Commit graph

66 commits

Author SHA1 Message Date
Jouni Malinen
95a825bc43 RADIUS: Preliminary support RADIUS/TLS as an alternative to RADIUS/UDP
This adds initial parts for RADIUS/TLS support in the RADIUS client.
This can be used with eapol_test and hostapd. This functionality is not
included by default and CONFIG_RADIUS_TLS=y in .config can be used to
enable it.

This version does not yet include all the needed functionality for TLS
validation and the rules for dropping a TCP connection based on invalid
RADIUS attributes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-25 20:54:14 +02:00
Maximilian Bosch
d8d2b3a338 Implement read-only mode for SSIDs from the additional config (-I)
On NixOS[1] - a Linux distribution which allows to configure a full OS
declaratively - it's possible to configure SSIDs for `wpa_supplicant`
like this:

    networking.wireless.networks = {
      myssid = {
        pskRaw = "<redacted>";
      };
    };

It's also possible to add networks "imperatively" using `wpa_gui` or
`wpa_cli`. However it's not possible to do both because if the first
option is used, NixOS creates a read-only symlink at
`/etc/wpa_supplicant.conf` and then it's not possible for
`wpa_supplicant` anymore to write to it.

This patch aims to help us changing this: while "declarative" SSID
configuration can be quite useful, it's a bad idea for e.g. sensitive
stuff like a WPA2 enterprise network.

The original idea was to use `-I`[2] for immutable configs (including
"declarative" networks) on NixOS and `-c /etc/wpa_supplicant.conf` for
anything "imperative".

However this doesn't really work out because if a wifi network from a
config file specified with `-I` is changed by e.g. `wpa_gui`, it's
silently overwritten in `/etc/wpa_supplicant.conf` (specified with
`-c`) which is IMHO unintuitive (in our case at least). This patch
basically declares each network defined in a config file passed via `-I`
to `wpa_supplicant` as "read-only" and doesn't write these "read-only"
networks to `/etc/wpa_supplicant.conf`.

A bit more context can be found on GitHub in the PR where I implemented
this[3].

[1] https://nixos.org/
[2] Added in e6304cad47
[3] https://github.com/NixOS/nixpkgs/pull/113716

Signed-off-by: Maximilian Bosch <maximilian@mbosch.me>
2022-11-29 12:55:47 +02:00
Jouni Malinen
18c0ac8901 Provide information about the encryption status of received EAPOL frames
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-07 21:37:03 +03:00
Jouni Malinen
b0f016b873 eapol_test: Update with src/ap/ieee802_1x.c changes
eapol_test.c contains variants of couple of functions from the hostapd
implementation. Those had not been updated for a while and this commit
brings in the main changes to keep the implementations closer to
each other.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 19:51:09 +03:00
Alan T. DeKok
3240cedd6a eapol_test: Print out names for additional known EAP types
And order the names by number.

Signed-off-by: Alan DeKok <aland@freeradius.org>
2022-04-17 11:50:25 +03:00
Jouni Malinen
f5c711c855 OpenSSL: Unload providers only at process exit
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.

Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.

Fixes: 097ca6bf0b ("OpenSSL: Unload providers on deinit")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-16 18:51:32 +03:00
Jouni Malinen
8ca330bd70 Flush pending control interface message for an interface to be removed
wpa_supplicant_ctrl_iface_deinit() was executed only if the
per-interface control interface initialization had been completed. This
is not the case if driver initialization fails and that could result in
leaving behind references to the freed wpa_s instance in a corner case
where control interface messages ended up getting queued.

Fix this by calling wpa_supplicant_ctrl_iface_deinit() in all cases to
cancel the potential eloop timeout for wpas_ctrl_msg_queue_timeout with
the reference to the wpa_s pointer. In addition, flush any pending
message from the global queue for this interface since such a message
cannot be of use after this and there is no need to leave them in the
queue until the global control interface gets deinitialized.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-26 00:21:18 +02:00
Stefan Paetow
e80e6a2f17 eapol_test: Add address family for IPv4 in Windows build
Add the address family when manually constructing IPv4 addresses in
eapol_test on Windows. Otherwise other functions, like hostapd_ip_txt()
in src/utils/ip_addr.c, that rely on addr->af being set fail miserably.
The non-Windows option uses hostapd_parse_ip_addr() which does this as
part of the helper function.

Signed-off-by: Stefan Paetow <oss@eons.net>
2021-03-12 09:49:20 +02:00
Jouni Malinen
da8478a1ab EAPOL supp: Convert Boolean to C99 bool
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-04-24 17:06:50 +03:00
Didier Raboud
8155b36fae Fix VERSION_STR printf() calls in case the postfix strings include %
Do not use VERSION_STR directly as the format string to printf() since
it is possible for that string to contain '%'.

Signed-off-by: Didier Raboud <odyx@debian.org>
2020-02-17 19:17:10 +02:00
Jouni Malinen
8e5e36a184 Clean up base64_{encode,decode} pointer types
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-11-28 16:39:09 +02:00
Jouni Malinen
d3a035169b Remove useless NULL comparison for an array
Now that the TLS peer_cert information is provided as a full struct to
handler functions, the altsubject pointer shows up as an array and
causes static analyzers to warn about unnecessary NULL comparison. Get
rid of that comparison now that it is clearly not needed anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-07 10:00:49 +03:00
Jouni Malinen
bc0634da4a Pass full struct to peer certificate callbacks
This makes it easier to add new information to the callbacks without
having to modify each callback function type in EAPOL and EAP code every
time.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-06-14 23:10:50 +03:00
Martin Stanislav
cfb01f58a6 eapol_test: Start the identifier at an initial random value
Start the (EAP request) identifier at an initial random value
as recommended by RFC 3748 in section 4.1 Request and Response
on page 21.

Signed-off-by: Martin Stanislav <ms@uakom.sk>
2019-01-08 13:40:33 +02:00
Nick Lowe
8c676b5056 Add RADIUS Service-Type attribute with a value of Framed
This seems to be the common value used by APs and also mentioned in RFC
3580.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-19 18:44:39 +02:00
Nick Lowe
2cbc6ffb3a RADIUS: Redesign Request Authenticator generation
Simplify and make properly random the generation of the Request
Authenticator.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:19:35 +02:00
Jouni Malinen
4363c0d6f5 eapol_test: Add -v for displaying version information
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-16 22:00:11 +03:00
Jouni Malinen
048d084d45 eapol_test: Add a new operation mode for control interface use
The -T<ctrl_iface> command line argument can now be used to start
eapol_test in mode where the configuration file is not needed and the
authentication operations are started through the control interface.
Network profile is also managed through the control interface in this
case. This can be used to provide more control for scripted RADIUS
authentication server testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-21 00:48:29 +03:00
Jouni Malinen
3b3677b3bc eapol_test: Allow interface name to be specified
The new -i<ifname> command line argument can be used to specify the name
of the interface to use. This is mainly to allow unique control
interface names to be defined without having to use multiple
directories.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-20 23:13:33 +03:00
Ondřej Caletka
e1ede80d3b eapol_test: Support IPv6 for authentication server
This allows testing RADIUS servers over IPv6.

Signed-off-by: Ondřej Caletka <ondrej@caletka.cz>
2015-06-10 13:53:22 +03:00
Mikael Kanstrup
8b423edbd3 Declare all read only data structures as const
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-04-25 17:33:06 +03:00
Jouni Malinen
242b83a380 eapol_test: Fix cert_cb() function arguments
altsubject[] was added here, but the callback implementation in
eapol_test.c was forgotten from the commit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-17 02:24:00 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
07e2de3193 wpa_supplicant: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled for TLS-based EAP methods when
OpenSSL is used as the TLS library. This parameter can be used both as a
global parameter to set the default for all network blocks and as a
network block parameter to override the default for each network
profile.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:55:13 +03:00
Jouni Malinen
e3a451118e eapol_test: Check inet_aton() result
This makes code more consistent (CID 72676).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-11 19:45:17 +03:00
Dmitry Shmidt
1de809e152 eapol_test: Fix -R option to not replace -s option value
Commit e9852462d5 ('eapol_test: Add PC/SC
reader and PIN command line arguments') did not add break to the switch
statement for the new -R command line option.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-06-28 10:51:29 +03:00
Jouni Malinen
e9852462d5 eapol_test: Add PC/SC reader and PIN command line arguments
The new command line arguments -R<reader> and -P<PIN> can now be used to
specify which PC/SC reader (prefix match) and PIN are to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-21 22:46:28 +03:00
Jouni Malinen
cfdb32e88f eapol_test: Check EAP-Key-Name
The new command line argument -e can be used to request the server to
send EAP-Key-Name in Access-Accept. If both the local EAP peer
implementation and server provide the EAP Session-Id, compare those
values and indicate in debug log whether a match was seen.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-05-11 21:22:37 +03:00
Jouni Malinen
c60ba9f7ab Skip network disabling on expected EAP failure
Some EAP methods can go through a step that is expected to fail and as
such, should not trigger temporary network disabling when processing
EAP-Failure or deauthentication. EAP-WSC for WPS was already handled as
a special case, but similar behavior is needed for EAP-FAST with
unauthenticated provisioning.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-08 16:42:15 +02:00
Jouni Malinen
0187c41d88 Declare wpa_debug_* variables in src/utils/wpa_debug.h
These were somewhat more hidden to avoid direct use, but there are now
numerous places where these are needed and more justification to make
the extern int declarations available from wpa_debug.h. In addition,
this avoids some warnings from sparse.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-12-31 19:29:52 +02:00
Masashi Honma
22cf7d7324 SCARD: Clean up SIM/USIM selection
Commit eb32460029 left an unneeded
sim_type argument to scard_init(). Remove that unnecessary argument to
clean up the implementation.

Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
2013-11-17 16:47:38 +02:00
Jouni Malinen
a5d44ac083 EAP peer: Add framework for external SIM/USIM processing
The new configuration parameter external_sim=<0/1> can now be used to
configure wpa_supplicant to use external SIM/USIM processing (e.g., GSM
authentication for EAP-SIM or UMTS authentication for EAP-AKA). The
requests and responses for such operations are sent over the ctrl_iface
CTRL-REQ-SIM and CTRL-RSP-SIM commands similarly to the existing
password query mechanism.

Changes to the EAP methods to use this new mechanism will be added in
separate commits.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 13:12:04 +03:00
Jouni Malinen
7e8bc7d6fb eapol_test: Initialize BSS lists
This is needed to avoid issues with control interface commands that
could request BSS list during an eapol_test run. wpa_cli tries to update
its internal BSS list and that could trigger eapol_test crashes without
this.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-19 16:28:56 +03:00
Jouni Malinen
b6077964c2 eapol_test: Fix external EAP request mechanism
The eap_param_needed callback was forgotten from eapol_test and this
prevented external EAP request processing through ctrl_iface from being
tested.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-19 13:44:39 +03:00
Jouni Malinen
94de082b39 eapol_test: Initialize wpa_s->global to fix ctrl_iface
wpa_s->global is now dereferenced in number of places and at least one
of them hits in eapol_test cases. Fix issues with this by setting the
global pointer to empty data.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-19 13:08:37 +03:00
Dmitry Shmidt
e6304cad47 wpa_supplicant: Add option -I for additional config file
This option can be used only for global parameters that are not going
to be changed from settings.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Iliyan Malchev <malchev@google.com>
2013-04-23 17:38:57 +03:00
Jouni Malinen
dc013f1e37 eapol_test: Remove unnecessary header file inclusion
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-01-15 12:03:29 +02:00
Jouni Malinen
d03f1e5d63 eapol_test: Allow full RADIUS attribute length to be used
The -N and -C command line parameters can be used to add arbitrary
RADIUS attributes to the messages. However, these were truncated to
about 128 bytes when the actually message was constructed. Fix this by
using larger buffers to allow the maximum attribute length (253 octets
of payload) to be used. [Bug 458]

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 12:39:27 +02:00
Jouni Malinen
42ad72029f eapol_test: Fix extra RADIUS attribute allocation
The sizeof(ptr) use here was not correct and resulted in too small
memory block getting allocated for the -N command line argument.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 12:32:43 +02:00
Jouni Malinen
e026159a8e EAP-SIM/AKA: Store pseudonym identity in configuration
Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity
so that this can be maintained between EAP sessions (e.g., after
wpa_supplicant restart) even if fast re-authentication data was cleared.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-09-02 13:04:18 +03:00
Jouni Malinen
e100828b76 Return wpabuf from radius_msg_get_eap()
This simplifies the implementation by using the buffer type to which the
returned data will be converted anyway. This avoids one memory
allocation for each processed RADIUS message.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-07 18:14:42 +03:00
Jouni Malinen
306ae22556 EXT PW: Add framework for supporting external password storage
This new mechanism can be used to make wpa_supplicant using external
storage (e.g., key store in the operating system) for passwords,
passphrases, and PSKs. This commit is only adding the framework part
needed to support this, i.e., no actual configuration parameter can
yet use this new mechanism. In addition, only a simple test backend
is added to allow developer testing of the functionality.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-08-03 22:15:42 +03:00
Jouni Malinen
ca8e039fec Fix memory leaks on radius_client_send error paths
In case this function returns an error, the RADIUS message needs to
freed in the caller.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-04-01 17:55:20 +03:00
Jouni Malinen
f64adcd71e Allow PC/SC reader to be selected and initialized at start
New global configuration parameters pcsc_reader and pcsc_pin can now be
used to initialize PC/SC reader context at start of wpa_supplicant.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-26 13:09:30 +02:00
Jouni Malinen
0f3d578efc Remove the GPL notification from files contributed by Jouni Malinen
Remove the GPL notification text from the files that were
initially contributed by myself.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-02-11 19:39:36 +02:00
Jouni Malinen
beec9c3a1f eapol_test: Show MNC length in debug output
Signed-hostap: Jouni Malinen <j@w1.fi>
2012-01-22 20:59:00 +02:00
Jouni Malinen
1b414f59fc eapol_test: Add option for writing server certificate chain to a file
eapol_test command line argument -o<file> can now be used to request
the received server certificate chain to be written to the specified
file. The certificates will be written in PEM format. [Bug 391]
2011-09-17 22:42:54 +03:00
Jouni Malinen
4f525d8e5b Move peer certificate wpa_msg() calls to notify.c
This type of wpa_supplicant specific message construction does not need
to be at the EAP implementation, so better move it up to notify.c.
2011-07-05 12:40:37 +03:00
Jouni Malinen
eacc12bfbb eapol_test: Unregister EAP server methods if CONFIG_AP=y
This fixes a memory leak in CONFIG_AP=y builds.
2010-11-07 11:38:26 +02:00
Jouni Malinen
0456ea16d8 eloop: Remove global user data pointer
This is not really needed since all signal handlers can use a context
pointer provided during signal handler registration.
2009-12-19 19:22:16 +02:00