Commit graph

19 commits

Author SHA1 Message Date
Jouni Malinen
944814106e WPS: Do not disable AP PIN permanently, only slow down attacks
As a compromise between usability and security, do not disable
AP PIN permanently based on failed PIN validations. Instead, go to
AP Setup Locked state for increasing amount of time between each
failure to slow down brute force attacks against the AP PIN.

This avoids problems with some external Registrars that may try
to use the same PIN multiple times without user input. Now, the
user will still be able to fix the PIN and try again later while
a real attack is delayed enough to make it impractical.
2010-08-24 15:24:05 +03:00
Jouni Malinen
15dbf1291a WPS ER: Add ctrl_iface event for learned AP settings 2010-05-27 15:24:45 +03:00
Jouni Malinen
00468b4650 Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.

The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR

In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.

Authentication server probing can be done, e.g., with following
configuration options:
    eap=TTLS PEAP TLS
    identity=""
    ca_cert="probe://"

Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Server certificate matching is configured with ca_cert, e.g.:
    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
2010-02-13 11:14:23 +02:00
Jouni Malinen
7796f20edc Add new ctrl_iface event for EAP methods proposed by the server
This makes it easier for external programs to probe EAP server
preferences and potentially automatically detect which method
could be used.
2010-02-11 19:48:36 +02:00
Jouni Malinen
b590812e8f Add preliminary documentation for ctrl_iface events 2010-01-15 19:24:08 +02:00
Jouni Malinen
c2f5126941 WPS: Add Enrollee-seen event message and wpa_gui-qt4 Peers entry
This can be used to show active Enrollees in AP mode to make it
easier to provision a new device.
2009-12-28 16:24:04 +02:00
Jouni Malinen
f0d126d339 Add ctrl_iface events for BSS added/removed 2009-12-28 00:42:51 +02:00
Jouni Malinen
b78bc3a37e WPS ER: Add ctrl_iface notifications for AP/Enrollee add/remove 2009-11-15 12:07:27 +02:00
Jouni Malinen
20bd9547a1 Add ctrl_iface events for AP mode STA connect/disconnect
These are used to notify ctrl_iface monitors when a STA completes
connection (the port becomes authorized) and when a STA disconnects.
2009-10-16 17:51:49 +03:00
Jouni Malinen
3b2cf800af WPS: Lock AP Setup on multiple AP PIN validation failures
If a Registrar tries to configure the AP, but fails to validate the
device password (AP PIN), lock the AP setup after four failures. This
protects the AP PIN against brute force guessing attacks.
2009-01-23 21:57:43 +02:00
Jouni Malinen
a609915233 Allow WPS APs for PIN enrollment even without Selected Registrar
Some WPS APs do not set Selected Registrar attribute to 1 properly when
using an external Registrar. Allow such an AP to be selected for PIN
registration after couple of scan runs that do not find APs marked with
Selected Registrar = 1. This allows wpa_supplicant to iterate through
all APs that advertise WPS support without delaying connection with
implementations that set Selected Registrar = 1 properly.
2009-01-23 13:10:58 +02:00
Jouni Malinen
aabe26a136 WPS: Added option to disable AP auto-config on first registration
This operation can now be moved into an external program by configuring
hostapd with wps_cred_processing=1 and skip_cred_build=1. A new
ctrl_iface message (WPS-REG-SUCCESS <Enrollee MAC addr> <UUID-E>) will
be used to notify external programs of each successful registration and
that can be used as a tricker to move from unconfigured to configured
state.
2009-01-21 13:48:10 +02:00
Jouni Malinen
ad5302a1ca WPS: Added event callback for successfully completed registration 2008-12-19 22:34:18 +02:00
Jouni Malinen
469fc3a41f WPS: Added callback for failure-after-M2/M2D
This callback is now used to stop wpa_supplicant from trying to continue
using parameters (most likely, device password) that do not work in a
loop. In addition, wpa_gui can now notify user of failed registration.
2008-12-19 22:19:41 +02:00
Jouni Malinen
4b68290e77 WPS: Added event callback and M2D notification
The event callback will be used for various event messages and the M2D
notification is the first such message. It is used to notify wpa_gui
about Registrar not yet knowing the device password (PIN).
2008-12-18 21:58:42 +02:00
Jouni Malinen
ff8a53a8d7 Use a fixed wps_msg prefix with WPS creds notification 2008-12-15 22:32:45 +02:00
Jouni Malinen
a524f05eb3 WPS: Added control interface notification for available WPS APs
Whenever new scan results include WPS AP(s) and the client is not
associated, send a notification message to control interface monitors.
This makes it easier for GUIs to notify the user about possible WPS
availability without having to go through the scan results.
2008-12-15 20:09:57 +02:00
Jouni Malinen
ad08c3633c Added preliminary Wi-Fi Protected Setup (WPS) implementation
This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.

Currently, hostapd has more complete configuration option for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
an Registrar to configure an AP, this is still using number of hardcoded
parameters which will need to be made configurable for proper operation.
2008-11-23 19:34:26 +02:00
Jouni Malinen
6fc6879bd5 Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00