path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Fix EAPOL supplicant port authorization with PMKSA cachingJouni Malinen2012-10-271-4/+1
| | | | | | | | | | | | | | | | | | | | | | | | The previous eapol_sm_notify_cached() implementation forced the port to be authorized when receiving EAPOL-Key msg 1/4 that included a matching PMKID in cases when PMKSA caching is used. This is too early since the port should really be authorized only after the PTK has been configured which is the case when PMKSA caching is not used. Fix this by using the EAPOL supplicant PAE state machine to go through the AUTHENTICATING and AUTHENTICATED states instead of forcing a jump to AUTHENTICATED without performing full state machine steps. This can be achieved simply by marking eapSuccess TRUE at least with the current version of EAP and EAPOL state machines (the earlier commits in this function seemed to indicate that this may have not been that easy in the older versions due to the hacks needed here). This addresses an issue with nl80211-based driver interface when the driver depends on the STA Authorized flag being used to prevent unprotected frames from being accepted (both TX and RX) prior to PTK configuration. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* P2P: Allow all channels with multi-channel concurrencyJouni Malinen2012-10-263-16/+30
| | | | | | | | | | If the driver indicates support for multi-channel concurrency, change the p2p_connect behavior to not force the current operating channel, but instead, just mark it as preferred for GO Negotiation. This change applies only for the case when the freq parameter is not used with the p2p_connect command. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix EAPOL processing when STA switches between multi-BSSesDavid Bird2012-10-251-3/+6
| | | | | | | | | | | | | | | | | | | | | There was an issue with EAPOL frame exchanges in a multi-BSS configuration when a station switches between the BSSes controlled by the same hostapd process. When processing the EAPOL packet, the array of virtual APs (iface->bss) is searched looking for the station that sent the packet in order to identify which signal context should be used during processing. The first match of the station in its list gets used in the ieee802_1x_receive() function. However, even after a station has disassociated, it remains in the list of stations pending an inactivity timeout. This leads to the wrong hapd context (one where the station had already disassociated) being used in some cases (if the current/active bss entry appears in the list after one where the station has just disassociated from) for EAPOL processing. Fix this by checking the WLAN_STA_ASSOC flag before assuming the right hapd context was found for the given station. Signed-hostap: David Bird <dbird@powercloudsystems.com> intended-for: hostap-1
* nl80211: Add support for SAE operationsJouni Malinen2012-10-241-0/+13
| | | | | | | This uses the recent cfg80211 changes to allow SAE authentication to be implemented with the nl80211 driver interface. Signed-hostap: Jouni Malinen <j@w1.fi>
* Sync with linux/nl80211.h in wireless-testing.gitJouni Malinen2012-10-241-0/+48
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* P2P: Improve robustness against lost ctrl::ack framesJouni Malinen2012-10-131-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | P2P includes two use cases where one of the devices is going to start a group and likely change channels immediately after processing a frame. This operation may be fast enough to make the device leave the current channel before the peer has completed layer 2 retransmission of the frame in case the ctrl::ack frame was lost. This can result in the peer not getting TX status success notification. For GO Negotiation Confirm frame, p2p_go_neg_conf_cb() has a workaround that ignores the TX status failure and will continue with the group formation with the assumption that the peer actually received the frame even though we did not receive ctrl::ack. For Invitation Response frame to re-invoke a persistent group, no such workaround is used in p2p_invitation_resp_cb(). Consequently, TX status failure due to lost ctrl::ack frame results in one of the peers not starting the group. Increase the likelihood of layer 2 retransmission getting acknowledged and ctrl::ack being received by waiting a short duration after having processed the GO Negotiation Confirm and Invitation Response frames for the re-invocation case. For the former, use 20 ms wait since this case has been worked around in deployed devices. For the latter, use 50 ms wait to get even higher likelihood of getting ctrl::ack through since deployed devices (and the current wpa_supplicant implementation) do not have a workaround to ignore TX status failure. 20 ms is long enough to include at least couple of retries and that should increase likelihood of getting ctrl::ack through quite a bit. The longer 50 ms wait is likely to include full set of layer 2 retries. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix regression in LEAPJouni Malinen2012-10-111-1/+4
| | | | | | | | | Commit 458cb3019108b6cb8c0c1cab94ae6ebf244eda27 broke LEAP since it rejects EAP-Success packet that is used within LEAP and this frame does not have a payload. Fix LEAP by relaxing the generic EAP packet validation if LEAP has been negotiated. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Limit number of active wildcard PINs to oneJouni Malinen2012-10-101-0/+20
| | | | | | | | | | | Previously, WPS Registrar allowed multiple wildcard PINs to be configured. This can get confusing since these PINs get assigned to any Enrollee that does not have a specific PIN and as such, cannot really be used with different PIN values in reasonable ways. To avoid confusion with multiple enabled PINs, invalidate any previously configured wildcard PIN whenever adding a new one. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-TLS: Add extra validation for TLS Message LengthJouni Malinen2012-10-072-0/+15
| | | | | | | | | | | | While the existing code already addresses TLS Message Length validation for both EAP-TLS peer and server side, this adds explicit checks and rejection of invalid messages in the functions handling reassembly. This does not change externally observable behavior in case of EAP server. For EAP peer, this starts rejecting invalid messages instead of addressing them by reallocating the buffer (i.e., ignoring TLS Message Length in practice). Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-TLS server: Fix TLS Message Length validationJouni Malinen2012-10-071-0/+8
| | | | | | | | | | | | | | | | | | | | EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS Message Length value properly and could end up trying to store more information into the message buffer than the allocated size if the first fragment is longer than the indicated size. This could result in hostapd process terminating in wpabuf length validation. Fix this by rejecting messages that have invalid TLS Message Length value. This would affect cases that use the internal EAP authentication server in hostapd either directly with IEEE 802.1X or when using hostapd as a RADIUS authentication server and when receiving an incorrectly constructed EAP-TLS message. Cases where hostapd uses an external authentication are not affected. Thanks to Timo Warns for finding and reporting this issue. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* SAE: Add Finite Cyclic Group negotiation and Send-ConfirmJouni Malinen2012-10-062-8/+100
| | | | | | | | This replaces the previously used bogus test data in SAE messages with the first real field. The actual SAE authentication mechanism is still missing and the Scaler, Element, and Confirm fields are not included. Signed-hostap: Jouni Malinen <j@w1.fi>
* 60 GHz: Fix error while processing scan resultsVladimir Kondratiev2012-10-041-1/+1
| | | | | | | | Channel frequency for 60 GHz band do not fit into 'short int', as was used. Expand it to 'int' Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com> Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Fix a potential memory leak on wps_init() error pathJouni Malinen2012-10-021-0/+1
| | | | Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Reserve AKM and cipher suite valuesJouni Malinen2012-09-307-4/+60
| | | | | | | | These values are used with WAPI and CCX and reserving the definitions here reduces the number of merge conflicts with repositories that include these functions. Signed-hostap: Jouni Malinen <j@w1.fi>
* Add initial parts for SAEJouni Malinen2012-09-3011-4/+141
| | | | | | | | | | | | | This introduces new AKM for SAE and FT-SAE and adds the initial parts for going through the SAE Authentication frame exchange. The actual SAE algorithm and new fields in Authentication frames are not yet included in this commit and will be added separately. This version is able to complete a dummy authentication with the correct authentication algorithm and transaction values to allow cfg80211/mac80211 drivers to be tested (all the missing parts can be handled with hostapd/wpa_supplicant changes). Signed-hostap: Jouni Malinen <j@w1.fi>
* Sync with linux/nl80211.h in wireless-testing.gitJouni Malinen2012-09-301-4/+50
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* nl80211: Don't send BSSID with disconnect commandMykyta Iziumtsev2012-09-291-57/+10
| | | | | | | NL80211_CMD_DISCONNECT doesn't need BSSID, because cfg80211 uses locally saved value. Signed-hostap: Mykyta Iziumtsev <mykyta.iziumtsev@gmail.com>
* Include connected time in AP mode STA-* commandsRaja Mani2012-09-264-2/+34
| | | | | | | This allows hostapd_cli and wpa_cli all_sta command to be used to display connected time (in seconds) of each station in AP mode. Signed-hostap: Raja Mani <rmani@qca.qualcomm.com>
* P2P: Fix ignoring of PD Response due to dialog token mismatchJouni Malinen2012-09-251-5/+5
| | | | | | | | | | | | | | | Commit 6b56cc2d97fe9efd1feea8d418714b4658b056f1 added clearing of the p2p->pending_action_state too early in this function. This should not be done if we are going to silently ignore the frame due to dialog token mismatch. Fix this by moving the code around to check the dialog token first. This issue resulted in PD Request retries getting stopped too early if the peer is sending out an unexpected PD Response (e.g., because of it being excessively slow with the response so that the response is received only after the next TX attempt with a new dialog token). Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Allow peer to propose channel in invitation processJouni Malinen2012-09-243-9/+78
| | | | | | | | | | | | | | Make Invitation process for re-invoking a persistent group behave similarly to GO Negotiation as far as channel negotiation is concerned. The Operating Channel value (if present) is used as a starting point if the local device does not have a forced operating channel (e.g., due to concurrent use). Channel lists from devices are then compared to check that the selected channel is in the intersection. If not, channel is selected based on GO Negotiation channel rules (best channel preferences etc.). Invitation Request is rejected if no common channel can be selected. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Show own channel list in debug logJouni Malinen2012-09-241-1/+2
| | | | | | This makes it easier to debug channel negotiation mechanisms. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* nl80211: Use the monitor interface if socket tx status is not supportedFelix Fietkau2012-09-231-3/+3
| | | | | | Fixes hostapd on recent compat-wireless builds with older kernels. Signed-hostap: Felix Fietkau <nbd@openwrt.org>
* hostapd: Add check for the wds sta flag before creating 4addr VLANsFelix Fietkau2012-09-231-0/+3
| | | | Signed-hostap: Felix Fietkau <nbd@openwrt.org>
* hostapd: Clear WLAN_STA_ASSOC_REQ_OK if sending the assoc response failedFelix Fietkau2012-09-231-12/+13
| | | | | | | | | As long as WLAN_STA_ASSOC_REQ_OK is set in sta->flags, Class 3 frames do not trigger a disassoc/deauth. If it is still set even after the assoc response tx has already failed, it may take somewhat longer for clients to realize that the connection wasn't fully established. Signed-hostap: Felix Fietkau <nbd@openwrt.org>
* hostapd: Send EAPOL frames from the VO queue if WMM is activeFelix Fietkau2012-09-161-2/+2
| | | | | | | This avoids extra latency caused by establishing an aggregation session and makes the initial connection attempt more reliable Signed-hostap: Felix Fietkau <nbd@openwrt.org>
* hostapd: Fix WDS VLAN bridge handlingFelix Fietkau2012-09-161-7/+9
| | | | | | | This patch fixes an issue where removing a WDS VLAN interface also removed the main AP interface from the same bridge. Signed-hostap: Felix Fietkau <nbd@openwrt.org>
* hostapd: Fix CONFIG_INTERWORKING=y build without CONFIG_HS20=yJouni Malinen2012-09-161-0/+16
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* Move AES-CCM implementation into src/cryptoJouni Malinen2012-09-093-0/+221
| | | | | | | | This is a generic AES CCM implementation that can be used for other purposes than just implementing CCMP, so it fits better in a separate file in src/crypto. Signed-hostap: Jouni Malinen <j@w1.fi>
* Enable 256-bit key AES in internal TLS implementationJouni Malinen2012-09-092-10/+0
| | | | | | | | Now that the internal AES implementation supports 256-bit keys, enable use of the TLS cipher suites that use AES-256 regardless of which crypto implementation is used. Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix AES block size handling for internal cipherJouni Malinen2012-09-091-21/+14
| | | | | | | | | | AES uses the same 128-bit block size with 128, 192, 256 bit keys, so use the fixed block size definition instead of trying to dynamically set the block size based on key length. This fixes use of 192-bit and 256-bit AES keys with crypto_cipher_*() API when using the internal AES implementation. Signed-hostap: Jouni Malinen <j@w1.fi>
* Share common GCM-AE and GCM-AD functionalityJouni Malinen2012-09-091-66/+72
| | | | | | | These operations are almost identical, so use common functions to share the same implementation. Signed-hostap: Jouni Malinen <j@w1.fi>
* Add aes_gmac() as a wrapper for AES GMAC operations using GCMJouni Malinen2012-09-092-0/+11
| | | | | | | This is otherwise identical to aes_gcm_ae() but does not use the plain/crypt pointers since no data is encrypted. Signed-hostap: Jouni Malinen <j@w1.fi>
* Add support for using 192-bit and 256-bit keys with AES-GCMJouni Malinen2012-09-096-54/+138
| | | | | | | | This adds 192-bit and 256-bit key support to the internal AES implementation and extends the AES-GCM functions to accept key length to enable longer AES key use. Signed-hostap: Jouni Malinen <j@w1.fi>
* Support arbitrary IV length with AES-GCMJouni Malinen2012-09-082-24/+46
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* Move AES-GCM implementation into src/cryptoJouni Malinen2012-09-083-1/+302
| | | | | | | | This is a generic AES GCM and GMAC implementation that can be used for other purposes than just implementing GCMP, so it fits better in a separate file in src/crypto. Signed-hostap: Jouni Malinen <j@w1.fi>
* AP: Configure basic rates from iface and not confArik Nemtsov2012-09-061-1/+1
| | | | | | | | | | The conf doesn't contain any basic rates in some cases. Most notably, when starting a P2P GO in 5 GHz. Use the iface rates which are initialized in hostapd_prepare_rates() to the conf rates or set to default values if no conf values exist. This fixes a bug introduced in commit e5693c4775bae65faa960f80889f98b0a6cb2e1c. Signed-hostap: Arik Nemtsov <arik@wizery.com>
* Make copies basic_rates list more usefulJouni Malinen2012-09-061-0/+2
| | | | | | | | | | | Commit e5693c4775bae65faa960f80889f98b0a6cb2e1c added a copy of the determined basic rate set into struct hostapd_iface, but did not actually copy the terminating -1 value. This could be problematic if something were to actually try to use this list since would be no way to know what is the last entry in the list. Fix this by copying the terminating value. Signed-hostap: Jouni Malinen <j@w1.fi>
* atheros: Fix RSN capabilities debug printBaruch Siach2012-09-051-2/+1
| | | | Signed-hostap: Baruch Siach <baruch@tkos.co.il>
* nl80211: Register read_sta_data() handler for station only buildsJouni Malinen2012-09-052-2/+6
| | | | | | | | This driver_op can now be used in station mode, too, to fetch information about the connection with the AP, so allow this to be used even if wpa_supplicant is built without AP mode support. Signed-hostap: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Add PKTCNT_POLL command to get TX/RX packet countersYuhao Zheng2012-09-051-0/+4
| | | | Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* WFD: Properly match group for WFD element in Invitation ResponseJouni Malinen2012-09-051-2/+2
| | | | | | | | | | | | | | The group matching should be done by comparing the P2P Interface Address (which the group_bssid here is) to the group's BSSID and not the group ID (which uses P2P Device Address and would have also needed the SSID). Though, it should be noted that this case cannot really happen since a GO in an active group would never be invited to join another group in its GO role (i.e., if it receives an Invitation Request, it will reply in P2P Device role). As such, this fix does not really change any observable behavior, but anyway, it is good to keep the implementation here consistent with the Invitation Request case. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* WFD: Properly match group for WFD element in Invitation RequestJouni Malinen2012-09-051-0/+3
| | | | | | | | | When building the Invitation Request for WFD use cases, match the BSSID, i.e., P2P Interface Address, of the group on the GO to avoid using information from another group should the device be operating multiple concurrent groups as GO. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-SIM/AKA: Store pseudonym identity in configurationJouni Malinen2012-09-027-19/+89
| | | | | | | | Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity so that this can be maintained between EAP sessions (e.g., after wpa_supplicant restart) even if fast re-authentication data was cleared. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM DB: Remove unnecessary username prefix checksJouni Malinen2012-09-021-10/+0
| | | | | | | | The EAP-SIM/AKA code is already validating the prefix and the following lookup would not find matches if the prefix is incorrect, so there is no need for the extra checks here. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-AKA server: Skip AKA/Identity exchange if EAP identity recognizedJouni Malinen2012-09-022-31/+99
| | | | | | | | If EAP-Response/Identity includes a known pseudonym or re-auth username, skip the AKA/Identity exchange since we already know the permanent username of the peer. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Move subtype validation from check into processJouni Malinen2012-09-011-3/+15
| | | | | | | This is needed to be able to use SIM-Notification round to indicate failure per RFC 4186, chapter 6.3.3. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM server: Use Notification before EAP-FailureJouni Malinen2012-09-011-20/+26
| | | | | | | | RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after Client-Error and Notification messages. Convert the direct jumps to the FAILURE state with a notification round before sending out EAP-Failure. Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA peer: Note sending of Client-Error in debug logJouni Malinen2012-09-012-0/+4
| | | | Signed-hostap: Jouni Malinen <j@w1.fi>
* EAP-SIM peer: Fix AT_COUNTER_TOO_SMALL useJouni Malinen2012-09-011-4/+5
| | | | | | | | | The AT_NONCE_S value needs to be used in AT_MAC calculation for SIM/Re-authentication response even if re-authentication is rejected with AT_COUNTER_TOO_SMALL. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
* EAP-SIM server: Add support for AT_COUNTER_TOO_SMALLJouni Malinen2012-09-011-0/+26
| | | | | | | | If the peer rejects re-authentication with AT_COUNTER_TOO_SMALL, fall back to full authentication to allow the authentication session to be completed. Signed-hostap: Jouni Malinen <j@w1.fi>