Commit graph

141 commits

Author SHA1 Message Date
Jouni Malinen
de94be0acd Enforce that IEEE 802.1X EAPOL-Key Replay Counter increases
While this should not happen in practical use cases,
wpa_get_ntp_timestamp() could return the same value when called twice in
a row quickly. Work around that case by enforcing a new Replay Counter
value based on stored last value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-05-05 00:57:37 +03:00
Jouni Malinen
a40bd06e9b FILS: Fix PTK rekeying
The PMK and PMKID information from FILS ERP and FILS PMKSA caching needs
to be stored within struct wpa_state_machine for PTK to work. Without
this, PTK derivation would fail and attempt to go through rekeying would
result in disconnection. Furthermore, wpa_rekey_ptk() timer needs to be
started at the completion of FILS association since the place where it
was done for non-FILS cases at the end of 4-way handshake is not reached
when FILS authentication is used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-18 21:55:39 +03:00
Andrei Otcheretianski
6bb9d9a8db AP: Avoid NULL use with snprintf string
identity_buf may be NULL here. Handle this case explicitly by printing
"N/A" instead relying on snprintf converting this to "(null)" or some
other value based on unexpected NULL pointer.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-04-06 18:49:26 +03:00
Nils Nieuwejaar
ba4f3224ae Allow remote RADIUS authentication with local VLAN management
The documentation in the hostapd.conf file says that the dynamic_vlan
variable is used to control whether VLAN assignments are accepted from a
RADIUS server. The implication seems to be that a static VLAN assignment
will come from the accept_mac_file if dynamic_vlan is set to 0, and a
dynamic assignment will come from the RADIUS server if dynamic_vlan is
set to 1. Instead, I'm seeing that the static settings from the
accept_mac_file are ignored if dynamic_vlan is set to 0, but used if
dynamic_vlan is set to 1. If dynamic_vlan is set to 1 and the RADIUS
server does not provide a VLAN, then the accept_mac_file assignment is
overridden and the STA is assigned to the default non-VLANed interface.

If my understanding of the expected behavior is correct, then I believe
the problem is in ap_sta_set_vlan(). That routine checks the
dynamic_vlan setting, but has no way of determining whether the incoming
vlan_desc is static (i.e., from accept_mac_file) or dynamic (i.e., from
a RADIUS server).

I've attached a patch that gets hostapd working as I believe it's meant
to, and updates the documentation to make the implicit behavior
explicit.

The functional changes are:

- hostapd_allowed_address() will always extract the vlan_id from the
  accept_macs file. It will not update the vlan_id from the RADIUS cache
  if dynamic_vlan is DISABLED.

- hostapd_acl_recv_radius() will not update the cached vlan_id if
  dynamic_vlan is DISABLED.

- ieee802_1x_receive_auth() will not update the vlan_id if dynamic_vlan
  is DISABLED.

More cosmetic:

Most of the delta is just moving code out of ieee802_1x_receive_auth()
into a new ieee802_1x_update_vlan() routine. While I initially did this
because the new DISABLED check introduced excessive indentation, it has
the added advantage of eliminating the vlan_description allocation and
os_memset() call for all DYNAMIC_VLAN_DISABLED configs.

I've done a couple rounds of review offline with Michael Braun (who has
done much of the work in this part of the code) and incorporated his
feedback.

If dynamic_vlan=0 (disabled), vlan assignments will be managed using the
local accept_mac_file ACL file, even if a RADIUS server is being used
for user authentication. This allows us to manage users and devices
independently.

Signed-off-by: Nils Nieuwejaar <nils.nieuwejaar@gmail.com>
2019-01-02 23:27:49 +02:00
Jouni Malinen
28ab9344b5 Use internal EAP server identity as dot1xAuthSessionUserName
If the internal EAP server is used instead of an external RADIUS server,
sm->identity does not get set. Use the identity from the internal EAP
server in such case to get the dot1xAuthSessionUserName value in STA MIB
information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-01 21:27:54 +02:00
Jouni Malinen
6ae04d7b34 HS 2.0: Allow Hotspot 2.0 release number to be configured
The new hostapd configuration parameter hs20_release can be used to
configure the AP to advertise a specific Hotspot 2.0 release number
instead of the latest supported release. This is mainly for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:54 +02:00
Jouni Malinen
adbce7443d HS 2.0: Update HS2.0 AP version RADIUS attribute Version field
Use HS20_VERSION macro to determine if R3 should be indicated instead of
R2.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-11-09 23:38:31 +02:00
Jouni Malinen
d4e39c51f8 HS 2.0: Move Terms and Conditions Server URL generation from AP to AS
This makes it more convenient to generate the URL in a way that
interoperates between different vendors. The AP is simply copying the
already constructed URL as-is from Access-Accept to WNM-Notification.
This means that the HO AAA can generate the URL in a manner that works
for the associated T&C Server without having to coordinate with each AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-06-21 20:50:54 +03:00
Dan Harkins
d52ead3db7 EAP-pwd server: Add support for salted password databases
These changes add support for salted password databases to EAP-pwd per
RFC 8146. This commits introduces the framework for enabling this and
the salting mechanisms based on SHA-1, SHA256, and SHA512 hash
algorithms.

Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:08:51 +03:00
Jouni Malinen
f456940ef3 HS 2.0: CoA-Request processing for Terms and Conditions filtering
Extend RADIUS DAS to support CoA-Request packets for the case where the
HS 2.0 Terms And Conditions filtering VSA is used to remove filtering.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-25 12:57:46 +03:00
Jouni Malinen
8760b9848c HS 2.0: Send Terms and Conditions Acceptance notification
This extends hostapd Access-Accept processing to check if the RADIUS
server indicated that Terms and Conditions Acceptance is required. The
new hs20_t_c_server_url parameter is used to specify the server URL
template that the STA is requested to visit.

This commit does not enable any kind of filtering, i.e., only the part
of forwarding a request from Access-Accept to the STA using
WNM-Notification is covered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
6cb8f4f382 HS 2.0: Terms and Conditions attributes in Access-Request messages
This extends hostapd with two new configuration parameters
(hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify
that the Terms and Conditions attributes are to be added into all
Access-Request messages for Hotspot 2.0 STAs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
67cca34645 HS 2.0: Copy Roaming Consortium OI from (Re)AssocReq to Access-Request
This extends hostapd processing of (Re)Association Request frames to
store a local copy of the Consortium OI within the Roaming Consortium
Selection element, if present, and then add that in HS 2.0 Roaming
Consortium attribute into RADIUS Access-Request messages.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Michael Braun
13f118dc59 Convert STA session_timeout to os_reltime
This is needed to allow the remaining session time to be computed for FT
(when sending PMK-R1 to another AP).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:48:11 +03:00
Michael Braun
17010c38d0 FT: Add IEEE VLAN support (including tagged VLANs)
This uses set_vlan()/get_vlan() callbacks to fetch and configure the
VLAN of STA. Transmission of VLAN information between APs uses new TLVs.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-06 19:01:13 +03:00
Jouni Malinen
5d5ee699a5 Copy WLAN-Reason-Code value from Access-Reject to Deauthentication
This makes hostapd use the WLAN-Reason-Code value from Access-Reject
when disconnecting a station due to IEEE 802.1X authentication failure.
If the RADIUS server does not include this attribute, the default value
23 (IEEE 802.1X authentication failed) is used. That value was the
previously hardcoded reason code.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-01-12 20:55:33 +02:00
Jouni Malinen
6418400db9 Add hostapd tls_flags parameter
This can be used to set the TLS flags for authentication server.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
567da5bbd0 DPP: Add new AKM
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
a1ea1b4522 OWE: Define and parse OWE AKM selector
This adds a new RSN AKM "OWE".

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
95de34a10a Remove trailing whitespace
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:31:42 +02:00
Jouni Malinen
0f5eb69f85 Use eloop timeout for post-EAP-Failure wait before disconnection
Previously, os_sleep() was used to block the hostapd (or wpa_supplicant
AP/P2P GO mode) processing between sending out EAP-Failure and
disconnecting the STA. This is not ideal for couple of reasons: it
blocks all other parallel operations in the process and it leaves a
window during which the station might deauthenticate and the AP would
have no option for reacting to that before forcing out its own
Deauthentication frame which could go out after the STA has already
started new connection attempt.

Improve this design by scheduling an eloop timeout of 10 ms instead of
the os_sleep() call and perform the delayed operations from the eloop
callback function. This eloop timeout is cancelled if the STA
disconnects or initiates a new connection attempt before the 10 ms time
is reached. This gets rid of the confusing extra Deauthentication frame
in cases where the STA reacts to EAP-Failure by an immediate
deauthentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-08 18:56:02 +02:00
Ilan Peer
4ec1fd8e42 FT: Differentiate between FT for station and for AP in build
Previously, CONFIG_IEEE80211R enabled build that supports FT for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode FT is required and there is no need for AP mode FT.

Add support to differentiate between station mode FT and AP mode FT in
wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used
when AP mode FT support is required in addition to station mode FT. This
allows binary size to be reduced for builds that require only the
station side FT functionality.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2016-10-29 22:14:54 +03:00
Jouni Malinen
ff338fab92 FILS: Setup EAPOL state machines properly after FILS association (AP)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-26 00:41:04 +03:00
Jouni Malinen
c4fd6d8aa8 FILS: Process FILS Authentication frame (AP)
This implements processing of FILS Authentication frame for FILS shared
key authentication with ERP and PMKSA caching.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:27:01 +03:00
Jouni Malinen
c30bd28b14 FILS: Export IEEE 802.1X helper functions
ieee802_1x_encapsulate_radius() and ieee802_1x_alloc_eapol_sm() need to
be called from FILS processing.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Jouni Malinen
a6228b8ed6 ERP: Update client identity based on EAP-Initiate/Re-auth
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-22 23:13:17 +03:00
Nick Lowe
8468189e90 Do not include NAS-Port attribute with AID 0
Do not include a NAS-Port attribute in Access-Request and
Accounting-Request packets where the Association ID (AID) is 0, i.e.,
not yet assigned or known.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-08-13 10:28:01 +03:00
Eliad Peller
f2accfe708 AP: Save EAPOL received before Association Response ACK
There is a race condition in which AP might receive the EAPOL-Start
frame (from the just-associated station) before the TX completion of the
Association Response frame. This in turn will cause the EAPOL-Start
frame to get dropped, and potentially failing the connection.

Solve this by saving EAPOL frames from authenticated-but-not-associated
stations, and handling them during the Association Response frame TX
completion processing.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2016-03-06 17:08:12 +02:00
Nick Lowe
8c676b5056 Add RADIUS Service-Type attribute with a value of Framed
This seems to be the common value used by APs and also mentioned in RFC
3580.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-19 18:44:39 +02:00
Nick Lowe
1492fbb90c Print Acct-Session-Id and Acct-Multi-Session-Id 64-bit values
These are now 64-bit variables and the printf formats and type casts
need to be updated to match.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-18 20:58:21 +02:00
Michael Braun
8e44c192da radius: Add tagged VLAN parsing
1. Add tagged VLAN to struct vlan_description
    (compile limited number of tagged VLANs per description)
    For k tagged VLANs, the first k entries in vlan_description.tagged
    are used. They are sorted in ascending order. All other entries are
    zero. This way os_memcmp() can find identical configurations.
2. Let tagged VLANs be parsed from RADIUS Access-Accept
3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Michael Braun
1889af2e0f VLAN: Separate station grouping and uplink configuration
Separate uplink configuration (IEEE 802.1q VID) and grouping of stations
into AP_VLAN interfaces.

The int vlan_id will continue to identify the AP_VLAN interface the
station should be assigned to. Each AP_VLAN interface corresponds to an
instance of struct hostapd_vlan that is uniquely identified by int
vlan_id within an BSS.

New: Each station and struct hostapd_vlan holds a struct
vlan_description vlan_desc member that describes the uplink
configuration requested. Currently this is just an int untagged IEEE
802.1q VID, but can be extended to tagged VLANs and other settings
easily.

When the station was about to be assigned its vlan_id, vlan_desc and
vlan_id will now be set simultaneously by ap_sta_set_vlan(). So
sta->vlan_id can still be tested for whether the station needs to be
moved to an AP_VLAN interface.

To ease addition of tagged VLAN support, a member notempty is added to
struct vlan_description. Is is set to 1 if an untagged or tagged VLAN
assignment is requested and needs to be validated. The inverted form
allows os_zalloc() to initialize an empty description.

Though not depended on by the code, vlan_id assignment ensures:
  * vlan_id = 0 will continue to mean no AP_VLAN interface
  * vlan_id < 4096 will continue to mean vlan_id = untagged vlan id
    with no per_sta_vif and no extra tagged vlan.
  * vlan_id > 4096 will be used for per_sta_vif and/or tagged vlans.

This way struct wpa_group and drivers API do not need to be changed in
order to implement tagged VLANs or per_sta_vif support.

DYNAMIC_VLAN_* will refer to (struct vlan_description).notempty only,
thus grouping of the stations for per_sta_vif can be used with
DYNAMIC_VLAN_DISABLED, but not with CONFIG_NO_VLAN, as struct
hostapd_vlan is still used to manage AP_VLAN interfaces.

MAX_VLAN_ID will be checked in hostapd_vlan_valid and during setup of
VLAN interfaces and refer to IEEE 802.1q VID. VLAN_ID_WILDCARD will
continue to refer to int vlan_id.

Renaming vlan_id to vlan_desc when type changed from int to struct
vlan_description was avoided when vlan_id was also used in a way that
did not depend on its type (for example, when passed to another
function).

Output of "VLAN ID %d" continues to refer to int vlan_id, while "VLAN
%d" will refer to untagged IEEE 802.1q VID.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:11 +02:00
Nick Lowe
2cbc6ffb3a RADIUS: Redesign Request Authenticator generation
Simplify and make properly random the generation of the Request
Authenticator.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:19:35 +02:00
Nick Lowe
b71a64aa01 Send an Acct-Multi-Session-Id attribute in Access-Request packets
Previously, this was included only in Accounting-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:13:21 +02:00
Nick Lowe
d72a00539c RADIUS: Use more likely unique accounting Acct-{,Multi-}Session-Id
Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to
give better global and temporal uniqueness. Previously, only 32-bits of
the Acct-Session-Id would contain random data, the other 32-bits would
be incremented. Previously, the Acct-Multi-Session-Id would not use
random data. Switch from two u32 variables to a single u64 for the
Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves
no legitimate purpose. Exclusively use os_get_random() to get quality
random numbers, do not use or mix in the time. Inherently take a
dependency on /dev/urandom working properly therefore. Remove the global
Acct-Session-Id and Acct-Multi-Session-Id values that serve no
legitimate purpose.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:10:19 +02:00
Jouni Malinen
d689317ddb EAPOL auth: Move radius_cui/identity freeing to eapol_auth_free()
These can get allocated within eapol_auth_alloc(), so it is more logical
to free them in eapol_auth_free() instead of ieee802_1x_free_station()
that ends up calling eapol_auth_free().

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-06 16:32:22 +02:00
Jouni Malinen
d7c3347f59 HS 2.0: Postpone WNM-Notification sending by 100 ms
This makes it somewhat easier for the station to be able to receive and
process the encrypted WNM-Notification frames that the AP previously
sentt immediately after receiving EAPOL-Key msg 4/4. While the station
is supposed to have the TK configured for receive before sending out
EAPOL-Key msg 4/4, not many actual implementations do that. As such,
there is a race condition in being able to configure the key at the
station and the AP sending out the first encrypted frame after EAPOL-Key
4/4. The extra 100 ms time here makes it more likely for the station to
have managed to configure the key in time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-31 21:46:08 +02:00
Jouni Malinen
5bd9be4d17 Fix RADIUS Called-Station-Id to not escape SSID
Commit 986de33d5c ('Convert remaining SSID
routines from char* to u8*') started using wpa_ssid_txt() to print out
the SSID for the Called-Station-Id attribute in RADIUS messages. This
was further modified by commit 6bc1f95613
('Use printf escaping in SSID-to-printable-string conversion') to use
printf escaping (though, even without this, wpa_ssid_txt() would have
masked characters).

This is not desired for Called-Station-Id attribute. While it is defined
as a "String", RFC 2865 indicates that "a robust implementation SHOULD
support the field as undistinguished octets.".

Copy the SSID as an array of arbitrary octets into Called-Station-Id to
avoid any kind of masking or escaping behavior. This goes a step further
from the initial implementation by allowing even the possible (but
unlikely in practical use cases) 0x00 octet in the middle of an SSID.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-24 12:15:36 +02:00
Jouni Malinen
f68d491b0a FT auth: Fix EAPOL reauthentication after FT protocol run
The EAPOL AUTH_PAE state machine was left in incomplete state at the
completion of FT protocol. Set portValid = TRUE to allow the state
machine to proceed from AUTHENTICATING to AUTHENTICATED state, so that a
new EAPOL reauthentication can be triggered.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-11-19 21:16:06 +02:00
Jouni Malinen
207976f053 Fix Suite B 192-bit AKM to use proper PMK length
In addition to the PTK length increasing, the length of the PMK was
increased (from 256 to 384 bits) for the 00-0f-ac:12 AKM. This part was
missing from the initial implementation and a fixed length (256-bit) PMK
was used for all AKMs.

Fix this by adding more complete support for variable length PMK and use
384 bits from MSK instead of 256 bits when using this AKM. This is not
backwards compatible with the earlier implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 18:43:26 +03:00
Jouni Malinen
ae7d9fbd3d Remove unreachable PMKSA cache entry addition on Access-Accept
The previous implementation used an obsolete sm->eapol_key_crypt pointer
which was not set anywhere (i.e., was always NULL). In addition, the
condition of sm->eap_if->eapKeyAvailable was not valid here since this
is the case of MSK from an external authentication server and not the
internal EAP server. Consequently, the wpa_auth_pmksa_add() call here
was never used.

The PMKSA cache was still added, but it happened at the completion of
the 4-way handshake rather than at the completion of EAP authentication.
That later location looks better, so delete the unreachable code in
Access-Accept handling. In addition, remove the now complete unused
struct eapol_state_machine eapol_key_* variables.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 18:43:26 +03:00
Jouni Malinen
1b822f52e6 hostapd: Fix WPA, IEEE 802.1X, and WPS deinit in cases where init fails
With driver wrappers that implement set_privacy(), set_generic_elem(),
set_ieee8021x(), or set_ap_wps_ie(), it was possible to hit a NULL
pointer dereference in error cases where interface setup failed and
the network configuration used WPA/WPA2, IEEE 802.1X, or WPS.

Fix this by skipping the driver operations in case the driver interface
is not initialized.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-14 18:42:07 +03:00
Jouni Malinen
681e199dfb EAP server: Add tls_session_lifetime configuration
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Jouni Malinen
7cb53ded11 Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.

This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-02 16:52:56 +03:00
Jouni Malinen
e03e56c3d6 Comment out EAPOL-Key WEP support in CONFIG_FIPS=y build
This avoids a call to hmac_md5() to fix the build. The EAPOL-Key frame
TX code is not applicable for any FIPS mode operation, so the simplest
approach is to remove this from the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:49:34 +03:00
Jouni Malinen
bfc284c5c7 Make ieee802_1x_tx_key() static
This is used only within ieee802_1x.c.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-01 15:45:18 +03:00
Jouni Malinen
c99df20192 Remove redundant NULL check in ieee802_1x_encapsulate_radius()
The eap argument to this function is never NULL and the earlier
ieee802_1x_learn_identity() call is dereferencing it anyway, so there is
no point in checking whether it is NULL later in the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-23 18:18:25 +03:00
Jouni Malinen
3dce85ceb0 HS 2.0: Add WLAN RADIUS attributes in OSEN case
Previously, the common WLAN-* RADIUS attributes were added only when WPA
or WPA2 was used. These can be of use for OSEN as well, so include them
in that case, too.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-20 23:04:32 +03:00
Jouni Malinen
a6da824b19 Do not use C++ reserved words as variable names
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-26 13:36:55 +03:00