dynamic
VLAN tag 100 assigned by the RADIUS server. Hostapd will create an AP
VLAN interface wlan1.100 but doesn't set an address for this interface
which results in wlan1.100 getting the same address as wlan0:

wlan1.100 - xx:xx:xx:xx:x0

As a result the STA that was moved to wlan1.100 isn't able to finish its
4-way handshake since mac80211 won't pass its frames to wlan1.100 due to
the different address.

To fix this issue make use of the address of the AP interface when
creating an AP VLAN interface.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
2011-02-24 21:25:40 +02:00
Ben Greear
24d75245bd AP: Update logging related to inactivity and disassociation
Add MAC addresses for stations and use wpa_msg instead of printf
methods to make it easier to grep logs and find messages for the
station in question.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2011-02-24 17:44:45 +02:00
Ben Greear
1aae01fc04 Add more wpa_auth debugging messages 2011-02-24 17:35:59 +02:00
Helmut Schaa
f39b07d7ed hostapd: Allow coexistance of HT BSSes with WEP/TKIP BSSes
In multi BSS setups it wasn't possible to set up an HT BSS in
conjunction with a WEP/TKIP BSS. HT needed to be turned off entirely
to allow WEP/TKIP BSSes to be used.

In order to allow HT BSSes to coexist with non-HT WEP/TKIP BSSes add a
new BSS conf attribute "disable_11n" which disables HT capabilities on a
single BSS by suppressing HT IEs in the beacon and probe response
frames. Furthermore, mark all STAs associated to a WEP/TKIP BSS as
non-HT STAs. The disable_11n parameter is used internally; no new entry
is parsed from hostapd.conf.

This allows a non-HT WEP/TKIP BSS to coexist with a HT BSS without
having to disable HT mode entirely. Nevertheless, all STAs associated to
the WEP/TKIP BSS will only be served as if they were non-HT STAs.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
2011-02-21 17:27:16 +02:00
Jouni Malinen
55bce124e5 FT: Fix FT-EAP to set EAPOL Authenticator into authenticated state
This is needed to avoid the EAPOL Authenticator from trying to start
new authentication when FT protocol is used. [Bug 384]
2011-02-20 21:56:56 +02:00
Jouni Malinen
7e0318505c FT: Specify source MAC address for RRB messages
Use l2_packet with Ethernet header included so that the source
address for RRB packets can be forced to be the local BSSID. This
fixes problems where unexpected bridge interface address may end
up getting used and the recipient of the frame dropping it as
unknown R0KH/R1KH.
2011-02-20 17:50:11 +02:00
Jouni Malinen
6603a96602 Flush STA entries in hostapd when clearing STAs from kernel
This is needed to keep kernel and hostapd in sync. In addition,
the obsolete entry in hostapd prevented use of Deauthentication
or Disassociation frame with reason code 6/7 mechanism to indicate
to the STA that there is no association if the STA missed the
broadcast Deauthentication frame for any reason.
2011-02-10 22:31:32 +02:00
Jouni Malinen
e3e52e364e hostapd: Fix RADIUS client configuration update on reconfig
The internal pointer to RADIUS client configuration needs to be
updated whenever a new hostapd configuration is loaded. Without
this, freed memory may be dereferenced and this can result in
segmentation faults.
2011-02-10 22:12:29 +02:00
Jouni Malinen
810f08bab4 Make sure reserved field in WMM IE is set to 0
This was previously left uninitialized for Beacon frames and could
potentially have any value.
2011-02-10 22:10:40 +02:00
Jouni Malinen
2944824315 hostapd: Add require_ht configuration parameter
This can be used to configure hostapd to reject association with
any station that does not support HT PHY.
2011-02-09 15:08:47 +02:00
Jouni Malinen
e67b55fb11 wpa_s AP: Deliver EVENT_RX_PROBE_REQ events to AP processing
This is needed to allows WPS PBC session overlap detection to work
with drivers that process Probe Request frames internally. This
code is is run in hostapd, but the wpa_supplicant AP mode did not
have call to the hostapd_probe_req_rx() function even though it
registered handlers for hostapd Probe Request RX callbacks.
2011-02-08 14:32:35 +02:00
Jouni Malinen
d601247ca9 P2P: Allow WPS_PBC command on GO to select on P2P Device Address
An optional parameter, p2p_dev_addr, can now be given to WPS_PBC
command on P2P GO to indicate that only the P2P device with the
specified P2P Device Address is allowed to connect using PBC. If
any other device tries to use PBC, a session overlap is indicated
and the negotiation is rejected with M2D. The command format for
specifying the address is "WPS_PBC p2p_dev_addr=<address>", e.g.,
WPS_PBC p2p_dev_addr=02:03:04:05:06:07

In addition, show the PBC session overlap indication as a WPS failure
event on an AP/GO interface. This particular new case shows up as
"WPS-FAIL msg=4 config_error=12".
2011-02-07 18:28:36 +02:00
Johannes Berg
0661eed204 AP: Add callback for STA authorized transitions
Add a callback for station's authorized transitions
to allow wpa_supplicant to emit events in DBus.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-02-02 16:56:59 +02:00
Johannes Berg
6905dcb1e0 AP: Introduce sta authorized wrappers
To enable making state change notifications on the WLAN_STA_AUTHORIZED
flag, introduce ap_sta_set_authorized(), and to reduce use of the flag
itself also add a wrapper for testing the flag: ap_sta_is_authorized().

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2011-02-02 16:52:32 +02:00
Jouni Malinen
7615078caf AP: Make sure ieee80211n_allowed_ht40_channel_pair() gets called
We need to call this function after having completed the neighboring
channel scan to figure out whether HT40 can be used and if so, which
channel is the secondary channel.
2011-02-01 16:09:26 +02:00
Nishant Sarmukadam
1b4d379366 AP: Ensure ieee80211n_supported_ht_capab() gets called to check ht caps
ieee80211n_supported_ht_capab is called after ieee80211n_check_40mhz in
function hostapd_check_ht_capab. ieee80211n_check_40mhz can return 1 in
a valid scenario where the initialization is completed in a callback. In
this case ieee80211n_supported_ht_capab is skipped and hostapd does not
check the ht capabilities reported by the driver. Fix this issue making
sure ieee80211n_supported_ht_capab gets called.

Signed-off-by: Nishant Sarmukadam <nishants@marvell.com>
2011-02-01 16:04:59 +02:00
Johannes Berg
d2da224948 AP: Enable WMM with default parameters by default for HT
If WMM is not disabled explicitly (wmm_enabled=0 in hostapd.conf),
enable WMM automatically whenever HT (ieee80211n) is enabled. Use
the default WMM parameters for AP TX queues and the EDCA parameters
advertised for stations in WMM IE if no overriding values are
included in the configuration.
2011-02-01 14:34:12 +02:00
Jouni Malinen
1161ff1ef5 hostapd: Allow TDLS use to be prohibited in the BSS
tdls_prohibit=1 and tdls_prohibit_chan_switch=1 and now be used to
disable use of TDLS or TDLS channel switching in the BSS using
extended cabilities IE as defined in IEEE 802.11z.
2011-01-28 19:21:59 +02:00
Jouni Malinen
cbcf92b42f AP: Validate management frame length
Make sure that received management frames are long enough before
processing them. This avoids a potential segmentation fault if a
driver delivers an invalid frame all the way to hostapd.
2011-01-17 12:21:29 +02:00
Jouni Malinen
bc8318acbc WPA: Add more info for EAPOL-Key Nonce/MIC debugging 2011-01-15 16:57:08 +02:00
Chao-Wen Yang
c5cf0a18f1 WPS: Add mechanism for indicating non-standard WPS errors
Previously, only the Configuration Error values were indicated in
WPS-FAIL events. Since those values are defined in the specification
it is not feasible to extend them for indicating other errors. Add
a new error indication value that is internal to wpa_supplicant and
hostapd to allow other errors to be indicated.

Use the new mechanism to indicate if negotiation fails because of
WEP or TKIP-only configurations being disallows by WPS 2.0.
2011-01-13 17:50:59 +02:00
Jouni Malinen
0382097ef3 Use set_key addr to distinguish default and multicast keys
Previously, both NULL and ff:ff:ff:ff:ff:ff addr were used in various
places to indicate default/broadcast keys. Make this more consistent
and useful by defining NULL to mean default key (i.e., used both for
unicast and broadcast) and ff:ff:ff:ff:ff:ff to indicate broadcast
key (i.e., used only with broadcast).
2011-01-09 19:44:28 +02:00
Jouni Malinen
4d379f1243 Move hostap driver specific workaround into the driver wrapper 2011-01-09 12:50:57 +02:00
Jouni Malinen
dff99f8ec1 Do not use set_tx=1 when clearing keys with set_key 2011-01-09 12:18:36 +02:00
Jouni Malinen
260832214e Use key=NULL when clearing PTK with set_key
The key clearing operations are using NULL everywhere else, so make
this consistent with other callers.
2011-01-09 12:12:48 +02:00
Johannes Berg
0d7e5a3a29 Allow AP mode to disconnect STAs based on low ACK condition
The nl80211 driver can report low ACK condition (in fact it reports
complete loss right now only). Use that, along with a config option, to
disconnect stations when the data connection is not working properly,
e.g., due to the STA having went outside the range of the AP. This is
disabled by default and can be enabled with disassoc_low_ack=1 in
hostapd or wpa_supplicant configuration file.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2010-12-28 17:15:01 +02:00
Jouni Malinen
1df492df34 Do not send Deauth/Disassoc to unknown STA if SA is invalid
The frame needs to be sent from an individual (non-group) address,
so drop invalid frames before sending Deauth/Disassoc frames to
not associated STAs.
2010-12-04 17:40:36 -08:00
Jouni Malinen
7392f11e96 Convert most commonly used drv ops to real function calls
Getting rid of these inline functions seems to reduce the code size
quite a bit, so convert the most commonly used hostapd driver ops to
function calls.
2010-11-24 17:01:21 +02:00
Jouni Malinen
0e8a96a911 Get rid of struct hostapd_driver_ops abstraction
This is not needed anymore and just makes things more difficult
to understand, so move the remaining function pointers to direct
function calls and get rid of the struct hostapd_driver_ops.
2010-11-24 16:50:06 +02:00
Jouni Malinen
3acdf771b8 hostapd_driver_ops reduction
send_eapol, set_key, read_sta_data, sta_clear_stats,
set_radius_acl_auth, set_radius_acl_expire, and set_beacon
to use inline functions instead of extra abstraction.
2010-11-24 16:34:49 +02:00
Jouni Malinen
51e2a27a21 hostapd_driver_ops reduction
set_sta_vlan, get_inact_sec, sta_deauth, sta_disassoc, and sta_remove
to use inline functions instead of extra abstraction.
2010-11-24 15:36:02 +02:00
Jouni Malinen
b5b1b18f39 hostapd_driver_ops reduction: set_countermeasures 2010-11-24 15:26:44 +02:00
Jouni Malinen
cee7d66b1d hostapd: Start removing struct hostapd_driver_ops abstraction
Commit bf65bc638f started the path to
add this new abstraction for driver operations in AP mode to allow
wpa_supplicant to control AP mode operations. At that point, the
extra abstraction was needed, but it is not needed anymore since
hostapd and wpa_supplicant share the same struct wpa_driver_ops.

Start removing the unneeded abstraction by converting
send_mgmt_frame() to an inline function, hostapd_drv_send_mlme().
This is similar to the design that is used in wpa_supplicant and
that was used in hostapd in the past (hostapd_send_mgmt_frame()
inline function).
2010-11-24 15:19:50 +02:00
Jouni Malinen
08704cd885 hostapd: Verify availability of random data when using WPA/WPA2
On Linux, verify that the kernel entropy pool is capable of providing
strong random data before allowing WPA/WPA2 connection to be
established. If 20 bytes of data cannot be read from /dev/random,
force first two 4-way handshakes to fail while collecting entropy
into the internal pool in hostapd. After that, give up on /dev/random
and allow the AP to function based on the combination of /dev/urandom
and whatever data has been collected into the internal entropy pool.
2010-11-24 13:08:03 +02:00
Masashi Honma
dbb6ed7e75 Fix memory leak on EAPOL Authenticator error path
wlan0: RADIUS No authentication server configured
MEMLEAK[0x999feb8]: len 1040
WPA_TRACE: memleak - START
[3]: ./hostapd(radius_msg_new+0x33) [0x8074f43]
     radius_msg_new() ../src/radius/radius.c:117
[4]: ./hostapd() [0x806095e]
     ieee802_1x_encapsulate_radius() ../src/ap/ieee802_1x.c:439
     ieee802_1x_aaa_send() ../src/ap/ieee802_1x.c:1496

For example, this error occured when I used WPS hostapd without
"eap_server=1" definition in configuration file.
2010-11-24 01:42:50 +02:00
Jouni Malinen
bbb921daaa Maintain internal entropy pool for augmenting random number generation
By default, make hostapd and wpa_supplicant maintain an internal
entropy pool that is fed with following information:

hostapd:
- Probe Request frames (timing, RSSI)
- Association events (timing)
- SNonce from Supplicants

wpa_supplicant:
- Scan results (timing, signal/noise)
- Association events (timing)

The internal pool is used to augment the random numbers generated
with the OS mechanism (os_get_random()). While the internal
implementation is not expected to be very strong due to limited
amount of generic (non-platform specific) information to feed the
pool, this may strengthen key derivation on some devices that are
not configured to provide strong random numbers through
os_get_random() (e.g., /dev/urandom on Linux/BSD).

This new mechanism is not supposed to replace proper OS provided
random number generation mechanism. The OS mechanism needs to be
initialized properly (e.g., hw random number generator,
maintaining entropy pool over reboots, etc.) for any of the
security assumptions to hold.

If the os_get_random() is known to provide strong ramdom data (e.g., on
Linux/BSD, the board in question is known to have reliable source of
random data from /dev/urandom), the internal hostapd random pool can be
disabled. This will save some in binary size and CPU use. However, this
should only be considered for builds that are known to be used on
devices that meet the requirements described above. The internal pool
is disabled by adding CONFIG_NO_RANDOM_POOL=y to the .config file.
2010-11-24 01:29:40 +02:00
Jouni Malinen
3642c4313a Annotate places depending on strong random numbers
This commit adds a new wrapper, random_get_bytes(), that is currently
defined to use os_get_random() as is. The places using
random_get_bytes() depend on the returned value being strong random
number, i.e., something that is infeasible for external device to
figure out. These values are used either directly as a key or as
nonces/challenges that are used as input for key derivation or
authentication.

The remaining direct uses of os_get_random() do not need as strong
random numbers to function correctly.
2010-11-24 01:05:20 +02:00
Jouni Malinen
1bdb7ab3af Re-initialize GMK and Key Counter on first station connection
This adds more time for the system entropy pool to be filled before
requesting random data for generating the WPA/WPA2 encryption keys.
This can be helpful especially on embedded devices that do not have
hardware random number generator and may lack good sources of
randomness especially early in the bootup sequence when hostapd is
likely to be started.

GMK and Key Counter are still initialized once in the beginning to
match the RSN Authenticator state machine behavior and to make sure
that the driver does not transmit broadcast frames unencrypted.
However, both GMK (and GTK derived from it) and Key Counter will be
re-initialized when the first station connects and is about to
enter 4-way handshake.
2010-11-24 00:52:46 +02:00
Jouni Malinen
3c7302c219 Report errors from key derivation/configuration
Eventually, these should be acted on, so at least get the return
values passed one layer up.
2010-11-23 01:05:26 +02:00
Jouni Malinen
5cb9d5c3d1 Mix in more data to GTK/IGTK derivation
The example GMK-to-GTK derivation described in the IEEE 802.11 standard
is marked informative and there is no protocol reason for following it
since this derivation is done only on the AP/Authenticator and does not
need to match with the Supplicant. Mix in more data into the derivation
process to get more separation from GMK.
2010-11-23 00:57:14 +02:00
Jouni Malinen
f3b87561d7 Share WPA IE parser function for RSN authenticator/supplicant
There is no point in maintaining two almost identical versions
of this parser. Move WPA IE parser into wpa_common.c similarly
to what was already the case with RSN IE parse.
2010-11-12 21:52:14 +02:00
Jouni Malinen
8ea3dd21d2 AP: Verify that HT40 secondary channel is supported
Refuse to enable HT40 mode AP unless both the primary and secondary
channels are enabled for AP use.
2010-11-12 18:31:56 +02:00
Jouni Malinen
fd806bac5f WPS: Change concurrent radio AP to use only one WPS UPnP instance
WPS external Registrars can get confused about multiple UPnP
instances (one per radio) on a dual-concurrent APs. Simplify the
design by sharing a single UPnP state machine for all wireless
interfaces controlled by hostapd. This matches with the previous
changes that made a single command enable WPS functionality on
all interfaces.

This is relatively minimal change to address the sharing of the
state among multiple struct hostapd_data instances. More cleanup
can be done separately to remove unnecessary copies of information.
2010-11-11 14:50:13 +02:00
Felix Fietkau
c2aa25fb34 hostapd: Fix config reload for multi-BSS
Secondary BSS interfaces need to be activated after the config has
been reloaded.
2010-11-09 16:35:49 +02:00
Felix Fietkau
d3b4286967 Allow client isolation to be configured (ap_isolate=1)
Client isolation can be used to prevent low-level bridging of frames
between associated stations in the BSS. By default, this bridging is
allowed.
2010-11-09 16:27:15 +02:00
Felix Fietkau
5a5009dc92 Fix rate table handling
With the nl80211 driver, the rate table is mode dependent, so it
must be initialized after the hardware mode has been selected.
2010-11-09 16:17:50 +02:00
Felix Fietkau
d38ae2ea85 Add bridge handling for WDS STA interfaces
By default, add them to the configured bridge of the AP interface
(if present), but allow the user to specify a separate bridge.
2010-11-09 16:12:42 +02:00
Felix Fietkau
7826ceae91 Fix WDS STA reassociation
If the STA entry is present in hostapd, but not in the kernel driver, its
WDS status needs to be restored when the STA reassociates
2010-11-09 16:00:09 +02:00
Jouni Malinen
6fc58a89e1 Fix EAP standalone server
Commit c3fc47ea8e fixed EAP passthrough
server to allow Logoff/Re-authentication to be used. However, it
broke EAP standalone server while doing that. Fix this by reverting
the earlier fix and by clearing the EAP Identity information in the
EAP server code whenever an EAPOL-Start or EAPOL-Logoff packet is
received.
2010-11-07 16:25:35 +02:00
Jouni Malinen
7e3c178142 Remove unused TX queue parameters related to Beacon frames
These are not used by any driver wrapper, i.e., only the four
data queues (BK, BE, VI, VO) are configurable. Better remove these
so that there is no confusion about being able to configure
something additional.
2010-11-05 01:23:17 +02:00
Jouni Malinen
8dcb61ce5d WPS: Comment out WEP configuration lines on reconfig 2010-11-04 17:02:16 +02:00
Jouni Malinen
c926593119 Allow EAPOL frames from pre-authenticating station to be processed 2010-10-27 11:34:29 +03:00
Jouni Malinen
e11f5a2cbc hostapd: Set operstate UP when initializing AP mode
This is needed to avoid problems with other applications setting and
leaving the interface to IF_OPER_DORMANT state. In AP mode, the interface
is ready immediately after the keys are set, so we better make sure the
DORMANT state does not prevent normal operations after that.
2010-10-26 16:30:28 +03:00
Jouni Malinen
3e7533b399 WPS ER: Show SetSelectedRegistrar events as ctrl_iface events
This makes it easier to figure out if something goes wrong in
preparing the AP for enrolling a station.
2010-10-25 21:29:22 +03:00
Jouni Malinen
1f4c7b6b2a hostapd: Fix compiler warning
Commit 83e843e830 copied a workaround
without updating the return value to match with the void function.
2010-10-25 13:38:06 +03:00
Jouni Malinen
83e843e830 hostapd: Avoid crashing on station mode disassoc event
Some driver wrappers may end up indicating a disassociation or
deauthentication event without the address of the station, e.g.,
based on a previous non-AP mode event. Avoid crashing hostapd
by verifying that the require address parameter is available in
the event before processing it.
2010-10-22 17:43:23 +03:00
Jouni Malinen
450eddcfae hostapd: Add wps_config ctrl_interface command for configuring AP
This command can be used to configure the AP using the internal
WPS registrar. It works in the same way as new AP settings received
from an ER.
2010-10-21 16:49:41 +03:00
Jouni Malinen
cbbf4a1cc3 WPS: Fix a compiler warning in hostapd_wps_update_ie() 2010-10-20 13:35:55 +03:00
Jouni Malinen
2c8a4eef41 WPS: Update Beacon/ProbeResp IE on wps_version_number changes
This test command is supposed to change the WPS version number in all
places immediately, so make sure that the IEs used in management
frames get updated immediately.
2010-10-19 19:57:01 +03:00
Jouni Malinen
3f4ce13fde P2P: Track non-P2P members in the group and set Group Limit bit
The P2P group component is now tracking of associated stations
in the group and the Group Limit bit in the Group Capabilities
is updated based on whether there is room for new clients in
the group.
2010-10-19 18:10:28 +03:00
Anil Gathala Sudha
a0dee79709 P2P: Send AP mode WPS-FAIL event to parent interface
The AP operation with wpa_supplicant requires an additional callback
to get the needed event information from hostapd side so that
wpa_msg() can be called for wpa_s->parent if needed.
2010-10-14 20:57:00 +03:00
Jouni Malinen
fc215bfe86 WPS: Add WPS-FAIL ctrl_interface event for hostapd 2010-10-14 20:50:46 +03:00
Jouni Malinen
4e698e5c30 WPS: Fix WPS commands in wpa_supplicant AP mode
Commit 9290cc1800 broke this by moving
to use for_each_interface() which is not available in wpa_supplicant
AP mode.
2010-10-10 17:43:42 +03:00
Jouni Malinen
dce044cce5 P2P: Extend P2P manager functionality to work with driver MLME
Add P2P IE into Beacon, Probe Response, and (Re)Association Request
frames for drivers that generate this frames internally.
2010-10-08 18:16:07 +03:00
Jouni Malinen
2f7d9f2dd9 Apply WPS configuration changes to all interfaces that use WPS
When a single hostapd process is controlling multiple interfaces,
apply the received or auto-generated configuration changes to all
interfaces that have enabled WPS.
2010-10-08 17:32:10 +03:00
Jouni Malinen
e55f98f4b8 Disable AP PIN on all interfaces controlled by the same process
When a single hostapd process is used to manage multiple interfaces,
disable AP PIN on all interfaces if an attack is detected on any
interface.
2010-10-08 17:24:58 +03:00
Jouni Malinen
9290cc1800 Apply hostapd WPS commands to all interfaces on concurrent APs
When the same hostapd process is controlling multiple interfaces,
apply WPS commands (push button, add PIN, change AP PIN) to all
interfaces that are configured to use WPS.
2010-10-08 17:15:16 +03:00
Jouni Malinen
0314e26a61 Fix wpa_supplicant AP mode with WPS not to crash
Commit 3379a3a795 added a direct
iface->for_each_interface use without verification whether the
function is available. This works with hostapd, but not
wpa_supplicant (which crashes on segfault).
2010-10-06 16:46:43 +03:00
Jouni Malinen
416192628d Fix AP mode 40 MHz pri/sec channel parsing in overlap determination
The previous implementation ended up incorrectly assuming that all
40 MHz use cases have secondary channel above the primary one. Fix this
by properly masking the secondary channel offset field and checking its
value.
2010-10-06 14:09:44 +03:00
Jouni Malinen
fa37511fa7 WPS: Fix hostapd reconfig to update WPS UPnP string pointers
This is needed to update the pointers maintained within WPS code
to use the new configuration data instead of maintaining pointers
to the old configuration which will be freed. This fixes strings in
UPnP discovery after reconfig (they used to be random freed memory..).
2010-09-22 19:34:32 -07:00
Jouni Malinen
70153d385c hostapd: Add virt/phy flag for Display/PushButton if needed (WPS 2.0)
This seems to be the easiest way of making sure the Config Methods
value is compliant with the WSC 2.0 specification without having
to modify the configuration file. However, this will only add the
virtual flag, so the configuration files should really be updated
to specify values that match the AP design.
2010-09-22 17:45:43 -07:00
Jouni Malinen
0e2e565a44 WPS 2.0: Provide (Re)Association Response WPS IE to driver
WPS 2.0 mandates the AP to include WPS IE in (Re)Association Response
if the matching (Re)Association Request included WPS IE. Provide the
needed WPS IE information to the driver_ops API for drivers that
process association frames internally.

Note: This modifies the driver_ops API by adding a new argument to
set_ap_wps_ie().
2010-09-22 10:46:44 -07:00
Jouni Malinen
baf7081ccd WPS: Add MAC address to validation error message for Probe Request
This makes it easier to figure out which device is sending invalid
Probe Request frames.
2010-09-22 10:07:20 -07:00
Jouni Malinen
3379a3a795 WPS: Fix Beacon WPS IE on concurrent dualband AP in PBC mode
The Beacon frame must include UUID-E and RF Bands attributes when
in active PBC mode to allow stations to figure out that two BSSes in
PBC mode is not a PBC session overlap.
2010-09-20 15:32:29 -07:00
Jouni Malinen
e0369e3664 WPS: Use same UUID in multi-interface case
When generating the UUID based on MAC address, share the same UUID
with all interfaces. This fixes a potential issue with concurrent
dualband APs where the UUID needs to be same for PBC to work properly.
2010-09-20 14:28:43 -07:00
Dan Harkins
df684d82ff EAP-pwd: Add support for EAP-pwd server and peer functionality
This adds an initial EAP-pwd (RFC 5931) implementation. For now,
this requires OpenSSL.
2010-09-14 21:51:40 -10:00
Jouni Malinen
812bf56ab1 Fix build without CONFIG_P2P=y 2010-09-09 07:20:28 -07:00
Jouni Malinen
5548ddc217 P2P: Allow P2P IE without Device Info in (Re)Assoc Req
This can happen, e.g., when a P2P client connects to a P2P group
using the infrastructure WLAN interface instead of P2P group
interface. In that case, the P2P client may behave as if the GO
would be a P2P Manager WLAN AP.
2010-09-09 07:17:21 -07:00
Jouni Malinen
6c6915f3db P2P: Add defined values for P2P Manageability Bitmap 2010-09-09 07:17:20 -07:00
Jouni Malinen
aefb53bd5d P2P: Disable periodic NoA when non-P2P STA is connected
For now, this applies to the test command that can be used to set
periodic NoA (p2p_set noa). The value are stored and periodic NoA
is enabled whenever there are no non-P2P STAs connected to the GO.
2010-09-09 07:17:20 -07:00
Jouni Malinen
962473c136 P2P: Add preliminary P2P Manager AP support for hostapd 2010-09-09 07:17:18 -07:00
Jouni Malinen
ef7963917c P2P: Add group notification from (re)association request 2010-09-09 07:17:18 -07:00
Jouni Malinen
f684e608af P2P: Use PSK format in WPS Credential 2010-09-09 07:17:17 -07:00
Jouni Malinen
8ccbe415ba P2P: Add group notifications 2010-09-09 07:17:17 -07:00
Jouni Malinen
e44f8bf20a P2P: Add P2P configuration and callbacks in hostapd code 2010-09-09 07:17:17 -07:00
Jouni Malinen
b22128efdc P2P: Add initial version of P2P Module 2010-09-09 07:17:17 -07:00
Jouni Malinen
c2af2afb3b P2P: Preparations for adding P2P IE into Beacon/Probe Response frames 2010-09-09 07:17:17 -07:00
Jouni Malinen
b305c684b8 P2P: Save a copy of P2P IE(s) data from (Re)Association Request 2010-09-09 07:17:17 -07:00
Jouni Malinen
62281bc690 P2P: Do no process Probe Request with P2P wildcard SSID in WPS
The Probe Request frames used in P2P Device Discovery should not be
processed by the WPS implementation.
2010-09-09 07:17:16 -07:00
Jouni Malinen
54f489be45 WPS 2.0: Validate WPS attributes in management frames and WSC messages
If CONFIG_WPS_STRICT is set, validate WPS IE(s) in management frames and
reject the frames if any of the mandatory attributes is missing or if an
included attribute uses an invalid value. In addition, verify that all
mandatory attributes are included and have valid values in the WSC
messages.
2010-09-09 06:07:48 -07:00
Jouni Malinen
dcc4d8be75 WPS 2.0: Disable WPS workarounds if CONFIG_WPS_STRICT is defined 2010-09-09 06:07:47 -07:00
Jouni Malinen
31fcea931d WPS 2.0: Add support for AuthorizedMACs attribute
Advertize list of authorized enrollee MAC addresses in Beacon and
Probe Response frames and use these when selecting the AP. In order
to provide the list, the enrollee MAC address should be specified
whenever adding a new PIN. In addition, add UUID-R into
SetSelectedRegistrar action to make it potentially easier for an AP
to figure out which ER sent the action should there be multiple ERs
using the same IP address.
2010-09-09 06:07:47 -07:00
Jouni Malinen
a0fad21014 Indicate Barker Preamble Mode in ERP IE also based on local configuration
While this is not strictly speaking required based on dynamic
configuration (i.e., dot11ShortPreambleOptionImplemented is static
value based on implementation, not runtime configuration), it is better
to follow local configuration parameter for short preamble in addition
to the associated station capabilities.
2010-09-05 13:11:42 +03:00
Jouni Malinen
8421e95c71 Fix segfault in hostapd_eid_ht_capabilities() with some drivers
This function is not really needed in case of drivers that build the
HT IEs internally. However, since this can get called if ieee80211n=1
is set in hostapd.conf, we better not segfault even if the driver
does not provide hw info (hapd->iface->current_mode == NULL).
2010-09-05 12:47:16 +03:00
Jouni Malinen
0caf077bc1 WPS: Fix hostapd build without CONFIG_WPS_UPNP
Commit 5a1cc30f1a added code that was
assuming CONFIG_WPS_UPNP is enabled whenever CONFIG_WPS is. Fix this
by making the UPnP calls conditional on CONFIG_WPS_UPNP define.
2010-09-05 12:34:04 +03:00
Helmut Schaa
36af1c7d31 hostapd: enable STBC only for STBC capable STAs
hostapd simply used its own STBC configuration in the STA's HT caps. This
resulted in TX STBC being used for STAs not supporting RX STBC, which in
turn resulted in the STA not receiving anything.

Fix this by handling the STBC flags in the same way mac80211 does. Mask
out RX STBC if we don't support TX STBC and vice versa.

Tested only with the nl80211 driver and a STBC incapable STA.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
2010-08-28 12:25:44 +03:00
Jouni Malinen
31fa4c6d98 Remove unused ieee802_11_send_deauth() 2010-08-25 21:18:54 +03:00
Jouni Malinen
5a1cc30f1a WPS: Add support for dynamic AP PIN management
A new hostapd_cli command, wps_ap_pin, can now be used to manage
AP PIN at runtime. This can be used to generate a random AP PIN and
to only enable the AP PIN for short period (e.g., based on user
action on the AP device). Use of random AP PIN that is only enabled
for short duration is highly recommended to avoid security issues
with a static AP PIN.
2010-08-24 16:35:37 +03:00
Jouni Malinen
944814106e WPS: Do not disable AP PIN permanently, only slow down attacks
As a compromise between usability and security, do not disable
AP PIN permanently based on failed PIN validations. Instead, go to
AP Setup Locked state for increasing amount of time between each
failure to slow down brute force attacks against the AP PIN.

This avoids problems with some external Registrars that may try
to use the same PIN multiple times without user input. Now, the
user will still be able to fix the PIN and try again later while
a real attack is delayed enough to make it impractical.
2010-08-24 15:24:05 +03:00
Jouni Malinen
43dd46b3bc Fix memory leak in AP WEP key configuration 2010-08-17 21:04:07 +03:00
Jouni Malinen
6195adda9b WPS: Allow AP to start in Enrollee mode without AP PIN for probing
In theory, this should not really be needed, but Windows 7 uses
Registrar mode to probe AP's WPS capabilities before trying to use
Enrollee and fails if the AP does not allow that probing to happen.
This allows the AP to start as an Enrollee and send M1, but refuse
to continue beyond that (M3 will not be sent if AP PIN is not known).
2010-07-26 18:12:08 -07:00
Jouni Malinen
67ccef7e6c FT: Send RRB data directly when managed by same hostapd process
This makes it easier (and a bit faster) to handle multiple local
radios with FT. There is no need to depend on l2_packet in that
case since the frame can be delivered as a direct function call.
2010-07-25 20:30:12 -07:00
Jouni Malinen
7f6ec672ea EAP server: Add support for configuring fragment size 2010-07-20 22:56:10 -07:00
Jouni Malinen
4e22adb4d1 WPS: Move from WLAN_STA_MAYBE_WPS to WLAN_STA_WPS based on EAP messages
If the station does not include WSC IE in Association Request, it
is marked with WLAN_STA_MAYBE_WPS flag. We can update that to
WLAN_STA_WPS if the station uses either of the WPS identity strings.
This enables some workarounds for WPS stations.
2010-07-18 16:10:08 -07:00
Jouni Malinen
3239706303 WPS: Force disconnection after provisioning step
This works around some problems where the station is unable to disconnect
for some reason (e.g., if EAP-Failure gets dropped).
2010-07-18 16:08:52 -07:00
Jouni Malinen
e9501a07c6 FT: Fix RRB messages to use correct endianness
The pairwise cipher field is supposed to be little endian, but the
message building functions did not swap the bytes on big endian
hosts while the message processing functions did. Fix this by using
little endian byte order in both places.
2010-07-17 17:48:32 -07:00
Jouni Malinen
2d8bf73298 Add new debug message level for excessive information
Some frequent debug prints are of limited use and make debug output
difficult to read. Make them use a new debug level so that -dd
provides more readable output (-ddd can now be used to enable
the excessive debug prints).
2010-07-05 12:21:48 -07:00
Jouni Malinen
9776475fb9 WPS: Do not proxy Probe Request frames to foreign SSIDs to Registrars
We must only indicate stations that are either probing the wildcard SSID
or our own SSID.
2010-06-10 22:36:34 -07:00
Jouni Malinen
84b2f9909f Fix driver operation order in configuration reloading
Some of the driver wrappers need to get set_ieee8021x() call before
they can configure keys. Reorder the operations in the reloading
of configuration case to match with that expectation.
2010-05-29 22:27:27 +03:00
Jouni Malinen
ed7a09f914 Add WPS IE into (Re)Association Response frame if WPS is used
If the associating station indicates that it is intents to use WPS
by including WPS IE in (Re)Association Request frame, include WPS IE
in (Re)Association Response frame.
2010-05-26 18:46:08 +03:00
Jouni Malinen
16e46ec043 Reassemble WPS IE(s) in (Re)Association Request if needed
Use a function that will take care of possible (though, very unlikely)
fragmentation of WPS TLVs in (Re)Association Request frames.
2010-05-26 18:17:13 +03:00
Andriy Tkachuk
6deb41e73f Update WPS IE on hostapd reconfiguration
This is needed to handle cases where WPS state may have changed and
hostapd is reloading its configuration.
2010-05-02 11:21:19 +03:00
Jouni Malinen
1bc774a12a hostapd: Reorder some IEs to get closer to IEEE 802.11 standard
Vendor-specific IEs are supposed to be in the end of the frame, so move
WMM into the end of Beacon, Probe Response, and (Re)Association Response
frames. In addition, move HT IEs to be later in (Re)Association
Response to match the correct order.

hostapd_eid_wpa() adds multiple IEs and the end result may not always be
correct. If WPA is enabled, WPA IE (vendor-specific) gets added in the
middle of the frame and not in the end. This would require a larger
change to spliut the IEs from WPA module into separate locations when
constructing Beacon and Probe Response frames. This is not yet addressed.
2010-05-02 10:53:01 +03:00
Jouni Malinen
439d4bf960 Fix EAPOL_SM_USES_WPA flag to be set correctly
Commit c02d52b405 removed direct calls
to the WPA authenticator, but the change here was incorrect.
EAPOL_SM_USES_WPA was supposed to be set based on sta->wpa_sm being
set, i.e., no need to check for PMKSA entries for that.

While this could potentially change EAPOL Key TX state machine behavior,
no clear problems have been identified so far. Anyway, better fix this
to get the correct flags set for EAPOL authenticator state machine.
2010-05-01 17:12:59 +03:00
Jouni Malinen
3ab72b626b Fix WPA state machine initialization on WPA_REAUTH if needed
When using WPS, we may end up here if the STA manages to re-associate
without the previous STA entry getting removed. Consequently, we need to
make sure that the WPA state machines gets initialized properly at this
point.
2010-04-23 16:49:50 +03:00
Jouni Malinen
2de5a860a3 Fix build without CONFIG_FULL_DYNAMIC_VLAN 2010-04-17 21:01:35 +03:00
Jouni Malinen
7992b07f6a Remove unnecessary SUBDIRS loops from src/*/Makefile
There are no subdirectories in any of these directories or plans
for adding ones. As such, there is no point in running the loop
that does not do anything and can cause problems with some shells.
2010-04-17 17:10:31 +03:00
Jouni Malinen
e34ce1683c VLAN: Reorder init to get same behavior for all VLAN interfaces
Both the wildcard VLAN entry and the statically configured VLAN
interfaces should behave in the same way. Initializing the
full dynamic VLAN code before adding the statically configured VLAN
interfaces allows the same processing to be applied to both statically
and dynamically added VLAN interface (i.e., also the statically
configured ones will be added to a bridge).
2010-04-17 09:48:27 +03:00
Jouni Malinen
0249c988bb VLAN: Set statically configured VLAN interfaces up
This is needed to be able to bind stations to them with mac80211.
2010-04-17 09:45:18 +03:00
Jouni Malinen
b9c3e576cb VLAN: Fix bridge interface clean up for no tagged_interface case 2010-04-16 01:13:46 +03:00
M. Braun
20e2cb0ae0 VLAN: Decrease bridge forwarding delay to avoid EAPOL timeouts 2010-04-16 00:48:32 +03:00
M. Braun
37ba0928d5 VLAN: Set dynamic VLAN up to fix STA bind and key setup 2010-04-15 23:54:41 +03:00
Jouni Malinen
4254100d6c Stop processing if STA VLAN bind fails 2010-04-15 23:44:10 +03:00
Jouni Malinen
91faf6b948 VLAN: Clean up debug code and error messages 2010-04-15 20:35:51 +03:00
Jouni Malinen
c47cf42e4b WPS: Fix association when both WPS and WPA/RSN IE are included
The WPS IE was overriding the WPA/RSN IE in driver based MLME case
(hostapd_notif_assoc), but the MLME code here was not using WPS IE
correctly, i.e., it allowed the WPA/RSN IE override the operation.
2010-04-15 12:55:34 +03:00
Jouni Malinen
843123590a Fix hostapd build without WPS 2010-04-12 15:15:17 +03:00
Jouni Malinen
c706d5aa17 Add wpa_supplicant AP mode events for Public Action frames 2010-04-11 20:33:33 +03:00
Jouni Malinen
195420b8d1 Add WPS Registrar success callback 2010-04-11 20:21:08 +03:00
Jouni Malinen
b3db190fa2 Started to make set_ap_wps_ie() capable of adding multiple IEs
This mechanism can be used to add various IEs to Beacon and Probe
Response frames and it should be made clear that it is not reserved
only for WPS IE.
2010-04-11 20:16:43 +03:00
Jouni Malinen
f3585c8a85 Simplify driver_ops for virtual interface add/remove
There is no absolute requirement for separating address allocation
into separate functions, so simplify the driver wrapper interface
to use just if_add and if_remove instead of adding the new
alloc_interface_addr() and release_interface_addr() functions.

if_add() can now indicate if the driver forced a different interface
name or address on the virtual interface.
2010-04-11 19:23:09 +03:00
Yogesh Ashok Powar
721abef9b3 Allow advertising of U-APSD functionality in Beacon
hostapd does not implement UAPSD functionality. However, if U-APSD
functionality is implemented outside hostapd, add support to advertise
the functionality in beacon.

Signed-off-by: yogeshp@marvell.com
2010-04-11 11:32:15 +03:00
Jouni Malinen
0f857f43df FT: Validate MDIE and FTIE in FT 4-way handshake message 2/4 2010-04-10 22:40:35 +03:00
Jouni Malinen
86dfabb809 FT: Add FTIE, TIE[ReassocDeadline], TIE[KeyLifetime] to EAPOL-Key 3/4
These are mandatory IEs to be included in the FT 4-Way Handshake
Message 3.
2010-04-10 21:42:54 +03:00
Jouni Malinen
1566ec4685 Parse EAPOL-Key msg 2/4 Key Data IEs/KDEs before checking RSN/WPA IE
This is needed to avoid incorrect validation errors on RSN/WPA IE
when using FT since there may be more than a single IE in the
Key Data field.
2010-04-10 16:46:17 +03:00
Jouni Malinen
0ae145cde8 FT: Validate FTIE fields in Reassociation Request
ANonce, SNonce, R0KH-ID, and R1KH-ID must match with the values
used in the previous FT authentication sequence message per
IEEE Std 802.11r-2008, 11A.8.4.
2010-04-09 17:14:27 +03:00
Jouni Malinen
8aaf894de2 FT: Validate protect IE count in FTIE MIC Control 2010-04-09 17:08:16 +03:00
Jouni Malinen
6e80516ab9 FT: Fix Reassociation Response in FT Protocol to include ANonce/SNonce
These values are required to be included in the frame per
IEEE Std 802.11r-2008, 11A.8.5.
2010-04-09 13:36:06 +03:00
Jouni Malinen
1f6e69e07b FT: Do not add MIC to FTIE during initial MD association
We do not have any keys set at this point so there is no point in
adding the MIC. In addition, IEEE Std 802.11r-2008, 11A.4.2
describes this frame to have MIC IE count of 0 and MIC of 0.
2010-04-09 13:30:49 +03:00
Jouni Malinen
39eb4d0877 FT: Fix GTK subelement format in FTIE
The Key Info field was changed from 1-octet field to 2-octet field
in 802.11r/D7.0, but that had not been updated in the implementation.
2010-04-07 23:57:39 +03:00
Jouni Malinen
26e23750b9 FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3
IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain
association in an RSN to include PMKR1Name in the PMKID-List field
in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be
bitwise identical with the values used in Beacon, Probe Response,
(Re)association Request frames.

The previous versions of wpa_supplicant and hostapd did not add the
PMKR1Name value in EAPOL-Key frame and did not accept it if added
(due to bitwise comparison of RSN IEs). This commit fixes the
implementation to be compliant with the standard by adding the
PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and
by verifying that the received value matches with the value derived
locally.

This breaks interoperability with previous wpa_supplicant/hostapd
versions.
2010-04-07 21:04:13 +03:00
Jouni Malinen
738a1cb286 FT: Do not include RSN IE in (Re)Assoc Resp during initial MD association
RSN IE is only supposed to be included in Reassociation Response frames
and only when they are part of a fast BSS transition.
2010-04-07 17:27:46 +03:00
Gregory Detal
bb437f282b AP: Add wpa_msg() events for EAP server state machine 2010-04-07 11:13:14 +03:00
Jouni Malinen
68532a9ceb Avoid hostapd segfault on invalid driver association event
Running hostapd and wpa_supplicant on the same interface at the same
time is not expected to work, but it should not cause hostapd to crash.
Ignore station mode association events (no addr field) to avoid this.
2010-04-07 10:01:49 +03:00
Andriy Tkachuk
99f4ae67b7 Fix WPA/RSN IE update on reconfig with set_generic_elem()
IF WPA/RSN parameters were changed or WPA/RSN was disabled, the
WPA/RSN IE in Beacon/Probe Response frames was only update with
set_beacon(). We need to do this with set_generic_elem(), too, to
work with all driver wrappers.
2010-04-06 20:44:26 +03:00
Jouni Malinen
643743e215 WPS: Fix WPS IE update in Beacon frames for nl80211
Call ieee802_11_set_beacon() in addition to set_ap_wps_ie() when
processing WPS IE updates. This is needed with drivers that use
set_beacon() instead of set_ap_wps_ie() (i.e., nl80211).
2010-04-06 18:04:30 +03:00
Jouni Malinen
81a658d754 FT: Re-set PTK on reassociation
It turns out that this is needed for both FT-over-DS and FT-over-air
when using mac80211, so it looks easiest to just unconditionally
re-configure the keys after reassociation when FT is used.
2010-04-04 09:34:14 +03:00
Jouni Malinen
2220821113 FT: Use bridge interface (if set) for RRB connection
This fixes receiving of RRB messages between FT APs
2010-04-04 09:31:13 +03:00
Jouni Malinen
21c9b6903e FT: Set WLAN_AUTH_FT auth_alg on FT-over-DS case
This is needed to allow reassociation processing to skip 4-way handshake
when FT-over-DS is used with an AP that has a previous association state
with the STA.
2010-04-04 09:17:57 +03:00
Jouni Malinen
d8ad6cb966 FT: Force key configuration after association in FT-over-DS
This seems to be needed at least with mac80211 when a STA is using
FT-over-DS to reassociate back to the AP when the AP still has the
previous association state.
2010-04-04 09:16:11 +03:00
Jouni Malinen
9a3cb18d74 Add AP-STA-DISCONNECT event for driver-based MLME 2010-04-04 08:14:22 +03:00
Jouni Malinen
c41a1095b5 Allow hostapd_notif_assoc() to be called with all IEs
This makes the call simpler for driver wrappers since there is no need
to parse the IEs anymore before indicating association. In addition,
this allows association processing to be extended to use other IEs
in the future.
2010-04-04 08:14:18 +03:00
Jouni Malinen
0823031750 Fix Windows compilation issues with AP mode code 2010-04-04 08:14:14 +03:00
Jouni Malinen
7b1080dadd MFP: Fix IGTK PN in group rekeying
IGTK get_seqnum needs to be skipped in the same way as GTK one when
rekeying group keys. Previously, the old PN value (the one from the
previous key) was indicated and that resulted in MMIE replay detection
at the station.
2010-03-29 22:57:10 -07:00
Jouni Malinen
358c3691cf MFP: Add SA Query Request processing in AP mode 2010-03-29 14:05:25 -07:00
Jouni Malinen
a042f8447d Fix ctrl_iface get-STA-MIB for WPS disabled case
The previous version would crash here on NULL pointer dereference if
WPS was disabled.
2010-03-29 09:59:16 -07:00
Jouni Malinen
03bcb0af0d Fix wpa_auth_iface_iter() to skip BSSes without Authenticator
This could cause NULL pointer deference if multi-BSS configuration
was used with OKC in some cases.
2010-03-26 23:26:24 -07:00
Jouni Malinen
ef580012d1 FT: Fix Authorized flag setting for FT protocol
4-way handshake or EAPOL is not used in this case, so we must
force Authorized flag to be set at the conclusion of successful
FT protocol run.
2010-03-13 21:43:00 +02:00
Jouni Malinen
0e84c25434 FT: Fix PTK configuration in authenticator
Must update sm->pairwise when fetching PMK-R1 SA.
Add a workaround for drivers that cannot set keys before association
(e.g., cfg80211/mac80211): retry PTK configuration after association.
2010-03-13 21:11:26 +02:00
Jouni Malinen
1b484d60e5 FT: Include pairwise cipher suite in PMK-R0 SA and PMK-R1 SA
This is needed to fix PTK derivation to use correct length. Previously,
64-octet PTK may have been derived if the authenticator did not already
have a STA entry. Now, the correct pairwise cipher suite is learned when
then PMK-R1 SA is received.
2010-03-07 22:18:33 +02:00
Jouni Malinen
0ebdf62735 Remove unnecessary ifname parameter from set_ap_wps_ie() driver op 2010-03-07 11:51:50 +02:00
Jouni Malinen
d3e3a20565 Remove unnecessary ifname parameter from set_ht_params() driver op 2010-03-07 11:49:27 +02:00
Jouni Malinen
3234cba40e Remove unnecessary ifname parameter to sta_set_flags() driver op 2010-03-07 11:45:41 +02:00
Jouni Malinen
62847751e4 Remove unnecessary ifname parameter from sta_add() driver op 2010-03-07 11:42:41 +02:00
Jouni Malinen
8709de1ae8 Remove unnecessary ifname parameter from hapd_get_ssid/hapd_set_ssid 2010-03-07 11:36:45 +02:00
Jouni Malinen
aa48451698 Remove unnecessary ifname parameter from set_generic_elem() driver op 2010-03-07 11:33:06 +02:00
Jouni Malinen
d5dd016a8a Remove unneeded ifname parameter from set_privacy() driver op 2010-03-07 11:29:17 +02:00
Jouni Malinen
70a8419f26 Avoid crash after driver init failure
hostapd_flush_old_stations() needs to check whether the driver
initialization was successful since it gets called on an error path.
2010-03-07 11:25:28 +02:00
Jouni Malinen
7ab68865c0 Remove unneeded iface parameter from if_add() driver op 2010-03-07 10:05:05 +02:00
Jouni Malinen
8b897f5a17 Remove unnecessary ifname parameter from set_beacon()
The new per-BSS driver context makes this unnecessary.
2010-03-06 22:36:40 +02:00
Felix Fietkau
53f3d6f3e6 hostapd: allow stations to move between different bss interfaces
With this patch, a client gets kicked out of the last BSS it was
attached to, when it is associating to a different one.
While mac80211 does allow a station to be present on multiple bss
interfaces, this does seem to cause problems both for the stack
and for hostapd.
2010-03-06 22:30:25 +02:00
Felix Fietkau
a2e40bb650 hostapd: Fix interface selection for the nl80211 driver
This patch allows the nl80211 driver to create its own per-bss context
and pass it to the drv_priv pointer of the hostapd bss state.
With this and the following patch, stations can associate to and switch
between multiple BSS interfaces of a single wiphy.
This obsoletes a few instances of passing ifname to a callback, those
can be removed in a separate patch.
It might also be useful to move more fields from the driver data to the
per-bss data structure in the future.
2010-03-06 22:22:56 +02:00
Felix Fietkau
39f42d1193 hostapd: fix bogus nl80211 interface remove messages for STA WDS 2010-03-06 20:52:22 +02:00
Felix Fietkau
4c32757d22 hostapd: add ifname to the sta_set_flags callback
This fixes multi-BSS STA operations (e.g., setting AUTHORIZED flag) with
nl80211-based drivers.
2010-03-06 20:44:31 +02:00
Jouni Malinen
6fa2ec2d2b Make EAPOL Authenticator buildable with Microsoft compiler 2010-02-19 18:35:40 +02:00
Christian Lamparter
43a7fe2e0e ap: Reorder authsrv_init() to fix IEEE 802.1X initialization
This patch moves the authentication server setup before
IEEE 802.1X initialization. It's because 802.1X already
needs to have a valid SSL context.

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
2010-01-17 12:14:17 +02:00
Jouni Malinen
6f9b5d1696 IBSS RSN: Check explicitly that WPA auth sm assoc call succeeded
Verify that association processing did not end up freeing the state
machine. This should not really happen in practice, but better verify
it anyway.
2010-01-10 21:45:44 +02:00
Jouni Malinen
e4a6ea1d9c Avoid a theoretical use-after-free in WPA auth sm init
wpa_sm_step() could theoretically free the statemachine, but it does
not do it in this particular case. Anyway, the code can be cleaned to
verify whether the state machine data is still available after the
wpa_sm_step() call.
2010-01-10 18:54:41 +02:00
Jouni Malinen
1ce77dcc66 Fix memory leak on RSN preauth init error path 2010-01-06 21:14:09 +02:00
Lennert Buytenhek
594cf8b9ef Fix WMM default parameters
wmm_ac_??_cw{min,max} parameters are in log form

When the wme_ac_??_cw{min,max} parameters aren't specified in
hostapd.conf, hostapd uses an incorrect set of default values, as the
defaults are in 2^x-1 form instead of in log form.  This patch changes
them over to the expected log form.
2010-01-06 20:48:29 +02:00
Jouni Malinen
70f8cc8ec8 Share the same enum for MFP configuration
The three existing enums were already depending on using the same
values in couple of places and it is just simpler to standardize on
one of these to avoid need for mapping between different enums for
the exact same thing.
2010-01-03 21:02:51 +02:00
Jouni Malinen
d1f9c410c1 Remove src/drivers/scan_helpers.c
Most of this file was already moved into wpa_supplicant/scan.c and
we can remove the file completely by having couple of small helper
functions copied to the remaining users outside core wpa_supplicant
code.
2010-01-03 20:27:32 +02:00
Jouni Malinen
1d041bec84 Use generic driver event notification for AP mode assoc/disassoc 2010-01-03 18:22:22 +02:00
Jouni Malinen
a8e0505bf0 Use driver event, EVENT_EAPOL_RX, for EAPOL frame indication 2010-01-03 17:44:40 +02:00
Jouni Malinen
a70a5d6d06 Replace hostapd_notif_new_sta() with new driver event, EVENT_NEW_STA 2010-01-03 16:46:18 +02:00
Jouni Malinen
9646a8ab8b Remove unnecessary wpa_event_type typedef 2010-01-03 13:10:12 +02:00
Jouni Malinen
2a8b74163e Move struct hostapd_frame_info definition away from driver API
This is internal data structure for hostapd/AP functionality and does
not need to be defined in driver.h.
2010-01-03 12:37:02 +02:00
Jouni Malinen
0d9fc3d8bd Remove struct ieee80211_hdr dependency from EVENT_RX_FROM_UNKNOWN
It is simpler to just pass in u8* to the beginning of the header.
2010-01-03 12:17:20 +02:00
Jouni Malinen
a0e0d3bb15 Replace hostapd_probe_req_rx() with EVENT_RX_PROBE_REQ driver event 2010-01-03 12:11:44 +02:00
Jouni Malinen
c2f5126941 WPS: Add Enrollee-seen event message and wpa_gui-qt4 Peers entry
This can be used to show active Enrollees in AP mode to make it
easier to provision a new device.
2009-12-28 16:24:04 +02:00
Jouni Malinen
cd7d80f373 Allow Probe Request callbacks to terminate iteration 2009-12-28 13:14:58 +02:00
Jouni Malinen
1c08f8c0f0 Allocate Probe Response and Beacon buffers based on WPS IE length
This IE is of variable length and it is better to allocate the frame
buffer taking this length into account to prepare for future
additions.
2009-12-28 12:58:27 +02:00
Jouni Malinen
f7c4783379 Split hostapd_interface_deinit() into deinit and free parts
This allows the driver interface to be deinitialized before
struct hostapd_data instance gets freed. This needs to be done so
that the driver wrapper does not maintain a context pointer to
freed memory.
2009-12-27 21:31:13 +02:00
Jouni Malinen
719347511a Get rid of unnecessary typedefs for enums. 2009-12-26 10:35:08 +02:00
Jouni Malinen
81f4f6195e Include header files explicitly in *.c, not via header files 2009-12-26 00:31:51 +02:00
Jouni Malinen
6e6e8c31ff Replace src/ap/driver_i.h with non-inlined functions in ap_drv_ops.c 2009-12-26 00:21:22 +02:00
Jouni Malinen
8b06c1ed0d Remove ap_config.h dependency from driver_i.h
This adds explicit #include line for ap_config.h into the src/ap/*.c
files that actually use the definitions from there.
2009-12-26 00:12:25 +02:00
Jouni Malinen
6226e38d00 Rename some src/ap files to avoid duplicate file names
Doxygen and some build tools may get a bit confused about same file
name being used in different directories. Clean this up a bit by
renaming some of the duplicated file names in src/ap.
2009-12-26 00:05:40 +02:00
Jouni Malinen
1b56c26c40 Get rid of direct hostapd_for_each_interface() calls
src/ap/*.c must not call functions in hostapd or wpa_supplicant
directories directly, so avoid this by using a callback function
pointer.
2009-12-25 20:12:26 +02:00
Jouni Malinen
70db2ab308 Move rest of the generic AP mode functionality into src/ap 2009-12-25 20:06:07 +02:00
Jouni Malinen
a4f2110934 Clean up some of the hostapd.h function prototype definitions
Not all prototypes in hostapd.h really belong there. This is an initial
step in cleaning that up.
2009-12-25 14:20:35 +02:00
Jouni Malinen
0aef3ec832 Move hostapd_prune_associations() into ap/utils.c 2009-12-25 14:06:26 +02:00
Jouni Malinen
2586bc64d0 Move authentication server setup into separate file 2009-12-25 13:43:43 +02:00
Jouni Malinen
ad44e244b1 Move iapp.c into src/ap 2009-12-25 13:04:45 +02:00
Jouni Malinen
0e2d35c614 Move ctrl_iface_ap.c into src/ap 2009-12-25 12:25:55 +02:00
Jouni Malinen
65668bfb77 Add forgotten src/ap/utils.c file
Commit 32da61d9c9 was supposed to add
this file.
2009-12-25 01:31:28 +02:00
Jouni Malinen
32da61d9c9 Move wps_hostapd.c into src/ap 2009-12-25 01:26:37 +02:00
Jouni Malinen
1057d78eb8 Move generic AP functionality implementation into src/ap
This code can be shared by both hostapd and wpa_supplicant and this
is an initial step in getting the generic code moved to be under the
src directories. Couple of generic files still remain under the
hostapd directory due to direct dependencies to files there. Once the
dependencies have been removed, they will also be moved to the src/ap
directory to allow wpa_supplicant to be built without requiring anything
from the hostapd directory.
2009-12-25 01:12:50 +02:00