path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* EAP-TLS server: Fix TLS Message Length validationHEADmasterJouni Malinen2012-10-071-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | EAP-TLS/PEAP/TTLS/FAST server implementation did not validate TLS Message Length value properly and could end up trying to store more information into the message buffer than the allocated size if the first fragment is longer than the indicated size. This could result in hostapd process terminating in wpabuf length validation. Fix this by rejecting messages that have invalid TLS Message Length value. This would affect cases that use the internal EAP authentication server in hostapd either directly with IEEE 802.1X or when using hostapd as a RADIUS authentication server and when receiving an incorrectly constructed EAP-TLS message. Cases where hostapd uses an external authentication are not affected. Thanks to Timo Warns for finding and reporting this issue. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1 (cherry picked from commit 586c446e0ff42ae00315b014924ec669023bd8de) (cherry picked from commit f3043318970a98c98e968ed17b3e2f49dc42c646) Conflicts: src/eap_server/eap_tls_common.c
* Fix fallback from failed PMKSA caching into full EAP authenticationJouni Malinen2010-10-041-1/+9
| | | | | | | | | | | | | | | Commit 83935317a78fb4157eb6e5134527b9311dbf7b8c added forced disconnection in case of 4-way handshake failures. However, it should not have changed the case where the supplicant is requesting fallback to full EAP authentication if the PMKID in EAPOL-Key message 1/4 is not know. This case needs to send an EAPOL-Start frame instead of EAPOL-Key message 2/4. This works around a problem with APs that try to force PMKSA caching even when the client does not include PMKID in (re)association request frame to request it. [Bug 355] (cherry picked from commit b4a1256d3660a2b5239062a9b42de79b8a34286a) (cherry picked from commit a5277ad2a182e0264715533c11ed9a90296298e4)
* Fix WPS IE in Probe Response frame to include proper Config Methods valuesJouni Malinen2010-08-281-1/+5
| | | | | | | | This attribute is supposed to indicate which methods the AP supports as an Enrollee for adding external Registrars. It was left to 0 when the AP code did not yet support external Registrars and was forgotten when the ER support was added. (cherry picked from commit bdda27eb171893aaa8bf2f574fca517facda176b)
* wext: Add cfg80211-specific optimization to avoid silly behaviorJouni Malinen2010-01-122-3/+39
| | | | | | | | | | | | If the driver is detected to use cfg80211, we can rely on it being able to disconnect with SIOCSIWMLME commands and to use empty SSID as a way to stop it from associating when we are in progress of configuring the driver for association. Consequently, we can remove the hack that uses random 32-octet SSID to force disconnection and re-order association commands to match the expectations that cfg80211 has for WEXT ioctls. This gets rid of extra scan rounds and attempts to associate with the silly 32-octet SSID. (cherry picked from commit 3145e6154c11355631b846b0dd2c57eead255401)
* Preparations for 0.6.10 releasehostap_0_6_10Jouni Malinen2010-01-121-1/+1
* Fix MinGW build: CertCreateCertificateContext() is now knownJouni Malinen2010-01-091-18/+3
| | | | (cherry picked from commit de979ef18c1aced0597e342de7dab37c15718090)
* nl80211/wext: Hardcode all auth_algs as supportedJouni Malinen2010-01-092-0/+6
| | | | | | There does not seem to be a driver interface for fetching auth_algs capability, but this may be used by some external application, so hardcode all auth_algs as supported for now.
* EAP-FAST server: Piggyback Phase 2 start with end of Phase 1Jouni Malinen2010-01-091-16/+61
| | | | | | | | If Finished message from peer has been received before the server Finished message, start Phase 2 with the same message to avoid extra roundtrip when the peer does not have anything to send after the server Finished message. (cherry picked from commit c479e41f53b10ff91f4c1e183c441da76d47f05e)
* wpabuf: Allow wpabuf_resize(NULL, len) to be usedJouni Malinen2010-01-091-0/+4
| | | | | | This matches with realloc() usage, i.e., allocate a new buffer if no buffer was specified. (cherry picked from commit 859db534bf29e360adfdc7da6a0bf0ad86fc1ec2)
* Mark fmt parameter const for wpa_printf/msgJouni Malinen2010-01-092-6/+7
| | | | (cherry picked from commit 0de4da91c1cc8bcdfd5b29aa7b33887a1f8e3775)
* Fix a typo in a doxygen commentJouni Malinen2010-01-091-1/+1
| | | | (cherry picked from commit 60ad2c7befcaba3be072ab20368418a41dd828b9)
* Allow TLS flags to be configured (allow MD5, disable time checks)Jouni Malinen2010-01-093-0/+43
| | | | | | | | | | | | | | Undocumented (at least for the time being) TLS parameters can now be provided in wpa_supplicant configuration to enable some workarounds for being able to connect insecurely to some networks. phase1 and phase2 network parameters can use following options: tls_allow_md5=1 - allow MD5 signature to be used (disabled by default with GnuTLS) tls_disable_time_checks=1 - ignore certificate expiration time For now, only the GnuTLS TLS wrapper implements support for these. (cherry picked from commit 29446569253c689356e7519feacddb7c923015cf)
* GnuTLS: Report certificate validation failures with TLS alertJouni Malinen2010-01-091-3/+29
| | | | | In addition, show more detailed reason for the failure in debug log. (cherry picked from commit 4a1e97790de4c3e9ddc3aed98836a2a2b26a0ad8)
* Fix lastReqData freeing to use wpabuf_free()Jouni Malinen2010-01-091-1/+1
| | | | (cherry picked from commit f52ab9e6b0f7cb77d35c59f7f561bcf383795002)
* Fix RADIUS client to cancel IPv6 socket read notificationsJouni Malinen2010-01-091-0/+6
| | | | (cherry picked from commit 2988796257e4ce850372376b5bc0a8c6c8db7a71)
* Fix RADIUS server deinit to cancel timeout for session removalJouni Malinen2010-01-091-4/+3
| | | | (cherry picked from commit f481459f5e3eb24932057b88fea32b4576cccfc7)
* OpenSSL: Silence "Failed to read possible Application Data"Jouni Malinen2010-01-091-3/+12
| | | | | | | | This message from tls_connection_handshake() is not really an error in most cases, so do not show it if there was indeed no Application Data available (which is a normal scenario and not an indication of any error). (cherry picked from commit d986b1b6c113083c8701abc54fd0c912fba329a6)
* EAP-TTLS/PAP: User-Password obfuscation for zero length passwordMasashi Honma2010-01-091-1/+1
| | | | | | | | | | | The password in User-Password AVP is padded to a multiple of 16 bytes on EAP-TTLS/PAP. But when the password length is zero, no padding is added. It doesn't cause connectivity issue. In fact, I could connect with hostapd RADIUS server with zero length password. I think it's better for obfuscation to pad the 16 bytes data when the password length is zero with this patch. (cherry picked from commit bab31499fd0883be8614d807daa6e05da2f9f4f8)
* Increase EAP server extra room for encryption overhead (for GnuTLS)Jouni Malinen2010-01-091-1/+1
| | | | | | | | This fixes issues with some GnuTLS versions that seem to be adding quite a bit of extra data into TLS messages. The EAP server code is now using the same 300 byte extra room that was already used in the EAP peer implementation. (cherry picked from commit f721aed4b1baef8ad9336c80f8835f3f3d504d68)
* Add cleared deprecation notes on iwl,ndiswrapper,madwifi(sta) wrappersJouni Malinen2010-01-092-1/+9
| | | | | | | These driver wrappers should not be used anymore; WEXT should be used instead. However, there may still be users stuck on older kernel versions that may require driver specific wrappers, so the source code still remains in the repository.
* WPS: Cleanup subscription URL list handlingJouni Malinen2010-01-093-6/+5
| | | | | | | | | | | | Do not give the allocated memory to the subscription code since it was not using it as-is anyway. This makes it easier to understand who owns the allocation an is responsible of freeing it. This may potentially fix some memory leaks on error paths. (cherry picked from commit 3f6dc111ff509348a92bff8bbfa2b27f3101315a) Conflicts: src/wps/wps_upnp_web.c
* Fix PKCS#12 use with OpenSSL 1.0.0Jouni Malinen2010-01-081-0/+9
| | | | | | | | | | | | | | Add 40-bit RC2 CBC explicitly since OpenSSL 1.0.0 does not seem to that anymore with PKCS12_PBE_add(). Furthermore, at least 1.0.0-beta4 crashes if the needed cipher is not registered when parsing the PKCS#12 data (this crashing part should be fixed in newer 1.0.0 versions) Following bug reports are related to the issue: https://bugzilla.redhat.com/show_bug.cgi?id=541924 https://bugzilla.redhat.com/show_bug.cgi?id=538851 http://rt.openssl.org/Ticket/Display.html?id=2127 http://rt.openssl.org/Ticket/Display.html?id=2128 (cherry picked from commit 1056dad796e78509604c0aa836803c8425b4ba37)
* WPS: Fix Probe Request processing to handle missing attributeJouni Malinen2010-01-011-0/+5
| | | | | | WPS IE parsing for PBC mode did not check whether the UUID-E attribute was included before dereferencing the pointer. This could result in the AP crashing when processing and invalid Probe Request frame.
* WPS: Abort ongoing PBC protocol run if session overlap is detectedJouni Malinen2009-11-251-1/+35
| | | | | | | | | If PBC session overlap is detected during an ongoing PBC protocol run, reject the run (if M8, i.e., credentials, have not yet been sent). This provides a bit longer monitoring time at the Registrar for PBC mode to catch some cases where two Enrollees in PBC mode try to enroll credentials at about the same time. (cherry picked from commit 2e7144451697738f55f2864cbc5d7116443fe6c8)
* WPS: Add PBC overlap and timeout events from WPS moduleOleg Kravtsov2009-11-254-1/+34
| | | | | | | This provides information about PBC mode result from the WPS Registrar module. This could be used, e.g., to provide a user notification on the AP UI on PBC failures. (cherry picked from commit 63330c68321cdf275193048236fa5e4051180447)
* wext: disconnect at init and deinitDan Williams2009-11-251-2/+9
| | | | | | | | | To ensure the supplicant starts and ends with a clean slate (keys are already cleaned up at init and deinit time), force a null BSSID and bogus SSID to ensure the driver isn't connected to anything. Signed-off-by: Dan Williams <dcbw@redhat.com> (cherry picked from commit 2976121955ba0e2f52c09fbffc93f91dbf0d845b)
* WPS: Add support for setting timeout for PINJouni Malinen2009-11-253-8/+49
| | | | | | | | hostapd_cli wps_pin command can now have an optional timeout parameter that sets the PIN lifetime in seconds. This can be used to reduce the likelihood of someone else using the PIN should an active PIN be left in the Registrar. (cherry picked from commit 077a781f7ab4e87955f1a97fcd0b939c74a57165)
* General revision of RoboSwitch driverJouke Witteveen2009-11-251-144/+176
| | | | | | | | | | | | | | | | | | | | | | Attached is a patch for the RoboSwitch driver in trunk. It is a general revision of the source code. Changes: - Improved IEEE 802.1X conformance ([1]) - Better conformity to Broadcom specifications - Fixed compatibility with different chipset revisions It is worth noting that performance may drop a little using the new driver. This can be overcome by using "multicast_only=1" as a parameter. In that case only packets to the PAE group address are regarded, as the previous revision of the driver did. A more detailed description of the parameter and it's consequences is available at [2] (summary: use "multicast_only=1" whenever possible). [1] http://lists.shmoo.com/pipermail/hostap/2009-February/019398.html [2] http://forum.openwrt.org/viewtopic.php?id=19873 (cherry picked from commit 077ed46d2b6a0311455662b4d935b720c6f4eb46)
* nl80211: Update to match with linux/nl80211.h from wireless-testing.gitJouni Malinen2009-11-221-16/+536
* WPS: Do not try to send byebye advertisements if socket is not validJouni Malinen2009-11-221-1/+1
| | | | | | | If initialization fails, we could potentially try to sendto() on -1 socket which would fail. No point in doing that, so just return early from the function. (cherry picked from commit 3c2166d63c3f8db9699bd29b152121ca63c70415)
* OpenSSL: Remove unneeded MinGW CryptoAPI compat codeJouni Malinen2009-11-221-68/+0
| | | | | | | The current MinGW/w32api versions seem to provide all the needed CryptoAPI functions, so the code for loading these dynamically from the DLL can be removed. (cherry picked from commit 55d0b0831e83bba429990ba02cb894c29819f8f8)
* GnuTLS: Fix compilation with newer GnuTLS versionsJouni Malinen2009-11-221-0/+4
| | | | | Avoid duplicate defination of TLS_RANDOM_SIZE and TLS_MASTER_SIZE. (cherry picked from commit e3992c3381e6ca1eb59a6bd3adfaa30c02721300)
* Fix strict aliasing issue with the internal SHA-1 implementationJouni Malinen2009-11-221-2/+2
| | | | | | | | | | | | | | | | | | | | | | | Need to define the workspace buffer properly to allow compiler to handle strict aliasing between the incoming unsigned char[64] buffer as an u32 array. The previous version built with strict aliasing enabled can result in SHA-1 producing incorrect results and consequently, with 4-way handshake failing. This is based on a report and patch from Dan Williams <dcbw@redhat.com> but with a different type (the union) used as a fix to avoid needing extra type casting. Discovered as part of the investigation of: https://bugzilla.redhat.com/show_bug.cgi?id=494262#c32 if sha1 is built with gcc without turning off strict aliasing, it will fail to correctly generate the hashes and will fail its own testcases as well. Signed-off-by: Dan Williams <dcbw@redhat.com> (cherry picked from commit 6d798e8b7e748935e10262566dc9b6ff02ac7d31)
* WPS: Fix MAC Address inside Credential be that of Enrollee'sJouni Malinen2009-11-223-3/+35
| | | | | | | | | | | | | | | | The WPS 1.0h specification is quite unclear on what exactly should be used as the MAC Address value in the Credential and AP Settings. It looks like this should after all be the MAC Address of the Enrollee, so change Registrar implementation to use that address instead of the AP BSSID. In addition, add validation code to the Enrollee implementation to check the MAC Address value inside Credential (and also inside AP Settings) to make sure it matches with the Enrollee's own address. However, since there are deployed implementations that do not follow this interpretation of the spec, only show the mismatch in debug information to avoid breaking interoperability with existing devices. (cherry picked from commit 4bdd556886fea5790aa4d56e2f416cc82ebf15b5)
* WPS: Determine the OpCode based on message type attribute (UPnP)Jouni Malinen2009-11-221-0/+11
| | | | | | This allows WSC_ACK and WSC_NACK to be processed correctly in the AP when operating as an Enrollee with an ER over UPnP transport. (cherry picked from commit 82b857ec0b78a28a080792a921cae785850dd470)
* WPS: Use a dummy WSC_ACK as WLANEvent as the initial event if neededJouni Malinen2009-11-221-3/+43
| | | | | | | | UPnP device architecture specification requires all evented variables to be included in the initial event message after subscription. Since this can happen before we have seen any events, generated a dummy event (WSC_ACK with all-zeros nonces) if needed. (cherry picked from commit fcac668faa5459c3f4ad1f9837f4b0f50edc4cba)
* WPS: Send SSDP byebye notifications when stopping UPnP advertisementsJouni Malinen2009-11-223-5/+36
| | | | | | | This will notify control points of the services going away and allows them to notice this without having to wait timeout on the initial advertisements. (cherry picked from commit 44577e4c2e37b1039ec8850c61e7a71f6c242c1f)
* WPS: Remove derivation of management keysJouni Malinen2009-11-223-59/+0
| | | | | | MgmtAuthKey and MgmtEncKey were not used for anything and are unlikely to ever be used, so better remove the code to reduce binary size. (cherry picked from commit d806a5588e8f6d8bb8141cdd3d890fdf8bff3cd1)
* WPS: Fix AP to proxy WSC_NACK to ERJouni Malinen2009-11-221-1/+2
| | | | (cherry picked from commit ed835e539b7c430241d842530de967c5de6427e0)
* WPS: Fix OpCode when proxying WSC_ACK or WSC_NACK from ERJouni Malinen2009-11-221-1/+11
| | | | | | | Previously, WSC_MSG was hardcoded for every message from ER, but this needs to be changed based on message type to send a valid message to the Enrollee via EAP transport. (cherry picked from commit 04f5d740772c53125bdf9251565d0e438b239430)
* Add wpa_msg_ctrl() for ctrl_interface-only messagesJouni Malinen2009-11-222-0/+39
| | | | | | | | | | | | This is like wpa_msg(), but the output is directed only to ctrl_interface listeners. In other words, the output will not be shown on stdout or in syslog. Change scan result reporting to use wpa_msg_ctrl() for CTRL-EVENT-SCAN-RESULTS message at info level and wpa_printf() at debug level to avoid showing scan result events in syslog in the common configuration used with NetworkManager. (cherry picked from commit 69856fadf77e680d01cac09da37e6bb3643ca427)
* WPS: Mark functions staticJouni Malinen2009-11-222-3/+2
| | | | | These functions are used only within wps_upnp_event.c. (cherry picked from commit b02ee4a2283a7850214c143811ed21bf1805cd4e)
* WPS: SelectedRegistrar expiration for internal PIN registrarAndriy Tkachuk2009-11-221-0/+14
| | | | | | | | | | | | | | Though we have such a timeout when handling SetSelectedRegistrar UPnP message from an external registrar, it looks like we don't have one when the internal registrar is activated for PIN connection. Thus we set the SelectedRegistrar flag when AP is activated for PIN connection but we never reset it - not by some timeout, nor when registration succeeds. This lead to situations where AP everlastingly declare that it is activated for WPS PIN connection when in reality it is not. Use the same timeout (and also success with PIN) to clear the selected registrar flag when using internal registrar, too. (cherry picked from commit 72ffc08242cc1b8200ceb4af7bf7b723e2a07012)
* WPS: Use Config Error 12 to indicate PBC overlap in M2DJouni Malinen2009-11-221-2/+4
| | | | | | | If PBC session overlap is detected between button press on the registrar and M1 is reception, report session overlap with the Config Error attribute in M2D to the Enrollee. (cherry picked from commit 7e3a67514f6afa45a90b0857921202d0384996e3)
* Fix dbus build without EAPJouni Malinen2009-11-221-0/+5
| | | | (cherry picked from commit e5fc45d7aec5270c0742e30956233ac28d50bedb)
* Include only the used DH groups in the buildJouni Malinen2009-11-221-1/+11
| | | | | | This reduces the binary size by 3 kB or so when WPS is included in the build, but IKEv2 is not. (cherry picked from commit dd01b1ff9d8a19c1e1b7e40d6df7d838d2ac34bb)
* nl80211: Recognize NL80211_CMD_TRIGGER_SCAN eventsJouni Malinen2009-11-221-0/+3
| | | | | | | | Replace "nl80211: Ignored unknown event (cmd=33)" with "nl80211: Scan trigger" to make debug output clearer. We do not currently do anything with this event apart from showing it in the debug log. (cherry picked from commit d942a79e6a9237b664e9973e11d109e2598340ab)
* DragonFly BSD: Fix wired IEEE 802.1XMasashi Honma2009-11-221-4/+4
| | | | | | | | | | | | | On DragonFly BSD, wired IEEE 802.1X fails with this message: ioctl[SIOC{ADD/DEL}MULTI]: Invalid argument This patch solves this issue. I have tested with these: OS : DragonFly BSD 2.4.0 EAP : EAP-TLS Switch : Cisco Catalyst 2950 (cherry picked from commit f335c69e148db2afcea6c22bcde73efd346d7812)
* Mac OS X: Fix wired IEEE 802.1XMasashi Honma2009-11-221-2/+2
| | | | (cherry picked from commit 40e107c1299deda181533d03eb8557580bc19ba0)
* WPS: Add parsing of AP Setup Locked attributeJouni Malinen2009-11-222-0/+9
| | | | (cherry picked from commit e9a2bca6f5e5dd7ef7aa62f6954b3877f41a1e34)