Jouni Malinen [Fri, 31 Aug 2012 15:33:42 +0000 (18:33 +0300)]
Android: Add Wi-Fi Display into the makefile
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 31 Aug 2012 15:28:54 +0000 (18:28 +0300)]
Android: Include Hotspot 2.0 support in the default build
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 31 Aug 2012 15:25:54 +0000 (18:25 +0300)]
Android: Add new keystore include path for JB
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 31 Aug 2012 15:25:18 +0000 (18:25 +0300)]
Android: Sync with SHA256 hostapd makefile updates
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 30 Aug 2012 13:58:58 +0000 (16:58 +0300)]
Include notes on EAP SIM DB in hostapd using SQLite
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 30 Aug 2012 13:55:36 +0000 (16:55 +0300)]
EAP-SIM DB: Optional use of SQLite database for reauth data
If hostapd is built and configured to use SQLite database, store
EAP-SIM/AKA reauth data into the database to allow this to persist
over hostapd restarts.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 30 Aug 2012 13:04:52 +0000 (16:04 +0300)]
EAP-SIM DB: Optional use of SQLite database for pseudonyms
This allows hostapd to use an SQLite database for storing EAP-SIM/AKA
pseudonyms over process restarts. CONFIG_SQLITE=y build option adds
support for this and the SQLite database file is specified in eap_sib_db
configuration parameter.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 30 Aug 2012 08:53:54 +0000 (11:53 +0300)]
Move WPA cipher information into a shared location
Try to share most of the cipher information like key and RSC lengths and
suite selector conversions, etc. in wpa_common.c to avoid having similar
code throughout the WPA implementation for handling cipher specific
behavior.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 29 Aug 2012 21:37:59 +0000 (00:37 +0300)]
Move variable declaration into the beginning of function
The variables used within the #ifndef block here needs to be defined in
the beginning of the function to avoid issues with some compilers.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 29 Aug 2012 21:35:53 +0000 (00:35 +0300)]
Interworking: Fix build without CONFIG_PCSC=y
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 2 Mar 2012 20:31:04 +0000 (22:31 +0200)]
WFD: Add preliminary WSD request processing and response
This commit does not yet address support for different device roles,
i.e., the same set of subelements are returned regardless of which
role was indicated in the request.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 2 Mar 2012 19:48:57 +0000 (21:48 +0200)]
WFD: Add support for sending Wi-Fi Display service discovery requests
wpa_cli p2p_serv_disc_req command can now be used to request WSD
request to be sent to specified or all peers who support WSD.
format: wifi-display <list of roles> <list of subelements>
examples:
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source] 2,3,4,5
p2p_serv_disc_req 02:01:02:03:04:05 wifi-display [pri-sink] 3
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [sec-source] 2
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source+sink] 2,3,4,5
p2p_serv_disc_req 00:00:00:00:00:00 wifi-display [source][pri-sink] 2,3,4,5
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 2 Mar 2012 15:26:01 +0000 (17:26 +0200)]
WFD: Add wfd_subelems hexdump in BSS ctrl_iface command output
This makes it easier to parse the WFD subelements from scan results.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 2 Mar 2012 15:26:01 +0000 (17:26 +0200)]
WFD: Add Wi-Fi Display support
This commit adds control interface commands and internal storage of
Wi-Fi Display related configuration. In addition, WFD IE is now added
to various P2P frames, Probe Request/Response, and (Re)Association
Request/Response frames. WFD subelements from peers are stored in the
P2P peer table.
Following control interface commands are now available:
SET wifi_display <0/1>
GET wifi_display
WFD_SUBELEM_SET <subelem> [hexdump of length+body]
WFD_SUBELEM_GET <subelem>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 29 Aug 2012 08:52:15 +0000 (11:52 +0300)]
Add support for using GCMP cipher from IEEE 802.11ad
This allows both hostapd and wpa_supplicant to be used to derive and
configure keys for GCMP. This is quite similar to CCMP key
configuration, but a different cipher suite and somewhat different rules
are used in cipher selection. It should be noted that GCMP is not
included in default parameters at least for now, so explicit
pairwise/group configuration is needed to enable it. This may change in
the future to allow GCMP to be selected automatically in cases where
CCMP could have been used.
This commit does not included changes to WPS or P2P to allow GCMP to be
used.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Wei-Jen Lin [Tue, 28 Aug 2012 16:31:58 +0000 (19:31 +0300)]
nl80211: Set P2P multichan concurrency based on interface combinations
Use the NL80211_IFACE_COMB_NUM_CHANNELS value > 1 as a trigger for
enabling support for P2P multichannel channel concurrency. This does not
handle all possible details of enforcing driver capabilities, but it is
a good first step for allowing nl80211 drivers to enable multichannel
concurrency.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 28 Aug 2012 14:38:53 +0000 (17:38 +0300)]
wpa_cli: Add tab completion for p2p_find
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 28 Aug 2012 14:25:09 +0000 (17:25 +0300)]
wpa_cli: Fix tab completion
Commit
b49039bda906461ccee57a41a9012d3df2c9e6bc redesigned tab
completion, but added the new call to completion functions into wrong
location. This needs to be done within the loop to find the correct
completion function.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 28 Aug 2012 13:14:13 +0000 (16:14 +0300)]
Interworking: Add optional use of network selection on normal scans
auto_interworking=1 configuration parameter can be used to request
wpa_supplicant to use Interworking network selection automatically as a
part of the normal (non-Interworking) network selection if the scan
results do not match with enabled networks. This makes scanning work
similarly to the "interworking_select auto" command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 27 Aug 2012 15:13:10 +0000 (18:13 +0300)]
Add generic GAS request mechanism
The new gas_request and gas_response_get commands can be used to request
arbitary GAS queries to be performed. These can be used with ANQP or
with other (including vendor specific) advertisement protocols.
gas_request <BSSID> <AdvProtoID> [Query]
gas_response_get <addr> <dialog token> [offset,length]
For example, ANQP query for Capability list in interactive wpa_cli
session:
> gas_request 02:00:00:00:01:00 00
000102000101
<3>GAS-RESPONSE-INFO addr=02:00:00:00:01:00 dialog_token=0
status_code=0 resp_len=32
> gas_response_get 02:00:00:00:01:00 00
01011c00010102010501070108010c01dddd0c00506f9a110200020304050607
> gas_response_get 02:00:00:00:01:00 00 0,10
01011c00010102010501
> gas_response_get 02:00:00:00:01:00 00 10,10
070108010c01dddd0c00
> gas_response_get 02:00:00:00:01:00 00 20,10
506f9a11020002030405
> gas_response_get 02:00:00:00:01:00 00 30,2
0607
It should be noted that the maximum length of the response buffer is
currently 4096 bytes which allows about 2000 bytes of the response data
to be fetched with a single gas_response_get command. If the response is
longer, it can be fetched in pieces as shown in the example above.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 27 Aug 2012 13:20:10 +0000 (16:20 +0300)]
Add parameter for vendor specific elements into Beacon/Probe Response
The new vendor_elements parameter in hostapd.conf can be used to add new
vendor specific element(s) into Beacon and Probe Response frames.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 27 Aug 2012 10:51:35 +0000 (13:51 +0300)]
WPS: Allow AP that becomes active be tried immediately
Clear the possible blacklisting of a WPS AP during WPS PIN iteration if
the AP moves to selected registrar TRUE state or if it adds our MAC
address to the list of authorized MACs.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 27 Aug 2012 10:48:11 +0000 (13:48 +0300)]
WPS: Maintain more AP state during WPS PIN iteration
Maintain state of WPS APs during iteration to find the correct AP for
WPS PIN operation when no specific BSSID is specified. This information
can be used for optimizing the order in which the APs are tried. This
commit is only adding the collection of the information and more
detailed debug information to make debug logs more helpful in figuring
out how the AP selection order could be improved.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Sun, 26 Aug 2012 20:20:41 +0000 (23:20 +0300)]
Clear current_ssid and key_mgmt when disconnected
This makes wpa_supplicant state somewhat cleaner since the information
from previously used connection is not maintained after getting
disconnected.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 26 Aug 2012 20:19:32 +0000 (23:19 +0300)]
Clear idleWhile timer when EAP peer state machine is not in use
This allows the EAPOL tick timer to be stopped more quickly when
getting disconnected.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 26 Aug 2012 20:01:26 +0000 (23:01 +0300)]
Disable network block temporarily on authentication failures
If 4-way handshake fails due to likely PSK failure or if EAP
authentication fails, disable the network block temporarily. Use longer
duration if multiple consecutive failures are seen.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 26 Aug 2012 18:30:06 +0000 (21:30 +0300)]
wpa_cli: Add optional argument for the help command
"help <cmd>" can now be used to print the usage text for the
specified command (or set of commands matching the prefix).
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 26 Aug 2012 18:20:15 +0000 (21:20 +0300)]
wpa_cli: Add tab completion function into the command table
Instead of using a separate list of commands, use the main command table
to assign tab completion functions. In addition, use the existing BSS
and P2P peer completions functions with the commands that use BSSID or
P2P Device address the first argument.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 26 Aug 2012 17:52:19 +0000 (20:52 +0300)]
Interworking: Fix home SP check with real SIM card
The NAI building routine assumed that the credential included the IMSI,
but that is not the case when using a real SIM card. Build the NAI based
on the IMSI read for the card in such a case.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 26 Aug 2012 17:37:11 +0000 (20:37 +0300)]
Interworking: Fix PLMN matching with multiple entries
The pos variable was not advanced when comparing PLMN entries in
3GPP Cellular Network information and as such, only the first
entry was really used.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Jay Katabathuni [Sat, 25 Aug 2012 13:28:29 +0000 (16:28 +0300)]
HS 2.0: Add NAI Home Realm query
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jay Katabathuni [Sat, 25 Aug 2012 12:58:30 +0000 (15:58 +0300)]
Interworking: Add advertising of NAI Realm list
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jay Katabathuni [Sat, 25 Aug 2012 13:03:51 +0000 (16:03 +0300)]
HS 2.0: Add advertisement of Operator Friendly Name
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Sat, 25 Aug 2012 17:49:30 +0000 (20:49 +0300)]
Interworking: Use generic language,string parser
Replace the Venue Name specific data structure and parser with a
generic mechanism that can be used with other fields that use the
same format.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jay Katabathuni [Sat, 25 Aug 2012 13:09:01 +0000 (16:09 +0300)]
HS 2.0: Add advertisement of WAN Metrics
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jay Katabathuni [Sat, 25 Aug 2012 13:12:40 +0000 (16:12 +0300)]
HS 2.0: Add advertisement of Connection Capability
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jay Katabathuni [Sat, 25 Aug 2012 13:17:21 +0000 (16:17 +0300)]
HS 2.0: Add advertising of Operating Class Indication
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jay Katabathuni [Mon, 30 Jul 2012 19:07:35 +0000 (22:07 +0300)]
Interworking: Add advertising of 3GPP Cellular Network info
The anqp_3gpp_cell_net parameter can be used to configure hostapd
to advertise 3GPP Cellular Network ANQP information.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Shan Palanisamy [Mon, 18 Jun 2012 15:11:54 +0000 (18:11 +0300)]
Support no-config-file in WPS AP settings updates
This is required for WPS open mode with control interface -based
configuration.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Shan Palanisamy [Sat, 25 Aug 2012 08:42:30 +0000 (11:42 +0300)]
Allow hostapd to be started without interfaces
If the control interface is enabled, allow hostapd to be started
without any configuration files specific on the command line since
the interfaces can be added dynamically.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Shan Palanisamy [Sat, 25 Aug 2012 08:37:12 +0000 (11:37 +0300)]
hostapd: Add global ctrl_iface commands for adding/removing interfaces
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Shan Palanisamy [Fri, 16 Dec 2011 18:42:40 +0000 (20:42 +0200)]
hostapd: Add ctrl_iface for enabling/reloading/disabling interface
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Shan Palanisamy [Tue, 20 Dec 2011 15:10:47 +0000 (17:10 +0200)]
hostapd: Add global control interface
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Sat, 25 Aug 2012 09:43:27 +0000 (12:43 +0300)]
Move hostapd global callback functions into hapd_interfaces
These function pointers are going to be the same for each interface so
there is no need to keep them in struct hostapd_iface. Moving them to
struct hapd_interfaces makes it easier to add interfaces at run time.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 25 Aug 2012 10:33:29 +0000 (13:33 +0300)]
wpa_cli: Add a 'raw' command for sending unprocessed data
This can be used to test new control interface commands and to use
commands that may not yet be supported by wpa_cli.
Signed-hostap: Jouni Malinen <j@w1.fi>
Dmitry Shmidt [Sat, 25 Aug 2012 07:23:22 +0000 (10:23 +0300)]
wpa_supplicant: Add bss_flush command to invalidate scan results
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Jouni Malinen [Fri, 24 Aug 2012 17:45:22 +0000 (20:45 +0300)]
P2P: Fix memory leak with driver-based P2P management
If the P2P management operations are handled within the driver, the
P2P service entries were not freed when terminating wpa_supplicant.
Fix this by calling wpas_p2p_service_flush() even if the P2P module
within wpa_supplicant has not been initialized.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 24 Aug 2012 17:44:24 +0000 (20:44 +0300)]
test: Fix driver data pointer for the P2P commands
The driver_test.c data structures had been changed to use a separate
BSS structure, but the P2P commands were not using the new design.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Anirban Sirkhell [Fri, 24 Aug 2012 16:02:56 +0000 (19:02 +0300)]
Add wps_cancel to hostapd_cli help text
Commit
4c374cde2f0b789d5aa1180667173358b71d492c added a new wps_cancel
command, but didn't add it to the usage text in hostapd_cli. Add an
entry for this command.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Sunil Dutt [Fri, 24 Aug 2012 08:54:02 +0000 (11:54 +0300)]
P2P: Fix PD retries on delay in off channel transmission
Commit
488f4a7108e021be97fc1841fff9042d2b7d737f configures a timer
before p2p_send_action(). This may result in the timer getting fired
earlier to the off channel transmission of the frame and thus another PD
request being retransmitted. This shall lead to the new PD request with
an incremented dialog token being transmitted. For the cases where the
later PD request might not be transmitted as the host driver is busy
transmitting the earlier frame, the received PD response could be
dropped for the dialog token mismatch. Remove the timer configuration to
avoid this behavior.
Signed-hostap: Sunil Dutt Undekari <duttus@codeaurora.org>
intended-for: hostap-1
Jouni Malinen [Thu, 23 Aug 2012 21:23:44 +0000 (00:23 +0300)]
P2P: Limit maximum number of stored P2P clients to 100
This limits the maximum size of the p2p_client_list parameter that
is maintained at the GO for a persistent group. In other words, only
the 100 most recently seen P2P clients are kept in the list.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Jouni Malinen [Thu, 23 Aug 2012 20:56:51 +0000 (23:56 +0300)]
Improve p2p_client_list updates in configuration file
This list can get truncated due to too many addresses getting added.
Reorder the entries in a way that allows the most recently added values
to be maintained in the list and use better debug/error messages when
parsing the value.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Jouni Malinen [Thu, 23 Aug 2012 20:52:45 +0000 (23:52 +0300)]
Handle long configuration file lines more gracefully
Skip the end of long configuration lines that get truncated in
wpa_config_get_line(). Without this, the rest of the file was being
parsed as another line and that resulted in an unexpected error
message (wrong line number and wrong starting point).
In addition, increase the read buffer for network blocks from 256
to 2000 since p2p_client_list parameter can have long values. These
were supposed to truncated cleanly, but the unexpected processing of
the end of the file (which is now fixed in this commit) could cause
configuration file to be rejected.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
intended-for: hostap-1
Jouni Malinen [Thu, 23 Aug 2012 17:28:04 +0000 (20:28 +0300)]
P2P: Remove unnecessary call in resuming p2p_find
Commit
99fcd404091a90317f6619e466f544ee32128a23 added a call to update
search delay after failed authentication attempt. This change was
supposed to be only in p2p_supplicant.c for the successful case. The
extra call does not really do anything, but it's good to remove it to
avoid any confusion in the future.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 23 Aug 2012 16:42:53 +0000 (19:42 +0300)]
P2P: Allow scan operations during p2p_find
Previously, all station mode scan operations were either skipped or
delayed while any P2P operation was in progress. To make concurrent
operations easier to use, reduce this limitation by allowing a scan
operation to be completed in the middle of a p2p_find. In addition,
allow station mode association to be completed. When the station mode
operation is run to its completion (scan results not acted on,
connection to an AP completed, connection failed), resume the p2p_find
operation.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 23 Aug 2012 15:34:57 +0000 (18:34 +0300)]
P2P: Use 500 ms search delay by default during concurrent operations
If the p2p_find command is used without the delay parameter, a 500 ms
default search delay will now be used when any interface using the same
radio is in an concurrent operation. "p2p_find delay=0" can be used to
enforce the old behavior in such a case if needed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 23 Aug 2012 15:20:58 +0000 (18:20 +0300)]
P2P: Add option for adding extra delay to p2p_find
A new optional delay=<search delay in milliseconds> parameter can now be
used with p2p_find command to request an extra delay between search
iterations. This can be used, e.g., to make p2p_find friendlier to
concurrent operations by avoiding it from taking 100% of the radio
resources.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 22 Aug 2012 19:34:11 +0000 (22:34 +0300)]
Add UNAUTH-TLS vendor specific EAP type
This EAP type uses a vendor specific expanded EAP header to encapsulate
EAP-TLS with a configuration where the EAP server does not authenticate
the EAP peer. In other words, this method includes only server
authentication. The peer is configured with only the ca_cert parameter
(similarly to other TLS-based EAP methods). This method can be used for
cases where the network provides free access to anyone, but use of RSN
with a securely derived unique PMK for each station is desired.
The expanded EAP header uses the hostapd/wpa_supplicant vendor
code 39068 and vendor type 1 to identify the UNAUTH-TLS method.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 22 Aug 2012 18:37:19 +0000 (21:37 +0300)]
Use proper private enterprise number for EAP VENDOR-TEST
Now that the project has its own code, it should be used with the
VENDOR-TEST EAP method.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 22 Aug 2012 08:16:48 +0000 (11:16 +0300)]
wlantest: Fix couple of compiler warnings
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 22 Aug 2012 08:15:55 +0000 (11:15 +0300)]
Add sha256-prf.tls into libcrypto build
This was forgotten in commit
ab637dcb37057f433932ecc8d45e129cd2d14170.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 21 Aug 2012 18:30:37 +0000 (21:30 +0300)]
HS 2.0: Add preliminary documentation for Hotspot 2.0
This describes wpa_supplicant functionality for Interworking
(probe request parameters, network selection) and Hotspot 2.0.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Sun, 19 Aug 2012 19:59:30 +0000 (22:59 +0300)]
hlr_auc_gw: Add SQLite database support for Milenage information
An SQLite database can now be used to manage the Milenage information
instead of a text file. The new hlr_auc_gw.txt document describes how
this is configured and used.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 19:08:23 +0000 (22:08 +0300)]
hlr_auc_gw: Return FAILURE if IMSI for AKA is not known
Instead of no response, send a FAILURE response as AKA-RESP-AUTH if the
requested IMSI is not known.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 18:17:26 +0000 (21:17 +0300)]
EAP-SIM DB: Fix a memory leak on DB connection re-opening
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 17:51:21 +0000 (20:51 +0300)]
EAP-SIM DB: Do not require external program at startup
The previous implementation was able to re-open the connection to an
external program (e.g., hlr_auc_gw) when needed, but required the
connection to be available during startup. Extend this to allow the
initial failure, so that hlr_auc_gw can be started after hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 16:10:40 +0000 (19:10 +0300)]
WPS: Remove unused credential handlers for 802.1X
The WPA_AUTH_WPA and WPA_AUTH_WPA2 cases have already been rejected in
this function when execution comes here. In theory, support for
WPA-Enterprise could be added, but since that has not happened over the
years, there is no good reason to keep this dead code here.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:54:34 +0000 (18:54 +0300)]
OpenSSL: Make fips186_2_prf() easier for static analyzers
Explicitly validate seed_len to skip memset call with zero length of
copied data at the end of the buffer. This is not really needed, but it
makes the code a bit easier for static analyzers. This is identical to
the commit
a9ea17491a2c9e95bf9ac98fd36e56fde3faf188 but for the OpenSSL
version of the function.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:50:42 +0000 (18:50 +0300)]
Use os_strdup() instead of os_malloc() + os_memcpy()
It is simpler to use os_strdup() to copy strings even if the end results
end up being used as binary data with a separate length field.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:44:53 +0000 (18:44 +0300)]
Remove unnecessary header file inclusion
Commit
bfc62fe1331da4eca6dec70133c5d4cd1d6bc958 moved the code that
using crypto/random.h, but forgot to remove the inclusion of that header
file.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:41:45 +0000 (18:41 +0300)]
Remove unnecessary base64.h inclusion
All the TNC base64 operations are within tncs.c, so there is no point in
including base64.h into eap_server_tnc.c.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:38:27 +0000 (18:38 +0300)]
Handle EVENT_RX_MGMT validation consistently
All the other places processing EVENT_RX_MGMT events assume that the
event data is included, so not much point in verifying that here.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:34:16 +0000 (18:34 +0300)]
Show an error message if sending of Action frame fails
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:32:35 +0000 (18:32 +0300)]
RADIUS DAS: Verify that Error-Code attribute is added
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:28:55 +0000 (18:28 +0300)]
nl80211: Print an error if WDS STA interface cannot be set up
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:25:25 +0000 (18:25 +0300)]
wpabuf: Get rid of separate ext_data pointer
Use an explicit pointer to the beginning of the buffer and a flag
to indicate whether that is to external data or not. This avoids
a branch whenever accessing the buffer and helps some static
analyzers to understand the wpabuf memory uses better.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 15:01:04 +0000 (18:01 +0300)]
Clean up the closed stdin/stdout/stderr workaround to close sockets
Close the workaround sockets when wpa_supplicant exists to avoid
hitting resource leak warnings.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 14:52:41 +0000 (17:52 +0300)]
Use a shared helper function for merging supported rate lists
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 14:23:00 +0000 (17:23 +0300)]
Fix memory allocation failure handling in EAP-TTLS/MSCHAPv2 server
If the os_malloc() call for the User-Name value fails in EAP-TTLS
server, the inner MSCHAPv2 processing could have tried to dereference a
NULL pointer. Avoid this by handling this cleanly as an internal error
and reject the authentication attempt.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Jouni Malinen [Sun, 19 Aug 2012 13:53:15 +0000 (16:53 +0300)]
FIPS: Remove md5-non-fips.c
Commit
c9e08af24fd7dda3f21674cdc744579b8c38fa28 removed the only user of
the special case MD5 use that would be allowed in FIPS mode in
tls_prf_sha1_md5(). Commit
271dbf1594bea461ea2ea7946a773a30bfa254aa
removed the file from the build, but left the implementation into the
repository. To clean things up even further, remove this functionality
completely since it is not expected to be needed for FIPS mode anymore.
Signed-hostap: Jouni Malinen <j@w1.fi>
Michael Braun [Sun, 19 Aug 2012 11:27:30 +0000 (14:27 +0300)]
Add User-Name/CUI from RADIUS ACL in Accounting messages
This allows User-Name and Chargeable-User-Identity attributes to be
passed from Access-Accept into Accounting messages even when IEEE 802.1X
is not used.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Sun, 19 Aug 2012 11:23:20 +0000 (14:23 +0300)]
Initialize EAPOL auth identity/cui with STA entry data
If RADIUS ACL was used for the STA, identity/cui may already be
known at this point.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Sun, 19 Aug 2012 11:20:10 +0000 (14:20 +0300)]
Copy User-Name/CUI from RADIUS ACL to STA entry
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Michael Braun [Sun, 19 Aug 2012 11:09:28 +0000 (14:09 +0300)]
Store User-Name and CUI in RADIUS ACL cache
These can be used for Accounting messages when IEEE 802.1X is not used.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Jouni Malinen [Sun, 19 Aug 2012 10:46:23 +0000 (13:46 +0300)]
Remove an extra level of indentation in hostapd_acl_cache_get()
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 09:53:45 +0000 (12:53 +0300)]
HS 2.0: Do not allow AP hs20=1 configuration without RSN
Hotspot 2.0 networks are required to use WPA2-Enterprise/CCMP, so
enforce this while validating hostapd configuration.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 09:47:20 +0000 (12:47 +0300)]
Interworking: Do not match credentials without WPA2-Enterprise
Since we currently support only HS 2.0 networks with Interworking
network selection, do not indicate credential match unless the
network uses WPA2-Enterprise.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 09:39:39 +0000 (12:39 +0300)]
Interworking: Enforce WPA2-Enterprise/CCMP
Since we currently support only HS 2.0 networks with Interworking
network selection, enforce that WPA2-Enterprise/CCMP is used on the
AP instead of allowing any WPA-Enterprise combination.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 09:34:14 +0000 (12:34 +0300)]
HS 2.0: Do not indicate HS 2.0 status without WPA2-Enterprise
Hotspot 2.0 allows only WPA2-Enterprise to be used, so other types of
networks must not be indicated as Hotspot 2.0 networks even if they
(incorrectly) advertise HS 2.0 support.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 19 Aug 2012 09:26:21 +0000 (12:26 +0300)]
Interworking: Do not reconnect without "auto" parameter
When there was no credential match, but an enabled network block matched
with a scan result, wpa_supplicant reconnected at the end of
interworking_select command even if "auto" parameter was not used. Fix
this by running the reconnect only if requested to automatically select
a network.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 17 Aug 2012 20:55:14 +0000 (23:55 +0300)]
Fix EAP-FAST with OpenSSL 1.0.1
The mechanism to figure out key block size based on ssl->read_hash
does not seem to work with OpenSSL 1.0.1, so add an alternative
mechanism to figure out the NAC key size that seems to work at
least with the current OpenSSL 1.0.1 releases.
Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1
Jouni Malinen [Fri, 17 Aug 2012 19:27:29 +0000 (22:27 +0300)]
Document TLS options in phase1/phase2
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 17 Aug 2012 19:26:28 +0000 (22:26 +0300)]
Disable TLS Session Ticket extension by default for EAP-TLS/PEAP/TTLS
Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 17 Aug 2012 19:21:28 +0000 (22:21 +0300)]
Add phase1/phase2 parameter for disabling TLS Session Ticket extension
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 17 Aug 2012 19:18:54 +0000 (22:18 +0300)]
OpenSSL: Add mechanism for disabling TLS Session Ticket extension
This can be used to implement workaround for authentication servers that
do not handle TLS extensions in ClientHello properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
Yoni Divinsky [Fri, 17 Aug 2012 17:53:44 +0000 (20:53 +0300)]
Supply the connection scan results to bgscan after init
If bgscan is enabled, then bgscan is initiated after the connection,
with no bss scan result information. Since a scan was performed prior to
the connection, the information exists and can be used to initialize the
bgscan's cache.
Signed-hostap: Yoni Divinsky <yoni.divinsky@ti.com>
Avinash Patil [Fri, 17 Aug 2012 16:21:40 +0000 (19:21 +0300)]
hostapd: Disable WPS 2.0 when WPA-TKIP only configuration is set
WSC 2.0 deprecates use of WPA (TKIP) and does not allow WPA/TKIP only
configuration (i.e., WPA2/CCMP needs to be enabled in mixed mode for
WPA/TKIP to be acceptable). Enforce this by disabling WPS if
configuration enables WPA/TKIP without WPA2/CCMP.
Signed-off-by: Avinash Patil <patila@marvell.com>
Jouni Malinen [Thu, 16 Aug 2012 19:56:19 +0000 (22:56 +0300)]
OpenSSL: Silence a compiler warning with OpenSSL 0.9.7
The PKCS5_PBKDF2_HMAC_SHA1() function in OpenSSL 0.9.7 did not mark
the salt parameter const even though it was not modified. Hide the
compiler warning with a type cast when an old OpenSSL version is
used.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 16 Aug 2012 19:34:35 +0000 (22:34 +0300)]
OpenSSL: Implement SHA256 HMAC functions using HMAC API
Use the OpenSSL HMAC implementation instead of the internal sha256.c
implementation of HMAC with SHA256.
Signed-hostap: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 16 Aug 2012 19:24:11 +0000 (22:24 +0300)]
Move SHA256-based PRF function into a separate C file
This makes it easier to conditionally build in SHA256 functions based
on which TLS/crypto library is used.
Signed-hostap: Jouni Malinen <j@w1.fi>