path: root/src/eapol_supp/eapol_supp_sm.c
Commit message (Author, Age, Files, Lines)
* Fix EAPOL supplicant port authorization with PMKSA caching (Jouni Malinen, 2012-10-27, 1 file, -4/+1)

  The previous eapol_sm_notify_cached() implementation forced the port to be authorized when receiving EAPOL-Key msg 1/4 that included a matching PMKID in cases when PMKSA caching is used. This is too early since the port should really be authorized only after the PTK has been configured which is the case when PMKSA caching is not used. Fix this by using the EAPOL supplicant PAE state machine to go through the AUTHENTICATING and AUTHENTICATED states instead of forcing a jump to AUTHENTICATED without performing full state machine steps. This can be achieved simply by marking eapSuccess TRUE at least with the current version of EAP and EAPOL state machines (the earlier commits in this function seemed to indicate that this may have not been that easy in the older versions due to the hacks needed here).

  This addresses an issue with nl80211-based driver interface when the driver depends on the STA Authorized flag being used to prevent unprotected frames from being accepted (both TX and RX) prior to PTK configuration.

  Signed-hostap: Jouni Malinen <j@w1.fi>
  intended-for: hostap-1
* EAP-SIM/AKA: Store pseudonym identity in configuration (Jouni Malinen, 2012-09-02, 1 file, -1/+11)

  Use the anonymous_identity field to store EAP-SIM/AKA pseudonym identity so that this can be maintained between EAP sessions (e.g., after wpa_supplicant restart) even if fast re-authentication data was cleared.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Clear idleWhile timer when EAP peer state machine is not in use (Jouni Malinen, 2012-08-26, 1 file, -1/+2)

  This allows the EAPOL tick timer to be stopped more quickly when getting disconnected.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Disable network block temporarily on authentication failures (Jouni Malinen, 2012-08-26, 1 file, -0/+8)

  If 4-way handshake fails due to likely PSK failure or if EAP authentication fails, disable the network block temporarily. Use longer duration if multiple consecutive failures are seen.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* FIPS: Remove MD5 from the CONFIG_FIPS=y build (Jouni Malinen, 2012-08-16, 1 file, -0/+2)

  When CONFIG_FIPS=y is used, do not include MD5 in the build and disable EAPOL-Key frames that use MD5 (WPA/TKIP and dynamic WEP with IEEE 802.1X).

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Add explicit EAPOL-Key length validation in processKey() (Jouni Malinen, 2012-08-07, 1 file, -2/+6)

  These checks would not really be needed since eapol_sm_rx_eapol() validates the length fields. Anyway, these make it more obvious to anyone reviewing the code that there are no integer underflow issues in processKey().

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Share a single definition of EAPOL-Key structure for WEP keys (Jouni Malinen, 2012-08-07, 1 file, -40/+0)

  Signed-hostap: Jouni Malinen <j@w1.fi>
* EXT PW: Add support for password parameter from external storage (Jouni Malinen, 2012-08-03, 1 file, -1/+9)

  This allows the password parameter for EAP methods to be fetched from an external storage. The following example can be used for developer testing:

      ext_password_backend=test:pw1=password|pw2=testing

      network={
          key_mgmt=WPA-EAP
          eap=TTLS
          identity="user"
          password=ext:pw1
          ca_cert="ca.pem"
          phase2="auth=PAP"
      }

  Signed-hostap: Jouni Malinen <j@w1.fi>
* wpa_supplicant: Report EAP connection progress to DBus (Paul Stewart, 2012-06-04, 1 file, -1/+13)

  Send an "EAP" signal via the new DBus interface under various conditions during EAP authentication:
  - During method selection (ACK and NAK)
  - During certificate verification
  - While sending and receiving TLS alert messages
  - EAP success and failure messages

  This provides DBus callers a number of new tools:
  - The ability to probe an AP for available EAP methods (given an identity).
  - The ability to identify why the remote certificate was not verified.
  - The ability to identify why the remote peer refused a TLS connection.

  Signed-hostap: Paul Stewart <pstew@chromium.org>
* Remove the GPL notification from files contributed by Jouni Malinen (Jouni Malinen, 2012-02-11, 1 file, -8/+2)

  Remove the GPL notification text from the files that were initially contributed by myself.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Clear EAPOL authWhile and heldWhile values when port is disabled (Jouni Malinen, 2011-12-31, 1 file, -0/+18)

  IEEE Std 802.1X-2004 does not clear authWhile and heldWhile in this case, but doing so allows the timer tick to be stopped more quickly when the port is not enabled. Since these variables are used only within HELD and RECEIVE states, clearing them on initialization does not change actual state machine behavior. This reduces some unnecessary operations in port disabled state and cleans up the wpa_supplicant debug log after disconnection.

  Signed-hostap: Jouni Malinen <j@w1.fi>
* Use an enum for EAP SM requests (Dan Williams, 2011-10-30, 1 file, -1/+1)

  Control requests will be extended for non-EAP uses later, so it makes sense to have them be generic. Furthermore, having them defined as an enum is easier for processing internally, and more generic for control interfaces that may not use field names. The public ctrl_req_type / field_name conversion function will be used later by the D-Bus control interface too.

  Signed-off-by: Dan Williams <dcbw@redhat.com>
* Fix typos found by codespell (Pavel Roskin, 2011-09-21, 1 file, -1/+1)

  Signed-off-by: Pavel Roskin <proski@gnu.org>
* eapol_test: Add option for writing server certificate chain to a file (Jouni Malinen, 2011-09-17, 1 file, -0/+1)

  eapol_test command line argument -o<file> can now be used to request the received server certificate chain to be written to the specified file. The certificates will be written in PEM format. [Bug 391]
* Add dbus signal for information about server certification (Michael Chang, 2011-07-05, 1 file, -1/+11)

  In general, this patch attempts to extend commit 00468b4650998144f794762206c695c962c54734 with dbus support. This can be used by a dbus client to implement a subject match text entry with a preset value probed from the server. This preset value, if the user accepts it, is remembered and passed to the subject_match config for any future authentication.

  Signed-off-by: Michael Chang <mchang@novell.com>
* eapol_supp: Request EAP method from EAP state machine (Paul Stewart, 2011-03-15, 1 file, -0/+15)

  Signed-off-by: Paul Stewart <pstew@google.com>
* Remove unnecessary defines (Jouni Malinen, 2009-12-05, 1 file, -2/+0)

  The following defines are not really needed in most places, so remove them to clean up source code and build scripts:

      EAP_TLS_FUNCS
      EAP_TLS_OPENSSL
      EAP_TLS_GNUTLS
      CONFIG_TLS_INTERNAL
* Remove src/crypto from default include path (Jouni Malinen, 2009-11-29, 1 file, -6/+6)

  In addition, start ordering header file includes to be in more consistent order: system header files, src/utils, src/*, same directory as the *.c file.
* Remove src/common from default header file path (Jouni Malinen, 2009-11-29, 1 file, -1/+1)

  This makes it clearer which files are including headers from src/common. Some of these cases should probably be cleaned up in the future not to do that.

  In addition, src/common/nl80211_copy.h and wireless_copy.h were moved into src/drivers since they are only used by driver wrappers and do not need to live in src/common.
* Move RC4 into crypto.h as a replaceable crypto function (Jouni Malinen, 2009-08-16, 1 file, -1/+1)

  This allows crypto library wrappers to override the internal RC4 implementation in the same way as can already be done for other crypto algorithms.
* Remove rc4() wrapper (Jouni Malinen, 2009-08-16, 1 file, -2/+2)

  This is not really of that much use since rc4_skip() can be used as easily. In addition, rc4 has caused some symbol conflicts in the past, so it is easier to live without that as an exported symbol.
* Add new wpa_supplicant driver op for setting 802.1X port status (Jouni Malinen, 2009-04-22, 1 file, -0/+24)

  This can be used with drivers that implement PAE to control whether normal data frames (non-EAPOL) are allowed.
* Reduce latency on starting WPS negotiation (TX EAPOL-Start earlier) (Jouni Malinen, 2009-02-23, 1 file, -0/+5)

  Reduce startWhen from 3 to 1 second if WPS is included in the build. While this is done regardless of runtime WPS configuration, it is fine to use a smaller value here in general. This cuts two seconds out from WPS negotiation if the driver does not support addition of WPS IE into the (Re)Association Request frame.
* Add an EAPOL payload length workaround for a WPS implementation (Jouni Malinen, 2009-01-23, 1 file, -0/+26)

  Buffalo WHR-G125 Ver.1.47 seems to send EAP-WPS packets with too short EAPOL header length field (14 octets regardless of EAP frame length). This is fixed in firmware Ver.1.49, but the broken version is included in many deployed APs. As a workaround, fix the EAPOL header based on the correct length in the EAP packet. This workaround can be disabled with eap_workaround=0 option in the network configuration.
* WPS: Moved mac_addr and uuid configuration into wps_context (Jouni Malinen, 2008-11-28, 1 file, -2/+0)

  There is no need to complicate EAPOL and EAP interfaces with WPS specific parameters now that wps_context is passed through.
* WPS: Moved wps_context initialization into wps_supplicant.c (Jouni Malinen, 2008-11-28, 1 file, -15/+1)

  The wps_context data is now managed at wpa_supplicant, not EAP-WSC. This makes the wpa_supplicant design for WPS match the hostapd one and also makes it easier to configure whatever parameters and callbacks are needed for WPS.
* WPS: Merged two cred_cb variables into the same one (Jouni Malinen, 2008-11-28, 1 file, -1/+1)

  Previously, wpa_supplicant as Enrollee case was handled using a different callback function pointer. However, now that the wps_context structure is allocated for all cases, the same variable can be used in all cases.
* WPS: Moved UUID configuration from phase1 into global config area (Jouni Malinen, 2008-11-26, 1 file, -0/+1)
* Added preliminary Wi-Fi Protected Setup (WPS) implementation (Jouni Malinen, 2008-11-23, 1 file, -0/+16)

  This adds WPS support for both hostapd and wpa_supplicant. Both programs can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN methods are supported. Currently, hostapd has more complete configuration options for WPS parameters and the wpa_supplicant configuration style will likely change in the future.

  External Registrars are not yet supported in hostapd or wpa_supplicant. While wpa_supplicant has initial support for acting as a Registrar to configure an AP, this is still using a number of hardcoded parameters which will need to be made configurable for proper operation.
* Fixed EAPOL skip for PMKSA caching case to remain in authenticated state (Jouni Malinen, 2008-10-25, 1 file, -0/+2)

  Need to make sure that portValid is TRUE in order to avoid the PAE state machine going into DISCONNECTED state on eapol_sm_step(). This could be triggered at least with OKC.
* Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release (Jouni Malinen, 2008-02-28, 1 file, -0/+1842)