path: root/src/ap/ieee802_11_auth.c
Commit log (each entry: commit message, author, date, files changed, lines changed)
* Fix possible memory leak of RADIUS data in handle_auth()
  Michael Braun, 2019-12-29, 1 file changed, -28/+4

  When returning from handle_auth() after ieee802_11_allowed_address() returned HOSTAPD_ACL_ACCEPT, but before ieee802_11_set_radius_info() has been called, identity, radius_cui, and psk might not have been consumed. Fix this by avoiding the need to free these variables at all.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Make hostapd_copy_psk_list() non-static
  Michael Braun, 2019-12-29, 1 file changed, -13/+13

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Move the RADIUS cached attributes into a struct
  Michael Braun, 2019-12-29, 1 file changed, -93/+67

  This makes it easier to pass these around and to add new attributes.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Allow remote RADIUS authentication with local VLAN management
  Nils Nieuwejaar, 2019-01-02, 1 file changed, -7/+7

  The documentation in the hostapd.conf file says that the dynamic_vlan variable is used to control whether VLAN assignments are accepted from a RADIUS server. The implication seems to be that a static VLAN assignment will come from the accept_mac_file if dynamic_vlan is set to 0, and a dynamic assignment will come from the RADIUS server if dynamic_vlan is set to 1.

  Instead, I'm seeing that the static settings from the accept_mac_file are ignored if dynamic_vlan is set to 0, but used if dynamic_vlan is set to 1. If dynamic_vlan is set to 1 and the RADIUS server does not provide a VLAN, then the accept_mac_file assignment is overridden and the STA is assigned to the default non-VLANed interface.

  If my understanding of the expected behavior is correct, then I believe the problem is in ap_sta_set_vlan(). That routine checks the dynamic_vlan setting, but has no way of determining whether the incoming vlan_desc is static (i.e., from accept_mac_file) or dynamic (i.e., from a RADIUS server).

  I've attached a patch that gets hostapd working as I believe it's meant to, and updates the documentation to make the implicit behavior explicit.

  The functional changes are:
  - hostapd_allowed_address() will always extract the vlan_id from the accept_macs file. It will not update the vlan_id from the RADIUS cache if dynamic_vlan is DISABLED.
  - hostapd_acl_recv_radius() will not update the cached vlan_id if dynamic_vlan is DISABLED.
  - ieee802_1x_receive_auth() will not update the vlan_id if dynamic_vlan is DISABLED.

  More cosmetic: Most of the delta is just moving code out of ieee802_1x_receive_auth() into a new ieee802_1x_update_vlan() routine. While I initially did this because the new DISABLED check introduced excessive indentation, it has the added advantage of eliminating the vlan_description allocation and os_memset() call for all DYNAMIC_VLAN_DISABLED configs.

  I've done a couple rounds of review offline with Michael Braun (who has done much of the work in this part of the code) and incorporated his feedback.

  If dynamic_vlan=0 (disabled), vlan assignments will be managed using the local accept_mac_file ACL file, even if a RADIUS server is being used for user authentication. This allows us to manage users and devices independently.

  Signed-off-by: Nils Nieuwejaar <nils.nieuwejaar@gmail.com>
* Extend ACL check for Probe Request frames
  Tamizh chelvam, 2018-03-02, 1 file changed, -1/+9

  Extend ACL check to deny Probe Request frames for the client which does not pass ACL check. Skip this check for the case where RADIUS ACL is used to avoid excessive load on the RADIUS authentication server due to Probe Request frames. This patch adds a wpa_msg event for auth and assoc rejection due to ACL reject.

  Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
* Use os_memdup()
  Johannes Berg, 2017-03-07, 1 file changed, -2/+1

  This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively.

  The mechanical conversions all over the code were done with the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* Fix MAC ACL query freeing on deinit
  Jouni Malinen, 2017-02-08, 1 file changed, -0/+2

  hapd->acl_cache and hapd->acl_queries were not reset back to NULL in hostapd_acl_deinit() when cached results and pending ACL queries were freed. This left stale pointers to freed memory in hapd. While this was normally followed by freeing of the hapd data, it is possible to re-use that hapd when disabling and re-enabling an interface. That sequence could result in use of freed memory if done while there were cached results or pending ACL operations with a RADIUS server (especially, if that server did not reply). Fix this by setting hapd->acl_queries to NULL when the pending entries are freed.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* RADIUS: Fix possible memory leak when parsing per-STA passphrase
  Ayala Beker, 2016-04-08, 1 file changed, -1/+2

  Fix a possible memory leak in decode_tunnel_passwords() if an invalid passphrase is received from the RADIUS server.

  Signed-off-by: Ayala Beker <ayala.beker@intel.com>
* RADIUS: Allow RADIUS server to provide PSK instead of passphrase
  Michael Braun, 2016-02-28, 1 file changed, -4/+24

  If the AP is slow, passphrase hashing takes too long to serve the client before timeout. Extend the Tunnel-Password design to allow a 64 character value to be interpreted as a PSK and send SSID to RADIUS server. This allows the RADIUS server to either take care of passphrase hashing or to use raw PSK without such hashing. This is especially important for FT-PSK with FT-over-air, where hashing cannot be deferred.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Cache hashed passphrase in RADIUS-based PSK delivery
  Michael Braun, 2016-02-28, 1 file changed, -17/+13

  Instead of copying the full struct hostapd_sta_wpa_psk_short, share the existing entry and use reference counting to check when it needs to be freed. This allows caching of PSKs derived from passphrases to avoid having to perform the heavy hashing operation multiple times.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Defer passphrase-to-PSK hashing out of 802.11 authentication ACL check
  Michael Braun, 2016-02-28, 1 file changed, -10/+6

  Hashing takes quite some time (can be about one second on a low-power CPU for each passphrase provided), so hostapd can easily hit the 900 ms Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can be fixed by storing the passphrase instead of PSK with the STA and defer the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs.

  This applies for the case where a RADIUS server is used to store the per-STA passphrases and this passphrase is delivered as part of the MAC ACL check during IEEE 802.11 Authentication frame processing.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* radius: Add tagged VLAN parsing
  Michael Braun, 2016-02-17, 1 file changed, -4/+10

  1. Add tagged VLAN to struct vlan_description (compile limited number of tagged VLANs per description). For k tagged VLANs, the first k entries in vlan_description.tagged are used. They are sorted in ascending order. All other entries are zero. This way os_memcmp() can find identical configurations.
  2. Let tagged VLANs be parsed from RADIUS Access-Accept
  3. Print VLAN %d+ with %d=untagged VID if tagged VLANs are set
  4. Select an unused vlan_id > 4096 for new tagged VLAN configurations
  5. Add EGRESS_VLAN RADIUS attribute parsing also for untagged VLANs

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* VLAN: Separate station grouping and uplink configuration
  Michael Braun, 2016-02-17, 1 file changed, -12/+16

  Separate uplink configuration (IEEE 802.1q VID) and grouping of stations into AP_VLAN interfaces.

  The int vlan_id will continue to identify the AP_VLAN interface the station should be assigned to. Each AP_VLAN interface corresponds to an instance of struct hostapd_vlan that is uniquely identified by int vlan_id within a BSS.

  New: Each station and struct hostapd_vlan holds a struct vlan_description vlan_desc member that describes the uplink configuration requested. Currently this is just an int untagged IEEE 802.1q VID, but can be extended to tagged VLANs and other settings easily.

  When the station was about to be assigned its vlan_id, vlan_desc and vlan_id will now be set simultaneously by ap_sta_set_vlan(). So sta->vlan_id can still be tested for whether the station needs to be moved to an AP_VLAN interface.

  To ease addition of tagged VLAN support, a member notempty is added to struct vlan_description. It is set to 1 if an untagged or tagged VLAN assignment is requested and needs to be validated. The inverted form allows os_zalloc() to initialize an empty description.

  Though not depended on by the code, vlan_id assignment ensures:
    * vlan_id = 0 will continue to mean no AP_VLAN interface
    * vlan_id < 4096 will continue to mean vlan_id = untagged vlan id with no per_sta_vif and no extra tagged vlan.
    * vlan_id > 4096 will be used for per_sta_vif and/or tagged vlans.

  This way struct wpa_group and drivers API do not need to be changed in order to implement tagged VLANs or per_sta_vif support.

  DYNAMIC_VLAN_* will refer to (struct vlan_description).notempty only, thus grouping of the stations for per_sta_vif can be used with DYNAMIC_VLAN_DISABLED, but not with CONFIG_NO_VLAN, as struct hostapd_vlan is still used to manage AP_VLAN interfaces.

  MAX_VLAN_ID will be checked in hostapd_vlan_valid and during setup of VLAN interfaces and refer to IEEE 802.1q VID. VLAN_ID_WILDCARD will continue to refer to int vlan_id.

  Renaming vlan_id to vlan_desc when type changed from int to struct vlan_description was avoided when vlan_id was also used in a way that did not depend on its type (for example, when passed to another function).

  Output of "VLAN ID %d" continues to refer to int vlan_id, while "VLAN %d" will refer to untagged IEEE 802.1q VID.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* RADIUS: Redesign Request Authenticator generation
  Nick Lowe, 2016-02-06, 1 file changed, -1/+4

  Simplify and make properly random the generation of the Request Authenticator.

  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* hostapd: Process MAC ACLs on a station association event (SME in driver)
  Anton Nayshtut, 2015-11-17, 1 file changed, -16/+34

  Now hostapd will use station MAC-based permissions according to the macaddr_acl policy also for drivers which use AP SME offload, but do not support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It should be noted that in this type of case the association goes through and the station gets disconnected immediately after that.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Move hostapd_acl_expire() to use common AP periodic cleanup mechanism
  Jouni Malinen, 2015-07-20, 1 file changed, -10/+2

  This reduces number of periodic eloop timeouts when AP mode operations are in progress.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* vlan: Verify RADIUS returned VLAN-ID and dynamic_vlan=required
  Michael Braun, 2015-04-25, 1 file changed, -0/+13

  This extends dynamic_vlan=required checks to apply for WPA-PSK with macaddr_acl=2 (RADIUS) case.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Use monotonic clock for RADIUS cache timeouts
  Johannes Berg, 2013-12-08, 1 file changed, -19/+19

  Use monotonic clock for both cache and query timeouts.

  Signed-hostap: Johannes Berg <johannes.berg@intel.com>
* Use a shared function for freeing PSK list
  Jouni Malinen, 2012-11-25, 1 file changed, -6/+11

  There is no need to duplicate this code in multiple locations.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Use RADIUS shared secret consistently in RX handler
  Jouni Malinen, 2012-11-25, 1 file changed, -4/+5

  Use the shared_secret pointer from RADIUS client implementation instead of getting this from hostapd configuration data.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Cache a list of PSK entries for RADIUS-based PSK delivery
  Michael Braun, 2012-11-25, 1 file changed, -40/+89

  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Extend radius_msg_get_tunnel_password() to support multiple passwords
  Michael Braun, 2012-11-25, 1 file changed, -1/+1

  The new function parameter can now be used to specify which password to return.

  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Copy User-Name/CUI from RADIUS ACL to STA entry
  Michael Braun, 2012-08-19, 1 file changed, -3/+35

  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Store User-Name and CUI in RADIUS ACL cache
  Michael Braun, 2012-08-19, 1 file changed, -2/+27

  These can be used for Accounting messages when IEEE 802.1X is not used.

  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Remove an extra level of indentation in hostapd_acl_cache_get()
  Jouni Malinen, 2012-08-19, 1 file changed, -21/+18

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Use shared function for adding common RADIUS attributes
  Jouni Malinen, 2012-08-07, 1 file changed, -39/+4

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Convert remaining SSID routines from char* to u8*
  Jouni Malinen, 2012-08-07, 1 file changed, -1/+3

  This makes it more explicit that the SSID is not a null terminated C string.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix validation of PSK-from-RADIUS-server required response
  Jouni Malinen, 2012-04-21, 1 file changed, -1/+1

  cache->psk is an array and never NULL. The check here needs to check the cache->has_psk flag instead.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix memory leaks on radius_client_send error paths
  Jouni Malinen, 2012-04-01, 1 file changed, -1/+2

  In case this function returns an error, the RADIUS message needs to be freed in the caller.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Remove the GPL notification from files contributed by Jouni Malinen
  Jouni Malinen, 2012-02-11, 1 file changed, -8/+2

  Remove the GPL notification text from the files that were initially contributed by myself.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Allow WPA passphrase to be fetched with RADIUS Tunnel-Password attribute
  Michael Braun, 2011-12-11, 1 file changed, -3/+47

  This allows per-device PSK to be configured for WPA-Personal using a RADIUS authentication server. This uses RADIUS-based MAC address ACL (macaddr_acl=2), i.e., Access-Request uses the MAC address of the station as the User-Name and User-Password. The WPA passphrase is returned in Tunnel-Password attribute in Access-Accept.

  This functionality can be enabled with the new hostapd.conf parameter, wpa_psk_radius.

  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Remove references to time_t/time()
  Per Ekman, 2011-09-12, 1 file changed, -2/+6

  Use os_time() in AP mode instead of direct time() calls.
* Remove references to time_t/time()/random()
  Per Ekman, 2011-04-11, 1 file changed, -11/+12

  Replace direct calls in AP mode code with os_*() wrappers.
* hostapd_driver_ops reduction
  Jouni Malinen, 2010-11-24, 1 file changed, -5/+4

  send_eapol, set_key, read_sta_data, sta_clear_stats, set_radius_acl_auth, set_radius_acl_expire, and set_beacon to use inline functions instead of extra abstraction.
* Fix Windows compilation issues with AP mode code
  Jouni Malinen, 2010-04-04, 1 file changed, -4/+0
* Rename some src/ap files to avoid duplicate file names
  Jouni Malinen, 2009-12-25, 1 file changed, -7/+7

  Doxygen and some build tools may get a bit confused about same file name being used in different directories. Clean this up a bit by renaming some of the duplicated file names in src/ap.
* Move generic AP functionality implementation into src/ap
  Jouni Malinen, 2009-12-24, 1 file changed, -0/+528

  This code can be shared by both hostapd and wpa_supplicant and this is an initial step in getting the generic code moved to be under the src directories. A couple of generic files still remain under the hostapd directory due to direct dependencies to files there. Once the dependencies have been removed, they will also be moved to the src/ap directory to allow wpa_supplicant to be built without requiring anything from the hostapd directory.