Previous version assumed that the Flags field is always present and
ended up reading one octet past the end of the buffer should the Flags
field be missing. The message length would also be set incorrectly
(size_t)-1 or (size_t)-5, but it looks like reassembly code ended up
failing in malloc before actually using this huge length to read data.
RFC 2716 uses a somewhat unclear description on what exactly is included
in the TLS Ack message ("no data" can refer to either Data field in 4.1
or TLS Data field in 4.2), so in theory, it would be possible for some
implementations to not include Flags field. However,
EAP-{PEAP,TTLS,FAST} need the Flags field in Ack messages, too, for
indicating the used version.
The EAP peer code will now accept the no-Flags case as an Ack message if
EAP workarounds are enabled (which is the default behavior). If
workarounds are disabled, the message without Flags field will be
rejected.
[Bug 292]
There is not really much else the Authenticator can do if it does not
receive valid EAP response from the Supplicant/EAP peer. EAP-Failure
would need to be sent before trying to start again with
EAP-Request/Identity, but that is not allowed before the EAP peer
actually replies. Anyway, forcing a new association is likely to clean
up peer state, too, so it can help fixing some issues that could have
caused the peer not to be able to reply in the first place.
It looks like this never survived the move from IEEE 802.1X-2001 to
IEEE 802.1X-2004 and EAP state machine (RFC 4137). The retransmission
scheduling and control is now in EAP authenticator and the
calculateTimeout() producedure is used to determine timeout for
retransmission (either dynamic backoff or value from EAP method hint).
The recommended calculations based on SRTT and RTTVAR (RFC 2988) are not
yet implemented since there is no round-trip time measurement available
yet.
This should make EAP authentication much more robust in environments
where initial packets are lost for any reason. If the EAP method does
not provide a hint on timeout, default schedule of 3, 6, 12, 20, 20, 20,
... seconds will be used.
Previously, only the delivery option 1 from RFC 4284
(EAP-Request/Identity from the AP) was supported. Now option 3
(subsequent EAP-Request/Identity from RADIUS server) can also be used
when hostapd is used as a RADIUS server. The eap_user file will need to
have a Phase 1 user entry pointing to Identity method in order for this
to happen (e.g., "* Identity" in the end of the file). The identity hint
is configured in the same was as for AP/Authenticator case (eap_message
in hostapd.conf).
This commit changes just the name and Action category per D7.0. The
retransmit/timeout processing in the AP is not yet updated with the
changes in D7.0.
Some deployed WPS implementations fail to parse zero-length attributes.
As a workaround, send a null character if the device attribute string is
empty. This allows default values (empty strings) to be used without
interop issues.
Before this change, it looked like an AP that was using wsccmd did not
get activated since wsccmd left the Selected Registrar Config Methods
attribute to be zero. Since Device Password ID can be used to
distinguish PBC from any other method, use only it to figure out whether
PBC or PIN method is active.
It seems that for WPS registration we should use the same authentication
timeout as for ieee8021x, no? (See patch attached.) On slow platforms
public keys computation may take around 4-5 seconds (we actually stuck
on this issue).
Set ctrl_interface to non-empty value in INTERFACE_ADD to avoid
ctrl_iface.c assuming the control interface is not to be enabled. This
fixes the dynamically added interface to use control interface.
The NSIS installer will now add Windows registry entries for
wpa_supplicant during installation and removes them during
uninstallation. This allows wpa_gui to start wpasvc and add new
interfaces without requiring the user to do any manual registry
editing.
"Add interface" command in File menu can now be used to add a new
network interface to running wpa_supplicant (using INTERFACE_ADD control
interface command). In addition, the network interface is added into
Windows registry (with skip_on_error) for future use. This functionality
is currently enabled only for Windows builds. The user is also prompted
about the possibility of adding an interface if no interfaces are
enabled. This makes it easier to get started without having to touch
registry manually.
This can be used to include binding information for multiple interfaces
in Windows registry and only use the ones that match with an available
network interface.
The new INTERFACE_LIST global control interface command can be used to
request a list of all available network interfaces that could be used
with the enabled driver wrappers. This could be used to enable
interfaces automatically by external programs (e.g., wpa_gui).
Driver wrappers can now register global_init() and global_deinit()
driver_ops handlers to get a global data structure that can be shared
for all interfaces. This allows driver wrappers to initialize some
functionality (e.g., interface monitoring) before any interfaces have
been initialized.
UUID-E is not required to be present in Beacon frame, so we need to
accept scan results that do not have UUID-E as a valid PBC situation as
long as not more than one AP is in active PBC mode.
wpa_gui will now ask user whether the wpasvc service should be started
if it is not running. In addition, File menu has items for starting and
stopping the service.
Change association behavior to match with ap_scan=1 when WPS is used in
ap_scan=2 mode with wildcard SSID matching. In addition, allow hardcoded
BSSID to be used to select AP even if selected registrar attribute is
not present.
A separate cross compiler mkspecs file (win32-x-g++) is now used to
configure all build options so the setup-mingw-cross-compiling hack is
not needed anymore. Furthermore, the MinGW setup is now on path, so no
need to specify extra PATH changes for it.
This callback is now used to stop wpa_supplicant from trying to continue
using parameters (most likely, device password) that do not work in a
loop. In addition, wpa_gui can now notify user of failed registration.