diff options
| author | Anton Nayshtut <qca_antonn@qca.qualcomm.com> | 2015-10-22 16:48:04 +0000 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2015-12-02 23:52:51 +0530 |
| commit | 8738a7762e2f0e829b5d42918baa0fa302f92c9f (patch) | |
| tree | 4c9cb970c454483179ae58bbeaf0612e8c11d427 /src | |
| parent | 272a91bcb9634c3048d3de74691f13c5d753d373 (diff) | |
| download | android_external_wpa_supplicant_8-8738a7762e2f0e829b5d42918baa0fa302f92c9f.tar.gz android_external_wpa_supplicant_8-8738a7762e2f0e829b5d42918baa0fa302f92c9f.tar.bz2 android_external_wpa_supplicant_8-8738a7762e2f0e829b5d42918baa0fa302f92c9f.zip | |
hostapd: Process MAC ACLs on a station association event (SME in driver)
now hostapd will use station MAC-based permissions according to the
macaddr_acl policy also for drivers which use AP SME offload, but do not
support NL80211_CMD_SET_MAC_ACL for offloading MAC ACL processing. It
should be noted that in this type of case the association goes through
and the station gets disconnected immediately after that.
Change-Id: I88044e351c27dc5af0fc44a6e26c33c550fb84b0
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Git-commit: 0603bcb7fe8babf183362518238c142afe8e2036
Git-repo: git://w1.fi/srv/git/hostap.git
CRs-Fixed: 934469
Diffstat (limited to 'src')
| -rw-r--r-- | src/ap/drv_callbacks.c | 9 | ||||
| -rw-r--r-- | src/ap/ieee802_11_auth.c | 50 | ||||
| -rw-r--r-- | src/ap/ieee802_11_auth.h | 1 |
3 files changed, 44 insertions, 16 deletions
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c index 7094bacc..fbbfe12c 100644 --- a/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c @@ -22,6 +22,7 @@ #include "wnm_ap.h" #include "hostapd.h" #include "ieee802_11.h" +#include "ieee802_11_auth.h" #include "sta_info.h" #include "accounting.h" #include "tkip_countermeasures.h" @@ -114,6 +115,14 @@ int hostapd_notif_assoc(struct hostapd_data *hapd, const u8 *addr, } sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2); + res = hostapd_check_acl(hapd, addr, NULL); + if (res != HOSTAPD_ACL_ACCEPT) { + wpa_printf(MSG_INFO, "STA " MACSTR " not allowed to connect", + MAC2STR(addr)); + reason = WLAN_REASON_UNSPECIFIED; + goto fail; + } + #ifdef CONFIG_P2P if (elems.p2p) { wpabuf_free(sta->p2p_ie); diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c index 0238257d..10d744d5 100644 --- a/src/ap/ieee802_11_auth.c +++ b/src/ap/ieee802_11_auth.c @@ -213,6 +213,32 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr, /** + * hostapd_check_acl - Check a specified STA against accept/deny ACLs + * @hapd: hostapd BSS data + * @addr: MAC address of the STA + * @vlan_id: Buffer for returning VLAN ID + * Returns: HOSTAPD_ACL_ACCEPT, HOSTAPD_ACL_REJECT, or HOSTAPD_ACL_PENDING + */ + int hostapd_check_acl(struct hostapd_data *hapd, const u8 *addr, int *vlan_id) +{ + if (hostapd_maclist_found(hapd->conf->accept_mac, + hapd->conf->num_accept_mac, addr, vlan_id)) + return HOSTAPD_ACL_ACCEPT; + + if (hostapd_maclist_found(hapd->conf->deny_mac, + hapd->conf->num_deny_mac, addr, vlan_id)) + return HOSTAPD_ACL_REJECT; + + if (hapd->conf->macaddr_acl == ACCEPT_UNLESS_DENIED) + return HOSTAPD_ACL_ACCEPT; + if (hapd->conf->macaddr_acl == DENY_UNLESS_ACCEPTED) + return HOSTAPD_ACL_REJECT; + + return HOSTAPD_ACL_PENDING; +} + + +/** * hostapd_allowed_address - Check whether a specified STA can be authenticated * @hapd: hostapd BSS data * @addr: MAC address of the STA @@ -235,6 +261,8 @@ int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr, struct hostapd_sta_wpa_psk_short **psk, char **identity, char **radius_cui) { + int res; + if (session_timeout) *session_timeout = 0; if (acct_interim_interval) @@ -248,18 +276,9 @@ int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr, if (radius_cui) *radius_cui = NULL; - if (hostapd_maclist_found(hapd->conf->accept_mac, - hapd->conf->num_accept_mac, addr, vlan_id)) - return HOSTAPD_ACL_ACCEPT; - - if (hostapd_maclist_found(hapd->conf->deny_mac, - hapd->conf->num_deny_mac, addr, vlan_id)) - return HOSTAPD_ACL_REJECT; - - if (hapd->conf->macaddr_acl == ACCEPT_UNLESS_DENIED) - return HOSTAPD_ACL_ACCEPT; - if (hapd->conf->macaddr_acl == DENY_UNLESS_ACCEPTED) - return HOSTAPD_ACL_REJECT; + res = hostapd_check_acl(hapd, addr, vlan_id); + if (res != HOSTAPD_ACL_PENDING) + return res; if (hapd->conf->macaddr_acl == USE_EXTERNAL_RADIUS_AUTH) { #ifdef CONFIG_NO_RADIUS @@ -268,10 +287,9 @@ int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr, struct hostapd_acl_query_data *query; /* Check whether ACL cache has an entry for this station */ - int res = hostapd_acl_cache_get(hapd, addr, session_timeout, - acct_interim_interval, - vlan_id, psk, - identity, radius_cui); + res = hostapd_acl_cache_get(hapd, addr, session_timeout, + acct_interim_interval, vlan_id, psk, + identity, radius_cui); if (res == HOSTAPD_ACL_ACCEPT || res == HOSTAPD_ACL_ACCEPT_TIMEOUT) return res; diff --git a/src/ap/ieee802_11_auth.h b/src/ap/ieee802_11_auth.h index 2bc1065a..30327104 100644 --- a/src/ap/ieee802_11_auth.h +++ b/src/ap/ieee802_11_auth.h @@ -16,6 +16,7 @@ enum { HOSTAPD_ACL_ACCEPT_TIMEOUT = 3 }; +int hostapd_check_acl(struct hostapd_data *hapd, const u8 *addr, int *vlan_id); int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr, const u8 *msg, size_t len, u32 *session_timeout, u32 *acct_interim_interval, int *vlan_id, |