| Commit message | Author | Age | Files | Lines |
|
Chargeable-User-Identity can now be used in Disconnect-Request to
identify the station to be disconnected.
Signed-hostap: Jouni Malinen <j@w1.fi>
|
Signed-hostap: Jouni Malinen <j@w1.fi>
|
Signed-hostap: Jouni Malinen <j@w1.fi>
|
Calling-Station-Id, Acct-Session-Id, and User-Name attributes in a
Disconnect-Request message can now be used to indicate which station is
to be disconnected.
Signed-hostap: Jouni Malinen <j@w1.fi>
|
Reject Disconnect-Request if it includes unsupported attributes.
Signed-hostap: Jouni Malinen <j@w1.fi>
|
DAS will now validate Event-Timestamp value to be within an acceptable
time window (300 seconds by default; can be set using
radius_das_time_window parameter). In addition, Event-Timestamp can be
required in Disconnect-Request and CoA-Request messages with
radius_das_require_event_timestamp=1.
Signed-hostap: Jouni Malinen <j@w1.fi>
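Added example (not hostapd code and not part of the commit above): one way to implement the Event-Timestamp window check that this commit message describes, run against a constructed Disconnect-Request. The function, enum and helper names are hypothetical; the time_window and require_ts arguments stand in for radius_das_time_window and radius_das_require_event_timestamp.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN 20        /* code, id, length, 16-octet authenticator */
#define ATTR_EVENT_TIMESTAMP 55  /* RFC 2869: 4-octet seconds since the epoch */

enum das_ts { DAS_TS_OK, DAS_TS_MISSING, DAS_TS_OUT_OF_WINDOW, DAS_TS_MALFORMED };

/* Hypothetical helper. Call it only after the request authenticator has been
 * verified; a timestamp in an unauthenticated message proves nothing. */
enum das_ts das_check_event_timestamp(const uint8_t *msg, size_t len, uint32_t now,
                                      uint32_t time_window, int require_ts)
{
    size_t msg_len = len >= RADIUS_HDR_LEN ? (((size_t) msg[2] << 8) | msg[3]) : 0;
    if (msg_len < RADIUS_HDR_LEN || msg_len > len)
        return DAS_TS_MALFORMED;
    for (size_t pos = RADIUS_HDR_LEN; pos < msg_len; pos += msg[pos + 1]) {
        if (msg_len - pos < 2 || msg[pos + 1] < 2 || msg[pos + 1] > msg_len - pos)
            return DAS_TS_MALFORMED;  /* truncated or overlong attribute */
        if (msg[pos] != ATTR_EVENT_TIMESTAMP)
            continue;
        if (msg[pos + 1] != 6)
            return DAS_TS_MALFORMED;  /* value must be exactly 4 octets */
        uint32_t ts = ((uint32_t) msg[pos + 2] << 24) | ((uint32_t) msg[pos + 3] << 16) |
                      ((uint32_t) msg[pos + 4] << 8) | msg[pos + 5];
        uint32_t delta = ts > now ? ts - now : now - ts;  /* stale or from the future */
        return delta > time_window ? DAS_TS_OUT_OF_WINDOW : DAS_TS_OK;
    }
    return require_ts ? DAS_TS_MISSING : DAS_TS_OK;
}

/* Constructed sample: Disconnect-Request (code 40) carrying only Event-Timestamp. */
size_t build_sample(uint8_t *buf, uint32_t ts)
{
    memset(buf, 0, 26);
    buf[0] = 40; buf[1] = 1; buf[3] = 26;          /* code, identifier, length */
    buf[20] = ATTR_EVENT_TIMESTAMP; buf[21] = 6;   /* attribute type and length */
    for (int i = 0; i < 4; i++) buf[22 + i] = (uint8_t) (ts >> (24 - 8 * i));
    return 26;
}

int main(void)
{
    uint8_t pkt[26];
    size_t n = build_sample(pkt, 1700000000u - 301);  /* constructed: 301 s old */
    printf("result=%d\n", das_check_event_timestamp(pkt, n, 1700000000u, 300, 1));
    return 0;
}
```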
|
This adds the basic DAS mechanism to enable hostapd to be configured
to request dynamic authorization requests (Disconnect-Request and
CoA-Request). This commit does not add actual processing of the
requests, i.e., this will only receive and authenticate the requests
and NAK them regardless of what operation is requested.
Signed-hostap: Jouni Malinen <j@w1.fi>
|
Signed-hostap: Jouni Malinen <j@w1.fi>
|
ieee802_1x_encapsulate_radius() frees the RADIUS message if
radius_client_send() returns error. This could have resulted in use of
freed memory and double freeing of the RADIUS message if send() fails
since the message is also left in the retransmit list. Avoid this by not
returning error to the caller in such a case.
Signed-off-by: Alexander Couzens <lynxis@c-base.org>
|
Remove the GPL notification text from the files that were
initially contributed by myself.
Signed-hostap: Jouni Malinen <j@w1.fi>
|
This allows per-device PSK to be configured for WPA-Personal using a
RADIUS authentication server. This uses RADIUS-based MAC address ACL
(macaddr_acl=2), i.e., Access-Request uses the MAC address of the
station as the User-Name and User-Password. The WPA passphrase is
returned in Tunnel-Password attribute in Access-Accept. This
functionality can be enabled with the new hostapd.conf parameter,
wpa_psk_radius.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
|
Testing code can now be enabled in the hostapd RADIUS server to dump
each derived MSK into a text file (e.g., to be used as an input to
wlantest). This functionality is not included in the default build
and can be enabled by adding the following line to hostapd/.config:
CFLAGS += -DCONFIG_RADIUS_TEST
The MSK dump file is specified with dump_msk_file parameter in
hostapd.conf (path to the dump file). If this variable is not set,
MSK dump mechanism is not enabled at run time.
Signed-hostap: Jouni Malinen <j@w1.fi>
|
Explicitly validate data_len so that static analyzers do not get
confused about the padlen validation. This is not really needed, but it
makes the code a bit easier for static analyzers.
Signed-hostap: Jouni Malinen <j@w1.fi>
|
The internal pointer to RADIUS client configuration needs to be
updated whenever a new hostapd configuration is loaded. Without
this, freed memory may be dereferenced and this can result in
segmentation faults.
|
This adds an initial EAP-pwd (RFC 5931) implementation. For now,
this requires OpenSSL.
|
There are no subdirectories in any of these directories or plans
for adding ones. As such, there is no point in running the loop
that does not do anything and can cause problems with some shells.
|
This needs to be used consistently in order to get correct size for
struct hostapd_ip_addr.
|
This is an internal data structure for RADIUS message handling and
external code should not touch it directly.
|
Since all callers were freeing the buffer immediately anyway, move
this operation into radius_msg_free() to reduce code size.
|
Make it the responsibility of the src/radius user to handle conditional
build rules.
|
In addition, start ordering header file includes to be in more
consistent order: system header files, src/utils, src/*, same
directory as the *.c file.
|
This makes it clearer which files are including headers from src/common.
Some of these cases should probably be cleaned up in the future not to
do that.
In addition, src/common/nl80211_copy.h and wireless_copy.h were moved
into src/drivers since they are only used by driver wrappers and do not
need to live in src/common.
|
No more warnings from Doxygen about missing documentation from
radius_client.[ch].
|
This is not actually used at all and it looks like the rules for
maintaining the old/new RADIUS configuration are not very clear in the
case the RADIUS client configuration did not change. Consequently, it
is better to just remove this for now and if similar functionality is
ever needed, redesign it to be easier to use without causing hard to
find issues with using freed memory.
A simpler approach to reconfiguring the RADIUS client would involve
just deinitializing the old context unconditionally and initializing
a new one whenever the configuration could have changed.
|
This is not used at all inside RADIUS client and as such, it belongs
into hostapd configuration.
|
While the actual use here would be unlikely to be broken by any C
optimization, it is better to use explicit union construction to let
gcc know about the aliasing and avoid warnings from gcc 4.4.
|
radius_server_encapsulate_eap() resets sess->eap->if->eap{Success,Fail}
to FALSE, such that the completion condition is never true.
The net effect is that completed sessions would linger for
RADIUS_SESSION_TIMEOUT seconds.
Signed-off-by: Alex Badea <vamposdecampos@gmail.com>
Previously, the default settings allowed 100 sessions in 60 seconds.
With this fix, the default limit is now 100 sessions per 10 seconds.
[Bug 329]
|
When Linux has Path MTU discovery enabled, it sets by default the DF bit
on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger
than the smallest MTU size to the target, it will be discarded.
This effectively limits RADIUS messages to ~ 1500 Bytes, while they can
be up to 4k according to RFC2865. In practice, this can mean trouble
when doing EAP-TLS with many RADIUS attributes besides the EAP-Message.
[Bug 326]
|
When Linux has Path MTU discovery enabled, it sets by default the DF bit
on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger
than the smallest MTU size to the target, it will be discarded.
This effectively limits RADIUS messages to ~ 1500 Bytes, while they can
be up to 4k according to RFC2865. In practice, this can mean trouble
when doing EAP-TLS with many RADIUS attributes besides the EAP-Message.
[Bug 326]
|
This removes need for local configuration to ignore *.o and *~
and allows the src/*/.gitignore files to be removed (subdirectories
will inherit the rules from the root .gitignore).
|
CONFIG_NO_ACCOUNTING=y and CONFIG_NO_RADIUS=y build options can now be
used to remove RADIUS support from the hostapd build.
|
Previously, only the delivery option 1 from RFC 4284
(EAP-Request/Identity from the AP) was supported. Now option 3
(subsequent EAP-Request/Identity from RADIUS server) can also be used
when hostapd is used as a RADIUS server. The eap_user file will need to
have a Phase 1 user entry pointing to Identity method in order for this
to happen (e.g., "* Identity" in the end of the file). The identity hint
is configured in the same way as for AP/Authenticator case (eap_message
in hostapd.conf).
|
This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.
Currently, hostapd has more complete configuration options for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
a Registrar to configure an AP, this is still using a number of hardcoded
parameters which will need to be made configurable for proper operation.
|
Changed EAP-FAST configuration to use separate fields for A-ID and
A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed
16-octet len binary value for better interoperability with some peer
implementations; eap_fast_a_id is now configured as a hex string.
|
The hardcoded values in eap_fast.c were replaced with values read from
hostapd.conf.