Commit graph

9836 commits

Author SHA1 Message Date
Jouni Malinen
012783f1ab Fixed EAP-TLS message fragmentation for the last TLS message
It the message was large enough to require fragmentation (e.g., if a large
Session Ticket data is included), More Fragment flag was set, but no
more fragments were actually sent (i.e., Access-Accept was sent out).
2008-11-20 19:39:35 +02:00
Jouni Malinen
f32fe71a1f Fixed Milenage debug output to use correct length for IK and CK 2008-11-20 15:45:31 +02:00
Jouni Malinen
6cd4f02b03 Fixed EAPA-AKA warning message about AT_RES length to use bits 2008-11-20 15:23:51 +02:00
Jouni Malinen
c31a11c962 Changed PEAPv0 cryptobinding to be disabled by default
There are some interoperability issues with Windows Server 2008 NPS, so
better disable cryptobinding use by default for now.
2008-11-20 12:49:34 +02:00
Jouni Malinen
bd1d13c199 Fixed size_t printf format for 64-bit builds 2008-11-19 21:21:34 +02:00
Jouke Witteveen
ea6380e7c9 Fixed a bug in read -> _read cleanup; one missed change 2008-11-19 21:20:24 +02:00
Jouni Malinen
2d981c2fd0 EAP-PEAP: Copy Binding nonce from cryptobinding request to reply
It looks like [MS-PEAP] 3.2.5.6 points towards this being the expected
behavior (however, that chapter is very confusing).

In addition, remove Cryptobinding TLV from response if the received
Cryptobinding TLV is not valid. Add some more debug messages to the case
where the received Cryptobinding TLV is found invalid.
2008-11-19 19:25:14 +02:00
Carolin Latze
98842d51ec Separate OpenSSL engine configuration for Phase 2
I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you
only defined one engine variable, which was read already in phase1. I
defined some new variables:

engine2
engine2_id
pin2

and added support to read those in phase2 wheres all the engine
variables without number are only read in phase1. That solved it and I
am now able to use an engine also in EAP-TTLS phase2.
2008-11-18 16:53:32 +02:00
Jouni Malinen
9ef21b2fef roboswitch: Minor coding style cleanup 2008-11-18 16:35:08 +02:00
Jouke Witteveen
e519314ee9 Add RoboSwitch driver interface for wpa_supplicant
Find attached the patch that creates a new driver: roboswitch. This
driver adds support for wired authentication with a Broadcom
RoboSwitch chipset. For example it is now possible to do wired
authentication with a Linksys WRT54G router running OpenWRT.

LIMITATIONS
- At the moment the driver does not support the BCM5365 series (though
adding it requires just some register tweaks).
- The driver is also limited to Linux (this is a far more technical
restriction).
- In order to compile against a 2.4 series you need to edit
include/linux/mii.h and change all references to "u16" in "__u16". I
have submitted a patch upstream that will fix this in a future version
of the 2.4 kernel. [These modifications (and more) are now included in
the kernel source and can be found in versions 2.4.37-rc2 and up.]

USAGE
- Usage is similar to the wired driver. Choose the interfacename of
the vlan that contains your desired authentication port on the router.
This name must be formatted as <interface>.<vlan>, which is the
default on all systems I know.
2008-11-18 16:30:32 +02:00
Jouni Malinen
cd35db9fef Updated userspace MLME instructions for current mac80211
Remove the old code from driver_wext.c since the private ioctl interface is
never going to be used with mac80211. driver_nl80211.c has an
implementation than can be used with mac80211 (with two external patches to
enable userspace MLME configuration are still required, though).
2008-11-18 15:45:25 +02:00
Jouni Malinen
bac912e5bd Remove extra typedefs since they do not seem to be needed anymore
These typedefs were causing build issues with new kernel/C library headers,
so lets get rid of them since they do not seem to be needed anymore. This
applies only if CONFIG_FULL_DYNAMIC_VLAN is enabled which is not even
mentioned in the defconfig file, so this should not change behavior more
most users.
2008-11-18 15:06:03 +02:00
Jouni Malinen
ba60b94a40 Improved the error message for passive scan not being available
If the driver wrapper does not implement passive_scan handler, do not try
to use strerror() to figure out what the error meant. This is not really an
error that the user should be notified about.
2008-11-18 15:01:24 +02:00
Jouni Malinen
9ee06a63e5 driver_nl80211: Remove monitor interface if AP initialization fails 2008-11-18 14:55:32 +02:00
Jouni Malinen
10b83bd712 Changed channel flags configuration to read the information from the driver
(e.g., via driver_nl80211 when using mac80211) instead of using hostapd as
the source of the regulatory information (i.e., information from CRDA is
now used with mac80211); this allows 5 GHz channels to be used with hostapd
(if allowed in the current regulatory domain).
2008-11-18 14:51:43 +02:00
Jouni Malinen
0cf03892a4 OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API
Updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore).
2008-11-16 21:29:12 +02:00
Jouni Malinen
1e8b9d2889 Updated interop results for ACS 4.2 2008-11-16 11:30:34 +02:00
Jouni Malinen
ea251b4a23 EAP-FAST: Reorder TLVs in PAC Acknowledgment to fix interop issues
It looks like ACS did not like PAC Acknowledgment TLV before Result TLV, so
reorder the TLVs to match the order shown in a
draft-cam-winget-eap-fast-provisioning-09.txt example. This allows
authenticated provisioning to be terminated with Access-Accept (if ACS has
that option enabled). Previously, provisioning was otherwise successful,
but the server rejected connection due to not understanding the PAC Ack
("Invalid TEAP Data recieved").
2008-11-16 11:10:29 +02:00
Jouni Malinen
1b554eb0d7 Modified the OpenSSL patch to use session ticket -specific function
This is the first step in replacing SSL_set_hello_extension() with a new
SSL_set_session_ticket_ext() function that can only be used to override the
session ticket extension, not any arbitrary TLS extension.

SSL_set_hello_extension() is still present as a simple wrapper in this
version to avoid changing the API and to make testing with wpa_supplicant
and hostapd easier. It can be eventually removed when the patch is going in
into OpenSSL distribution.
2008-11-12 06:15:27 +02:00
Jouni Malinen
d13c05cafb Updated indentation in the patch to match style used elsewhere in OpenSSL 2008-11-12 05:06:03 +02:00
Kel Modderman
efd59c96d7 wpa_gui-qt4: tweak icon Makefile
Output the xpm icons in more convenient location.

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-11-11 17:41:19 +02:00
Martin Michlmayr
65db6cad23 wpa_gui-qt4: FTBFS with GCC 4.4: missing #include
GCC 4.4 cleaned up some more C++ headers.  You always have to #include
headers directly and cannot rely for things to be included indirectly.

> g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DCONFIG_CTRL_IFACE
-DCONFIG_CTRL_IFACE_UNIX -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED
-I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore
-I/usr/include/qt4/QtCore -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtGui
-I/usr/include/qt4 -I. -I.. -I../../src/utils -I../../src/common -I.moc -I.ui -o
.obj/wpagui.o wpagui.cpp
> wpagui.cpp: In constructor 'WpaGui::WpaGui(QWidget*, const char*,
Qt::WFlags)':
> wpagui.cpp:98: error: 'printf' was not declared in this scope

From: Martin Michlmayr <tbm@cyrius.com>
Bug:  http://bugs.debian.org/505041

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-11-11 17:36:37 +02:00
Jouni Malinen
46690a3b9b Added an optional mitigation mechanism for certain attacks against TKIP by
delaying Michael MIC error reports by a random amount of time between 0 and
60 seconds if multiple Michael MIC failures are detected with the same PTK
(i.e., the Authenticator does not rekey PTK on first failure report). This
is disabled by default and can be enabled with a build option
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config.

This may help in making a chopchop attack take much longer time by forcing
the attacker to wait 60 seconds before knowing whether a modified frame
resulted in a MIC failure.
2008-11-08 04:43:12 +02:00
Jouni Malinen
6982784e20 EAP-SIM/AKA: fixed initialization to verify PIN even if identity is set
Previously, hardcoded identity in the network configuration skipped both
IMSI reading and PIN verification. This broke cases where PIN is needed for
GSM/UMTS authentication. Now, only IMSI reading is skipped if identity is
hardcoded.
2008-11-07 20:09:44 +02:00
Jouni Malinen
04a5bad682 EAP-AKA: Validate RES Length field in AT_RES
This change breaks interoperability with older wpa_supplicant versions
(everything up to and including wpa_supplicant 0.5.10 and 0.6.5) which
incorrectly used this field as number of bytes, not bits, in RES.
2008-11-07 08:34:07 +02:00
Jouni Malinen
fa71a1d84a Fixed EAP-AKA RES Length field in AT_RES as length in bits, not bytes 2008-11-07 08:30:34 +02:00
Jouni Malinen
36100718de EAP-FAST server: allow expired PAC for PAC refresh
Instead of falling back to full TLS handshake on expired PAC, allow the
PAC to be used to allow a PAC update with some level of server
authentication (i.e., do not fall back to full TLS handshake since we
cannot be sure that the peer would be able to validate server certificate
now). However, reject the authentication since the PAC was not valid
anymore. Peer can connect again with the newly provisioned PAC after this.
2008-11-06 22:57:09 +02:00
Jouni Malinen
39452b4deb EAP-FAST: Include Tunnel PAC request only after EAP authentication 2008-11-06 21:07:53 +02:00
Jouni Malinen
581a8cde77 Added support for enforcing frequent PTK rekeying
Added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP
deficiencies. This can be set either by the Authenticator (to initiate
periodic 4-way handshake to rekey PTK) or by the Supplicant (to request
Authenticator to rekey PTK).

With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP
keys will not be used for more than 10 minutes which may make some attacks
against TKIP more difficult to implement.
2008-11-06 19:57:21 +02:00
Jouni Malinen
81eec387dd Added Milenage-GSM simulator for EAP-SIM
CONFIG_SIM_SIMULATOR=y in .config and password="Ki:OPc" in network config
to enable.
2008-11-06 04:21:32 +02:00
Jouni Malinen
31cbe002c9 driver_ndis: Added a workaround for a driver that removes SSID IE in scan
A driver was found to remove SSID IE from NDIS_WLAN_BSSID_EX IEs, but the
correct SSID is included in NDIS_802_11_SSID structure inside the BSSID
data. If this is seen in scan results, create a matching SSID IE and add it
to the end of IEs to fix scan result parsing.
2008-11-05 23:44:26 +02:00
Jouni Malinen
2a24bb3199 Added Milenage USIM emulator for EAP-AKA (can be used to simulate test
USIM card with a known private key; enable with CONFIG_USIM_SIMULATOR in
.config and password="Ki:OPc:SQN" in network configuration).
2008-11-05 23:02:13 +02:00
Jouni Malinen
988ab690ac Preparations for 0.6.5 release 2008-11-01 17:20:25 +02:00
Jouni Malinen
ac987fb7de Fixed fwrite error path in eap_fast_write_pac not to free buf
Caller expects the buffer to be allocated on error, so eap_fast_write_pac()
must be consistent with its behavior on error paths.
2008-11-01 17:09:28 +02:00
Jouni Malinen
8caa12b46c Added a comment about VS2008EE and updated WinPcap/OpenSSL versions 2008-11-01 14:46:00 +02:00
Jouni Malinen
07d44beeab Added a note about hostapd driver_nl80211 and AP mode in wireless-testing 2008-11-01 14:32:10 +02:00
Jouni Malinen
e3e51d9f03 Fixed ctrl_iface BSS command to fetch scan results, if needed
This makes BSS command work line SCAN_RESULTS and allows wpa_gui to get
some scan results without explicit scan results even when using ap_scan=2.
2008-11-01 14:28:34 +02:00
Johannes Berg
4aac554ce2 driver_nl80211: Remove set_ssid from nl80211 driver
This is no longer required (and does not work with current
wireless-testing anymore).

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2008-11-01 13:45:34 +02:00
Jouni Malinen
b6a55236ce Updated VS2005 project files with new and removed C files 2008-11-01 13:03:09 +02:00
Jouni Malinen
3fd0b8f196 Use os_snprintf() instead of snprintf() 2008-11-01 13:02:50 +02:00
Jouni Malinen
1add3c3387 Use the common ieee802_11_parse_elems() implementations for mlme.c 2008-10-29 21:57:01 +02:00
Jouni Malinen
cb7b04c8c9 Moved ieee802_11_parse_elems() into common code 2008-10-29 21:48:14 +02:00
Jouni Malinen
3d536eb453 Removed the unused hapd argument to ieee802_11_parse_elems() 2008-10-29 21:33:46 +02:00
Jouni Malinen
fefee8a74d driver_nl80211: Added TX queue parameter configuration 2008-10-29 19:35:17 +02:00
Jouni Malinen
4c99a969e3 driver_nl80211: Added basic rate configuration 2008-10-29 19:34:27 +02:00
Jouni Malinen
308a4ec81a Verify fread(), fwrite(), and system() return values
These were starting to trigger compiler warning with recent glibc header
files and gcc.
2008-10-29 19:33:24 +02:00
Jouni Malinen
dd20838a7d Fixed size_t printf format for 64-bit targets 2008-10-29 19:30:23 +02:00
Jouni Malinen
8e8df25541 nl80211: Finish dumps properly (ported from iw.git) 2008-10-29 19:28:35 +02:00
Jouni Malinen
990ec3787e Set TX queue parameters during initialization
This was already called from reconfig.c, but the call from hostapd.c had
been forgotten.
2008-10-29 19:25:15 +02:00
Jouni Malinen
114622c021 Fixed EAPOL skip for PMKSA caching case to remain in authenticated state
Need to make sure that portValid is TRUE in order to avoid PAE state
machine going into DISCONNECTED state on eapol_sm_step(). This could be
triggered at least with OKC.
2008-10-25 20:21:31 +03:00