Commit graph

17371 commits

Author SHA1 Message Date
Jouni Malinen
0cf03892a4 OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API
Updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore).
2008-11-16 21:29:12 +02:00
Jouni Malinen
1e8b9d2889 Updated interop results for ACS 4.2 2008-11-16 11:30:34 +02:00
Jouni Malinen
ea251b4a23 EAP-FAST: Reorder TLVs in PAC Acknowledgment to fix interop issues
It looks like ACS did not like PAC Acknowledgment TLV before Result TLV, so
reorder the TLVs to match the order shown in a
draft-cam-winget-eap-fast-provisioning-09.txt example. This allows
authenticated provisioning to be terminated with Access-Accept (if ACS has
that option enabled). Previously, provisioning was otherwise successful,
but the server rejected connection due to not understanding the PAC Ack
("Invalid TEAP Data recieved").
2008-11-16 11:10:29 +02:00
Jouni Malinen
1b554eb0d7 Modified the OpenSSL patch to use session ticket -specific function
This is the first step in replacing SSL_set_hello_extension() with a new
SSL_set_session_ticket_ext() function that can only be used to override the
session ticket extension, not any arbitrary TLS extension.

SSL_set_hello_extension() is still present as a simple wrapper in this
version to avoid changing the API and to make testing with wpa_supplicant
and hostapd easier. It can be eventually removed when the patch is going in
into OpenSSL distribution.
2008-11-12 06:15:27 +02:00
Jouni Malinen
d13c05cafb Updated indentation in the patch to match style used elsewhere in OpenSSL 2008-11-12 05:06:03 +02:00
Kel Modderman
efd59c96d7 wpa_gui-qt4: tweak icon Makefile
Output the xpm icons in more convenient location.

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-11-11 17:41:19 +02:00
Martin Michlmayr
65db6cad23 wpa_gui-qt4: FTBFS with GCC 4.4: missing #include
GCC 4.4 cleaned up some more C++ headers.  You always have to #include
headers directly and cannot rely for things to be included indirectly.

> g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DCONFIG_CTRL_IFACE
-DCONFIG_CTRL_IFACE_UNIX -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED
-I/usr/share/qt4/mkspecs/linux-g++ -I. -I/usr/include/qt4/QtCore
-I/usr/include/qt4/QtCore -I/usr/include/qt4/QtGui -I/usr/include/qt4/QtGui
-I/usr/include/qt4 -I. -I.. -I../../src/utils -I../../src/common -I.moc -I.ui -o
.obj/wpagui.o wpagui.cpp
> wpagui.cpp: In constructor 'WpaGui::WpaGui(QWidget*, const char*,
Qt::WFlags)':
> wpagui.cpp:98: error: 'printf' was not declared in this scope

From: Martin Michlmayr <tbm@cyrius.com>
Bug:  http://bugs.debian.org/505041

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-11-11 17:36:37 +02:00
Jouni Malinen
46690a3b9b Added an optional mitigation mechanism for certain attacks against TKIP by
delaying Michael MIC error reports by a random amount of time between 0 and
60 seconds if multiple Michael MIC failures are detected with the same PTK
(i.e., the Authenticator does not rekey PTK on first failure report). This
is disabled by default and can be enabled with a build option
CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config.

This may help in making a chopchop attack take much longer time by forcing
the attacker to wait 60 seconds before knowing whether a modified frame
resulted in a MIC failure.
2008-11-08 04:43:12 +02:00
Jouni Malinen
6982784e20 EAP-SIM/AKA: fixed initialization to verify PIN even if identity is set
Previously, hardcoded identity in the network configuration skipped both
IMSI reading and PIN verification. This broke cases where PIN is needed for
GSM/UMTS authentication. Now, only IMSI reading is skipped if identity is
hardcoded.
2008-11-07 20:09:44 +02:00
Jouni Malinen
04a5bad682 EAP-AKA: Validate RES Length field in AT_RES
This change breaks interoperability with older wpa_supplicant versions
(everything up to and including wpa_supplicant 0.5.10 and 0.6.5) which
incorrectly used this field as number of bytes, not bits, in RES.
2008-11-07 08:34:07 +02:00
Jouni Malinen
fa71a1d84a Fixed EAP-AKA RES Length field in AT_RES as length in bits, not bytes 2008-11-07 08:30:34 +02:00
Jouni Malinen
36100718de EAP-FAST server: allow expired PAC for PAC refresh
Instead of falling back to full TLS handshake on expired PAC, allow the
PAC to be used to allow a PAC update with some level of server
authentication (i.e., do not fall back to full TLS handshake since we
cannot be sure that the peer would be able to validate server certificate
now). However, reject the authentication since the PAC was not valid
anymore. Peer can connect again with the newly provisioned PAC after this.
2008-11-06 22:57:09 +02:00
Jouni Malinen
39452b4deb EAP-FAST: Include Tunnel PAC request only after EAP authentication 2008-11-06 21:07:53 +02:00
Jouni Malinen
581a8cde77 Added support for enforcing frequent PTK rekeying
Added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against TKIP
deficiencies. This can be set either by the Authenticator (to initiate
periodic 4-way handshake to rekey PTK) or by the Supplicant (to request
Authenticator to rekey PTK).

With both wpa_ptk_rekey and wpa_group_rekey (in hostapd) set to 600, TKIP
keys will not be used for more than 10 minutes which may make some attacks
against TKIP more difficult to implement.
2008-11-06 19:57:21 +02:00
Jouni Malinen
81eec387dd Added Milenage-GSM simulator for EAP-SIM
CONFIG_SIM_SIMULATOR=y in .config and password="Ki:OPc" in network config
to enable.
2008-11-06 04:21:32 +02:00
Jouni Malinen
31cbe002c9 driver_ndis: Added a workaround for a driver that removes SSID IE in scan
A driver was found to remove SSID IE from NDIS_WLAN_BSSID_EX IEs, but the
correct SSID is included in NDIS_802_11_SSID structure inside the BSSID
data. If this is seen in scan results, create a matching SSID IE and add it
to the end of IEs to fix scan result parsing.
2008-11-05 23:44:26 +02:00
Jouni Malinen
2a24bb3199 Added Milenage USIM emulator for EAP-AKA (can be used to simulate test
USIM card with a known private key; enable with CONFIG_USIM_SIMULATOR in
.config and password="Ki:OPc:SQN" in network configuration).
2008-11-05 23:02:13 +02:00
Jouni Malinen
988ab690ac Preparations for 0.6.5 release 2008-11-01 17:20:25 +02:00
Jouni Malinen
ac987fb7de Fixed fwrite error path in eap_fast_write_pac not to free buf
Caller expects the buffer to be allocated on error, so eap_fast_write_pac()
must be consistent with its behavior on error paths.
2008-11-01 17:09:28 +02:00
Jouni Malinen
8caa12b46c Added a comment about VS2008EE and updated WinPcap/OpenSSL versions 2008-11-01 14:46:00 +02:00
Jouni Malinen
07d44beeab Added a note about hostapd driver_nl80211 and AP mode in wireless-testing 2008-11-01 14:32:10 +02:00
Jouni Malinen
e3e51d9f03 Fixed ctrl_iface BSS command to fetch scan results, if needed
This makes BSS command work line SCAN_RESULTS and allows wpa_gui to get
some scan results without explicit scan results even when using ap_scan=2.
2008-11-01 14:28:34 +02:00
Johannes Berg
4aac554ce2 driver_nl80211: Remove set_ssid from nl80211 driver
This is no longer required (and does not work with current
wireless-testing anymore).

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
2008-11-01 13:45:34 +02:00
Jouni Malinen
b6a55236ce Updated VS2005 project files with new and removed C files 2008-11-01 13:03:09 +02:00
Jouni Malinen
3fd0b8f196 Use os_snprintf() instead of snprintf() 2008-11-01 13:02:50 +02:00
Jouni Malinen
1add3c3387 Use the common ieee802_11_parse_elems() implementations for mlme.c 2008-10-29 21:57:01 +02:00
Jouni Malinen
cb7b04c8c9 Moved ieee802_11_parse_elems() into common code 2008-10-29 21:48:14 +02:00
Jouni Malinen
3d536eb453 Removed the unused hapd argument to ieee802_11_parse_elems() 2008-10-29 21:33:46 +02:00
Jouni Malinen
fefee8a74d driver_nl80211: Added TX queue parameter configuration 2008-10-29 19:35:17 +02:00
Jouni Malinen
4c99a969e3 driver_nl80211: Added basic rate configuration 2008-10-29 19:34:27 +02:00
Jouni Malinen
308a4ec81a Verify fread(), fwrite(), and system() return values
These were starting to trigger compiler warning with recent glibc header
files and gcc.
2008-10-29 19:33:24 +02:00
Jouni Malinen
dd20838a7d Fixed size_t printf format for 64-bit targets 2008-10-29 19:30:23 +02:00
Jouni Malinen
8e8df25541 nl80211: Finish dumps properly (ported from iw.git) 2008-10-29 19:28:35 +02:00
Jouni Malinen
990ec3787e Set TX queue parameters during initialization
This was already called from reconfig.c, but the call from hostapd.c had
been forgotten.
2008-10-29 19:25:15 +02:00
Jouni Malinen
114622c021 Fixed EAPOL skip for PMKSA caching case to remain in authenticated state
Need to make sure that portValid is TRUE in order to avoid PAE state
machine going into DISCONNECTED state on eapol_sm_step(). This could be
triggered at least with OKC.
2008-10-25 20:21:31 +03:00
Jouni Malinen
9663596fac Fix group key rekeying when reauth happens during pending group key update
We need to cancel the group key update for a STA if a reauthentication
request is received while the STA is in pending group key update. When
canceling the update, we will also need to make sure that the PTK Group Key
state machine ends up in the correct state (IDLE) to allow future updates
in case of WPA2.
2008-10-21 13:54:54 +03:00
Jouni Malinen
244e07c54d EAP-FAST peer: Fixed not to add PAC Request in PAC Acknowledgement message 2008-10-19 10:02:57 +03:00
Jouni Malinen
2d86724409 EAP-FAST: Allow A-ID and A-ID-Info to be configured separately
Changed EAP-FAST configuration to use separate fields for A-ID and
A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed
16-octet len binary value for better interoperability with some peer
implementations; eap_fast_a_id is now configured as a hex string.
2008-10-19 09:55:59 +03:00
Jouni Malinen
2100a768bf Fixed WPA/RSN IE validation to verify the proto (WPA vs. WPA2) is enabled
Previous version could have allowed a broken client to complete WPA (or
WPA2) authentication even if the selected proto was not enabled in hostapd
configuration.
2008-10-15 06:34:39 +03:00
Jouni Malinen
8de4f2e9ba Avoid some gcc 4.3 warnings about deprecated string conversions 2008-10-14 07:39:51 +03:00
Jouni Malinen
a11c90a64a EAP-FAST: Make PAC-Key lifetime values configurable
The hardcoded values in eap_fast.c were replaced with values read from
hostapd.conf.
2008-10-08 17:25:47 +03:00
Jouni Malinen
378eae5e9b EAP-FAST: Added support for disabling anonymous/authenticated provisioning
eap_fast_prov config parameter can now be used to enable/disable different
EAP-FAST provisioning modes:
0 = provisioning disabled
1 = only anonymous provisioning allowed
2 = only authenticated provisioning allowed
3 = both provisioning modes allowed
2008-10-08 16:55:23 +03:00
Jouni Malinen
f36f51e403 Change the order of Result TLV and PAC TLV to avoid interop issues
draft-cam-winget-eap-fast-provisioning-06.txt or RFC 4851 do not seem to
mandate any particular order for TLVs, but some interop issues were noticed
with an EAP-FAST peer implementation when Result TLV followed PAC TLV. The
example in draft-cam-winget-eap-fast-provisioning-06.txt shows the TLVs in
the other order, so change the order here, too, to make it less likely to
hit this type of interop issues.
2008-10-08 15:50:01 +03:00
Jouni Malinen
1073e0ce46 wpa_gui-qt4: Set EAP-FAST provisioning parameters if inner method is 'any' 2008-10-07 18:53:02 +03:00
Jouni Malinen
3b7c9aa6aa Updated the comment on MS-Packet-Info mismatch based on [MS-SOH] info 2008-10-02 20:26:00 +03:00
Jouni Malinen
b43f7c34d2 SoH: Add null termination for empty url in MS-Quarantine-State. 2008-10-02 20:22:17 +03:00
Jouni Malinen
c908a9e5ae SoH: Add all the mandatory attributes into SSoH vendor specific attribute
This adds all the attributes that are marked as mandatory for SoH in
IF-TNCCS-SOH v1.0. MS-Machine-Inventory does not contain correct data
(i.e., all version fields are just marked as inapplicable) and
MS-MachineName is hardcoded to wpa_supplicant@w1.fi for now.
2008-10-02 19:34:22 +03:00
Jouni Malinen
75cf93d2c5 Fixed EAP-FAST peer not to add double Result TLV when ACKing PAC 2008-10-02 17:38:13 +03:00
Jouni Malinen
0930209dc2 Register a quick auth timeout if EAPOL fails to avoid long waits
This may be needed if the AP does not disconnect in case of EAP-FAST
unauthenticated provisioning (EAP-Failure). Adding the local short timeout
will speed up the process in such a case by reducing the wait (which can
often be up to 60 seconds).
2008-10-02 17:27:24 +03:00
Jouni Malinen
99a10f8d2c Added debug_timestamp option to Windows registry 2008-10-02 16:26:18 +03:00