diff options
author | Andrej Shadura <andrew.shadura@collabora.co.uk> | 2019-08-08 15:52:06 +0200 |
---|---|---|
committer | Andrej Shadura <andrew.shadura@collabora.co.uk> | 2019-08-08 15:52:06 +0200 |
commit | 330e83139b2e4f8e3c51965d372b6da17b142cf1 (patch) | |
tree | 22d4cc78e20d14368ddb650af0aec62544a9b067 /hostapd | |
parent | dd6df26b67af10e948e2bad6f92742c8be0cd669 (diff) |
New upstream version 2.9
Diffstat (limited to 'hostapd')
-rw-r--r-- | hostapd/ChangeLog | 24 | ||||
-rw-r--r-- | hostapd/config_file.c | 82 | ||||
-rw-r--r-- | hostapd/hostapd.conf | 18 |
3 files changed, 47 insertions, 77 deletions
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog index 327ee3b..6c4410e 100644 --- a/hostapd/ChangeLog +++ b/hostapd/ChangeLog @@ -1,5 +1,29 @@ ChangeLog for hostapd +2019-08-07 - v2.9 + * SAE changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * EAP-pwd changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * fixed FT-EAP initial mobility domain association using PMKSA caching + * added configuration of airtime policy + * fixed FILS to and RSNE into (Re)Association Response frames + * fixed DPP bootstrapping URI parser of channel list + * added support for regulatory WMM limitation (for ETSI) + * added support for MACsec Key Agreement using IEEE 802.1X/PSK + * added experimental support for EAP-TEAP server (RFC 7170) + * added experimental support for EAP-TLS server with TLS v1.3 + * added support for two server certificates/keys (RSA/ECC) + * added AKMSuiteSelector into "STA <addr>" control interface data to + determine with AKM was used for an association + * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and + fast reauthentication use to be disabled + * fixed an ECDH operation corner case with OpenSSL + 2019-04-21 - v2.8 * SAE changes - added support for SAE Password Identifier diff --git a/hostapd/config_file.c b/hostapd/config_file.c index df41f14..e09e6e1 100644 --- a/hostapd/config_file.c +++ b/hostapd/config_file.c @@ -24,14 +24,6 @@ #include "config_file.h" -#ifndef CONFIG_NO_RADIUS -#ifdef EAP_SERVER -static struct hostapd_radius_attr * -hostapd_parse_radius_attr(const char *value); -#endif /* EAP_SERVER */ -#endif /* CONFIG_NO_RADIUS */ - - #ifndef CONFIG_NO_VLAN static int hostapd_config_read_vlan_file(struct hostapd_bss_config *bss, const char *fname) @@ -660,75 +652,6 @@ hostapd_config_read_radius_addr(struct hostapd_radius_server **server, } -static struct hostapd_radius_attr * -hostapd_parse_radius_attr(const char *value) -{ - const char *pos; - char syntax; - struct hostapd_radius_attr *attr; - size_t len; - - attr = os_zalloc(sizeof(*attr)); - if (attr == NULL) - return NULL; - - attr->type = atoi(value); - - pos = os_strchr(value, ':'); - if (pos == NULL) { - attr->val = wpabuf_alloc(1); - if (attr->val == NULL) { - os_free(attr); - return NULL; - } - wpabuf_put_u8(attr->val, 0); - return attr; - } - - pos++; - if (pos[0] == '\0' || pos[1] != ':') { - os_free(attr); - return NULL; - } - syntax = *pos++; - pos++; - - switch (syntax) { - case 's': - attr->val = wpabuf_alloc_copy(pos, os_strlen(pos)); - break; - case 'x': - len = os_strlen(pos); - if (len & 1) - break; - len /= 2; - attr->val = wpabuf_alloc(len); - if (attr->val == NULL) - break; - if (hexstr2bin(pos, wpabuf_put(attr->val, len), len) < 0) { - wpabuf_free(attr->val); - os_free(attr); - return NULL; - } - break; - case 'd': - attr->val = wpabuf_alloc(4); - if (attr->val) - wpabuf_put_be32(attr->val, atoi(pos)); - break; - default: - os_free(attr); - return NULL; - } - - if (attr->val == NULL) { - os_free(attr); - return NULL; - } - - return attr; -} - static int hostapd_parse_das_client(struct hostapd_bss_config *bss, char *val) { @@ -2706,6 +2629,8 @@ static int hostapd_config_fill(struct hostapd_config *conf, bss->eap_sim_db_timeout = atoi(pos); } else if (os_strcmp(buf, "eap_sim_aka_result_ind") == 0) { bss->eap_sim_aka_result_ind = atoi(pos); + } else if (os_strcmp(buf, "eap_sim_id") == 0) { + bss->eap_sim_id = atoi(pos); #endif /* EAP_SERVER_SIM */ #ifdef EAP_SERVER_TNC } else if (os_strcmp(buf, "tnc") == 0) { @@ -2909,6 +2834,9 @@ static int hostapd_config_fill(struct hostapd_config *conf, a = a->next; a->next = attr; } + } else if (os_strcmp(buf, "radius_req_attr_sqlite") == 0) { + os_free(bss->radius_req_attr_sqlite); + bss->radius_req_attr_sqlite = os_strdup(pos); } else if (os_strcmp(buf, "radius_das_port") == 0) { bss->radius_das_port = atoi(pos); } else if (os_strcmp(buf, "radius_das_client") == 0) { diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf index f2d5873..ce3ecdd 100644 --- a/hostapd/hostapd.conf +++ b/hostapd/hostapd.conf @@ -1205,6 +1205,13 @@ eap_server=0 # (default: 0 = disabled). #eap_sim_aka_result_ind=1 +# EAP-SIM and EAP-AKA identity options +# 0 = do not use pseudonyms or fast reauthentication +# 1 = use pseudonyms, but not fast reauthentication +# 2 = do not use pseudonyms, but use fast reauthentication +# 3 = use pseudonyms and use fast reauthentication (default) +#eap_sim_id=3 + # Trusted Network Connect (TNC) # If enabled, TNC validation will be required before the peer is allowed to # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other @@ -1384,6 +1391,17 @@ own_ip_addr=127.0.0.1 # Operator-Name = "Operator" #radius_acct_req_attr=126:s:Operator +# If SQLite support is included, path to a database from which additional +# RADIUS request attributes are extracted based on the station MAC address. +# +# The schema for the radius_attributes table is: +# id | sta | reqtype | attr : multi-key (sta, reqtype) +# id = autonumber +# sta = station MAC address in `11:22:33:44:55:66` format. +# type = `auth` | `acct` | NULL (match any) +# attr = existing config file format, e.g. `126:s:Test Operator` +#radius_req_attr_sqlite=radius_attr.sqlite + # Dynamic Authorization Extensions (RFC 5176) # This mechanism can be used to allow dynamic changes to user session based on # commands from a RADIUS server (or some other disconnect client that has the |