Commit graph

143 commits

Author SHA1 Message Date
Jouni Malinen
03d3f28a69 Fix wpa_key_mgmt_*() helper functions to handle multiple bits
These can be used in some cases with a bitfield having multiple
AKMs enabled (e.g., WPA-PSK and WPA-PSK-SHA256). Address those
cases by checking whether any of the matching AKM are included.
2011-04-08 19:11:54 +03:00
Jouni Malinen
cd9fc7869a hostapd: Add testing mode for RSN element extensions
CFLAGS += -DCONFIG_RSN_TESTING in .config and rsn_testing=1 in
hostapd.conf can now be used to enable a testing mode that adds
extensions to RSN element. This can be used to check whether
station implementations are incompatible with future extensions
to the RSN element.
2011-03-21 13:59:05 +02:00
Dmitry Shmidt
c6a3a11048 Check select() return value in wpa_ctrl_request()
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2011-03-15 15:54:21 +02:00
Ganesh Prasadh
281ff0aa76 TDLS: Add initial support for TDLS (IEEE Std 802.11z-2010) 2011-03-06 14:53:49 +02:00
Jouni Malinen
73304dbf65 Allow client control socket location to be overridden
Build options can now be used to replace the location of client
sockets for UNIX domain socket control interface:

CFLAGS += -DCONFIG_CTRL_IFACE_CLIENT_DIR=\"/tmp\"
CFLAGS += -DCONFIG_CTRL_IFACE_CLIENT_PREFIX=\"wpa_ctrl_\"
2011-02-27 18:35:33 +02:00
Dmitry Shmidt
b3f3865e0e Use Android reserved namespace for control interface
On Android, use a special reserved namespace for the UNIX domain
socket.
2011-02-27 18:19:17 +02:00
Dmitry Shmidt
1480633f96 Use longer timeout in wpa_ctrl_request()
Wait longer for control interface response from wpa_supplicant to
avoid issues with some drivers that have long blocking operations.
2011-02-27 17:08:15 +02:00
Dmitry Shmidt
36fde1e79c Make wpa_ctrl_close() handle unopened connection 2011-02-27 17:07:07 +02:00
Dmitry Shmidt
4e2ead7a72 Add wpa_supplicant state change event for Android network manager
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2011-02-26 13:20:16 +02:00
Jouni Malinen
2944824315 hostapd: Add require_ht configuration parameter
This can be used to configure hostapd to reject association with
any station that does not support HT PHY.
2011-02-09 15:08:47 +02:00
Jouni Malinen
1161ff1ef5 hostapd: Allow TDLS use to be prohibited in the BSS
tdls_prohibit=1 and tdls_prohibit_chan_switch=1 and now be used to
disable use of TDLS or TDLS channel switching in the BSS using
extended cabilities IE as defined in IEEE 802.11z.
2011-01-28 19:21:59 +02:00
Jouni Malinen
bc8318acbc WPA: Add more info for EAPOL-Key Nonce/MIC debugging 2011-01-15 16:57:08 +02:00
Jouni Malinen
f981eabcf0 WPS: Add option to disable open networks by default
CONFIG_WPS_REG_DISABLE_OPEN=y can be used to configure wpa_supplicant
to disable open networks by default when wps_reg command is used to
learn the current AP settings. When this is enabled, there will be a
WPS-OPEN-NETWORK ctrl_iface event and the user will need to explicitly
enable the network (e.g., with "select_network <id>") to connect to
the open network.
2010-12-30 12:28:13 +02:00
Johannes Berg
0d7e5a3a29 Allow AP mode to disconnect STAs based on low ACK condition
The nl80211 driver can report low ACK condition (in fact it reports
complete loss right now only). Use that, along with a config option, to
disconnect stations when the data connection is not working properly,
e.g., due to the STA having went outside the range of the AP. This is
disabled by default and can be enabled with disassoc_low_ack=1 in
hostapd or wpa_supplicant configuration file.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2010-12-28 17:15:01 +02:00
Jouni Malinen
b39f58347d wlantest: Add support for decrypting TDLS frames
Derive TPK based on TDLS TPK Handshake and decrypt frames on the
direct link with TPK-TK.
2010-12-13 11:20:55 +02:00
Jouni Malinen
f3b87561d7 Share WPA IE parser function for RSN authenticator/supplicant
There is no point in maintaining two almost identical versions
of this parser. Move WPA IE parser into wpa_common.c similarly
to what was already the case with RSN IE parse.
2010-11-12 21:52:14 +02:00
Jouni Malinen
43882f1efc Allow TSN AP to be selected when configured for WEP
Commit d8d940b746 introduced a regression
that prevented TSN APs from being used with WEP since the AP was
rejected if it advertised WPA or RSN IE when we were configured to use
WEP. Resolve this by checking whether the AP is advertising a TSN, i.e.,
whether the AP allows WEP to be used as a group cipher. If so, allow
the AP to be selected if we are configured to use static WEP or
IEEE 802.1X (non-WPA).

It should be noted that this is still somewhat more restricted in AP
selection than earlier wpa_supplicant branches (0.7.x or older) that
ignore the WPA/RSN IE completely when configured for non-WPA.
2010-11-08 21:14:32 +02:00
Jouni Malinen
a149fcc77d wlantest: Add preliminary version of IEEE 802.11 protocol testing tool
This tool can be used to capture IEEE 802.11 frames either from a
monitor interface for realtime capturing or from pcap files for
offline analysis. This version is only adding basic infrastructure for
going through the frames and parsing their headers.
2010-11-07 23:29:00 +02:00
Jouni Malinen
ea78c315a2 Add ctrl_interface event for association rejected 2010-10-27 20:28:16 +03:00
Jouni Malinen
3e7533b399 WPS ER: Show SetSelectedRegistrar events as ctrl_iface events
This makes it easier to figure out if something goes wrong in
preparing the AP for enrolling a station.
2010-10-25 21:29:22 +03:00
Jouni Malinen
b74c19faf5 P2P: Fix a typo in P2P manager definition 2010-10-08 18:15:38 +03:00
Jouni Malinen
bf0ed63f3f Allow a postfix to be defined for the version number
A separate build number (etc.) version number postfix can now be
added to the build without having to modify source code files by
defining VERSION_STR_POSTFIX. This can be done, e.g., by adding
following line to .config:

CFLAGS += -DVERSION_STR_POSTFIX=\"-foo\"
2010-10-07 10:51:04 +03:00
Jouni Malinen
72044390f3 P2P: Add support for cross connection
If enabled, cross connection allows GO to forward IPv4 packets
using masquerading NAT from the P2P clients in the group to an
uplink WLAN connection. This is disabled by default and can be
enabled with "wpa_cli p2p_set cross_connect 1" on the P2P device
interface.
2010-09-09 07:17:20 -07:00
Jouni Malinen
6c6915f3db P2P: Add defined values for P2P Manageability Bitmap 2010-09-09 07:17:20 -07:00
Jouni Malinen
bf608cad56 P2P: Rename SD info not available define to match with spec change 2010-09-09 07:17:19 -07:00
Jouni Malinen
b22128efdc P2P: Add initial version of P2P Module 2010-09-09 07:17:17 -07:00
Jouni Malinen
75bde05d53 P2P: Add driver operations for P2P use 2010-09-09 07:17:16 -07:00
Jouni Malinen
91a9464528 Make IEEE 802.11 IE parser aware of P2P IE
This does not handle fragmented IEs and is only used to check quickly
whether the IE blob includes any P2P IE(s).
2010-09-09 07:17:16 -07:00
Jouni Malinen
dd6cc5a20c P2P: Wi-Fi Direct frame format definitions 2010-09-09 07:17:16 -07:00
Jouni Malinen
31fcea931d WPS 2.0: Add support for AuthorizedMACs attribute
Advertize list of authorized enrollee MAC addresses in Beacon and
Probe Response frames and use these when selecting the AP. In order
to provide the list, the enrollee MAC address should be specified
whenever adding a new PIN. In addition, add UUID-R into
SetSelectedRegistrar action to make it potentially easier for an AP
to figure out which ER sent the action should there be multiple ERs
using the same IP address.
2010-09-09 06:07:47 -07:00
Masashi Honma
60da5e0f3f Solaris: Add support for wired IEEE 802.1X client
This patch adds support for wired IEEE 802.1X client on the Solaris.

I have tested with these:
OS : OpenSolaris 2009.06
EAP : EAP-MD5
Switch : Cisco Catalyst 2950
2010-08-28 11:40:07 +03:00
Jouni Malinen
5a1cc30f1a WPS: Add support for dynamic AP PIN management
A new hostapd_cli command, wps_ap_pin, can now be used to manage
AP PIN at runtime. This can be used to generate a random AP PIN and
to only enable the AP PIN for short period (e.g., based on user
action on the AP device). Use of random AP PIN that is only enabled
for short duration is highly recommended to avoid security issues
with a static AP PIN.
2010-08-24 16:35:37 +03:00
Jouni Malinen
944814106e WPS: Do not disable AP PIN permanently, only slow down attacks
As a compromise between usability and security, do not disable
AP PIN permanently based on failed PIN validations. Instead, go to
AP Setup Locked state for increasing amount of time between each
failure to slow down brute force attacks against the AP PIN.

This avoids problems with some external Registrars that may try
to use the same PIN multiple times without user input. Now, the
user will still be able to fix the PIN and try again later while
a real attack is delayed enough to make it impractical.
2010-08-24 15:24:05 +03:00
Jouni Malinen
b3b2da770e Define Public Action and Vendor-specific Public Action frames 2010-07-17 20:22:40 -07:00
Jouni Malinen
950388f745 IEEE 802.11u GAS defines 2010-07-17 20:21:39 -07:00
Jouni Malinen
2d8bf73298 Add new debug message level for excessive information
Some frequent debug prints are of limited use and make debug output
difficult to read. Make them use a new debug level so that -dd
provides more readable output (-ddd can now be used to enable
the excessive debug prints).
2010-07-05 12:21:48 -07:00
Jouni Malinen
15dbf1291a WPS ER: Add ctrl_iface event for learned AP settings 2010-05-27 15:24:45 +03:00
Jouni Malinen
8401a6b028 Add Linux rfkill support
Add a new wpa_supplicant state: interface disabled. This can be used
to allow wpa_supplicant to be running with the network interface even
when the driver does not actually allow any radio operations (e.g.,
due to rfkill).

Allow driver_nl80211.c and driver_wext.c to start while rfkill is in
blocked state (i.e., when ifconfig up fails) and process rfkill
events to block/unblock WLAN.
2010-05-23 10:27:32 +03:00
Jouni Malinen
fb2ab5dd6a hostap.git is now 0.8.x development tree
0.7.x for branched into hostap-07.git for stable releases.
2010-04-18 21:01:00 +03:00
Jouni Malinen
be48214d2b Preparations for 0.7.2 release 2010-04-18 18:02:34 +03:00
Jouni Malinen
7992b07f6a Remove unnecessary SUBDIRS loops from src/*/Makefile
There are no subdirectories in any of these directories or plans
for adding ones. As such, there is no point in running the loop
that does not do anything and can cause problems with some shells.
2010-04-17 17:10:31 +03:00
Jouni Malinen
d3ccead325 Make wpa_compare_rsn_ie() handle missing IEs 2010-04-10 16:47:29 +03:00
Jouni Malinen
26e23750b9 FT: Fix FT 4-Way Handshake to include PMKR1Name in messages 2 and 3
IEEE Std 802.11r-2008, 11A.4.2 describes FT initial mobility domain
association in an RSN to include PMKR1Name in the PMKID-List field
in RSN IE in messages 2/4 and 3/4. This makes the RSN IE not be
bitwise identical with the values used in Beacon, Probe Response,
(Re)association Request frames.

The previous versions of wpa_supplicant and hostapd did not add the
PMKR1Name value in EAPOL-Key frame and did not accept it if added
(due to bitwise comparison of RSN IEs). This commit fixes the
implementation to be compliant with the standard by adding the
PMKR1Name value into EAPOL-Key messages during FT 4-Way Handshake and
by verifying that the received value matches with the value derived
locally.

This breaks interoperability with previous wpa_supplicant/hostapd
versions.
2010-04-07 21:04:13 +03:00
Marcin Marzec
f400f4f34b Fix typo in WPA_AUTH_ALG_FT definition
This was not supposed to have duplicate value with WPA_AUTH_ALG_LEAP.
The previous version was unable to set FT as the authentication
algorithm with nl80211.
2010-03-07 21:02:55 +02:00
Jouni Malinen
00468b4650 Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.

The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR

In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.

Authentication server probing can be done, e.g., with following
configuration options:
    eap=TTLS PEAP TLS
    identity=""
    ca_cert="probe://"

Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Server certificate matching is configured with ca_cert, e.g.:
    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
2010-02-13 11:14:23 +02:00
Jouni Malinen
7796f20edc Add new ctrl_iface event for EAP methods proposed by the server
This makes it easier for external programs to probe EAP server
preferences and potentially automatically detect which method
could be used.
2010-02-11 19:48:36 +02:00
Jouni Malinen
dff0f701d0 Preparations for v0.7.1 release 2010-01-16 19:04:38 +02:00
Jouni Malinen
b590812e8f Add preliminary documentation for ctrl_iface events 2010-01-15 19:24:08 +02:00
Jouni Malinen
abd9fafab6 Standardize on a single definition of auth_alg bitfield values 2010-01-03 21:14:40 +02:00
Jouni Malinen
70f8cc8ec8 Share the same enum for MFP configuration
The three existing enums were already depending on using the same
values in couple of places and it is just simpler to standardize on
one of these to avoid need for mapping between different enums for
the exact same thing.
2010-01-03 21:02:51 +02:00