Jouni Malinen [Fri, 6 Jun 2008 13:55:42 +0000 (16:55 +0300)]
Added a preliminary nl80211/cfg80211 driver interface for wpa_supplicant
driver_nl80211.c is based on driver_wext.c and it is still using Linux
wireless extensions for many functions. Over time, the new driver interface
code should be modified to use nl80211/cfg80211 for everything.
Jouni Malinen [Fri, 6 Jun 2008 13:51:17 +0000 (16:51 +0300)]
Fixed a buffer overflow in nla_parse call
The first argument (tb) to nla_parse must have room for maxtype+1, not
maxtype, elements.
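The off-by-one behind this fix, as an added illustration (example code, not libnl's nla_parse() and not hostapd's driver code): a minimal netlink attribute parser with the same contract, a tb[] indexed by attribute type from 0 to maxtype inclusive, run over a constructed two-attribute stream and over a header that claims more bytes than are present. mini_nla_parse, put_attr, build_demo_message, demo_check and DEMO_ATTR_MAX are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Netlink attribute header as in <linux/netlink.h>: total length including
 * the header, then the type. Host byte order; payload padded to 4 bytes. */
struct nlattr {
	uint16_t nla_len;
	uint16_t nla_type;
};

#define NLA_ALIGN(len)  (((len) + 3) & ~3)
#define NLA_HDRLEN      ((int) NLA_ALIGN(sizeof(struct nlattr)))
#define NLA_TYPE_MASK   0x3fff /* strips NLA_F_NESTED / NLA_F_NET_BYTEORDER */
#define NLA_DATA(nla)   ((const unsigned char *) (nla) + NLA_HDRLEN)

/* Hypothetical stand-in for libnl's nla_parse(): stores a pointer to each
 * attribute in tb[type]. Types 0..maxtype inclusive are stored, so tb needs
 * maxtype + 1 slots; with only maxtype, type maxtype writes past the end. */
static int mini_nla_parse(const struct nlattr *tb[], int maxtype,
			  const unsigned char *buf, size_t len)
{
	size_t off = 0;

	memset(tb, 0, (size_t) (maxtype + 1) * sizeof(tb[0]));
	while (off + (size_t) NLA_HDRLEN <= len) {
		uint16_t nla_len, nla_type;
		memcpy(&nla_len, buf + off, 2);  /* memcpy: no unaligned loads */
		memcpy(&nla_type, buf + off + 2, 2);
		/* too short would never advance, too long would read past buf */
		if (nla_len < NLA_HDRLEN || nla_len > len - off)
			return -1;
		nla_type &= NLA_TYPE_MASK;
		if (nla_type <= maxtype) /* as libnl: unknown types are skipped */
			tb[nla_type] = (const struct nlattr *) (buf + off);
		off += NLA_ALIGN(nla_len);
	}
	return 0;
}

static uint32_t mini_nla_get_u32(const struct nlattr *nla)
{
	uint32_t v;
	memcpy(&v, NLA_DATA(nla), sizeof(v));
	return v;
}

/* Append one attribute (header, payload, zero padding); returns new length */
static size_t put_attr(unsigned char *buf, size_t off, uint16_t type,
		       const void *payload, uint16_t plen)
{
	uint16_t nla_len = (uint16_t) (NLA_HDRLEN + plen);
	memcpy(buf + off, &nla_len, 2);
	memcpy(buf + off + 2, &type, 2);
	memcpy(buf + off + NLA_HDRLEN, payload, plen);
	memset(buf + off + nla_len, 0, NLA_ALIGN(nla_len) - nla_len);
	return off + NLA_ALIGN(nla_len);
}

#define DEMO_ATTR_MAX 3 /* constructed attribute set: highest type is 3 */

/* Constructed sample: a u32 of type 1 and a NUL-terminated string of type 3,
 * the maxtype attribute that must land in the last slot, tb[3]. */
static size_t build_demo_message(unsigned char *buf)
{
	uint32_t v = 0x11223344u;
	size_t len = put_attr(buf, 0, 1, &v, sizeof(v));
	return put_attr(buf, len, 3, "ab", 3);
}

/* Parse the sample; returns 0 if every check holds, else the failed step */
static int demo_check(void)
{
	unsigned char msg[64];
	const struct nlattr *tb[DEMO_ATTR_MAX + 1]; /* maxtype + 1 slots */
	size_t len = build_demo_message(msg);
	uint16_t bad_len = 40; /* claims more than the 16 bytes present */

	if (len != 16 || mini_nla_parse(tb, DEMO_ATTR_MAX, msg, len) != 0)
		return 1;
	if (tb[0] || tb[2] || !tb[1] || !tb[3])
		return 2;
	if (mini_nla_get_u32(tb[1]) != 0x11223344u ||
	    strcmp((const char *) NLA_DATA(tb[3]), "ab") != 0)
		return 3;
	memcpy(msg, &bad_len, 2); /* corrupt the first header's length */
	return mini_nla_parse(tb, DEMO_ATTR_MAX, msg, len) == -1 ? 0 : 4;
}
```

Declaring tb as `tb[DEMO_ATTR_MAX]` instead would compile cleanly and still overflow by one pointer on the type-3 attribute, which is exactly why the sizing rule is worth a comment at every call site.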
Pavel Roskin [Fri, 6 Jun 2008 11:17:03 +0000 (14:17 +0300)]
Fix compile warnings on 64-bit systems
Don't cast pointers to int in definitions of PRISM2_HOSTAPD_RID_HDR_LEN
and PRISM2_HOSTAPD_GENERIC_ELEMENT_HDR_LEN. Use size_t instead. That's
actually what the code needs.
Jouni Malinen [Fri, 6 Jun 2008 07:32:09 +0000 (10:32 +0300)]
Updated the LibTomMath reference to use 0.41 version
Jouni Malinen [Fri, 6 Jun 2008 07:30:43 +0000 (10:30 +0300)]
Removed the 20% estimate on faster bignum routines
This was not accurate since this was mostly based on total runtime of an
eapol_test run. The real improvement in the bignum routines is much larger
(maybe twice as fast as before).
Jouni Malinen [Fri, 6 Jun 2008 07:21:28 +0000 (10:21 +0300)]
Combined internal LibTomMath configuration into one option
CONFIG_INTERNAL_LIBTOMMATH_FAST=y in .config can now be used to enable all
optimized routines at a cost of about 4 kB. This is a small enough increase
in size to justify the simplified configuration.
Jouni Malinen [Fri, 6 Jun 2008 07:11:17 +0000 (10:11 +0300)]
Added an option to build internal LibTomMath with faster div routine
At the cost of about 1 kB of additional binary size, the internal
LibTomMath can be configured to include a faster div routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_DIV=y in
.config.
Jouni Malinen [Thu, 5 Jun 2008 18:00:56 +0000 (21:00 +0300)]
Read Michael MIC keys through TK2 union instead of offset from TK1
This gets rid of potential warnings about buffer bounds errors. The earlier
code works fine, but it is not the cleanest way of using the struct wpa_ptk
definition for TK1/TK2.
Jouni Malinen [Thu, 5 Jun 2008 17:44:30 +0000 (20:44 +0300)]
Fixed potential NULL pointer dereference if memory allocation fails
Jouni Malinen [Thu, 5 Jun 2008 17:33:33 +0000 (20:33 +0300)]
Fixed RADIUS client local address forcing for IPv6 (eapol_test)
Need to use the IPv6 address data in bind() call if IPv6 is selected.
Jouni Malinen [Thu, 5 Jun 2008 15:33:46 +0000 (18:33 +0300)]
Add faster, optional sqr routine for internal LibTomMath
At the cost of about 0.5 kB of additional binary size, the internal
LibTomMath can be configured to include a faster sqr routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_SQR=y in
.config.
Jouni Malinen [Thu, 5 Jun 2008 14:50:53 +0000 (17:50 +0300)]
Silence compiler warnings about out of array bounds indexes
struct wpa_ie_hdr had separate fields for 24-bit OUI and 8-bit oui_type
for WPA/RSN selectors. {WPA,RSN}_SELECTOR_{GET,PUT} access these four
octets through oui and the "out-of-bounds" access for the fourth octet is
actually reading/writing oui_type. This works fine, but some tools complain
about the array bounds "failure". Since oui_type is never accessed
separately, the simplest fix is to just combine these into a single 4-octet
field.
Dan Williams [Wed, 4 Jun 2008 18:00:09 +0000 (21:00 +0300)]
Give adhoc associations a bit more time
Depending on how the driver implements IBSS searching and creation, it
may need to perform one or more scans before successfully completing the
association operation. Therefore, increase the timeout for IBSS
association operations so that the supplicant doesn't interrupt the
driver as much.
Dan Williams [Wed, 4 Jun 2008 17:55:57 +0000 (20:55 +0300)]
wext: handle mode switches correctly for mac80211
Since mac80211 requires that the device be !IFF_UP to change the mode
(and I think the old prism54 fullmac driver does too), do that. This
shouldn't harm fullmac devices since they can handle mode switches on
the fly and usually don't care about up/down that much.
Jouni Malinen [Wed, 4 Jun 2008 08:59:45 +0000 (11:59 +0300)]
Updated the comments since Montgomery reduction is now included
Jouni Malinen [Wed, 4 Jun 2008 08:57:55 +0000 (11:57 +0300)]
Internal LibTomMath: add optional support for Montgomery reduction
At a cost of about 2.5 kB of additional binary size, the internal LibTomMath
can be configured to include a fast exptmod routine to speed up DH and RSA.
This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_EXPTMOD=y in
.config.
Jouni Malinen [Wed, 4 Jun 2008 08:26:52 +0000 (11:26 +0300)]
Reduce integrated LibTomMath size by dropping negative exponent support
Current uses do not require support for negative exponent in exptmod, so we
can save about 1.5 kB in leaving out invmod.
Jouni Malinen [Tue, 3 Jun 2008 15:08:48 +0000 (18:08 +0300)]
Introduced new helper function is_zero_ether_addr()
Use this inline function to replace os_memcmp(addr,
"\x00\x00\x00\x00\x00\x00", ETH_ALEN) == 0.
Jouni Malinen [Tue, 3 Jun 2008 08:57:52 +0000 (11:57 +0300)]
Fix USE_KERNEL_HEADERS build with compat-wireless
compat-wireless does not include linux/compiler.h to define __user, so
define it in hostapd code before including linux/wireless.h.
Dan Williams [Tue, 3 Jun 2008 08:37:48 +0000 (11:37 +0300)]
Do not continually reschedule specific scans to help finding hidden SSIDs
In situations where the driver does background scanning and sends a
steady stream of scan results, wpa_supplicant would continually
reschedule the scan. This resulted in specific SSID scans never
happening for a hidden AP, and the supplicant never connecting to the AP
because it never got found. Instead, if there's an already scheduled
scan, and a request comes in to reschedule it, and there are enabled
scan_ssid=1 network blocks, let the scan happen anyway so the hidden
SSID has a chance to be found.
Jouni Malinen [Tue, 3 Jun 2008 08:31:42 +0000 (11:31 +0300)]
Include wireless_copy.h instead of linux/wireless.h to avoid conflicts
linux/wireless.h ends up including a number of Linux kernel header files and
many of the definitions are conflicting with (or at least duplicating)
definitions in net/if.h.
Dan Williams [Mon, 2 Jun 2008 17:47:09 +0000 (20:47 +0300)]
wext: don't overwrite BSS frequency
mac80211 sends _both_ channel and frequency in its scan results, with
frequency first and channel second (it's since been fixed to send
channel first and frequency second to work around this issue). This
results in wpa_supplicant getting the right value when the frequency
comes, but overwriting the value with '0' when the channel comes because
wpa_supplicant can't handle 5GHz channel numbers. So if a valid
previous SIOCGIWFREQ event came in, don't try to overwrite it.
Jouni Malinen [Mon, 2 Jun 2008 16:39:46 +0000 (19:39 +0300)]
Internal TLS: Added support for parsing PKCS #8 formatted private keys
The internal TLS implementation can now use both PKCS #1 RSA private key
and PKCS #8 encapsulated RSA private key. PKCS #8 encrypted private key is
not yet supported.
Jouni Malinen [Mon, 2 Jun 2008 15:45:45 +0000 (18:45 +0300)]
Fixed dbus build without OpenSSL.
Jouni Malinen [Fri, 30 May 2008 15:43:06 +0000 (18:43 +0300)]
Fixed build without CONFIG_IEEE8021X_EAPOL, but with CONFIG_CTRL_IFACE
Jouni Malinen [Thu, 29 May 2008 17:36:18 +0000 (20:36 +0300)]
Changed TLS server to use OpenSSL SSL_accept() instead of SSL_read()
The server handshake processing was still using SSL_read() to get OpenSSL
to perform the handshake. While this works for most cases, it caused some
issues for re-authentication. This is now changed to use SSL_accept() which
is more appropriate here since we know that the handshake is still going on
and there will not be any tunneled data available. This resolves some of
the re-authentication issues and makes it possible for the server to notice
if TLS processing fails (SSL_read() did not return an error in many of
these cases while SSL_accept() does).
Set session id context to a unique value in order to avoid fatal errors
when client tries session resumption (SSL_set_session_id_context() must be
called for that to work), but disable session resumption with the unique
value for the time being since not all server side code is ready for it yet
(e.g., EAP-TTLS needs special Phase 2 processing when using abbreviated
handshake).
Changed EAP-TLS server not to call TLS library when processing the final
ACK (empty data) from the client in order to avoid starting a new TLS
handshake with SSL_accept().
Jouni Malinen [Thu, 29 May 2008 08:00:33 +0000 (11:00 +0300)]
Updated the EAP-FAST patch for the latest OpenSSL 0.9.9 snapshot
Jouni Malinen [Thu, 29 May 2008 07:47:03 +0000 (10:47 +0300)]
Added the EAP-FAST patch for OpenSSL 0.9.8h
Jouni Malinen [Wed, 28 May 2008 14:19:57 +0000 (17:19 +0300)]
Add eap_tls_state() to get closer to EAP-TTLS/PEAP/FAST code
Jouni Malinen [Wed, 28 May 2008 14:15:17 +0000 (17:15 +0300)]
Share EAP-TLS/PEAP/TTLS/FAST core process() functionality
Move the basic processing of received frames into eap_tls_common.c and use
callback functions to handle EAP type specific processing of the version
field and payload.
Jouni Malinen [Wed, 28 May 2008 06:59:55 +0000 (09:59 +0300)]
Do not refer to Flags::Version field as 'PEAP version'
This field is also used for EAP-TTLS and EAP-FAST, so it is clearer to use
a more generic term for it.
Jouni Malinen [Wed, 28 May 2008 06:57:17 +0000 (09:57 +0300)]
Redesigned EAP-TLS/PEAP/TTLS/FAST fragmentation/reassembly
Fragmentation is now done as a separate step to clean up the design and to
allow the same code to be used in both Phase 1 and Phase 2. This adds
support for fragmenting EAP-PEAP/TTLS/FAST Phase 2 (tunneled) data.
Jouni Malinen [Mon, 26 May 2008 13:51:40 +0000 (16:51 +0300)]
Fixed EAP-IKEv2 server fragment processing
Need to clear the state back to MSG after having processed all incoming
fragments. Without this, the server got stuck in sending the fragment ACK
even after having received the full message.
Jouni Malinen [Mon, 26 May 2008 09:33:04 +0000 (12:33 +0300)]
Added a workaround for handling TLS compression
Even though we try to disable TLS compression, it is possible that this
cannot be done with all TLS libraries. For example, OpenSSL 0.9.8 does not
seem to have a configuration item for disabling all compression (0.9.9 has
such an option). If compression is used, Phase 2 decryption may end up
producing more data than the input buffer due to compressed data. This
shows up especially with EAP-TNC that uses very compressible data format.
As a workaround, increase the decryption buffer length to (orig_len+500)*3.
This is a hack, but at least it handles most cases. TLS compression should
really be disabled for EAP use of TLS, but since this can show up with
common setups, it is better to handle this case.
Jouni Malinen [Mon, 26 May 2008 09:04:35 +0000 (12:04 +0300)]
Do not define tls_engine_get_cert() if OpenSSL engine is disabled
Jouni Malinen [Mon, 26 May 2008 09:00:18 +0000 (12:00 +0300)]
Added fragmentation support for EAP-TNC
Jouni Malinen [Fri, 23 May 2008 16:41:05 +0000 (19:41 +0300)]
Example configuration for EAP-TLS authentication using PKCS#11 TPM token
David Smith [Fri, 23 May 2008 07:55:30 +0000 (10:55 +0300)]
Add support to wpa_supplicant configuring eap_peer for client cert and CA
cert on smartcard, plus handling phase2 auth with smartcard same as phase1.
David Smith [Fri, 23 May 2008 07:52:49 +0000 (10:52 +0300)]
Add support to eap_peer for client cert and CA cert on smartcard and in
phase2 auth.
David Smith [Fri, 23 May 2008 07:49:59 +0000 (10:49 +0300)]
Add support to crypto/tls for client cert and CA cert from smartcard
Jouni Malinen [Wed, 21 May 2008 07:53:56 +0000 (10:53 +0300)]
Added instructions on how to create the DH parameters files.
Jouni Malinen [Wed, 21 May 2008 07:10:10 +0000 (10:10 +0300)]
Only use SSL_OP_NO_COMPRESSION if it is defined
It looks like this SSL_set_options() value was added in 0.9.9 and it does
not exist in stable releases of OpenSSL. Fix build by using #ifdef on this
variable before use.
Jouni Malinen [Thu, 15 May 2008 13:48:44 +0000 (16:48 +0300)]
Disable TLS compression since the EAP-TTLS/PEAP/FAST payload processing
does not support it currently and EAP-TLS RFC does not allow compression to
be negotiated for TLS.
Jouni Malinen [Wed, 7 May 2008 10:51:00 +0000 (13:51 +0300)]
Updated the comment on 'bridge' variable to mention nl80211 which needs
this parameter, too.
Jouni Malinen [Tue, 6 May 2008 18:29:14 +0000 (21:29 +0300)]
Fixed xsi:schemaLocation to use whitespace to separate members of the pair.
David Smith [Mon, 28 Apr 2008 14:15:56 +0000 (17:15 +0300)]
Add setSmartcardModules DBus message to set pkcs11 and opensc options
This will be used by most importantly network manager to set smartcard
options at run time.
Henrik Brix Andersen [Mon, 28 Apr 2008 14:06:43 +0000 (17:06 +0300)]
Fix compilation without IEEE8021X_EAPOL defined
Michael Bernhard [Wed, 16 Apr 2008 11:40:32 +0000 (14:40 +0300)]
Disable functionality in hostapd_deauth_all_stas for hostap driver only
Signed-off-by: Michael Bernhard <michael.bernhard@bfh.ch>
Jouni Malinen [Tue, 15 Apr 2008 14:24:06 +0000 (17:24 +0300)]
Fixed fallback to full handshake when server rejects PAC-Opaque
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine to handle start of
abbreviated handshake based on the used ticket.
Jouni Malinen [Tue, 15 Apr 2008 14:08:15 +0000 (17:08 +0300)]
Fixed fallback to full handshake when server rejects PAC-Opaque
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine to handle start of
abbreviated handshake based on the used ticket.
Jouni Malinen [Mon, 14 Apr 2008 17:11:49 +0000 (20:11 +0300)]
Fixed tls_prf() to handle keys with odd length
The middle byte of the secret (key for PRF) is shared with key halves in
case the key length is odd. This does not happen in any of the current
tls_prf() uses, but it's better to fix this function to avoid future issues
should someone end up defining a use that uses an odd length for the key.
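The RFC 2246 secret split behind this fix, as an added example (not hostapd's tls_prf()): each half is ceil(L_S/2) bytes and S2 is anchored at the end of the secret, so an odd-length key shares its middle byte between S1 and S2 instead of S2 running one byte past the end. tls_prf_split_secret, tls_prf_shared_bytes, tls_prf_split_in_bounds and the demo_* names are assumptions of this example; demo_secret is a constructed 5-byte key.

```c
#include <stddef.h>
#include <stdint.h>

/* Where the two PRF sub-secrets start and how long each one is. */
struct prf_halves {
	const uint8_t *s1;
	const uint8_t *s2;
	size_t half_len;
};

/* RFC 2246 section 5: S1 is the first L_S1 = ceil(L_S / 2) bytes of the
 * secret and S2 the last L_S2 = L_S1 bytes. For an odd L_S the halves
 * therefore overlap by one byte; starting S2 at the midpoint and reading
 * L_S2 bytes from there would instead run one byte past the secret. */
static struct prf_halves tls_prf_split_secret(const uint8_t *secret,
					      size_t len)
{
	struct prf_halves h;

	h.half_len = (len + 1) / 2;        /* ceil(len / 2) */
	h.s1 = secret;
	h.s2 = secret + len - h.half_len;  /* == secret + len / 2 only for even len */
	return h;
}

/* Number of bytes S1 and S2 have in common: 0 for even len, 1 for odd */
static size_t tls_prf_shared_bytes(const uint8_t *secret, size_t len)
{
	struct prf_halves h = tls_prf_split_secret(secret, len);
	const uint8_t *s1_end = h.s1 + h.half_len;

	return s1_end > h.s2 ? (size_t) (s1_end - h.s2) : 0;
}

/* Both halves stay inside [secret, secret + len) and together cover it */
static int tls_prf_split_in_bounds(const uint8_t *secret, size_t len)
{
	struct prf_halves h = tls_prf_split_secret(secret, len);

	return h.s1 == secret && h.s2 >= secret &&
	       h.s2 + h.half_len == secret + len;
}

/* constructed 5-byte secret: the middle byte 0x33 must feed both halves */
static const uint8_t demo_secret[5] = { 0x11, 0x22, 0x33, 0x44, 0x55 };

/* 1 if S1 ends and S2 begins with the same middle byte of demo_secret */
static int demo_middle_byte_shared(void)
{
	struct prf_halves h = tls_prf_split_secret(demo_secret,
						   sizeof(demo_secret));

	return h.half_len == 3 && h.s1[h.half_len - 1] == 0x33 &&
	       h.s2[0] == 0x33;
}
```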
Jouni Malinen [Sun, 13 Apr 2008 09:48:59 +0000 (12:48 +0300)]
Small whitespace cleanup
Michael Bernhard [Sun, 13 Apr 2008 09:41:30 +0000 (12:41 +0300)]
driver_nl80211: Do not send nl80211 message if beacon is not set yet
Signed-off-by: Michael Bernhard <michael.bernhard at bfh.ch>
Michael Bernhard [Sun, 13 Apr 2008 09:40:24 +0000 (12:40 +0300)]
driver_nl80211: Return correct value
Signed-off-by: Michael Bernhard <michael.bernhard at bfh.ch>
Michael Bernhard [Sun, 13 Apr 2008 09:39:13 +0000 (12:39 +0300)]
driver_nl80211: Initialize local variable
This solves the problem with out-of-sync ACK messages.
Signed-off-by: Michael Bernhard <michael.bernhard at bfh.ch>
Michael Bernhard [Sun, 13 Apr 2008 09:37:49 +0000 (12:37 +0300)]
driver_nl80211: Clone netlink callbacks instead of creating new ones
This way the default callbacks are inherited.
Signed-off-by: Michael Bernhard <michael.bernhard at bfh.ch>
Bernhard Michael [Sun, 13 Apr 2008 09:36:23 +0000 (12:36 +0300)]
driver_nl80211: Use customizable netlink callbacks
This allows the use of NL_CB_VERBOSE or NL_CB_DEBUG.
Signed-off-by: Michael Bernhard <michael.bernhard at bfh.ch>
Michael Bernhard [Sun, 13 Apr 2008 09:33:59 +0000 (12:33 +0300)]
driver_nl80211: Use the correct nl80211 command to flush all stations
Signed-off-by: Michael Bernhard <michael.bernhard at bfh.ch>
Johannes Berg [Wed, 9 Apr 2008 07:11:04 +0000 (10:11 +0300)]
nl80211 driver: fix beacon interval setting
This removes the hard-coded beacon interval setting.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Jouni Malinen [Tue, 8 Apr 2008 13:15:56 +0000 (16:15 +0300)]
TNC: Added preliminary code for IF-TNCCS-SOH client side support
Process SoH Request in SoH EAP Extension method and reply with SoH TLV. The
contents of SSoH are not yet complete (i.e., some of the required attributes
are still missing). Use of SoH is disabled by default; it can be enabled
with tnc=soh in phase1 parameter for PEAP.
Jouni Malinen [Tue, 8 Apr 2008 11:57:39 +0000 (14:57 +0300)]
PEAPv0: Added crypto_binding configuration option (part of phase1)
crypto_binding=# in phase1 network parameter can now be used to change the
PEAPv0 cryptobinding behavior (0 = do not use, 1 = optional (default),
2 = required).
Artem Antonov [Tue, 8 Apr 2008 06:49:06 +0000 (09:49 +0300)]
Fix nl80211 driver to receive EAPOL response
This patch fixes nl80211 driver to receive EAPOL response if wlan0 was
added to bridge.
Pavel Roskin [Mon, 7 Apr 2008 07:09:37 +0000 (10:09 +0300)]
driver_wext: Fix missing bracket in [DORMANT]
Signed-off-by: Pavel Roskin <proski@gnu.org>
Daniel Wagner [Mon, 31 Mar 2008 09:39:52 +0000 (12:39 +0300)]
Rename NL80211_[ATTR]_STA_STAT_* to NL80211_[ATTR_]STA_INFO_
Adapt to change 72141605e9f9d856418bbed9dc47e5ad42aabb42
(nl80211/cfg80211: support for mesh, sta dumping).
Signed-off-by: Daniel Wagner <wagi@monom.org>
Kel Modderman [Mon, 31 Mar 2008 08:51:49 +0000 (11:51 +0300)]
Remove the -w option from help output
Signed-off-by: Kel Modderman <kel@otaku42.de>
Kel Modderman [Mon, 31 Mar 2008 08:49:55 +0000 (11:49 +0300)]
Explain not all driver backends will be compiled into wpa_supplicant binary
Explain that wpa_supplicant supports a variety of drivers, but only a
subset of them are chosen at compile time.
Signed-off-by: Kel Modderman <kel@otaku42.de>
Tomasz Wolniewicz [Sun, 30 Mar 2008 15:15:52 +0000 (18:15 +0300)]
eapol_test: Allow client IP address to be specified
Allow the user to set the IP address of the eapol_test client. This is
very useful when you have a machine with many interfaces and want to use a
particular one for testing RADIUS connectivity. For instance when I run the
national eduroam proxy I can only connect to other servers from a particular
address, and our machine happens to have several IPs. So if I want to run
connectivity tests, I must make sure that my test uses a particular
interface. The -A option allows one to set this.
(jm: cleaned up to use radius configuration structure instead of global
variable for the address and added IPv6 support)
Tomasz Wolniewicz [Sun, 30 Mar 2008 14:39:19 +0000 (17:39 +0300)]
Chargeable-User-Identity (RFC 4372) in eapol_test
Implements the Chargeable-User-Identity (CUI), as defined in RFC 4372.
Option "-i" causes the eapol_test to send a NUL CUI - which is a request to
send a CUI back. Capital "-I" allows one to specify the value of the CUI.
This has been defined for cases where the client wants to reauthenticate.
Jouni Malinen [Sun, 30 Mar 2008 14:10:44 +0000 (17:10 +0300)]
TNC: Added preliminary code for IF-TNCCS-SOH server side support
If TNC is enabled, PEAPv0 server is now sending out SoH request to initiate
IF-TNCCS-SOH (Microsoft NAP / Statement of Health) handshake. The results
are currently only shown in debug log and they do not affect authentication
or authorization result.
Jouni Malinen [Sun, 23 Mar 2008 10:07:59 +0000 (12:07 +0200)]
EAP-TTLS: Fixed implicit challenge derivation to use correct output length
The previous version was deriving an unnecessarily large amount of output data
for the implicit challenge. With the TLS PRF, this was not causing any
problems because the output length is not explicitly bound into the
derivation. Anyway, it is better to use the correct output length should
the PRF be ever changed to one that uses the output length to change the
beginning of the output data.
Jouni Malinen [Wed, 19 Mar 2008 14:58:06 +0000 (16:58 +0200)]
EAP-PEAP: Fixed interop issues in key derivation with cryptobinding
It looks like Microsoft implementation does not match with their
specification as far as PRF+ label usage is concerned. IPMK|CMK is derived
without null termination on the label, but the label for CSK derivation
must be null terminated.
This allows cryptobinding to be used with PEAPv0 in a way that
interoperates with Windows XP SP3 (RC2) and as such, this functionality is
now enabled as an optional addition to PEAPv0.
Jouni Malinen [Tue, 18 Mar 2008 14:27:55 +0000 (16:27 +0200)]
EAP-PEAP: Swap MS-CHAP-v2 MPPE keys for EAP-PEAP ISK derivation
Microsoft uses reverse order for MS-MPPE keys in EAP-PEAP when compared to
EAP-FAST derivation of ISK. Swap the keys here to get the correct ISK for
EAP-PEAPv0 cryptobinding. This resolves the cryptobinding interop issue
with WinXP SP3 RC2. However, it looks like MSK derivation does not
interoperate when using cryptobinding, so this code remains disabled for
the time being.
Jouni Malinen [Tue, 18 Mar 2008 10:19:52 +0000 (12:19 +0200)]
EAP-PEAP: Added preliminary code for PEAPv0 and PEAPv2 cryptobinding
This implementation is complete for PEAPv0 (Microsoft extension), but the
use of cryptobinding is disabled in this version, i.e., this does not
change protocol behavior at all.
Interop tests between hostapd and wpa_supplicant work fine, but there are
some problems in getting hostapd to interoperate with Windows XP SP3 RC2
(peer replies with Result Failure to the attempted cryptobinding). The
implementation will remain disabled until this issue has been resolved.
Jouni Malinen [Tue, 18 Mar 2008 09:26:17 +0000 (11:26 +0200)]
EAP-PEAP: Moved EAP-TLV processing into eap_peap.c
EAP-PEAP was the only method that used the external eap_tlv.c peer
implementation. This worked fine just for the simple protected result
notification, but extending the TLV support for cryptobinding etc. is not
trivial with such separation. With the TLV processing integrated into
eap_peap.c, all the needed information is now available for using
additional TLVs.
Jouni Malinen [Tue, 18 Mar 2008 06:31:04 +0000 (08:31 +0200)]
EAP-PEAP: Moved EAP-TLV processing into eap_peap.c
EAP-PEAP was the only method that used the external eap_tlv.c server
implementation. This worked fine just for the simple protected result
notification, but extending the TLV support for cryptobinding etc. is not
trivial with such separation. With the TLV processing integrated into
eap_peap.c, all the needed information is now available for using
additional TLVs.
Jouni Malinen [Thu, 13 Mar 2008 17:05:45 +0000 (19:05 +0200)]
Some cleanup for the new driver wrapper for PS3
wpa_printf() does not use '\n'. Fixed set_wpa_key() to allocate buf for
ASCII passphrase case.
Masakazu Mokuno [Thu, 13 Mar 2008 17:00:37 +0000 (19:00 +0200)]
Add support for PS3 Linux wireless driver
This adds support for PS3 wireless to wpa_supplicant.
Although the PS3 wireless driver is designed to conform to the WEXT standard
as much as possible, unfortunately the wext driver wrapper of
wpa_supplicant cannot support PS3 wireless fully because:
- The PS3 wireless driver uses private WEXT ioctls for accepting the PSK of
  WPA-Personal from userland. WEXT does not specify the way to do it.
- The association and 4-way handshake are done by the PS3 virtual
  wireless device. The guest OSes cannot interfere with it.
- No EAPOL frames are allowed to go outside of the hypervisor/firmware
  or come in from it. They are eaten by the firmware.
Thus I needed to make a new driver wrapper for PS3 wireless.
This patch can be applied against the latest 0.6.x tree.
Signed-off-by: Masakazu Mokuno <mokuno@sm.sony.co.jp>
Chris Zimmermann [Wed, 12 Mar 2008 09:43:55 +0000 (11:43 +0200)]
Support for RADIUS ACLs with drivers that do not use hostapd MLME
Sam Leffler <sam@errno.com>:
Attached are changes from Chris Zimmerman (cc'd) to allow drivers to handle
RADIUS ACLs. The patch is against 0.5.10 but I suspect will also apply to
your latest code. These mods enable radius acl support in freebsd w/ my
vap code.
You may want to do the changes to ieee802_11_auth.c differently as they
currently require all participating drivers to work the same. You might be
able to check the return value from hostapd_set_radius_acl_auth and use
that to decide whether the alternate code should be run so you can have 1
driver using this stuff while the other does not.
(jm: Added without more dynamic check for now; in addition, none of the
current in-tree driver wrappers actually implement these handlers, so this
is in preparation for future changes)
Chris Zimmermann [Wed, 12 Mar 2008 09:39:56 +0000 (11:39 +0200)]
hostapd_allowed_address() is called from hostapd_config_reload_sta() with
session_timeout and acct_interim_interval set to NULL. Without checking
these before accessing, we'd cause a NULL pointer access in this case.
ieee802_11.c calls hostapd_allowed_address() with valid pointers.
Jouni Malinen [Wed, 12 Mar 2008 09:20:20 +0000 (11:20 +0200)]
FT: Use correct BSSID when deriving PTK and verifying MIC
The old version was using struct wpa_sm::bssid which is not necessarily
updated to point to the correct target address when doing over-the-air FT
since the address is used before the association has actually been
completed.
Jouni Malinen [Wed, 12 Mar 2008 09:18:57 +0000 (11:18 +0200)]
Delete PTK SA on (re)association if this is not part of a Fast BSS
Transition. This fixes a potential issue where an incorrectly behaving AP
could send a group key update using the old (now invalid after reassociate)
PTK. This could also happen if there is a race condition between reporting
received EAPOL frames and association events.
Ryan Hill [Wed, 12 Mar 2008 07:39:25 +0000 (09:39 +0200)]
The attached patch fixes a few build errors when compiling with GCC 4.3,
caused by a few missing header includes. It was done against 0.5.8, but
still applies to 0.5.10.
Jouni Malinen [Wed, 12 Mar 2008 07:33:18 +0000 (09:33 +0200)]
Silence gcc 4.3.0 warnings about invalid array indexes
Jouni Malinen [Sun, 9 Mar 2008 10:14:15 +0000 (12:14 +0200)]
TNC: Added TNC server support into documentation and ChangeLogs
Jouni Malinen [Sun, 9 Mar 2008 10:05:06 +0000 (12:05 +0200)]
TNC: Integrated TNC support into EAP-TTLS server
If TNC is enabled, EAP-TTLS will run a second EAP (TNC) inside the tunnel
after a successful authentication.
Jouni Malinen [Sun, 9 Mar 2008 10:04:10 +0000 (12:04 +0200)]
TNC: Fixed TNC when using EAP-TTLS with non-EAP Phase 2
Need to process EAP AVP after the non-EAP Phase 2 method. In addition,
EAP-TTLS/MSCHAPv2 needs special code for handling the starting of TNC after
extra roundtrip of MSCHAPv2 success message.
Jouni Malinen [Sun, 9 Mar 2008 09:22:17 +0000 (11:22 +0200)]
TNC: Integrated TNC support into EAP-FAST server
Tunneled EAP sequence is now used to perform both the authentication (e.g.,
using EAP-GTC) and TNC validation (EAP-TNC) inside the EAP-FAST tunnel if
TNC has been enabled.
Jouni Malinen [Sun, 9 Mar 2008 09:21:01 +0000 (11:21 +0200)]
TNC: Added support for using TNC with EAP-FAST
Jouni Malinen [Sun, 9 Mar 2008 08:42:53 +0000 (10:42 +0200)]
TNC: Provide 'tnc' configuration option for EAP server and methods
Jouni Malinen [Sun, 9 Mar 2008 08:37:18 +0000 (10:37 +0200)]
TNC: Added preliminary TNC implementation for hostapd
This adds EAP-TNC method and TNCS (IF-IMV and IF-TNCCS) functionality.
There is no integration with EAP-TTLS and EAP-FAST at this point, so this
version is not yet suitable for real use (i.e., EAP-TNC can only be tested
outside a tunnel which is not an allowed configuration for deployment).
However, the basic TNCS functionality is more or less complete and this
version seems to interoperate with wpa_supplicant.
Jouni Malinen [Thu, 6 Mar 2008 20:49:46 +0000 (22:49 +0200)]
Make the "invalid group" error show up with default verbosity level
Dan Williams [Wed, 5 Mar 2008 16:30:01 +0000 (18:30 +0200)]
Fix qt3 wpa_gui build
When a WpaMsg item is added to the QValueList WpaMsgList, there's no
constructor that the QValueList can call. This is a port of the fix from the
stable branch where it builds fine.
Dan Williams [Wed, 5 Mar 2008 14:15:10 +0000 (16:15 +0200)]
Fix potential use-after-free in dbus byte array demarshaling code
The byte array code should be clearing its own pointer, not the string
array pointer.
Jouni Malinen [Wed, 5 Mar 2008 14:06:43 +0000 (16:06 +0200)]
Added a missing '#' to indicate a comment.
Jouni Malinen [Wed, 5 Mar 2008 14:05:26 +0000 (16:05 +0200)]
Renamed local DBUS_VERSION define to avoid conflict with dbus 1.1 headers
Jouni Malinen [Thu, 28 Feb 2008 02:00:12 +0000 (18:00 -0800)]
EAP-FAST: Verify that identity from PAC-Opaque matches with Phase 2 (GTC)
Jouni Malinen [Thu, 28 Feb 2008 01:59:34 +0000 (17:59 -0800)]
EAP-FAST: Cleaned up TLV processing and added support for EAP Sequences
A number of TLVs were processed in groups and these cases were now separated
into more flexible processing of one TLV at a time. wpabuf_concat()
function was added to make it easier to concatenate TLVs. EAP Sequences are
now supported in both server and peer code, but the server side is not
enabled by default.
Jouni Malinen [Thu, 28 Feb 2008 01:58:46 +0000 (17:58 -0800)]
EAP-FAST: Define and use EAP_FAST_CMK_LEN
Jouni Malinen [Thu, 28 Feb 2008 01:58:13 +0000 (17:58 -0800)]
Removed extra '_' from struct eap_tlv_crypto_binding__tlv name
Jouni Malinen [Thu, 28 Feb 2008 01:57:49 +0000 (17:57 -0800)]
EAP-FAST: Divided eap_fast_process() into number of helper functions