Commit message (Collapse)AuthorAgeFilesLines
* EAP-TLS server: Fix TLS Message Length validationHEADmasterJouni Malinen2012-10-071-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS Message Length value properly and could end up trying to store more information into the message buffer than the allocated size if the first fragment is longer than the indicated size. This could result in hostapd process terminating in wpabuf length validation. Fix this by rejecting messages that have invalid TLS Message Length value. This would affect cases that use the internal EAP authentication server in hostapd either directly with IEEE 802.1X or when using hostapd as a RADIUS authentication server and when receiving an incorrectly constructed EAP-TLS message. Cases where hostapd uses an external authentication are not affected. Thanks to Timo Warns for finding and reporting this issue. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1 (cherry picked from commit 586c446e0ff42ae00315b014924ec669023bd8de) (cherry picked from commit f3043318970a98c98e968ed17b3e2f49dc42c646) Conflicts: src/eap_server/eap_tls_common.c
* Fix fallback from failed PMKSA caching into full EAP authenticationJouni Malinen2010-10-041-1/+9
| | | | | | | | | | | | | | | Commit 83935317a78fb4157eb6e5134527b9311dbf7b8c added forced disconnection in case of 4-way handshake failures. However, it should not have changed the case where the supplicant is requesting fallback to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is not know. This case needs to send an EAPOL-Start frame instead of EAPOL-Key message 2/4. This works around a problem with APs that try to force PMKSA caching even when the client does not include PMKID in (re)association request frame to request it. [Bug 355] (cherry picked from commit b4a1256d3660a2b5239062a9b42de79b8a34286a) (cherry picked from commit a5277ad2a182e0264715533c11ed9a90296298e4)
* Fix WPS IE in Probe Response frame to include proper Config Methods valuesJouni Malinen2010-08-281-1/+5
| | | | | | | | This attribute is supposed to indicate which methods the AP supports as an Enrollee for adding external Registrars. It was left to 0 when the AP code did not yet support external Registrars and was forgotten when the ER support was added. (cherry picked from commit bdda27eb171893aaa8bf2f574fca517facda176b)
* Move DTIM period configuration into Beacon set operationJouni Malinen2010-02-202-6/+4
| | | | | | | | | | This is needed to make mac80211 work with multi-BSS configuration. The previous design ended up setting DTIM period for secondary BSSes before setting the Beacon and driver_nl80211.c was not really prepared for that. Eventually, the Beacon configuration routines should be combined into a single driver operation, but for now, just moving this call is the simplest workaround. (cherry picked from commit eb1f7446b5b86cceb1508f060f5e66e5dd791a4d)
* Use LDFLAGS in all linker commandsBjarke Istrup Pedersen2010-02-082-11/+11
| | | | | | When building hostapd and wpa_supplicant, the build system does not respect the LDFLAGS selected in the environment in some cases. [Bug 311] (cherry picked from commit 466940c55e101fd9d8c4b813361d2d90c11006ee)
* wext: Add cfg80211-specific optimization to avoid silly behaviorJouni Malinen2010-01-122-3/+39
| | | | | | | | | | | | If the driver is detected to use cfg80211, we can rely on it being able to disconnect with SIOCSIWMLME commands and to use empty SSID as a way to stop it from associating when we are in progress of configuring the driver for association. Consequently, we can remove the hack that uses random 32-octet SSID to force disconnection and re-order association commands to match the expectations that cfg80211 has for WEXT ioctls. This gets rid of extra scan rounds and attempts to associate with the silly 32-octet SSID. (cherry picked from commit 3145e6154c11355631b846b0dd2c57eead255401)
* Preparations for 0.6.10 releasehostap_0_6_10Jouni Malinen2010-01-123-3/+32
* Fix MinGW build: CertCreateCertificateContext() is now knownJouni Malinen2010-01-091-18/+3
| | | | (cherry picked from commit de979ef18c1aced0597e342de7dab37c15718090)
* nl80211/wext: Hardcode all auth_algs as supportedJouni Malinen2010-01-092-0/+6
| | | | | | There does not seem to be a driver interface for fetching auth_algs capability, but this may be used by some external application, so hardcode all auth_algs as supported for now.
* EAP-FAST server: Piggyback Phase 2 start with end of Phase 1Jouni Malinen2010-01-091-16/+61
| | | | | | | | If Finished message from peer has been received before the server Finished message, start Phase 2 with the same message to avoid extra roundtrip when the peer does not have anything to send after the server Finished message. (cherry picked from commit c479e41f53b10ff91f4c1e183c441da76d47f05e)
* Fix init2() driver_ops to get the correct global driver contextJouni Malinen2010-01-092-3/+7
| | | | | | | Need to provide the private driver context, not the wpa_supplicant global context, in init2() call. (this is a backported version of 8a5ab9f5e56cd2f5781c2d92f41495e60d544780 and d8222ae38c3be3fba794462d11fed8b57590c7f5)
* wpabuf: Allow wpabuf_resize(NULL, len) to be usedJouni Malinen2010-01-091-0/+4
| | | | | | This matches with realloc() usage, i.e., allocate a new buffer if no buffer was specified. (cherry picked from commit 859db534bf29e360adfdc7da6a0bf0ad86fc1ec2)
* Fix memory leak on RSN preauth init error pathJouni Malinen2010-01-091-0/+1
| | | | (cherry picked from commit 1ce77dcc66bdd8c44f85d1bea95526e4407953e9)
* Fix WMM default parametersLennert Buytenhek2010-01-091-3/+3
| | | | | | | | | wmm_ac_??_cw{min,max} parameters are in log form When the wme_ac_??_cw{min,max} parameters aren't specified in hostapd.conf, hostapd uses an incorrect set of default values, as the defaults are in 2^x-1 form instead of in log form. This patch changes them over to the expected log form.
* Mark fmt parameter const for wpa_printf/msgJouni Malinen2010-01-092-6/+7
| | | | (cherry picked from commit 0de4da91c1cc8bcdfd5b29aa7b33887a1f8e3775)
* WPS: Clear SSID selection if more than one BSSID match is foundJouni Malinen2010-01-091-2/+15
| | | | | | | Need to use wildcard SSID matching for WPS connection if the same BSSID occurs multiple time in scan results since any of the SSIDs may be used. (cherry picked from commit f7e54365022cd30de16e32d4a88e085861243881)
* Fix a typo in a doxygen commentJouni Malinen2010-01-091-1/+1
| | | | (cherry picked from commit 60ad2c7befcaba3be072ab20368418a41dd828b9)
* radius_example: Fix memory leak on deinitJouni Malinen2010-01-091-0/+1
| | | | (cherry picked from commit f42cdcc894a0f6511430d3d5fa984edd04f9ebf1)
* Fix RADIUS client callback function parametersJouni Malinen2010-01-091-1/+2
| | | | (cherry picked from commit 174e899f698eeafe40e77616aad0b50803d7ad3b)
* Fix memory leak in config freeingJouni Malinen2010-01-091-0/+2
| | | | | | Both supported_rates and basic_rates arrays must be freed when freeing hostapd configuration. (cherry picked from commit 79d6c85ffd135eed5fbd62481fa3b8347093555f)
* Allow TLS flags to be configured (allow MD5, disable time checks)Jouni Malinen2010-01-093-0/+43
| | | | | | | | | | | | | | Undocumented (at least for the time being) TLS parameters can now be provided in wpa_supplicant configuration to enable some workarounds for being able to connect insecurely to some networks. phase1 and phase2 network parameters can use following options: tls_allow_md5=1 - allow MD5 signature to be used (disabled by default with GnuTLS) tls_disable_time_checks=1 - ignore certificate expiration time For now, only the GnuTLS TLS wrapper implements support for these. (cherry picked from commit 29446569253c689356e7519feacddb7c923015cf)
* GnuTLS: Report certificate validation failures with TLS alertJouni Malinen2010-01-091-3/+29
| | | | | In addition, show more detailed reason for the failure in debug log. (cherry picked from commit 4a1e97790de4c3e9ddc3aed98836a2a2b26a0ad8)
* Fix lastReqData freeing to use wpabuf_free()Jouni Malinen2010-01-091-1/+1
| | | | (cherry picked from commit f52ab9e6b0f7cb77d35c59f7f561bcf383795002)
* Fix RADIUS client to cancel IPv6 socket read notificationsJouni Malinen2010-01-091-0/+6
| | | | (cherry picked from commit 2988796257e4ce850372376b5bc0a8c6c8db7a71)
* Fix RADIUS server deinit to cancel timeout for session removalJouni Malinen2010-01-091-4/+3
| | | | (cherry picked from commit f481459f5e3eb24932057b88fea32b4576cccfc7)
* OpenSSL: Silence "Failed to read possible Application Data"Jouni Malinen2010-01-091-3/+12
| | | | | | | | This message from tls_connection_handshake() is not really an error in most cases, so do not show it if there was indeed no Application Data available (which is a normal scenario and not an indication of any error). (cherry picked from commit d986b1b6c113083c8701abc54fd0c912fba329a6)
* EAP-TTLS/PAP: User-Password obfuscation for zero length passwordMasashi Honma2010-01-091-1/+1
| | | | | | | | | | | The password in User-Password AVP is padded to a multiple of 16 bytes on EAP-TTLS/PAP. But when the password length is zero, no padding is added. It doesn't cause connectivity issue. In fact, I could connect with hostapd RADIUS server with zero length password. I think it's better for obfuscation to pad the 16 bytes data when the password length is zero with this patch. (cherry picked from commit bab31499fd0883be8614d807daa6e05da2f9f4f8)
* Increase EAP server extra room for encryption overhead (for GnuTLS)Jouni Malinen2010-01-091-1/+1
| | | | | | | | This fixes issues with some GnuTLS versions that seem to be adding quite a bit of extra data into TLS messages. The EAP server code is now using the same 300 byte extra room that was already used in the EAP peer implementation. (cherry picked from commit f721aed4b1baef8ad9336c80f8835f3f3d504d68)
* Remove obsolete comment about wpa_supplicant header filesJouni Malinen2010-01-091-4/+0
| | | | (cherry picked from commit d66e084a9822133ee294dab43a9ca5ee6dbdd4f1)
* Fix wpa_priv memory leak in wpa_priv_get_scan_results2()Dmitry Shmidt2010-01-091-2/+2
| | | | | | I suspect that new scan results format demands more complex free procedure. (cherry picked from commit 4e2225a52026163ba5ed5eb03617dccd1ca444cf)
* Add cleared deprecation notes on iwl,ndiswrapper,madwifi(sta) wrappersJouni Malinen2010-01-094-3/+14
| | | | | | | These driver wrappers should not be used anymore; WEXT should be used instead. However, there may still be users stuck on older kernel versions that may require driver specific wrappers, so the source code still remains in the repository.
* Getting back to DISCONNECTED afer SCANNINGSamuel Ortiz2010-01-092-3/+9
| | | | | | | | | | | After transitioning from DISCONNECTED to SCANNING, we never go back to DISCONNECTED even though scanning is done or failed. We're thus stuck in SCANNING while scanning is actually done. (cherry picked from commit 3180d7a2088fdd429c2eb9ae74abfa96e6a9b9b0) Conflicts: wpa_supplicant/events.c
* Do not schedule a new scan if no networks are enabledSam Leffler2010-01-093-11/+25
| | | | | | | | | | This avoids an extra timeout to move to INACTIVE state. (cherry picked from commit 4f34d51abe432b615629dff6f4654c9344289677) Conflicts: wpa_supplicant/events.c wpa_supplicant/scan.c
* Reset EAPOL pointer when handling DBus smartcard parametersDavid Smith2010-01-091-0/+4
| | | | | | | | | | | | | Smartcard parameter update via DBus ended up re-initializing the EAPOL state machine without updating the pointer inside WPA state machine. This can trigger a segfault when EAP layer attempts to use the old reference. Fix this by re-initializing the pointer inside WPA state machine. (cherry picked from commit d7199342f0633b5ab147dca5b885530fe32ceaeb) Conflicts: wpa_supplicant/ctrl_iface_dbus_handlers.c
* WPS: Cleanup subscription URL list handlingJouni Malinen2010-01-093-6/+5
| | | | | | | | | | | | Do not give the allocated memory to the subscription code since it was not using it as-is anyway. This makes it easier to understand who owns the allocation an is responsible of freeing it. This may potentially fix some memory leaks on error paths. (cherry picked from commit 3f6dc111ff509348a92bff8bbfa2b27f3101315a) Conflicts: src/wps/wps_upnp_web.c
* wpa_supplicant: add DBus method for changing debug parametersHelmut Schaa2010-01-093-0/+54
| | | | | | | | | | | | | | | | Add a new DBus method "setDebugParams" which takes the parameters debug_level, debug_timestamp and show_keys as input and updates the internal debug variables accordingly. To change the debug level, enable/disable timestamps and enable/disable show_keys the following dbus-send command can be used: dbus-send --system --dest=fi.epitest.hostap.WPASupplicant --print-reply /fi/epitest/hostap/WPASupplicant fi.epitest.hostap.WPASupplicant.setDebugParams int32:0 boolean:false boolean:false Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> (cherry picked from commit 01a569e8a131cc6150210036ae171b8bfd418a3f)
* Fix PKCS#12 use with OpenSSL 1.0.0Jouni Malinen2010-01-081-0/+9
| | | | | | | | | | | | | | Add 40-bit RC2 CBC explicitly since OpenSSL 1.0.0 does not seem to that anymore with PKCS12_PBE_add(). Furthermore, at least 1.0.0-beta4 crashes if the needed cipher is not registered when parsing the PKCS#12 data (this crashing part should be fixed in newer 1.0.0 versions) Following bug reports are related to the issue: https://bugzilla.redhat.com/show_bug.cgi?id=541924 https://bugzilla.redhat.com/show_bug.cgi?id=538851 http://rt.openssl.org/Ticket/Display.html?id=2127 http://rt.openssl.org/Ticket/Display.html?id=2128 (cherry picked from commit 1056dad796e78509604c0aa836803c8425b4ba37)
* WPS: Fix Probe Request processing to handle missing attributeJouni Malinen2010-01-011-0/+5
| | | | | | WPS IE parsing for PBC mode did not check whether the UUID-E attribute was included before dereferencing the pointer. This could result in the AP crashing when processing and invalid Probe Request frame.
* WPS: Abort ongoing PBC protocol run if session overlap is detectedJouni Malinen2009-11-251-1/+35
| | | | | | | | | If PBC session overlap is detected during an ongoing PBC protocol run, reject the run (if M8, i.e., credentials, have not yet been sent). This provides a bit longer monitoring time at the Registrar for PBC mode to catch some cases where two Enrollees in PBC mode try to enroll credentials at about the same time. (cherry picked from commit 2e7144451697738f55f2864cbc5d7116443fe6c8)
* WPS: Add PBC overlap and timeout events from WPS moduleOleg Kravtsov2009-11-255-1/+38
| | | | | | | This provides information about PBC mode result from the WPS Registrar module. This could be used, e.g., to provide a user notification on the AP UI on PBC failures. (cherry picked from commit 63330c68321cdf275193048236fa5e4051180447)
* Allow CONFIG_DEBUG_SYSLOG=y to be usedSam Leffler2009-11-251-0/+4
| | | | | | Instead of having to add the syslog define manually into CFLAGS, CONFIG_DEBUG_SYSLOG=y can now be used in .config. (cherry picked from commit cca8773165fae7f3b88d528232b47b7ad10a32e5)
* Figure out absolute path for the pid file before daemonizingJouni Malinen2009-11-251-2/+4
| | | | | | | This allows relative path to be used in the same way as was already supported by wpa_supplicant. (cherry picked from commits cedf947308ed26d08aec391794a16c9f8d715023 and dd745de384a5d6398b62a2737f2b6bd581495de7)
* dbus: add 'scanning' propertyDan Williams2009-11-258-0/+115
| | | | | | | | | | | | | When the supplicant is connected and performs a scan, it doesn't enter WPA_SCANNING state for various reasons. However, external programs still need to know that the supplicant is scanning since they may not wish to perform certain operations during a scan (as those operations will likely fail or yield incorrect results). Add a 'scanning' property and signal to the supplicant dbus interface to allow clients to synchronize better with the supplicant when it scans. Signed-off-by: Dan Williams <dcbw@redhat.com> (cherry picked from commit cb8564b1ddf2738fa26a80523078749bb7a55c5f)
* wext: disconnect at init and deinitDan Williams2009-11-251-2/+9
| | | | | | | | | To ensure the supplicant starts and ends with a clean slate (keys are already cleaned up at init and deinit time), force a null BSSID and bogus SSID to ensure the driver isn't connected to anything. Signed-off-by: Dan Williams <dcbw@redhat.com> (cherry picked from commit 2976121955ba0e2f52c09fbffc93f91dbf0d845b)
* WPS: Add support for setting timeout for PINJouni Malinen2009-11-258-17/+81
| | | | | | | | hostapd_cli wps_pin command can now have an optional timeout parameter that sets the PIN lifetime in seconds. This can be used to reduce the likelihood of someone else using the PIN should an active PIN be left in the Registrar. (cherry picked from commit 077a781f7ab4e87955f1a97fcd0b939c74a57165)
* General revision of RoboSwitch driverJouke Witteveen2009-11-251-144/+176
| | | | | | | | | | | | | | | | | | | | | | Attached is a patch for the RoboSwitch driver in trunk. It is a general revision of the source code. Changes: - Improved IEEE 802.1X conformance ([1]) - Better conformity to Broadcom specifications - Fixed compatibility with different chipset revisions It is worth noting that performance may drop a little using the new driver. This can be overcome by using "multicast_only=1" as a parameter. In that case only packets to the PAE group address are regarded, as the previous revision of the driver did. A more detailed description of the parameter and it's consequences is available at [2] (summary: use "multicast_only=1" whenever possible). [1] http://lists.shmoo.com/pipermail/hostap/2009-February/019398.html [2] http://forum.openwrt.org/viewtopic.php?id=19873 (cherry picked from commit 077ed46d2b6a0311455662b4d935b720c6f4eb46)
* nl80211: Update to match with linux/nl80211.h from wireless-testing.gitJouni Malinen2009-11-221-16/+536
* WPS: Do not try to send byebye advertisements if socket is not validJouni Malinen2009-11-221-1/+1
| | | | | | | If initialization fails, we could potentially try to sendto() on -1 socket which would fail. No point in doing that, so just return early from the function. (cherry picked from commit 3c2166d63c3f8db9699bd29b152121ca63c70415)
* wpa_gui: Only move to WPS tab if inactive/disconnect and AP readyJouni Malinen2009-11-221-3/+6
| | | | | | | | | This removes many of the cases where moving to the WPS tab can be undesired. It is really only useful if we are not currently connected and there is an AP available that would likely be able to provide us network connectivity with use of WPS (active PBC more or selected registrar set). (cherry picked from commit 19019a84a24fd3f1f49ca3296fa24626b403a607)
* OpenSSL: Remove unneeded MinGW CryptoAPI compat codeJouni Malinen2009-11-221-68/+0
| | | | | | | The current MinGW/w32api versions seem to provide all the needed CryptoAPI functions, so the code for loading these dynamically from the DLL can be removed. (cherry picked from commit 55d0b0831e83bba429990ba02cb894c29819f8f8)