Must update sm->pairwise when fetching PMK-R1 SA.
Add a workaround for drivers that cannot set keys before association
(e.g., cfg80211/mac80211): retry PTK configuration after association.
If the PTK configuration prior to association fails, allow reassociation
attempt to continue and configure PTK after association. This is a
workaround for drivers that do not allow PTK to be configured before
association (e.g., current cfg80211/mac80211).
This attribute is supposed to indicate which methods the AP supports as
an Enrollee for adding external Registrars. It was left to 0 when the
AP code did not yet support external Registrars and was forgotten when
the ER support was added.
On NetBSD 5.0.2, wpa_supplicant build results in messages below.
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_get_ssid':
../src/drivers/driver_bsd.c:876: warning: passing argument 2 of 'bsd_get_ssid'
from incompatible pointer type
../src/drivers/driver_bsd.c:876: warning: passing argument 3 of 'bsd_get_ssid'
makes integer from pointer without a cast
../src/drivers/driver_bsd.c:876: error: too many arguments to function
'bsd_get_ssid'
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_scan':
../src/drivers/driver_bsd.c:1125: warning: passing argument 2 of 'bsd_set_ssid'
from incompatible pointer type
../src/drivers/driver_bsd.c:1125: warning: passing argument 3 of 'bsd_set_ssid'
makes integer from pointer without a cast
../src/drivers/driver_bsd.c:1125: error: too many arguments to function
'bsd_set_ssid'
gmake: *** [../src/drivers/driver_bsd.o] Error 1
This patch solves this issue.
This is a step in adding FT support with nl80211-based drivers.
driver_nl80211.c is now registering to handle the FT Action frames
and is able to transmit FT Request frame. Received FT Action frames
are not yet indicated as driver events.
This is needed to fix PTK derivation to use correct length. Previously,
64-octet PTK may have been derived if the authenticator did not already
have a STA entry. Now, the correct pairwise cipher suite is learned when
then PMK-R1 SA is received.
This was not supposed to have duplicate value with WPA_AUTH_ALG_LEAP.
The previous version was unable to set FT as the authentication
algorithm with nl80211.
With this patch, a client gets kicked out of the last BSS it was
attached to, when it is associating to a different one.
While mac80211 does allow a station to be present on multiple bss
interfaces, this does seem to cause problems both for the stack
and for hostapd.
This patch allows the nl80211 driver to create its own per-bss context
and pass it to the drv_priv pointer of the hostapd bss state.
With this and the following patch, stations can associate to and switch
between multiple BSS interfaces of a single wiphy.
This obsoletes a few instances of passing ifname to a callback, those
can be removed in a separate patch.
It might also be useful to move more fields from the driver data to the
per-bss data structure in the future.
This patch allows wpa_supplicant to compile on Debian's kfreebsd
architectures.
Patch by Stefan Lippers-Hollmann based on work done by Petr Salinger
and Emmanuel Bouthenot for 0.6.X (http://bugs.debian.org/480572).
filter_ssids=1 global configuration parameter can now be used to
enable scan result filtering (with -Dnl80211 only for now) based on
the configured SSIDs. In other words, only the scan results that have
an SSID matching with one of the configured networks are included in the
BSS table. This can be used to reduce memory needs in environments that
have huge number of APs.
wpa_supplicant can now be notified of suspend/resume events, e.g.,
from pm-action scripts. This allows wpa_supplicant to clear information
that may become invalid during a suspend operation.
The kernel side support for this was just added into
wireless-testing.git. This commit adds the driver wrapper code needed
to allow wpa_supplicant to use the new functionality.
Some drivers may need to use a specific ifname for the virtual
interface, so allow them to do this with a new parameter passed
to the alloc_interface_addr() handler.
TNC IF-T is somewhat unclear on this are, but
draft-hanna-nea-pt-eap-00.txt, which is supposed to define the same
protocol, is clearer on the Flags field being included.
This change breaks interoperability with the old implementation if
EAP-TNC fragmentation is used. The old version would not accept
the acknowledgement message with the added Flags octet while the
new version accepts messagss with with both options.
If the last message from the EAP-TNC server was fragmented, the
fragment processing lost the DONE/FAIL state and did not know how
to handle the final ACK from the peer. Fix this by remembering the
earlier DONE/FAIL state when fragmenting a frame.
TNC IF-T specification is unclear on the exact contents of the fragment
acknowledgement frame. An interoperability issue with the tncs@fhh
implementation was reported by Arne Welzel
<arne.welzel@stud.fh-hannover.de> due to the different interpretations
of the specification. Relax EAP-TNC server/peer validation rules to
accept fragmentation acknowledgement frames to include the Flags field
to avoid this issue.
This patch aggregates ioctls.
First is SIOCS80211. The SIOCS80211's arguments has 3 couples.
1-1. i_len, i_data
1-2. i_val
1-3. i_len, i_data, i_val (currently only IEEE80211_IOC_APPIE)
There were 3 routines for each cases. This patch aggregates these to
one.
Second is SIOCG80211. The SIOCG80211 returns 2 type of value.
2-1. i_len
2-2. i_val
There were 2 routines for each cases. This patch aggregates these to
one.
I have tested on both FreeBSD 8.0 and NetBSD 5.0.1 with these cases.
[hostapd]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(STA)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(AP)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
This patch enables FreeBSD channel control.
I have tested on FreeBSD 7.2 with these cases.
[hostapd]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(STA)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(AP)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
The attached patch unifies hostapd wpa_driver_bsd_ops and
wpa_supplicant wpa_driver_bsd_ops.
I have tested on NetBSD 5.0.1 with these cases.
[hostapd]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(STA)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
[wpa_supplicant(AP)]
RSN-PSK(CCMP)/WPA-PSK(TKIP)
This patch modifies field name of struct bsd_driver_data to use
same name of struct wpa_driver_bsd_data. This is a preparation of
unifying struct bsd_driver_data and struct wpa_driver_bsd_data.
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.
The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR
In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.
Authentication server probing can be done, e.g., with following
configuration options:
eap=TTLS PEAP TLS
identity=""
ca_cert="probe://"
Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed
Server certificate matching is configured with ca_cert, e.g.:
ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
The previous version could end leaking memory since os_free() was used
instead of wpabuf_free(). In addition, this could potentially have
triggered a crash if the TLS context were being freed when pending
input data where still in the buffer (though, this may not be possible
to trigger in practice).
The bsd_send_eapol() adds Ethernet header by itself. This patch changes it
to use l2_packet functionality.
I have tested on NetBSD 5.0.1 with WPA-PSK(TKIP).
On NetBSD, we should configure some parameters manually out of hostapd
like below.
ifconfig ath0 mediaopt hostap
ifconfig ath0 mode 11g
ifconfig ath0 chan 6
This patch does these automatically. Maybe there will be some
objections, like "hardware configuration is not hostapd/wpa_supplican's
work". So I will write the reasons why I made this patch.
1. For usability.
2. The first command fails when previous state is adhoc. This patch is
free from previous state.
3. Some driver wrappers configure these automatically (like nl80211).
4. I have wasted time trying to find out these command were needed :(
The ps3 wireless kernel driver has wireless extension support.
There is a legacy wpa_supplicant driver, and support for this
has been removed from the kernel driver, as no distributions
are using it.
This may help in debugging why cfg80211 refused the association
command since the scan results should include information about all
pending authentication and association states.
cfg80211 has a limit on pending authentications, so we better clear
the entries that we do not care about to avoid hitting the limit
when roaming between multiple APs.
This patch moves the authentication server setup before
IEEE 802.1X initialization. It's because 802.1X already
needs to have a valid SSL context.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
This allows the driver wrappers to return two sets of IEs, so that
the BSS code can use information from both Beacon and Probe Response
frames if needed. For example, some Cisco APs seem to include more
information in Wireless Provisioning Services IE when it is in the
Beacon frame.
This makes the bridge parameter unnecessary for cases where the interface
is already in a bridge and sysfs is mounted to /sys so that the detection
code works.
For nl80211, the bridge parameter can be used to request the AP
interface to be added to the bridge automatically (brctl may refuse to
do this before hostapd has been started to change the interface mode).
If needed, the bridge interface is also created.
If the driver is detected to use cfg80211, we can rely on it being able
to disconnect with SIOCSIWMLME commands and to use empty SSID as a way
to stop it from associating when we are in progress of configuring the
driver for association. Consequently, we can remove the hack that uses
random 32-octet SSID to force disconnection and re-order association
commands to match the expectations that cfg80211 has for WEXT ioctls.
This gets rid of extra scan rounds and attempts to associate with the
silly 32-octet SSID.
Better make sure the eloop_timeout data gets fully initialized. The
current code is filling in all the fields, but it is clearer to just
zero the buffer to make sure any new field added to the structure gets
initialized.
This avoids potential use of uninitialized stack memory when printing
out peer address based on SMK error message that does not include the
MAC address.
wpa_sm_step() could theoretically free the statemachine, but it does
not do it in this particular case. Anyway, the code can be cleaned to
verify whether the state machine data is still available after the
wpa_sm_step() call.
On FreeBSD 8.0, driver_bsd.c build fails because of changes from
older versions of FreeBSD. The error messages are below:
In file included from ../src/drivers/driver_bsd.c:38:
/usr/include/net80211/ieee80211_crypto.h:94: error: 'IEEE80211_TID_SIZE'
undeclared here (not in a function)
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_set_wpa_ie':
../src/drivers/driver_bsd.c:968: error: 'IEEE80211_IOC_OPTIE' undeclared (first
use in this function)
../src/drivers/driver_bsd.c:968: error: (Each undeclared identifier is reported
only once
../src/drivers/driver_bsd.c:968: error: for each function it appears in.)
gmake: *** [../src/drivers/driver_bsd.o] Error 1
This patch solves this issue.
wmm_ac_??_cw{min,max} parameters are in log form
When the wme_ac_??_cw{min,max} parameters aren't specified in
hostapd.conf, hostapd uses an incorrect set of default values, as the
defaults are in 2^x-1 form instead of in log form. This patch changes
them over to the expected log form.
Number of Linux driver wrappers included this more or less identical
function, so lets add a new helper file to be able to share some more
code between the driver wrappers.
The three existing enums were already depending on using the same
values in couple of places and it is just simpler to standardize on
one of these to avoid need for mapping between different enums for
the exact same thing.
Most of this file was already moved into wpa_supplicant/scan.c and
we can remove the file completely by having couple of small helper
functions copied to the remaining users outside core wpa_supplicant
code.
This fits better in wpa_supplicant/scan.c. Couple of remaining
scan_helpers.c functions are currently used in driver wrappers,
but they can likely be removed in the future.
This adds new commands and events for allowing off-channel Action
frame exchanges to be requested. This functionality is not yet used
and is only fully supported by driver_test.c at this point.
driver_nl80211.c has support for the remain-on-channel commands, but
the Action frame TX/RX part is still pending review for the kernel
code and as such, is not yet included here.
This adds placeholder code for allowing the virtual interfaces to be
pre-allocated a MAC address before the interface type is known with
drivers that do not handle interface type changes.
Get rid of wpa_supplicant_sta_rx() and add a new driver event that is
marked to be used only with driver_test.c. In addition, remove this
functionality from privsep wrapper. This is only use for client mode
MLME testing with driver_test.c.
Get more information about scans when updating BSS table information.
This allows the missing-from-scans expiration rule to work properly
when only partial set of channels or SSIDs are being scanned.
WPS IE parsing for PBC mode did not check whether the UUID-E attribute
was included before dereferencing the pointer. This could result in the
AP crashing when processing and invalid Probe Request frame.
There does not seem to be a driver interface for fetching auth_algs
capability, but this may be used by some external application, so
hardcode all auth_algs as supported for now.
This allows the driver interface to be deinitialized before
struct hostapd_data instance gets freed. This needs to be done so
that the driver wrapper does not maintain a context pointer to
freed memory.
Doxygen and some build tools may get a bit confused about same file
name being used in different directories. Clean this up a bit by
renaming some of the duplicated file names in src/ap.
Initialize struct hostapd_data driver context with the same driver
information that was initialized earlier during wpa_supplicant start.
This allows the AP mode operations to be completed directly with the
same calls in AP code without having to maintain a separate translation
layer between the AP and station mode driver context.
Skip WPS IE building for Beacon and Probe Response frames is set_ie_cb()
is not set. This fixes a memory leak and optimizes operations by not
allocating memory and building the WPS IEs unnecessarily.
This code can be shared by both hostapd and wpa_supplicant and this
is an initial step in getting the generic code moved to be under the
src directories. Couple of generic files still remain under the
hostapd directory due to direct dependencies to files there. Once the
dependencies have been removed, they will also be moved to the src/ap
directory to allow wpa_supplicant to be built without requiring anything
from the hostapd directory.
set_ap_wps_ie() is not used to set WPS IE for both Beacon and Probe
Response frames with a single call. In addition, struct wpabuf is used
instead of separate u8* and length fields. This avoids duplicated
allocation of the IEs and simplifies code in general.
This mode allows associated stations to use 4-address frames to allow
layer 2 bridging to be used. At least for the time being, this is only
supported with driver=nl80211.
This WPA_TRACE=y additions allows components to register active references
to memory that has been provided to them as a pointer. If such an actively
referenced memory area is freed, tracer will report this as an error and
backtraces of both the invalid free and the location where this pointer
was marked referenced are shown.
This adds config_methods configuration option for wpa_supplicant
following the design used in hostapd. In addition, the string is
now parsed in common code from src/wps/wps_common.c and the list
of configurable methods include all the defined methods from
WPS 1.0h spec.
Since an Enrollee that does not advertise display as one of the
Config Methods is unlikely to be able to show the ASCII passphrase
to the user, prefer PSK format with such an Enrollee to reduce key
derivation time. This can help with some low-powered devices that
would take long time to derive the PSK from the passphrase.
The use_psk_key parameter can now be used to force the Registrar to
use PSK format instead of ASCII passphrase when building a Credential
for the Enrollee. For now, this is not enabled, but it could be enabled
either based on external (to WPS) configuration or automatically set
based on some WPS attribute values from the Enrollee.
Undocumented (at least for the time being) TLS parameters can now
be provided in wpa_supplicant configuration to enable some workarounds
for being able to connect insecurely to some networks. phase1 and
phase2 network parameters can use following options:
tls_allow_md5=1
- allow MD5 signature to be used (disabled by default with GnuTLS)
tls_disable_time_checks=1
- ignore certificate expiration time
For now, only the GnuTLS TLS wrapper implements support for these.
The new TLS wrapper use may end up returning alert data and we need to
make sure here that it does not end up getting interpreted as success
due to non-NULL response.
This converts tls_connection_handshake(),
tls_connection_server_handshake(), tls_connection_encrypt(), and
tls_connection_decrypt() to use struct wpa_buf to allow higher layer
code to be cleaned up with consistent struct wpabuf use.
Use an extra header to move the returned pointer to break os_free()
or free() of the returned value and verify that the correct magic
is present when freeing or resizing the wpabuf. Show backtrace on
invalid wpabuf use.
If Finished message from peer has been received before the server
Finished message, start Phase 2 with the same message to avoid extra
roundtrip when the peer does not have anything to send after the server
Finished message.
Instead of forcefully deinitializing ER immediately, give it some
time to complete unsubscription and call eloop_terminate() only once
ER code has completed its work.
WPA_TRACE=y builds will now verify that memory allocation in done
consistently using os_{zalloc,malloc,realloc,strdup,free} (i.e., no
mixing of os_* functions and unwrapper functions). In addition, some
common memory allocation issues (double-free, memory leaks, etc.) are
detected automatically.
WPA_TRACE=y can now be used to enable internal backtrace support that
will provide more details about implementation errors, e.g., when some
resources are not released correctly. In addition, this will print out
a backtrace automatically if SIGSEGV is received.
As an initial step in sharing netlink helper functions among driver
wrappers, create a new file for netlink code and move operstate send
function there.
This message from tls_connection_handshake() is not really an error in
most cases, so do not show it if there was indeed no Application Data
available (which is a normal scenario and not an indication of any
error).
Replace driver wrapper calls to hostapd_tx_status(),
hostapd_rx_from_unknown_sta(), hostapd_mgmt_rx(), and
hostapd_mgmt_tx_cb() with new generic driver events
EVENT_TX_STATUS, EVENT_RX_FROM_UNKNOWN, and EVENT_RX_MGMT.
This cleans up lot of the driver wrapper code to be less dependent
on whether it is being used within wpa_supplicant AP mode or hostapd.
This remove the need from driver_test.c to go through internal hostapd
structures to find the appropriate BSS when reporting events on secondary
BSSes.
This removes need for including hostapd/sta_flags.h into driver
wrappers and removes any remaining dependencies between driver flags
and internal hostapd flags.
The Prism54.org project seems have been dead for a while and it does not
look like this driver would ever be maintained again. Furthermore, it is
difficult to find a version that would work with the driver_prism54.c
wrapper and there is another driver for these card in the Linux kernel
tree.
The hostapd integration in driver_prism54.c is quite different from the
other driver wrappers and would require major effort to get it cleaned
up. Since there does not seem to be any real users for the cleaned up
version, there does not seem to be justification to spend this effort on
the wrapper. This old code is making it much more difficult to clean up
the driver interface and at this point, the best option seems to be to
remove the driver wrappers. Should someone really still need this, the
old code will continue to be available in hostapd 0.6.x.
Instead of using the latest selected registrar change, collect selected
registrar information separately from all registrars and use the union
of this information when building the WPS IE for Beacon and Probe
Response frames.
Note: SetSelectedRegistrar UPnP action does not include a unique
identifier, so the ER matching routine is based only on the IP address
of the ER. In theory, there could be multiple ERs using the same IP
address (but different port or URL), so there may be some corner cases
that would not always match the correct ER entry at the AP. Anyway, this
is not really expected to occur in normal use cases and even if it did
happen, the selected registrar information is not any worse than it was
before when only the last change from any registrar for being
advertized.
This is more logical location for checking the URL and potentially
handling a call to another URL handler. In addition, return 404 error,
not invalid UPnP action, if the URL does not match.
These callbacks can be handled internally within core WPS code, so there
is no need to go through wps_hostapd.c with a callback function that is
just calling back into the core WPS code.
This can be handled internally within core WPS code, so there is no
need to go through wps_hostapd.c with a callback function that is just
calling back into the core WPS code.
IEEE 802.11w uses distinct key indexes (4 and 5) so the same
get_seqnum() handler can be used to fetch packet number for both
TKIP/CCMP and BIP(using IGTK).
Since the new get_seqnum_igtk() handler was not actually implemented by
any driver wrapper, this may also fix BIP/IGTK sequence number reporting
with driver_nl80211.c.
The password in User-Password AVP is padded to a multiple of 16 bytes
on EAP-TTLS/PAP. But when the password length is zero, no padding is
added. It doesn't cause connectivity issue. In fact, I could connect
with hostapd RADIUS server with zero length password.
I think it's better for obfuscation to pad the 16 bytes data when the
password length is zero with this patch.
There was code for configuring this, but no driver wrapper actually
implements the actual setting. Remove this for now to reduce potential
confusion and to simply the driver interface.
In addition to the bitrate, the only other variable in this structure
is used internally in hostapd. Move this structure into hostapd.h and
make the driver API use simpler data structure (array of bitrates).
These are not really used and can be removed to clean up the driver
interface definition. The only remaining flag (HOSTAPD_RATE_BASIC) can
be removed once the basic rate set indication can be handled
differently.
if_add/if_remove can now be used as the generic driver ops for adding
and removing virtual interfaces of various types. In addition,
driver_nl80211.c is now including this code unconditionally, so that
the functions are not limited only for hostapd.
On NetBSD 5.0.1, driver_bsd.c build fails with message below.
../src/drivers/driver_bsd.c: In function 'wpa_driver_bsd_associate':
../src/drivers/driver_bsd.c:1170: warning: implicit declaration of function 'wpa_driver_bsd_set_auth_alg'
../src/drivers/driver_bsd.c: At top level:
../src/drivers/driver_bsd.c:1204: error: static declaration of 'wpa_driver_bsd_set_auth_alg' follows non-static declaration
../src/drivers/driver_bsd.c:1170: error: previous implicit declaration of 'wpa_driver_bsd_set_auth_alg' was here
gmake: *** [../src/drivers/driver_bsd.o] Error 1
This patch solves this issue.
The new test-asn1 and test-x509 tools are built using libraries
from src/{utils,crypto,tls}. Currently, cross dependencies between
crypto and tls are still preventing the test-x509 from being linked
properly.
This is a separate program and is used mainly with hostapd, so it is
better to move this into the hostapd subdirectory now that Milenage
code has already been moved into src/crypto. Milenage was the only
generic component in hlr_auc_gw.
eap_example is now using src/crypto/libcrypto.a and src/tls/libtls.a
instead of providing own rules for building the files for these
components. TLS library selection is temporarily disabled for
eap_example (it will be built using internal crypto/TLS), but the
configuration option for this will eventually be restored with a new
libcrypto.a configuration option.
Clean up the internal TLS implementation by removing conditional
build blocks for (mostly) EAP-FAST specific functionality. This
will increase the size a big for non-EAP-FAST builds, but is quite
helpful in making src/tls/libtls.a with single build options. If
the potential size reduction is considered significant in the future,
this can be reconsider with a more library compatible way (e.g.,
external file with registration function, etc.).
This allows libeap.a and libeap.so to be built by merging in multiple
libraries from src subdirectories. In addition, this avoids wasting
extra space and time for local builds.
This fixes issues with some GnuTLS versions that seem to be adding
quite a bit of extra data into TLS messages. The EAP server code is
now using the same 300 byte extra room that was already used in the
EAP peer implementation.
The following defines are not really needed in most places, so
remove them to clean up source code and build scripts:
EAP_TLS_FUNCS
EAP_TLS_OPENSSL
EAP_TLS_GNUTLS
CONFIG_TLS_INTERNAL
There seem to be some cases in which wpa_supplicant and
cfg80211/mac80211 seem to have different understanding on
authentication/association state. Since cfg80211/mac80211 is very strict
on when it accepts new authentication/association/scan commands, try our
best at clearing such state mismatches by explicitly deauthenticating
from BSSes with which the driver claims we are associated with if we do
not have local information about such association.
Print what the kernel believes the current BSS status (authenticated
or associated) is in scan results. In addition, check whether this
matches with the state that wpa_supplicant believes the driver to be
in.
This does not change the actual behavior, but will provide information
that will help in debugging potential issues where cfg80211/mac80211
seems to get into a different state from wpa_supplicant. In addition,
this provides an easy location for a workaround that could be added to
clear cfg80211/mac80211 state for unknown BSSes.
This is an initial step in further cleaning up the EAPOL authenticator
use to avoid requiring direct accesses to the internal data structures.
For now, number of external files are still including the internal
definitions from eapol_auth_sm_i.h, but eventually, these direct
references should be removed.
In addition, start ordering header file includes to be in more
consistent order: system header files, src/utils, src/*, same
directory as the *.c file.
This removes the hardcoded definition from Makefile and cleans up
source code by moving the mail HOSTAPD_DUMP_STATE blocks into separate
files to avoid conditional compilation within files.
While this may not include knowledge of all EAP methods since this
depends on build configuration, it is better to not have to include
ieee802_1x.h into eapol_sm.c.
This makes it clearer which files are including header from src/common.
Some of these cases should probably be cleaned up in the future not to
do that.
In addition, src/common/nl80211_copy.h and wireless_copy.h were moved
into src/drivers since they are only used by driver wrappers and do not
need to live in src/common.
This avoids passing the raw scan results into the RSN code and by
doing so, removes the only dependency on src/drivers from the
src/rsn_supp code (or from any src subdirectory for that matter).
Instead of using hardcoded maximum A-MPDU length of 64 kB and no
restrictions on minimum MPDU Start Spacing, use the correct values
reported by the driver.
This is not actually used at all and it looks like the rules for
maintaining the old/new RADIUS configuration are not very clear in the
case the RADIUS client configuration did not change. Consequently, it
is better to just remove this for now and if similar functionality is
ever needed, redesign it to be easier to use without causing hard to
find issues with using freed memory.
Simpler approach to reconfiguring the RADIUS client would involve
just deinitializing the old context unconditionally and initializing
a new one whenever the configuration could have changed.
Use shared functions for converting Primary Device Type between binary
and string formats. In addition, use array of eight octets instead of a
specific structure with multiple fields to reduce code complexity.
Mainly, this is including header files to get definitions for functions
which is good to verify that the parameters match. None of these are
issues that would have shown as incorrect behavior of the program.
This gets rid of previously deprecated driver_ops handlers set_wpa,
set_drop_unencrypted, set_auth_alg, set_mode. The same functionality
can be achieved by using the init/deinit/associate handlers.
These driver wrappers should not be used anymore; WEXT should be used
instead. However, there may still be users stuck on older kernel versions
that may require driver specific wrappers, so the source code still
remains in the repository.
This moves the MTU definition into driver_hostap.c since it was really
meant to be specific to this driver. Since this was the last remaining
definition in hostapd_defs.h, remove that header file as unnecessary.
This code was copied from driver_hostap.c where it is used with the
special wlan#ap interface. It was not supposed to be used to change
the MTU for a normal data interface.
Clean up driver_nl80211.c by gettign rid of the last remaining WEXT use.
This requires that a recent mac80211 version is used to get full protection
in station mode via the authorized flag (IEEE 802.1X PAE).
Clean up driver interface by merging hostapd and wpa_supplicant
specific set_beacon driver_ops into a single one. In addition,
merge set_beacon_int into to the same operation.
If initialization fails, we could potentially try to sendto() on -1
socket which would fail. No point in doing that, so just return early
from the function.
The current MinGW/w32api versions seem to provide all the needed CryptoAPI
functions, so the code for loading these dynamically from the DLL can be
removed.
Need to define the workspace buffer properly to allow compiler to handle
strict aliasing between the incoming unsigned char[64] buffer as an u32
array. The previous version built with strict aliasing enabled can
result in SHA-1 producing incorrect results and consequently, with
4-way handshake failing.
This is based on a report and patch from Dan Williams <dcbw@redhat.com>
but with a different type (the union) used as a fix to avoid needing
extra type casting.
Discovered as part of the investigation of:
https://bugzilla.redhat.com/show_bug.cgi?id=494262#c32
if sha1 is built with gcc without turning off strict aliasing, it will
fail to correctly generate the hashes and will fail its own testcases as
well.
Signed-off-by: Dan Williams <dcbw@redhat.com>
This avoids some issues in cases where the ER has been started and
stopped multiple times on the same address and an AP may have stored
multiple event notification addresses for the same ER. The random
identifier allows the ER to filter out unexpected messages from further
processing.
Do not give the allocated memory to the subscription code since it was
not using it as-is anyway. This makes it easier to understand who owns
the allocation an is responsible of freeing it. This may potentially
fix some memory leaks on error paths.
The WPS 1.0h specification is quite unclear on what exactly should be
used as the MAC Address value in the Credential and AP Settings. It
looks like this should after all be the MAC Address of the Enrollee,
so change Registrar implementation to use that address instead of the
AP BSSID.
In addition, add validation code to the Enrollee implementation to
check the MAC Address value inside Credential (and also inside AP Settings)
to make sure it matches with the Enrollee's own address. However, since
there are deployed implementations that do not follow this interpretation
of the spec, only show the mismatch in debug information to avoid breaking
interoperability with existing devices.
This will need some additional code in wps_er_pbc() to handle PBC mode
enabling for a single AP only. For now, this can only be expected to work
when the ER is connected to a single AP.
UPnP device architecture specification requires all evented variables to
be included in the initial event message after subscription. Since this
can happen before we have seen any events, generated a dummy event
(WSC_ACK with all-zeros nonces) if needed.
This will notify control points of the services going away and allows
them to notice this without having to wait timeout on the
initial advertisements.
This removes following WFA WLANConfig Service actions and the related
state variables: GetAPSettings, SetAPSettings, DelAPSettings,
GetSTASettings, SetSTASettings, DelSTASettings, RebootAP,
ResetAP, RebootSTA, ResetSTA.
While WFA WLANConfig Service version 1.0 claims that some of these are
mandatory to implement for an AP, there are no known implementations
supporting these actions neither in an AP/proxy or an External Registrar
that would use them. These are unlikely to be supported in the future
either and as such, it is just simpler to get rid of them to clean up
the implementation and reduce code size.
When using UPnP transport, the Op-Code is not included, but the WPS
frame processing will need this. Generate a matching Op-Code based
on the message type.
Previously, WSC_MSG was hardcoded for every message from ER, but
this needs to be changed based on message type to send a valid
message to the Enrollee via EAP transport.
New PINs can now be added to WPS ER. This results in the ER code
using SetSelectedRegistrar to modify AP state so that Enrollees
will be able to notice the actice registrar more easily.
This keeps STA/Enrollee entries up to date and sets up registration
protocol session. M1 is processed and M2D generated, but the there
is no code yet to transmit the response back to the AP with
PutWLANResponse.
Always bring down the wlan interface, even when not changing the
BSSID, the interface also needs to be down for changing its type
from managed to AP mode.
The receive Probe Request and EAP-WSC notifications are now parsed
(including the TLVs in them) and contents is shown in the debug log.
Actual processing of the received information is still missing (TODO
comments indicate the needed functionality).
rand would be the address of rand() function and never NULL. The previous
version could have crashed on invalid AKA-AUTS command. Though, these
commands are only from hostapd which sends valid requests and as such,
the actual issue did not show up.
This is like wpa_msg(), but the output is directed only to
ctrl_interface listeners. In other words, the output will not be
shown on stdout or in syslog.
Change scan result reporting to use wpa_msg_ctrl() for
CTRL-EVENT-SCAN-RESULTS message at info level and wpa_printf() at
debug level to avoid showing scan result events in syslog in the
common configuration used with NetworkManager.
This adds code to start a HTTP server and to subscribe to UPnP events
from each discovered WPS AP. The event messages are received, but there
is not yet any code to actually parse the contents of the event.
Clean up code so that UPnP implementation does not need to include all
the HTTP functionality. In addition, make it easier to share HTTP server
functionality with other components in the future.
Instead of implementing HTTP client functionality inside
wps_upnp_event.c, use a generic HTTP client module to do this. The HTTP
client code can now be shared more easily for other purposes, too.
This is the first step in adding support for using wpa_supplicant as a
WPS External Registrar to manage APs over UPnP. Only the device
discovery part is implemented in this commit.
While the actual use here would be unlikely to be broken by any C
optimization, it is better to use explicit union construction to let
gcc know about the aliasing and avoid warnings from gcc 4.4.
gcc 4.4 ends up generating strict-aliasing warnings about some very common
networking socket uses that do not really result in a real problem and
cannot be easily avoided with union-based type-punning due to struct
definitions including another struct in system header files. To avoid having
to fully disable strict-aliasing warnings, provide a mechanism to hide the
typecast from aliasing for now. A cleaner solution will hopefully be found
in the future to handle these cases.
Though we have such a timeout when handling SetSelectedRegistrar UPnP
message from an external registrar, it looks like we don't have one when
the internal registrar is activated for PIN connection. Thus we set the
SelectedRegistrar flag when AP is activated for PIN connection but we
never reset it - not by some timeout, nor when registration succeeds.
This lead to situations where AP everlastingly declare that it is
activated for WPS PIN connection when in reality it is not.
Use the same timeout (and also success with PIN) to clear the selected
registrar flag when using internal registrar, too.
If PBC session overlap is detected during an ongoing PBC protocol run,
reject the run (if M8, i.e., credentials, have not yet been sent). This
provides a bit longer monitoring time at the Registrar for PBC mode to
catch some cases where two Enrollees in PBC mode try to enroll
credentials at about the same time.
This provides information about PBC mode result from the WPS Registrar
module. This could be used, e.g., to provide a user notification on the
AP UI on PBC failures.
If PBC session overlap is detected between button press on the registrar
and M1 is reception, report session overlap with the Config Error
attribute in M2D to the Enrollee.
This functionality fits better with src/tls (i.e., internal TLS
implementation), so move it there to make crypto_internal.c more
of a wrapper like other crypto_*.c files.
Private keys can now be used in either unencrypted or encrypted
PKCS #8 encoding. Only the pbeWithMD5AndDES-CBC algorithm (PKCS #5)
is currently supported.
Recognize the PEM header "BEGIN PRIVATE KEY" as base64-decode the data
to be able to use PEM encoded, unencrypted PKCS#8 private keys with the
internal TLS implementation. Previously, only DER encoding of the
PKCS#8 private key was supported.
OpenSSL 0.9.7 does not include get_rfc3526_prime_1536() function, so
provide that functionality internally if needed. In addition, make
sha256_vector() building depend on whether SHA256 support is included
in the OpenSSL library. This with CONFIG_INTERNAL_SHA256=y in .config
allows OpenSSL without SHA256 support to be used.
Both hostapd/wpa_supplicant compilation fails on DragonFly BSD.
This patch solves this issue.
I have tested only compilation. Not functionality.
Because I don't have any device which can work on DragonFly BSD.
mac80211 does not currently allow (re)authentication when we are already
authenticated. In order to work around this, force deauthentication if
nl80211 authentication command fails with EALREADY. Unfortunately, the
workaround code in driver_nl80211.c alone is not enough since the
following disconnection event would clear wpa_supplicant authentication
state. To handle this, add some code to restore authentication state
when using userspace SME.
This workaround will hopefully become unnecessary in some point should
mac80211 start accepting new authentication requests even when in
authenticated state.
Reorganize the TLS/crypto library segments into a single set of blocks
for each library instead of multiple locations handling library-specific
operations. Group crypto functionality together and get wpa_supplicant
and hostapd Makefile closer to eachother in order to make it easier to
eventually move this into a shared makefile.
Crypto library wrappers can now override the internal DH (group 5)
implementation. As a starting point, this is done with OpenSSL. The
new mechanism is currently available only for WPS (i.e., IKEv2 still
depends on the internal DH implementation).
Replace "nl80211: Ignored unknown event (cmd=33)" with
"nl80211: Scan trigger" to make debug output clearer. We do not
currently do anything with this event apart from showing it in
the debug log.
This allows NSS to be used to derive EAP-TLS/PEAP/TTLS keying material.
NSS requires a patch from
https://bugzilla.mozilla.org/show_bug.cgi?id=507359
to provide the new API. In addition, that patch needs to be modified to
add the 16-bit context length value in SSL_ExportKeyingMaterial() only if
contextlen != 0 in order to match with the EAP-TLS/PEAP/TTLS use cases.
This issue seems to be coming from the unfortunate incompatibility in
draft-ietf-tls-extractor-07.txt (draft-ietf-tls-extractor-00.txt would
have used compatible PRF construction).
At this point, it is unclear how this will be resolved eventually, but
anyway, this shows a mechanism that can be used to implement EAP key
derivation with NSS with a small patch to NSS.
This brings in the first step in adding support for using NSS
(Mozilla Network Security Services) as the crypto and TLS library
with wpa_supplicant. This version is able to run through EAP-PEAP
and EAP-TTLS authentication, but does not yet implement any
certificate/private key configuration. In addition, this does not
implement proper key fetching functions either, so the end result
is not really of much use in real world yet.
On DragonFly BSD, wired IEEE 802.1X fails with this message:
ioctl[SIOC{ADD/DEL}MULTI]: Invalid argument
This patch solves this issue.
I have tested with these:
OS : DragonFly BSD 2.4.0
EAP : EAP-TLS
Switch : Cisco Catalyst 2950
This reverts commit 5aa9cb5cca.
The nested key attribute is using different attribute values
(NL80211_KEY_* vs. NL80211_ATTR_KEY_*), so cannot share the same routine
for these purposes..
Current wpa_supplicant has a bug with WEP keys, it adds a zero-length
sequence counter field to netlink which the kernel doesn't accept.
Additionally, the kernel API slightly changed to accept keys only when
connected, so we need to send it the keys after that. For that to work
with shared key authentication, we also include the default WEP TX key
in the authentication command.
To upload the keys properly _after_ associating, add a new flag
WPA_DRIVER_FLAGS_SET_KEYS_AFTER_ASSOC_DONE indicating that the driver
needs the keys at that point and not earlier.
Commit 0b55b934ee broke this by not
initializing drv->ap = 1 in hostapd case since the mode updating
code ended up unlinking the socket file. Setting drv->ap = 1
removes the mode change and as such, unlinking of the socket file.
It is simpler to just build in all the test driver code regardless
of whether this is for hostapd or wpa_supplicant (which will eventually
get AP mode support with driver_test, too).
radius_server_encapsulate_eap() resets sess->eap->if->eap{Success,Fail}
to FALSE, such that the completion condition is never true.
The net effect is that completed sessions would linger for
RADIUS_SESSION_TIMEOUT seconds.
Signed-off-by: Alex Badea <vamposdecampos@gmail.com>
Previously, the default settings allowed 100 sessions in 60 seconds.
With this fix, the default limit is now 100 sessions per 10 seconds.
[Bug 329]
Store a copy of device attributes during WPS protocol run and make it
available for external programs via the control interface STA MIB
command for associated stations. This gives access to device name and
type which can be useful when showing user information about associated
stations.
wpa_supplicant can now reconfigure the AP by acting as an External
Registrar with the wps_reg command. Previously, this was only used
to fetch the current AP settings, but now the wps_reg command has
optional arguments which can be used to provide the new AP
configuration. When the new parameters are set, the WPS protocol run
is allowed to continue through M8 to reconfigure the AP instead of
stopping at M7.
This is an initial step in adding support for the new connect command.
For now, we just add the capability query. The actual use of the new
command will be added separately.
