Commit log for path root/src
Commit message | Author | Age | Files | Lines
* Preparations for 0.6.3 release | Jouni Malinen | 2008-02-23 | 1 | -1/+1
* Removed a couple of forgotten references | Jouni Malinen | 2008-02-23 | 2 | -3/+1
* Removed forgotten file | Jouni Malinen | 2008-02-23 | 1 | -1/+0
* Removed WPS support | Jouni Malinen | 2008-02-23 | 21 | -5866/+1
* EAP-IKEv2 specification has been released as RFC 5106 | Jouni Malinen | 2008-02-22 | 4 | -4/+4
* Fix ndis_events.c to use correct string type for some IWbem calls | Ridouan Agarad | 2008-02-16 | 1 | -18/+93
  wpa_supplicant on Windows 2000 has been failing due to WMI errors. It seems that when COM needs to do marshaling, the failures occurred. Further looking showed that some function calls (such as IWbemServices_ExecQuery) passed L"" strings, while BSTRs needed to be passed. Making a wrapper to convert WCHARs to BSTRs solved the problem and the supplicant is now working OK on Windows 2000. Potentially, the same situation could also occur on Windows XP, but for some reason marshaling was not triggered while performing my tests on XP.
* Fixed function documentation (text copied from another function) | Jouni Malinen | 2008-02-16 | 1 | -4/+0
* Fixed EAP-PEAP not to allow server to claim success when Phase 2 EAP method | Jouni Malinen | 2008-02-15 | 3 | -7/+36
  has been started, but has not yet completed successfully. Server is still allowed to skip Phase 2 EAP completely since that is the standard way of handling fast session resumption. However, if the server starts Phase 2 EAP authentication, this negotiation has to be completed before protected success notification can be used to terminate EAP-PEAP successfully.
* Updated EAP-TLV definitions to use new EAP-PEAP draft version -10 | Jouni Malinen | 2008-02-10 | 4 | -14/+17
  draft-josefsson-ppext-eap-tls-eap-10.txt removes conflicts with the TLV types defined for EAP-FAST (RFC 4851), so this cleans up some of the definitions.
* Added some preliminary code for PEAPv2 style TLV encapsulation | Jouni Malinen | 2008-02-10 | 2 | -6/+236
  The Phase 2 EAP messages are now encapsulated in EAP-Payload TLV if PEAPv2 is used. In addition, the EAP-Request/Identity is sent with the Phase 1 Server Finished message.
* Fixed EAPOL not to end up in infinite loop with dynamic WEP keys | Jouni Malinen | 2008-02-06 | 3 | -6/+10
  eapol_sm_notify_lower_layer_success() was modified in 0.6.x to call eapol_sm_step(). This was fine for WPA-Enterprise case, but the IEEE 802.1X with dynamic WEP was calling eapol_sm_notify_lower_layer_success() from inside the EAPOL state machine and the extra call to eapol_sm_step() triggered an infinite loop with eapol_sm_processKey(). This is now avoided by telling eapol_sm_notify_lower_layer_success() whether the caller is already in EAPOL state machine loop.
* Check for src/ subdirectories on clean | Kel Modderman | 2008-02-04 | 1 | -1/+1
  If src/wps/ is to be pruned from the release tarball by build_release, then "make clean" should not fail. Check for existence of each directory in src/ in clean target.
  Signed-off-by: Kel Modderman <kel@otaku42.de>
* Added more debug to issuer name validation error | Jouni Malinen | 2008-02-04 | 1 | -0/+8
* Extend the identity workaround to remove all trailing null characters | Jouni Malinen | 2008-02-04 | 2 | -2/+2
* Do not call Phase 2 method buildReq() if initialization failed | Jouni Malinen | 2008-02-03 | 1 | -0/+5
  EAP-FAST with EAP-SIM as an inner method could trigger a NULL pointer dereference if EAP-SIM DB was not configured. Avoid this by not calling buildReq() for the Phase 2 method if initialization failed.
* Mark EAP-TTLS Phase 2 successfully completed even in MAY_CONT state | Jouni Malinen | 2008-02-03 | 1 | -2/+2
  This used to require EAP workarounds to be enabled, but EAP-SIM and EAP-AKA can leave Phase 2 in MAY_CONT state if protected result indication is not used. Consequently, EAP-TTLS would be unable to derive keys in such a case even though authentication was completed successfully.
* Added more debug information for EAP keyData retrieval | Jouni Malinen | 2008-02-03 | 1 | -3/+13
* Added support for pending EAP Phase 2 processing | Jouni Malinen | 2008-02-03 | 3 | -5/+64
  Store and re-use the decrypted Phase 2 data in EAP-{PEAP,TTLS,FAST} if the Phase 2 method enters pending wait state. This allows EAP-SIM and EAP-AKA to be used as the Phase 2 method.
* Fixed EAP-SIM Start/Response message for fast reauthentication | Jouni Malinen | 2008-02-03 | 1 | -8/+10
  Do not include AT_NONCE_MT and AT_SELECTED_VERSION attributes in EAP-SIM Start/Response when using fast reauthentication. These attributes are only used for full authentication.
* Fixed EAP-SIM Start response processing for fast reauthentication case | Jouni Malinen | 2008-02-03 | 1 | -14/+14
  The AT_NONCE_MT and AT_SELECTED_VERSION attributes are only included in the SIM/Start response when using full authentication. Fixed the code not to require these to be present when fast reauthentication is used.
* EAP-SIM/AKA: Ignore client error when sending success result indication | Jouni Malinen | 2008-02-03 | 2 | -2/+8
  RFCs require the EAP-SIM/AKA server to ignore the contents of a response to the protected success indication, so ignore client error in this case and reply with EAP-Success.
* Remove AT_COUNTER from EAP-SIM/AKA result indication in full authentication | Jouni Malinen | 2008-02-03 | 2 | -30/+36
  Previous version was incorrectly including AT_COUNTER in the Notification message even for full authentication. This caused interoperability issues and was against the RFCs, so AT_COUNTER (and the additional encryption attributes) is now only included in case the notification follows fast reauthentication.
* Include AT_ANY_ID_REQ in EAP-SIM/AKA start/identity per RFC recommendation | Jouni Malinen | 2008-02-03 | 2 | -0/+15
  This identity request is not really needed if EAP-Response/Identity already includes the correct identity. However, since RFC 4186/4187 recommend that the EAP identity is ignored, it is safer to do that here should some peer implementations behave incorrectly.
* EAP-SIM/AKA workaround for incorrect null termination in the username | Jouni Malinen | 2008-02-03 | 3 | -7/+24
  It looks like some EAP-SIM/AKA peer implementations include an extra null termination at the end of the identity/username. These implementations do not seem to include these null characters in key derivation and that would result in a key mismatch. As a workaround, drop the possible null characters from the end of the identity/username for key derivation.
* Fixed EAP-SIM/AKA realm processing to allow decorated usernames to be used | Jouni Malinen | 2008-02-03 | 1 | -10/+32
  The identity length needs to be compared to IMSI length only after the possible realm has been removed to avoid rejecting decorated usernames (e.g., 1<IMSI>@wlan.mnc###.mcc###.3gppnetwork.org).
* Added CTRL-EVENT-SCAN-RESULTS event | Jouni Malinen | 2008-01-30 | 1 | -0/+2
  This event notifies ctrl_iface monitors of availability of new scan results.
* Removed WPS support from wpa_supplicant. | Jouni Malinen | 2008-01-26 | 9 | -528/+1
* RADIUS server: Copy optional Proxy-State attribute(s) into response | Jouni Malinen | 2008-01-24 | 3 | -15/+26
  RFC 2865 requires that these attributes are copied unmodified and in order into the response packet.
* TNC: Cleaned up conditional TNC integration in EAP-TTLS | Jouni Malinen | 2008-01-20 | 1 | -52/+56
* TNC: Fixed processing of TNC after non-EAP TTLS Phase 2 authentication | Jouni Malinen | 2008-01-20 | 1 | -2/+8
  EAP-TTLS/MSCHAPv2 with TNC was failing since MSCHAPv2 handler was called for a TNC message. If EAP-TNC is started (after Phase 2 authentication), non-EAP methods are not used anymore when processing decrypted Phase 2 data.
* Moved MSCHAPv2 implementation into a shared file for EAP peer | Jouni Malinen | 2008-01-20 | 4 | -170/+186
  This allows EAP-MSCHAPv2 and EAP-TTLS to share the common MSCHAPv2 functionality. In addition, code is cleaned up by using a couple of additional defines for constants.
* Include MD5, SHA1, AES functions even without TLS_FUNCS | Jouni Malinen | 2008-01-16 | 1 | -2/+0
  These functions are needed for WPS, so include them in builds that include crypto support, but do not require TLS.
* Fixed handling of an invalid configuration with no RADIUS server | Jouni Malinen | 2008-01-16 | 1 | -0/+14
  Previous version was trying to dereference a NULL pointer if no RADIUS authentication/accounting server was configured, but the AP was still configured to use IEEE 802.1X without internal EAP server.
* WPS: Fixed generation of WPS IE for Probe Request not to dereference NULL | Jouni Malinen | 2008-01-16 | 1 | -1/+1
* FT: Use AES-128-CMAC for MIC regardless of pairwise cipher suite | Jouni Malinen | 2008-01-15 | 4 | -30/+19
  IEEE 802.11r was changed to use AES-128-CMAC for MIC in EAPOL-Key and FT Action frames regardless of the negotiated pairwise cipher suite. This changed a couple of drafts back, but the implementation here was still using the old version that had different MIC algorithm for cases when CCMP was not the negotiated cipher suite.
* FT: Use new key name labels from IEEE 802.11r/D9.0 | Jouni Malinen | 2008-01-15 | 1 | -14/+14
* WPS: Reject new Registrar registration if AP is in locked state | Jouni Malinen | 2008-01-14 | 2 | -2/+40
* WPS: Fixed a typo | Jouni Malinen | 2008-01-14 | 1 | -1/+1
* WPS: Added callbacks to notify hostapd about new AP Settings | Jouni Malinen | 2008-01-14 | 3 | -1/+6
  hostapd_wps_cred_cb() in wps_hostapd.c is now called when a Registrar has configured the AP. This function is currently only showing the new configuration in debug output and sending a notification to ctrl_iface monitors, i.e., the configuration is not yet taken into use or stored.
* WPS: Show received/expected nonce in debug log if a mismatch is detected | Jouni Malinen | 2008-01-14 | 1 | -0/+8
  It looks like Intel PROSet is sending incorrect Enrollee Nonce in WSC_NACK message when terminating Registrar registration after M7 (i.e., when not updating AP configuration). Now the reason for this error is more obvious from hostapd debug log since the received Enrollee Nonce (all zeroes) is shown.
* WPS: Move device-specific data from Registrar to generic WPS context | Jouni Malinen | 2008-01-14 | 12 | -105/+76
  This adds a new struct wps_context for device-specific data that fits better for a number of variables than struct wps_registrar. This allows AP configuration to be provided to Enrollee code so that M7 can be built with current AP configuration for external Registrar registration. In addition, Network Key is now hex encoded in wps_hostapd.c if needed to use correct fixed-PSK/passphrase setting. It should be noted that the option of using per-device PSK works only when the supplicant is acting as an Enrollee. If the supplicant is acting as a Registrar, generating a new per-device PSK would likely not work since the external Registrar could provision that PSK to other devices.
* Cleaned up rsn_supp interface by removing direct struct wpa_ssid uses | Jouni Malinen | 2008-01-14 | 7 | -55/+79
  This removes the need to include wpa_supplicant/config_ssid.h into src/rsn_supp files. Only the needed configuration parameters are set to struct wpa_sm and wpa_s->current_ssid pointer is used as a context pointer (void *) that is not dereferenced in src/rsn_supp.
* Do not dereference a potential NULL pointer to get EAP configuration | Jouni Malinen | 2008-01-14 | 1 | -1/+2
* Removed wpa_supplicant directory from the default include directories | Jouni Malinen | 2008-01-14 | 9 | -16/+16
  This removes unnecessary inclusion of header files from wpa_supplicant subdirectory into files under src directory. A couple of exceptions in src/rsn_supp are still using config_ssid.h, but they will now need to provide more complete path for the file. These uses should eventually be removed by providing the needed data through struct wpa_sm.
* Moved struct wpa_config_blob definition into src/eap_peer/eap_config.h | Jouni Malinen | 2008-01-14 | 3 | -2/+31
  wpa_supplicant configuration blobs are only used for EAP specific parameters and this cleans up the header file inclusion in EAP peer code not to require a header file from wpa_supplicant directory.
* Moved EAP peer configuration parameter to an EAP specific data structure | Jouni Malinen | 2008-01-14 | 16 | -111/+672
  This cleans up the interface between EAP peer module and core wpa_supplicant code by defining the EAP-specific parts of struct wpa_ssid in src/eap_peer/eap_config.h and including this structure as part of the wpa_supplicant network configuration data (struct wpa_ssid). The EAP peer code is now only using struct eap_peer_config and does not need to include wpa_supplicant/config_ssid.h. Parts of the pending request for EAP parameters (identity, password, etc.) were also moved to wpas_glue.c since EAP peer code should not need to know anything about the current SSID.
* Simplified EAP-PSK/PAX/SAKE/GPSK configuration | Jouni Malinen | 2008-01-13 | 4 | -70/+55
  Replaced 'nai' with 'identity' and 'eappsk' with 'password' in network configuration block for EAP-PSK/PAX/SAKE/GPSK. If 'identity' was used as an anonymous identity previously (i.e., EAP-Response/Identity value), the same functionality can be achieved by using 'anonymous_identity'. This simplifies the EAP peer method configuration by sharing the same parameters for all methods using username/NAI and password/PSK. This is otherwise functionally identical to previous version, but EAP-PAX does not support variable length passwords anymore (i.e., the SHA-1 hashing of a password was removed).
* Fix setting transmit key index with older orinoco/prism54 drivers | Dan Williams | 2008-01-13 | 1 | -1/+1
  I can't see why this is a problem with recent kernels, since both the orinoco and prism54 drivers seem to handle this case correctly from a scan of their IWENCODE handlers. However, it was certainly an issue with older drivers for these cards, where they would reject attempts to set the transmit key because they expected that the key would be NULL if the key length was 0. I believe the regression possibility is small, because (a) it only affects drivers that don't support IWENCODEEXT of which there are few, and (b) we've been running it in Fedora for almost 2 years now.
* WPS: Preliminary AP/Enrollee processing for credentials | Jouni Malinen | 2008-01-13 | 2 | -38/+143
  Send dummy values as AP configuration in M7 and parse the new AP configuration in M8. This is complete enough to finish AP/Enrollee negotiation successfully, but the used configuration values are not read from the AP configuration and the received configuration is not stored or taken into use.
* WPS: Added WSC_ACK and WSC_NACK processing for Authenticator/Enrollee case | Jouni Malinen | 2008-01-13 | 2 | -2/+110