Commit graph

708 commits

Author SHA1 Message Date
Jouni Malinen
00468b4650 Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.

The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR

In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.

Authentication server probing can be done, e.g., with following
configuration options:
    eap=TTLS PEAP TLS
    identity=""
    ca_cert="probe://"

Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Server certificate matching is configured with ca_cert, e.g.:
    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
2010-02-13 11:14:23 +02:00
Jouni Malinen
c5674000a3 wpa_gui-qt4: Stop BSS fetch loop on error for Peers dialog
There is no need to continue the loop until the 1000 max BSS limit
if a BSS command fails.
2010-01-24 18:42:45 -08:00
Jouni Malinen
48563d86b2 Try to avoid some unnecessary roaming
When multiple APs are present in scan results with similar signal
strength, wpa_supplicant may end up bounching between them frequently
whenever new scan results are available (e.g., due to periodic scans
requested by NetworkManager). This can result in unnecessary roaming
and in case of the current cfg80211 version, to frequent network
disconnections.

Do not request a roam if the current BSS is still present in the scan
results and the selected BSS is in the same ESS and has only a slighly
stronger signal strength.
2010-01-24 18:19:50 -08:00
Jouni Malinen
b85e772449 SME: Request a new scan if SME association command fails
This handles some error cases without getting stuck waiting for new
events from the driver if association command fails for any reason.
2010-01-24 18:09:36 -08:00
Jouni Malinen
dff0f701d0 Preparations for v0.7.1 release 2010-01-16 19:04:38 +02:00
Jouni Malinen
3e674c063c Update VS 2005 project files with new/removed source files 2010-01-16 18:49:17 +02:00
Witold Sowa
7899e2f42d dbus: Change WPA/RSNIE byte array props to dicts
Expose RSN and WPA properties for BSS objects containing information
about key management and cipher suites. Get rid of WPA/RSN/WPSIE
byte array properties and add IEs byte array property with all IE data
instead.
2010-01-16 16:37:37 +02:00
Jouni Malinen
8c0906542c Fetch IEs from both Beacon and Probe Response frames if available
This allows the driver wrappers to return two sets of IEs, so that
the BSS code can use information from both Beacon and Probe Response
frames if needed. For example, some Cisco APs seem to include more
information in Wireless Provisioning Services IE when it is in the
Beacon frame.
2010-01-16 16:11:05 +02:00
Jouni Malinen
af47308823 Add deinit_ap driver op to help wpa_supplicant AP mode use 2010-01-16 12:20:51 +02:00
Jouni Malinen
e882899981 Add BSSID to TX/RX Action frame driver ops
This meets better the needs for various Public Action frame use cases.
2010-01-16 12:16:20 +02:00
Jouni Malinen
a2e4f66edc Remove completed to-do item 2010-01-16 09:44:41 +02:00
Jouni Malinen
20766f2007 Make wpa_bss_get_max_rate() a bit more readable with a local variable 2010-01-10 22:53:36 +02:00
Jouni Malinen
a416fb47eb IBSS RSN: Explicitly check addr != NULL before passing it to memcmp
idx == 0 should be enough to make sure that the addr is set, but
verify that this is indeed the case to avoid any potential issues if
auth_set_key() gets called incorrectly.
2010-01-10 21:53:17 +02:00
Jouni Malinen
6f9b5d1696 IBSS RSN: Check explicitly that WPA auth sm assoc call succeeded
Verify that association processing did not end up freeing the state
machine. This should not really happen in practice, but better verify
it anyway.
2010-01-10 21:45:44 +02:00
Jouni Malinen
f337f0e950 Remove unnecessary bss != NULL checks from sme_authenticate()
This is already verified in the beginning of the function, so no need
to repeat that multiple times.
2010-01-10 21:31:54 +02:00
Jouni Malinen
2b057028cb Fix client MLME test code for IBSS scan request
wpa_s->mlme.ssid is an array so it is always != NULL and this
comparision should really have used ssid_len instead.
2010-01-10 20:41:33 +02:00
Marcel Holtmann
097c5802da dbus: Fix value of BSS Privacy property
Checking for IEEE80211_CAP_PRIVACY needs to use & and not &&.
2010-01-10 18:18:08 +02:00
Jouni Malinen
728e776c09 Fix alloc validation in wpa_bss_get_bit_rates()
Need to check the value returned by os_malloc(), not the pointer to
this value.
2010-01-09 23:56:09 +02:00
Witold Sowa
8e5568f874 dbus: Change BSS, Network and some errors interface names
Remove ".Interface" part from BSS and Network objects and some
error names.
2010-01-09 11:41:09 +02:00
Masashi Honma
953f0f6333 bsd: Add support for WPA_TRACE and WPA_TRACE_BFD
On FreeBSD 8.0, WPA_TRACE and WPA_TRACE_BFD functionality build fails.
2010-01-09 11:01:12 +02:00
Jouni Malinen
d97572a40f dbus: Add a test script for D-Bus API signals 2010-01-06 21:33:54 +02:00
Jouni Malinen
c91278a5b4 dbus: Do not try to unregister not-yet-registered network object 2010-01-06 21:31:13 +02:00
Jouni Malinen
d58f4a8177 Remove forgotten script termination attempt 2010-01-06 20:23:47 +02:00
Witold Sowa
158c6c7467 dbus: Add BSS property change notifications 2010-01-06 20:03:01 +02:00
Jouni Malinen
c3299a8b74 dbus: Fix crash on property change if D-Bus API is disabled 2010-01-06 12:14:35 +02:00
Jouni Malinen
6c195cd507 dbus: Fix prop_changed_flags allocation to count properties correctly
There was an extra semicolon that broke the calculation of registered
properties and resulted in obj_desc->prop_changed_flags not being
allocated long enough for all the flags.
2010-01-06 11:55:21 +02:00
Jouni Malinen
e30020c7ab dbus: Fix flush_object_timeout_handler context to be consistent
The path pointer used as the timeout_ctx was not constant; the path
string itself may have been the same, but the pointer certainly was not
since it was sometimes from stack and sometimes from the dynamically
allocated buffer in obj_desc. This caused some of the eloop timeout
cancellations not to find the timeout. Fix this by using the obj_desc
as the timeout context data.
2010-01-06 11:50:43 +02:00
Witold Sowa
abd7a4e353 dbus: Aggregate PropertiesChanged signals
Instead of sending PropertiesChanged signals for each changed
property separately, mark properties as changed and send aggregated
PropertiesChanged signals for each interface in each object.
Aggregated PropertiesChanged signal is sent
- for all object after responding on DBus call
- for specified object after manual call to
  wpa_dbus_flush_object_changed_properties() function
- for each object separately after short timeout (currently 5 ms)
  which starts when first property in object is marked changed
2010-01-04 17:15:57 +02:00
Witold Sowa
75d328af50 dbus: Change BSS property MaxRate to Rates
Instead of exposing maximum BSS bit rate, expose sorted array
of all supported rates.
2010-01-04 16:52:30 +02:00
Jouni Malinen
58e1452474 dbus: Remove forgotten, unused functions from GetAll script 2010-01-04 16:35:38 +02:00
Jouni Malinen
777f07b62d dbus: Update example scripts to use PropertiesChanged
The StateChanged signal was removed, to use PropertiesChanged instead.
2010-01-04 16:34:06 +02:00
Marcel Holtmann
27f43d8de5 dbus: Replace StateChanged with PropertiesChanged signal
The actual supplicant state is exposed via a property on the interface
object. So having a separate signal StateChanged for notifying about
changes is a bad idea. The standard PropertiesChanged signal should be
used for this.

The advantage of StateChanged signal was that it includes the previous
state, but not even NetworkManager is making use of this. And tracking
the old state via the property and this signal is easily possible anyway.
2010-01-04 16:33:44 +02:00
Marcel Holtmann
a2753c285f dbus: Use simple strings for debug level
Instead of using some magic integer values that really only mean
something to WPA internal code, just use simple strings. Possible
values are "msgdump", "debug", "info", "warning" and "error" which
map directly to WPA debugging support.
2010-01-04 16:22:26 +02:00
Jouni Malinen
9c3a2284de Fix compiler warnings for non-WPS build 2010-01-03 21:21:03 +02:00
Jouni Malinen
abd9fafab6 Standardize on a single definition of auth_alg bitfield values 2010-01-03 21:14:40 +02:00
Jouni Malinen
70f8cc8ec8 Share the same enum for MFP configuration
The three existing enums were already depending on using the same
values in couple of places and it is just simpler to standardize on
one of these to avoid need for mapping between different enums for
the exact same thing.
2010-01-03 21:02:51 +02:00
Jouni Malinen
d1f9c410c1 Remove src/drivers/scan_helpers.c
Most of this file was already moved into wpa_supplicant/scan.c and
we can remove the file completely by having couple of small helper
functions copied to the remaining users outside core wpa_supplicant
code.
2010-01-03 20:27:32 +02:00
Jouni Malinen
9ba9fa07cc Move wpa_supplicant specific scan code away from src/drivers
This fits better in wpa_supplicant/scan.c. Couple of remaining
scan_helpers.c functions are currently used in driver wrappers,
but they can likely be removed in the future.
2010-01-03 18:48:11 +02:00
Jouni Malinen
1d041bec84 Use generic driver event notification for AP mode assoc/disassoc 2010-01-03 18:22:22 +02:00
Jouni Malinen
a8e0505bf0 Use driver event, EVENT_EAPOL_RX, for EAPOL frame indication 2010-01-03 17:44:40 +02:00
Jouni Malinen
55777702cd Add driver API functionality for off-channel Action frames
This adds new commands and events for allowing off-channel Action
frame exchanges to be requested. This functionality is not yet used
and is only fully supported by driver_test.c at this point.
driver_nl80211.c has support for the remain-on-channel commands, but
the Action frame TX/RX part is still pending review for the kernel
code and as such, is not yet included here.
2010-01-03 13:57:51 +02:00
Jouni Malinen
7bfc47c34f Add driver ops for allocating interface addresses
This adds placeholder code for allowing the virtual interfaces to be
pre-allocated a MAC address before the interface type is known with
drivers that do not handle interface type changes.
2010-01-03 13:42:06 +02:00
Jouni Malinen
504e905c6e Add a driver op for enabling Probe Request reporting in station mode 2010-01-03 13:30:22 +02:00
Jouni Malinen
9646a8ab8b Remove unnecessary wpa_event_type typedef 2010-01-03 13:10:12 +02:00
Jouni Malinen
fdbe50ed98 Fix CONFIG_AP=y build after driver API changes 2010-01-03 13:05:54 +02:00
Jouni Malinen
2a8b74163e Move struct hostapd_frame_info definition away from driver API
This is internal data structure for hostapd/AP functionality and does
not need to be defined in driver.h.
2010-01-03 12:37:02 +02:00
Jouni Malinen
245519e0cd Replace wpa_supplicant_sta_rx() call with driver event
Get rid of wpa_supplicant_sta_rx() and add a new driver event that is
marked to be used only with driver_test.c. In addition, remove this
functionality from privsep wrapper. This is only use for client mode
MLME testing with driver_test.c.
2010-01-03 11:50:26 +02:00
Jouni Malinen
7d7d57b2dc Use shared function for figuring out if BSS is in use
The BSS that is currently in use must not be freed even if it does
not show up in scan results.
2010-01-03 10:55:31 +02:00
Jouni Malinen
1c83b67efd Fix memory corruption on BSS entry reallocation
The wpa_s->bss_id list was being corrupted when the BSS entry needed
to be reallocated due to longer IE data. The entry has to be removed
from all lists before reallocation to avoid this (it was only removed
from the wpa_s->bss list).
2010-01-03 01:25:43 +02:00
Jouni Malinen
2f1a90188c dbus: Use free_dbus_object_desc() consistently to free object descriptor 2010-01-03 01:01:56 +02:00