Commit graph

14902 commits

Author SHA1 Message Date
Jouni Malinen
74bd7dae63 Use SM_ENTER_GLOBAL to clean up EAPOL state machine debug messages
This removes unnecessary messages about entering REAUTH_TIMER INITIALIZE
state every second when a STA is in unauthenticated state.
2008-11-23 11:01:28 +02:00
Jouni Malinen
b1fa8bf129 Allocate new Acct-Session-Id on EAPOL-Logoff
Stop accounting session on EAPOL-Logoff and use new Acct-Session-Id if
STA authenticates again within same association after this.
2008-11-23 10:47:36 +02:00
Jouni Malinen
39e50be082 Fixed listen interval configuration for nl80211 drivers
Need to update the struct sta_info value, too, and not only the local
variable used in handle_assoc()..
2008-11-22 21:20:27 +02:00
Jouni Malinen
a532c108bd Add more verbose debug output for GSM-Milenage use (RAND,SRES,Kc) 2008-11-22 14:06:58 +02:00
Jouni Malinen
fe2c5241b5 Remove experimental non-AP STA code from hostapd
This was used to allow hostapd to associate as a non-AP STA to another
AP one the same channel while still acting as an AP with the Host AP
driver. This was very experimental and did not work with all firmware
versions. Nowadays, much better way of doing this is to use mac80211
virtual non-AP STA interface. As such, this experimental code can be
removed from hostapd to reduce the code size and make MLME code easier
to understand since it is now only handling AP functionality.
2008-11-21 20:48:58 +02:00
Jouni Malinen
ddaa83ebeb Remove overly complex hostapd setup sequence with n+1 callbacks
This code was originally added as a mechanism to handle long waits
during channel selection and/or radar detection. It is not currently
really used and makes the setup sequence nearly impossible to
understand. Let's get rid of the unwanted complexity. This needs to be
redesigned if it is ever needed again.
2008-11-21 20:39:33 +02:00
Jouni Malinen
2387b8c0b0 Removed forgotten register_drivers() prototype
Driver registration style was changed long time ago and this is not used
anymore.
2008-11-21 19:51:06 +02:00
Jouni Malinen
d52e94f965 Removed partial IEEE 802.11h implementation
This code was not finished and did not work with the current mac80211
design. In order to avoid confusing users, it is better to remove this
completely for now and look at new implementation to work with mac80211.
2008-11-21 19:45:20 +02:00
Jouni Malinen
d337b6fb65 Removed now unused reconfig variables. 2008-11-21 19:31:54 +02:00
Jouni Malinen
fb6d357532 reconfig.c file was not used at all, so remove it.
This implementation of reconfiguration is way too complex. Something
simpler should be implemented to allow dynamic configuration changes.
2008-11-21 19:28:45 +02:00
Jouni Malinen
2bf6a16780 Added an attribution based on the original SSLeay license for OpenSSL. 2008-11-21 15:54:35 +02:00
Jouni Malinen
477df071d7 Fixed hostapd build without l2_packet (e.g., RADIUS server only). 2008-11-21 15:44:00 +02:00
Jouni Malinen
1ac2d4a9ee Fixed canceling of PMKSA caching with driver generated RSN IE
It looks like some Windows NDIS drivers (e.g., Intel) do not clear the
PMKID list even when wpa_supplicant explicitly sets the list to be
empty. In such a case, the driver ends up trying to use PMKSA caching
with the AP and wpa_supplicant may not have the PMK that would be needed
to complete 4-way handshake.

RSN processing already had some code for aborting PMKSA caching by
sending EAPOL-Start. However, this was not triggered in this particular
case where the driver generates the RSN IE. With this change, this case
is included, too, and the failed PMKSA caching attempt is cleanly
canceled and wpa_supplicant can fall back to full EAP authentication.
2008-11-21 15:31:25 +02:00
Jouni Malinen
76e6f26a94 Remove the unwanted Windows console from the Windows binary version of wpa_gui 2008-11-21 14:26:11 +02:00
Jouni Malinen
3b14fb0cab Silence printf() calls in wpa_gui to avoid stdout output from a GUI program 2008-11-21 14:05:37 +02:00
Jouni Malinen
8038591be2 wpa_gui: Add a PNG version of the tray icon for Windows binary build
It looks like Qt does not support SVG format by default on Windows and
it was not trivial to add the plugin into the build, so for now, build a
16x16 PNG icon file for Windows binary to avoid showing an invisible
icon in the tray.
2008-11-21 13:58:12 +02:00
Jouni Malinen
012783f1ab Fixed EAP-TLS message fragmentation for the last TLS message
It the message was large enough to require fragmentation (e.g., if a large
Session Ticket data is included), More Fragment flag was set, but no
more fragments were actually sent (i.e., Access-Accept was sent out).
2008-11-20 19:39:35 +02:00
Jouni Malinen
f32fe71a1f Fixed Milenage debug output to use correct length for IK and CK 2008-11-20 15:45:31 +02:00
Jouni Malinen
6cd4f02b03 Fixed EAPA-AKA warning message about AT_RES length to use bits 2008-11-20 15:23:51 +02:00
Jouni Malinen
c31a11c962 Changed PEAPv0 cryptobinding to be disabled by default
There are some interoperability issues with Windows Server 2008 NPS, so
better disable cryptobinding use by default for now.
2008-11-20 12:49:34 +02:00
Jouni Malinen
bd1d13c199 Fixed size_t printf format for 64-bit builds 2008-11-19 21:21:34 +02:00
Jouke Witteveen
ea6380e7c9 Fixed a bug in read -> _read cleanup; one missed change 2008-11-19 21:20:24 +02:00
Jouni Malinen
2d981c2fd0 EAP-PEAP: Copy Binding nonce from cryptobinding request to reply
It looks like [MS-PEAP] 3.2.5.6 points towards this being the expected
behavior (however, that chapter is very confusing).

In addition, remove Cryptobinding TLV from response if the received
Cryptobinding TLV is not valid. Add some more debug messages to the case
where the received Cryptobinding TLV is found invalid.
2008-11-19 19:25:14 +02:00
Carolin Latze
98842d51ec Separate OpenSSL engine configuration for Phase 2
I fixed the engine issue in phase2 of EAP-TTLS. The problem was that you
only defined one engine variable, which was read already in phase1. I
defined some new variables:

engine2
engine2_id
pin2

and added support to read those in phase2 wheres all the engine
variables without number are only read in phase1. That solved it and I
am now able to use an engine also in EAP-TTLS phase2.
2008-11-18 16:53:32 +02:00
Jouni Malinen
9ef21b2fef roboswitch: Minor coding style cleanup 2008-11-18 16:35:08 +02:00
Jouke Witteveen
e519314ee9 Add RoboSwitch driver interface for wpa_supplicant
Find attached the patch that creates a new driver: roboswitch. This
driver adds support for wired authentication with a Broadcom
RoboSwitch chipset. For example it is now possible to do wired
authentication with a Linksys WRT54G router running OpenWRT.

LIMITATIONS
- At the moment the driver does not support the BCM5365 series (though
adding it requires just some register tweaks).
- The driver is also limited to Linux (this is a far more technical
restriction).
- In order to compile against a 2.4 series you need to edit
include/linux/mii.h and change all references to "u16" in "__u16". I
have submitted a patch upstream that will fix this in a future version
of the 2.4 kernel. [These modifications (and more) are now included in
the kernel source and can be found in versions 2.4.37-rc2 and up.]

USAGE
- Usage is similar to the wired driver. Choose the interfacename of
the vlan that contains your desired authentication port on the router.
This name must be formatted as <interface>.<vlan>, which is the
default on all systems I know.
2008-11-18 16:30:32 +02:00
Jouni Malinen
cd35db9fef Updated userspace MLME instructions for current mac80211
Remove the old code from driver_wext.c since the private ioctl interface is
never going to be used with mac80211. driver_nl80211.c has an
implementation than can be used with mac80211 (with two external patches to
enable userspace MLME configuration are still required, though).
2008-11-18 15:45:25 +02:00
Jouni Malinen
bac912e5bd Remove extra typedefs since they do not seem to be needed anymore
These typedefs were causing build issues with new kernel/C library headers,
so lets get rid of them since they do not seem to be needed anymore. This
applies only if CONFIG_FULL_DYNAMIC_VLAN is enabled which is not even
mentioned in the defconfig file, so this should not change behavior more
most users.
2008-11-18 15:06:03 +02:00
Jouni Malinen
ba60b94a40 Improved the error message for passive scan not being available
If the driver wrapper does not implement passive_scan handler, do not try
to use strerror() to figure out what the error meant. This is not really an
error that the user should be notified about.
2008-11-18 15:01:24 +02:00
Jouni Malinen
9ee06a63e5 driver_nl80211: Remove monitor interface if AP initialization fails 2008-11-18 14:55:32 +02:00
Jouni Malinen
10b83bd712 Changed channel flags configuration to read the information from the driver
(e.g., via driver_nl80211 when using mac80211) instead of using hostapd as
the source of the regulatory information (i.e., information from CRDA is
now used with mac80211); this allows 5 GHz channels to be used with hostapd
(if allowed in the current regulatory domain).
2008-11-18 14:51:43 +02:00
Jouni Malinen
0cf03892a4 OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API
Updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore).
2008-11-16 21:29:12 +02:00
Jouni Malinen
1e8b9d2889 Updated interop results for ACS 4.2 2008-11-16 11:30:34 +02:00
Jouni Malinen
ea251b4a23 EAP-FAST: Reorder TLVs in PAC Acknowledgment to fix interop issues
It looks like ACS did not like PAC Acknowledgment TLV before Result TLV, so
reorder the TLVs to match the order shown in a
draft-cam-winget-eap-fast-provisioning-09.txt example. This allows
authenticated provisioning to be terminated with Access-Accept (if ACS has
that option enabled). Previously, provisioning was otherwise successful,
but the server rejected connection due to not understanding the PAC Ack
("Invalid TEAP Data recieved").
2008-11-16 11:10:29 +02:00
Jouni Malinen
1b554eb0d7 Modified the OpenSSL patch to use session ticket -specific function
This is the first step in replacing SSL_set_hello_extension() with a new
SSL_set_session_ticket_ext() function that can only be used to override the
session ticket extension, not any arbitrary TLS extension.

SSL_set_hello_extension() is still present as a simple wrapper in this
version to avoid changing the API and to make testing with wpa_supplicant
and hostapd easier. It can be eventually removed when the patch is going in
into OpenSSL distribution.
2008-11-12 06:15:27 +02:00
Jouni Malinen
d13c05cafb Updated indentation in the patch to match style used elsewhere in OpenSSL 2008-11-12 05:06:03 +02:00
Kel Modderman
efd59c96d7 wpa_gui-qt4: tweak icon Makefile
Output the xpm icons in more convenient location.

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-11-11 17:41:19 +02:00
Martin Michlmayr
65db6cad23 wpa_gui-qt4: FTBFS with GCC 4.4: missing #include
GCC 4.4 cleaned up some more C++ headers.  You always have to #include
headers directly and cannot rely for things to be included indirectly.

> g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DCONFIG_CTRL_IFACE
-DCONFIG_CTRL_IFACE_UNIX -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED
-I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore
-I/usr/include/qt4/QtCore -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtGui
-I/usr/include/qt4 -I. -I.. -I../../src/utils -I../../src/common -I.moc -I.ui -o
.obj/wpagui.o wpagui.cpp
> wpagui.cpp: In constructor 'WpaGui::WpaGui(QWidget*, const char*,
Qt::WFlags)':
> wpagui.cpp:98: error: 'printf' was not declared in this scope

From: Martin Michlmayr <tbm@cyrius.com>
Bug:  http://bugs.debian.org/505041

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-11-11 17:36:37 +02:00
Jouni Malinen
46690a3b9b Added an optional mitigation mechanism for certain attacks against TKIP by
delaying Michael MIC error reports by a random amount of time between 0 and
60 seconds if multiple Michael MIC failures are detected with the same PTK
(i.e., the Authenticator does not rekey PTK on first failure report). This
is disabled by default and can be enabled with a build option
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config.

This may help in making a chopchop attack take much longer time by forcing
the attacker to wait 60 seconds before knowing whether a modified frame
resulted in a MIC failure.
2008-11-08 04:43:12 +02:00
Jouni Malinen
6982784e20 EAP-SIM/AKA: fixed initialization to verify PIN even if identity is set
Previously, hardcoded identity in the network configuration skipped both
IMSI reading and PIN verification. This broke cases where PIN is needed for
GSM/UMTS authentication. Now, only IMSI reading is skipped if identity is
hardcoded.
2008-11-07 20:09:44 +02:00
Jouni Malinen
04a5bad682 EAP-AKA: Validate RES Length field in AT_RES
This change breaks interoperability with older wpa_supplicant versions
(everything up to and including wpa_supplicant 0.5.10 and 0.6.5) which
incorrectly used this field as number of bytes, not bits, in RES.
2008-11-07 08:34:07 +02:00
Jouni Malinen
fa71a1d84a Fixed EAP-AKA RES Length field in AT_RES as length in bits, not bytes 2008-11-07 08:30:34 +02:00
Jouni Malinen
36100718de EAP-FAST server: allow expired PAC for PAC refresh
Instead of falling back to full TLS handshake on expired PAC, allow the
PAC to be used to allow a PAC update with some level of server
authentication (i.e., do not fall back to full TLS handshake since we
cannot be sure that the peer would be able to validate server certificate
now). However, reject the authentication since the PAC was not valid
anymore. Peer can connect again with the newly provisioned PAC after this.
2008-11-06 22:57:09 +02:00
Jouni Malinen
39452b4deb EAP-FAST: Include Tunnel PAC request only after EAP authentication 2008-11-06 21:07:53 +02:00
Jouni Malinen
581a8cde77 Added support for enforcing frequent PTK rekeying
Added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP
deficiencies. This can be set either by the Authenticator (to initiate
periodic 4-way handshake to rekey PTK) or by the Supplicant (to request
Authenticator to rekey PTK).

With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP
keys will not be used for more than 10 minutes which may make some attacks
against TKIP more difficult to implement.
2008-11-06 19:57:21 +02:00
Jouni Malinen
81eec387dd Added Milenage-GSM simulator for EAP-SIM
CONFIG_SIM_SIMULATOR=y in .config and password="Ki:OPc" in network config
to enable.
2008-11-06 04:21:32 +02:00
Jouni Malinen
31cbe002c9 driver_ndis: Added a workaround for a driver that removes SSID IE in scan
A driver was found to remove SSID IE from NDIS_WLAN_BSSID_EX IEs, but the
correct SSID is included in NDIS_802_11_SSID structure inside the BSSID
data. If this is seen in scan results, create a matching SSID IE and add it
to the end of IEs to fix scan result parsing.
2008-11-05 23:44:26 +02:00
Jouni Malinen
2a24bb3199 Added Milenage USIM emulator for EAP-AKA (can be used to simulate test
USIM card with a known private key; enable with CONFIG_USIM_SIMULATOR in
.config and password="Ki:OPc:SQN" in network configuration).
2008-11-05 23:02:13 +02:00
Jouni Malinen
988ab690ac Preparations for 0.6.5 release 2008-11-01 17:20:25 +02:00
Jouni Malinen
ac987fb7de Fixed fwrite error path in eap_fast_write_pac not to free buf
Caller expects the buffer to be allocated on error, so eap_fast_write_pac()
must be consistent with its behavior on error paths.
2008-11-01 17:09:28 +02:00