Jouni Malinen [Sat, 25 Aug 2012 09:43:27 +0000 (12:43 +0300)]
Move hostapd global callback functions into hapd_interfaces
These function pointers are going to be the same for each interface so
there is no need to keep them in struct hostapd_iface. Moving them to
struct hapd_interfaces makes it easier to add interfaces at run time.
Jouni Malinen [Fri, 24 Aug 2012 17:45:22 +0000 (20:45 +0300)]
P2P: Fix memory leak with driver-based P2P management
If the P2P management operations are handled within the driver, the
P2P service entries were not freed when terminating wpa_supplicant.
Fix this by calling wpas_p2p_service_flush() even if the P2P module
within wpa_supplicant has not been initialized.
Anirban Sirkhell [Fri, 24 Aug 2012 16:02:56 +0000 (19:02 +0300)]
Add wps_cancel to hostapd_cli help text
Commit 4c374cde2f0b789d5aa1180667173358b71d492c added a new wps_cancel
command, but didn't add it to the usage text in hostapd_cli. Add an
entry for this command.
Sunil Dutt [Fri, 24 Aug 2012 08:54:02 +0000 (11:54 +0300)]
P2P: Fix PD retries on delay in off channel transmission
Commit 488f4a7108e021be97fc1841fff9042d2b7d737f configures a timer
before p2p_send_action(). This may result in the timer getting fired
earlier to the off channel transmission of the frame and thus another PD
request being retransmitted. This shall lead to the new PD request with
an incremented dialog token being transmitted. For the cases where the
later PD request might not be transmitted as the host driver is busy
transmitting the earlier frame, the received PD response could be
dropped for the dialog token mismatch. Remove the timer configuration to
avoid this behavior.
Jouni Malinen [Thu, 23 Aug 2012 21:23:44 +0000 (00:23 +0300)]
P2P: Limit maximum number of stored P2P clients to 100
This limits the maximum size of the p2p_client_list parameter that
is maintained at the GO for a persistent group. In other words, only
the 100 most recently seen P2P clients are kept in the list.
Jouni Malinen [Thu, 23 Aug 2012 20:56:51 +0000 (23:56 +0300)]
Improve p2p_client_list updates in configuration file
This list can get truncated due to too many addresses getting added.
Reorder the entries in a way that allows the most recently added values
to be maintained in the list and use better debug/error messages when
parsing the value.
Jouni Malinen [Thu, 23 Aug 2012 20:52:45 +0000 (23:52 +0300)]
Handle long configuration file lines more gracefully
Skip the end of long configuration lines that get truncated in
wpa_config_get_line(). Without this, the rest of the file was being
parsed as another line and that resulted in an unexpected error
message (wrong line number and wrong starting point).
In addition, increase the read buffer for network blocks from 256
to 2000 since p2p_client_list parameter can have long values. These
were supposed to truncated cleanly, but the unexpected processing of
the end of the file (which is now fixed in this commit) could cause
configuration file to be rejected.
Jouni Malinen [Thu, 23 Aug 2012 17:28:04 +0000 (20:28 +0300)]
P2P: Remove unnecessary call in resuming p2p_find
Commit 99fcd404091a90317f6619e466f544ee32128a23 added a call to update
search delay after failed authentication attempt. This change was
supposed to be only in p2p_supplicant.c for the successful case. The
extra call does not really do anything, but it's good to remove it to
avoid any confusion in the future.
Jouni Malinen [Thu, 23 Aug 2012 16:42:53 +0000 (19:42 +0300)]
P2P: Allow scan operations during p2p_find
Previously, all station mode scan operations were either skipped or
delayed while any P2P operation was in progress. To make concurrent
operations easier to use, reduce this limitation by allowing a scan
operation to be completed in the middle of a p2p_find. In addition,
allow station mode association to be completed. When the station mode
operation is run to its completion (scan results not acted on,
connection to an AP completed, connection failed), resume the p2p_find
operation.
Jouni Malinen [Thu, 23 Aug 2012 15:34:57 +0000 (18:34 +0300)]
P2P: Use 500 ms search delay by default during concurrent operations
If the p2p_find command is used without the delay parameter, a 500 ms
default search delay will now be used when any interface using the same
radio is in an concurrent operation. "p2p_find delay=0" can be used to
enforce the old behavior in such a case if needed.
Jouni Malinen [Thu, 23 Aug 2012 15:20:58 +0000 (18:20 +0300)]
P2P: Add option for adding extra delay to p2p_find
A new optional delay=<search delay in milliseconds> parameter can now be
used with p2p_find command to request an extra delay between search
iterations. This can be used, e.g., to make p2p_find friendlier to
concurrent operations by avoiding it from taking 100% of the radio
resources.
Jouni Malinen [Wed, 22 Aug 2012 19:34:11 +0000 (22:34 +0300)]
Add UNAUTH-TLS vendor specific EAP type
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.
The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.
Jouni Malinen [Sun, 19 Aug 2012 19:59:30 +0000 (22:59 +0300)]
hlr_auc_gw: Add SQLite database support for Milenage information
An SQLite database can now be used to manage the Milenage information
instead of a text file. The new hlr_auc_gw.txt document describes how
this is configured and used.
Jouni Malinen [Sun, 19 Aug 2012 17:51:21 +0000 (20:51 +0300)]
EAP-SIM DB: Do not require external program at startup
The previous implementation was able to re-open the connection to an
external program (e.g., hlr_auc_gw) when needed, but required the
connection to be available during startup. Extend this to allow the
initial failure, so that hlr_auc_gw can be started after hostapd.
Jouni Malinen [Sun, 19 Aug 2012 16:10:40 +0000 (19:10 +0300)]
WPS: Remove unused credential handlers for 802.1X
The WPA_AUTH_WPA and WPA_AUTH_WPA2 cases have already been rejected in
this function when execution comes here. In theory, support for
WPA-Enterprise could be added, but since that has not happened over the
years, there is no good reason to keep this dead code here.
Jouni Malinen [Sun, 19 Aug 2012 15:54:34 +0000 (18:54 +0300)]
OpenSSL: Make fips186_2_prf() easier for static analyzers
Explicitly validate seed_len to skip memset call with zero length of
copied data at the end of the buffer. This is not really needed, but it
makes the code a bit easier for static analyzers. This is identical to
the commit a9ea17491a2c9e95bf9ac98fd36e56fde3faf188 but for the OpenSSL
version of the function.
Jouni Malinen [Sun, 19 Aug 2012 15:25:25 +0000 (18:25 +0300)]
wpabuf: Get rid of separate ext_data pointer
Use an explicit pointer to the beginning of the buffer and a flag
to indicate whether that is to external data or not. This avoids
a branch whenever accessing the buffer and helps some static
analyzers to understand the wpabuf memory uses better.
Jouni Malinen [Sun, 19 Aug 2012 14:23:00 +0000 (17:23 +0300)]
Fix memory allocation failure handling in EAP-TTLS/MSCHAPv2 server
If the os_malloc() call for the User-Name value fails in EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling this cleanly as an internal error
and reject the authentication attempt.
Jouni Malinen [Sun, 19 Aug 2012 13:53:15 +0000 (16:53 +0300)]
FIPS: Remove md5-non-fips.c
Commit c9e08af24fd7dda3f21674cdc744579b8c38fa28 removed the only user of
the special case MD5 use that would be allowed in FIPS mode in
tls_prf_sha1_md5(). Commit 271dbf1594bea461ea2ea7946a773a30bfa254aa
removed the file from the build, but left the implementation into the
repository. To clean things up even further, remove this functionality
completely since it is not expected to be needed for FIPS mode anymore.
Michael Braun [Sun, 19 Aug 2012 11:27:30 +0000 (14:27 +0300)]
Add User-Name/CUI from RADIUS ACL in Accounting messages
This allows User-Name and Chargeable-User-Identity attributes to be
passed from Access-Accept into Accounting messages even when IEEE 802.1X
is not used.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Jouni Malinen [Sun, 19 Aug 2012 09:47:20 +0000 (12:47 +0300)]
Interworking: Do not match credentials without WPA2-Enterprise
Since we currently support only HS 2.0 networks with Interworking
network selection, do not indicate credential match unless the
network uses WPA2-Enterprise.
Jouni Malinen [Sun, 19 Aug 2012 09:39:39 +0000 (12:39 +0300)]
Interworking: Enforce WPA2-Enterprise/CCMP
Since we currently support only HS 2.0 networks with Interworking
network selection, enforce that WPA2-Enterprise/CCMP is used on the
AP instead of allowing any WPA-Enterprise combination.
Jouni Malinen [Sun, 19 Aug 2012 09:34:14 +0000 (12:34 +0300)]
HS 2.0: Do not indicate HS 2.0 status without WPA2-Enterprise
Hotspot 2.0 allows only WPA2-Enterprise to be used, so other types of
networks must not be indicated as Hotspot 2.0 networks even if they
(incorrectly) advertise HS 2.0 support.
Jouni Malinen [Sun, 19 Aug 2012 09:26:21 +0000 (12:26 +0300)]
Interworking: Do not reconnect without "auto" parameter
When there was no credential match, but an enabled network block matched
with a scan result, wpa_supplicant reconnected at the end of
interworking_select command even if "auto" parameter was not used. Fix
this by running the reconnect only if requested to automatically select
a network.
Jouni Malinen [Fri, 17 Aug 2012 20:55:14 +0000 (23:55 +0300)]
Fix EAP-FAST with OpenSSL 1.0.1
The mechanism to figure out key block size based on ssl->read_hash
does not seem to work with OpenSSL 1.0.1, so add an alternative
mechanism to figure out the NAC key size that seems to work at
least with the current OpenSSL 1.0.1 releases.
Jouni Malinen [Fri, 17 Aug 2012 19:26:28 +0000 (22:26 +0300)]
Disable TLS Session Ticket extension by default for EAP-TLS/PEAP/TTLS
Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).
Jouni Malinen [Fri, 17 Aug 2012 19:21:28 +0000 (22:21 +0300)]
Add phase1/phase2 parameter for disabling TLS Session Ticket extension
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.
Yoni Divinsky [Fri, 17 Aug 2012 17:53:44 +0000 (20:53 +0300)]
Supply the connection scan results to bgscan after init
If bgscan is enabled, then bgscan is initiated after the connection,
with no bss scan result information. Since a scan was performed prior to
the connection, the information exists and can be used to initialize the
bgscan's cache.
Avinash Patil [Fri, 17 Aug 2012 16:21:40 +0000 (19:21 +0300)]
hostapd: Disable WPS 2.0 when WPA-TKIP only configuration is set
WSC 2.0 deprecates use of WPA (TKIP) and does not allow WPA/TKIP only
configuration (i.e., WPA2/CCMP needs to be enabled in mixed mode for
WPA/TKIP to be acceptable). Enforce this by disabling WPS if
configuration enables WPA/TKIP without WPA2/CCMP.
Jouni Malinen [Thu, 16 Aug 2012 19:56:19 +0000 (22:56 +0300)]
OpenSSL: Silence a compiler warning with OpenSSL 0.9.7
The PKCS5_PBKDF2_HMAC_SHA1() function in OpenSSL 0.9.7 did not mark
the salt parameter const even though it was not modified. Hide the
compiler warning with a type cast when an old OpenSSL version is
used.
Jouni Malinen [Thu, 16 Aug 2012 16:38:15 +0000 (19:38 +0300)]
Do not export TLS keys in FIPS mode
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.
Jouni Malinen [Thu, 16 Aug 2012 16:29:34 +0000 (19:29 +0300)]
OpenSSL: Use internal keying material exporter when possible
Use SSL_export_keying_material() if possible, i.e., if OpenSSL is
version 1.0.1 or newer and if client random value is used first. This
allows MSK derivation with TLS-based EAP methods (apart from EAP-FAST)
without exporting the master key from OpenSSL.
Jouni Malinen [Thu, 16 Aug 2012 16:02:44 +0000 (19:02 +0300)]
EAP-TTLS: Allow TTLS to be built without MSCHAPv2 support
Previously, CONFIG_EAP_MSCHAPV2=y was assumed to be set for
CONFIG_EAP_TTLS=y. Avoid this dependency by making including the
MSCHAPv2 parts in EAP-TTLS conditionally.
Jouni Malinen [Thu, 16 Aug 2012 15:38:11 +0000 (18:38 +0300)]
MSCHAPv2: Check challenge_hash() failures
In theory, the SHA1 operation may fail (e.g., if SHA1 becomes disallowed
in some security policies), so better check the return code from
challenge_hash().
Jouni Malinen [Thu, 16 Aug 2012 14:53:05 +0000 (17:53 +0300)]
Add "make fips" for wpa_supplicant builds with OpenSSL
This can be used for convenience to build wpa_supplicant with OpenSSL
FIPS object module. CONFIG_FIPS=y is expected to be used in
wpa_supplicant/.config when using this option.
Jouni Malinen [Thu, 16 Aug 2012 14:38:46 +0000 (17:38 +0300)]
OpenSSL: Fix memory leak on FIPS error paths
Do not leave the tls_global context allocated if the global OpenSSL
initialization fails. This was possible in case of FIPS builds if
the FIPS mode cannot be initialized.
P2P: Enable 40 MHz support for autonomous P2P group addition
Add optional "ht40" argument for p2p_group_add command to enable 40 MHz
in 5GHz band. This configures the secondary channel, when HT support is
enabled and if the HW supports 40 MHz channel width.
Jouni Malinen [Wed, 15 Aug 2012 16:34:04 +0000 (19:34 +0300)]
Allow non-WPA IEEE 802.1X to be select even if WPA is also enabled
If key_mgmt was set to allow both WPA and non-WPA IEEE 802.1X (i.e., to
IEEE8021X WPA-EAP), non-WPA IEEE 802.1X was rejected while preparing
association parameters. Allow this special case to be handled by
selecting non-WPA case if the scan results for the AP do not include
either WPA or RSN elements.
Eyal Shapira [Mon, 13 Aug 2012 18:48:55 +0000 (21:48 +0300)]
Fix adding extra IEs in sched scan
Refactoring done in commit 46ee0427b13d64dc4695fda24f4f228c99822c11
(IEEE 802.11u: Allow Interworking and HESSID to be configured)
broke adding extra IEs in sched scan. The IEs stopped being added
to the scan params within wpa_supplicant_extra_ies() but no code
was added to add them in wpa_supplicant_req_sched_scan().
Fix this and remove unused params arg in wpa_supplicant_extra_ies().
Jouni Malinen [Mon, 13 Aug 2012 18:33:00 +0000 (21:33 +0300)]
GAS: Fix reporting of GAS query timeouts
GAS_QUERY_TIMEOUT value was used for two different things - enum for
status callback and #define for internal eloop timeout). The latter
overwrites the former and as such, the timeout reported ended up going
out with value 5 which matches with GAS_QUERY_CANCELLED instead of
GAS_QUERY_TIMEOUT. This value was not used in existing code, so this
should not modify the current behavior. Anyway, the correct reason for
the failure should be reported. Rename the internal #define for the
timeout period to avoid the name conflict. [Bug 463]
Jouni Malinen [Mon, 13 Aug 2012 18:20:09 +0000 (21:20 +0300)]
Add os_realloc_array() wrapper
This function can be used as a wrapper for os_realloc(ptr, nmemb * size)
when a reallocation is used for an array. The main benefit over
os_realloc() is in having an extra check to catch integer overflows in
multiplication. This is similar to the os_zalloc() to os_calloc() move.
Jouni Malinen [Mon, 13 Aug 2012 17:42:24 +0000 (20:42 +0300)]
Add os_calloc() wrapper
This function can be used as a wrapper for os_zalloc(nmemb * size) when
an allocation is used for an array. The main benefit over os_zalloc() is
in having an extra check to catch integer overflows in multiplication.
Jouni Malinen [Sun, 12 Aug 2012 08:36:45 +0000 (11:36 +0300)]
Remove default ACM=1 from AC_VO and AC_VI
There is no need to mandate admission control (ACM=1) by default, so
clear that flag in the case the configuration file does not specify
wmm_ac_{vo,vi}_acm value. This gets closer to the values mentioned
in the sample hostapd.conf file and reduces the need to specify WMM
parameters in the configuration file for most common use cases.
In case of P2P GO and AP mode, wpa_supplicant uses the default hostapd
parameters for WMM. In the default parameters the ACM bit for video and
voice are set to 1, meaning, P2P devices and stations which are
connected to the GO cannot pass voice or video data packets. Allow this
to be changed through wpa_supplicant configuration file with wmm_ac_*
parameters.
Jouni Malinen [Sat, 11 Aug 2012 18:14:57 +0000 (21:14 +0300)]
P2P: Increase GO Negotiation timeouts
p2p_set_timeout() calls in GO Neg Req/Resp TX callbacks used timeout of
100 ms which is the value given in the P2P specification for GO
Negotiation, but this was actually shorter than the
wait-for-offchannel-TX value (200 ms) used for the driver call. In
addition, it looks like some devices (e.g., Galaxy Nexus with JB image)
can take longer time to reply to GO Negotiation Response (somewhere
between 200 and 250 ms has been observed).
Increase the wait-for-GO-Neg-Resp timeout from 100 ms to 200 ms if GO
Negotiation Request frame was acknowledged (this matches with the
offchannel wait timeout that used previously). The no-ack case is left
at 100 ms since we use GO Negotiation Request frame also to discover
whether the peer is on its Listen channel.
Increase the wait-for-GO-Neg-Conf timeout from 100 ms to 250 ms (and
increase the offchannel wait timeout to matching 250 ms) as a workaround
for devices that take over 200 ms to reply to GO Negotiation Response.
However, a device driver could return EINVAL for get_bssid() because it
recognizes it has already been disconnected. When the wpa_supplicant
received EINVAL, the bssid field could be used uninitialized in the
following flow:
Arik Nemtsov [Sat, 11 Aug 2012 14:08:54 +0000 (17:08 +0300)]
SME: Correctly check mode HT caps for enabling OBSS scan
Don't assume the 11g mode is always first in the list of mode (sometimes
it isn't). Traverse the array of modes and check the HT40 capability is
turned on for 11g.
projects / thirdparty / hostap.git / log
