This is a separate program and is used mainly with hostapd, so it is
better to move this into the hostapd subdirectory now that Milenage
code has already been moved into src/crypto. Milenage was the only
generic component in hlr_auc_gw.
eap_example is now using src/crypto/libcrypto.a and src/tls/libtls.a
instead of providing own rules for building the files for these
components. TLS library selection is temporarily disabled for
eap_example (it will be built using internal crypto/TLS), but the
configuration option for this will eventually be restored with a new
libcrypto.a configuration option.
Clean up the internal TLS implementation by removing conditional
build blocks for (mostly) EAP-FAST specific functionality. This
will increase the size a big for non-EAP-FAST builds, but is quite
helpful in making src/tls/libtls.a with single build options. If
the potential size reduction is considered significant in the future,
this can be reconsider with a more library compatible way (e.g.,
external file with registration function, etc.).
This allows libeap.a and libeap.so to be built by merging in multiple
libraries from src subdirectories. In addition, this avoids wasting
extra space and time for local builds.
This fixes issues with some GnuTLS versions that seem to be adding
quite a bit of extra data into TLS messages. The EAP server code is
now using the same 300 byte extra room that was already used in the
EAP peer implementation.
The following defines are not really needed in most places, so
remove them to clean up source code and build scripts:
EAP_TLS_FUNCS
EAP_TLS_OPENSSL
EAP_TLS_GNUTLS
CONFIG_TLS_INTERNAL
There seem to be some cases in which wpa_supplicant and
cfg80211/mac80211 seem to have different understanding on
authentication/association state. Since cfg80211/mac80211 is very strict
on when it accepts new authentication/association/scan commands, try our
best at clearing such state mismatches by explicitly deauthenticating
from BSSes with which the driver claims we are associated with if we do
not have local information about such association.
Print what the kernel believes the current BSS status (authenticated
or associated) is in scan results. In addition, check whether this
matches with the state that wpa_supplicant believes the driver to be
in.
This does not change the actual behavior, but will provide information
that will help in debugging potential issues where cfg80211/mac80211
seems to get into a different state from wpa_supplicant. In addition,
this provides an easy location for a workaround that could be added to
clear cfg80211/mac80211 state for unknown BSSes.
This is an initial step in further cleaning up the EAPOL authenticator
use to avoid requiring direct accesses to the internal data structures.
For now, number of external files are still including the internal
definitions from eapol_auth_sm_i.h, but eventually, these direct
references should be removed.
In addition, start ordering header file includes to be in more
consistent order: system header files, src/utils, src/*, same
directory as the *.c file.
This removes the hardcoded definition from Makefile and cleans up
source code by moving the mail HOSTAPD_DUMP_STATE blocks into separate
files to avoid conditional compilation within files.
While this may not include knowledge of all EAP methods since this
depends on build configuration, it is better to not have to include
ieee802_1x.h into eapol_sm.c.
This makes it clearer which files are including header from src/common.
Some of these cases should probably be cleaned up in the future not to
do that.
In addition, src/common/nl80211_copy.h and wireless_copy.h were moved
into src/drivers since they are only used by driver wrappers and do not
need to live in src/common.
This avoids passing the raw scan results into the RSN code and by
doing so, removes the only dependency on src/drivers from the
src/rsn_supp code (or from any src subdirectory for that matter).
Instead of using hardcoded maximum A-MPDU length of 64 kB and no
restrictions on minimum MPDU Start Spacing, use the correct values
reported by the driver.
This is not actually used at all and it looks like the rules for
maintaining the old/new RADIUS configuration are not very clear in the
case the RADIUS client configuration did not change. Consequently, it
is better to just remove this for now and if similar functionality is
ever needed, redesign it to be easier to use without causing hard to
find issues with using freed memory.
Simpler approach to reconfiguring the RADIUS client would involve
just deinitializing the old context unconditionally and initializing
a new one whenever the configuration could have changed.
Use shared functions for converting Primary Device Type between binary
and string formats. In addition, use array of eight octets instead of a
specific structure with multiple fields to reduce code complexity.
Mainly, this is including header files to get definitions for functions
which is good to verify that the parameters match. None of these are
issues that would have shown as incorrect behavior of the program.
This gets rid of previously deprecated driver_ops handlers set_wpa,
set_drop_unencrypted, set_auth_alg, set_mode. The same functionality
can be achieved by using the init/deinit/associate handlers.
These driver wrappers should not be used anymore; WEXT should be used
instead. However, there may still be users stuck on older kernel versions
that may require driver specific wrappers, so the source code still
remains in the repository.
This moves the MTU definition into driver_hostap.c since it was really
meant to be specific to this driver. Since this was the last remaining
definition in hostapd_defs.h, remove that header file as unnecessary.
This code was copied from driver_hostap.c where it is used with the
special wlan#ap interface. It was not supposed to be used to change
the MTU for a normal data interface.
Clean up driver_nl80211.c by gettign rid of the last remaining WEXT use.
This requires that a recent mac80211 version is used to get full protection
in station mode via the authorized flag (IEEE 802.1X PAE).
Clean up driver interface by merging hostapd and wpa_supplicant
specific set_beacon driver_ops into a single one. In addition,
merge set_beacon_int into to the same operation.
If initialization fails, we could potentially try to sendto() on -1
socket which would fail. No point in doing that, so just return early
from the function.
The current MinGW/w32api versions seem to provide all the needed CryptoAPI
functions, so the code for loading these dynamically from the DLL can be
removed.
Need to define the workspace buffer properly to allow compiler to handle
strict aliasing between the incoming unsigned char[64] buffer as an u32
array. The previous version built with strict aliasing enabled can
result in SHA-1 producing incorrect results and consequently, with
4-way handshake failing.
This is based on a report and patch from Dan Williams <dcbw@redhat.com>
but with a different type (the union) used as a fix to avoid needing
extra type casting.
Discovered as part of the investigation of:
https://bugzilla.redhat.com/show_bug.cgi?id=494262#c32
if sha1 is built with gcc without turning off strict aliasing, it will
fail to correctly generate the hashes and will fail its own testcases as
well.
Signed-off-by: Dan Williams <dcbw@redhat.com>
This avoids some issues in cases where the ER has been started and
stopped multiple times on the same address and an AP may have stored
multiple event notification addresses for the same ER. The random
identifier allows the ER to filter out unexpected messages from further
processing.
Do not give the allocated memory to the subscription code since it was
not using it as-is anyway. This makes it easier to understand who owns
the allocation an is responsible of freeing it. This may potentially
fix some memory leaks on error paths.
The WPS 1.0h specification is quite unclear on what exactly should be
used as the MAC Address value in the Credential and AP Settings. It
looks like this should after all be the MAC Address of the Enrollee,
so change Registrar implementation to use that address instead of the
AP BSSID.
In addition, add validation code to the Enrollee implementation to
check the MAC Address value inside Credential (and also inside AP Settings)
to make sure it matches with the Enrollee's own address. However, since
there are deployed implementations that do not follow this interpretation
of the spec, only show the mismatch in debug information to avoid breaking
interoperability with existing devices.
This will need some additional code in wps_er_pbc() to handle PBC mode
enabling for a single AP only. For now, this can only be expected to work
when the ER is connected to a single AP.
UPnP device architecture specification requires all evented variables to
be included in the initial event message after subscription. Since this
can happen before we have seen any events, generated a dummy event
(WSC_ACK with all-zeros nonces) if needed.
This will notify control points of the services going away and allows
them to notice this without having to wait timeout on the
initial advertisements.
This removes following WFA WLANConfig Service actions and the related
state variables: GetAPSettings, SetAPSettings, DelAPSettings,
GetSTASettings, SetSTASettings, DelSTASettings, RebootAP,
ResetAP, RebootSTA, ResetSTA.
While WFA WLANConfig Service version 1.0 claims that some of these are
mandatory to implement for an AP, there are no known implementations
supporting these actions neither in an AP/proxy or an External Registrar
that would use them. These are unlikely to be supported in the future
either and as such, it is just simpler to get rid of them to clean up
the implementation and reduce code size.
When using UPnP transport, the Op-Code is not included, but the WPS
frame processing will need this. Generate a matching Op-Code based
on the message type.
Previously, WSC_MSG was hardcoded for every message from ER, but
this needs to be changed based on message type to send a valid
message to the Enrollee via EAP transport.
New PINs can now be added to WPS ER. This results in the ER code
using SetSelectedRegistrar to modify AP state so that Enrollees
will be able to notice the actice registrar more easily.
This keeps STA/Enrollee entries up to date and sets up registration
protocol session. M1 is processed and M2D generated, but the there
is no code yet to transmit the response back to the AP with
PutWLANResponse.
