wpa_supplicant can now be built with FIPS capable OpenSSL for FIPS mode
operation. Currently, this is only enabling the FIPS mode in OpenSSL
without providing any higher level enforcement in wpa_supplicant.
Consequently, invalid configuration will fail during the authentication
run. Proper configuration (e.g., WPA2-Enterprise with EAP-TLS) allows
the connection to be completed.
An SMC router was reported to use 0x22 (WPAPSK + WPA2PSK) in the
authentication type of the provisioned credential and wpa_supplicant
rejected this as invalid. Work around this by replacing WPAPSK + WPA2PSK
with WPA2PSK.
This is a (hopefully) temporary workaround to allow the same source code
tree to be used for building hostapd and wpa_supplicant without having
to manually force recompilation of some files. Currently, some of the
driver wrapper files need to be built separately for hostapd and
wpa_supplicant (#ifdef's in the files based on AP functionality).
This is somewhat racy as far as parallel make execution is concerned,
i.e., it may be necessary to run "make -j#" twice (plain "make" works
fine. Since this is supposed to be a temporary workaround, there is not
much point in trying to fix this with any more complex make processing.
Instead of having all driver stuff collected across wpa_supplicant
and hostapd, create a common snippet that they both include and
that handles the build configuration.
Change existing CONFIG_LIBNL20 compatibility code in
driver_nl80211.c to be used by both wpa_supplicant
and hostapd, but take care of nl_handle too now.
Propagate CONFIG_LIBNL20 out of .config file and onto
CFLAGS in the Makefile.
Use libnl-gen now too.
Signed-off-by: Jon Loeliger <jdl@bigfootnetworks.com>
---
Since we do not currently support changing the AP settings received
from M7, there is no point in actually sending out the M8 that would
likely trigger the AP to reconfigure itself and potentially reboot.
For now, we just receive the AP settings in M7 and add a local network
configuration block based on those, but NACK the message. This makes
wps_reg work like wps_pin, but by using the AP PIN instead of a client
PIN.
When the supplicant is connected and performs a scan, it doesn't enter
WPA_SCANNING state for various reasons. However, external programs
still need to know that the supplicant is scanning since they may not
wish to perform certain operations during a scan (as those operations
will likely fail or yield incorrect results). Add a 'scanning' property
and signal to the supplicant dbus interface to allow clients to
synchronize better with the supplicant when it scans.
Signed-off-by: Dan Williams <dcbw@redhat.com>
hostapd_cli wps_pin command can now have an optional timeout
parameter that sets the PIN lifetime in seconds. This can be used
to reduce the likelihood of someone else using the PIN should an
active PIN be left in the Registrar.
I've exported the methods wpsPbc, wpsReg and wpsPin (patch attached),
so wpa_supplicant should be able to connect with WPS using the dbus
interface. I couldn't test it well because the problem seems to be in
my wireless card, a Broadcom BCM4328. At least it seems to do the same
using both interfaces. With ndiswrapper driver the "wpsie" entry
(thanks Dan!) didn't appear, and with the Broadcom wl driver it
appears but I cannot associate using WPS.
Add a new DBus method "setDebugParams" which takes the parameters
debug_level, debug_timestamp and show_keys as input and updates the
internal debug variables accordingly.
To change the debug level, enable/disable timestamps and enable/disable
show_keys the following dbus-send command can be used:
dbus-send --system --dest=fi.epitest.hostap.WPASupplicant --print-reply
/fi/epitest/hostap/WPASupplicant fi.epitest.hostap.WPASupplicant.setDebugParams
int32:0 boolean:false boolean:false
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
When in AP mode, wpa_supplicant is now enabling WPS (only Internal
Registrar). wpa_cli wps_pbc and wps_pin commands can be used to initiate
WPS negotiation similarly to how this is done in station mode (though,
the BSSID parameter is ignored).
There is no point in trying to continue if a 4-way handshake frame is
discarded or if PTK/GTK/IGTK configuration fails. Force the client to
disconnect in such a case to avoid confusing user by claiming the
connection was successfully completed.