Accumulative patch from commit f5f37d3a4fc2df2a24676b4f95afca15ed793cba
Author: Jouni Malinen <j@w1.fi>
Date: Sun Nov 25 22:05:32 2012 +0200
Fix REAUTHENTICATE command after PMKSA caching
The current PMKSA cache entry needs to be clear to allow EAPOL
reauthentication to be started in case this association used PMKSA
caching.
- Remove old WPS_OOB NCF
- WPS: Add preliminary NFC connection handover support for Enrollee
- WPS: Reenable the networks disabled during wpa_wpas_reassoc
- P2P: Avoid multi-channel scans when they are not needed
- P2P: Allow discoverable interval for p2p_find to be configured
- P2P: Allow all channels with multi-channel concurrency
- Bonjour changes
- Remove disassociate
- HS 2.0 changes
- Add preliminary support for using SQLite for eap_user database
- Add SAE support
- Add disallow_aps parameter to disallow BSSIDs/SSIDs
Change-Id: I85358a05b39d46b8db49acdad667e771c580b05c
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index cea6aa1..4ef1b2e 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -87,6 +87,7 @@
OBJS += src/ap/authsrv.c
OBJS += src/ap/ieee802_1x.c
OBJS += src/ap/ap_config.c
+OBJS += src/ap/eap_user_db.c
OBJS += src/ap/ieee802_11_auth.c
OBJS += src/ap/sta_info.c
OBJS += src/ap/wpa_auth.c
@@ -215,6 +216,10 @@
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_SAE
+L_CFLAGS += -DCONFIG_SAE
+endif
+
ifdef CONFIG_IEEE80211V
L_CFLAGS += -DCONFIG_IEEE80211V
OBJS += src/ap/wnm_ap.c
@@ -402,25 +407,10 @@
NEED_MODEXP=y
CONFIG_EAP=y
-ifdef CONFIG_WPS_UFD
-L_CFLAGS += -DCONFIG_WPS_UFD
-OBJS += src/wps/wps_ufd.c
-NEED_WPS_OOB=y
-endif
-
ifdef CONFIG_WPS_NFC
L_CFLAGS += -DCONFIG_WPS_NFC
OBJS += src/wps/ndef.c
-OBJS += src/wps/wps_nfc.c
NEED_WPS_OOB=y
-ifdef CONFIG_WPS_NFC_PN531
-PN531_PATH ?= /usr/local/src/nfc
-L_CFLAGS += -DCONFIG_WPS_NFC_PN531
-L_CFLAGS += -I${PN531_PATH}/inc
-OBJS += src/wps/wps_nfc_pn531.c
-LIBS += ${PN531_PATH}/lib/wpsnfc.dll
-LIBS += ${PN531_PATH}/lib/libnfc_mapping_pn53x.dll
-endif
endif
ifdef NEED_WPS_OOB
@@ -536,10 +526,6 @@
ifdef TLS_FUNCS
OBJS += src/crypto/tls_gnutls.c
LIBS += -lgnutls -lgpg-error
-ifdef CONFIG_GNUTLS_EXTRA
-L_CFLAGS += -DCONFIG_GNUTLS_EXTRA
-LIBS += -lgnutls-extra
-endif
endif
OBJS += src/crypto/crypto_gnutls.c
HOBJS += src/crypto/crypto_gnutls.c
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 9fc05f7..e739325 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -1,5 +1,95 @@
ChangeLog for hostapd
+????-??-?? - v2.0
+ * added AP-STA-DISCONNECTED ctrl_iface event
+ * improved debug logging (human readable event names, interface name
+ included in more entries)
+ * added number of small changes to make it easier for static analyzers
+ to understand the implementation
+ * added a workaround for Windows 7 Michael MIC failure reporting and
+ use of the Secure bit in EAPOL-Key msg 3/4
+ * fixed number of small bugs (see git logs for more details)
+ * changed OpenSSL to read full certificate chain from server_cert file
+ * nl80211: number of updates to use new cfg80211/nl80211 functionality
+ - replace monitor interface with nl80211 commands
+ - additional information for driver-based AP SME
+ * EAP-pwd:
+ - fix KDF for group 21 and zero-padding
+ - added support for fragmentation
+ - increased maximum number of hunting-and-pecking iterations
+ * avoid excessive Probe Response retries for broadcast Probe Request
+ frames (only with drivers using hostapd SME/MLME)
+ * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
+ * fixed WPS operation stopping on dual concurrent AP
+ * added wps_rf_bands configuration parameter for overriding RF Bands
+ value for WPS
+ * added support for getting per-device PSK from RADIUS Tunnel-Password
+ * added support for libnl 3.2 and newer
+ * increased initial group key handshake retransmit timeout to 500 ms
+ * added a workaround for 4-way handshake to update SNonce even after
+ having sent EAPOL-Key 3/4 to avoid issues with some supplicant
+ implementations that can change SNonce for each EAP-Key 2/4
+ * added a workaround for EAPOL-Key 4/4 using incorrect type value in
+ WPA2 mode (some deployed stations use WPA type in that message)
+ * added a WPS workaround for mixed mode AP Settings with Windows 7
+ * changed WPS AP PIN disabling mechanism to disable the PIN after 10
+ consecutive failures in addition to using the exponential lockout
+ period
+ * added support for WFA Hotspot 2.0
+ - GAS/ANQP advertisement of network information
+ - disable_dgaf parameter to disable downstream group-addressed
+ forwarding
+ * simplified licensing terms by selecting the BSD license as the only
+ alternative
+ * EAP-SIM: fixed re-authentication not to update pseudonym
+ * EAP-SIM: use Notification round before EAP-Failure
+ * EAP-AKA: added support for AT_COUNTER_TOO_SMALL
+ * EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized
+ * EAP-AKA': fixed identity for MK derivation
+ * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this
+ breaks interoperability with older versions
+ * EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id
+ * changed ANonce to be a random number instead of Counter-based
+ * added support for canceling WPS operations with hostapd_cli wps_cancel
+ * fixed EAP/WPS to PSK transition on reassociation in cases where
+ deauthentication is missed
+ * hlr_auc_gw enhancements:
+ - a new command line parameter -u can be used to enable updating of
+ SQN in Milenage file
+ - use 5 bit IND for SQN updates
+ - SQLite database can now be used to store Milenage information
+ * EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms
+ and reauth data
+ * added support for Chargeable-User-Identity (RFC 4372)
+ * added radius_auth_req_attr and radius_acct_req_attr configuration
+ parameters to allow adding/overriding of RADIUS attributes in
+ Access-Request and Accounting-Request packets
+ * added support for RADIUS dynamic authorization server (RFC 5176)
+ * added initial support for WNM operations
+ - BSS max idle period
+ - WNM-Sleep Mode
+ * added new WPS NFC ctrl_iface mechanism
+ - removed obsoleted WPS_OOB command (including support for deprecated
+ UFD config_method)
+ * added FT support for drivers that implement MLME internally
+ * added SA Query support for drivers that implement MLME internally
+ * removed default ACM=1 from AC_VO and AC_VI
+ * changed VENDOR-TEST EAP method to use proper private enterprise number
+ (this will not interoperate with older versions)
+ * added hostapd.conf parameter vendor_elements to allow arbitrary vendor
+ specific elements to be added to the Beacon and Probe Response frames
+ * added support for configuring GCMP cipher for IEEE 802.11ad
+ * added support for 256-bit AES with internal TLS implementation
+ * changed EAPOL transmission to use AC_VO if WMM is active
+ * fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length
+ correctly; invalid messages could have caused the hostapd process to
+ terminate before this fix [CVE-2012-4445]
+ * limit number of active wildcard PINs for WPS Registrar to one to avoid
+ confusing behavior with multiple wildcard PINs
+ * added a workaround for WPS PBC session overlap detection to avoid
+ interop issues with deployed station implementations that do not
+ remove active PBC indication from Probe Request frames properly
+
2012-05-10 - v1.0
* Add channel selection support in hostapd. See hostapd.conf.
* Add support for IEEE 802.11v Time Advertisement mechanism with UTC
diff --git a/hostapd/Makefile b/hostapd/Makefile
index f5dfce0..4cc3805 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -43,6 +43,7 @@
OBJS += ../src/ap/authsrv.o
OBJS += ../src/ap/ieee802_1x.o
OBJS += ../src/ap/ap_config.o
+OBJS += ../src/ap/eap_user_db.o
OBJS += ../src/ap/ieee802_11_auth.o
OBJS += ../src/ap/sta_info.o
OBJS += ../src/ap/wpa_auth.o
@@ -171,6 +172,10 @@
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_SAE
+CFLAGS += -DCONFIG_SAE
+endif
+
ifdef CONFIG_IEEE80211V
CFLAGS += -DCONFIG_IEEE80211V
OBJS += ../src/ap/wnm_ap.o
@@ -357,25 +362,10 @@
NEED_MODEXP=y
CONFIG_EAP=y
-ifdef CONFIG_WPS_UFD
-CFLAGS += -DCONFIG_WPS_UFD
-OBJS += ../src/wps/wps_ufd.o
-NEED_WPS_OOB=y
-endif
-
ifdef CONFIG_WPS_NFC
CFLAGS += -DCONFIG_WPS_NFC
OBJS += ../src/wps/ndef.o
-OBJS += ../src/wps/wps_nfc.o
NEED_WPS_OOB=y
-ifdef CONFIG_WPS_NFC_PN531
-PN531_PATH ?= /usr/local/src/nfc
-CFLAGS += -DCONFIG_WPS_NFC_PN531
-CFLAGS += -I${PN531_PATH}/inc
-OBJS += ../src/wps/wps_nfc_pn531.o
-LIBS += ${PN531_PATH}/lib/wpsnfc.dll
-LIBS += ${PN531_PATH}/lib/libnfc_mapping_pn53x.dll
-endif
endif
ifdef NEED_WPS_OOB
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 0a24ec3..8af8157 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -200,6 +200,12 @@
if (!fname)
return 0;
+ if (os_strncmp(fname, "sqlite:", 7) == 0) {
+ os_free(conf->eap_user_sqlite);
+ conf->eap_user_sqlite = os_strdup(fname + 7);
+ return 0;
+ }
+
f = fopen(fname, "r");
if (!f) {
wpa_printf(MSG_ERROR, "EAP user file '%s' not found.", fname);
@@ -624,6 +630,12 @@
else if (os_strcmp(start, "WPA-EAP-SHA256") == 0)
val |= WPA_KEY_MGMT_IEEE8021X_SHA256;
#endif /* CONFIG_IEEE80211W */
+#ifdef CONFIG_SAE
+ else if (os_strcmp(start, "SAE") == 0)
+ val |= WPA_KEY_MGMT_SAE;
+ else if (os_strcmp(start, "FT-SAE") == 0)
+ val |= WPA_KEY_MGMT_FT_SAE;
+#endif /* CONFIG_SAE */
else {
wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'",
line, start);
@@ -2512,6 +2524,9 @@
} else if (os_strcmp(buf, "vht_oper_centr_freq_seg0_idx") == 0)
{
conf->vht_oper_centr_freq_seg0_idx = atoi(pos);
+ } else if (os_strcmp(buf, "vht_oper_centr_freq_seg1_idx") == 0)
+ {
+ conf->vht_oper_centr_freq_seg1_idx = atoi(pos);
#endif /* CONFIG_IEEE80211AC */
} else if (os_strcmp(buf, "max_listen_interval") == 0) {
bss->max_listen_interval = atoi(pos);
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index 1b8bede..ccc018e 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -250,30 +250,6 @@
}
-#ifdef CONFIG_WPS_OOB
-static int hostapd_ctrl_iface_wps_oob(struct hostapd_data *hapd, char *txt)
-{
- char *path, *method, *name;
-
- path = os_strchr(txt, ' ');
- if (path == NULL)
- return -1;
- *path++ = '\0';
-
- method = os_strchr(path, ' ');
- if (method == NULL)
- return -1;
- *method++ = '\0';
-
- name = os_strchr(method, ' ');
- if (name != NULL)
- *name++ = '\0';
-
- return hostapd_wps_start_oob(hapd, txt, path, method, name);
-}
-#endif /* CONFIG_WPS_OOB */
-
-
#ifdef CONFIG_WPS_NFC
static int hostapd_ctrl_iface_wps_nfc_tag_read(struct hostapd_data *hapd,
char *pos)
@@ -912,11 +888,6 @@
} else if (os_strcmp(buf, "WPS_CANCEL") == 0) {
if (hostapd_wps_cancel(hapd))
reply_len = -1;
-#ifdef CONFIG_WPS_OOB
- } else if (os_strncmp(buf, "WPS_OOB ", 8) == 0) {
- if (hostapd_ctrl_iface_wps_oob(hapd, buf + 8))
- reply_len = -1;
-#endif /* CONFIG_WPS_OOB */
} else if (os_strncmp(buf, "WPS_AP_PIN ", 11) == 0) {
reply_len = hostapd_ctrl_iface_wps_ap_pin(hapd, buf + 11,
reply, reply_size);
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 204aa76..b5ddca3 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -265,5 +265,5 @@
# Hotspot 2.0
#CONFIG_HS20=y
-# Enable SQLite database support in hlr_auc_gw
+# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
#CONFIG_SQLITE=y
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index edbd772..c839ad0 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -572,6 +572,12 @@
# which is channel 42 in 5G band
#
#vht_oper_centr_freq_seg0_idx=42
+#
+# center freq = 5 GHz + (5 * index)
+# So index 159 gives center freq 5.795 GHz
+# which is channel 159 in 5G band
+#
+#vht_oper_centr_freq_seg1_idx=159
##### IEEE 802.1X-2004 related configuration ##################################
@@ -629,6 +635,8 @@
eap_server=0
# Path for EAP server user database
+# If SQLite support is included, this can be set to "sqlite:/path/to/sqlite.db"
+# to use SQLite database instead of a text file.
#eap_user_file=/etc/hostapd.eap_user
# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
diff --git a/hostapd/hostapd.eap_user_sqlite b/hostapd/hostapd.eap_user_sqlite
new file mode 100644
index 0000000..f688327
--- /dev/null
+++ b/hostapd/hostapd.eap_user_sqlite
@@ -0,0 +1,17 @@
+CREATE TABLE users(
+ identity TEXT PRIMARY KEY,
+ methods TEXT,
+ password TEXT,
+ phase2 INTEGER
+);
+
+CREATE TABLE wildcards(
+ identity TEXT PRIMARY KEY,
+ methods TEXT
+);
+
+INSERT INTO users(identity,methods,password,phase2) VALUES ('user','TTLS-MSCHAPV2','password',1);
+INSERT INTO users(identity,methods,password,phase2) VALUES ('DOMAIN\mschapv2 user','TTLS-MSCHAPV2','password',1);
+
+INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS');
+INSERT INTO wildcards(identity,methods) VALUES ('0','AKA');
diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c
index 27bea2a..de1af3b 100644
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -72,9 +72,6 @@
" wps_check_pin <PIN> verify PIN checksum\n"
" wps_pbc indicate button pushed to initiate PBC\n"
" wps_cancel cancel the pending WPS operation\n"
-#ifdef CONFIG_WPS_OOB
-" wps_oob <type> <path> <method> use WPS with out-of-band (UFD)\n"
-#endif /* CONFIG_WPS_OOB */
#ifdef CONFIG_WPS_NFC
" wps_nfc_tag_read <hexdump> report read NFC tag with WPS data\n"
" wps_nfc_config_token <WPS/NDEF> build NFC configuration token\n"
@@ -410,40 +407,6 @@
}
-#ifdef CONFIG_WPS_OOB
-static int hostapd_cli_cmd_wps_oob(struct wpa_ctrl *ctrl, int argc,
- char *argv[])
-{
- char cmd[256];
- int res;
-
- if (argc != 3 && argc != 4) {
- printf("Invalid WPS_OOB command: need three or four "
- "arguments:\n"
- "- DEV_TYPE: use 'ufd' or 'nfc'\n"
- "- PATH: path of OOB device like '/mnt'\n"
- "- METHOD: OOB method 'pin-e' or 'pin-r', "
- "'cred'\n"
- "- DEV_NAME: (only for NFC) device name like "
- "'pn531'\n");
- return -1;
- }
-
- if (argc == 3)
- res = os_snprintf(cmd, sizeof(cmd), "WPS_OOB %s %s %s",
- argv[0], argv[1], argv[2]);
- else
- res = os_snprintf(cmd, sizeof(cmd), "WPS_OOB %s %s %s %s",
- argv[0], argv[1], argv[2], argv[3]);
- if (res < 0 || (size_t) res >= sizeof(cmd) - 1) {
- printf("Too long WPS_OOB command.\n");
- return -1;
- }
- return wpa_ctrl_command(ctrl, cmd);
-}
-#endif /* CONFIG_WPS_OOB */
-
-
#ifdef CONFIG_WPS_NFC
static int hostapd_cli_cmd_wps_nfc_tag_read(struct wpa_ctrl *ctrl, int argc,
char *argv[])
@@ -809,9 +772,6 @@
{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin },
{ "wps_pbc", hostapd_cli_cmd_wps_pbc },
{ "wps_cancel", hostapd_cli_cmd_wps_cancel },
-#ifdef CONFIG_WPS_OOB
- { "wps_oob", hostapd_cli_cmd_wps_oob },
-#endif /* CONFIG_WPS_OOB */
#ifdef CONFIG_WPS_NFC
{ "wps_nfc_tag_read", hostapd_cli_cmd_wps_nfc_tag_read },
{ "wps_nfc_config_token", hostapd_cli_cmd_wps_nfc_config_token },