Commit graph

1991 commits

Author SHA1 Message Date
Jouni Malinen
3f4ed97a70 Add support for PKCS #5 encrypted PKCS #8 keys with internal crypto
Private keys can now be used in either unencrypted or encrypted
PKCS #8 encoding. Only the pbeWithMD5AndDES-CBC algorithm (PKCS #5)
is currently supported.
2009-10-17 12:06:36 +03:00
Jouni Malinen
506b45ed22 Add DES-CBC support into internal crypto implementation 2009-10-17 12:05:06 +03:00
Jouni Malinen
8ef74414fc Internal TLS: Add support for unencrypred PKCS#8 private keys in PEM
Recognize the PEM header "BEGIN PRIVATE KEY" as base64-decode the data
to be able to use PEM encoded, unencrypted PKCS#8 private keys with the
internal TLS implementation. Previously, only DER encoding of the
PKCS#8 private key was supported.
2009-10-16 22:00:45 +03:00
Jouni Malinen
385f16c611 Remove wpa_priv on 'make clean' 2009-10-16 21:49:45 +03:00
Jouni Malinen
43fb529750 Add AP mode WPA status into ctrl_iface 2009-10-16 18:35:45 +03:00
Jouni Malinen
f730b421e9 wpa_gui-qt4: Dynamically update associated STAs in peer dialog 2009-10-16 17:53:02 +03:00
Jouni Malinen
20bd9547a1 Add ctrl_iface events for AP mode STA connect/disconnect
These are used to notify ctrl_iface monitors when a STA completes
connection (the port becomes authorized) and when a STA disconnects.
2009-10-16 17:51:49 +03:00
Jouni Malinen
278da1b52a openssl: Allow build with OpenSSL 0.9.7
OpenSSL 0.9.7 does not include get_rfc3526_prime_1536() function, so
provide that functionality internally if needed. In addition, make
sha256_vector() building depend on whether SHA256 support is included
in the OpenSSL library. This with CONFIG_INTERNAL_SHA256=y in .config
allows OpenSSL without SHA256 support to be used.
2009-10-16 15:57:17 +03:00
Jouni Malinen
d8130bdf13 openssl: Mark openssl_digest_vector() static 2009-10-16 15:54:52 +03:00
Jouni Malinen
e81634cd18 Skip networks without known SSID when selecting the BSS
Previously, APs that were hiding SSID (zero-length SSID IE in
Beacon frames) could have been selected when wildcard SSID matching
was used. This would result in failed association attempt since
the client does not know the correct SSID. This can slow down WPS
which is often using wildcard SSID matching.

Ignore BSSes without known SSID in the scan results when selecting
which BSS to use.
2009-10-15 21:58:58 +03:00
Witold Sowa
dc461de43e wpa_supplicant and dbus code separation
This patch completely separates supplicant's code from dbus.
It introduces three new notifications which copes with all
remaining dbus stuff.
wpas_notify_unregister_interface() was renamed to
wpas_notify_iface_removed().
2009-10-15 21:15:10 +03:00
Sam Leffler
4f34d51abe Do not schedule a new scan if no networks are enabled
This avoids an extra timeout to move to INACTIVE state.
2009-10-14 22:05:58 +03:00
Jouni Malinen
3afe7b61e0 Fix AES dependencies for CONFIG_AP=y (and IBSS) builds 2009-10-13 11:16:05 +03:00
Jouni Malinen
35deb646cc Fix CONFIG_AP=y build without CONFIG_CTRL_IFACE 2009-10-13 11:15:39 +03:00
Masashi Honma
279d859b8f Fix IEEE 802.11r/w compilation error
The hostapd/wpa_supplicant compilation failed with CONFIG_IEEE80211R=y
or CONFIG_IEEE80211W=y option if CONFIG_EAP_PSK and CONFIG_EAP_GPSK are
not used.
2009-10-13 10:04:46 +03:00
Masashi Honma
9b336bcef0 DragonFly BSD: Fix driver_bsd.c build
Both hostapd/wpa_supplicant compilation fails on DragonFly BSD.

This patch solves this issue.

I have tested only compilation. Not functionality.
Because I don't have any device which can work on DragonFly BSD.
2009-10-12 09:56:57 +03:00
Jouni Malinen
6d6f4bb87f nl80211: Work around mac80211 limitation on (re)auth when authenticated
mac80211 does not currently allow (re)authentication when we are already
authenticated. In order to work around this, force deauthentication if
nl80211 authentication command fails with EALREADY. Unfortunately, the
workaround code in driver_nl80211.c alone is not enough since the
following disconnection event would clear wpa_supplicant authentication
state. To handle this, add some code to restore authentication state
when using userspace SME.

This workaround will hopefully become unnecessary in some point should
mac80211 start accepting new authentication requests even when in
authenticated state.
2009-10-12 09:39:55 +03:00
Jouni Malinen
786c4fee9d Include aes_unwrap in build when needed (FT and EAP-FAST server) 2009-10-12 09:10:24 +03:00
Masashi Honma
0e27f655f1 MFP: Clear IGTK
The fourth and fifth keys are used as IGTK for management frame
protection. This patch clears these keys.

I have tested with linux kernel 2.6.31.2.
2009-10-12 07:19:01 +03:00
Jouni Malinen
bd4e9d033b Replace CONFIG_NO_AES_EXTRAS with auto-detection during build
There is no need to do this manually since it is possible to figure
out automatically which AES extra files need to be included in the
build.
2009-10-11 22:23:50 +03:00
Jouni Malinen
34c9910dc7 Fix EAP-AKA server build without EAP-SIM 2009-10-11 22:23:05 +03:00
Jouni Malinen
38b462868c Clean up crypto makefile segments
Reorganize the TLS/crypto library segments into a single set of blocks
for each library instead of multiple locations handling library-specific
operations. Group crypto functionality together and get wpa_supplicant
and hostapd Makefile closer to eachother in order to make it easier to
eventually move this into a shared makefile.
2009-10-11 22:04:29 +03:00
Jouni Malinen
7137456941 Move TLS_FUNCS and NEED_CRYPTO segment next to each other 2009-10-11 20:34:26 +03:00
Jouni Malinen
9d388d5007 Further crypto makefile unification 2009-10-11 20:31:15 +03:00
Jouni Malinen
0dba0175c5 Fix crypto config for minimal builds 2009-10-11 20:19:12 +03:00
Jouni Malinen
000bbd77c9 Cleaned up and unified some of the crypto Makefile code 2009-10-11 19:42:04 +03:00
Jouni Malinen
f042122a57 Allow the internal DH implementation to be overridden
Crypto library wrappers can now override the internal DH (group 5)
implementation. As a starting point, this is done with OpenSSL. The
new mechanism is currently available only for WPS (i.e., IKEv2 still
depends on the internal DH implementation).
2009-10-11 19:17:22 +03:00
Jouni Malinen
dd01b1ff9d Include only the used DH groups in the build
This reduces the binary size by 3 kB or so when WPS is included in
the build, but IKEv2 is not.
2009-10-11 15:24:40 +03:00
Jouni Malinen
b3ad11bb80 nl80211: Add parsing of NL80211_BSS_SEEN_MS_AGO into scan results 2009-10-01 17:53:22 +03:00
Jouni Malinen
d942a79e6a nl80211: Recognize NL80211_CMD_TRIGGER_SCAN events
Replace "nl80211: Ignored unknown event (cmd=33)" with
"nl80211: Scan trigger" to make debug output clearer. We do not
currently do anything with this event apart from showing it in
the debug log.
2009-10-01 13:58:17 +03:00
Blaž Bačnik
1066c1ee3c Fix VLAN ID validation check to use the new VLAN ID
When checking the validity of VLAN ID based on RADIUS-based ACL or
accept_mac_file, the assigned vlan_id, not the old sta->vlan_id
(likely zero) needs to be used.
2009-09-30 20:44:04 +03:00
Jouni Malinen
ebf214e670 NSS: Implement TLS PRF using new TLS extractor interface
This allows NSS to be used to derive EAP-TLS/PEAP/TTLS keying material.
NSS requires a patch from
https://bugzilla.mozilla.org/show_bug.cgi?id=507359
to provide the new API. In addition, that patch needs to be modified to
add the 16-bit context length value in SSL_ExportKeyingMaterial() only if
contextlen != 0 in order to match with the EAP-TLS/PEAP/TTLS use cases.
This issue seems to be coming from the unfortunate incompatibility in
draft-ietf-tls-extractor-07.txt (draft-ietf-tls-extractor-00.txt would
have used compatible PRF construction).

At this point, it is unclear how this will be resolved eventually, but
anyway, this shows a mechanism that can be used to implement EAP key
derivation with NSS with a small patch to NSS.
2009-09-30 20:12:32 +03:00
Author: Johannes Berg
1c766b094a nl80211: Fix a typo in set_sta_vlan()
The VLAN interface index needs to use NL80211_ATTR_STA_VLAN. It was
adding a duplicate NL80211_ATTR_IFINDEX.
2009-09-30 19:23:52 +03:00
Jouni Malinen
9fac49c15c Fix wpa_passphrase build with NSS 2009-09-30 19:14:43 +03:00
Jouni Malinen
d094741c5a wpa_gui-qt4: Add pending WPS PIN queries into peer dialog
Whenever running wpa_supplicant in AP mode with WPS enabled, the
notifications of missing WPS PIN are now shown on the peer dialog
to make it easier to provide the PIN.
2009-09-29 23:16:21 +03:00
Jouni Malinen
4f760fcc7c Fix hostapd wpa_msg() calls ctx for wpa_supplicant AP mode
Need to use wpa_s pointer, not hapd pointer, for these calls.
2009-09-29 21:25:14 +03:00
Jouni Malinen
acfbf1f5d7 wpa_gui-qt4: Fix peer_role_address for AP entry 2009-09-29 20:51:45 +03:00
Jouni Malinen
b55aaa5fdf Allow IBSS/AP mode networks to be created in ap_scan=1 mode
If no BSSes/IBSSes matching the enabled networks are found in the scan
results, IBSS/AP mode network (if configured) can be created in
ap_scan=1 mode instead of requiring ap_scan=2 mode to be used whenever
using IBSS or AP mode.
2009-09-29 17:11:36 +03:00
Jouni Malinen
09b9df4e4a Split wpa_supplicant_event_scan_results() into helper functions 2009-09-29 14:30:11 +03:00
Jouni Malinen
289ffc2b61 Add preliminary version of NSS TLS/crypto wrapper for wpa_supplicant
This brings in the first step in adding support for using NSS
(Mozilla Network Security Services) as the crypto and TLS library
with wpa_supplicant. This version is able to run through EAP-PEAP
and EAP-TTLS authentication, but does not yet implement any
certificate/private key configuration. In addition, this does not
implement proper key fetching functions either, so the end result
is not really of much use in real world yet.
2009-09-29 01:21:09 +03:00
Masashi Honma
f335c69e14 DragonFly BSD: Fix wired IEEE 802.1X
On DragonFly BSD, wired IEEE 802.1X fails with this message:
ioctl[SIOC{ADD/DEL}MULTI]: Invalid argument

This patch solves this issue.

I have tested with these:
OS : DragonFly BSD 2.4.0
EAP : EAP-TLS
Switch : Cisco Catalyst 2950
2009-09-28 16:10:02 +03:00
Jouni Malinen
c140a22858 Remove the STA entry on reassociation to clear STA PS state
hostapd needs to remove the old STA entry if it exists when processing
reassociation back to the same AP. This removes the potentially PS
buffered frames and allows association parameters to be updated with
mac80211.
2009-09-26 21:30:43 +03:00
Masashi Honma
40e107c129 Mac OS X: Fix wired IEEE 802.1X 2009-09-26 19:29:03 +03:00
Jouni Malinen
2aa5f84709 nl80211: Use defines for NL80211_KEY_CIPHER values 2009-09-15 11:23:48 +03:00
Jouni Malinen
d723bab4b3 Revert "nl80211: Share the same routine for NL80211_ATTR_KEY_CIPHER setup"
This reverts commit 5aa9cb5cca.

The nested key attribute is using different attribute values
(NL80211_KEY_* vs. NL80211_ATTR_KEY_*), so cannot share the same routine
for these purposes..
2009-09-15 11:21:25 +03:00
Jouni Malinen
5aa9cb5cca nl80211: Share the same routine for NL80211_ATTR_KEY_CIPHER setup 2009-09-15 10:54:41 +03:00
Johannes Berg
0194fedb46 driver_nl80211: Fix MLME key settings for static WEP
Current wpa_supplicant has a bug with WEP keys, it adds a zero-length
sequence counter field to netlink which the kernel doesn't accept.

Additionally, the kernel API slightly changed to accept keys only when
connected, so we need to send it the keys after that. For that to work
with shared key authentication, we also include the default WEP TX key
in the authentication command.

To upload the keys properly _after_ associating, add a new flag
WPA_DRIVER_FLAGS_SET_KEYS_AFTER_ASSOC_DONE indicating that the driver
needs the keys at that point and not earlier.
2009-09-15 10:48:30 +03:00
Jouni Malinen
60b94c9819 Add preliminary background scan and roaming module design
This allows background scanning and roaming decisions to be contained in
a single place based on a defined set of notification events which will
hopefully make it easier to experiment with roaming improvements. In
addition, this allows multiple intra-ESS roaming policies to be used
(each network configuration block can configure its own bgscan module).

The beacon loss and signal strength notifications are implemented for
the bgscan API, but the actual events are not yet available from the
driver.

The included sample bgscan module ("simple") is an example of what can
be done with the new bgscan mechanism. It requests periodic background
scans when the device remains associated with an ESS and has couple of
notes on what a more advanced bgscan module could do to optimize
background scanning and roaming. The periodic scans will cause the scan
result handler to pick a better AP if one becomes available. This bgscan
module can be taken into use by adding bgscan="simple" (or
bgscan="simple:<bgscan interval in seconds>") into the network
configuration block.
2009-09-15 00:08:24 +03:00
Samuel Ortiz
3180d7a208 Getting back to DISCONNECTED afer SCANNING
After transitioning from DISCONNECTED to SCANNING, we never go back
to DISCONNECTED even though scanning is done or failed.
We're thus stuck in SCANNING while scanning is actually done.
2009-09-14 17:25:03 +03:00
Masashi Honma
f1b0de09d9 WPS: Fix CONFIG_WPS=y compilation of wpa_supplicant
The wpa_supplicant compilation failed with CONFIG_WPS=y option
if CONFIG_CLIENT_MLME and CONFIG_IEEE80211R are not used.
2009-09-14 16:50:53 +03:00