aboutsummaryrefslogtreecommitdiffstats
path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Fix lastReqData freeing to use wpabuf_free()Jouni Malinen2010-01-091-1/+1
| | | | (cherry picked from commit f52ab9e6b0f7cb77d35c59f7f561bcf383795002)
* Fix RADIUS client to cancel IPv6 socket read notificationsJouni Malinen2010-01-091-0/+6
| | | | (cherry picked from commit 2988796257e4ce850372376b5bc0a8c6c8db7a71)
* Fix RADIUS server deinit to cancel timeout for session removalJouni Malinen2010-01-091-4/+3
| | | | (cherry picked from commit f481459f5e3eb24932057b88fea32b4576cccfc7)
* OpenSSL: Silence "Failed to read possible Application Data"Jouni Malinen2010-01-091-3/+12
| | | | | | | | This message from tls_connection_handshake() is not really an error in most cases, so do not show it if there was indeed no Application Data available (which is a normal scenario and not an indication of any error). (cherry picked from commit d986b1b6c113083c8701abc54fd0c912fba329a6)
* EAP-TTLS/PAP: User-Password obfuscation for zero length passwordMasashi Honma2010-01-091-1/+1
| | | | | | | | | | | The password in User-Password AVP is padded to a multiple of 16 bytes on EAP-TTLS/PAP. But when the password length is zero, no padding is added. It doesn't cause connectivity issue. In fact, I could connect with hostapd RADIUS server with zero length password. I think it's better for obfuscation to pad the 16 bytes data when the password length is zero with this patch. (cherry picked from commit bab31499fd0883be8614d807daa6e05da2f9f4f8)
* Increase EAP server extra room for encryption overhead (for GnuTLS)Jouni Malinen2010-01-091-1/+1
| | | | | | | | This fixes issues with some GnuTLS versions that seem to be adding quite a bit of extra data into TLS messages. The EAP server code is now using the same 300 byte extra room that was already used in the EAP peer implementation. (cherry picked from commit f721aed4b1baef8ad9336c80f8835f3f3d504d68)
* Add cleared deprecation notes on iwl,ndiswrapper,madwifi(sta) wrappersJouni Malinen2010-01-092-1/+9
| | | | | | | These driver wrappers should not be used anymore; WEXT should be used instead. However, there may still be users stuck on older kernel versions that may require driver specific wrappers, so the source code still remains in the repository.
* WPS: Cleanup subscription URL list handlingJouni Malinen2010-01-093-6/+5
| | | | | | | | | | | | Do not give the allocated memory to the subscription code since it was not using it as-is anyway. This makes it easier to understand who owns the allocation an is responsible of freeing it. This may potentially fix some memory leaks on error paths. (cherry picked from commit 3f6dc111ff509348a92bff8bbfa2b27f3101315a) Conflicts: src/wps/wps_upnp_web.c
* Fix PKCS#12 use with OpenSSL 1.0.0Jouni Malinen2010-01-081-0/+9
| | | | | | | | | | | | | | Add 40-bit RC2 CBC explicitly since OpenSSL 1.0.0 does not seem to that anymore with PKCS12_PBE_add(). Furthermore, at least 1.0.0-beta4 crashes if the needed cipher is not registered when parsing the PKCS#12 data (this crashing part should be fixed in newer 1.0.0 versions) Following bug reports are related to the issue: https://bugzilla.redhat.com/show_bug.cgi?id=541924 https://bugzilla.redhat.com/show_bug.cgi?id=538851 http://rt.openssl.org/Ticket/Display.html?id=2127 http://rt.openssl.org/Ticket/Display.html?id=2128 (cherry picked from commit 1056dad796e78509604c0aa836803c8425b4ba37)
* WPS: Fix Probe Request processing to handle missing attributeJouni Malinen2010-01-011-0/+5
| | | | | | WPS IE parsing for PBC mode did not check whether the UUID-E attribute was included before dereferencing the pointer. This could result in the AP crashing when processing and invalid Probe Request frame.
* WPS: Abort ongoing PBC protocol run if session overlap is detectedJouni Malinen2009-11-251-1/+35
| | | | | | | | | If PBC session overlap is detected during an ongoing PBC protocol run, reject the run (if M8, i.e., credentials, have not yet been sent). This provides a bit longer monitoring time at the Registrar for PBC mode to catch some cases where two Enrollees in PBC mode try to enroll credentials at about the same time. (cherry picked from commit 2e7144451697738f55f2864cbc5d7116443fe6c8)
* WPS: Add PBC overlap and timeout events from WPS moduleOleg Kravtsov2009-11-254-1/+34
| | | | | | | This provides information about PBC mode result from the WPS Registrar module. This could be used, e.g., to provide a user notification on the AP UI on PBC failures. (cherry picked from commit 63330c68321cdf275193048236fa5e4051180447)
* wext: disconnect at init and deinitDan Williams2009-11-251-2/+9
| | | | | | | | | To ensure the supplicant starts and ends with a clean slate (keys are already cleaned up at init and deinit time), force a null BSSID and bogus SSID to ensure the driver isn't connected to anything. Signed-off-by: Dan Williams <dcbw@redhat.com> (cherry picked from commit 2976121955ba0e2f52c09fbffc93f91dbf0d845b)
* WPS: Add support for setting timeout for PINJouni Malinen2009-11-253-8/+49
| | | | | | | | hostapd_cli wps_pin command can now have an optional timeout parameter that sets the PIN lifetime in seconds. This can be used to reduce the likelihood of someone else using the PIN should an active PIN be left in the Registrar. (cherry picked from commit 077a781f7ab4e87955f1a97fcd0b939c74a57165)
* General revision of RoboSwitch driverJouke Witteveen2009-11-251-144/+176
| | | | | | | | | | | | | | | | | | | | | | Attached is a patch for the RoboSwitch driver in trunk. It is a general revision of the source code. Changes: - Improved IEEE 802.1X conformance ([1]) - Better conformity to Broadcom specifications - Fixed compatibility with different chipset revisions It is worth noting that performance may drop a little using the new driver. This can be overcome by using "multicast_only=1" as a parameter. In that case only packets to the PAE group address are regarded, as the previous revision of the driver did. A more detailed description of the parameter and it's consequences is available at [2] (summary: use "multicast_only=1" whenever possible). [1] http://lists.shmoo.com/pipermail/hostap/2009-February/019398.html [2] http://forum.openwrt.org/viewtopic.php?id=19873 (cherry picked from commit 077ed46d2b6a0311455662b4d935b720c6f4eb46)
* nl80211: Update to match with linux/nl80211.h from wireless-testing.gitJouni Malinen2009-11-221-16/+536
|
* WPS: Do not try to send byebye advertisements if socket is not validJouni Malinen2009-11-221-1/+1
| | | | | | | If initialization fails, we could potentially try to sendto() on -1 socket which would fail. No point in doing that, so just return early from the function. (cherry picked from commit 3c2166d63c3f8db9699bd29b152121ca63c70415)
* OpenSSL: Remove unneeded MinGW CryptoAPI compat codeJouni Malinen2009-11-221-68/+0
| | | | | | | The current MinGW/w32api versions seem to provide all the needed CryptoAPI functions, so the code for loading these dynamically from the DLL can be removed. (cherry picked from commit 55d0b0831e83bba429990ba02cb894c29819f8f8)
* GnuTLS: Fix compilation with newer GnuTLS versionsJouni Malinen2009-11-221-0/+4
| | | | | Avoid duplicate defination of TLS_RANDOM_SIZE and TLS_MASTER_SIZE. (cherry picked from commit e3992c3381e6ca1eb59a6bd3adfaa30c02721300)
* Fix strict aliasing issue with the internal SHA-1 implementationJouni Malinen2009-11-221-2/+2
| | | | | | | | | | | | | | | | | | | | | | | Need to define the workspace buffer properly to allow compiler to handle strict aliasing between the incoming unsigned char[64] buffer as an u32 array. The previous version built with strict aliasing enabled can result in SHA-1 producing incorrect results and consequently, with 4-way handshake failing. This is based on a report and patch from Dan Williams <dcbw@redhat.com> but with a different type (the union) used as a fix to avoid needing extra type casting. Discovered as part of the investigation of: https://bugzilla.redhat.com/show_bug.cgi?id=494262#c32 if sha1 is built with gcc without turning off strict aliasing, it will fail to correctly generate the hashes and will fail its own testcases as well. Signed-off-by: Dan Williams <dcbw@redhat.com> (cherry picked from commit 6d798e8b7e748935e10262566dc9b6ff02ac7d31)
* WPS: Fix MAC Address inside Credential be that of Enrollee'sJouni Malinen2009-11-223-3/+35
| | | | | | | | | | | | | | | | The WPS 1.0h specification is quite unclear on what exactly should be used as the MAC Address value in the Credential and AP Settings. It looks like this should after all be the MAC Address of the Enrollee, so change Registrar implementation to use that address instead of the AP BSSID. In addition, add validation code to the Enrollee implementation to check the MAC Address value inside Credential (and also inside AP Settings) to make sure it matches with the Enrollee's own address. However, since there are deployed implementations that do not follow this interpretation of the spec, only show the mismatch in debug information to avoid breaking interoperability with existing devices. (cherry picked from commit 4bdd556886fea5790aa4d56e2f416cc82ebf15b5)
* WPS: Determine the OpCode based on message type attribute (UPnP)Jouni Malinen2009-11-221-0/+11
| | | | | | This allows WSC_ACK and WSC_NACK to be processed correctly in the AP when operating as an Enrollee with an ER over UPnP transport. (cherry picked from commit 82b857ec0b78a28a080792a921cae785850dd470)
* WPS: Use a dummy WSC_ACK as WLANEvent as the initial event if neededJouni Malinen2009-11-221-3/+43
| | | | | | | | UPnP device architecture specification requires all evented variables to be included in the initial event message after subscription. Since this can happen before we have seen any events, generated a dummy event (WSC_ACK with all-zeros nonces) if needed. (cherry picked from commit fcac668faa5459c3f4ad1f9837f4b0f50edc4cba)
* WPS: Send SSDP byebye notifications when stopping UPnP advertisementsJouni Malinen2009-11-223-5/+36
| | | | | | | This will notify control points of the services going away and allows them to notice this without having to wait timeout on the initial advertisements. (cherry picked from commit 44577e4c2e37b1039ec8850c61e7a71f6c242c1f)
* WPS: Remove derivation of management keysJouni Malinen2009-11-223-59/+0
| | | | | | MgmtAuthKey and MgmtEncKey were not used for anything and are unlikely to ever be used, so better remove the code to reduce binary size. (cherry picked from commit d806a5588e8f6d8bb8141cdd3d890fdf8bff3cd1)
* WPS: Fix AP to proxy WSC_NACK to ERJouni Malinen2009-11-221-1/+2
| | | | (cherry picked from commit ed835e539b7c430241d842530de967c5de6427e0)
* WPS: Fix OpCode when proxying WSC_ACK or WSC_NACK from ERJouni Malinen2009-11-221-1/+11
| | | | | | | Previously, WSC_MSG was hardcoded for every message from ER, but this needs to be changed based on message type to send a valid message to the Enrollee via EAP transport. (cherry picked from commit 04f5d740772c53125bdf9251565d0e438b239430)
* Add wpa_msg_ctrl() for ctrl_interface-only messagesJouni Malinen2009-11-222-0/+39
| | | | | | | | | | | | This is like wpa_msg(), but the output is directed only to ctrl_interface listeners. In other words, the output will not be shown on stdout or in syslog. Change scan result reporting to use wpa_msg_ctrl() for CTRL-EVENT-SCAN-RESULTS message at info level and wpa_printf() at debug level to avoid showing scan result events in syslog in the common configuration used with NetworkManager. (cherry picked from commit 69856fadf77e680d01cac09da37e6bb3643ca427)
* WPS: Mark functions staticJouni Malinen2009-11-222-3/+2
| | | | | These functions are used only within wps_upnp_event.c. (cherry picked from commit b02ee4a2283a7850214c143811ed21bf1805cd4e)
* WPS: SelectedRegistrar expiration for internal PIN registrarAndriy Tkachuk2009-11-221-0/+14
| | | | | | | | | | | | | | Though we have such a timeout when handling SetSelectedRegistrar UPnP message from an external registrar, it looks like we don't have one when the internal registrar is activated for PIN connection. Thus we set the SelectedRegistrar flag when AP is activated for PIN connection but we never reset it - not by some timeout, nor when registration succeeds. This lead to situations where AP everlastingly declare that it is activated for WPS PIN connection when in reality it is not. Use the same timeout (and also success with PIN) to clear the selected registrar flag when using internal registrar, too. (cherry picked from commit 72ffc08242cc1b8200ceb4af7bf7b723e2a07012)
* WPS: Use Config Error 12 to indicate PBC overlap in M2DJouni Malinen2009-11-221-2/+4
| | | | | | | If PBC session overlap is detected between button press on the registrar and M1 is reception, report session overlap with the Config Error attribute in M2D to the Enrollee. (cherry picked from commit 7e3a67514f6afa45a90b0857921202d0384996e3)
* Fix dbus build without EAPJouni Malinen2009-11-221-0/+5
| | | | (cherry picked from commit e5fc45d7aec5270c0742e30956233ac28d50bedb)
* Include only the used DH groups in the buildJouni Malinen2009-11-221-1/+11
| | | | | | This reduces the binary size by 3 kB or so when WPS is included in the build, but IKEv2 is not. (cherry picked from commit dd01b1ff9d8a19c1e1b7e40d6df7d838d2ac34bb)
* nl80211: Recognize NL80211_CMD_TRIGGER_SCAN eventsJouni Malinen2009-11-221-0/+3
| | | | | | | | Replace "nl80211: Ignored unknown event (cmd=33)" with "nl80211: Scan trigger" to make debug output clearer. We do not currently do anything with this event apart from showing it in the debug log. (cherry picked from commit d942a79e6a9237b664e9973e11d109e2598340ab)
* DragonFly BSD: Fix wired IEEE 802.1XMasashi Honma2009-11-221-4/+4
| | | | | | | | | | | | | On DragonFly BSD, wired IEEE 802.1X fails with this message: ioctl[SIOC{ADD/DEL}MULTI]: Invalid argument This patch solves this issue. I have tested with these: OS : DragonFly BSD 2.4.0 EAP : EAP-TLS Switch : Cisco Catalyst 2950 (cherry picked from commit f335c69e148db2afcea6c22bcde73efd346d7812)
* Mac OS X: Fix wired IEEE 802.1XMasashi Honma2009-11-221-2/+2
| | | | (cherry picked from commit 40e107c1299deda181533d03eb8557580bc19ba0)
* WPS: Add parsing of AP Setup Locked attributeJouni Malinen2009-11-222-0/+9
| | | | (cherry picked from commit e9a2bca6f5e5dd7ef7aa62f6954b3877f41a1e34)
* radius_server: clean up completed sessions soonerAlex Badea2009-11-221-1/+5
| | | | | | | | | | | | | | | radius_server_encapsulate_eap() resets sess->eap->if->eap{Success,Fail} to FALSE, such that the completion condition is never true. The net effect is that completed sessions would linger for RADIUS_SESSION_TIMEOUT seconds. Signed-off-by: Alex Badea <vamposdecampos@gmail.com> Previously, the default settings allowed 100 sessions in 60 seconds. With this fix, the default limit is now 100 sessions per 10 seconds. [Bug 329] (cherry picked from commit 7598210b79ce6d0736892fc4a68caed8f6bc0e6f)
* OpenBSD: wired IEEE 802.1X for OpenBSDMasashi Honma2009-11-223-5/+13
| | | | | | | | | | | | | This is a patch for OpenBSD wired IEEE 802.1X. This is only for wired, not wireless, because OpenBSD uses wpa_supplicant only on wired now. http://www.openbsd.org/cgi-bin/cvsweb/ports/security/wpa_supplicant/ I have tested with these. OS : OpenBSD 4.5 EAP : EAP-TLS Switch : CentreCOM 8724SL (cherry picked from commit 80cc6bf6d0f9b86603e5181cdf11d984dded89cc)
* Disable PMTU discovery for RADIUS packets (sent them without DF)Jouni Malinen2009-11-221-0/+18
| | | | | | | | | | | | When Linux has Path MTU discovery enabled, it sets by default the DF bit on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger than the smallest MTU size to the target, it will be discarded. This effectively limits RADIUS messages to ~ 1500 Bytes, while they can be up to 4k according to RFC2865. In practice, this can mean trouble when doing EAP-TLS with many RADIUS attributes besides the EAP-Message. [Bug 326] (cherry picked from commit 5cd89c26f952a6cd6fca4b55d52fe849e7483a62)
* Disable PMTU discovery for RADIUS packets (sent them without DF)Stefan Winter2009-11-221-2/+22
| | | | | | | | | | | | When Linux has Path MTU discovery enabled, it sets by default the DF bit on all outgoing datagrams, also UDP ones. If a RADIUS message is bigger than the smallest MTU size to the target, it will be discarded. This effectively limits RADIUS messages to ~ 1500 Bytes, while they can be up to 4k according to RFC2865. In practice, this can mean trouble when doing EAP-TLS with many RADIUS attributes besides the EAP-Message. [Bug 326] (cherry picked from commit a2fbf12524b78c323fd3e4793b042943834d9d2f)
* Remove rc4() wrapperJouni Malinen2009-11-224-20/+3
| | | | | | | This is not really of that much use since rc4_skip() can be used as easily. In addition, rc4 has caused some symbol conflicts in the past, so it is easier to live without that as an exported symbol. (cherry picked from commit 8ef168311557982dd6b88cfcf26453aeb4dad6ac)
* Enable SHA256 digest support in OpenSSLJouni Malinen2009-11-221-0/+3
| | | | | | This is needed to allow X.509 certificates with SHA256 digest to be used. [Bug 323] (cherry picked from commit e1ffdfc18be9027b5ff9ae254f92b6255930ac71)
* NetBSD: Fix wired IEEE 802.1X problemMasashi Honma2009-11-221-0/+9
| | | | | | | | | | | | | | | | On NetBSD 5.0, when I use wired 802.1X, "Invalid argument" occurs on SIOCADDMULTI ioctl and 802.1X fails. I tried FreeBSD code, but "Address family not supported by protocol family" occurs on SIOCADDMULTI ioctl and 802.1X fails, too. This patch solves this issue. I have tested with these: OS : NetBSD 5.0 EAP : EAP-MD5 Switch : CentreCOM 8724SL (cherry picked from commit d43430d43d3592daceced77206fea5eb54346b05)
* Avoid a theoretical integer overflow in base64_encode()Jouni Malinen2009-11-221-0/+2
| | | | | | | | | | | | If base64_encode() were to be used with a huge data array, the previous version could have resulted in overwriting the allocated buffer due to an integer overflow as pointed out in http://www.freebsd.org/cgi/query-pr.cgi?pr=137484. However, there are no know use cases in hostapd or wpa_supplicant that would do that. Anyway, the recommended change looks reasonable and provides additional protection should the base64_encode() function be used for something else in the future. (cherry picked from commit 6b23b70445ee091722bc4a9d3933ae16a880d238)
* Fix EAP-TNC peer memory leak on an error pathRyuji2009-11-221-0/+1
| | | | (cherry picked from commit 1c5a1aa51c37f3604bbef5c24b3e4209848f6886)
* Add root .gitignore file to cleanup ignore listsJouni Malinen2009-11-2214-14/+0
| | | | | | | This removes need for local configuration to ignore *.o and *~ and allows the src/*/.gitignore files to be removed (subdirectories will inherit the rules from the root .gitignore). (cherry picked from commit 064bb8232c9003b11be7bce3aa0a4a68aee2fd6f)
* EAP-SIM peer: Remove AT_NOTIFICATION from Notification responseJouni Malinen2009-11-221-2/+0
| | | | | | | | | | | | This attribute is not supposed to be used in the response frame (i.e., it is only in the EAP-Request/SIM-Notification frame) per RFC 4186 chapters 10.1 and 9.9. This is a minor bug since the server is required to ignore the contents of the EAP-Response/SIM-Notification during protected result indication per chapter 6.2. EAP-AKA peer was already following the similar specification in RFC 4187, but this was somehow missed in the EAP-SIM peer implementation. (cherry picked from commit f141be0cafeb327ecec374de52fef3d216af5014)
* Fix comparison to use correct symbol name (__rand vs. rand)Jouni Malinen2009-11-221-1/+1
| | | | | | | | rand would be the address of rand() function and never NULL. The previous version could have crashed on invalid AKA-AUTS command. Though, these commands are only from hostapd which sends valid requests and as such, the actual issue did not show up. (cherry picked from commit 6689218ec77165de16e07a49b627cb41bdb327c1)
* Rename variable to avoid gcc warning about shadowed namesJouni Malinen2009-11-221-5/+5
| | | | (cherry picked from commit 2b16c01c4e9ae01f2d09457ac8aaeed99e57f276)