Commit graph

2703 commits

Author SHA1 Message Date
Jouni Malinen
9bb1025a2e EAP-AKA server: Fix fallback to full auth
Commit 68a41bbb44 broke fallback from
reauth id to fullauth id by not allowing a second AKA/Identity round to
be used after having received unrecognized reauth_id in the first round.
Fix this by allowing fullauth id to be requested in such a case.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-08 15:45:05 +02:00
Sunil Dutt
c0810ddb3c P2P: Use the same Dialog Token value for every PD retry
Commit 175171ac6c ensured that the PD
requests are retried in join-a-running group case and the Enrollee is
started on either receiving the PD response or after the retries. Each
PD request is retried with an unique dialog token and a PD response from
the GO with a mismatched dialog token is ignored. Thus, the P2P client
would continue retrying the PD requests till the response with a
matching dialog token is obtained. This would result in the GO getting
multiple PD requests and a corresponding user notification (POP UP) in
implementations where each PD request results in a POP UP, resulting in
a bad user experience. To avoid such behavior, the same dialog token
value is used for every retry in the same PD exchange.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-08 13:12:34 +02:00
Jouni Malinen
708bc8e0e4 nl80211: Restore previous nlmode if set_freq for AP mode fails
wpa_driver_nl80211_ap() returned error if set_freq failed, but left the
previously set nlmode to GO/AP. While this should not be issue for most
purposes, it leaves the interface in somewhat unexpected state and could
potentially affect operations prior to next connection attempt. Address
this by restoring the previous nlmode if AP mode cannot be started for
some reason.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-08 00:34:08 +02:00
Jouni Malinen
e28c226df0 Split p2p_prepare_channel() into multiple functions
This makes it easier to read the code for the two possible cases
(forced/preferred channel and automatic channel selection).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 08:37:13 +02:00
Jouni Malinen
a5830ede8e P2P: Document operating channel selection functions
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 08:27:11 +02:00
Arik Nemtsov
50285f5ca8 P2P: Always re-select operating channel if not hard coded
Since the operating channel is randomly set to 1/6/11 on init, which is
commonly included in the channel intersection, we were effectively
ignoring the set of P2P preferred channels when trying to improve
channel selection after having received peer information. Fix this by
trying to get the best channel we can, unless the user hard coded the
operating channel in the configuration file or p2p_connect command. Fall
back to the initial randomly selected channel if a better one cannot be
chosen.

Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-12-27 08:16:42 +02:00
Jouni Malinen
bd594ea0da P2P: Do not allow re-selection of GO channel if forced_freq in use
Even if the peer does not accept the forced channel, we should not allow
the forced_freq parameter to be be overridden, i.e., such a case needs
to result in GO Negotiation failure.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 08:06:55 +02:00
Jouni Malinen
92ac756c84 P2P: Set FORCE_FREQ flag as part of p2p_prepare_channel()
Both p2p_connect and p2p_authorize use the same functionality to select
the channel preferences for GO Negotiation. The part of setting this
device flag was copied to each function, but it can also be handled by
the shared function after some reordering of code.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 07:58:04 +02:00
Jouni Malinen
b1129f657c P2P: Share a single function for GO channel selection
The exact same mechanism was used for determining the operating channel
at the device that becomes the GO regardless of whether this was
triggered by reception of GO Negotiation Request of Response frame. Use
a shared function to avoid duplicated implementation and potential
differences in the future.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-27 07:39:57 +02:00
Arik Nemtsov
62120d59b4 P2P: Prefer operating channels where HT40 is possible
When no other user preference is specified, opt to use an operating
channel that allows HT40 operation. This way, if driver capabilities
and regulatory constraints allow, we might enjoy increased bandwidth.

Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-12-25 19:59:04 +02:00
Baruch Siach
50d405ec87 atheros: Release sock_raw and reset appfilter on hapd_init failure
Signed-hostap: Baruch Siach <baruch@tkos.co.il>
2012-12-25 13:50:41 +02:00
Yoni Divinsky
3dfd0484fc P2P: Consider age for the P2P scan results
cfg80211 caches the scan results according the channel number. Due to
the 15 sec aging this might cause the user mode to see more than one
scan result with the same BSSID, e.g. - one scan result for the
P2P Device and one for the P2P GO (once it's enabled).

Fix this by updating the device entry only if the new peer entry is
newer than the one previously stored.

Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com>
Signed-off-by: Victor Goldenshtein <victorg@ti.com>
Signed-off-by: Igal Chernobelsky <igalc@ti.com>
Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-12-25 11:22:42 +02:00
Jouni Malinen
2049a875bc WNM: Additional BSS Transition Management capability
Add some more functionality for BSS Transition Management:
- advertise support for BSS Transition Management in extended
  capabilities element
- add hostapd.conf parameter bss_transition=1 for enabling support
  for BSS Transition Management
- add "hostapd_cli disassoc_imminent <STA> <num TBTTs>" for sending
  disassociation imminent notifications for testing purposes
- wpa_supplicant: trigger a new scan to find another BSS if the
  current AP indicates disassociation imminent (TODO: the old AP needs
  to be marked to use lower priority to avoid re-selecting it)

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-22 20:27:30 +02:00
Sven Eckelmann
a5e1eb2092 nl80211: Run TKIP countermeasures in correct hostapd_data context
hostapd can run with different VIF when using nl80211. Events about MIC
failures have to be processed in context of the VIF which received it
and not in context of the primary VIF. Otherwise the station belonging
to this VIF may not be found in the primary VIF station hash and
therefore no countermeasures are started or the countermeasures are
started for the wrong VIF.

Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
2012-12-22 16:19:52 +02:00
Jouni Malinen
8b24861154 Add Acct-Session-Id into Access-Request messages
This optional attribute may make it easier to bind together the
Access-Request and Accounting-Request messages. The accounting session
identifier is now generated when the STA associates instead of waiting
for the actual session to start after successfull authentication.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-18 18:13:31 +02:00
Vladimir Kondratiev
7829894c21 Introduce 60 GHz band
Basic support for the 60 GHz band. Neither P2P nor WPS are yet taken
care off. Allows to start AP with very simple config:

network={
        ssid="test"
        mode=2
        frequency=60480
        key_mgmt=NONE
}

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-18 11:50:35 +02:00
Sven Eckelmann
f1b44874c2 Fix initialization of ap_table_{max_size,expiration_time}
The config says that the default for ap_table_max_size is 255 and the
default for ap_table_expiration_time is 60. But the code doesn't reflect
the default values mentioned in the sample config file.

These variables completely disable the code for Overlapping Legacy BSS
Condition by default when they are not correctly initialized. WFA
certification requires this feature and therefore an AP would have
failed the certification process unless they were initialized manually
using the configuration file.

Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
2012-12-17 17:54:21 +02:00
Jouni Malinen
9904ff876a WPS: Add RF bands attribute conditionally to Probe Response frame
WSC IE in Beacon and Probe Response frames should behave consistently
as far as the RF Bands attribute is concerned. Use the same dualband
condition for adding this into Probe Response frames since the value
is not really needed if the AP is not a dualband AP.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-17 16:08:23 +02:00
Jouni Malinen
cd6be5c246 WPS: Use wps_rf_bands parameter to determine dualband functionality
If separate hostapd processes are used for different RF bands, the
dualband parameter for WPS was not set correctly. Allow dualband
indication (mainly, addition of RF bands attribute for PBC session
overlap detection) also based on wps_rf_bands value (if set to "ag").

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-17 16:06:10 +02:00
Jouni Malinen
0a66ce3c49 WNM: Add support for SSID List element matching
This allows Probe Request frame processing to compare the configured
SSID to the SSID List element in addition to the SSID element.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 21:22:24 +02:00
Jouni Malinen
b93c8509cc Add support for advertising UTF-8 SSID extended capability
This field can be used to indicate that UTF-8 encoding is used in the
SSID field.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 20:46:51 +02:00
Jouni Malinen
a8e93a1a01 WNM: Skip os_memcpy in wnmtfs_ie is NULL
It is cleaner to skip the memcpy call instead of trusting on the
length parameter being 0 in this case.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:48:39 +02:00
Jouni Malinen
835822d404 WNM: Fix GTK/IGTK encoding in WNM-Sleep Mode Exit frame
These subelements do not use AES key wrap (MFP is used instead).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:46:10 +02:00
Jouni Malinen
4da10640a7 WNM: Fix AP logic on when to include GTK/IGTK in WNM-Sleep Mode exit
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:27:09 +02:00
Jouni Malinen
615a5d559d WNM: Use defined macros for WNM-Sleep Mode Action Type values (AP)
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:24:06 +02:00
Jouni Malinen
c79938a584 WNM: Enable WNM-Sleep Mode configuration with hostapd SME/MLME
This allows hostapd to process WNM-Sleep Mode Request when using the
internal SME/MLME.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:16:17 +02:00
Jouni Malinen
ad3872a372 WNM: Use CONFIG_WNM more consistently
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. Previously it was possible to
define CONFIG_IEEE80211V without CONFIG_WNM which would break the build.
In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and
WNM is a better term to use for this new functionality anyway.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 18:22:54 +02:00
Jouni Malinen
df80a0ccff WNM: Use defined macros for WNM-Sleep Mode Action Type values
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 12:57:38 +02:00
Jouni Malinen
68db9ab047 WNM: Fix GTK/IGTK parsing for WNM-Sleep Mode Response frame
These fields do not use AES keywrap. Instead, they are protected with
management frame protection (and not included if PMF is disabled).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:48:34 +02:00
Jouni Malinen
bd896433af nl80211: Register to process WNM-Sleep Mode Response frames
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-16 12:42:26 +02:00
Dan Williams
0639970d89 PMKSA: Clear current cache entry on disassociation
Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 21:53:55 +02:00
Dan Williams
6aaac006af PMKSA: Make deauthentication due to cache entry removal more granular
Expiry can always trigger a deauthentication, but otherwise,
deauthentication should only happen when the *current* cache entry is
removed and not being replaced. It should not happen when the current
PMK just happens to match the PMK of the entry being removed, since
multiple entries can have the same PMK when OKC is used and these
entries are often removed at different times.

This fixes an issue where eviction of the oldest inactive entry due to
adding a newer entry to a full cache caused a deauthentication when the
entry being removed had the same PMK as the current entry.

Signed-hostap: Dan Williams <dcbw@redhat.com>
2012-11-25 21:39:19 +02:00
Jouni Malinen
b7593d35c1 Remove unnecessary PMKSA cache list modification
pmksa_cache_free_entry() takes care of updated the list head pointer
(pmksa->pmksa), so no need to do this change in the caller.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 19:45:54 +02:00
Jouni Malinen
f2a14be798 Use a shared function for freeing PSK list
There is no need to duplicate this code in multiple locations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 18:01:55 +02:00
Jouni Malinen
fc5550a1c2 Use RADIUS shared secret consistently in RX handler
Use the shared_secret pointer from RADIUS client implementation instead
of getting this from hostapd configuration data.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:57:16 +02:00
Michael Braun
5ee56c4e19 Keep and use list of PSKs per station for RADIUS-based PSK
This adds support for multiple PSKs per station when using a RADIUS
authentication server to fetch the PSKs during MAC address
authentication step. This can be useful if multiple users share a
device but each user has his or her own private passphrase.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
2ad3e6c858 Cache a list of PSK entries for RADIUS-based PSK delivery
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
14e919478e Extend radius_msg_get_tunnel_password() to support multiple passwords
The new function parameter can now be used to specify which password to
return.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:19:04 +02:00
Jouni Malinen
1a2d22a242 Remove unneeded header file inclusion
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:06:38 +02:00
Jouni Malinen
13e1d2e292 Indicate if PMF was negotiated for the connection
Add pmf=1/2 to wpa_supplicant STATUS command output to indicate that PMF
was negotiated for the connect (1 = optional in this BSS, 2 = required
in this BSS).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:45:17 +02:00
Jouni Malinen
62d4980331 Allow PMF to be enabled by default
Previously, PMF (protected management frames, IEEE 802.11w) could be
enabled only with a per-network parameter (ieee80211w). The new global
parameter (pmf) can now be used to change the default behavior to be PMF
enabled (pmf=1) or required (pmf=2) for network blocks that do not
override this with the ieee80211w parameter.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 22:21:29 +02:00
Amitkumar Karwar
368b1957a6 Allow OBSS scan and 20/40 coex reports to non-SME drivers
We enable this feature for non-SME drivers as well if
they explicitly indicate need for it.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
2012-11-24 18:08:48 +02:00
Jouni Malinen
3d83a6b9b6 Sync with linux/nl80211.h in wireless-testing.git
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-24 18:04:55 +02:00
Johannes Berg
3117ad4283 hostapd: Add second VHT frequency segment config
Add the configuration option vht_oper_centr_freq_seg1_idx
for the second segment of an 80+80 MHz channel and use it
when building the VHT operation IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 18:02:29 +02:00
Johannes Berg
202d97d477 hostapd: Add VHT PHY selector if VHT is required
If VHT is required, add the VHT PHY selector to
the (extended) supported rates IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 17:27:16 +02:00
Pontus Fuchs
fb660a9431 Do not double free cfg struct if netlink_init() fails
If netlink_init() fails on socket create or bind the cfg struct
provided as parameter is freed by netlink_init(). Callers of
netlink_init() also free this struct on their error paths leading
to double free.

Signed-hostap: Pontus Fuchs <pontus.fuchs@gmail.com>
2012-11-24 16:47:20 +02:00
Jouni Malinen
f403dcd648 HS 2.0: Maintain a copy of HS 2.0 Indication from Association Request
This allows the AP to figure out whether a station is a HS 2.0 STA
during the association and access any information that the STA may have
included in this element.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-24 12:24:31 +02:00
Sunil Dutt
ffa45a1343 P2P: Increase the maximum number of PD Request retries
Change the maximum retry limit from 10 to 120 to match the behavior
used with GO Negotiation Request frames when trying to start GO
Negotiation with a peer that does not acknowledge frames (e.g., due
to being in sleep or on another channel most of the time).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 01:15:51 +02:00
Jouni Malinen
175171ac6c P2P: Retry PD Request in join-a-running-group case
The GO may be in sleep when we send a PD Request frame to indicate that
we are about to join a running group. Previously, this frame was not
retried more than normal low level retries. This can result in the GO
not getting the frame especially in cases where concurrent multi-channel
operations or aggressive sleep schedule is used since most drivers do
not yet synchronize with the GO's NoA before association.

Increase the likelihood of the GO receiving the PD Request frame by
retransmitting it similarly to the PD-for-GO-Negotiation case. Start
the actual join operation only after these retries have failed to get
an acknowledgment from the GO to give the connection attempt a chance
to succeed if the driver implements better NoA synchronization for it.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 00:53:42 +02:00
Sunil Dutt
6752716663 P2P: Set user_initiated_pd separately from the join parameter
p2p_prov_disc_req() used the join parameter to figure out whether the PD
request was a user initiated or not. This does not cover all use cases
of PD, so add a separate parameter to allow caller to indicate whether
the user requested the operation.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-23 00:48:58 +02:00
Jouni Malinen
ee431d77a5 Add preliminary support for using SQLite for eap_user database
CONFIG_SQLITE=y option can now be used to allow the eap_user_file text
file to be replaced with a SQLite database
(eap_user_file=sqlite:/path/to/sqlite.db). hostapd.eap_user_sqlite
shows an example of how the database tables can be created for this
purpose. This commit does not yet include full functionality of the
text file format, but at least basic EAP-TTLS/MSCHAPv2 style
authentication mechanisms with plaintext passwords can be used for
tests.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-21 00:47:47 +02:00
Jouni Malinen
6201b052c8 nl80211: Add support for TDLS request event from the driver
The NL80211_CMD_TDLS_OPER command can be used as an event based on a
recent cfg80211 commit, so add code to map that to internal
wpa_supplicant event to request TDLS link setup/teardown.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-19 17:00:07 +02:00
Jouni Malinen
c772d054c2 hostapd: Fix a regression in TKIP countermeasures processing
Commit 296a34f0c1 changed hostapd to
remove the internal STA entry at the beginning of TKIP countermeasures.
However, this did not take into account the case where this is triggered
by an EAPOL-Key error report from a station. In such a case, WPA
authenticator state machine may continue processing after having
processed the error report. This could result in use of freed memory.
Fix this by stopping WPA processing if the STA entry got removed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-18 13:06:03 +02:00
Jouni Malinen
6366a17ce3 WPS: Add a workaround for PBC session overlap detection
Some deployed station implementations implement WPS incorrectly and
end up causing PBC session overlap issues by indicating active PBC
mode in a scan after the WPS provisioning step. Work around this by
ignoring active PBC indication in a Probe Request from a station that
completed PBC provisioning during the last five seconds.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-15 19:59:04 +02:00
Jouni Malinen
1ce0aa044c Remove unused disassociate() driver_ops
Commits 07783eaaa0 and
3da372fae8 removed the only users of the
disassociate() driver operation, so these driver wrapper functions can
also be removed now.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-15 00:06:12 +02:00
Jouni Malinen
0779c227af Hide strict-aliasing warning with gcc 4.7
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 20:29:20 +02:00
Jouni Malinen
9d7a63dc20 nl80211: Avoid strict-aliasing warning with gcc 4.7
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 20:28:27 +02:00
Christopher Wiley
a8c5b43ad3 nl80211: Roam correctly through cfg80211 without SME
Change the nl80211 driver in wpa_supplicant to correctly handle
connecting to a new AP through cfg80211 without SME capability. As
before, the driver will disconnect from the previously associated AP,
but now we attempt to immediately connect to our intended AP. This
prevents us from blacklisting the AP we were trying to connect to
because of a semantic mismatch between cfg80211 and wpa_supplicant. The
disconnect/connect patch generates a local disconnect nl80211 event
which we discard because we're already correctly tracking the pending
association request.

In detail:

cfg80211 does not support connecting to a new BSS while already
connected to another BSS, if the underlying driver doesn't support
separate authenticate and associate commands. wpa_supplicant is written
to expect that this is a supported operation, except for a little error
handling that disconnects from the current BSS when roaming fails and
relies on autoconnect logic to reconnect later. However, this failure to
connect is incorrectly attributed to the new AP we attempted to
associate with, rather than a local condition in cfg80211.

The combined effect of these two conditions is that full-mac drivers
accessible through cfg80211 but without SME capability take a long time
to roam across BSS's because wpa_supplicant will:
1) Fail to associate for local reasons
2) Disconnect and return that the association request failed
3) Blacklist the association target (incorrectly)
4) Do a scan
5) Pick a less desirable AP to associate with

Signed-hostap: Christoper Wiley <wiley@chromium.org>
2012-11-11 16:15:29 +02:00
Baruch Siach
b49019dd3d atheros: Remove redundant l2_packet_get_own_addr call
Commit deca6eff74 added a redundant call
to l2_packet_get_own_addr. Use the information we already have in
atheros_init.

Signed-hostap: Baruch Siach <baruch@tkos.co.il>
2012-11-11 16:07:28 +02:00
Jouni Malinen
58fd49c05d EAP-SIM/AKA server: Fix memory leak in error path
If identity round limit is reached, EAP-SIM/AKA session is terminated.
This needs to free the allocated message.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:15:49 +02:00
Jouni Malinen
8cd93a01a9 Check hapd_iface more consistently in hostapd_disable_iface()
There is no point in the hapd_iface == NULL validate after this pointer
has been dereferences, so move the code dereferencing hapd_iface after
the check.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:11:15 +02:00
Jouni Malinen
207fb86411 WPS: Remove deprecated UFD config method and OOB ctrl_iface
The UFD (USB flash drive) configuration method was deprecated in WSC
2.0. Since this is not known to be used, remove the UFD implementation
from hostapd and wpa_supplicant to allow the WPS implementation to be
cleaned up. This removes the now unused OOB operations and ctrl_iface
commands that had already been deprecated by the new NFC operations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:01:06 +02:00
Masashi Honma
30c371e8a5 P2P: Reduce redundant PSK generation for GO
The PSK generation done by pbkdf2_sha1() is one of the longest CPU time
users according to our profiling from boot to GO started.

So I have reduced some steps.

I could boot a GO by this command sequence.
-------------
add_net
set_network 0 ssid '"DIRECT-XX"'
set_network 0 psk
'"123456789012345678901234567890123456789012345678901234567890123"'
set_network 0 proto RSN
set_network 0 key_mgmt WPA-PSK
set_network 0 pairwise CCMP
set_network 0 auth_alg OPEN
set_network 0 mode 3
set_network 0 disabled 2
p2p_group_add persistent=0 freq=2412
-------------

By this sequence, pbkdf2_sha1() was called three times and the function
calculates the same value each time. Reduce number of calls to
pbkdf2_sha1() from 3 to 1 by caching the previous result.

Signed-hostap: Masashi Honma <masashi.honma at gmail.com>
2012-11-11 11:39:24 +02:00
Jouni Malinen
1e8a6e7553 Remove unused wpa_supplicant_disassociate()
This function is now unused after the last couple of commits that
removed the last uses, so remove this to keep code simpler since all
places that disassociate, can use deauthentication instead.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-05 17:05:37 +02:00
Jouni Malinen
3da372fae8 Use deauthentication instead of disassociation on RSN element mismatch
Even though the standard currently describes disassociation to be used
for RSN element mismatch between Beacon/Probe Response frames and
EAPOL-Key msg 3/4, this is unnecessary difference from other cases that
deauthenticate. In addition, there is no point in leaving the 802.11
Authentication in place in this case. To keep things simpler, use
deauthentication here to get rid of the only use of
wpa_sm_disassociate().

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-05 17:01:07 +02:00
Jouni Malinen
7d81932d27 nl80211: Make debug log more readable for driver events
Print the full name of the nl80211 event message in the debug log to
make it easier to parse the debug log.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-03 13:54:43 +02:00
Jouni Malinen
b363121a20 WPS: Reject invalid credential more cleanly
If WPS Registrar tries to provision a WPA/WPA2-Personal network without
including a valid Network Key, the network block cannot be used to
connect to the network. Reject such credential without adding the
network block. This makes wpa_supplicant send WSC_NACK as a response to
the invalid Credential and stop the provisioning process immediately
rather than only after trying unsuccessfully to connect to the network.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-01 16:30:35 +02:00
Jouni Malinen
96beff11d1 P2P: Allow discoverable interval for p2p_find to be configured
The new P2P_SET parameter disc_int can now be used to configure
discoverable interval for p2p_find operations. The format of the command
for setting the values is "P2P_SET disc_int <minDiscoverableInterval>
<maxDiscoverableInterval> <max TUs for discoverable interval>". The
first two parameters are given in units of 100 TUs (102.4 ms). The third
parameter can be used to further limit the interval into a specific TU
amount. If it is set to -1, no such additional limitation is enforced.
It should be noted that the P2P specification describes the random
Listen state interval to be in units of 100 TUs, so setting the max TU
value to anything else than -1 is not compliant with the specification
and should not be used in normal cases. The default parameters can be
set with "P2P_SET disc_int 1 3 -1".

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-30 15:12:04 +02:00
Jouni Malinen
9f36eac6e5 WPS: Remove old OOB NFC interface
The old WPS interface for using NFC has no known deployments and even
the binary libraries referenced here are not easily available anymore.
Since the new interface for using NFC with WPS covers the same
functionality, remove the old implementation to clean up WPS
implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-28 18:20:03 +02:00
Jouni Malinen
bd3a373767 WPS: Use AP Channel attribute in credential to speed up scan
When WPS is used with NFC connection handover, the AP may indicate its
operating channel within the credential information. Use this
informatiom, if present, to speed up the scan process.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-28 18:02:04 +02:00
Jouni Malinen
e65552ddf2 WPS: Add preliminary NFC connection handover support for Enrollee
This commit adds new wpa_supplicant ctrl_iface commands to allow
external programs to go through NFC connection handover mechanism
with wpa_supplicant taking care of the WPS processing. This version
includes only the case where wpa_supplicant is operating as a
station/Enrollee.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-28 17:39:46 +02:00
Jouni Malinen
86cf382b80 Fix EAPOL supplicant port authorization with PMKSA caching
The previous eapol_sm_notify_cached() implementation forced the port
to be authorized when receiving EAPOL-Key msg 1/4 that included a
matching PMKID in cases when PMKSA caching is used. This is too early
since the port should really be authorized only after the PTK has been
configured which is the case when PMKSA caching is not used.

Fix this by using the EAPOL supplicant PAE state machine to go through
the AUTHENTICATING and AUTHENTICATED states instead of forcing a jump
to AUTHENTICATED without performing full state machine steps. This can
be achieved simply by marking eapSuccess TRUE at least with the current
version of EAP and EAPOL state machines (the earlier commits in this
function seemed to indicate that this may have not been that easy in
the older versions due to the hacks needed here).

This addresses an issue with nl80211-based driver interface when the
driver depends on the STA Authorized flag being used to prevent
unprotected frames from being accepted (both TX and RX) prior to PTK
configuration.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-10-27 11:52:43 +03:00
Jouni Malinen
04a3e69dd1 P2P: Allow all channels with multi-channel concurrency
If the driver indicates support for multi-channel concurrency, change
the p2p_connect behavior to not force the current operating channel, but
instead, just mark it as preferred for GO Negotiation. This change
applies only for the case when the freq parameter is not used with the
p2p_connect command.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-26 18:10:46 +03:00
David Bird
f826635c2d Fix EAPOL processing when STA switches between multi-BSSes
There was an issue with EAPOL frame exchanges in a multi-BSS
configuration when a station switches between the BSSes controlled by
the same hostapd process. When processing the EAPOL packet, the array of
virtual APs (iface->bss) is searched looking for the station that sent
the packet in order to identify which signal context should be used
during processing. The first match of the station in its list gets used
in the ieee802_1x_receive() function. However, even after a station has
disassociated, it remains in the list of stations pending an inactivity
timeout. This leads to the wrong hapd context (one where the station had
already disassociated) being used in some cases (if the current/active
bss entry appears in the list after one where the station has just
disassociated from) for EAPOL processing.

Fix this by checking the WLAN_STA_ASSOC flag before assuming the right
hapd context was found for the given station.

Signed-hostap: David Bird <dbird@powercloudsystems.com>
intended-for: hostap-1
2012-10-25 09:20:15 +03:00
Jouni Malinen
569fed9045 nl80211: Add support for SAE operations
This uses the recent cfg80211 changes to allow SAE authentication to be
implemented with the nl80211 driver interface.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-24 09:10:42 +03:00
Jouni Malinen
516059c753 Sync with linux/nl80211.h in wireless-testing.git
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-24 09:08:38 +03:00
Jouni Malinen
13ece96f70 P2P: Improve robustness against lost ctrl::ack frames
P2P includes two use cases where one of the devices is going to start a
group and likely change channels immediately after processing a frame.
This operation may be fast enough to make the device leave the current
channel before the peer has completed layer 2 retransmission of the
frame in case the ctrl::ack frame was lost. This can result in the peer
not getting TX status success notification.

For GO Negotiation Confirm frame, p2p_go_neg_conf_cb() has a workaround
that ignores the TX status failure and will continue with the group
formation with the assumption that the peer actually received the frame
even though we did not receive ctrl::ack. For Invitation Response frame
to re-invoke a persistent group, no such workaround is used in
p2p_invitation_resp_cb(). Consequently, TX status failure due to lost
ctrl::ack frame results in one of the peers not starting the group.

Increase the likelihood of layer 2 retransmission getting acknowledged
and ctrl::ack being received by waiting a short duration after having
processed the GO Negotiation Confirm and Invitation Response frames for
the re-invocation case. For the former, use 20 ms wait since this case
has been worked around in deployed devices. For the latter, use 50 ms
wait to get even higher likelihood of getting ctrl::ack through since
deployed devices (and the current wpa_supplicant implementation) do not
have a workaround to ignore TX status failure.

20 ms is long enough to include at least couple of retries and that
should increase likelihood of getting ctrl::ack through quite a bit. The
longer 50 ms wait is likely to include full set of layer 2 retries.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-13 17:33:16 +03:00
Jouni Malinen
ed61d2a5f9 Fix regression in LEAP
Commit 458cb30191 broke LEAP since it
rejects EAP-Success packet that is used within LEAP and this frame does
not have a payload. Fix LEAP by relaxing the generic EAP packet
validation if LEAP has been negotiated.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-11 21:50:57 +03:00
Jouni Malinen
3a643324c6 WPS: Limit number of active wildcard PINs to one
Previously, WPS Registrar allowed multiple wildcard PINs to be
configured. This can get confusing since these PINs get assigned to any
Enrollee that does not have a specific PIN and as such, cannot really be
used with different PIN values in reasonable ways. To avoid confusion
with multiple enabled PINs, invalidate any previously configured
wildcard PIN whenever adding a new one.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-10 17:38:06 +03:00
Jouni Malinen
458cb30191 EAP-TLS: Add extra validation for TLS Message Length
While the existing code already addresses TLS Message Length validation
for both EAP-TLS peer and server side, this adds explicit checks and
rejection of invalid messages in the functions handling reassembly. This
does not change externally observable behavior in case of EAP server.
For EAP peer, this starts rejecting invalid messages instead of
addressing them by reallocating the buffer (i.e., ignoring TLS Message
Length in practice).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-07 20:18:10 +03:00
Jouni Malinen
586c446e0f EAP-TLS server: Fix TLS Message Length validation
EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS
Message Length value properly and could end up trying to store more
information into the message buffer than the allocated size if the first
fragment is longer than the indicated size. This could result in hostapd
process terminating in wpabuf length validation. Fix this by rejecting
messages that have invalid TLS Message Length value.

This would affect cases that use the internal EAP authentication server
in hostapd either directly with IEEE 802.1X or when using hostapd as a
RADIUS authentication server and when receiving an incorrectly
constructed EAP-TLS message. Cases where hostapd uses an external
authentication are not affected.

Thanks to Timo Warns for finding and reporting this issue.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-10-07 20:06:29 +03:00
Jouni Malinen
21af6d15a8 SAE: Add Finite Cyclic Group negotiation and Send-Confirm
This replaces the previously used bogus test data in SAE messages with
the first real field. The actual SAE authentication mechanism is still
missing and the Scaler, Element, and Confirm fields are not included.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-06 19:30:54 +03:00
Vladimir Kondratiev
c097652828 60 GHz: Fix error while processing scan results
Channel frequency for 60 GHz band do not fit into 'short int', as was
used. Expand it to 'int'

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-04 16:32:23 +03:00
Jouni Malinen
315dbfb11e WPS: Fix a potential memory leak on wps_init() error path
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-02 16:51:27 +03:00
Jouni Malinen
369c8d7bcd Reserve AKM and cipher suite values
These values are used with WAPI and CCX and reserving the definitions
here reduces the number of merge conflicts with repositories that
include these functions.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-30 20:26:55 +03:00
Jouni Malinen
c10347f246 Add initial parts for SAE
This introduces new AKM for SAE and FT-SAE and adds the initial parts
for going through the SAE Authentication frame exchange. The actual SAE
algorithm and new fields in Authentication frames are not yet included
in this commit and will be added separately. This version is able to
complete a dummy authentication with the correct authentication
algorithm and transaction values to allow cfg80211/mac80211 drivers to
be tested (all the missing parts can be handled with
hostapd/wpa_supplicant changes).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-30 19:51:07 +03:00
Jouni Malinen
905029097c Sync with linux/nl80211.h in wireless-testing.git
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-30 10:49:46 +03:00
Mykyta Iziumtsev
817762d9c4 nl80211: Don't send BSSID with disconnect command
NL80211_CMD_DISCONNECT doesn't need BSSID, because cfg80211
uses locally saved value.

Signed-hostap: Mykyta Iziumtsev <mykyta.iziumtsev@gmail.com>
2012-09-29 19:01:50 +03:00
Raja Mani
39b1572c41 Include connected time in AP mode STA-* commands
This allows hostapd_cli and wpa_cli all_sta command to be used to
display connected time (in seconds) of each station in AP mode.

Signed-hostap: Raja Mani <rmani@qca.qualcomm.com>
2012-09-26 13:52:19 +03:00
Jouni Malinen
213c1fa84d P2P: Fix ignoring of PD Response due to dialog token mismatch
Commit 6b56cc2d97 added clearing of the
p2p->pending_action_state too early in this function. This should not
be done if we are going to silently ignore the frame due to dialog
token mismatch. Fix this by moving the code around to check the dialog
token first.

This issue resulted in PD Request retries getting stopped too early if
the peer is sending out an unexpected PD Response (e.g., because of it
being excessively slow with the response so that the response is
received only after the next TX attempt with a new dialog token).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-25 21:41:52 +03:00
Jouni Malinen
2cd0758441 P2P: Allow peer to propose channel in invitation process
Make Invitation process for re-invoking a persistent group behave
similarly to GO Negotiation as far as channel negotiation is concerned.
The Operating Channel value (if present) is used as a starting point if
the local device does not have a forced operating channel (e.g., due to
concurrent use). Channel lists from devices are then compared to check
that the selected channel is in the intersection. If not, channel is
selected based on GO Negotiation channel rules (best channel preferences
etc.). Invitation Request is rejected if no common channel can be
selected.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-24 22:15:58 +03:00
Jouni Malinen
7759fba1c2 P2P: Show own channel list in debug log
This makes it easier to debug channel negotiation mechanisms.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-24 22:14:50 +03:00
Felix Fietkau
73a3c6ffca nl80211: Use the monitor interface if socket tx status is not supported
Fixes hostapd on recent compat-wireless builds with older kernels.

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-23 13:28:31 +03:00
Felix Fietkau
9974381109 hostapd: Add check for the wds sta flag before creating 4addr VLANs
Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-23 13:25:49 +03:00
Felix Fietkau
22b42372d0 hostapd: Clear WLAN_STA_ASSOC_REQ_OK if sending the assoc response failed
As long as WLAN_STA_ASSOC_REQ_OK is set in sta->flags, Class 3 frames do
not trigger a disassoc/deauth. If it is still set even after the assoc
response tx has already failed, it may take somewhat longer for clients
to realize that the connection wasn't fully established.

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-23 13:23:16 +03:00
Felix Fietkau
92d521d89c hostapd: Send EAPOL frames from the VO queue if WMM is active
This avoids extra latency caused by establishing an aggregation session
and makes the initial connection attempt more reliable

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-15 22:40:00 -07:00
Felix Fietkau
c34e618d47 hostapd: Fix WDS VLAN bridge handling
This patch fixes an issue where removing a WDS VLAN interface also
removed the main AP interface from the same bridge.

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-15 22:38:14 -07:00
Jouni Malinen
ce6ce7fb13 hostapd: Fix CONFIG_INTERWORKING=y build without CONFIG_HS20=y
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-15 22:37:27 -07:00
Jouni Malinen
4bf3910574 Move AES-CCM implementation into src/crypto
This is a generic AES CCM implementation that can be used for other
purposes than just implementing CCMP, so it fits better in a separate
file in src/crypto.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 18:07:19 +03:00
Jouni Malinen
071c6164ab Enable 256-bit key AES in internal TLS implementation
Now that the internal AES implementation supports 256-bit keys, enable
use of the TLS cipher suites that use AES-256 regardless of which crypto
implementation is used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 14:16:05 +03:00
Jouni Malinen
802bc4211b Fix AES block size handling for internal cipher
AES uses the same 128-bit block size with 128, 192, 256 bit keys, so use
the fixed block size definition instead of trying to dynamically set the
block size based on key length. This fixes use of 192-bit and 256-bit
AES keys with crypto_cipher_*() API when using the internal AES
implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 14:12:59 +03:00
Jouni Malinen
f90a4542b4 Share common GCM-AE and GCM-AD functionality
These operations are almost identical, so use common functions to
share the same implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 13:54:33 +03:00
Jouni Malinen
77b2c81275 Add aes_gmac() as a wrapper for AES GMAC operations using GCM
This is otherwise identical to aes_gcm_ae() but does not use the
plain/crypt pointers since no data is encrypted.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 13:37:50 +03:00
Jouni Malinen
d140db6adf Add support for using 192-bit and 256-bit keys with AES-GCM
This adds 192-bit and 256-bit key support to the internal AES
implementation and extends the AES-GCM functions to accept key length to
enable longer AES key use.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 13:30:51 +03:00
Jouni Malinen
af0963fab4 Support arbitrary IV length with AES-GCM
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 00:49:54 +03:00
Jouni Malinen
1cd7a5032a Move AES-GCM implementation into src/crypto
This is a generic AES GCM and GMAC implementation that can be used for
other purposes than just implementing GCMP, so it fits better in a
separate file in src/crypto.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-08 23:48:08 +03:00
Arik Nemtsov
4425645113 AP: Configure basic rates from iface and not conf
The conf doesn't contain any basic rates in some cases. Most notably,
when starting a P2P GO in 5 GHz. Use the iface rates which are
initialized in hostapd_prepare_rates() to the conf rates or set to
default values if no conf values exist. This fixes a bug introduced in
commit e5693c4775.

Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-09-07 00:22:40 +03:00
Jouni Malinen
f0898e9519 Make copies basic_rates list more useful
Commit e5693c4775 added a copy of the
determined basic rate set into struct hostapd_iface, but did not
actually copy the terminating -1 value. This could be problematic if
something were to actually try to use this list since would be no way to
know what is the last entry in the list. Fix this by copying the
terminating value.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-07 00:15:53 +03:00
Baruch Siach
ac947e2a83 atheros: Fix RSN capabilities debug print
Signed-hostap: Baruch Siach <baruch@tkos.co.il>
2012-09-05 19:01:11 +03:00
Jouni Malinen
d732463c47 nl80211: Register read_sta_data() handler for station only builds
This driver_op can now be used in station mode, too, to fetch
information about the connection with the AP, so allow this to be used
even if wpa_supplicant is built without AP mode support.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-05 17:07:03 +03:00
Yuhao Zheng
dc7785f845 wpa_supplicant: Add PKTCNT_POLL command to get TX/RX packet counters
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2012-09-05 17:02:02 +03:00
Jouni Malinen
a05126d620 WFD: Properly match group for WFD element in Invitation Response
The group matching should be done by comparing the P2P Interface Address
(which the group_bssid here is) to the group's BSSID and not the group
ID (which uses P2P Device Address and would have also needed the SSID).
Though, it should be noted that this case cannot really happen since a
GO in an active group would never be invited to join another group in
its GO role (i.e., if it receives an Invitation Request, it will reply
in P2P Device role). As such, this fix does not really change any
observable behavior, but anyway, it is good to keep the implementation
here consistent with the Invitation Request case.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-05 16:39:19 +03:00
Jouni Malinen
0e9c66c22d WFD: Properly match group for WFD element in Invitation Request
When building the Invitation Request for WFD use cases, match the BSSID,
i.e., P2P Interface Address, of the group on the GO to avoid using
information from another group should the device be operating multiple
concurrent groups as GO.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-05 16:29:44 +03:00
Jouni Malinen
e026159a8e EAP-SIM/AKA: Store pseudonym identity in configuration
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 13:04:18 +03:00
Jouni Malinen
50a7755735 EAP-SIM DB: Remove unnecessary username prefix checks
The EAP-SIM/AKA code is already validating the prefix and the following
lookup would not find matches if the prefix is incorrect, so there is no
need for the extra checks here.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 12:03:57 +03:00
Jouni Malinen
68a41bbb44 EAP-AKA server: Skip AKA/Identity exchange if EAP identity recognized
If EAP-Response/Identity includes a known pseudonym or re-auth username,
skip the AKA/Identity exchange since we already know the permanent
username of the peer.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 11:27:39 +03:00
Jouni Malinen
f585c6a6d6 EAP-SIM server: Move subtype validation from check into process
This is needed to be able to use SIM-Notification round to indicate
failure per RFC 4186, chapter 6.3.3.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 01:42:05 +03:00
Jouni Malinen
c95c8b1859 EAP-SIM server: Use Notification before EAP-Failure
RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after
Client-Error and Notification messages. Convert the direct jumps to the
FAILURE state with a notification round before sending out EAP-Failure.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 01:20:29 +03:00
Jouni Malinen
9343498989 EAP-SIM/AKA peer: Note sending of Client-Error in debug log
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 00:58:03 +03:00
Jouni Malinen
5d65ca514d EAP-SIM peer: Fix AT_COUNTER_TOO_SMALL use
The AT_NONCE_S value needs to be used in AT_MAC calculation for
SIM/Re-authentication response even if re-authentication is rejected
with AT_COUNTER_TOO_SMALL.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-09-02 00:39:48 +03:00
Jouni Malinen
31a3de8af3 EAP-SIM server: Add support for AT_COUNTER_TOO_SMALL
If the peer rejects re-authentication with AT_COUNTER_TOO_SMALL, fall
back to full authentication to allow the authentication session to be
completed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 00:38:39 +03:00
Jouni Malinen
f24630d26a EAP-SIM DB: Use pointer to struct eap_sim_db_data instead of void*
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:48:48 +03:00
Jouni Malinen
2c22668c8f EAP-SIM DB: Add debug print for AKA reauth identity addition
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:41:23 +03:00
Jouni Malinen
60123b6430 EAP-AKA server: Remove unnecessary protocol version check
This validation is done automatically as part of the prefix value
use in the username.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:38:25 +03:00
Jouni Malinen
3e43a8ec4f EAP-SIM DB: Get rid of unnecessary wrapper functions
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:37:17 +03:00
Jouni Malinen
e95ffe0465 EAP-SIM DB: Return pseudonym username instead of structure with it
This cleans up the implemenation a bit.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:32:22 +03:00
Jouni Malinen
741596a817 EAP-SIM DB: Remove unneeded SQLite value copying
These fields are used only as the search key, so the value is already
known and does not need to be copied from the database.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:26:26 +03:00
Jouni Malinen
6d49d9ecb8 EAP-SIM DB: Store permanent username as string in SQLite DB
Store permanent username (i.e., including prefix character) instead of
IMSI in the SQLite DB. Convert the string to a string since the EAP-AKA
prefix can start with zero. This cleans up the field names since the
value was already with the prefix included instead of just IMSI. In
addition, this explicitly removes some theoretical cases where the
different identity types could have been mixed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:22:15 +03:00
Jouni Malinen
3961dffc13 EAP-SIM DB: Rename valid_pseudonym_string to valid_db_string
This will be used with other strings, too, so use a more generic
function name.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:17:48 +03:00
Jouni Malinen
61e181db86 EAP-SIM DB: Use char* strings instead of u8* pointer and length
Since the EAP-SIM/AKA identities are ASCII strings, there is no need to
use more complex way for storing and passing them. In addition, be more
strict about enforcing username (i.e., no realm part) to be used in the
EAP-SIM DB API. Similarly, require specific username type instead of any
of the types to be used as the key in the pseudonym and reauth
operations. This allows simpler lookup operations to be used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:10:19 +03:00
Jouni Malinen
4e9015a225 EAP-SIM DB: Remove unused eap_sim_db_identity_known()
This function is not used anymore, so remove it.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 20:12:40 +03:00
Jouni Malinen
8a9f58f2cc EAP-AKA server: Store permanent username in session data
This allows identity use to be cleaned up in various operations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 20:09:07 +03:00
Jouni Malinen
ccea4fb107 EAP-AKA server: Split fullauth setup into a separate function
This is an initial cleanup step for AKA/Identity processing.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 19:37:49 +03:00
Jouni Malinen
02a0ce13bc EAP-AKA server: Require AKA/Identity response to include identity
Since we always request an identity in the request, the response
has to include AT_IDENTITY. This allows the AKA/Identity response
processing to be simplified a bit.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 19:23:14 +03:00
Jouni Malinen
b4569a3bd8 EAP-AKA server: Use simpler AKA/Identity request determination
There is no need to use eap_sim_db_identity_known() here since a new
AKA/Identity message is built only if the identity in the previous
response was not recognized. The first round is always used to request
AT_ANY_ID_REQ to meet the RFC 4187 recommendation on EAP method specific
identity request.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 19:19:45 +03:00
Jouni Malinen
9bf403b920 EAP-SIM server: Store permanent username in session data
This allows identity use to be cleaned up in various operations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 19:15:01 +03:00
Jouni Malinen
15cfe2b40f EAP-SIM server: Require SIM/Start response to include identity
Since we always request an identity in the request, the response
has to include AT_IDENTITY. This allows the SIM/Start response
processing to be simplified a bit.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 18:56:35 +03:00
Jouni Malinen
336a46aeda EAP-SIM server: Use simpler SIM/Start identity request determination
There is no need to use eap_sim_db_identity_known() here since a new
SIM/Start message is built only if the identity in the previous response
was not recognized. The first round will always request AT_ANY_ID_REQ to
meet the RFC 4186 recommendation on EAP method specific identity request
being used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 18:51:09 +03:00
Jouni Malinen
e87982ea4c EAP-SIM DB: Remove unnecessary aka_prime parameter
The reauth_id prefix can be used to determine which AKA version is used,
so there is no need to store the aka_prime information in a separate
field.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 18:41:35 +03:00
Jouni Malinen
29813cfdc0 EAP-SIM DB: Optional use of SQLite database for reauth data
If hostapd is built and configured to use SQLite database, store
EAP-SIM/AKA reauth data into the database to allow this to persist
over hostapd restarts.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-30 16:55:36 +03:00
Jouni Malinen
66979bb833 EAP-SIM DB: Optional use of SQLite database for pseudonyms
This allows hostapd to use an SQLite database for storing EAP-SIM/AKA
pseudonyms over process restarts. CONFIG_SQLITE=y build option adds
support for this and the SQLite database file is specified in eap_sib_db
configuration parameter.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-30 16:04:52 +03:00
Jouni Malinen
c3550295fb Move WPA cipher information into a shared location
Try to share most of the cipher information like key and RSC lengths and
suite selector conversions, etc. in wpa_common.c to avoid having similar
code throughout the WPA implementation for handling cipher specific
behavior.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-30 11:53:54 +03:00
Jouni Malinen
347d6a5b76 WFD: Add support for sending Wi-Fi Display service discovery requests
wpa_cli p2p_serv_disc_req command can now be used to request WSD
request to be sent to specified or all peers who support WSD.

format: wifi-display <list of roles> <list of subelements>
examples:
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source] 2,3,4,5
p2p_serv_disc_req 02:01:02:03:04:05 wifi-display [pri-sink] 3
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [sec-source] 2
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source+sink] 2,3,4,5
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source][pri-sink] 2,3,4,5

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-29 19:51:29 +03:00
Jouni Malinen
337c781f9c WFD: Add wfd_subelems hexdump in BSS ctrl_iface command output
This makes it easier to parse the WFD subelements from scan results.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-29 19:51:29 +03:00
Jouni Malinen
9675ce354a WFD: Add Wi-Fi Display support
This commit adds control interface commands and internal storage of
Wi-Fi Display related configuration. In addition, WFD IE is now added
to various P2P frames, Probe Request/Response, and (Re)Association
Request/Response frames. WFD subelements from peers are stored in the
P2P peer table.

Following control interface commands are now available:
SET wifi_display <0/1>
GET wifi_display
WFD_SUBELEM_SET <subelem> [hexdump of length+body]
WFD_SUBELEM_GET <subelem>

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-29 19:51:29 +03:00
Jouni Malinen
eb7719ff22 Add support for using GCMP cipher from IEEE 802.11ad
This allows both hostapd and wpa_supplicant to be used to derive and
configure keys for GCMP. This is quite similar to CCMP key
configuration, but a different cipher suite and somewhat different rules
are used in cipher selection. It should be noted that GCMP is not
included in default parameters at least for now, so explicit
pairwise/group configuration is needed to enable it. This may change in
the future to allow GCMP to be selected automatically in cases where
CCMP could have been used.

This commit does not included changes to WPS or P2P to allow GCMP to be
used.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-29 11:52:15 +03:00
Wei-Jen Lin
e3e234fa35 nl80211: Set P2P multichan concurrency based on interface combinations
Use the NL80211_IFACE_COMB_NUM_CHANNELS value > 1 as a trigger for
enabling support for P2P multichannel channel concurrency. This does not
handle all possible details of enforcing driver capabilities, but it is
a good first step for allowing nl80211 drivers to enable multichannel
concurrency.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-28 19:31:58 +03:00
Jouni Malinen
b1f122964e Add generic GAS request mechanism
The new gas_request and gas_response_get commands can be used to request
arbitary GAS queries to be performed. These can be used with ANQP or
with other (including vendor specific) advertisement protocols.

gas_request <BSSID> <AdvProtoID> [Query]
gas_response_get <addr> <dialog token> [offset,length]

For example, ANQP query for Capability list in interactive wpa_cli
session:

> gas_request 02:00:00:00:01:00 00 000102000101
<3>GAS-RESPONSE-INFO addr=02:00:00:00:01:00 dialog_token=0
status_code=0 resp_len=32
> gas_response_get 02:00:00:00:01:00 00
01011c00010102010501070108010c01dddd0c00506f9a110200020304050607
> gas_response_get 02:00:00:00:01:00 00 0,10
01011c00010102010501
> gas_response_get 02:00:00:00:01:00 00 10,10
070108010c01dddd0c00
> gas_response_get 02:00:00:00:01:00 00 20,10
506f9a11020002030405
> gas_response_get 02:00:00:00:01:00 00 30,2
0607

It should be noted that the maximum length of the response buffer is
currently 4096 bytes which allows about 2000 bytes of the response data
to be fetched with a single gas_response_get command. If the response is
longer, it can be fetched in pieces as shown in the example above.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-27 18:13:10 +03:00
Jouni Malinen
b52f084cfa Add parameter for vendor specific elements into Beacon/Probe Response
The new vendor_elements parameter in hostapd.conf can be used to add new
vendor specific element(s) into Beacon and Probe Response frames.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-27 16:20:10 +03:00
Jouni Malinen
f9f0526bcd WPS: Maintain more AP state during WPS PIN iteration
Maintain state of WPS APs during iteration to find the correct AP for
WPS PIN operation when no specific BSSID is specified. This information
can be used for optimizing the order in which the APs are tried. This
commit is only adding the collection of the information and more
detailed debug information to make debug logs more helpful in figuring
out how the AP selection order could be improved.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-27 13:48:11 +03:00
Jouni Malinen
09bcf3be9c Clear idleWhile timer when EAP peer state machine is not in use
This allows the EAPOL tick timer to be stopped more quickly when
getting disconnected.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-26 23:35:08 +03:00
Jouni Malinen
00e5e3d509 Disable network block temporarily on authentication failures
If 4-way handshake fails due to likely PSK failure or if EAP
authentication fails, disable the network block temporarily. Use longer
duration if multiple consecutive failures are seen.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-26 23:35:07 +03:00
Jay Katabathuni
43f51e2aa0 HS 2.0: Add NAI Home Realm query
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-26 18:59:15 +03:00
Jay Katabathuni
8047b18691 Interworking: Add advertising of NAI Realm list
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-26 18:59:12 +03:00
Jay Katabathuni
a9277e85ca HS 2.0: Add advertisement of Operator Friendly Name
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 21:39:19 +03:00
Jouni Malinen
1792e58dbb Interworking: Use generic language,string parser
Replace the Venue Name specific data structure and parser with a
generic mechanism that can be used with other fields that use the
same format.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-25 21:39:00 +03:00
Jay Katabathuni
4065a3092b HS 2.0: Add advertisement of WAN Metrics
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 20:28:40 +03:00
Jay Katabathuni
5ccc54aae4 HS 2.0: Add advertisement of Connection Capability
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 19:16:09 +03:00
Jay Katabathuni
df5934f194 HS 2.0: Add advertising of Operating Class Indication
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 18:26:32 +03:00
Jay Katabathuni
7515adb2b1 Interworking: Add advertising of 3GPP Cellular Network info
The anqp_3gpp_cell_net parameter can be used to configure hostapd
to advertise 3GPP Cellular Network ANQP information.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 18:26:28 +03:00
Shan Palanisamy
78c4ef2184 Support no-config-file in WPS AP settings updates
This is required for WPS open mode with control interface -based
configuration.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 13:48:34 +03:00
Shan Palanisamy
06bb8c62ff hostapd: Add global ctrl_iface commands for adding/removing interfaces
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 13:47:49 +03:00
Shan Palanisamy
7554565299 hostapd: Add ctrl_iface for enabling/reloading/disabling interface
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 13:47:36 +03:00
Shan Palanisamy
c90fd48514 hostapd: Add global control interface
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-25 13:47:24 +03:00
Jouni Malinen
3776ac73b2 Move hostapd global callback functions into hapd_interfaces
These function pointers are going to be the same for each interface so
there is no need to keep them in struct hostapd_iface. Moving them to
struct hapd_interfaces makes it easier to add interfaces at run time.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-25 13:47:05 +03:00
Jouni Malinen
1e05192eec test: Fix driver data pointer for the P2P commands
The driver_test.c data structures had been changed to use a separate
BSS structure, but the P2P commands were not using the new design.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-24 20:44:24 +03:00
Sunil Dutt
1af1c9ceb6 P2P: Fix PD retries on delay in off channel transmission
Commit 488f4a7108 configures a timer
before p2p_send_action(). This may result in the timer getting fired
earlier to the off channel transmission of the frame and thus another PD
request being retransmitted. This shall lead to the new PD request with
an incremented dialog token being transmitted. For the cases where the
later PD request might not be transmitted as the host driver is busy
transmitting the earlier frame, the received PD response could be
dropped for the dialog token mismatch. Remove the timer configuration to
avoid this behavior.

Signed-hostap: Sunil Dutt Undekari <duttus@codeaurora.org>
intended-for: hostap-1
2012-08-24 11:54:02 +03:00
Jouni Malinen
99fcd40409 P2P: Allow scan operations during p2p_find
Previously, all station mode scan operations were either skipped or
delayed while any P2P operation was in progress. To make concurrent
operations easier to use, reduce this limitation by allowing a scan
operation to be completed in the middle of a p2p_find. In addition,
allow station mode association to be completed. When the station mode
operation is run to its completion (scan results not acted on,
connection to an AP completed, connection failed), resume the p2p_find
operation.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-23 19:42:53 +03:00
Jouni Malinen
37448ede31 P2P: Add option for adding extra delay to p2p_find
A new optional delay=<search delay in milliseconds> parameter can now be
used with p2p_find command to request an extra delay between search
iterations. This can be used, e.g., to make p2p_find friendlier to
concurrent operations by avoiding it from taking 100% of the radio
resources.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-23 18:20:58 +03:00
Jouni Malinen
065d2895b4 Add UNAUTH-TLS vendor specific EAP type
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.

The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-22 22:34:11 +03:00
Jouni Malinen
d13f9857f8 Use proper private enterprise number for EAP VENDOR-TEST
Now that the project has its own code, it should be used with the
VENDOR-TEST EAP method.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-22 21:37:19 +03:00
Jouni Malinen
0121126211 Add sha256-prf.tls into libcrypto build
This was forgotten in commit ab637dcb37.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-22 11:15:55 +03:00
Jouni Malinen
c13f0a3e00 EAP-SIM DB: Fix a memory leak on DB connection re-opening
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 21:17:26 +03:00
Jouni Malinen
704b8762a2 EAP-SIM DB: Do not require external program at startup
The previous implementation was able to re-open the connection to an
external program (e.g., hlr_auc_gw) when needed, but required the
connection to be available during startup. Extend this to allow the
initial failure, so that hlr_auc_gw can be started after hostapd.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 20:51:21 +03:00
Jouni Malinen
c7f1791970 OpenSSL: Make fips186_2_prf() easier for static analyzers
Explicitly validate seed_len to skip memset call with zero length of
copied data at the end of the buffer. This is not really needed, but it
makes the code a bit easier for static analyzers. This is identical to
the commit a9ea17491a but for the OpenSSL
version of the function.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:54:34 +03:00
Jouni Malinen
09ad3bb4d4 Remove unnecessary header file inclusion
Commit bfc62fe133 moved the code that
using crypto/random.h, but forgot to remove the inclusion of that header
file.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:44:53 +03:00
Jouni Malinen
997de7aa5c Remove unnecessary base64.h inclusion
All the TNC base64 operations are within tncs.c, so there is no point in
including base64.h into eap_server_tnc.c.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:41:45 +03:00
Jouni Malinen
34caf71a09 Handle EVENT_RX_MGMT validation consistently
All the other places processing EVENT_RX_MGMT events assume that the
event data is included, so not much point in verifying that here.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:38:27 +03:00
Jouni Malinen
41fe8b42b5 Show an error message if sending of Action frame fails
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:34:16 +03:00
Jouni Malinen
236a52fd1f RADIUS DAS: Verify that Error-Code attribute is added
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:32:35 +03:00
Jouni Malinen
75227f3ada nl80211: Print an error if WDS STA interface cannot be set up
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:28:55 +03:00
Jouni Malinen
1871f7116e wpabuf: Get rid of separate ext_data pointer
Use an explicit pointer to the beginning of the buffer and a flag
to indicate whether that is to external data or not. This avoids
a branch whenever accessing the buffer and helps some static
analyzers to understand the wpabuf memory uses better.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 18:25:25 +03:00
Jouni Malinen
3489cfb09c Use a shared helper function for merging supported rate lists
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 17:52:41 +03:00
Jouni Malinen
a2f94dbe62 Fix memory allocation failure handling in EAP-TTLS/MSCHAPv2 server
If the os_malloc() call for the User-Name value fails in EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling this cleanly as an internal error
and reject the authentication attempt.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-08-19 17:23:00 +03:00
Jouni Malinen
44ec48ebfd FIPS: Remove md5-non-fips.c
Commit c9e08af24f removed the only user of
the special case MD5 use that would be allowed in FIPS mode in
tls_prf_sha1_md5(). Commit 271dbf1594
removed the file from the build, but left the implementation into the
repository. To clean things up even further, remove this functionality
completely since it is not expected to be needed for FIPS mode anymore.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 16:53:15 +03:00
Michael Braun
be9e8c293c Add User-Name/CUI from RADIUS ACL in Accounting messages
This allows User-Name and Chargeable-User-Identity attributes to be
passed from Access-Accept into Accounting messages even when IEEE 802.1X
is not used.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-08-19 14:27:30 +03:00
Michael Braun
1a819aa7d5 Initialize EAPOL auth identity/cui with STA entry data
If RADIUS ACL was used for the STA, identity/cui may already be
known at this point.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-08-19 14:23:20 +03:00
Michael Braun
2092597fee Copy User-Name/CUI from RADIUS ACL to STA entry
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-08-19 14:20:10 +03:00
Michael Braun
35eeaac324 Store User-Name and CUI in RADIUS ACL cache
These can be used for Accounting messages when IEEE 802.1X is not used.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-08-19 14:09:28 +03:00
Jouni Malinen
bd1410197e Remove an extra level of indentation in hostapd_acl_cache_get()
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-19 13:46:23 +03:00
Jouni Malinen
7f996409e7 Fix EAP-FAST with OpenSSL 1.0.1
The mechanism to figure out key block size based on ssl->read_hash
does not seem to work with OpenSSL 1.0.1, so add an alternative
mechanism to figure out the NAC key size that seems to work at
least with the current OpenSSL 1.0.1 releases.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-08-17 23:55:14 +03:00
Jouni Malinen
c22075e144 Disable TLS Session Ticket extension by default for EAP-TLS/PEAP/TTLS
Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:26:28 +03:00
Jouni Malinen
f210493b6e Add phase1/phase2 parameter for disabling TLS Session Ticket extension
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:21:28 +03:00
Jouni Malinen
e866f39fbe OpenSSL: Add mechanism for disabling TLS Session Ticket extension
This can be used to implement workaround for authentication servers that
do not handle TLS extensions in ClientHello properly.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-17 22:18:54 +03:00
Jouni Malinen
adb9b8edc4 OpenSSL: Silence a compiler warning with OpenSSL 0.9.7
The PKCS5_PBKDF2_HMAC_SHA1() function in OpenSSL 0.9.7 did not mark
the salt parameter const even though it was not modified. Hide the
compiler warning with a type cast when an old OpenSSL version is
used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 22:56:19 +03:00
Jouni Malinen
26a379224c OpenSSL: Implement SHA256 HMAC functions using HMAC API
Use the OpenSSL HMAC implementation instead of the internal sha256.c
implementation of HMAC with SHA256.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 22:34:35 +03:00
Jouni Malinen
ab637dcb37 Move SHA256-based PRF function into a separate C file
This makes it easier to conditionally build in SHA256 functions based
on which TLS/crypto library is used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 22:24:11 +03:00
Jouni Malinen
0b5e98557e FIPS: Use OpenSSL CMAC implementation instead of aes-omac1.c
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 22:19:53 +03:00
Jouni Malinen
982bafedaf FIPS: Mix in OpenSSL RAND_bytes() into random_get_bytes()
Make sure that the OpenSSL DRBG gets used when generating
random numbers in FIPS mode.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 21:49:41 +03:00
Jouni Malinen
105f5881d5 OpenSSL: Fix crypto_hash_init() to initialize HMAC context
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-16 20:39:46 +03:00