Commit graph

530 commits

Author SHA1 Message Date
Jouni Malinen
edbd2a191e Move cipher suite selection into common helper functions
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-13 16:58:54 +02:00
Jouni Malinen
b4fd3613d3 SAE: Free temporary buffers when moving to Accepted state
Most of the variables are not needed anymore once the SAE instance
has entered Accepted state. Free these to save memory.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:54 +02:00
Jouni Malinen
6917c9e829 Allow AP mode deauth/disassoc reason code to be overridden
The optional "reason=<reason code>" parameter to the ctrl_iface
deauthenticate and disassociate commands can now be used to change the
reason code used in the disconnection frame. This can be used, e.g., by
P2P GO to disconnect a single P2P client from the group by sending it an
indication of the group getting terminated (Deauthentication frame with
reason code 3). It needs to be noted that the peer device is still in
possession on the PSK, so it can still reconnect to the group after this
if it does not follow the group termination indication.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-12 17:51:54 +02:00
Jouni Malinen
5bfc46bb55 Extra validation to keep static analyzers happy
Use of two variables to track bounds checking seems to be a bit too much
for some static analyzers, so add an extra condition for buffer padding
to avoid incorrect warnings.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
559cdabb0f Use more explicit way of copying pointer value to a buffer
The code initializing GMK Counter uses the group pointer value as extra
entropy and to distinguish different group instances. Some static
analyzers complain about the sizeof(pointer) with memcpy, so use a more
explicit type casting to make it more obvious what the code is doing.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
a50414c322 SAE: Check random_get_bytes() return value
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
625f202a74 SAE: Allow enabled groups to be configured
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
a46d72d7d7 SAE: Maintain EC group context in struct sae_data
This can be used to share same EC group context through the SAE
exchange.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
d136c376f2 SAE: Add support for Anti-Clogging mechanism
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
dd43026a19 SAE: Rename state variables to match IEEE 802.11 standard
The enum values for struct sae_data::state now match the protocol
instance states as defined in IEEE Std 802.11-2012, 11.3.8.2.2

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
47b55a3ef5 SAE: Use PMK in 4-way handshake
Use the PMK that is derived as part of the SAE authentication in the
4-way handshake instead of the PSK.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
f2e9818f73 SAE: Add processing of the confirm message
This adds validation of the received confirm messages for SAE.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
fb8fcc2950 SAE: Add generation of the confirm message fields
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
146f6c9a00 SAE: Add processing of the commit message
This adds validation of the received commit messages and key derivation
for SAE.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
8e31e9550a SAE: Add generation of the commit message fields
This adds derivation of PWE and the needed commit values so that the
full SAE commit message can be built.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
750efe6ea6 SAE: Move related operations next to each other
There is no need to keep the two SAE steps separated from each other.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
98efcc4176 SAE: Use a shared data structure for AP and station
This makes it easier to share common functions for both roles.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Johannes Berg
a9a1d0f08a hostapd: Pass VHT capabilities to driver wrapper
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-01-12 17:51:52 +02:00
Johannes Berg
fa4763369a hostapd: Allow configuring driver to VHT
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-01-12 17:51:52 +02:00
Jouni Malinen
2e8483bf12 Fix authenticator PMKSA cache expiration timer setup
The PMKSA cache expiration timer was not actually ever initialized since
the only place for registering the timeout was in the timeout handler.
Fix this by initializing the timer whenever a new PMKSA cache entry is
added to the beginning of the list (i.e., when it was the first entry or
expires before the entry that was previously going to expire first).
[Bug 393]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:21:50 +02:00
Jouni Malinen
af220315e6 Fix EAPOL frame sending to non-QoS STAs
Commit 4378fc14eb started using QoS Data
frames for QoS STAs. It used the correct flags value for WPA/RSN
EAPOL-Key frames, but wrong flags for IEEE 802.1X EAPOL frames. The
WPA_STA_WMM value used in driver_nl80211.c happens to be identical to
WLAN_STA_ASSOC in sta->flags and this makes driver_nl80211.c try to use
QoS header for all STAs. Fix this by properly converting the flags from
WLAN_STA_* to WPA_STA_*. [Bug 426]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:01:54 +02:00
Jouni Malinen
2049a875bc WNM: Additional BSS Transition Management capability
Add some more functionality for BSS Transition Management:
- advertise support for BSS Transition Management in extended
  capabilities element
- add hostapd.conf parameter bss_transition=1 for enabling support
  for BSS Transition Management
- add "hostapd_cli disassoc_imminent <STA> <num TBTTs>" for sending
  disassociation imminent notifications for testing purposes
- wpa_supplicant: trigger a new scan to find another BSS if the
  current AP indicates disassociation imminent (TODO: the old AP needs
  to be marked to use lower priority to avoid re-selecting it)

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-22 20:27:30 +02:00
Jouni Malinen
8b24861154 Add Acct-Session-Id into Access-Request messages
This optional attribute may make it easier to bind together the
Access-Request and Accounting-Request messages. The accounting session
identifier is now generated when the STA associates instead of waiting
for the actual session to start after successfull authentication.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-18 18:13:31 +02:00
Vladimir Kondratiev
7829894c21 Introduce 60 GHz band
Basic support for the 60 GHz band. Neither P2P nor WPS are yet taken
care off. Allows to start AP with very simple config:

network={
        ssid="test"
        mode=2
        frequency=60480
        key_mgmt=NONE
}

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-18 11:50:35 +02:00
Sven Eckelmann
f1b44874c2 Fix initialization of ap_table_{max_size,expiration_time}
The config says that the default for ap_table_max_size is 255 and the
default for ap_table_expiration_time is 60. But the code doesn't reflect
the default values mentioned in the sample config file.

These variables completely disable the code for Overlapping Legacy BSS
Condition by default when they are not correctly initialized. WFA
certification requires this feature and therefore an AP would have
failed the certification process unless they were initialized manually
using the configuration file.

Signed-hostap: Sven Eckelmann <sven@open-mesh.com>
Signed-hostap: Simon Wunderlich <simon@open-mesh.com>
2012-12-17 17:54:21 +02:00
Jouni Malinen
cd6be5c246 WPS: Use wps_rf_bands parameter to determine dualband functionality
If separate hostapd processes are used for different RF bands, the
dualband parameter for WPS was not set correctly. Allow dualband
indication (mainly, addition of RF bands attribute for PBC session
overlap detection) also based on wps_rf_bands value (if set to "ag").

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-17 16:06:10 +02:00
Jouni Malinen
0a66ce3c49 WNM: Add support for SSID List element matching
This allows Probe Request frame processing to compare the configured
SSID to the SSID List element in addition to the SSID element.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 21:22:24 +02:00
Jouni Malinen
b93c8509cc Add support for advertising UTF-8 SSID extended capability
This field can be used to indicate that UTF-8 encoding is used in the
SSID field.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 20:46:51 +02:00
Jouni Malinen
a8e93a1a01 WNM: Skip os_memcpy in wnmtfs_ie is NULL
It is cleaner to skip the memcpy call instead of trusting on the
length parameter being 0 in this case.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:48:39 +02:00
Jouni Malinen
835822d404 WNM: Fix GTK/IGTK encoding in WNM-Sleep Mode Exit frame
These subelements do not use AES key wrap (MFP is used instead).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:46:10 +02:00
Jouni Malinen
4da10640a7 WNM: Fix AP logic on when to include GTK/IGTK in WNM-Sleep Mode exit
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:27:09 +02:00
Jouni Malinen
615a5d559d WNM: Use defined macros for WNM-Sleep Mode Action Type values (AP)
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:24:06 +02:00
Jouni Malinen
c79938a584 WNM: Enable WNM-Sleep Mode configuration with hostapd SME/MLME
This allows hostapd to process WNM-Sleep Mode Request when using the
internal SME/MLME.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:16:17 +02:00
Jouni Malinen
ad3872a372 WNM: Use CONFIG_WNM more consistently
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. Previously it was possible to
define CONFIG_IEEE80211V without CONFIG_WNM which would break the build.
In addition, IEEE 802.11v has been merged into IEEE Std 802.11-2012 and
WNM is a better term to use for this new functionality anyway.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 18:22:54 +02:00
Jouni Malinen
b7593d35c1 Remove unnecessary PMKSA cache list modification
pmksa_cache_free_entry() takes care of updated the list head pointer
(pmksa->pmksa), so no need to do this change in the caller.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 19:45:54 +02:00
Jouni Malinen
f2a14be798 Use a shared function for freeing PSK list
There is no need to duplicate this code in multiple locations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 18:01:55 +02:00
Jouni Malinen
fc5550a1c2 Use RADIUS shared secret consistently in RX handler
Use the shared_secret pointer from RADIUS client implementation instead
of getting this from hostapd configuration data.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:57:16 +02:00
Michael Braun
5ee56c4e19 Keep and use list of PSKs per station for RADIUS-based PSK
This adds support for multiple PSKs per station when using a RADIUS
authentication server to fetch the PSKs during MAC address
authentication step. This can be useful if multiple users share a
device but each user has his or her own private passphrase.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
2ad3e6c858 Cache a list of PSK entries for RADIUS-based PSK delivery
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:57:16 +02:00
Michael Braun
14e919478e Extend radius_msg_get_tunnel_password() to support multiple passwords
The new function parameter can now be used to specify which password to
return.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2012-11-25 17:19:04 +02:00
Jouni Malinen
1a2d22a242 Remove unneeded header file inclusion
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-25 17:06:38 +02:00
Johannes Berg
3117ad4283 hostapd: Add second VHT frequency segment config
Add the configuration option vht_oper_centr_freq_seg1_idx
for the second segment of an 80+80 MHz channel and use it
when building the VHT operation IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 18:02:29 +02:00
Johannes Berg
202d97d477 hostapd: Add VHT PHY selector if VHT is required
If VHT is required, add the VHT PHY selector to
the (extended) supported rates IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 17:27:16 +02:00
Jouni Malinen
f403dcd648 HS 2.0: Maintain a copy of HS 2.0 Indication from Association Request
This allows the AP to figure out whether a station is a HS 2.0 STA
during the association and access any information that the STA may have
included in this element.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-11-24 12:24:31 +02:00
Jouni Malinen
ee431d77a5 Add preliminary support for using SQLite for eap_user database
CONFIG_SQLITE=y option can now be used to allow the eap_user_file text
file to be replaced with a SQLite database
(eap_user_file=sqlite:/path/to/sqlite.db). hostapd.eap_user_sqlite
shows an example of how the database tables can be created for this
purpose. This commit does not yet include full functionality of the
text file format, but at least basic EAP-TTLS/MSCHAPv2 style
authentication mechanisms with plaintext passwords can be used for
tests.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-21 00:47:47 +02:00
Jouni Malinen
c772d054c2 hostapd: Fix a regression in TKIP countermeasures processing
Commit 296a34f0c1 changed hostapd to
remove the internal STA entry at the beginning of TKIP countermeasures.
However, this did not take into account the case where this is triggered
by an EAPOL-Key error report from a station. In such a case, WPA
authenticator state machine may continue processing after having
processed the error report. This could result in use of freed memory.
Fix this by stopping WPA processing if the STA entry got removed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-18 13:06:03 +02:00
Jouni Malinen
8cd93a01a9 Check hapd_iface more consistently in hostapd_disable_iface()
There is no point in the hapd_iface == NULL validate after this pointer
has been dereferences, so move the code dereferencing hapd_iface after
the check.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:11:15 +02:00
Jouni Malinen
207fb86411 WPS: Remove deprecated UFD config method and OOB ctrl_iface
The UFD (USB flash drive) configuration method was deprecated in WSC
2.0. Since this is not known to be used, remove the UFD implementation
from hostapd and wpa_supplicant to allow the WPS implementation to be
cleaned up. This removes the now unused OOB operations and ctrl_iface
commands that had already been deprecated by the new NFC operations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-11 13:01:06 +02:00
Jouni Malinen
9f36eac6e5 WPS: Remove old OOB NFC interface
The old WPS interface for using NFC has no known deployments and even
the binary libraries referenced here are not easily available anymore.
Since the new interface for using NFC with WPS covers the same
functionality, remove the old implementation to clean up WPS
implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-10-28 18:20:03 +02:00
David Bird
f826635c2d Fix EAPOL processing when STA switches between multi-BSSes
There was an issue with EAPOL frame exchanges in a multi-BSS
configuration when a station switches between the BSSes controlled by
the same hostapd process. When processing the EAPOL packet, the array of
virtual APs (iface->bss) is searched looking for the station that sent
the packet in order to identify which signal context should be used
during processing. The first match of the station in its list gets used
in the ieee802_1x_receive() function. However, even after a station has
disassociated, it remains in the list of stations pending an inactivity
timeout. This leads to the wrong hapd context (one where the station had
already disassociated) being used in some cases (if the current/active
bss entry appears in the list after one where the station has just
disassociated from) for EAPOL processing.

Fix this by checking the WLAN_STA_ASSOC flag before assuming the right
hapd context was found for the given station.

Signed-hostap: David Bird <dbird@powercloudsystems.com>
intended-for: hostap-1
2012-10-25 09:20:15 +03:00