Jouni Malinen [Sun, 11 Oct 2009 19:23:05 +0000 (22:23 +0300)]
Fix EAP-AKA server build without EAP-SIM
Jouni Malinen [Sun, 11 Oct 2009 19:04:29 +0000 (22:04 +0300)]
Clean up crypto makefile segments
Reorganize the TLS/crypto library segments into a single set of blocks
for each library instead of multiple locations handling library-specific
operations. Group crypto functionality together and get wpa_supplicant
and hostapd Makefile closer to each other in order to make it easier to
eventually move this into a shared makefile.
Jouni Malinen [Sun, 11 Oct 2009 17:34:26 +0000 (20:34 +0300)]
Move TLS_FUNCS and NEED_CRYPTO segment next to each other
Jouni Malinen [Sun, 11 Oct 2009 17:31:15 +0000 (20:31 +0300)]
Further crypto makefile unification
Jouni Malinen [Sun, 11 Oct 2009 17:19:12 +0000 (20:19 +0300)]
Fix crypto config for minimal builds
Jouni Malinen [Sun, 11 Oct 2009 16:42:04 +0000 (19:42 +0300)]
Cleaned up and unified some of the crypto Makefile code
Jouni Malinen [Sun, 11 Oct 2009 16:17:22 +0000 (19:17 +0300)]
Allow the internal DH implementation to be overridden
Crypto library wrappers can now override the internal DH (group 5)
implementation. As a starting point, this is done with OpenSSL. The
new mechanism is currently available only for WPS (i.e., IKEv2 still
depends on the internal DH implementation).
Jouni Malinen [Sun, 11 Oct 2009 12:24:40 +0000 (15:24 +0300)]
Include only the used DH groups in the build
This reduces the binary size by 3 kB or so when WPS is included in
the build, but IKEv2 is not.
Jouni Malinen [Thu, 1 Oct 2009 14:53:22 +0000 (17:53 +0300)]
nl80211: Add parsing of NL80211_BSS_SEEN_MS_AGO into scan results
Jouni Malinen [Thu, 1 Oct 2009 10:58:17 +0000 (13:58 +0300)]
nl80211: Recognize NL80211_CMD_TRIGGER_SCAN events
Replace "nl80211: Ignored unknown event (cmd=33)" with
"nl80211: Scan trigger" to make debug output clearer. We do not
currently do anything with this event apart from showing it in
the debug log.
Blaž Bačnik [Wed, 30 Sep 2009 17:44:04 +0000 (20:44 +0300)]
Fix VLAN ID validation check to use the new VLAN ID
When checking the validity of VLAN ID based on RADIUS-based ACL or
accept_mac_file, the assigned vlan_id, not the old sta->vlan_id
(likely zero) needs to be used.
Jouni Malinen [Wed, 30 Sep 2009 17:12:32 +0000 (20:12 +0300)]
NSS: Implement TLS PRF using new TLS extractor interface
This allows NSS to be used to derive EAP-TLS/PEAP/TTLS keying material.
NSS requires a patch from
https://bugzilla.mozilla.org/show_bug.cgi?id=507359
to provide the new API. In addition, that patch needs to be modified to
add the 16-bit context length value in SSL_ExportKeyingMaterial() only if
contextlen != 0 in order to match with the EAP-TLS/PEAP/TTLS use cases.
This issue seems to be coming from the unfortunate incompatibility in
draft-ietf-tls-extractor-07.txt (draft-ietf-tls-extractor-00.txt would
have used compatible PRF construction).
At this point, it is unclear how this will be resolved eventually, but
anyway, this shows a mechanism that can be used to implement EAP key
derivation with NSS with a small patch to NSS.
Johannes Berg [Wed, 30 Sep 2009 16:23:52 +0000 (19:23 +0300)]
nl80211: Fix a typo in set_sta_vlan()
The VLAN interface index needs to use NL80211_ATTR_STA_VLAN. It was
adding a duplicate NL80211_ATTR_IFINDEX.
Jouni Malinen [Wed, 30 Sep 2009 16:14:43 +0000 (19:14 +0300)]
Fix wpa_passphrase build with NSS
Jouni Malinen [Tue, 29 Sep 2009 20:16:21 +0000 (23:16 +0300)]
wpa_gui-qt4: Add pending WPS PIN queries into peer dialog
Whenever running wpa_supplicant in AP mode with WPS enabled, the
notifications of missing WPS PIN are now shown on the peer dialog
to make it easier to provide the PIN.
Jouni Malinen [Tue, 29 Sep 2009 18:25:14 +0000 (21:25 +0300)]
Fix hostapd wpa_msg() calls ctx for wpa_supplicant AP mode
Need to use wpa_s pointer, not hapd pointer, for these calls.
Jouni Malinen [Tue, 29 Sep 2009 17:51:45 +0000 (20:51 +0300)]
wpa_gui-qt4: Fix peer_role_address for AP entry
Jouni Malinen [Tue, 29 Sep 2009 14:11:36 +0000 (17:11 +0300)]
Allow IBSS/AP mode networks to be created in ap_scan=1 mode
If no BSSes/IBSSes matching the enabled networks are found in the scan
results, IBSS/AP mode network (if configured) can be created in
ap_scan=1 mode instead of requiring ap_scan=2 mode to be used whenever
using IBSS or AP mode.
Jouni Malinen [Tue, 29 Sep 2009 11:30:11 +0000 (14:30 +0300)]
Split wpa_supplicant_event_scan_results() into helper functions
Jouni Malinen [Mon, 28 Sep 2009 22:21:09 +0000 (01:21 +0300)]
Add preliminary version of NSS TLS/crypto wrapper for wpa_supplicant
This brings in the first step in adding support for using NSS
(Mozilla Network Security Services) as the crypto and TLS library
with wpa_supplicant. This version is able to run through EAP-PEAP
and EAP-TTLS authentication, but does not yet implement any
certificate/private key configuration. In addition, this does not
implement proper key fetching functions either, so the end result
is not really of much use in the real world yet.
Masashi Honma [Mon, 28 Sep 2009 13:10:02 +0000 (16:10 +0300)]
DragonFly BSD: Fix wired IEEE 802.1X
On DragonFly BSD, wired IEEE 802.1X fails with this message:
ioctl[SIOC{ADD/DEL}MULTI]: Invalid argument
This patch solves this issue.
I have tested with these:
OS : DragonFly BSD 2.4.0
EAP : EAP-TLS
Switch : Cisco Catalyst 2950
Jouni Malinen [Sat, 26 Sep 2009 18:30:43 +0000 (21:30 +0300)]
Remove the STA entry on reassociation to clear STA PS state
hostapd needs to remove the old STA entry if it exists when processing
reassociation back to the same AP. This removes the potentially PS
buffered frames and allows association parameters to be updated with
mac80211.
Masashi Honma [Sat, 26 Sep 2009 16:29:03 +0000 (19:29 +0300)]
Mac OS X: Fix wired IEEE 802.1X
Jouni Malinen [Tue, 15 Sep 2009 08:23:48 +0000 (11:23 +0300)]
nl80211: Use defines for NL80211_KEY_CIPHER values
Jouni Malinen [Tue, 15 Sep 2009 08:21:25 +0000 (11:21 +0300)]
Revert "nl80211: Share the same routine for NL80211_ATTR_KEY_CIPHER setup"
This reverts commit 5aa9cb5cca24268ae3a8cc35c85215b4a9a513b6.
The nested key attribute is using different attribute values
(NL80211_KEY_* vs. NL80211_ATTR_KEY_*), so cannot share the same routine
for these purposes.
Jouni Malinen [Tue, 15 Sep 2009 07:54:41 +0000 (10:54 +0300)]
nl80211: Share the same routine for NL80211_ATTR_KEY_CIPHER setup
Johannes Berg [Tue, 15 Sep 2009 07:48:30 +0000 (10:48 +0300)]
driver_nl80211: Fix MLME key settings for static WEP
Current wpa_supplicant has a bug with WEP keys: it adds a zero-length
sequence counter field to netlink which the kernel doesn't accept.
Additionally, the kernel API slightly changed to accept keys only when
connected, so we need to send it the keys after that. For that to work
with shared key authentication, we also include the default WEP TX key
in the authentication command.
To upload the keys properly _after_ associating, add a new flag
WPA_DRIVER_FLAGS_SET_KEYS_AFTER_ASSOC_DONE indicating that the driver
needs the keys at that point and not earlier.
Jouni Malinen [Mon, 14 Sep 2009 21:08:24 +0000 (00:08 +0300)]
Add preliminary background scan and roaming module design
This allows background scanning and roaming decisions to be contained in
a single place based on a defined set of notification events which will
hopefully make it easier to experiment with roaming improvements. In
addition, this allows multiple intra-ESS roaming policies to be used
(each network configuration block can configure its own bgscan module).
The beacon loss and signal strength notifications are implemented for
the bgscan API, but the actual events are not yet available from the
driver.
The included sample bgscan module ("simple") is an example of what can
be done with the new bgscan mechanism. It requests periodic background
scans when the device remains associated with an ESS and has a couple of
notes on what a more advanced bgscan module could do to optimize
background scanning and roaming. The periodic scans will cause the scan
result handler to pick a better AP if one becomes available. This bgscan
module can be taken into use by adding bgscan="simple" (or
bgscan="simple:<bgscan interval in seconds>") into the network
configuration block.
Samuel Ortiz [Mon, 14 Sep 2009 14:25:03 +0000 (17:25 +0300)]
Getting back to DISCONNECTED after SCANNING
After transitioning from DISCONNECTED to SCANNING, we never go back
to DISCONNECTED even though scanning is done or failed.
We're thus stuck in SCANNING while scanning is actually done.
Masashi Honma [Mon, 14 Sep 2009 13:50:53 +0000 (16:50 +0300)]
WPS: Fix CONFIG_WPS=y compilation of wpa_supplicant
The wpa_supplicant compilation failed with CONFIG_WPS=y option
if CONFIG_CLIENT_MLME and CONFIG_IEEE80211R are not used.
Witold Sowa [Sun, 13 Sep 2009 19:21:52 +0000 (22:21 +0300)]
Share same freeing and error checking code in get_scan_results
Convert wpa_supplicant_get_scan_results_old() to use the same return
style with the other get_scan_results options and clean up the code
by sharing the same scan result freeing and error checking code for
all the options.
Witold Sowa [Sun, 13 Sep 2009 18:16:43 +0000 (21:16 +0300)]
Use shared functions for network operations and param changes
Instead of implementing these separately in various control
interface handlers, use shared functions. These add some of the
previously missing notification calls, too, for the affected areas.
Jouni Malinen [Sun, 13 Sep 2009 17:53:32 +0000 (20:53 +0300)]
Add wpa_supplicant notification calls
This introduces a new mechanism for collecting notification calls into
a single place (notify.c). As a result of this, most of the
wpa_supplicant code does not need to know about dbus (etc. mechanisms
that could use the notifications). Some empty placeholder functions are
also added in preparation of new dbus code that needs more event
notifications.
Witold Sowa [Sun, 13 Sep 2009 17:27:54 +0000 (20:27 +0300)]
Remove extra whitespace
Jouni Malinen [Fri, 11 Sep 2009 16:06:38 +0000 (19:06 +0300)]
wpa_gui-qt4: Fix WPS AP detection for peer window
Jouni Malinen [Fri, 11 Sep 2009 15:37:16 +0000 (18:37 +0300)]
wpa_gui-qt4: Add scan results into the peer window
In addition, add a peer entry type for each peer entry. Currently,
this is only stored as an integer and visible in the context menu.
Eventually, different icons should be used based on this type.
Jouni Malinen [Fri, 11 Sep 2009 14:52:46 +0000 (17:52 +0300)]
wpa_gui-qt4: Handle UNKNOWN COMMAND reply during peer window update
Avoid an infinite loop if wpa_supplicant is not built with AP support.
Jouni Malinen [Fri, 11 Sep 2009 14:14:49 +0000 (17:14 +0300)]
Add parsed information from WPS IE(s) into scan results
This makes it easier for external programs to show WPS information
since they do not need to parse the WPS IE themselves anymore.
Jouni Malinen [Fri, 11 Sep 2009 14:13:59 +0000 (17:13 +0300)]
WPS: Add parsing of AP Setup Locked attribute
Jouni Malinen [Fri, 11 Sep 2009 13:45:34 +0000 (16:45 +0300)]
Fix driver_test for hostapd
Commit 0b55b934ee6243f2682524b0a733cc1468e20050 broke this by not
initializing drv->ap = 1 in hostapd case since the mode updating
code ended up unlinking the socket file. Setting drv->ap = 1
removes the mode change and as such, unlinking of the socket file.
Jouni Malinen [Fri, 11 Sep 2009 13:36:59 +0000 (16:36 +0300)]
Convert WPS IE concat routine to a generic helper
This may also be needed in wpa_supplicant and potentially for other
IE types, too.
Jouni Malinen [Thu, 10 Sep 2009 21:22:35 +0000 (00:22 +0300)]
driver_test: Update BSS data when using wpa_supplicant AP mode
Jouni Malinen [Thu, 10 Sep 2009 21:17:35 +0000 (00:17 +0300)]
driver_test: Implement set_mode for wpa_supplicant AP deinit
Jouni Malinen [Thu, 10 Sep 2009 14:41:29 +0000 (17:41 +0300)]
driver_test: Preliminary support for wpa_supplicant AP functionality
Jouni Malinen [Thu, 10 Sep 2009 14:03:51 +0000 (17:03 +0300)]
driver_test: Share the same deinit() for hostapd and wpa_supplicant
Jouni Malinen [Thu, 10 Sep 2009 13:52:03 +0000 (16:52 +0300)]
driver_test: Merge socket_dir into test_dir
Jouni Malinen [Thu, 10 Sep 2009 13:48:10 +0000 (16:48 +0300)]
driver_test: Some additional merging of send_mlme
Jouni Malinen [Thu, 10 Sep 2009 13:30:35 +0000 (16:30 +0300)]
driver_test: Claim AP mode capability for wpa_supplicant
Jouni Malinen [Thu, 10 Sep 2009 13:28:47 +0000 (16:28 +0300)]
driver_test: Build most of code in unconditionally
It is simpler to just build in all the test driver code regardless
of whether this is for hostapd or wpa_supplicant (which will eventually
get AP mode support with driver_test, too).
Jouni Malinen [Thu, 10 Sep 2009 13:18:04 +0000 (16:18 +0300)]
driver_test: Merge wpa_supplicant and hostapd data structures
There is no real need to keep these in separate data structures with
different names.
Jouni Malinen [Thu, 10 Sep 2009 11:43:08 +0000 (14:43 +0300)]
wpa_gui-qt4: Add context menu for peers dialog
Replace the clicked() event with more appropriate context menu
and add a WPS PIN entry as an example command.
Alex Badea [Wed, 9 Sep 2009 20:54:03 +0000 (23:54 +0300)]
radius_server: clean up completed sessions sooner
radius_server_encapsulate_eap() resets sess->eap->if->eap{Success,Fail}
to FALSE, such that the completion condition is never true.
The net effect is that completed sessions would linger for
RADIUS_SESSION_TIMEOUT seconds.
Signed-off-by: Alex Badea <vamposdecampos@gmail.com>
Previously, the default settings allowed 100 sessions in 60 seconds.
With this fix, the default limit is now 100 sessions per 10 seconds.
[Bug 329]
Jouni Malinen [Wed, 9 Sep 2009 08:11:42 +0000 (11:11 +0300)]
wpa_gui-qt4: Include cstdio to avoid some compiler issues
It looks like some build systems do not find snprintf() here unless
cstdio is included explicitly.
Jouni Malinen [Tue, 8 Sep 2009 13:28:41 +0000 (16:28 +0300)]
wpa_gui-qt4: Add a new window for showing peer information
This provides some initial functionality for showing peer information,
i.e., showing information about other devices that have been discovered.
Currently, information is only available in the AP mode (list of
associated stations), but this is expected to increase in the future
(e.g., show the current AP in station mode, other stations in IBSS,
etc.). Furthermore, there will be actions available for doing things
like providing a WPS PIN for a station.
Jouni Malinen [Tue, 8 Sep 2009 09:58:02 +0000 (12:58 +0300)]
Add station table query to wpa_supplicant AP ctrl_iface
"wpa_cli all_sta" and "wpa_cli sta <addr>" can now be used to fetch
information about stations associated with the
wpa_supplicant-controlled AP.
Jouni Malinen [Tue, 8 Sep 2009 09:56:07 +0000 (12:56 +0300)]
Move STA list ctrl_iface handlers to a separate file
This makes it easier to share the hostapd station table query
functionality with wpa_supplicant AP mode operations.
Jouni Malinen [Mon, 7 Sep 2009 19:09:13 +0000 (22:09 +0300)]
WPS: Store device info and make it available through AP ctrl_iface
Store a copy of device attributes during WPS protocol run and make it
available for external programs via the control interface STA MIB
command for associated stations. This gives access to device name and
type which can be useful when showing user information about associated
stations.
Jouni Malinen [Sun, 6 Sep 2009 10:58:15 +0000 (13:58 +0300)]
WPS: Add support for AP reconfiguration with wps_reg
wpa_supplicant can now reconfigure the AP by acting as an External
Registrar with the wps_reg command. Previously, this was only used
to fetch the current AP settings, but now the wps_reg command has
optional arguments which can be used to provide the new AP
configuration. When the new parameters are set, the WPS protocol run
is allowed to continue through M8 to reconfigure the AP instead of
stopping at M7.
Jouni Malinen [Sun, 6 Sep 2009 10:55:01 +0000 (13:55 +0300)]
Fix WPA reconfiguration to update GTK
The group key state machine needs to be re-initialized with possible
updated GTK length when restarting WPA (e.g., when WPS was used to
reconfigure the AP).
Jouni Malinen [Fri, 4 Sep 2009 15:04:41 +0000 (18:04 +0300)]
Delay processing of EAPOL frames when not associated
If an EAPOL frame is received while wpa_supplicant thinks the driver is
not associated, queue the frame for processing at the moment when the
association event is received. This is a workaround to a race condition
in receiving data frames and management events from the kernel.
The pending EAPOL frame will not be processed unless an association
event is received within 100 msec for the same BSSID.
Jouni Malinen [Fri, 4 Sep 2009 13:39:41 +0000 (16:39 +0300)]
nl80211: Ignore connect/roam/disconnect events when using SME
Getting double association/disassociation events can get core code
confused, so better filter out the extra events.
Zhu Yi [Thu, 3 Sep 2009 18:31:29 +0000 (21:31 +0300)]
nl80211: Connect API support
If the driver does not support separate authentication and association
steps, use the connect API instead.
Zhu Yi [Thu, 3 Sep 2009 17:39:59 +0000 (20:39 +0300)]
nl80211: Add connect/disconnect event processing
Zhu Yi [Thu, 3 Sep 2009 17:36:09 +0000 (20:36 +0300)]
nl80211: Check whether the driver supports separate auth/assoc commands
This is an initial step in adding support for the new connect command.
For now, we just add the capability query. The actual use of the new
command will be added separately.
Zhu Yi [Thu, 3 Sep 2009 17:21:18 +0000 (20:21 +0300)]
nl80211: Use defines for cipher suite selectors
Chuck Tuffli [Wed, 26 Aug 2009 20:51:12 +0000 (23:51 +0300)]
Fix comment in wpa_supplicant_event_associnfo
Found what I think is a copy/paste error in the comments for the .11r
code.
Masashi Honma [Wed, 26 Aug 2009 20:40:51 +0000 (23:40 +0300)]
OpenBSD: wired IEEE 802.1X for OpenBSD
This is a patch for OpenBSD wired IEEE 802.1X. This is only for wired,
not wireless, because OpenBSD uses wpa_supplicant only on wired now.
http://www.openbsd.org/cgi-bin/cvsweb/ports/security/wpa_supplicant/
I have tested with these.
OS : OpenBSD 4.5
EAP : EAP-TLS
Switch : CentreCOM 8724SL
Masashi Honma [Wed, 26 Aug 2009 20:34:54 +0000 (23:34 +0300)]
WPS: Aggregate deinit calls in WPS OOB
In WPS OOB, deinit_func() is called from 3 locations.
This patch aggregates these to one.
Witold Sowa [Wed, 26 Aug 2009 17:18:24 +0000 (20:18 +0300)]
Fix a bug with ap_rx_from_unknown_sta() recursion
ap_rx_from_unknown_sta was going into infinite recursion,
or could even crash because of a corrupted pointer cast.
Jouni Malinen [Wed, 26 Aug 2009 09:10:50 +0000 (12:10 +0300)]
nl80211: Use two sockets to avoid mixing command replies with events
Previously, both the command replies and unsolicited events were
received from the same socket. This could cause problems if an event
message is received between a command and the response to that command.
Using two sockets avoids this issue.
Jouni Malinen [Sun, 23 Aug 2009 18:32:27 +0000 (21:32 +0300)]
Disable PMTU discovery for RADIUS packets (send them without DF)
When Linux has Path MTU discovery enabled, it sets by default the DF bit
on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger
than the smallest MTU size to the target, it will be discarded.
This effectively limits RADIUS messages to ~ 1500 Bytes, while they can
be up to 4k according to RFC2865. In practice, this can mean trouble
when doing EAP-TLS with many RADIUS attributes besides the EAP-Message.
[Bug 326]
Stefan Winter [Sun, 23 Aug 2009 18:21:25 +0000 (21:21 +0300)]
Disable PMTU discovery for RADIUS packets (send them without DF)
When Linux has Path MTU discovery enabled, it sets by default the DF bit
on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger
than the smallest MTU size to the target, it will be discarded.
This effectively limits RADIUS messages to ~ 1500 Bytes, while they can
be up to 4k according to RFC2865. In practice, this can mean trouble
when doing EAP-TLS with many RADIUS attributes besides the EAP-Message.
[Bug 326]
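The socket setting the two commits above describe, as an added example (not hostapd's own RADIUS client code): the Linux-only IP_MTU_DISCOVER option is set to IP_PMTUDISC_DONT on a UDP socket so datagrams leave without the DF bit; function names are assumptions made for this example.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Clear Path MTU discovery on a UDP socket so the kernel sends RADIUS
 * datagrams without the DF bit and lets routers fragment them on the way.
 * Returns 0 on success, -1 on error or where the Linux-specific
 * IP_MTU_DISCOVER option does not exist. */
int radius_disable_pmtu_discovery(int sock)
{
#ifdef IP_MTU_DISCOVER
	int action = IP_PMTUDISC_DONT;
	return setsockopt(sock, IPPROTO_IP, IP_MTU_DISCOVER,
			  &action, sizeof(action));
#else
	(void) sock;
	return -1;
#endif
}

/* Query the current setting: 1 if PMTU discovery is disabled
 * (IP_PMTUDISC_DONT), 0 if any other mode is active, -1 on error. */
int radius_pmtu_discovery_disabled(int sock)
{
#ifdef IP_MTU_DISCOVER
	int action;
	socklen_t len = sizeof(action);
	if (getsockopt(sock, IPPROTO_IP, IP_MTU_DISCOVER, &action, &len) < 0)
		return -1;
	return action == IP_PMTUDISC_DONT;
#else
	(void) sock;
	return -1;
#endif
}

/* Open a UDP socket for a RADIUS client with DF cleared; the caller owns
 * the returned descriptor. Returns -1 on failure. */
int radius_open_udp_socket(void)
{
	int sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock < 0)
		return -1;
	if (radius_disable_pmtu_discovery(sock) < 0) {
		close(sock);
		return -1;
	}
	return sock;
}

int main(void)
{
	int sock = radius_open_udp_socket();
	if (sock < 0) {
		perror("radius_open_udp_socket");
		return 1;
	}
	printf("PMTU discovery disabled: %d\n",
	       radius_pmtu_discovery_disabled(sock));
	close(sock);
	return 0;
}
```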
Jouni Malinen [Sun, 23 Aug 2009 18:00:38 +0000 (21:00 +0300)]
Reject X.509 certificate strings with embedded NUL characters
These could, at least in theory, be used to generate unexpected common
name or subject alternative name matches should a CA sign strings with
NUL (C string termination) in them. For now, just reject the certificate
if an embedded NUL is detected. In theory, all the comparison routines
could be made to compare these strings as binary blobs (with additional
X.509 rules to handle some exceptions) and display NUL characters
somehow. Anyway, just rejecting the certificate will get rid of
potential problems with the C string getting terminated and it should
not really be used in certificates, so this should not break valid use
cases.
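The mismatch the commit above guards against, as an added example (not wpa_supplicant's own X.509 code): a DER name is length-delimited, so a naive C-string compare stops at an embedded NUL while a length-aware matcher rejects the string outright. The sample dNSName value is constructed for this example and the function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not from a real certificate: a dNSName value as it
 * sits in DER, i.e. a length-delimited byte string, here carrying a NUL
 * right after "bank.example". The C terminator added by the compiler is
 * excluded from the DER length below. */
static const unsigned char sample_dnsname[] = "bank.example\0.other.example";
#define SAMPLE_DNSNAME_LEN (sizeof(sample_dnsname) - 1)

/* Naive matcher: treats the DER bytes as a C string, so the comparison
 * silently stops at the embedded NUL and "bank.example" matches. */
int match_naive(const unsigned char *cert_name, const char *host)
{
	return strcmp((const char *) cert_name, host) == 0;
}

/* Matcher in the spirit of the fix described above: reject any name with
 * a NUL inside its DER length, otherwise compare the full length.
 * Returns 1 on match, 0 on mismatch, -1 when the name is rejected. */
int match_with_nul_check(const unsigned char *cert_name, size_t cert_len,
			 const char *host)
{
	if (memchr(cert_name, '\0', cert_len) != NULL)
		return -1;
	if (strlen(host) != cert_len)
		return 0;
	return memcmp(cert_name, host, cert_len) == 0;
}

int main(void)
{
	printf("naive match: %d\n",
	       match_naive(sample_dnsname, "bank.example"));
	printf("checked match: %d\n",
	       match_with_nul_check(sample_dnsname, SAMPLE_DNSNAME_LEN,
				    "bank.example"));
	return 0;
}
```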
Jouni Malinen [Tue, 18 Aug 2009 08:33:40 +0000 (11:33 +0300)]
Sync with linux/nl80211.h from wireless-testing.git
Jouni Malinen [Mon, 17 Aug 2009 17:27:25 +0000 (20:27 +0300)]
Remove unneeded aes_i.h inclusion from number of places
The BLOCK_SIZE define can be made more specific by using the AES_ prefix
and by moving it to aes.h. After this, most aes-*.c do not really need to
include anything from the internal aes_i.h header file. In other words,
aes_i.h can now be used only for the code that uses the internal AES
block operation implementation, and none of the code that can use an AES
implementation from an external library needs to include this header
file.
Jouni Malinen [Sun, 16 Aug 2009 19:35:15 +0000 (22:35 +0300)]
Verify that EAPOL-Key MIC generation succeeds
This can now fail, e.g., if trying to use TKIP in FIPS mode.
Jouni Malinen [Sun, 16 Aug 2009 19:28:40 +0000 (22:28 +0300)]
Verify that RC4 operation succeeds
Jouni Malinen [Sun, 16 Aug 2009 19:26:59 +0000 (22:26 +0300)]
Fix crypto_cipher_init() EVP initialization
Better not specify EVP_CIPHER again for the second init call since that
will override key length with the default value. The previous version
was likely to work since most use cases would be likely to use the
default key length. Anyway, better make this handle variable length
ciphers (mainly, RC4), too, just in case it is needed in the future.
Jouni Malinen [Sun, 16 Aug 2009 19:26:13 +0000 (22:26 +0300)]
Use OpenSSL for RC4 instead of internal implementation
Jouni Malinen [Sun, 16 Aug 2009 17:13:14 +0000 (20:13 +0300)]
Move RC4 into crypto.h as a replaceable crypto function
This allows crypto library wrappers to override the internal RC4
implementation in the same way as can already be done for other crypto
algorithms.
Jouni Malinen [Sun, 16 Aug 2009 16:57:50 +0000 (19:57 +0300)]
Remove rc4() wrapper
This is not really of that much use since rc4_skip() can be used as
easily. In addition, rc4 has caused some symbol conflicts in the past,
so it is easier to live without that as an exported symbol.
Jouni Malinen [Sun, 16 Aug 2009 16:56:33 +0000 (19:56 +0300)]
Fix build with non-FIPS capable OpenSSL
Jouni Malinen [Sun, 16 Aug 2009 16:07:57 +0000 (19:07 +0300)]
Verify CHAP/MSCHAPv2 return code
Check the return code in some (but not yet all) places where the
functions from ms_funcs.c are used.
Jouni Malinen [Sun, 16 Aug 2009 16:05:29 +0000 (19:05 +0300)]
Fix OpenSSL build (internal SHA256 not used anymore)
Jouni Malinen [Sun, 16 Aug 2009 16:00:49 +0000 (19:00 +0300)]
Fix FIPS mode build of eapol_test
Jouni Malinen [Sun, 16 Aug 2009 15:56:48 +0000 (18:56 +0300)]
Allow non-FIPS MD5 to be used with TLS PRF even in FIPS mode
This is allowed per FIPS1402IG.pdf since the TLS PRF depends fully on
both MD5 and SHA-1.
Jouni Malinen [Sun, 16 Aug 2009 15:38:35 +0000 (18:38 +0300)]
Pass digest return value to CHAP/MSCHAPv2 caller
Jouni Malinen [Sun, 16 Aug 2009 11:24:22 +0000 (14:24 +0300)]
Preliminary support for FIPS mode operation with OpenSSL
wpa_supplicant can now be built with FIPS capable OpenSSL for FIPS mode
operation. Currently, this is only enabling the FIPS mode in OpenSSL
without providing any higher level enforcement in wpa_supplicant.
Consequently, invalid configuration will fail during the authentication
run. Proper configuration (e.g., WPA2-Enterprise with EAP-TLS) allows
the connection to be completed.
Jouni Malinen [Sun, 16 Aug 2009 11:18:59 +0000 (14:18 +0300)]
Pass error values from digest calls to ms_funcs callers
These function calls can now fail, so better let the caller know if that
happened.
Jouni Malinen [Sun, 16 Aug 2009 11:15:36 +0000 (14:15 +0300)]
OpenSSL: Use library version of SHA256
There is no need to use the internal SHA256 implementation when using
OpenSSL.
Jouni Malinen [Sun, 16 Aug 2009 11:12:06 +0000 (14:12 +0300)]
OpenSSL: Use EVP_Digest*() functions
Instead of using low level, digest-specific functions, use the generic
EVP interface for digest functions. In addition, report OpenSSL errors
in more detail.
Jouni Malinen [Sun, 16 Aug 2009 11:06:00 +0000 (14:06 +0300)]
Make hash functions return error value
Some crypto libraries can return errors in these functions (e.g., if a
specific hash function is disabled), so we better provide the caller a chance to
check whether the call failed. The return values are not yet used
anywhere, but they will be needed for future changes.
Jouni Malinen [Sun, 16 Aug 2009 07:25:13 +0000 (10:25 +0300)]
Enable SHA256 digest support in OpenSSL
This is needed to allow X.509 certificates with SHA256 digest to be
used. [Bug 323]
Bjarke Istrup Pedersen [Sun, 16 Aug 2009 06:47:56 +0000 (09:47 +0300)]
Use LDFLAGS in all linker commands
When building hostapd and wpa_supplicant, the build system does not
respect the LDFLAGS selected in the environment in some cases. [Bug 311]
Jouni Malinen [Sun, 16 Aug 2009 06:35:31 +0000 (09:35 +0300)]
Use PEM format RSA private key with eap_example
It looks like GnuTLS does not know how to parse the previously used
DER-formatted PKCS#1 private key (server.key). To work around this, use
a PEM-formatted version of the same key. This format can now be used by
OpenSSL, GnuTLS, and the internal TLS implementation.
Jouni Malinen [Sun, 16 Aug 2009 06:34:58 +0000 (09:34 +0300)]
Add GnuTLS build option for eap_example
Jouni Malinen [Sun, 16 Aug 2009 06:34:21 +0000 (09:34 +0300)]
Support PEM format RSA private key with internal TLS implementation
Witold Sowa [Sat, 15 Aug 2009 18:04:50 +0000 (21:04 +0300)]
Set current ssid when entering AP mode
After successfully starting AP mode, the current_ssid field is set to the
ssid used to create the AP.
Masashi Honma [Sat, 15 Aug 2009 17:59:16 +0000 (20:59 +0300)]
NetBSD: Fix wired IEEE 802.1X problem
On NetBSD 5.0, when I use wired 802.1X, "Invalid argument" occurs
on SIOCADDMULTI ioctl and 802.1X fails.
I tried FreeBSD code, but "Address family not supported by protocol family"
occurs on SIOCADDMULTI ioctl and 802.1X fails, too.
This patch solves this issue.
I have tested with these:
OS : NetBSD 5.0
EAP : EAP-MD5
Switch : CentreCOM 8724SL
Jouni Malinen [Sat, 15 Aug 2009 17:51:35 +0000 (20:51 +0300)]
Added new SHA1 files into VS project files to fix the build