Commit graph

519 commits

Author SHA1 Message Date
Jouni Malinen
9e783041fa Add a workaround for EAP-FAST with Cisco AP local RADIUS server
When using the internal TLS implementation, EAP-FAST unauthenticated
provisioning ends up proposing multiple cipher suites. It looks like
Cisco AP (at least 350 and 1200 series) local authentication server does
not know how to search cipher suites from the list and seem to require
that the last entry in the list is the one that it wants to use.
However, TLS specification requires the list to be in the client
preference order. As a workaround, ass anon-DH AES-128-SHA1 again at the
end of the list to allow the Cisco code to find it.

This fixed EAP-FAST provisioning with the following IOS version:
Cisco IOS Software, C350 Software (C350-K9W7-M), Version 12.3(8)JEA3,
RELEASE SOFTWARE (fc2)
Compiled Wed 21-Nov-07 14:08 by ccai
2009-03-08 12:04:39 +02:00
Jouni Malinen
a14bda9d9d driver_ndis: Detect Native 802.11 drivers (NDIS 6, Vista)
This is just there very first step on being able to do something with
wireless LAN on Vista. There is some example code for requesting a scan,
but it does not work in its current form. Anyway, this adds a wpa_printf
noting that Native 802.11 drivers are not yet supported.
2009-03-07 23:53:40 +02:00
Jouni Malinen
c472ef754d driver_ndis: Add PAE group address to the multicast address
This is done with wired interfaces to fix IEEE 802.1X authentication
when the authenticator uses the group address (which should be happening
with wired Ethernet authentication).

This allows wpa_supplicant to complete wired authentication successfully
on Vista with a NDIS 6 driver, but the change is likely needed for
Windows XP, too.
2009-03-07 23:10:41 +02:00
Jouni Malinen
4ef1e644eb Determiner whether driver is wired at runtime based on capabilities
Do not use just the driver name for this since driver_ndis.c supports
both wired and wireless NDIS drivers and needs to indicate the driver
type after initialization.
2009-03-07 22:05:43 +02:00
Jouni Malinen
ed843aaa33 WMM-AC: Fix hostapd processing of ADDTS Request and add test code
Calculate the estimated medium time using integer variables since there
is no real need to use floating point arithmetics here. In addition,
make sure there is no division by zero regardless of how invalid the
request from the station is. Reject invalid parameters and refuse
requests that would take most of the bandwidth by themselves.

Add test code into wpa_supplicant mlme.c to allow WMM-AC negotiation to
be tested with driver_test.
2009-03-06 20:15:00 +02:00
Masashi Honma
e1ee6b600b WPS: Add support for NFC out-of-band mechanism
The new file wps_nfc.c and ndef.c implements NFC device independent
operation, wps_nfc_pn531.c implements NFC device dependent operation.

This patch is only for the following use case:
- Enrollee = wpa_supplicant
- Registrar = hostapd internal Registrar

Following NFC methods can be used:
- Enrollee PIN with NFC
- Registrar PIN with NFC
- unencrypted credential with NFC

Encrypted credentials are not supported.

Enrollee side operation:

Registrar side operation:

Example configuration.
CONFIG_WPS=y
CONFIG_WPS_NFC=y
CONFIG_WPS_NFC_PN531=y

I used NFC device "NXP PN531". The NFC device access method is
confidential, so I used outer library. Please download below files from
https://www.saice-wpsnfc.bz/index.php

[WPS NFC Library]
WpsNfcLibrary/WpsNfc.h
WpsNfcLibrary/WpsNfcType.h
WpsNfcLibrary/WpsNfcVersion.h
WpsNfcLibrary/linux/libnfc_mapping_pn53x.dll
WpsNfcLibrary/linux/wpsnfc.dll

[NFC Reader/Writer Kernel Driver]
NFCKernelDriver-1.0.3/linux/kobj/sonyrw.ko

<WiFi test>
The hostapd/wpa_supplicant with this patch passed below tests on
"Wi-Fi WPS Test Plan Version 1.6".
4.2.5 Add device using NFC Method with password token
(I used SONY STA instead of NXP STA.)

4.2.6 Add device using NFC Method with configuration token

5.1.9 Add to AP using NFC Method with password token
through internal registrar
(I used SONY AP instead of NXP AP.)

5.1.10 Add to AP using NFC Method with configuration token
through internal registrar
2009-03-06 16:16:22 +02:00
Jouni Malinen
3ae0800c5f WMM cleanup (WME -> WMM rename, comments, etc.)
This updates the terminogy to match with the final WMM specification. In
addition, some of the WMM TSPEC structure fields were in incorrect order
and used without byte order swapping. Those are also taken care of this
cleanup patch.
2009-03-04 12:33:24 +02:00
Sam Leffler
daa70d49de Add support for wpa_supplicant syslog output
Enable for build: CFLAGS += -DCONFIG_DEBUG_SYSLOG in .config
Enable at runtime: -s on command line
2009-03-02 21:40:44 +02:00
Jouni Malinen
af12135524 Fix hostapd build with RADIUS support removed 2009-03-02 21:25:53 +02:00
Jouni Malinen
1fd4b0db7c Fix EAPOL/EAP reauthentication with external RADIUS server
The EAP server state machine will need to have special code in
getDecision() to avoid starting passthrough operations before having
completed Identity round in the beginning of reauthentication. This was
broken when moving into using the full authenticator state machine from
RFC 4137 in 0.6.x.
2009-03-02 19:06:23 +02:00
Jouni Malinen
049a292f89 Fix builds that need SHA256 or mod_exp, but not TLS functions 2009-02-27 17:46:40 +02:00
Masashi Honma
d7e9a48f66 Fix Enrollee WPS state attribute in AP
Only non-AP Enrollee should hard code the state to be not configured.
2009-02-27 17:01:17 +02:00
Jouni Malinen
358b98668e Update EAP-GPSK references from internet draft to RFC 5433 2009-02-26 23:08:40 +02:00
Jouni Malinen
116f7bb0a3 WPS UFD: Build OOB functionality only if UFD is enabled 2009-02-26 22:10:21 +02:00
Jouni Malinen
d5e2b2d274 WPS UFD: Use pre-configured DH keys only with OOB
The old behavior of generating new DH keys can be maintained for non-OOB
cases and only OOB (in this case, with UFD) will use the pre-configured
DH keys to allow the public key hash to be checked.
2009-02-26 22:09:35 +02:00
Jouni Malinen
7cbf51bbd8 WPS UFD: Remove oob_dev pointer from wps_context
This pointer and the especially the oob_dev->device_path does not remain
valid, so better not save it any longer than it is needed.
2009-02-26 22:07:55 +02:00
Jouni Malinen
1b39bad109 WPS UFD: Handle scandir() error and no matches results differently
Better make sure there are no memory leaks in case of 0 entries
found. In addition, the error string may be of use in the error case.
2009-02-26 22:06:11 +02:00
Jouni Malinen
e7f3c1f436 WPS UFD: Define macros for the UFD directory templates
This allows the UNIX vs. DOS path separators to be handled in the build.
2009-02-26 22:05:39 +02:00
Jouni Malinen
70e070461d WPS UFD: Use private data structure for oob_device_data
This gets rid of global variable use and may be needed to allow
concurrent access in some case if the interface is extended.
2009-02-26 22:04:49 +02:00
Jouni Malinen
390cd3105d WPS UFD: Make build conditional on CONFIG_WPS_UFD=y
Not all embedded devices have USB interface and it is useful to be able
to remove unneeded functionality from the binary. In addition, the
current implementation has some UNIX specific calls in it which may make
it not compile cleanly on all target systems.
2009-02-26 22:01:36 +02:00
Jouni Malinen
a79e73a1b1 WPS UFD: Use mkdir() instead of system("mkdir ..") 2009-02-26 22:00:29 +02:00
Masashi Honma
46bdb83acd WPS: Add UFD support (USBA out-of-band mechanism)
This patch is only for the following use case:
- Enrollee = wpa_supplicant
- Registrar = hostapd internal Registrar

Following UFD methods can be used:
- Enrollee PIN with UFD
- Registrar PIN with UFD
- unencrypted credential with UFD

Encrypted credentials are not supported.

Enrollee side operation:
wpa_cli -i ath0 wps_oob <device type> <mount point> <oob method>
    oob method = pin-e/pin-r/cred

wpa_cli -i ath0 wps_oob ufd /mnt/ pin-r

Registrar side operation:
./hostapd_cli -i ath0 wps_oob <device type> <mount point> <oob method>
    oob method = pin-e/pin-r/cred

hostapd_cli -i ath0 wps_oob ufd /mnt/ cred
2009-02-26 21:57:38 +02:00
Jouni Malinen
b414900a90 Reduce latency on starting WPS negotiation (TX EAPOL-Start earlier)
Reduce startWhen from 3 to 1 second if WPS is included in the build.
While this is done regardless of runtime WPS configuration, it is fine
to use a smaller value here in general. This cuts two seconds out from
WPS negotiation if the driver does not support addition of WPS IE into
the (Re)Association Request frame.
2009-02-23 20:59:27 +02:00
Jouni Malinen
a20088e576 Allow SHA256-based key handshake to be used without 802.11r
Previously, both CONFIG_IEEE80211W=y and CONFIG_IEEE80211R=y were needed
to enable SHA256-based key handshake (WPA-PSK-SHA256 and
WPA-EAP-SHA256). This can now be done with just CONFIG_IEEE80211W=y.
2009-02-19 19:49:34 +02:00
Jouni Malinen
7c2849d2a0 Add BSS flags to scan results to indicate signal quality validity
These flags are used to mark which values (level, noise, qual) are
invalid (not available from the driver) and whether level is using dBm.
D-Bus interface will now only report the values that were available.
2009-02-18 13:40:38 +02:00
Jouni Malinen
d173df5232 nl80211: Use per-scan request WPS IE
Replace the global set probe request IEs mechanism with a new nl80211
option for specifying vendor IEs for each scan request.
2009-02-18 12:49:25 +02:00
Jouni Malinen
878ad127ba Sync nl80211_copy.h with wireless-testing linux/nl80211.h 2009-02-18 11:28:55 +02:00
Jouni Malinen
f2d8fc3d96 Do not try session resumption after EAP failure
If session resumption fails for any reason, do not try it again because
that is just likely to fail. Instead, drop back to using full
authentication which may work. This is a workaround for servers that do
not like session resumption, but do not know how to fall back to full
authentication properly.
2009-02-15 17:36:49 +02:00
Daniel Mierswa
d94d4bafbb Improved 'make install' (use BINDIR/LIBDIR, install shared objects) 2009-02-15 14:22:50 +02:00
Daniel Mierswa
6301cc5d38 Allow the privsep driver to pass the set_country to the real driver 2009-02-15 14:13:27 +02:00
Jouni Malinen
2cfcd014f4 Check EAP-AKA' AT_KDF duplication only if KDF was negotiated
This fixes an issue where two AKA'/Challenge messages are received when
resynchronizing SEQ#. Previously, this used to trigger an authentication
failure since the second Challenge message did not duplicate AT_KDF.
2009-02-15 10:28:55 +02:00
Jouni Malinen
3fe430b5d5 Add debug prints for couple of new EAP-AKA' attributes 2009-02-15 10:28:16 +02:00
Jouni Malinen
ba2a573c5f Rename "broadcast SSID" to "wildcard SSID"
"Wildcard SSID" is the term used in IEEE Std 802.11-2007, so it is a
better name for the zero-length SSID used in Probe Request.
2009-02-14 22:21:17 +02:00
Jouni Malinen
6a1063e008 driver_nl80211: Add support for multi-SSID scan requests 2009-02-14 21:17:46 +02:00
Jouni Malinen
f55b218a5c driver_test: Implement scan2() handler
This does not actually send out separate scan requests for each SSID,
but the debug output can be used to test scan2() functionality with
multiple SSIDs.
2009-02-14 17:11:21 +02:00
Jouni Malinen
fc2b7ed5f3 Add extended driver scan request command: driver_ops::scan2()
This can be used to provide support for scanning multiple SSIDs at a
time to optimize scan_ssid=1 operations. In addition, Probe Request IEs
will be available to scan2() (e.g., for WPS PBC scanning).
2009-02-14 17:01:32 +02:00
Jouni Malinen
362f781e1c Allow multiple driver wrappers to be specified on command line
For example, -Dnl80211,wext could be used to automatically select
between nl80211 and wext. The first driver wrapper that is able to
initialize the interface will be used.
2009-02-14 16:43:43 +02:00
Jouni Malinen
7d315b7b42 nl80211: Remove one second sleep after iface up
This workaround was needed with some drivers that used WEXT, but there
is no known nl80211-enabled driver that would need this, so lets get rid
of the extra delay.
2009-02-12 22:05:36 +02:00
Jouni Malinen
80bc75f135 New driver capability info: max number of scan SSIDs
The driver wrappers can now inform wpa_supplicant how many SSIDs can
be used in a single scan request (i.e., send multiple Probe Requests
per channel). This value is not yet used, but it can eventually be used
to allow a new scan command to specify multiple SSIDs to speed up
scan_ssid=1 operations. In addition, a warning could be printed if
scan_ssid=1 is used with a driver that does not support it
(max_scan_ssids=0).
2009-02-12 22:05:32 +02:00
Jouni Malinen
97865538ba nl80211: Replace WEXT scan event with nl80211
Use the new nl80211 scan event mechanism instead of the WEXT event.
This completes the move from WEXT scanning into nl80211 scanning.
2009-02-12 20:19:49 +02:00
Jouni Malinen
b3db1e1cd3 nl80211: Replace SIOCGIWSCAN with NL80211_CMD_GET_SCAN
This replaces the WEXT mechanism for fetching scan results with the new
nl80211 mechanism.
2009-02-12 20:19:33 +02:00
Jouni Malinen
0e75527f7e nl80211: Replace SIOCSIWSCAN with NL80211_CMD_TRIGGER_SCAN
This is the first step in replacing WEXT-based scan with the new
nl80211-based mechanism.
2009-02-12 20:19:09 +02:00
Jouni Malinen
b938903e41 Sync nl80211.h with the current wireless-testing version 2009-02-12 14:46:26 +02:00
Jouni Malinen
265ca78917 Add another Milenage test set that is suitable for EAP-AKA'
The Test Set 19 from TS 35.208 has an AMF with the separation bit set
and as such, it is suitable for EAP-AKA' testing.
2009-02-11 17:29:03 +02:00
Jouni Malinen
35f30422ec EAP-AKA': Verify that AMF separation bit is set 2009-02-11 17:28:42 +02:00
Helmut Schaa
e1b525c356 Use signal quality if level is not available for comparing max rates
Some drivers (for example ipw2100) do not report signal level but only
signal quality. wpa_supplicant already uses the signal quality if no
level is reported and all other comparision parameters are equal to sort
the scan results. However, if two APs have different max rates and the
signal level does not differ much wpa_supplicant chooses the AP with the
higher max rate.

In case of ipw2100 no signal level is reported and thus wpa_supplicant
always takes the AP with higher max rate even if its signal quality is
really low. For example if AP1 (max rate 11Mb/s, 80% signal quality) and
AP2 (max rate 54 Mb/s, 20% signal quality) are found by a scan
wpa_supplicant would choose AP2.

Hence, if no signal level is reported depend on the signal quality if
max rate should be compared. A quality difference of 10% is considered
acceptable in favor of the higher max rate.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
2009-02-10 13:47:14 +02:00
Jouni Malinen
4853d5ac84 wext: Force disconnect on deauthenticate()
Use the same zero-BSSID, random-SSID trick for both disassociate() and
deauthenticate().
2009-02-10 11:43:40 +02:00
Dan Williams
b965fa7294 wext: really disassociate (set random SSID)
Really disassociate when tearing stuff down; drivers may sometimes
(legally) keep trying to reassociate unless the BSSID is unlocked.  If
the SSID is unlocked too, under WEXT drivers are able to pick an SSID to
associate, so kill that behavior by setting a bogus SSID.  Unfortunately
WEXT doesn't provide an easy method to say "stop whatever doing and just
idle".

Signed-off-by: Dan Williams <dcbw@redhat.com>
2009-02-10 11:40:19 +02:00
Jouni Malinen
edd757e8a3 Use larger buffer for TLS encryption to avoid issues with GnuTLS
It looks like GnuTLS (at least newer versions) is using random padding
on the application data and the previously used 100 byte extra buffer
for tls_connection_encrypt() calls was not enough to handle all cases.
This resulted in semi-random authentication failures with EAP-PEAP and
EAP-TTLS during Phase 2.

Increase the extra space for encryption from 100 to 300 bytes and add an
error message into tls_gnutls.c to make it easier to notice this issue
should it ever show up again even with the larger buffer.
2009-02-09 22:37:55 +02:00
Masashi Honma
363a9e2434 WPS: Set correct Selected Registrar Config Methods attribute
I tried PBC with the hostapd registrar.
I pushed the button with "hostap_cli WPS_PBC".
But hostapd registrar always sends Selected Registrar Config Methods
attribute=0x0000 in beacon/probe response.
2009-02-09 19:50:52 +02:00
Alan T. DeKok
02a89365ab Create os_daemon for OS X, as it's now deprecated (Leopard)
Using it results in an error at build time.  So we replace it.
2009-02-08 13:40:34 +02:00
Jeremy C. Reed
898d6921b4 Allow driver_bsd.c to be built for NetBSD 2009-02-08 13:28:37 +02:00
Jouni Malinen
a3bfd14de1 Use os_strlcpy instead of os_strncpy when copying ifname
In theory, the ifname could be IFNAMSIZ characters long and there would
not be room for null termination.
2009-02-08 13:26:33 +02:00
Jouni Malinen
7818ad2c8f Avoid memory leak on error path in crypto_cipher_init() 2009-02-07 12:07:06 +02:00
Jouni Malinen
23a139246d Add crypto_cipher_{init,encrypt,decrypt,deinit} for GnuTLS 2009-02-07 12:04:45 +02:00
Jouni Malinen
96c7c3072d Fix privsep build with CONFIG_CLIENT_MLME=y
Add wpa_supplicant_sta_free_hw_features() and wpa_supplicant_sta_rx()
for driver wrappers in wpa_priv.
2009-02-07 10:30:32 +02:00
Jouni Malinen
745cb54e86 Removed printf size_t format warning on 64-bit 2009-02-07 10:16:11 +02:00
Pavel Roskin
4c2660c2b0 Fix building dynamic EAP peer modules
Strip directory name from the target in the pattern rule for dynamic
modules.  Remove dynamic modules on "make clean".
2009-02-07 10:05:23 +02:00
Jouni Malinen
d0184cb25c UPnP: Renamed PutWLANResponse callback function to match action
No point in adding extra "event_" to the name.
2009-02-06 21:44:19 +02:00
Jouni Malinen
915c1ba3c5 WPS UPnP: Added support for multiple external Registrars
Allow more than one pending PutWLANMessage data to be stored (M2/M2D
from multiple external Registrars) and drop pending M2/M2D messages when
the Enrollee replies with M3.
2009-02-06 21:39:32 +02:00
Jouni Malinen
745f8b664d WPS UPnP: Add IP address and port details into debug messages
This makes it much easier to debug operations with multiple external
Registrars.
2009-02-06 19:04:55 +02:00
Jouni Malinen
b93b6004e4 WPS: Allow minor version differences in Version attribute check
Version attribute processing details are not described in the WPS spec,
but it is safer to allow minor version to change and only refuse to
process the message if major version is different from ours. This
matches with the behavior used in the Intel reference implementation.
2009-02-06 14:19:59 +02:00
Jouni Malinen
f65cbff3a3 WPS: Moved Version attribute validation into a shared function 2009-02-06 14:15:47 +02:00
Jouni Malinen
fda90ab4b7 UPnP: Removed shadowed variable 2009-02-06 14:05:17 +02:00
Andriy Tkachuk
25e31cccbe WPS: Set correct Device Password ID in M2
It looks like we don't set correspondent Device Password ID attribute in
M2 message during PBC registration. Without it TG185n STA was not able
to connect to our AP in PBC mode. Attached patch fixes this.
2009-02-06 14:03:34 +02:00
Masashi Honma
1e2688be3e Setting probe request ie with madwifi driver
The madwifi driver has interface to set probe request ie.
Attached patch will enable the functionality.
I could see probe request includes WSC IE with this patch.
2009-02-05 19:19:19 +02:00
Jouni Malinen
3a19555445 Add crypto_mod_exp() for GnuTLS (libgcrypt)
This allows WPS to be linked with GnuTLS.
2009-02-05 18:57:26 +02:00
Jouni Malinen
5f1f352e6c Cleaned up printf format warnings on 64-bit build 2009-02-05 18:18:31 +02:00
Jouni Malinen
42f1ee7d1f Fixed scan buffer increasing with WEXT
We can now handle up to 65535 byte result buffer which is the maximum
due to WEXT using 16-bit length field. Previously, this was limited to
32768 bytes in practice even through we tried with 65536 and 131072
buffers which we just truncated into 0 in the 16-bit variable.

This more or less doubles the number of BSSes we can received from scan
results.
2009-02-05 12:00:23 +02:00
Jouke Witteveen
94abc2f11b Better support in RoboSwitch driver
I am terribly sorry, but because of a lack of testing equipment the
patch was submitted not properly tested.
Because the chipset documentation is not publicly available all
behaviour has to be found out by experimentation. The other day, I
made some incorrect assumptions based on my findings.

I do believe the attached patch does support the whole RoboSwitch line
(5325, 5350, 5352, 5365 and others). It is a drop-in substitution for
my previous submission.
2009-02-04 22:05:14 +02:00
Jouni Malinen
e80e5163f8 UPnP: Minor coding style cleanup 2009-02-03 13:25:49 +02:00
Jouke Witteveen
c0a0c97aa9 Better support in RoboSwitch driver
The RoboSwitch driver of wpa_supplicant had one shortcoming: not
supporting the 5365 series. I believe the patch attached fixes this
problem.

Furthermore it contains a small readability rewrite. It basically is an
explicit loop-rollout so that the wpa_driver_roboswitch_leave style
matches that of wpa_driver_roboswitch_join.
2009-02-03 13:13:54 +02:00
Jouni Malinen
6e488ff03c Remove orphaned wpa_cli control socket on EADDRINUSE
If the bind() on /tmp/wpa_ctrl_<pid>_<in-proc-counter> fails with
EADDRINUSE, there is an existing socket file with the name we are trying
to create. Since getpid() is unique, there cannot be another process
using that socket and we can just unlink the file and try again. This
can speed up client connection if wpa_cli is killed without allowing it
to clean up the socket file. [Bug 288]
2009-01-31 22:22:09 +02:00
Jouni Malinen
1c5aeef0c2 Add comments on the new Broadcom driver not using driver_broadcom.c
The newer Broadcom driver ("hybrid Linux driver") supports Linux
wireless extensions and does not need (or even work) with the old
driver wrapper.
2009-01-30 21:34:40 +02:00
Jouni Malinen
f620268f13 WPS: Add support for external Registrars using UPnP transport
This adds mostly feature complete external Registrar support with the
main missing part being proper support for multiple external Registrars
working at the same time and processing of concurrent registrations when
using an external Registrar.

This code is based on Sony/Saice implementation
(https://www.saice-wpsnfc.bz/) and the changes made by Ted Merrill
(Atheros) to make it more suitable for hostapd design and embedded
systems. Some of the UPnP code is based on Intel's libupnp. Copyrights
and licensing are explained in src/wps/wps_upnp.c in more detail.
2009-01-29 18:47:02 +02:00
Jouni Malinen
39034ce80f Fixed WPS Authenticator attribute processing after M2D
We must not replace M1 with M2D as the last_msg since we need M1 to
validate a possible M2 after M2D. Since M2D and ACK/NACK replies do not
include Authenticator attribute, we can just ignore M2D as far as
updating last_msg is concerned.
2009-01-28 11:59:29 +02:00
Jouni Malinen
1a5a04c3de WPS: Add a workaround for incorrect passphrase encoding in Network Key
External Registrar in Vista may include NULL termination in the Network
Key when encoding an ASCII passphrase for WPA/WPA2-PSK. As a workaround,
remove this extra octet if present.
2009-01-24 12:50:00 +02:00
Jouni Malinen
3b2cf800af WPS: Lock AP Setup on multiple AP PIN validation failures
If a Registrar tries to configure the AP, but fails to validate the
device password (AP PIN), lock the AP setup after four failures. This
protects the AP PIN against brute force guessing attacks.
2009-01-23 21:57:43 +02:00
Jouni Malinen
4c29cae932 Added ap_settings option for overriding WPS AP Settings in M7
This optional configuration parameter can be used to override AP
Settings attributes in M7 similarly to extra_cred option for Credential
attribute(s) in M8.
2009-01-23 21:08:55 +02:00
Jouni Malinen
b385188de3 Add an EAPOL payload length workaround for a WPS implementation
Buffalo WHR-G125 Ver.1.47 seems to send EAP-WPS packets with too short
EAPOL header length field (14 octets regardless of EAP frame length).
This is fixed in firmware Ver.1.49, but the broken version is included
in many deployed APs. As a workaround, fix the EAPOL header based on the
correct length in the EAP packet. This workaround can be disabled with
eap_workaround=0 option in the network configuration.
2009-01-23 18:01:03 +02:00
Jouni Malinen
a609915233 Allow WPS APs for PIN enrollment even without Selected Registrar
Some WPS APs do not set Selected Registrar attribute to 1 properly when
using an external Registrar. Allow such an AP to be selected for PIN
registration after couple of scan runs that do not find APs marked with
Selected Registrar = 1. This allows wpa_supplicant to iterate through
all APs that advertise WPS support without delaying connection with
implementations that set Selected Registrar = 1 properly.
2009-01-23 13:10:58 +02:00
Jouni Malinen
b3ddab2122 WPS: Pad DH Public Key and Shared Key to 192 octets
WPS spec is not very specific on the presentation used for the DH
values. The Public Key attribute is described to be 192 octets long, so
that could be interpreted to imply that other places use fixed length
presentation for the DH keys. Change the DH derivation to use fixed
length bufferd by zero padding them from beginning if needed. This can
resolve infrequent (about 1/256 chance for both Public Key and Shared
Key being shorter) interop issues.
2009-01-22 19:32:58 +02:00
Masashi Honma
96fa129da9 Use WPS state Not Configured instead of Configured in Enrollee
This is needed to allow external Registrar (at least the implementation
in Windows Vista) to configure the Enrollee.

With this patch and my previous patch (for wps.c) , I could pass "Wi-Fi
WPS Test Plan Version 1.0 [5.1.4. Add to AP using PIN Config method and
PASS PHRASE through wired external registrar]".
2009-01-22 15:18:03 +02:00
Masashi Honma
e29bcf9eab WPS: Check Device Password ID attribute only if present in AP search
I can't pass the "Wi-Fi WPS Test Plan Version 1.0 [5.1.4. Add to AP
using PIN Config method and PASS PHRASE through wired external
registrar]". The wpa_supplicant-0.6.7 can't recoginize the testbed
AP(BCM94704AGRRev-E.2.4) as WPS PIN AP. Because after PIN entered, the
AP sends Selected Registrar attribute=0 and not send Device Password ID
attribute.

The proposed change as-is removed validation of Selected Registrar
attribute completely. However, that part is not included in this commit
since it can cause problems for environments with multiple WPS-enabled
APs. Another workaround for this will be considered in wpa_supplicant
scanning process (e.g., start trying to use WPS with APs that do not set
Selected Registrar to TRUE after couple of scan runs that do not find
any APs with Selected Registrar TRUE).
2009-01-22 15:12:18 +02:00
Jouni Malinen
aabe26a136 WPS: Added option to disable AP auto-config on first registration
This operation can now be moved into an external program by configuring
hostapd with wps_cred_processing=1 and skip_cred_build=1. A new
ctrl_iface message (WPS-REG-SUCCESS <Enrollee MAC addr> <UUID-E>) will
be used to notify external programs of each successful registration and
that can be used as a tricker to move from unconfigured to configured
state.
2009-01-21 13:48:10 +02:00
Jouni Malinen
05bf32cc87 Changed Credential MAC Address to be BSSID in AP/Registrar
WPS spec is not very clear on which MAC address is used here, but BSSID
makes more sense than Enrollee MAC address.
2009-01-20 21:28:31 +02:00
Jouni Malinen
790ccdb2b3 Changed the version to 0.7.0 since development branch is now 0.7.x 2009-01-20 21:16:29 +02:00
Jouni Malinen
3a4606585c Implement set_probe_req_ie() for nl80211 drivers 2009-01-20 14:06:02 +02:00
Jouni Malinen
b0e8a05a1e Sync nl80211_copy.h with wireless-testing.git linux/nl80211.h 2009-01-20 13:56:58 +02:00
Jouni Malinen
adddffd129 Fixed MFP Association Comeback mechanism to use Timeout Interval IE
The separate Association Comeback Time IE was removed from IEEE 802.11w
and the Timeout Interval IE (from IEEE 802.11r) is used instead. The
editing on this is still somewhat incomplete in IEEE 802.11w/D7.0, but
still, the use of Timeout Interval IE is the expected mechanism.
2009-01-19 18:42:10 +02:00
Jouni Malinen
eca6e0a9a5 WPS: Provide the unparsed Credential attribute to cred_cb()
This makes it easier to pass the credential data to external programs
(e.g., Network Manager) for processing. The actual use of this data is
not yet included in hostapd/wpa_supplicant.
2009-01-17 22:17:12 +02:00
Jouni Malinen
655e466600 Changed the Network Index value to 1 since that is the default value 2009-01-17 21:14:13 +02:00
Jouni Malinen
0f057fb2c7 Added a separate ctx pointer for wpa_msg() calls in WPA supp
This is needed to allow IBSS RSN to use per-peer context while
maintaining support for wpa_msg() calls to get *wpa_s as the pointer.
2009-01-17 17:54:40 +02:00
Jouni Malinen
0d1286e411 Added support for IBSS scanning into driver_test 2009-01-17 16:44:05 +02:00
Jouni Malinen
6fa68a0ee5 Added an option to add (or override) Credential attribute(s) in M8 2009-01-16 22:50:41 +02:00
Jouni Malinen
11ef8d3578 Added initial step for IBSS RSN support
This commit adds a new build option, CONFIG_IBSS_RSN=y, that can be used
to enable RSN support for IBSS. This links in RSN Authenticator code
from hostapd and adds code for managing per-peer information for IBSS. A
new wpa_cli command or driver event can be used to request RSN
authentication with an IBSS peer. New RSN Authenticator and Supplicant
will be allocated for each peer.

The basic state machine setup code is included in this commit, but the
state machines are not properly started yet. In addition, some of the
callback functions are not yet complete.
2009-01-15 01:21:55 +02:00
Jouni Malinen
13268290b6 Moved rsn_pmkid() into shared code to avoid duplication 2009-01-14 21:31:47 +02:00
Dan Williams
8f33641c94 driver_wext: Add IW_ENCODE_TEMP into SIOCSIWENCODE{,EXT} calls
This is needed for airo driver to work correctly and no other driver
seems to care, so the change is safe to make. This has been in number of
distro releases for a long time and no issues have been reported.
2009-01-13 20:42:15 +02:00
Jouni Malinen
540264a721 Removed wpa_sm dereference from pmksa_cache_list() 2009-01-13 20:22:42 +02:00
Jouni Malinen
f5a51b58d4 Moved proto == RSN validation from pmksa_cache.c into the caller 2009-01-13 20:15:06 +02:00
Jouni Malinen
010dc06853 Moved RADIUS Class attribute helpers into RADIUS module 2009-01-13 20:01:29 +02:00
Jouni Malinen
0b8695bb2b Renamed shadowed variable 2009-01-13 19:31:51 +02:00
Jouni Malinen
03ba2cb4c6 Added CONFIG_NO_AES_EXTRAS for hostapd
This allows unneeded AES routines to be removed from the build to reduce
binary size.
2009-01-12 15:15:35 +02:00
Jouni Malinen
3904625396 Silenced some sparse warnings 2009-01-11 10:42:07 +02:00
Jouni Malinen
76e2592190 Share the same radiotap helper implementation 2009-01-09 15:22:19 +02:00
Jouni Malinen
f88bd28836 Added support for removing RADIUS accounting and RADIUS in general
CONFIG_NO_ACCOUNTING=y and CONFIG_NO_RADIUS=y build options can now be
used to remove RADIUS support from the hostapd build.
2009-01-08 19:15:25 +02:00
Jouni Malinen
7d02e64157 Mark shared secret const in RADIUS client routines 2009-01-08 16:41:47 +02:00
Jouni Malinen
1c6e69ccda Moved documentation from developer.txt into source code files
Use Doxygen comments for functions to replace the old text file that was
not up-to-date anymore.
2009-01-08 16:33:00 +02:00
Jouni Malinen
6f78f2fb3b Preparations for 0.6.7 release 2009-01-06 20:11:15 +02:00
Ihar Hrachyshka
7ee6258f7c Fix wpa_supplicant build for uClinux
The code contains a bogus #ifdef for uClinux building. [Bug 286]
2009-01-05 20:32:04 +02:00
Jouni Malinen
b39d1280a7 Silenced number of Doxygen warnings 2009-01-04 15:07:54 +02:00
Jouni Malinen
08c0f0670a Completed Doxygen documentation for functions declared in wps/wps.h 2009-01-04 13:43:05 +02:00
Jouni Malinen
2eba45c8de Added endianness annotation for sparse 2009-01-03 21:00:38 +02:00
Jouni Malinen
5306f43fc3 Fixed sparse warnings about integer vs. pointer use
The configuration parsing functions seemed to have worked fine before,
but these were real bugs even if they did not show up in practice.
hostapd_ip_diff() was broken for IPv6 addresses (overwrote address and
always returned 1.
2009-01-03 20:46:32 +02:00
Jouni Malinen
7e5ba1b916 Mark functions static if not used elsewhere and use proper prototypes 2009-01-03 20:38:42 +02:00
Jouni Malinen
26d1dc96e9 Include the header file to validate function prototype. 2009-01-03 20:21:12 +02:00
Jouni Malinen
c5adf528a2 Moved WPS Registrar initialization from EAP peer to wps_supplicant.c
This matches the style used in hostapd, i.e., Registrar is initialized
only once and callbacks are now processed in wps_supplicant.c.
2009-01-03 20:18:35 +02:00
Jouni Malinen
41c00105f2 Removed registrar pointer from wps_config and wps_data
wps_context::registrar can be used as the only location for this
pointer.
2009-01-03 20:09:35 +02:00
Jouni Malinen
5a8c6d3353 Removed duplicated authenticator yes/no from wps_config and wps_data
wps_context::ap is available for this purpose and there is no need to
change between AP and not AP between protocol runs.
2009-01-03 19:57:22 +02:00
Jouni Malinen
ae2633af63 Removed unused WPS_PENDING processing result 2009-01-03 19:52:20 +02:00
Jouni Malinen
f90c86d4a3 Added Doxygen documentation for WPS code 2009-01-03 19:50:49 +02:00
Jouni Malinen
a17df5fb8b Fixed number of doxygen warnings 2009-01-02 22:28:04 +02:00
Jouni Malinen
dd42f95f71 Move addr_un definitions to avoid using out-of-scope buffer 2009-01-02 21:53:21 +02:00
Jouni Malinen
79da74a20c WPS: Generate UUID based on MAC address, if not set
Generate a SHA1 hash -based UUID from the local MAC address if the UUID
was not configured. This makes it easier to prepare for WPS since there
is no need to generate an UUID.
2009-01-01 22:56:52 +02:00
Jouni Malinen
84f5b41fc1 WPS: Cleanup UUID and MAC address configuration
No need to configure these separately for each Enrollee in wps_config
since wps_context is now used both for Registrar and Enrollee.
2009-01-01 22:56:02 +02:00
Jouni Malinen
e834272f73 Include pending MFP defines in nl80211_copy.h
This can be used to get rid of the extra cpp define since we have our
local copy of wireless.h and nl80211.h.
2008-12-31 18:10:14 +02:00
Jouni Malinen
c2fef14520 Sync nl80211.h copy with the current kernel version 2008-12-31 18:00:07 +02:00
Jouni Malinen
ac43f1fa39 Renamed nl80211 HT channel parameters to match with kernel 2008-12-31 17:59:13 +02:00
Jouni Malinen
c3469d1534 MFP: Fix SA Query Action Category
IEEE 802.11w/D7.0 incorrectly changed the Action Category from 8 to 7
when renaming Ping to SA Query. Category 7 is reserved for HT (IEEE
802.11n) and IEEE 802.11w will need to continue to use the category 8
that was allocated for it.
2008-12-31 17:52:05 +02:00
Jouni Malinen
3f732d1fc3 Fix TLS message processing if Flags field is not present
Previous version assumed that the Flags field is always present and
ended up reading one octet past the end of the buffer should the Flags
field be missing. The message length would also be set incorrectly
(size_t)-1 or (size_t)-5, but it looks like reassembly code ended up
failing in malloc before actually using this huge length to read data.

RFC 2716 uses a somewhat unclear description on what exactly is included
in the TLS Ack message ("no data" can refer to either Data field in 4.1
or TLS Data field in 4.2), so in theory, it would be possible for some
implementations to not include Flags field. However,
EAP-{PEAP,TTLS,FAST} need the Flags field in Ack messages, too, for
indicating the used version.

The EAP peer code will now accept the no-Flags case as an Ack message if
EAP workarounds are enabled (which is the default behavior). If
workarounds are disabled, the message without Flags field will be
rejected.

[Bug 292]
2008-12-30 12:28:02 +02:00
Jouni Malinen
98de443890 WPS: Set recommended retransmission times with EAP method specific hint 2008-12-29 18:50:37 +02:00
Jouni Malinen
8e09c6d253 Fixed retransmission of EAP requests if no response is received
It looks like this never survived the move from IEEE 802.1X-2001 to
IEEE 802.1X-2004 and EAP state machine (RFC 4137). The retransmission
scheduling and control is now in EAP authenticator and the
calculateTimeout() producedure is used to determine timeout for
retransmission (either dynamic backoff or value from EAP method hint).

The recommended calculations based on SRTT and RTTVAR (RFC 2988) are not
yet implemented since there is no round-trip time measurement available
yet.

This should make EAP authentication much more robust in environments
where initial packets are lost for any reason. If the EAP method does
not provide a hint on timeout, default schedule of 3, 6, 12, 20, 20, 20,
... seconds will be used.
2008-12-29 18:10:34 +02:00
Jouni Malinen
65d50f0ac6 Add RADIUS server support for identity selection hint (RFC 4284)
Previously, only the delivery option 1 from RFC 4284
(EAP-Request/Identity from the AP) was supported. Now option 3
(subsequent EAP-Request/Identity from RADIUS server) can also be used
when hostapd is used as a RADIUS server. The eap_user file will need to
have a Phase 1 user entry pointing to Identity method in order for this
to happen (e.g., "* Identity" in the end of the file). The identity hint
is configured in the same was as for AP/Authenticator case (eap_message
in hostapd.conf).
2008-12-26 20:22:12 +02:00
Jouni Malinen
ff89afb77b Add Key Length field into IGTK sub-element (FTIE) per 802.11w/D7.0 2008-12-26 12:49:15 +02:00
Jouni Malinen
93b76319f1 Renamed Ping procedure into SA Query procedure per 802.11w/D7.0
This commit changes just the name and Action category per D7.0. The
retransmit/timeout processing in the AP is not yet updated with the
changes in D7.0.
2008-12-26 11:46:21 +02:00
Jouni Malinen
9a9876bf9c Fixed the MFP Status/Reason Code values per 802.11w/D7.0 2008-12-26 11:29:17 +02:00
Jouni Malinen
34cbe7d0b0 WPS: As a workaround, pad zero-length device attributes
Some deployed WPS implementations fail to parse zero-length attributes.
As a workaround, send a null character if the device attribute string is
empty. This allows default values (empty strings) to be used without
interop issues.
2008-12-25 21:19:46 +02:00
Andriy Tkachuk
febc0551c5 WPS: Do not use Selected Registrar Config Methods from scan results
Before this change, it looked like an AP that was using wsccmd did not
get activated since wsccmd left the Selected Registrar Config Methods
attribute to be zero. Since Device Password ID can be used to
distinguish PBC from any other method, use only it to figure out whether
PBC or PIN method is active.
2008-12-25 20:33:00 +02:00
Jouni Malinen
af7837feff Added get_interfaces() handler to list all NDIS adapters 2008-12-24 21:31:14 +02:00
Jouni Malinen
4b4a8ae547 Added a mechanism for quering driver wrappers for available interfaces
The new INTERFACE_LIST global control interface command can be used to
request a list of all available network interfaces that could be used
with the enabled driver wrappers. This could be used to enable
interfaces automatically by external programs (e.g., wpa_gui).
2008-12-24 20:25:19 +02:00
Jouni Malinen
3cf85239bd Mark local functions static. 2008-12-22 22:27:25 +02:00
Jouni Malinen
ac305589a3 Added support for global driver data (shared by multiple interfaces)
Driver wrappers can now register global_init() and global_deinit()
driver_ops handlers to get a global data structure that can be shared
for all interfaces. This allows driver wrappers to initialize some
functionality (e.g., interface monitoring) before any interfaces have
been initialized.
2008-12-22 22:24:31 +02:00
Jouni Malinen
d6e0ce9ac8 Use wildcard UUID when setting AP PIN for Registrar in wpa_supplicant 2008-12-21 17:37:40 +02:00
Jouni Malinen
723763cba0 Fixed NDIS AuthMode configuration for WPS connection 2008-12-21 17:27:32 +02:00
Jouni Malinen
a2b3a34bab IANA allocated EAP method type 51 to EAP-GPSK 2008-12-20 12:39:24 +02:00
Jouni Malinen
ad5302a1ca WPS: Added event callback for successfully completed registration 2008-12-19 22:34:18 +02:00
Jouni Malinen
469fc3a41f WPS: Added callback for failure-after-M2/M2D
This callback is now used to stop wpa_supplicant from trying to continue
using parameters (most likely, device password) that do not work in a
loop. In addition, wpa_gui can now notify user of failed registration.
2008-12-19 22:19:41 +02:00
Jouni Malinen
4b68290e77 WPS: Added event callback and M2D notification
The event callback will be used for various event messages and the M2D
notification is the first such message. It is used to notify wpa_gui
about Registrar not yet knowing the device password (PIN).
2008-12-18 21:58:42 +02:00
Andriy Tkachuk
f086742432 Fix CONFIG_WPS=y, CONFIG_TLS=internal build
crypto_mod_exp() is needed for both EAP-FAST and WPS.
2008-12-18 20:10:18 +02:00
Jouni Malinen
f0477201bd WPS: Fixed deinit code for freeing config and registrar data
We need to be a bit more careful when removing the WPS configuration
block since wpa_s->current_ssid may still be pointing at it. In
addition, registrar pointer in wps_context will need to be cleared
since the context data is now maintained over multiple EAP-WSC runs.
Without this, certain WPS operations could have used freed memory.
2008-12-18 01:06:06 +02:00
Jouni Malinen
a92c421d1a WPS: Improved error processing to use NACK correctly
Instead of sending out EAP-Failure on errors (on AP) or stopping (on
Supplicant), send a NACK message based on the allowed EAP state machine
transitions for EAP-WSC.
2008-12-16 22:37:55 +02:00
Jouni Malinen
ac5953db66 Fixed EAP-AKA build in case EAP-AKA' is disabled 2008-12-16 18:57:49 +02:00
Jouni Malinen
ff8a53a8d7 Use a fixed wps_msg prefix with WPS creds notification 2008-12-15 22:32:45 +02:00
Jouni Malinen
a524f05eb3 WPS: Added control interface notification for available WPS APs
Whenever new scan results include WPS AP(s) and the client is not
associated, send a notification message to control interface monitors.
This makes it easier for GUIs to notify the user about possible WPS
availability without having to go through the scan results.
2008-12-15 20:09:57 +02:00
Jouni Malinen
f4f2774a96 Fixed interoperability issue with PEAPv0 cryptobinding and NPS
Windows Server 2008 NPS gets very confused if the TLS Message Length is
not included in the Phase 1 messages even if fragmentation is not used.
If the TLS Message Length field is not included in ClientHello message,
NPS seems to decide to use the ClientHello data (excluding first six
octets, i.e., EAP header, type, Flags) as the OuterTLVs data in
Cryptobinding Compound_MAC calculation (per PEAPv2; not MS-PEAP)..

Lets add the TLS Message Length to PEAPv0 Phase 1 messages to get rid of
this issue. This seems to fix Cryptobinding issues with NPS and PEAPv0
is now using optional Cryptobinding by default (again) since there are
no known interop issues with it anymore.
2008-12-15 00:15:54 +02:00
Jouni Malinen
000a1de72b Cleaned up EAP-MSCHAPv2 key derivation
Changed peer to derive the full key (both MS-MPPE-Recv-Key and
MS-MPPE-Send-Key for total of 32 octets) to match with server
implementation.

Swapped the order of MPPE keys in MSK derivation since server
MS-MPPE-Recv-Key | MS-MPPE-Send-Key matches with the order specified for
EAP-TLS MSK derivation. This means that PEAPv0 cryptobinding is now
using EAP-MSCHAPv2 MSK as-is for ISK while EAP-FAST will need to swap
the order of the MPPE keys to get ISK in a way that interoperates with
Cisco EAP-FAST implementation.
2008-12-14 13:12:20 +02:00
Jouni Malinen
329a55b314 Ported driver_test to Windows (only UDP socket available) 2008-12-12 22:41:18 +02:00
Jouni Malinen
e33bbd8f4d driver_test: Optional support for using UDP socket
driver_test can now be used either over UNIX domain socket or UDP
socket. This makes it possible to run the test over network and makes it
easier to port driver_test to Windows.

hostapd configuration: test_socket=UDP:<listen port>
wpa_supplicant configuration: driver_param=test_udp=<dst IP addr>:<port>
2008-12-12 21:35:22 +02:00
Jouni Malinen
2ff0f83b9e Comment out dynamic CertEnumCertificatesInStore loading by default
This is now available in MinGW header files, so the loading code is
triggering conflicts.
2008-12-11 00:57:15 +02:00
Jouni Malinen
9e72e1d356 Workaround number of compiler warnings with newer MinGW version 2008-12-11 00:56:37 +02:00
Jouni Malinen
702c349e5e Resolved number of signed/unsigned mismatches and ntddndis.h location 2008-12-11 00:55:33 +02:00
Jouni Malinen
47ce4bfc38 Rename MSG to MESG to avoid conflicts with Windows header files 2008-12-11 00:54:49 +02:00
Jouni Malinen
3ee81d489a Don't include unused calls to SHA256 functions if EAP-AKA' is not enabled 2008-12-11 00:49:39 +02:00
Luis R. Rodriguez
6d1584905c wpa_supplicant: Add support for setting of a regulatory domain
This adds support for setting of a regulatory domain to wpa_supplicant
drivers. It also adds regulatory domain setting for the nl80211 driver.
We expect an ISO / IEC 3166 alpha2 in the wpa configuration file as a
global.
2008-12-09 22:11:14 +02:00
Jouni Malinen
7e45830ab7 nl80211: Include copy of linux/nl80211.h with hostapd/wpa_supplicant
This makes it easier to build the packages and allows all new features
to be built into the binary regardless of which kernel is currently
used.
2008-12-08 11:04:13 +02:00
Jouni Malinen
9478eaef53 Added option to force SoH version 1 (tnc=soh1)
The default version with tnc=soh remains to be 2 which is the currently
recommended version in SoH specification.
2008-12-07 21:00:42 +02:00
Jouni Malinen
a9d1364c5f Merged EAP-AKA' into eap_aka.c and added it to defconfig/ChangeLog 2008-12-07 19:24:56 +02:00
Jouni Malinen
01b0569437 Added protection against EAP-AKA' -> EAP-AKA bidding down attacks
AT_BIDDING attribute is included in EAP-AKA/Challenge to allow peer to
know whether the server would have preferred EAP-AKA'.
2008-12-05 22:25:47 +02:00
Jouni Malinen
8de5048e26 Fixed a typo in a comment 2008-12-04 22:15:51 +02:00
Jouni Malinen
a478ef0d12 EAP-AKA': Added CK',IK' derivation
This is based on a change request 3GPP TS 33.402 CR 0033 for version
8.1.1. The hardcoded ANID is now 'WLAN' since that is used in
3GPP TS 24.302.
2008-12-04 21:50:56 +02:00
Jouni Malinen
a49c428a1b EAP-AKA': Comment out EAP-AKA' server KDF negotiation
Since only one KDF is currently supported, the negotiation is not
allowed and peer must be rejected if it tries to send KDF selection in a
Challenge message. The negotiation code is left in the file and just
commented out since it was tested to work and can be used in the future
if another KDF is added.
2008-12-04 20:32:56 +02:00
Jouni Malinen
6ec4021c03 EAP-AKA': Added processing of AT_KDF and AT_KDF_INPUT attributes
Network Name is not yet generated and validated based on 3GPP.33.402
(i.e., a hardcoded string is used in server and anything is accepted in
peer).
2008-12-04 20:29:46 +02:00
Jouni Malinen
b8ab624984 Fixed EAP-SIM and EAP-AKA AT_IDENTITY parsing (server only)
The attribute uses 'Actual Identity Length' field to indicate the exact
(pre-padding) length of the Identity. This actual length should be used
as the length, not the remaining attribute length.

This was previously worked around by stripping null termination away
from the end of the identity string at EAP-SIM and EAP-AKA server code.
However, it is likely that that workaround is not really needed and the
real problem was in AT_IDENTITY parsing. Anyway, the workaround is left
in just in case it was really needed with some implementations.
2008-12-04 18:51:42 +02:00
Jouni Malinen
15828ba820 Made 802.11 management frame IE parser aware of vendor HT Capab IE
This IE is not (at least yet) actually used for anything, but parsing it
cleans up verbose debug log a bit since thie previously unknown, but
commonly used, vendor IE was being reported as unknown.
2008-12-04 13:42:33 +02:00
Jouni Malinen
73d48dc4b4 EAP-AKA': Allow both AKA AKA' to be registed from eap_aka_prime.c
This allows the same source code file to be shared for both methods. For
now, this is only in eap_aka_prime.c, but eventually, changes in
eap_aka_prime.c are likely to be merged into eap_aka.c at which point
the separate eap_aka_prime.c can be removed.
2008-12-03 19:59:52 +02:00
Jouni Malinen
9881795e2c EAP-AKA': Derive keys using the new KDF (PRF') 2008-12-03 19:22:20 +02:00
Jouni Malinen
806f869918 EAP-AKA': Use HMAC-SHA-256-128 for AT_MAC 2008-12-02 21:29:26 +02:00
Jouni Malinen
f54e2c34bf EAP-AKA': Use SHA256 for AT_CHECKCODE 2008-12-02 21:05:38 +02:00
Jouni Malinen
f09d19d46a Use a variable to store EAP method type for EAP-AKA vs. EAP-AKA'
This makes it easier to eventually replace EAP-AKA implementation with a
shared implementation that supports both EAP-AKA and EAP-AKA'.
2008-12-02 20:27:05 +02:00
Jouni Malinen
8c37556cd1 Add a starting point for EAP-AKA' (draft-arkko-eap-aka-kdf-10)
This is just making an as-is copy of EAP-AKA server and peer
implementation into a new file and by using the different EAP method
type that is allocated for EAP-AKA' (50). None of the other differences
between EAP-AKA and EAP-AKA' are not yet included.

It is likely that once EAP-AKA' implementation is done and is found to
work correctly, large part of the EAP-AKA and EAP-AKA' code will be
shared. However, it is not reasonable to destabilize EAP-AKA
implementation at this point before it is clearer what the final
differences will be.
2008-12-02 20:12:49 +02:00
Jouni Malinen
08bec36178 WPS: Added support for wildcard PINs that work with any UUID-E
Since the Registrar may not yet know the UUID-E when a new PIN is
entered, use of a wildcard PIN that works with any UUID-E can be useful.
Such a PIN will be bound to the first Enrollee trying to use it and it
will be invalidated after the first use.
2008-11-30 20:32:03 +02:00
Jouni Malinen
79d7d8efe7 WPS: Added more verbose debug info on authentication type mismatch 2008-11-30 19:56:11 +02:00
Jouni Malinen
351f09a221 WPS: Added support for fragmented WPS IE in Beacon and Probe Response
Fragment WPS IE if needed to fit into the IE length limits in hostapd
and Reassemble WPS IE data from multiple IEs in wpa_supplicant.

In addition, moved WPS code from events.c into wps_supplicant.c to clean
up module interfaces.
2008-11-29 22:06:34 +02:00
Jouni Malinen
23f53f2a81 WPS: Get AP PIN from configuration instead of using hardcoded value 2008-11-29 21:07:35 +02:00
Jouni Malinen
e05716d0b0 WPS: Added helper functions for generating and validating PINs 2008-11-29 14:02:09 +02:00
Jouni Malinen
b01c18a8ef WPS: Set Request Type properly into WPS IE in ProbeReq/AssocReq 2008-11-29 13:38:03 +02:00
Jouni Malinen
b8a8c299c8 WPS: Moved WPS IE building for ProbeReq/AssocReq into wps.c
These functions fit in better with the category of functions included in
wps.c. wps_common.c is now used for generic helper functions (currently,
only crypto code).
2008-11-29 13:21:28 +02:00
Jouni Malinen
7d7b8e960a WPS: Split wps_common.c into parts
To make it easier to find various functions, attribute functions were
split into wps_attr_{build,parse,process}.c.
2008-11-29 13:16:26 +02:00
Jouni Malinen
120bd30c34 WPS: Moved RF Bands processing into wps_dev_attr.c
This allows the RF Bands attribute to be configured and stored.
2008-11-29 12:59:43 +02:00
Jouni Malinen
c0d041d9a7 WPS: Moved ProbeReq/AssocReq WPS IE building into wps_common.c
This code and the related attributes are not specific to Enrollee
functionality, so wps_common.c is the correct location for them.
2008-11-29 12:44:02 +02:00
Jouni Malinen
7d7c918d97 WPS: Pass device data into wps_enrollee_build_probe_req_ie()
Use configured device data instead of hardcoded values to generate WPS
IE for Probe Request.
2008-11-29 12:19:30 +02:00
Jouni Malinen
eb76b7e3ff WPS: Parse Request Type from WPS IE in (Re)AssocReq and derive mgmt keys
WPS IE is now passed from hostapd association processing into EAP-WSC
and WPS processing. Request Type attribute is parsed from this
information and if the request is for a WLAN Manager Registrar,
additional management keys are derived (to be used with UPnP).
2008-11-29 12:11:56 +02:00
Jouni Malinen
e9ab39b444 WPS: Added comments for main data structures 2008-11-28 20:50:08 +02:00
Jouni Malinen
398cfbf6be WPS: Moved mac_addr and uuid configuration into wps_context
There is no need to complicate EAPOL and EAP interfaces with WPS
specific parameters now that wps_context is passed through.
2008-11-28 20:44:47 +02:00
Jouni Malinen
116654ce24 WPS: Moved wps_context initialization into wps_supplicant.c
The wps_context data is now managed at wpa_supplicant, not EAP-WSC. This
makes wpa_supplicant design for WPS match with hostapd one and also
makes it easier configure whatever parameters and callbacks are needed
for WPS.
2008-11-28 20:32:13 +02:00
Jouni Malinen
bcbbc7af45 WPS: Merged two cred_cb variables into the same one
Previously, wpa_supplicant as Enrollee case was handled using a
different callback function pointer. However, now that the wps_context
structure is allocated for all cases, the same variable can be used in
all cases.
2008-11-28 20:02:32 +02:00
Jouni Malinen
ff434cbdda WPS: Moved device attributes into wps_context::dev for Enrollee case
Previously, hardcoded values were used in wps_enrollee.c. These are now
moved into shared data in struct wps_context. In case of
AP/Authenticator, these are initialized in wps_hostapd.c. In case of
client/supplicant, these are now initialized in EAP-WSC peer method,
but will probably end up being moved into higher layer for better
configuration.
 EAP-WSC peer method for
2008-11-28 19:29:22 +02:00
Jouni Malinen
9d695f3dd0 WPS: Update supplicant configuration when acting as an external Registrar
This allows the network to be used after the Registrar configuration
step. The local WPS network is replaced with a new network block
similarly to the case of acting as an Enrollee.
2008-11-27 21:23:43 +02:00
Jouni Malinen
3f42d42c07 WPS: Moved Credential building to use struct wps_credential
This makes it easier to store old AP settings into wps->cred (and allow
them to modified and taken into use in the future). Separation between
Credential and AP Settings building is also cleaner in this design.
2008-11-27 21:14:39 +02:00
Jouni Malinen
96a2ed9f50 WPS: Process old AP Settings in M7 when registering as external Registrar
The old (i.e., currently used) AP Settings are processed. For now, they
are copied as-is into M8 as new AP Settings to avoid changing
configuration. This should be changed to allow external programs (e.g.,
GUI) to fetch the old AP settings over ctrl_iface and then allow
settings to be changed before sending M8 with the new settings.
2008-11-27 20:32:39 +02:00