path: root/src/ap/wpa_auth_glue.c
Commit message (author, date, files changed, lines -/+)
* FT: Fix RRB for FT over-the-air case (Günther Kelleter, 2016-04-18, 1 file, -1/+1)
  Commit 66d464067d626cc64c5a543a8f91fe58727f4e5e ('FT: Register RRB l2_packet only if FT-over-DS is enabled') disabled RRB l2_packet socket if ft_over_ds is disabled, but this socket is required for FT over-the-air, too (FT key distribution). Enable the socket regardless of ft_over_ds setting if FT is enabled.
  Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
* FT: Check destination MAC address on RRB receive (Michael Braun, 2016-02-28, 1 file, -0/+3)
  As the Linux variant of l2_packet_init() does not use its own_addr argument and l2_packet_receive() does not filter on destination MAC address, this needs to be checked in the callback. If there are multiple BSSes listening for FT RRB packets, all their BSSIDs need to be local to the bridge interface. As l2_packet_init() is going to receive all of them going for any local address, those RRB messages started turning up on BSSes that they were not destined for and cluttering logs.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Defer passphrase-to-PSK hashing out of 802.11 authentication ACL check (Michael Braun, 2016-02-28, 1 file, -0/+8)
  Hashing takes quite some time (can be about one second on a low-power CPU for each passphrase provided), so hostapd can easily hit the 900 ms Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can be fixed by storing the passphrase instead of PSK with the STA and defer the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs. This applies for the case where a RADIUS server is used to store the per-STA passphrases and this passphrase is delivered as part of the MAC ACL check during IEEE 802.11 Authentication frame processing.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Check hapd->wpa_auth before RRB internal delivery (Michael Braun, 2016-02-28, 1 file, -0/+2)
  A malicious station could try to do FT-over-DS with a non WPA-enabled BSS. When this BSS is located in the same hostapd instance, internal RRB delivery will be used and thus the FT Action Frame will be processed by a non-WPA enabled BSS. This processing used to crash hostapd as hapd->wpa_auth is NULL. If the target BSS is on a different hostapd instance, it will not listen for these packets and thus not crash. Fix this by checking hapd->wpa_auth before delivery.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* hostapd: Fix WPA, IEEE 802.1X, and WPS deinit in cases where init fails (Jouni Malinen, 2015-10-14, 1 file, -2/+3)
  With driver wrappers that implement set_privacy(), set_generic_elem(), set_ieee8021x(), or set_ap_wps_ie(), it was possible to hit a NULL pointer dereference in error cases where interface setup failed and the network configuration used WPA/WPA2, IEEE 802.1X, or WPS. Fix this by skipping the driver operations in case the driver interface is not initialized.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Add testing option to override own WPA/RSN IE(s) (Jouni Malinen, 2015-08-08, 1 file, -0/+7)
  This allows the new own_ie_override=<hexdump> configuration parameter to be used to replace the normally generated WPA/RSN IE(s) for testing purposes in CONFIG_TESTING_OPTIONS=y builds.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Register RRB l2_packet only if FT-over-DS is enabled (Jouni Malinen, 2015-07-17, 1 file, -1/+2)
  There is no need to waste resources for this packet socket if FT-over-DS is disabled or when operating P2P GO or AP mode in wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Replace SSID_LEN with SSID_MAX_LEN (Jouni Malinen, 2015-04-22, 1 file, -2/+2)
  This makes source code more consistent.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add an AP mode event message for possible PSK/passphrase mismatch (Jouni Malinen, 2015-03-19, 1 file, -0/+10)
  If the AP/Authenticator receives an EAPOL-Key msg 2/4 for an association that negotiated use of PSK and the EAPOL-Key MIC does not match, it is likely that the station is trying to use incorrect PSK/passphrase. Report this with "AP-STA-POSSIBLE-PSK-MISMATCH <STA addr>" control interface event.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Debug messages for dodgy RADIUS servers (Ben Greear, 2015-01-22, 1 file, -2/+7)
  These were helpful when tracking down why hostapd did not work properly with a RADIUS server.
  Signed-hostap: Ben Greear <greearb@candelatech.com>
* Add external EAPOL transmission option for testing purposes (Jouni Malinen, 2014-10-10, 1 file, -0/+30)
  The new ext_eapol_frame_io parameter can be used to configure hostapd and wpa_supplicant to use control interface for receiving and transmitting EAPOL frames. This makes it easier to implement automated test cases for protocol testing. This functionality is included only in CONFIG_TESTING_OPTIONS=y builds.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Allow management group cipher to be configured (Jouni Malinen, 2014-03-14, 1 file, -0/+1)
  This allows hostapd to set a different management group cipher than the previously hardcoded default BIP (AES-128-CMAC). The new configuration file parameter group_mgmt_cipher can be set to BIP-GMAC-128, BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in IEEE Std 802.11ac-2013.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* HS 2.0R2 AP: Add OSEN implementation (Jouni Malinen, 2014-02-25, 1 file, -0/+13)
  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Add support for IP address assignment in 4-way handshake (Jouni Malinen, 2014-01-27, 1 file, -0/+6)
  This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association.
  The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_start, ip_addr_end. For example:
    ip_addr_go=
    ip_addr_mask=
    ip_addr_start=
    ip_addr_end=
  DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assigning a separate range for wpa_supplicant and DHCP server.
  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Include driver.h in hostapd.h (Andrei Otcheretianski, 2013-12-24, 1 file, -1/+0)
  This allows use of structs (and not only pointers) defined in drivers.h. Remove also some not needed forward declarations and redundant includes.
  Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* hostapd: Fix a couple of deinit path cases to clear pointers (Jouni Malinen, 2013-09-25, 1 file, -0/+1)
  This fixes some issues where dynamic interface enable/disable cycles could end up trying to free resources twice and crash the process while doing so.
  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Select PSK based on Device Address instead of Interface Address (Jouni Malinen, 2013-09-01, 1 file, -1/+2)
  When using per-device PSKs, select the PSK based on the P2P Device Address of the connecting client if that client is a P2P Device. This allows the P2P Interface Address to be changed between P2P group connections which may happen especially when using persistent groups.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* P2P: Make peer's P2P Device Address available to authenticator (Jouni Malinen, 2013-09-01, 1 file, -1/+1)
  This can be used to implement per-device PSK selection based on the peer's P2P Device Address instead of P2P Interface Address.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* hostapd: Add Key MIC in group EAPOL-Key frames corruption test option (Johannes Berg, 2013-05-04, 1 file, -2/+7)
  For some testing it can be useful to force the Key MIC in group EAPOL-Key frames to be corrupt. Add an option to allow setting a probability for corrupting the Key MIC and use it in the WPA code, increasing the first byte of the MIC by one to corrupt it if desired.
  Signed-hostap: Johannes Berg <johannes.berg@intel.com>
* SAE: Use PMK in 4-way handshake (Jouni Malinen, 2013-01-12, 1 file, -2/+13)
  Use the PMK that is derived as part of the SAE authentication in the 4-way handshake instead of the PSK.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Keep and use list of PSKs per station for RADIUS-based PSK (Michael Braun, 2012-11-25, 1 file, -3/+11)
  This adds support for multiple PSKs per station when using a RADIUS authentication server to fetch the PSKs during MAC address authentication step. This can be useful if multiple users share a device but each user has his or her own private passphrase.
  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* hostapd: Fix a regression in TKIP countermeasures processing (Jouni Malinen, 2012-11-18, 1 file, -2/+2)
  Commit 296a34f0c1730416bf2a61ab78690be43d82a3c0 changed hostapd to remove the internal STA entry at the beginning of TKIP countermeasures. However, this did not take into account the case where this is triggered by an EAPOL-Key error report from a station. In such a case, WPA authenticator state machine may continue processing after having processed the error report. This could result in use of freed memory. Fix this by stopping WPA processing if the STA entry got removed.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Move hostapd global callback functions into hapd_interfaces (Jouni Malinen, 2012-08-25, 1 file, -7/+9)
  These function pointers are going to be the same for each interface so there is no need to keep them in struct hostapd_iface. Moving them to struct hapd_interfaces makes it easier to add interfaces at run time.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix endless loop in PSK fetching with PSK-from-RADIUS (Michael Braun, 2012-08-04, 1 file, -3/+9)
  Commit 05ab9712b9977192b713f01f07c3b14ca4d1ba78 added support for fetching WPA PSK from an external RADIUS server and changed hostapd_wpa_auth_get_psk() to always return the RADIUS supplied PSK (if set) and ignore the prev_psk parameter for iteration. Fix this by appending the RADIUS supplied PSK to the list iterated by hostapd_get_psk and thus returning NULL when prev_psk == sta->psk (RADIUS).
  Signed-hostap: M. Braun <michael-dev@fami-braun.de>
* FT: Add FT AP support for drivers that manage MLME internally (Shan Palanisamy, 2012-08-01, 1 file, -0/+14)
  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* HS 2.0: Add mechanism for disabling DGAF (Jouni Malinen, 2012-07-30, 1 file, -0/+3)
  disable_dgaf=1 in hostapd.conf can now be used to disable downstream group-addressed forwarding (DGAF). In this configuration, a unique GTK (and IGTK) is provided to each STA in the BSS to make sure the keys do not match and no STA can forge group-addressed frames. An additional mechanism in the AP needs to be provided to handle some group-addressed frames, e.g., by converting DHCP packets to unicast IEEE 802.11 frames regardless of their destination IP address and by providing Proxy ARP functionality.
  Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove the GPL notification from files contributed by Jouni Malinen (Jouni Malinen, 2012-02-11, 1 file, -8/+2)
  Remove the GPL notification text from the files that were initially contributed by myself.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Allow WPA passphrase to be fetched with RADIUS Tunnel-Password attribute (Michael Braun, 2011-12-11, 1 file, -0/+3)
  This allows per-device PSK to be configured for WPA-Personal using a RADIUS authentication server. This uses RADIUS-based MAC address ACL (macaddr_acl=2), i.e., Access-Request uses the MAC address of the station as the User-Name and User-Password. The WPA passphrase is returned in Tunnel-Password attribute in Access-Accept. This functionality can be enabled with the new hostapd.conf parameter, wpa_psk_radius.
  Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
* Allow MLME frames to be sent without expecting an ACK (no retries) (Helmut Schaa, 2011-11-19, 1 file, -1/+1)
  In some situations it might be beneficial to send a unicast frame without the need for getting it ACKed (probe responses for example). In order to achieve this add a new noack parameter to the drivers send_mlme callback that can be used to advise the driver to not wait for an ACK for this frame.
  Signed-hostap: Helmut Schaa <helmut.schaa@googlemail.com>
* Include wpa_auth_glue.h to verify function prototypes (Jouni Malinen, 2011-11-18, 1 file, -0/+1)
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix TKIP countermeasures stopping in deinit paths (Jouni Malinen, 2011-10-30, 1 file, -0/+1)
  The eloop timeout to stop TKIP countermeasures has to be canceled on deinit path to avoid leaving bogus timeouts behind.
  Signed-hostap: Jouni Malinen <j@w1.fi>
* Fix WPA authenticator configuration to not leave uninitialized fields (Jouni Malinen, 2011-10-28, 1 file, -0/+1)
  hostapd_wpa_auth_conf() is called on uninitialized memory and the conditional blocks in this function may leave some fields into uninitialized state. This can result in unexpected behavior elsewhere since some of the variables may be used without matching #ifdef blocks. Fix this by zeroing the memory.
* Fix hostapd_wpa_auth_send_ether() return value (Jouni Malinen, 2011-10-23, 1 file, -1/+1)
  This was not currently used for anything, but better return the correct value instead of hardcoded -1.
* Allow PMKSA caching to be disabled on Authenticator (Jouni Malinen, 2011-07-05, 1 file, -0/+1)
  A new hostapd configuration parameter, disable_pmksa_caching=1, can now be used to disable PMKSA caching on the Authenticator. This forces the stations to complete EAP authentication on every association when WPA2 is being used.
* nl80211: Send EAPOL frames as QoS data frames for QoS aware clients (Felix Fietkau, 2011-04-02, 1 file, -1/+8)
  This should fix EAPOL reauthentication and rekeying timeout issues with Intel clients when using WMM (e.g., with IEEE 802.11n). These stations do not seem to be able to handle EAPOL data frames as non-QoS Data frames after the initial setup. This adds STA flags to hapd_send_eapol() driver op to allow driver_nl80211.c to mark the EAPOL frames as QoS Data frame when injecting it through the monitor interface.
* Work around SNonce updates on EAPOL-Key 1/4 retransmission (Jouni Malinen, 2011-03-29, 1 file, -0/+2)
  Some deployed supplicants update their SNonce for every received EAPOL-Key message 1/4 even when these messages happen during the same 4-way handshake. Furthermore, some of these supplicants fail to use the first SNonce that they sent and derive an incorrect PTK using another SNonce that does not match with what the authenticator is using from the first received message 2/4. This results in failed 4-way handshake whenever the EAPOL-Key 1/4 retransmission timeout is reached. The timeout for the first retry is fixed to 100 ms in the IEEE 802.11 standard and that seems to be short enough to make it difficult for some stations to get the response out before retransmission.
  Work around this issue by increasing the initial EAPOL-Key 1/4 timeout by 1000 ms (i.e., total timeout of 1100 ms) if the station acknowledges reception of the EAPOL-Key frame. If the driver does not indicate TX status for EAPOL frames, use longer initial timeout (1000 ms) unconditionally.
* FT: Make FT-over-DS configurable (hostapd.conf ft_over_ds=0/1) (Shan Palanisamy, 2011-03-06, 1 file, -0/+1)
* FT: Specify source MAC address for RRB messages (Jouni Malinen, 2011-02-20, 1 file, -12/+27)
  Use l2_packet with Ethernet header included so that the source address for RRB packets can be forced to be the local BSSID. This fixes problems where unexpected bridge interface address may end up getting used and the recipient of the frame dropping it as unknown R0KH/R1KH.
* hostapd_driver_ops reduction (Jouni Malinen, 2010-11-24, 1 file, -3/+4)
  send_eapol, set_key, read_sta_data, sta_clear_stats, set_radius_acl_auth, set_radius_acl_expire, and set_beacon to use inline functions instead of extra abstraction.
* hostapd: Start removing struct hostapd_driver_ops abstraction (Jouni Malinen, 2010-11-24, 1 file, -1/+1)
  Commit bf65bc638fe438b96f2986580ad167d5e276ef4c started the path to add this new abstraction for driver operations in AP mode to allow wpa_supplicant to control AP mode operations. At that point, the extra abstraction was needed, but it is not needed anymore since hostapd and wpa_supplicant share the same struct wpa_driver_ops. Start removing the unneeded abstraction by converting send_mgmt_frame() to an inline function, hostapd_drv_send_mlme(). This is similar to the design that is used in wpa_supplicant and that was used in hostapd in the past (hostapd_send_mgmt_frame() inline function).
* FT: Send RRB data directly when managed by same hostapd process (Jouni Malinen, 2010-07-26, 1 file, -0/+61)
  This makes it easier (and a bit faster) to handle multiple local radios with FT. There is no need to depend on l2_packet in that case since the frame can be delivered as a direct function call.
* Allow advertising of U-APSD functionality in Beacon (Yogesh Ashok Powar, 2010-04-11, 1 file, -0/+1)
  hostapd does not implement UAPSD functionality. However, if U-APSD functionality is implemented outside hostapd, add support to advertise the functionality in beacon.
  Signed-off-by: yogeshp@marvell.com
* FT: Use bridge interface (if set) for RRB connection (Jouni Malinen, 2010-04-04, 1 file, -1/+3)
  This fixes receiving of RRB messages between FT APs.
* FT: Set WLAN_AUTH_FT auth_alg on FT-over-DS case (Jouni Malinen, 2010-04-04, 1 file, -1/+3)
  This is needed to allow reassociation processing to skip 4-way handshake when FT-over-DS is used with an AP that has a previous association state with the STA.
* Fix wpa_auth_iface_iter() to skip BSSes without Authenticator (Jouni Malinen, 2010-03-27, 1 file, -1/+2)
  This could cause NULL pointer dereference if multi-BSS configuration was used with OKC in some cases.
* Get rid of unnecessary typedefs for enums. (Jouni Malinen, 2009-12-26, 1 file, -1/+1)
* Replace src/ap/driver_i.h with non-inlined functions in ap_drv_ops.c (Jouni Malinen, 2009-12-25, 1 file, -1/+1)
* Remove ap_config.h dependency from driver_i.h (Jouni Malinen, 2009-12-25, 1 file, -1/+3)
  This adds explicit #include line for ap_config.h into the src/ap/*.c files that actually use the definitions from there.
* Rename some src/ap files to avoid duplicate file names (Jouni Malinen, 2009-12-25, 1 file, -6/+6)
  Doxygen and some build tools may get a bit confused about same file name being used in different directories. Clean this up a bit by renaming some of the duplicated file names in src/ap.
* Get rid of direct hostapd_for_each_interface() calls (Jouni Malinen, 2009-12-25, 1 file, -2/+4)
  src/ap/*.c must not call functions in hostapd or wpa_supplicant directories directly, so avoid this by using a callback function pointer.