Commit graph

2907 commits

Author SHA1 Message Date
Jouni Malinen
6572fc0d1b IEEE 802.11w: Use comeback duration to delay association 2008-09-01 11:49:51 +03:00
Jouni Malinen
c684525947 FT: Fixed FTIE for authentication after a failed association 2008-09-01 11:38:13 +03:00
Jouni Malinen
565861976d Added support for using SHA256-based stronger key derivation for WPA2
IEEE 802.11w/D6.0 defines new AKMPs to indicate SHA256-based algorithms for
key derivation (and AES-CMAC for EAPOL-Key MIC). Add support for using new
AKMPs and clean up AKMP processing with helper functions in defs.h.
2008-08-31 22:57:28 +03:00
Jouni Malinen
5d22a1d5aa IEEE 802.11w: Added association ping
This updates management frame protection to use the assocition ping process
from the latest draft (D6.0) to protect against unauthenticated
authenticate or (re)associate frames dropping association.
2008-08-31 11:04:47 +03:00
Jouni Malinen
0b60b0aaad Updated MFP defines based on IEEE 802.11w/D6.0 and use new MFPC/MFPR
This adds most of the new frame format and identifier definitions from IEEE
802.11w/D6.0. In addition, the RSN IE capability field values for MFP is
replaced with the new two-bit version with MFPC (capable) and MFPR
(required) processing.
2008-08-30 14:59:39 +03:00
Jouni Malinen
1d8ce433c9 Internal X.509/TLSv1: Support SHA-256 in X.509 certificate digest 2008-08-16 11:21:22 +03:00
Jouni Malinen
1c8735848d nl80211: Preliminary code for usermode MLME support
This adds some parts needed to use usermode MLME with the current mac80211
(plus a patch to add a new cfg80211 command; not yet submitted to
wireless-testing). This version creates a monitor interface for management
frames and is able to send Probe Request frames during scan. However, it
looks like management frame reception is not yet working properly. In
addition, mlme_{add,remove}_sta() handlers are still missing.
2008-08-15 22:14:49 +03:00
Jouni Malinen
101533269f Fixed supported rates IE generation for Probe Response frames. 2008-08-15 22:10:41 +03:00
Jouni Malinen
c1e033b0bb IEEE Std 802.11r-2008 has been released, so update references 2008-08-15 11:25:24 +03:00
Jouni Malinen
d48ae45b73 Preparations for 0.6.4 release 2008-08-10 20:33:12 +03:00
Jouni Malinen
6724f4d07a Fixed MinGW build without CONFIG_NDIS_EVENTS_INTEGRATED defined 2008-08-10 18:11:41 +03:00
Jouni Malinen
3ff77e070d Fixed opportunistic key caching (OKC)
wpa_sm_set_config() can be called even if the network block does not
change. However, the previous version ended up calling
pmksa_cache_notify_reconfig() every time and this cleared the network
context from PMKSA cache entries. This prevented OKC from ever being used.

Do not call pmksa_cache_notify_reconfig() if the network context remains
unchanged to allow OKC to be used.
2008-08-03 20:16:59 +03:00
Dan Williams
93ef879f0f wext: fix maxrate calculation
When scan results got moved from wpa_scan_result -> wpa_scan_res, the
'maxrate' member was dropped from wpa_scan_res.  The D-Bus interface
used 'maxrate', which was replaced with wpa_scan_get_max_rate().
Unfortunately, wpa_scan_get_max_rate() returns 802.11 rate values
directly from the IE, where 'maxrate' was the rate in bits/second.  The
supplicant internally fakes an IE for wpa_scan_res from the value of
wpa_scan_result->maxrate, but interprets ->maxrate as an 802.11 rate
index.

As a side-effect, this fixes a soft-break of the D-Bus control API since
the wpa_scan_res change was introduced.
2008-07-15 20:07:50 +03:00
Michael Bernhard
886a807fb5 Make proactive key caching working again
Function 'wpa_sm_set_config' used the argument 'config' as the network
context which is a pointer to a local variable of the function
'wpa_supplicant_rsn_supp_set_config'.

This is one reason why no proactive key was generated. This network
context never matched with the network context saved in the pmksa cache
entries.

The structure 'rsn_supp_config' has already a member 'network_ctx' which
is now filled in by this patch with 'ssid'.

Signed-off-by: Michael Bernhard <michael.bernhard@bfh.ch>
2008-07-06 10:50:53 +03:00
Pavel Polischouk
9d6762cfca man wpa_supplicant: Clearly state which options are given per interface
Documentation appeared a little vague about which options are global and
which are tied to a particular interface. This leads to confusion when
using certain combinations of options, e.g. the command "wpa_supplicant
-c /etc/wpa_supplican.conf -u" will not do what is intuitively expected
from it - it will not read the config file given with -c option because
no -i option was given. This command is still valid because -u option is
used. The wpa_supplicant running like this will also not listen on any
control socket, because the socket file name is usually given in the
config file. This command line also happens to be the default in Fedora 9.
This patch does not try to change any behaviour, but rather document
these nuances clearly.
2008-06-18 11:52:20 +03:00
Jouni Malinen
3e2ad1b932 Fixed race condition between disassociation event and group key handshake
This avoids getting stuck in state where wpa_supplicant has canceled scans,
but the driver is actually in disassociated state. The previously used code
that controlled scan timeout from WPA module is not really needed anymore
(and has not been needed for past four years since authentication timeout
was separated from scan request timeout), so this can simply be removed to
resolved the race condition. As an extra bonus, this simplifies the
interface to WPA module.
[Bug 261]
2008-06-09 16:26:47 +03:00
Jouni Malinen
2eeaa5c9d0 EAP-PEAP: Moved the common peap_prfplus() function into a shared file 2008-06-09 10:32:12 +03:00
Jouni Malinen
3f5285e852 Added a preliminary nl80211/cfg80211 driver interface for wpa_supplicant
driver_nl80211.c is based on driver_wext.c and it is still using Linux
wireless extensions for many functions. Over time, the new driver interface
code should be modified to use nl80211/cfg80211 for everything.
2008-06-06 16:55:42 +03:00
Jouni Malinen
187bc466a3 Removed the 20% estimate on faster bignum routines
This was not accurate since this was mostly based on total runtime of an
eapol_test run. The real improvement in the bignum routines is much larger
(mayby twice as fast as before).
2008-06-06 10:30:43 +03:00
Jouni Malinen
b95394c66f Combined internal LibTomMath configuration into one option
CONFIG_INTERNAL_LIBTOMMATH_FAST=y in .config can now be used to enable all
optimized routines at a cost of about 4 kB. This is small enough increase
in size to justify simplified configuration.
2008-06-06 10:21:28 +03:00
Jouni Malinen
ec0205a87a Added an option to build internal LibTomMath with faster div routine
At the cost of about 1 kB of additional binary size, the internal
LibTomMath can be configured to include faster div routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_DIV=y in
.config.
2008-06-06 10:11:17 +03:00
Jouni Malinen
c5f5c91aeb Add faster, optional sqr routine for internal LibTomMath
At the cost of about 0.5 kB of additional binary size, the internal
LibTomMath can be configured to include faster sqr routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_SQR=y in
.config.
2008-06-05 18:33:46 +03:00
Dan Williams
1d3c75b3b6 Give adhoc associations a bit more time
Depending on how the driver implements IBSS searching and creation, it
may need to perform one or more scans before successfully completing the
association operation.  Therefore, increase the timeout for IBSS
association operations so that the supplicant doesn't interrupt the
driver as much.
2008-06-04 21:00:09 +03:00
Jouni Malinen
8ccc0402b2 Internal LibTomMath: add optional support for Montgomery reduction
Add a cost of about 2.5 kB of additional cost, the internal LibTomMath can
be configured to include fast exptmod routine to speed up DH and RSA.
This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_EXPTMOD=y in
.config.
2008-06-04 11:57:55 +03:00
Jouni Malinen
a8e16edc86 Introduced new helper function is_zero_ether_addr()
Use this inline function to replace os_memcmp(addr,
"\x00\x00\x00\x00\x00\x00", ETH_ALEN) == 0.
2008-06-03 18:08:48 +03:00
Dan Williams
7e1488494e Do not continually reschedule specific scans to help finding hidden SSIDs
In situations where the driver does background scanning and sends a
steady stream of scan results, wpa_supplicant would continually
reschedule the scan.  This resulted in specific SSID scans never
happening for a hidden AP, and the supplicant never connecting to the AP
because it never got found.  Instead, if there's an already scheduled
scan, and a request comes in to reschedule it, and there are enabled
scan_ssid=1 network blocks, let the scan happen anyway so the hidden
SSID has a chance to be found.
2008-06-03 11:37:48 +03:00
Jouni Malinen
d952d16df4 Internal TLS: Added support for parsing PKCS #8 formatted private keys
The internal TLS implementation can now use both PKCS #1 RSA private key
and PKCS #8 encapsulated RSA private key. PKCS #8 encrypted private key is
not yet supported.
2008-06-02 19:39:46 +03:00
Jouni Malinen
b5aebee49e Fixed dbus build without OpenSSL. 2008-06-02 18:45:45 +03:00
Jouni Malinen
ec717917e5 Fixed build without CONFIG_IEEE8021X_EAPOL, but with CONFIG_CTRL_IFACE 2008-05-30 18:43:06 +03:00
Jouni Malinen
1b52ea47e4 Added fragmentation support for EAP-TNC 2008-05-26 12:00:18 +03:00
Jouni Malinen
d9521c7438 Example configuration for EAP-TLS authentication using PKCS#11 TPM token 2008-05-23 19:41:05 +03:00
David Smith
61ee0f71bb Add support to wpa_supplicant configuring eap_peer for client cert and CA
cert on smartcard, plus handling phase2 auth with smartcard same as phase1.
2008-05-23 10:55:30 +03:00
David Smith
e403be0b12 Add setSmartcardModules DBus message to set pkcs11 and opensc options
This will be used by most importantly network manager to set smartcard
options at run time.
2008-04-28 17:15:56 +03:00
Henrik Brix Andersen
a6a89fea36 Fix compilation without IEEE8021X_EAPOL defined 2008-04-28 17:06:43 +03:00
Jouni Malinen
fe2b7dda02 Fixed fallback to full handshake when server rejects PAC-Opaque
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
2008-04-15 17:24:06 +03:00
Jouni Malinen
d6888f9e37 PEAPv0: Added crypto_binding configuration option (part of phase1)
crypto_binding=# in phase1 network parameter can now be used to change the
PEAPv0 cryptobinding behavior (0 = do not use, 1 = optional (default),
2 = required).
2008-04-08 14:57:39 +03:00
Kel Modderman
0e5776f673 Remove the -w option from help output
Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-03-31 11:51:49 +03:00
Kel Modderman
7da6794022 Explain not all driver backends will be compiled into wpa_supplicant binary
Explain that wpa_supplicant supports a variety of drivers, but only a
subset of them are chosen at compile time.

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-03-31 11:49:55 +03:00
Tomasz Wolniewicz
c454f57379 eapol_test: Allow client IP address to be specified
Allow the user to set the IP address of the eapol_test client. This if
very useful when you have a machine with many interfaces and want to use a
particular one for testing RADIUS connectivity. For instance when I run the
national eduroam proxy I can only connect to other server from a particular
address, an our machine happens to have several IPs. So if I want to run
connectivity tests, I must make sure that my test uses a particular
interface. The -A option allows one to set this).

(jm: cleaned up to use radius configuration structure instead of global
variable for the address and added IPv6 support)
2008-03-30 18:15:52 +03:00
Tomasz Wolniewicz
1e4b9da10c Chargeable-User-Identity (RFC 4372) in eapol_test
Implements the Chargable-User-Identity (CUI), as defined in RFC 4372.
Option "-i" causes the eapol_test to send a NUL CUI - which is a request to
send a CUI back. Capital "-I" allows to specify the value of the CUI.
This has been defined for cases where the client wants to reauthenticate.
2008-03-30 17:39:19 +03:00
Jouni Malinen
e7d8003358 EAP-PEAP: Fixed interop issues in key derivation with cryptobinding
It looks like Microsoft implementation does not match with their
specification as far as PRF+ label usage is concerned.. IPMK|CMK is derived
without null termination on the label, but the label for CSK derivation
must be null terminated.

This allows cryptobinding to be used with PEAPv0 in a way that
interoperates with Windows XP SP3 (RC2) and as such, this functionality is
now enabled as an optional addition to PEAPv0.
2008-03-19 16:58:06 +02:00
Jouni Malinen
0ac0e4df1c EAP-PEAP: Moved EAP-TLV processing into eap_peap.c
EAP-PEAP was the only method that used the external eap_tlv.c peer
implementation. This worked fine just for the simple protected result
notification, but extending the TLV support for cryptobinding etc. is not
trivial with such separation. With the TLV processing integrated into
eap_peap.c, all the needed information is now available for using
additional TLVs.
2008-03-18 11:26:17 +02:00
Masakazu Mokuno
b5a357b476 Add support for PS3 Linux wireless driver
This adds support for PS3 wireless to wpa_supplicant.

Although PS3 wireless driver is designed to conform the WEXT standard
as much as possible, unfortunately the wext driver wrapper of
wpa_supplicant can not support PS3 wireless fully because:

 - PS3 wireless driver uses private WEXT ioctls for accepting PSK of
   WPA-Personal from the userland.
   WEXT does not specify the way to do it.

 - The association and 4-way handshake are done by PS3 virtual
   wireless device. The guest OSes can not interfere it.

 - No EAPOL frames are allowed to go outside of the
   hypervisor/firmware nor come from. They are eaten by the firmware.

Thus I needed to make a new driver wrapper for PS3 wireless.

This patch can be applied against the latest 0.6.x tree.

Signed-off-by: Masakazu Mokuno <mokuno@sm.sony.co.jp>
2008-03-13 19:00:37 +02:00
Jouni Malinen
658d166297 FT: Use correct BSSID when deriving PTK and verifying MIC
The old version was using struct wpa_sm::bssid which is not necessarily
updated to point to the correct target address when doing over-the-air FT
since the address is used before the association has actually been
completed.
2008-03-12 11:20:20 +02:00
Ryan Hill
748e54937d The attached patch fixes a few build errors when compiling with GCC 4.3,
caused by a few missing header includes. It was done against 0.5.8, but
still applies to 0.5.10.
2008-03-12 09:39:25 +02:00
Jouni Malinen
502a293e30 TNC: Added TNC server support into documentation and ChangeLogs 2008-03-09 12:14:15 +02:00
Jouni Malinen
4f1c561725 TNC: Added support for using TNC with EAP-FAST 2008-03-09 11:21:01 +02:00
Jouni Malinen
8e888179e1 Make the "invalid group" error show up with default verbosity level 2008-03-06 22:49:46 +02:00
Dan Williams
d113aa91ca Fix qt3 wpa_gui build
When a WpaMsg item to the QValueList WpaMsgList, there's no constructor
that the QValueList can call.  This is a port of the fix from the stable
branch where it builds fine.
2008-03-05 18:30:01 +02:00
Dan Williams
cf7a576f67 Fix potential use-after-free in dbus byte array demarshaling code
The byte array code should be clearing its own pointer, not the string
array pointer.
2008-03-05 16:15:10 +02:00
Jouni Malinen
9474b3a4e4 Added a missing '#' to indicate a comment. 2008-03-05 16:06:43 +02:00
Jouni Malinen
c673c5fc0f Renamed local DBUS_VERSION define to avoid conflict with dbus 1.1 headers 2008-03-05 16:05:26 +02:00
Jouni Malinen
7914585fe0 EAP-FAST: Cleaned up TLV processing and added support for EAP Sequences
Number of TLVs were processed in groups and these cases were now separated
into more flexible processing of one TLV at the time. wpabuf_concat()
function was added to make it easier to concatenate TLVs. EAP Sequences are
now supported in both server and peer code, but the server side is not
enabled by default.
2008-02-27 17:59:34 -08:00
Jouni Malinen
a4819630f6 EAP-FAST: Added shared helper functions for building TLVs 2008-02-27 17:56:30 -08:00
Kel Modderman
eff06a7cdb Enhance manpage with use of emphasis instead of strong quote
The Debian package checker "lintian" was making noise about
wpa_supplicant.conf(5). It was caused by a line beginning with ', which is
apparently not liked by man(1).

I suggest the use of <emphasis>word</emphasis> where 'word' is used at the
moment.

Signed-off-by: Kel Modderman <kel@otaku42.de>
2008-02-27 17:48:23 -08:00
Jouni Malinen
3b46a31ec7 Added files that cg-init excluded 2008-02-27 17:36:06 -08:00
Jouni Malinen
6fc6879bd5 Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00