Commit graph

7628 commits

Author SHA1 Message Date
Jouni Malinen
00468b4650 Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.

The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR

In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.

Authentication server probing can be done, e.g., with following
configuration options:
    eap=TTLS PEAP TLS
    identity=""
    ca_cert="probe://"

Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Server certificate matching is configured with ca_cert, e.g.:
    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
2010-02-13 11:14:23 +02:00
Jouni Malinen
c7d711609b Fix memory leak on TLS setup error path
Need tof free TLS context in some cases to avoid a memory leak
on error path.
2010-02-13 10:19:41 +02:00
Jouni Malinen
2e06e9dd6f Fix TLS in/out buffer freeing
The previous version could end leaking memory since os_free() was used
instead of wpabuf_free(). In addition, this could potentially have
triggered a crash if the TLS context were being freed when pending
input data where still in the buffer (though, this may not be possible
to trigger in practice).
2010-02-12 21:13:51 +02:00
Jouni Malinen
cf123d7f4c OpenSSL: Fix tls_init(NULL) with FIPS-enabled build
The conf argument to tls_init() may be NULL (as it is when using
hostapd), so we must check that here before dereferencing the
pointer.
2010-02-12 20:51:10 +02:00
Jouni Malinen
e0b3b3cb77 WPS: Fix AP operation with internal Registrar when ER is also active
Ignore the pending WPS message from ER (PutWLANReseponse action) if the
internal Registrar has already sent out M2.
2010-02-12 12:38:14 +02:00
Jouni Malinen
7796f20edc Add new ctrl_iface event for EAP methods proposed by the server
This makes it easier for external programs to probe EAP server
preferences and potentially automatically detect which method
could be used.
2010-02-11 19:48:36 +02:00
Jouni Malinen
e748062b58 nl80211: Do not try to remove non-existing STA WDS interface
This removes confusing error messages from the default (no WDS) case.
2010-02-10 11:29:53 +02:00
Jouni Malinen
aba7569ec8 driver_bsd: Fix build without SIOCS80211CHANNEL
At least FreeBSD 7 does not seem to define this and failed to build
after the previous changes.
2010-02-08 21:41:51 +02:00
Masashi Honma
42f34a9b41 driver_bsd.c: Enable AP mode wpa_supplicant 2010-02-08 21:33:59 +02:00
Masashi Honma
d373725686 driver_bsd: Clean up EAPOL frame transmission code
The bsd_send_eapol() adds Ethernet header by itself. This patch changes it
to use l2_packet functionality.

I have tested on NetBSD 5.0.1 with WPA-PSK(TKIP).
2010-02-08 21:28:59 +02:00
Masashi Honma
719196b159 driver_bsd.c: Reduce code duplication (setkey)
This patch reduces code duplication between hostapd and wpa_supplicant
for IEEE80211_IOC_WPAKEY.
2010-02-08 21:25:18 +02:00
Masashi Honma
60bc30333c driver_bsd.c: Reduce code duplication (ifflag)
This patch reduces code duplication between hostapd and wpa_supplicant
for SIOC[GS]IFFLAGS.
2010-02-08 21:23:28 +02:00
Masashi Honma
fa6b8afe6f driver_bsd.c: Reduce code duplication (MLME)
This patch reduces code duplication between hostapd and wpa_supplicant
about IEEE80211_IOC_MLME. This is a preparation for AP mode
wpa_supplicant.
2010-02-08 21:21:23 +02:00
Masashi Honma
cbdecd2b0d driver_bsd.c: Reduce code duplication (DELKEY)
This patch reduces code duplication between hostapd and wpa_supplicant
about IEEE80211_IOC_DELKEY. This is a preparation for AP mode
wpa_supplicant. This is a patch to
http://lists.shmoo.com/pipermail/hostap/2010-January/021030.html.
2010-02-08 21:18:09 +02:00
Masashi Honma
5197244a04 bsd: Enable auto configuration
On NetBSD, we should configure some parameters manually out of hostapd
like below.

  ifconfig ath0 mediaopt hostap
  ifconfig ath0 mode 11g
  ifconfig ath0 chan 6

This patch does these automatically. Maybe there will be some
objections, like "hardware configuration is not hostapd/wpa_supplican's
work". So I will write the reasons why I made this patch.

1. For usability.
2. The first command fails when previous state is adhoc. This patch is
free from previous state.
3. Some driver wrappers configure these automatically (like nl80211).
4. I have wasted time trying to find out these command were needed :(
2010-02-08 21:14:22 +02:00
Masashi Honma
82f36163ac driver_bsd.c: Use os_free() instead of free()
This patch replaces some free() with os_free() when the memory was
allocated by os_*().
2010-02-08 21:11:52 +02:00
Hamish Guthrie
79e4140c61 driver_ps3: Remove legacy ps3 wpa driver
The ps3 wireless kernel driver has wireless extension support.
There is a legacy wpa_supplicant driver, and support for this
has been removed from the kernel driver, as no distributions
are using it.
2010-02-08 21:08:54 +02:00
Jouni Malinen
c5674000a3 wpa_gui-qt4: Stop BSS fetch loop on error for Peers dialog
There is no need to continue the loop until the 1000 max BSS limit
if a BSS command fails.
2010-01-24 18:42:45 -08:00
Jouni Malinen
48563d86b2 Try to avoid some unnecessary roaming
When multiple APs are present in scan results with similar signal
strength, wpa_supplicant may end up bounching between them frequently
whenever new scan results are available (e.g., due to periodic scans
requested by NetworkManager). This can result in unnecessary roaming
and in case of the current cfg80211 version, to frequent network
disconnections.

Do not request a roam if the current BSS is still present in the scan
results and the selected BSS is in the same ESS and has only a slighly
stronger signal strength.
2010-01-24 18:19:50 -08:00
Jouni Malinen
8856462d61 nl80211: Dump scan results in debug log if association command fails
This may help in debugging why cfg80211 refused the association
command since the scan results should include information about all
pending authentication and association states.
2010-01-24 18:11:30 -08:00
Jouni Malinen
b85e772449 SME: Request a new scan if SME association command fails
This handles some error cases without getting stuck waiting for new
events from the driver if association command fails for any reason.
2010-01-24 18:09:36 -08:00
Jouni Malinen
582507be85 nl80211: Clear cfg80211 authentication data for old entries
cfg80211 has a limit on pending authentications, so we better clear
the entries that we do not care about to avoid hitting the limit
when roaming between multiple APs.
2010-01-24 18:07:34 -08:00
Christian Lamparter
43a7fe2e0e ap: Reorder authsrv_init() to fix IEEE 802.1X initialization
This patch moves the authentication server setup before
IEEE 802.1X initialization. It's because 802.1X already
needs to have a valid SSL context.

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
2010-01-17 12:14:17 +02:00
Jouni Malinen
dff0f701d0 Preparations for v0.7.1 release 2010-01-16 19:04:38 +02:00
Jouni Malinen
3e674c063c Update VS 2005 project files with new/removed source files 2010-01-16 18:49:17 +02:00
Jouni Malinen
de1b2d143a Make sure the resutl from readlink is properly null terminated 2010-01-16 17:19:06 +02:00
Witold Sowa
7899e2f42d dbus: Change WPA/RSNIE byte array props to dicts
Expose RSN and WPA properties for BSS objects containing information
about key management and cipher suites. Get rid of WPA/RSN/WPSIE
byte array properties and add IEs byte array property with all IE data
instead.
2010-01-16 16:37:37 +02:00
Jouni Malinen
8c0906542c Fetch IEs from both Beacon and Probe Response frames if available
This allows the driver wrappers to return two sets of IEs, so that
the BSS code can use information from both Beacon and Probe Response
frames if needed. For example, some Cisco APs seem to include more
information in Wireless Provisioning Services IE when it is in the
Beacon frame.
2010-01-16 16:11:05 +02:00
Jouni Malinen
94627f6cc8 hostapd: Detect bridge interface automatically
This makes the bridge parameter unnecessary for cases where the interface
is already in a bridge and sysfs is mounted to /sys so that the detection
code works.

For nl80211, the bridge parameter can be used to request the AP
interface to be added to the bridge automatically (brctl may refuse to
do this before hostapd has been started to change the interface mode).
If needed, the bridge interface is also created.
2010-01-16 15:19:58 +02:00
Jouni Malinen
d455d0806e driver_test: Learn scan result channel from DS Params IE 2010-01-16 12:26:03 +02:00
Jouni Malinen
c35faef51a driver_test: Initialize bss_ctx based on drv->ctx for new BSS interfaces
This is needed with wpa_supplicant to get the correct context pointer
for a virtual BSS interface.
2010-01-16 12:24:31 +02:00
Jouni Malinen
37b776eac1 driver_test: Add support for per-SSID scans for non-MLME case 2010-01-16 12:23:39 +02:00
Jouni Malinen
af47308823 Add deinit_ap driver op to help wpa_supplicant AP mode use 2010-01-16 12:20:51 +02:00
Jouni Malinen
e882899981 Add BSSID to TX/RX Action frame driver ops
This meets better the needs for various Public Action frame use cases.
2010-01-16 12:16:20 +02:00
Jouni Malinen
4e5cb1a366 Add driver op for disabling 802.11b rates 2010-01-16 12:11:19 +02:00
Jouni Malinen
ae58592894 Sync with wireless-testing.git linux/nl80211.h 2010-01-16 12:06:42 +02:00
Masashi Honma
11386396cc driver_bsd.c: Clean up EAPOL frame transmission code
The bsd_send_eapol() prepares 3000 bytes buffer for every EAPOL
frame transmission. I think malloc() is better way for efficient
memory use.
2010-01-16 11:47:05 +02:00
Jouni Malinen
73b217570c Fix linking of nt_password_hash
Need to use conditional linking of some crypto functionality and add
couple of additional object files. [Bug 343]
2010-01-16 10:38:53 +02:00
Jouni Malinen
a2e4f66edc Remove completed to-do item 2010-01-16 09:44:41 +02:00
Jouni Malinen
b590812e8f Add preliminary documentation for ctrl_iface events 2010-01-15 19:24:08 +02:00
Jouni Malinen
3145e6154c wext: Add cfg80211-specific optimization to avoid silly behavior
If the driver is detected to use cfg80211, we can rely on it being able
to disconnect with SIOCSIWMLME commands and to use empty SSID as a way
to stop it from associating when we are in progress of configuring the
driver for association. Consequently, we can remove the hack that uses
random 32-octet SSID to force disconnection and re-order association
commands to match the expectations that cfg80211 has for WEXT ioctls.
This gets rid of extra scan rounds and attempts to associate with the
silly 32-octet SSID.
2010-01-12 20:01:09 +02:00
Jouni Malinen
b0d77f43f7 Preparations for 0.6.10 release 2010-01-12 18:31:56 +02:00
Jouni Malinen
20766f2007 Make wpa_bss_get_max_rate() a bit more readable with a local variable 2010-01-10 22:53:36 +02:00
Jouni Malinen
f5455a2dbd Verify that os_get_random() success for SA Query id 2010-01-10 22:28:21 +02:00
Jouni Malinen
4a5869206e wext: Check hexstr2bin() return value in custom scan text processing 2010-01-10 22:26:11 +02:00
Jouni Malinen
a7efb16052 WEXT: Show BSSID/SSID set failures on disconnect in debug log 2010-01-10 22:18:50 +02:00
Jouni Malinen
fbe3e7f840 wext: Check hexstr2bin() return value 2010-01-10 22:16:51 +02:00
Jouni Malinen
68fd595fa5 WPS ER: Check uuid_str2bin() return value 2010-01-10 22:12:55 +02:00
Jouni Malinen
4f6050e796 WPS ER: Verify os_get_random() return value 2010-01-10 22:08:43 +02:00
Jouni Malinen
4edc521068 EAP-FAST peer: Clean up PAC writing function
Use more explicit validation of input parameters and clean up the
writes by using a local end-of-buffer variable to simplify
calculations.
2010-01-10 22:04:59 +02:00