aboutsummaryrefslogtreecommitdiffstats
path: root/hostapd
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2010-08-24 13:35:37 (GMT)
committerJouni Malinen <j@w1.fi>2010-08-24 13:35:37 (GMT)
commit5a1cc30f1a04eb19d315680928927651024e172e (patch)
tree82e65c10383abadbbb918711c46c2a22672ca8d7 /hostapd
parent944814106ec9c9f502ce4329783dd47c6f3d5fbd (diff)
downloadhostap-5a1cc30f1a04eb19d315680928927651024e172e.zip
hostap-5a1cc30f1a04eb19d315680928927651024e172e.tar.gz
hostap-5a1cc30f1a04eb19d315680928927651024e172e.tar.bz2
WPS: Add support for dynamic AP PIN management
A new hostapd_cli command, wps_ap_pin, can now be used to manage AP PIN at runtime. This can be used to generate a random AP PIN and to only enable the AP PIN for short period (e.g., based on user action on the AP device). Use of random AP PIN that is only enabled for short duration is highly recommended to avoid security issues with a static AP PIN.
Diffstat (limited to 'hostapd')
-rw-r--r--hostapd/README-WPS27
-rw-r--r--hostapd/ctrl_iface.c56
-rw-r--r--hostapd/hostapd.conf8
-rw-r--r--hostapd/hostapd_cli.c23
4 files changed, 112 insertions, 2 deletions
diff --git a/hostapd/README-WPS b/hostapd/README-WPS
index b5fa86b..74f2113 100644
--- a/hostapd/README-WPS
+++ b/hostapd/README-WPS
@@ -195,6 +195,33 @@ which will generate a new WPA PSK in the same way as the PIN method
described above.
+When an external Registrar is used, the AP can act as an Enrollee and
+use its AP PIN. A static AP PIN (e.g., one one a label in the AP
+device) can be configured in hostapd.conf (ap_pin parameter). A more
+secure option is to use hostapd_cli wps_ap_pin command to enable the
+AP PIN only based on user action (and even better security by using a
+random AP PIN for each session, i.e., by using "wps_ap_pin random"
+command with a timeout value). Following commands are available for
+managing the dynamic AP PIN operations:
+
+hostapd_cli wps_ap_pin disable
+- disable AP PIN (i.e., do not allow external Registrars to use it to
+ learn the current AP settings or to reconfigure the AP)
+
+hostapd_cli wps_ap_pin random [timeout]
+- generate a random AP PIN and enable it
+- if the optional timeout parameter is given, the AP PIN will be enabled
+ for the specified number of seconds
+
+hostapd_cli wps_ap_pin get
+- fetch the current AP PIN
+
+hostapd_cli wps_ap_pin set <PIN> [timeout]
+- set the AP PIN and enable it
+- if the optional timeout parameter is given, the AP PIN will be enabled
+ for the specified number of seconds
+
+
Credential generation and configuration changes
-----------------------------------------------
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index 9ef576d..9c47ba8 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -313,6 +313,59 @@ static int hostapd_ctrl_iface_wps_oob(struct hostapd_data *hapd, char *txt)
return hostapd_wps_start_oob(hapd, txt, path, method, name);
}
#endif /* CONFIG_WPS_OOB */
+
+
+static int hostapd_ctrl_iface_wps_ap_pin(struct hostapd_data *hapd, char *txt,
+ char *buf, size_t buflen)
+{
+ int timeout = 300;
+ char *pos;
+ const char *pin_txt;
+
+ pos = os_strchr(txt, ' ');
+ if (pos)
+ *pos++ = '\0';
+
+ if (os_strcmp(txt, "disable") == 0) {
+ hostapd_wps_ap_pin_disable(hapd);
+ return os_snprintf(buf, buflen, "OK\n");
+ }
+
+ if (os_strcmp(txt, "random") == 0) {
+ if (pos)
+ timeout = atoi(pos);
+ pin_txt = hostapd_wps_ap_pin_random(hapd, timeout);
+ if (pin_txt == NULL)
+ return -1;
+ return os_snprintf(buf, buflen, "%s", pin_txt);
+ }
+
+ if (os_strcmp(txt, "get") == 0) {
+ pin_txt = hostapd_wps_ap_pin_get(hapd);
+ if (pin_txt == NULL)
+ return -1;
+ return os_snprintf(buf, buflen, "%s", pin_txt);
+ }
+
+ if (os_strcmp(txt, "set") == 0) {
+ char *pin;
+ if (pos == NULL)
+ return -1;
+ pin = pos;
+ pos = os_strchr(pos, ' ');
+ if (pos) {
+ *pos++ = '\0';
+ timeout = atoi(pos);
+ }
+ if (os_strlen(pin) > buflen)
+ return -1;
+ if (hostapd_wps_ap_pin_set(hapd, pin, timeout) < 0)
+ return -1;
+ return os_snprintf(buf, buflen, "%s", pin);
+ }
+
+ return -1;
+}
#endif /* CONFIG_WPS */
@@ -426,6 +479,9 @@ static void hostapd_ctrl_iface_receive(int sock, void *eloop_ctx,
if (hostapd_ctrl_iface_wps_oob(hapd, buf + 8))
reply_len = -1;
#endif /* CONFIG_WPS_OOB */
+ } else if (os_strncmp(buf, "WPS_AP_PIN ", 11) == 0) {
+ reply_len = hostapd_ctrl_iface_wps_ap_pin(hapd, buf + 11,
+ reply, reply_size);
#endif /* CONFIG_WPS */
} else {
os_memcpy(reply, "UNKNOWN COMMAND\n", 16);
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index e948c20..56b54cf 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -916,9 +916,13 @@ own_ip_addr=127.0.0.1
# nfc_interface push_button keypad
#config_methods=label display push_button keypad
-# Access point PIN for initial configuration and adding Registrars
+# Static access point PIN for initial configuration and adding Registrars
# If not set, hostapd will not allow external WPS Registrars to control the
-# access point.
+# access point. The AP PIN can also be set at runtime with hostapd_cli
+# wps_ap_pin command. Use of temporary (enabled by user action) and random
+# AP PIN is much more secure than configuring a static AP PIN here. As such,
+# use of the ap_pin parameter is not recommended if the AP device has means for
+# displaying a random PIN.
#ap_pin=12345670
# Skip building of automatic WPS credential
diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c
index 889018a..589530e 100644
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -94,6 +94,7 @@ static const char *commands_help =
#ifdef CONFIG_WPS_OOB
" wps_oob <type> <path> <method> use WPS with out-of-band (UFD)\n"
#endif /* CONFIG_WPS_OOB */
+" wps_ap_pin <cmd> [params..] enable/disable AP PIN\n"
#endif /* CONFIG_WPS */
" help show this usage help\n"
" interface [ifname] show interfaces/select interface\n"
@@ -405,6 +406,27 @@ static int hostapd_cli_cmd_wps_oob(struct wpa_ctrl *ctrl, int argc,
return wpa_ctrl_command(ctrl, cmd);
}
#endif /* CONFIG_WPS_OOB */
+
+
+static int hostapd_cli_cmd_wps_ap_pin(struct wpa_ctrl *ctrl, int argc,
+ char *argv[])
+{
+ char buf[64];
+ if (argc < 1) {
+ printf("Invalid 'wps_ap_pin' command - at least one argument "
+ "is required.\n");
+ return -1;
+ }
+ if (argc > 2)
+ snprintf(buf, sizeof(buf), "WPS_AP_PIN %s %s %s",
+ argv[0], argv[1], argv[2]);
+ else if (argc > 1)
+ snprintf(buf, sizeof(buf), "WPS_AP_PIN %s %s",
+ argv[0], argv[1]);
+ else
+ snprintf(buf, sizeof(buf), "WPS_AP_PIN %s", argv[0]);
+ return wpa_ctrl_command(ctrl, buf);
+}
#endif /* CONFIG_WPS */
@@ -567,6 +589,7 @@ static struct hostapd_cli_cmd hostapd_cli_commands[] = {
#ifdef CONFIG_WPS_OOB
{ "wps_oob", hostapd_cli_cmd_wps_oob },
#endif /* CONFIG_WPS_OOB */
+ { "wps_ap_pin", hostapd_cli_cmd_wps_ap_pin },
#endif /* CONFIG_WPS */
{ "help", hostapd_cli_cmd_help },
{ "interface", hostapd_cli_cmd_interface },