Commit Graph

13 Commits

Author SHA1 Message Date
Jouni Malinen
00468b4650 Add TLS client events, server probing, and srv cert matching
This allows external programs (e.g., UI) to get more information
about server certificate chain used during TLS handshake. This can
be used both to automatically probe the authentication server to
figure out most likely network configuration and to get information
about reasons for failed authentications.

The follow new control interface events are used for this:
CTRL-EVENT-EAP-PEER-CERT
CTRL-EVENT-EAP-TLS-CERT-ERROR

In addition, there is now an option for matching the server certificate
instead of the full certificate chain for cases where a trusted CA is
not configured or even known. This can be used, e.g., by first probing
the network and learning the server certificate hash based on the new
events and then adding a network configuration with the server
certificate hash after user have accepted it. Future connections will
then be allowed as long as the same server certificate is used.

Authentication server probing can be done, e.g., with following
configuration options:
    eap=TTLS PEAP TLS
    identity=""
    ca_cert="probe://"

Example set of control events for this:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' hash=5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=8 depth=0 subject='/C=US/ST=California/L=San Francisco/CN=Server/emailAddress=server@kir.nu' err='Server certificate chain probe'
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Server certificate matching is configured with ca_cert, e.g.:
    ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

This functionality is currently available only with OpenSSL. Other
TLS libraries (including internal implementation) may be added in
the future.
2010-02-13 11:14:23 +02:00
Jouni Malinen
7796f20edc Add new ctrl_iface event for EAP methods proposed by the server
This makes it easier for external programs to probe EAP server
preferences and potentially automatically detect which method
could be used.
2010-02-11 19:48:36 +02:00
Jouni Malinen
03da66bd59 Remove src/crypto from default include path
In addition, start ordering header file includes to be in more
consistent order: system header files, src/utils, src/*, same
directory as the *.c file.
2009-11-29 23:04:43 +02:00
Jouni Malinen
90973fb2fd Remove src/common from default header file path
This makes it clearer which files are including header from src/common.
Some of these cases should probably be cleaned up in the future not to
do that.

In addition, src/common/nl80211_copy.h and wireless_copy.h were moved
into src/drivers since they are only used by driver wrappers and do not
need to live in src/common.
2009-11-29 17:51:55 +02:00
Jouni Malinen
76f04b38b0 Preliminary support for FIPS mode operation with OpenSSL
wpa_supplicant can now be built with FIPS capable OpenSSL for FIPS mode
operation. Currently, this is only enabling the FIPS mode in OpenSSL
without providing any higher level enforcement in wpa_supplicant.
Consequently, invalid configuration will fail during the authentication
run. Proper configuration (e.g., WPA2-Enterprise with EAP-TLS) allows
the connection to be completed.
2009-08-16 14:24:22 +03:00
Jouni Malinen
f2d8fc3d96 Do not try session resumption after EAP failure
If session resumption fails for any reason, do not try it again because
that is just likely to fail. Instead, drop back to using full
authentication which may work. This is a workaround for servers that do
not like session resumption, but do not know how to fall back to full
authentication properly.
2009-02-15 17:36:49 +02:00
Jouni Malinen
01b0569437 Added protection against EAP-AKA' -> EAP-AKA bidding down attacks
AT_BIDDING attribute is included in EAP-AKA/Challenge to allow peer to
know whether the server would have preferred EAP-AKA'.
2008-12-05 22:25:47 +02:00
Jouni Malinen
398cfbf6be WPS: Moved mac_addr and uuid configuration into wps_context
There is no need to complicate EAPOL and EAP interfaces with WPS
specific parameters now that wps_context is passed through.
2008-11-28 20:44:47 +02:00
Jouni Malinen
116654ce24 WPS: Moved wps_context initialization into wps_supplicant.c
The wps_context data is now managed at wpa_supplicant, not EAP-WSC. This
makes wpa_supplicant design for WPS match with hostapd one and also
makes it easier configure whatever parameters and callbacks are needed
for WPS.
2008-11-28 20:32:13 +02:00
Jouni Malinen
f855f923a7 WPS: Moved UUID configuration from phase1 into global config area 2008-11-26 20:47:24 +02:00
Jouni Malinen
ad08c3633c Added preliminary Wi-Fi Protected Setup (WPS) implementation
This adds WPS support for both hostapd and wpa_supplicant. Both programs
can be configured to act as WPS Enrollee and Registrar. Both PBC and PIN
methods are supported.

Currently, hostapd has more complete configuration option for WPS
parameters and wpa_supplicant configuration style will likely change in
the future. External Registrars are not yet supported in hostapd or
wpa_supplicant. While wpa_supplicant has initial support for acting as
an Registrar to configure an AP, this is still using number of hardcoded
parameters which will need to be made configurable for proper operation.
2008-11-23 19:34:26 +02:00
Jouni Malinen
6982784e20 EAP-SIM/AKA: fixed initialization to verify PIN even if identity is set
Previously, hardcoded identity in the network configuration skipped both
IMSI reading and PIN verification. This broke cases where PIN is needed for
GSM/UMTS authentication. Now, only IMSI reading is skipped if identity is
hardcoded.
2008-11-07 20:09:44 +02:00
Jouni Malinen
6fc6879bd5 Re-initialize hostapd/wpa_supplicant git repository based on 0.6.3 release 2008-02-27 17:34:43 -08:00