Do not give the allocated memory to the subscription code since it was
not using it as-is anyway. This makes it easier to understand who owns
the allocation an is responsible of freeing it. This may potentially
fix some memory leaks on error paths.
The WPS 1.0h specification is quite unclear on what exactly should be
used as the MAC Address value in the Credential and AP Settings. It
looks like this should after all be the MAC Address of the Enrollee,
so change Registrar implementation to use that address instead of the
AP BSSID.
In addition, add validation code to the Enrollee implementation to
check the MAC Address value inside Credential (and also inside AP Settings)
to make sure it matches with the Enrollee's own address. However, since
there are deployed implementations that do not follow this interpretation
of the spec, only show the mismatch in debug information to avoid breaking
interoperability with existing devices.
This will need some additional code in wps_er_pbc() to handle PBC mode
enabling for a single AP only. For now, this can only be expected to work
when the ER is connected to a single AP.
UPnP device architecture specification requires all evented variables to
be included in the initial event message after subscription. Since this
can happen before we have seen any events, generated a dummy event
(WSC_ACK with all-zeros nonces) if needed.
This will notify control points of the services going away and allows
them to notice this without having to wait timeout on the
initial advertisements.
This removes following WFA WLANConfig Service actions and the related
state variables: GetAPSettings, SetAPSettings, DelAPSettings,
GetSTASettings, SetSTASettings, DelSTASettings, RebootAP,
ResetAP, RebootSTA, ResetSTA.
While WFA WLANConfig Service version 1.0 claims that some of these are
mandatory to implement for an AP, there are no known implementations
supporting these actions neither in an AP/proxy or an External Registrar
that would use them. These are unlikely to be supported in the future
either and as such, it is just simpler to get rid of them to clean up
the implementation and reduce code size.
When using UPnP transport, the Op-Code is not included, but the WPS
frame processing will need this. Generate a matching Op-Code based
on the message type.
Previously, WSC_MSG was hardcoded for every message from ER, but
this needs to be changed based on message type to send a valid
message to the Enrollee via EAP transport.
New PINs can now be added to WPS ER. This results in the ER code
using SetSelectedRegistrar to modify AP state so that Enrollees
will be able to notice the actice registrar more easily.
This keeps STA/Enrollee entries up to date and sets up registration
protocol session. M1 is processed and M2D generated, but the there
is no code yet to transmit the response back to the AP with
PutWLANResponse.
Always bring down the wlan interface, even when not changing the
BSSID, the interface also needs to be down for changing its type
from managed to AP mode.
The receive Probe Request and EAP-WSC notifications are now parsed
(including the TLVs in them) and contents is shown in the debug log.
Actual processing of the received information is still missing (TODO
comments indicate the needed functionality).
rand would be the address of rand() function and never NULL. The previous
version could have crashed on invalid AKA-AUTS command. Though, these
commands are only from hostapd which sends valid requests and as such,
the actual issue did not show up.
This is like wpa_msg(), but the output is directed only to
ctrl_interface listeners. In other words, the output will not be
shown on stdout or in syslog.
Change scan result reporting to use wpa_msg_ctrl() for
CTRL-EVENT-SCAN-RESULTS message at info level and wpa_printf() at
debug level to avoid showing scan result events in syslog in the
common configuration used with NetworkManager.
This adds code to start a HTTP server and to subscribe to UPnP events
from each discovered WPS AP. The event messages are received, but there
is not yet any code to actually parse the contents of the event.
Clean up code so that UPnP implementation does not need to include all
the HTTP functionality. In addition, make it easier to share HTTP server
functionality with other components in the future.
Instead of implementing HTTP client functionality inside
wps_upnp_event.c, use a generic HTTP client module to do this. The HTTP
client code can now be shared more easily for other purposes, too.
This is the first step in adding support for using wpa_supplicant as a
WPS External Registrar to manage APs over UPnP. Only the device
discovery part is implemented in this commit.
While the actual use here would be unlikely to be broken by any C
optimization, it is better to use explicit union construction to let
gcc know about the aliasing and avoid warnings from gcc 4.4.
gcc 4.4 ends up generating strict-aliasing warnings about some very common
networking socket uses that do not really result in a real problem and
cannot be easily avoided with union-based type-punning due to struct
definitions including another struct in system header files. To avoid having
to fully disable strict-aliasing warnings, provide a mechanism to hide the
typecast from aliasing for now. A cleaner solution will hopefully be found
in the future to handle these cases.
Though we have such a timeout when handling SetSelectedRegistrar UPnP
message from an external registrar, it looks like we don't have one when
the internal registrar is activated for PIN connection. Thus we set the
SelectedRegistrar flag when AP is activated for PIN connection but we
never reset it - not by some timeout, nor when registration succeeds.
This lead to situations where AP everlastingly declare that it is
activated for WPS PIN connection when in reality it is not.
Use the same timeout (and also success with PIN) to clear the selected
registrar flag when using internal registrar, too.
If PBC session overlap is detected during an ongoing PBC protocol run,
reject the run (if M8, i.e., credentials, have not yet been sent). This
provides a bit longer monitoring time at the Registrar for PBC mode to
catch some cases where two Enrollees in PBC mode try to enroll
credentials at about the same time.
This provides information about PBC mode result from the WPS Registrar
module. This could be used, e.g., to provide a user notification on the
AP UI on PBC failures.
If PBC session overlap is detected between button press on the registrar
and M1 is reception, report session overlap with the Config Error
attribute in M2D to the Enrollee.
This functionality fits better with src/tls (i.e., internal TLS
implementation), so move it there to make crypto_internal.c more
of a wrapper like other crypto_*.c files.
Private keys can now be used in either unencrypted or encrypted
PKCS #8 encoding. Only the pbeWithMD5AndDES-CBC algorithm (PKCS #5)
is currently supported.
Recognize the PEM header "BEGIN PRIVATE KEY" as base64-decode the data
to be able to use PEM encoded, unencrypted PKCS#8 private keys with the
internal TLS implementation. Previously, only DER encoding of the
PKCS#8 private key was supported.
OpenSSL 0.9.7 does not include get_rfc3526_prime_1536() function, so
provide that functionality internally if needed. In addition, make
sha256_vector() building depend on whether SHA256 support is included
in the OpenSSL library. This with CONFIG_INTERNAL_SHA256=y in .config
allows OpenSSL without SHA256 support to be used.
Both hostapd/wpa_supplicant compilation fails on DragonFly BSD.
This patch solves this issue.
I have tested only compilation. Not functionality.
Because I don't have any device which can work on DragonFly BSD.
mac80211 does not currently allow (re)authentication when we are already
authenticated. In order to work around this, force deauthentication if
nl80211 authentication command fails with EALREADY. Unfortunately, the
workaround code in driver_nl80211.c alone is not enough since the
following disconnection event would clear wpa_supplicant authentication
state. To handle this, add some code to restore authentication state
when using userspace SME.
This workaround will hopefully become unnecessary in some point should
mac80211 start accepting new authentication requests even when in
authenticated state.
Reorganize the TLS/crypto library segments into a single set of blocks
for each library instead of multiple locations handling library-specific
operations. Group crypto functionality together and get wpa_supplicant
and hostapd Makefile closer to eachother in order to make it easier to
eventually move this into a shared makefile.
Crypto library wrappers can now override the internal DH (group 5)
implementation. As a starting point, this is done with OpenSSL. The
new mechanism is currently available only for WPS (i.e., IKEv2 still
depends on the internal DH implementation).
Replace "nl80211: Ignored unknown event (cmd=33)" with
"nl80211: Scan trigger" to make debug output clearer. We do not
currently do anything with this event apart from showing it in
the debug log.
This allows NSS to be used to derive EAP-TLS/PEAP/TTLS keying material.
NSS requires a patch from
https://bugzilla.mozilla.org/show_bug.cgi?id=507359
to provide the new API. In addition, that patch needs to be modified to
add the 16-bit context length value in SSL_ExportKeyingMaterial() only if
contextlen != 0 in order to match with the EAP-TLS/PEAP/TTLS use cases.
This issue seems to be coming from the unfortunate incompatibility in
draft-ietf-tls-extractor-07.txt (draft-ietf-tls-extractor-00.txt would
have used compatible PRF construction).
At this point, it is unclear how this will be resolved eventually, but
anyway, this shows a mechanism that can be used to implement EAP key
derivation with NSS with a small patch to NSS.
This brings in the first step in adding support for using NSS
(Mozilla Network Security Services) as the crypto and TLS library
with wpa_supplicant. This version is able to run through EAP-PEAP
and EAP-TTLS authentication, but does not yet implement any
certificate/private key configuration. In addition, this does not
implement proper key fetching functions either, so the end result
is not really of much use in real world yet.
On DragonFly BSD, wired IEEE 802.1X fails with this message:
ioctl[SIOC{ADD/DEL}MULTI]: Invalid argument
This patch solves this issue.
I have tested with these:
OS : DragonFly BSD 2.4.0
EAP : EAP-TLS
Switch : Cisco Catalyst 2950
This reverts commit 5aa9cb5cca.
The nested key attribute is using different attribute values
(NL80211_KEY_* vs. NL80211_ATTR_KEY_*), so cannot share the same routine
for these purposes..
Current wpa_supplicant has a bug with WEP keys, it adds a zero-length
sequence counter field to netlink which the kernel doesn't accept.
Additionally, the kernel API slightly changed to accept keys only when
connected, so we need to send it the keys after that. For that to work
with shared key authentication, we also include the default WEP TX key
in the authentication command.
To upload the keys properly _after_ associating, add a new flag
WPA_DRIVER_FLAGS_SET_KEYS_AFTER_ASSOC_DONE indicating that the driver
needs the keys at that point and not earlier.
Commit 0b55b934ee broke this by not
initializing drv->ap = 1 in hostapd case since the mode updating
code ended up unlinking the socket file. Setting drv->ap = 1
removes the mode change and as such, unlinking of the socket file.
It is simpler to just build in all the test driver code regardless
of whether this is for hostapd or wpa_supplicant (which will eventually
get AP mode support with driver_test, too).
radius_server_encapsulate_eap() resets sess->eap->if->eap{Success,Fail}
to FALSE, such that the completion condition is never true.
The net effect is that completed sessions would linger for
RADIUS_SESSION_TIMEOUT seconds.
Signed-off-by: Alex Badea <vamposdecampos@gmail.com>
Previously, the default settings allowed 100 sessions in 60 seconds.
With this fix, the default limit is now 100 sessions per 10 seconds.
[Bug 329]
Store a copy of device attributes during WPS protocol run and make it
available for external programs via the control interface STA MIB
command for associated stations. This gives access to device name and
type which can be useful when showing user information about associated
stations.
