Commit graph

2470 commits

Author SHA1 Message Date
Jouni Malinen
315dbfb11e WPS: Fix a potential memory leak on wps_init() error path
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-10-02 16:51:27 +03:00
Jouni Malinen
369c8d7bcd Reserve AKM and cipher suite values
These values are used with WAPI and CCX and reserving the definitions
here reduces the number of merge conflicts with repositories that
include these functions.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-30 20:26:55 +03:00
Jouni Malinen
c10347f246 Add initial parts for SAE
This introduces new AKM for SAE and FT-SAE and adds the initial parts
for going through the SAE Authentication frame exchange. The actual SAE
algorithm and new fields in Authentication frames are not yet included
in this commit and will be added separately. This version is able to
complete a dummy authentication with the correct authentication
algorithm and transaction values to allow cfg80211/mac80211 drivers to
be tested (all the missing parts can be handled with
hostapd/wpa_supplicant changes).

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-30 19:51:07 +03:00
Jouni Malinen
905029097c Sync with linux/nl80211.h in wireless-testing.git
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-30 10:49:46 +03:00
Mykyta Iziumtsev
817762d9c4 nl80211: Don't send BSSID with disconnect command
NL80211_CMD_DISCONNECT doesn't need BSSID, because cfg80211
uses locally saved value.

Signed-hostap: Mykyta Iziumtsev <mykyta.iziumtsev@gmail.com>
2012-09-29 19:01:50 +03:00
Raja Mani
39b1572c41 Include connected time in AP mode STA-* commands
This allows hostapd_cli and wpa_cli all_sta command to be used to
display connected time (in seconds) of each station in AP mode.

Signed-hostap: Raja Mani <rmani@qca.qualcomm.com>
2012-09-26 13:52:19 +03:00
Jouni Malinen
213c1fa84d P2P: Fix ignoring of PD Response due to dialog token mismatch
Commit 6b56cc2d97 added clearing of the
p2p->pending_action_state too early in this function. This should not
be done if we are going to silently ignore the frame due to dialog
token mismatch. Fix this by moving the code around to check the dialog
token first.

This issue resulted in PD Request retries getting stopped too early if
the peer is sending out an unexpected PD Response (e.g., because of it
being excessively slow with the response so that the response is
received only after the next TX attempt with a new dialog token).

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-25 21:41:52 +03:00
Jouni Malinen
2cd0758441 P2P: Allow peer to propose channel in invitation process
Make Invitation process for re-invoking a persistent group behave
similarly to GO Negotiation as far as channel negotiation is concerned.
The Operating Channel value (if present) is used as a starting point if
the local device does not have a forced operating channel (e.g., due to
concurrent use). Channel lists from devices are then compared to check
that the selected channel is in the intersection. If not, channel is
selected based on GO Negotiation channel rules (best channel preferences
etc.). Invitation Request is rejected if no common channel can be
selected.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-24 22:15:58 +03:00
Jouni Malinen
7759fba1c2 P2P: Show own channel list in debug log
This makes it easier to debug channel negotiation mechanisms.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-24 22:14:50 +03:00
Felix Fietkau
73a3c6ffca nl80211: Use the monitor interface if socket tx status is not supported
Fixes hostapd on recent compat-wireless builds with older kernels.

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-23 13:28:31 +03:00
Felix Fietkau
9974381109 hostapd: Add check for the wds sta flag before creating 4addr VLANs
Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-23 13:25:49 +03:00
Felix Fietkau
22b42372d0 hostapd: Clear WLAN_STA_ASSOC_REQ_OK if sending the assoc response failed
As long as WLAN_STA_ASSOC_REQ_OK is set in sta->flags, Class 3 frames do
not trigger a disassoc/deauth. If it is still set even after the assoc
response tx has already failed, it may take somewhat longer for clients
to realize that the connection wasn't fully established.

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-23 13:23:16 +03:00
Felix Fietkau
92d521d89c hostapd: Send EAPOL frames from the VO queue if WMM is active
This avoids extra latency caused by establishing an aggregation session
and makes the initial connection attempt more reliable

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-15 22:40:00 -07:00
Felix Fietkau
c34e618d47 hostapd: Fix WDS VLAN bridge handling
This patch fixes an issue where removing a WDS VLAN interface also
removed the main AP interface from the same bridge.

Signed-hostap: Felix Fietkau <nbd@openwrt.org>
2012-09-15 22:38:14 -07:00
Jouni Malinen
ce6ce7fb13 hostapd: Fix CONFIG_INTERWORKING=y build without CONFIG_HS20=y
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-15 22:37:27 -07:00
Jouni Malinen
4bf3910574 Move AES-CCM implementation into src/crypto
This is a generic AES CCM implementation that can be used for other
purposes than just implementing CCMP, so it fits better in a separate
file in src/crypto.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 18:07:19 +03:00
Jouni Malinen
071c6164ab Enable 256-bit key AES in internal TLS implementation
Now that the internal AES implementation supports 256-bit keys, enable
use of the TLS cipher suites that use AES-256 regardless of which crypto
implementation is used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 14:16:05 +03:00
Jouni Malinen
802bc4211b Fix AES block size handling for internal cipher
AES uses the same 128-bit block size with 128, 192, 256 bit keys, so use
the fixed block size definition instead of trying to dynamically set the
block size based on key length. This fixes use of 192-bit and 256-bit
AES keys with crypto_cipher_*() API when using the internal AES
implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 14:12:59 +03:00
Jouni Malinen
f90a4542b4 Share common GCM-AE and GCM-AD functionality
These operations are almost identical, so use common functions to
share the same implementation.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 13:54:33 +03:00
Jouni Malinen
77b2c81275 Add aes_gmac() as a wrapper for AES GMAC operations using GCM
This is otherwise identical to aes_gcm_ae() but does not use the
plain/crypt pointers since no data is encrypted.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 13:37:50 +03:00
Jouni Malinen
d140db6adf Add support for using 192-bit and 256-bit keys with AES-GCM
This adds 192-bit and 256-bit key support to the internal AES
implementation and extends the AES-GCM functions to accept key length to
enable longer AES key use.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 13:30:51 +03:00
Jouni Malinen
af0963fab4 Support arbitrary IV length with AES-GCM
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-09 00:49:54 +03:00
Jouni Malinen
1cd7a5032a Move AES-GCM implementation into src/crypto
This is a generic AES GCM and GMAC implementation that can be used for
other purposes than just implementing GCMP, so it fits better in a
separate file in src/crypto.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-08 23:48:08 +03:00
Arik Nemtsov
4425645113 AP: Configure basic rates from iface and not conf
The conf doesn't contain any basic rates in some cases. Most notably,
when starting a P2P GO in 5 GHz. Use the iface rates which are
initialized in hostapd_prepare_rates() to the conf rates or set to
default values if no conf values exist. This fixes a bug introduced in
commit e5693c4775.

Signed-hostap: Arik Nemtsov <arik@wizery.com>
2012-09-07 00:22:40 +03:00
Jouni Malinen
f0898e9519 Make copies basic_rates list more useful
Commit e5693c4775 added a copy of the
determined basic rate set into struct hostapd_iface, but did not
actually copy the terminating -1 value. This could be problematic if
something were to actually try to use this list since would be no way to
know what is the last entry in the list. Fix this by copying the
terminating value.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-07 00:15:53 +03:00
Baruch Siach
ac947e2a83 atheros: Fix RSN capabilities debug print
Signed-hostap: Baruch Siach <baruch@tkos.co.il>
2012-09-05 19:01:11 +03:00
Jouni Malinen
d732463c47 nl80211: Register read_sta_data() handler for station only builds
This driver_op can now be used in station mode, too, to fetch
information about the connection with the AP, so allow this to be used
even if wpa_supplicant is built without AP mode support.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-05 17:07:03 +03:00
Yuhao Zheng
dc7785f845 wpa_supplicant: Add PKTCNT_POLL command to get TX/RX packet counters
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2012-09-05 17:02:02 +03:00
Jouni Malinen
a05126d620 WFD: Properly match group for WFD element in Invitation Response
The group matching should be done by comparing the P2P Interface Address
(which the group_bssid here is) to the group's BSSID and not the group
ID (which uses P2P Device Address and would have also needed the SSID).
Though, it should be noted that this case cannot really happen since a
GO in an active group would never be invited to join another group in
its GO role (i.e., if it receives an Invitation Request, it will reply
in P2P Device role). As such, this fix does not really change any
observable behavior, but anyway, it is good to keep the implementation
here consistent with the Invitation Request case.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-05 16:39:19 +03:00
Jouni Malinen
0e9c66c22d WFD: Properly match group for WFD element in Invitation Request
When building the Invitation Request for WFD use cases, match the BSSID,
i.e., P2P Interface Address, of the group on the GO to avoid using
information from another group should the device be operating multiple
concurrent groups as GO.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-09-05 16:29:44 +03:00
Jouni Malinen
e026159a8e EAP-SIM/AKA: Store pseudonym identity in configuration
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 13:04:18 +03:00
Jouni Malinen
50a7755735 EAP-SIM DB: Remove unnecessary username prefix checks
The EAP-SIM/AKA code is already validating the prefix and the following
lookup would not find matches if the prefix is incorrect, so there is no
need for the extra checks here.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 12:03:57 +03:00
Jouni Malinen
68a41bbb44 EAP-AKA server: Skip AKA/Identity exchange if EAP identity recognized
If EAP-Response/Identity includes a known pseudonym or re-auth username,
skip the AKA/Identity exchange since we already know the permanent
username of the peer.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 11:27:39 +03:00
Jouni Malinen
f585c6a6d6 EAP-SIM server: Move subtype validation from check into process
This is needed to be able to use SIM-Notification round to indicate
failure per RFC 4186, chapter 6.3.3.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 01:42:05 +03:00
Jouni Malinen
c95c8b1859 EAP-SIM server: Use Notification before EAP-Failure
RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after
Client-Error and Notification messages. Convert the direct jumps to the
FAILURE state with a notification round before sending out EAP-Failure.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 01:20:29 +03:00
Jouni Malinen
9343498989 EAP-SIM/AKA peer: Note sending of Client-Error in debug log
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 00:58:03 +03:00
Jouni Malinen
5d65ca514d EAP-SIM peer: Fix AT_COUNTER_TOO_SMALL use
The AT_NONCE_S value needs to be used in AT_MAC calculation for
SIM/Re-authentication response even if re-authentication is rejected
with AT_COUNTER_TOO_SMALL.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
2012-09-02 00:39:48 +03:00
Jouni Malinen
31a3de8af3 EAP-SIM server: Add support for AT_COUNTER_TOO_SMALL
If the peer rejects re-authentication with AT_COUNTER_TOO_SMALL, fall
back to full authentication to allow the authentication session to be
completed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 00:38:39 +03:00
Jouni Malinen
f24630d26a EAP-SIM DB: Use pointer to struct eap_sim_db_data instead of void*
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:48:48 +03:00
Jouni Malinen
2c22668c8f EAP-SIM DB: Add debug print for AKA reauth identity addition
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:41:23 +03:00
Jouni Malinen
60123b6430 EAP-AKA server: Remove unnecessary protocol version check
This validation is done automatically as part of the prefix value
use in the username.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:38:25 +03:00
Jouni Malinen
3e43a8ec4f EAP-SIM DB: Get rid of unnecessary wrapper functions
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:37:17 +03:00
Jouni Malinen
e95ffe0465 EAP-SIM DB: Return pseudonym username instead of structure with it
This cleans up the implemenation a bit.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:32:22 +03:00
Jouni Malinen
741596a817 EAP-SIM DB: Remove unneeded SQLite value copying
These fields are used only as the search key, so the value is already
known and does not need to be copied from the database.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:26:26 +03:00
Jouni Malinen
6d49d9ecb8 EAP-SIM DB: Store permanent username as string in SQLite DB
Store permanent username (i.e., including prefix character) instead of
IMSI in the SQLite DB. Convert the string to a string since the EAP-AKA
prefix can start with zero. This cleans up the field names since the
value was already with the prefix included instead of just IMSI. In
addition, this explicitly removes some theoretical cases where the
different identity types could have been mixed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:22:15 +03:00
Jouni Malinen
3961dffc13 EAP-SIM DB: Rename valid_pseudonym_string to valid_db_string
This will be used with other strings, too, so use a more generic
function name.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:17:48 +03:00
Jouni Malinen
61e181db86 EAP-SIM DB: Use char* strings instead of u8* pointer and length
Since the EAP-SIM/AKA identities are ASCII strings, there is no need to
use more complex way for storing and passing them. In addition, be more
strict about enforcing username (i.e., no realm part) to be used in the
EAP-SIM DB API. Similarly, require specific username type instead of any
of the types to be used as the key in the pseudonym and reauth
operations. This allows simpler lookup operations to be used.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 21:10:19 +03:00
Jouni Malinen
4e9015a225 EAP-SIM DB: Remove unused eap_sim_db_identity_known()
This function is not used anymore, so remove it.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 20:12:40 +03:00
Jouni Malinen
8a9f58f2cc EAP-AKA server: Store permanent username in session data
This allows identity use to be cleaned up in various operations.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 20:09:07 +03:00
Jouni Malinen
ccea4fb107 EAP-AKA server: Split fullauth setup into a separate function
This is an initial cleanup step for AKA/Identity processing.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-01 19:37:49 +03:00