[pkg-wpa-devel] r1291 - in /wpasupplicant/trunk: debian/ patches/ src/common/ src/crypto/ src/drivers/ src/eap_common/ src/eap_peer/ src/eap_server/ src/hlr_auc_gw/ src/rsn_supp/ wpa_supplicant/ wpa_supplicant/doc/docbook/ wpa_supplicant/wpa_gui-qt4/ wpa_supplicant/wpa_gui-qt4/icons/
kelmo-guest at users.alioth.debian.org
kelmo-guest at users.alioth.debian.org
Sun Dec 7 13:49:05 UTC 2008
Author: kelmo-guest
Date: Sun Dec 7 13:49:04 2008
New Revision: 1291
URL: http://svn.debian.org/wsvn/pkg-wpa/?sc=1&rev=1291
Log:
* New upstream release.
* Update debian/copyright to include copyright holders of new source files
(src/drivers/driver_roboswitch.*).
Added:
wpasupplicant/trunk/src/drivers/driver_roboswitch.c
- copied unchanged from r1290, wpasupplicant/branches/upstream/current/src/drivers/driver_roboswitch.c
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/icons_png.qrc
- copied unchanged from r1290, wpasupplicant/branches/upstream/current/wpa_supplicant/wpa_gui-qt4/icons_png.qrc
Modified:
wpasupplicant/trunk/debian/changelog
wpasupplicant/trunk/debian/copyright
wpasupplicant/trunk/patches/openssl-0.9.9-session-ticket.patch
wpasupplicant/trunk/src/common/version.h
wpasupplicant/trunk/src/crypto/tls_openssl.c
wpasupplicant/trunk/src/drivers/driver.h
wpasupplicant/trunk/src/drivers/driver_broadcom.c
wpasupplicant/trunk/src/drivers/driver_ndis.c
wpasupplicant/trunk/src/drivers/driver_wext.c
wpasupplicant/trunk/src/drivers/drivers.c
wpasupplicant/trunk/src/eap_common/eap_sim_common.c
wpasupplicant/trunk/src/eap_common/eap_sim_common.h
wpasupplicant/trunk/src/eap_peer/eap.c
wpasupplicant/trunk/src/eap_peer/eap_aka.c
wpasupplicant/trunk/src/eap_peer/eap_config.h
wpasupplicant/trunk/src/eap_peer/eap_fast.c
wpasupplicant/trunk/src/eap_peer/eap_peap.c
wpasupplicant/trunk/src/eap_peer/eap_sim.c
wpasupplicant/trunk/src/eap_peer/eap_tls.c
wpasupplicant/trunk/src/eap_peer/eap_tls_common.c
wpasupplicant/trunk/src/eap_server/eap_aka.c
wpasupplicant/trunk/src/eap_server/eap_fast.c
wpasupplicant/trunk/src/eap_server/eap_tls.c
wpasupplicant/trunk/src/hlr_auc_gw/milenage.c
wpasupplicant/trunk/src/hlr_auc_gw/milenage.h
wpasupplicant/trunk/src/rsn_supp/wpa.c
wpasupplicant/trunk/src/rsn_supp/wpa.h
wpasupplicant/trunk/src/rsn_supp/wpa_i.h
wpasupplicant/trunk/wpa_supplicant/ChangeLog
wpasupplicant/trunk/wpa_supplicant/Makefile
wpasupplicant/trunk/wpa_supplicant/README
wpasupplicant/trunk/wpa_supplicant/README-Windows.txt
wpasupplicant/trunk/wpa_supplicant/config.c
wpasupplicant/trunk/wpa_supplicant/config_file.c
wpasupplicant/trunk/wpa_supplicant/config_ssid.h
wpasupplicant/trunk/wpa_supplicant/config_winreg.c
wpasupplicant/trunk/wpa_supplicant/defconfig
wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml
wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
wpasupplicant/trunk/wpa_supplicant/eap_testing.txt
wpasupplicant/trunk/wpa_supplicant/events.c
wpasupplicant/trunk/wpa_supplicant/scan.c
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/icons/Makefile
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/main.cpp
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/scanresults.cpp
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/setup-mingw-cross-compiling
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro
wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpagui.cpp
wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c
wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.conf
wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h
wpasupplicant/trunk/wpa_supplicant/wpas_glue.c
Modified: wpasupplicant/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/debian/changelog?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/debian/changelog (original)
+++ wpasupplicant/trunk/debian/changelog Sun Dec 7 13:49:04 2008
@@ -1,3 +1,11 @@
+wpasupplicant (0.6.6-1) experimental; urgency=low
+
+ * New upstream release.
+ * Update debian/copyright to include copyright holders of new source files
+ (src/drivers/driver_roboswitch.*).
+
+ -- Kel Modderman <kel at otaku42.de> Sun, 07 Dec 2008 23:43:59 +1000
+
wpasupplicant (0.6.5-2) experimental; urgency=low
* Bugfix: "Missing -d in testing for a directory in init script".
Modified: wpasupplicant/trunk/debian/copyright
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/debian/copyright?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/debian/copyright (original)
+++ wpasupplicant/trunk/debian/copyright Sun Dec 7 13:49:04 2008
@@ -56,6 +56,10 @@
Copyright: Copyright (c) 2007, Snowpin Lee <snowpin_lee at ralinktech.com.tw>
License: BSD | GPL-2
+Files: src/drivers/driver_roboswitch.*
+Copyright: Copyright (c) 2008 Jouke Witteveen
+License: BSD | GPL-2
+
Files: src/l2_packet/l2_packet_freebsd.c
Copyright: Copyright (c) 2003-2005, Jouni Malinen <j at w1.fi>
Copyright: Copyright (c) 2005, Sam Leffler <sam at errno.com>
Modified: wpasupplicant/trunk/patches/openssl-0.9.9-session-ticket.patch
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/patches/openssl-0.9.9-session-ticket.patch?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/patches/openssl-0.9.9-session-ticket.patch (original)
+++ wpasupplicant/trunk/patches/openssl-0.9.9-session-ticket.patch Sun Dec 7 13:49:04 2008
@@ -6,32 +6,35 @@
-Index: openssl-SNAP-20080928/ssl/s3_clnt.c
-===================================================================
---- openssl-SNAP-20080928.orig/ssl/s3_clnt.c
-+++ openssl-SNAP-20080928/ssl/s3_clnt.c
-@@ -788,6 +788,20 @@ int ssl3_get_server_hello(SSL *s)
+Index: openssl-SNAP-20081111/ssl/s3_clnt.c
+===================================================================
+--- openssl-SNAP-20081111.orig/ssl/s3_clnt.c
++++ openssl-SNAP-20081111/ssl/s3_clnt.c
+@@ -788,6 +788,23 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
+#ifndef OPENSSL_NO_TLSEXT
+ /* check if we want to resume the session based on external pre-shared secret */
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
-+ {
++ {
+ SSL_CIPHER *pref_cipher=NULL;
+ s->session->master_key_length=sizeof(s->session->master_key);
-+ if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
-+ NULL, &pref_cipher, s->tls_session_secret_cb_arg))
-+ {
-+ s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j);
++ if (s->tls_session_secret_cb(s, s->session->master_key,
++ &s->session->master_key_length,
++ NULL, &pref_cipher,
++ s->tls_session_secret_cb_arg))
++ {
++ s->session->cipher = pref_cipher ?
++ pref_cipher : ssl_get_cipher_by_char(s, p+j);
++ }
+ }
-+ }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
-@@ -2927,11 +2941,8 @@ static int ssl3_check_finished(SSL *s)
+@@ -2927,11 +2944,8 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
@@ -45,10 +48,10 @@
return 1;
/* this function is called when we really expect a Certificate
* message, so permit appropriate message length */
-Index: openssl-SNAP-20080928/ssl/s3_srvr.c
-===================================================================
---- openssl-SNAP-20080928.orig/ssl/s3_srvr.c
-+++ openssl-SNAP-20080928/ssl/s3_srvr.c
+Index: openssl-SNAP-20081111/ssl/s3_srvr.c
+===================================================================
+--- openssl-SNAP-20081111.orig/ssl/s3_srvr.c
++++ openssl-SNAP-20081111/ssl/s3_srvr.c
@@ -1010,6 +1010,59 @@ int ssl3_get_client_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
@@ -65,20 +68,20 @@
+ pos=s->s3->server_random;
+ l2n(Time,pos);
+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
-+ {
++ {
+ al=SSL_AD_INTERNAL_ERROR;
+ goto f_err;
-+ }
++ }
+ }
+
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
-+ {
++ {
+ SSL_CIPHER *pref_cipher=NULL;
+
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
-+ {
++ {
+ s->hit=1;
+ s->session->ciphers=ciphers;
+ s->session->verify_result=X509_V_OK;
@@ -104,8 +107,8 @@
+
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
++ }
+ }
-+ }
#endif
/* Worst case, we will use the NULL compression, but if we have other
@@ -133,27 +136,27 @@
/* Do the message type and length last */
d=p= &(buf[4]);
-Index: openssl-SNAP-20080928/ssl/ssl_err.c
-===================================================================
---- openssl-SNAP-20080928.orig/ssl/ssl_err.c
-+++ openssl-SNAP-20080928/ssl/ssl_err.c
+Index: openssl-SNAP-20081111/ssl/ssl_err.c
+===================================================================
+--- openssl-SNAP-20081111.orig/ssl/ssl_err.c
++++ openssl-SNAP-20081111/ssl/ssl_err.c
@@ -263,6 +263,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
-+{ERR_FUNC(SSL_F_SSL_SET_HELLO_EXTENSION), "SSL_set_hello_extension"},
++{ERR_FUNC(SSL_F_SSL_SET_SESSION_TICKET_EXT), "SSL_set_session_ticket_ext"},
{0,NULL}
};
-Index: openssl-SNAP-20080928/ssl/ssl.h
-===================================================================
---- openssl-SNAP-20080928.orig/ssl/ssl.h
-+++ openssl-SNAP-20080928/ssl/ssl.h
+Index: openssl-SNAP-20081111/ssl/ssl.h
+===================================================================
+--- openssl-SNAP-20081111.orig/ssl/ssl.h
++++ openssl-SNAP-20081111/ssl/ssl.h
@@ -355,6 +355,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
-+typedef struct tls_extension_st TLS_EXTENSION;
++typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -170,8 +173,8 @@
void *tlsext_opaque_prf_input;
size_t tlsext_opaque_prf_input_len;
-+ /* TLS extensions */
-+ TLS_EXTENSION *tls_extension;
++ /* TLS Session Ticket extension override */
++ TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
@@ -180,12 +183,16 @@
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
#define session_ctx initial_ctx
#else
-@@ -1746,6 +1756,12 @@ void *SSL_COMP_get_compression_methods(v
+@@ -1746,6 +1756,16 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
++/* NOTE: This function will be removed; it is only here for backwards
++ * compatibility for the API during testing. */
++int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
++
+/* TLS extensions functions */
-+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
@@ -193,114 +200,123 @@
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
-@@ -1948,6 +1964,7 @@ void ERR_load_SSL_strings(void);
+@@ -1948,6 +1968,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_PRF 284
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
-+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
++#define SSL_F_SSL_SET_SESSION_TICKET_EXT 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
-Index: openssl-SNAP-20080928/ssl/ssl_sess.c
-===================================================================
---- openssl-SNAP-20080928.orig/ssl/ssl_sess.c
-+++ openssl-SNAP-20080928/ssl/ssl_sess.c
-@@ -834,6 +834,52 @@ long SSL_CTX_get_timeout(const SSL_CTX *
+Index: openssl-SNAP-20081111/ssl/ssl_sess.c
+===================================================================
+--- openssl-SNAP-20081111.orig/ssl/ssl_sess.c
++++ openssl-SNAP-20081111/ssl/ssl_sess.c
+@@ -834,6 +834,62 @@ long SSL_CTX_get_timeout(const SSL_CTX *
return(s->session_timeout);
}
+#ifndef OPENSSL_NO_TLSEXT
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
-+{
++ {
+ if (s == NULL) return(0);
+ s->tls_session_secret_cb = tls_session_secret_cb;
+ s->tls_session_secret_cb_arg = arg;
+ return(1);
-+}
-+
++ }
++
++int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
++ {
++ if (s->version >= TLS1_VERSION)
++ {
++ if (s->tlsext_session_ticket)
++ {
++ OPENSSL_free(s->tlsext_session_ticket);
++ s->tlsext_session_ticket = NULL;
++ }
++
++ s->tlsext_session_ticket = OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
++ if (!s->tlsext_session_ticket)
++ {
++ SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++
++ if (ext_data)
++ {
++ s->tlsext_session_ticket->length = ext_len;
++ s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
++ memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
++ }
++ else
++ {
++ s->tlsext_session_ticket->length = 0;
++ s->tlsext_session_ticket->data = NULL;
++ }
++
++ return 1;
++ }
++
++ return 0;
++ }
++
++/* NOTE: This function will be removed; it is only here for backwards
++ * compatibility for the API during testing. */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len)
-+{
-+ if(s->version >= TLS1_VERSION)
-+ {
-+ if(s->tls_extension)
-+ {
-+ OPENSSL_free(s->tls_extension);
-+ s->tls_extension = NULL;
-+ }
-+
-+ s->tls_extension = OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len);
-+ if(!s->tls_extension)
-+ {
-+ SSLerr(SSL_F_SSL_SET_HELLO_EXTENSION, ERR_R_MALLOC_FAILURE);
-+ return 0;
-+ }
-+
-+ s->tls_extension->type = ext_type;
-+
-+ if(ext_data)
-+ {
-+ s->tls_extension->length = ext_len;
-+ s->tls_extension->data = s->tls_extension + 1;
-+ memcpy(s->tls_extension->data, ext_data, ext_len);
-+ } else {
-+ s->tls_extension->length = 0;
-+ s->tls_extension->data = NULL;
-+ }
-+
-+ return 1;
++ {
++ if (ext_type != TLSEXT_TYPE_session_ticket)
++ return 0;
++
++ return SSL_set_session_ticket_ext(s, ext_data, ext_len);
+ }
-+
-+ return 0;
-+}
+#endif /* OPENSSL_NO_TLSEXT */
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
-Index: openssl-SNAP-20080928/ssl/t1_lib.c
-===================================================================
---- openssl-SNAP-20080928.orig/ssl/t1_lib.c
-+++ openssl-SNAP-20080928/ssl/t1_lib.c
+Index: openssl-SNAP-20081111/ssl/t1_lib.c
+===================================================================
+--- openssl-SNAP-20081111.orig/ssl/t1_lib.c
++++ openssl-SNAP-20081111/ssl/t1_lib.c
@@ -154,6 +154,12 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
+#ifndef OPENSSL_NO_TLSEXT
-+ if(s->tls_extension)
-+ {
-+ OPENSSL_free(s->tls_extension);
-+ }
-+#endif
++ if (s->tlsext_session_ticket)
++ {
++ OPENSSL_free(s->tlsext_session_ticket);
++ }
++#endif /* OPENSSL_NO_TLSEXT */
ssl3_free(s);
}
-@@ -357,8 +363,24 @@ unsigned char *ssl_add_clienthello_tlsex
+@@ -357,8 +363,23 @@ unsigned char *ssl_add_clienthello_tlsex
int ticklen;
if (s->session && s->session->tlsext_tick)
ticklen = s->session->tlsext_ticklen;
-+ else if (s->session && s->tls_extension &&
-+ s->tls_extension->type == TLSEXT_TYPE_session_ticket &&
-+ s->tls_extension->data)
-+ {
-+ ticklen = s->tls_extension->length;
++ else if (s->session && s->tlsext_session_ticket &&
++ s->tlsext_session_ticket->data)
++ {
++ ticklen = s->tlsext_session_ticket->length;
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
+ if (!s->session->tlsext_tick)
+ return NULL;
-+ memcpy(s->session->tlsext_tick, s->tls_extension->data,
++ memcpy(s->session->tlsext_tick,
++ s->tlsext_session_ticket->data,
+ ticklen);
+ s->session->tlsext_ticklen = ticklen;
-+ }
++ }
else
ticklen = 0;
-+ if (ticklen == 0 && s->tls_extension &&
-+ s->tls_extension->type == TLSEXT_TYPE_session_ticket &&
-+ s->tls_extension->data == NULL)
++ if (ticklen == 0 && s->tlsext_session_ticket &&
++ s->tlsext_session_ticket->data == NULL)
+ goto skip_ext;
/* Check for enough room 2 for extension type, 2 for len
* rest for ticket
*/
-@@ -371,6 +393,7 @@ unsigned char *ssl_add_clienthello_tlsex
+@@ -371,6 +392,7 @@ unsigned char *ssl_add_clienthello_tlsex
ret += ticklen;
}
}
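Review bot: In the new `SSL_set_session_ticket_ext` (the ssl_sess.c part of this patch), `ext_len` is a signed `int` that goes unchecked into `OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len)` and `memcpy(..., ext_data, ext_len)`, and is then stored in the `unsigned short length` field of `tls_session_ticket_ext_st`. A negative value makes the allocation size and the copy size disagree, and a value above 65535 leaves `length` (later used as `ticklen` in `ssl_add_clienthello_tlsext`) shorter than the data actually copied. A guard before the free/allocate step, `if (ext_len < 0 || ext_len > 0xffff) return 0;`, would close both cases. `s` is also dereferenced without the `if (s == NULL) return(0);` check that `SSL_set_session_secret_cb` just above it has.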
@@ -308,7 +324,7 @@
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->s3->client_opaque_prf_input != NULL)
-@@ -1435,6 +1458,15 @@ int tls1_process_ticket(SSL *s, unsigned
+@@ -1435,6 +1457,15 @@ int tls1_process_ticket(SSL *s, unsigned
s->tlsext_ticket_expected = 1;
return 0; /* Cache miss */
}
@@ -324,32 +340,31 @@
return tls_decrypt_ticket(s, p, size, session_id, len,
ret);
}
-Index: openssl-SNAP-20080928/ssl/tls1.h
-===================================================================
---- openssl-SNAP-20080928.orig/ssl/tls1.h
-+++ openssl-SNAP-20080928/ssl/tls1.h
-@@ -512,6 +512,14 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
+Index: openssl-SNAP-20081111/ssl/tls1.h
+===================================================================
+--- openssl-SNAP-20081111.orig/ssl/tls1.h
++++ openssl-SNAP-20081111/ssl/tls1.h
+@@ -512,6 +512,13 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
-+/* TLS extension struct */
-+struct tls_extension_st
-+{
-+ unsigned short type;
++/* TLS Session Ticket extension struct */
++struct tls_session_ticket_ext_st
++ {
+ unsigned short length;
+ void *data;
-+};
++ };
+
#ifdef __cplusplus
}
#endif
-Index: openssl-SNAP-20080928/util/ssleay.num
-===================================================================
---- openssl-SNAP-20080928.orig/util/ssleay.num
-+++ openssl-SNAP-20080928/util/ssleay.num
+Index: openssl-SNAP-20081111/util/ssleay.num
+===================================================================
+--- openssl-SNAP-20081111.orig/util/ssleay.num
++++ openssl-SNAP-20081111/util/ssleay.num
@@ -254,3 +254,5 @@ PEM_read_bio_SSL_SESSION
SSL_CTX_set_psk_server_callback 303 EXIST::FUNCTION:PSK
SSL_get_psk_identity 304 EXIST::FUNCTION:PSK
PEM_write_SSL_SESSION 305 EXIST:!WIN16:FUNCTION:
-+SSL_set_hello_extension 306 EXIST::FUNCTION:TLSEXT
++SSL_set_session_ticket_ext 306 EXIST::FUNCTION:TLSEXT
+SSL_set_session_secret_cb 307 EXIST::FUNCTION:TLSEXT
Modified: wpasupplicant/trunk/src/common/version.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/common/version.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/common/version.h (original)
+++ wpasupplicant/trunk/src/common/version.h Sun Dec 7 13:49:04 2008
@@ -1,6 +1,6 @@
#ifndef VERSION_H
#define VERSION_H
-#define VERSION_STR "0.6.5"
+#define VERSION_STR "0.6.6"
#endif /* VERSION_H */
Modified: wpasupplicant/trunk/src/crypto/tls_openssl.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/crypto/tls_openssl.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/crypto/tls_openssl.c (original)
+++ wpasupplicant/trunk/src/crypto/tls_openssl.c Sun Dec 7 13:49:04 2008
@@ -1,6 +1,6 @@
/*
* WPA Supplicant / SSL/TLS interface functions for openssl
- * Copyright (c) 2004-2007, Jouni Malinen <j at w1.fi>
+ * Copyright (c) 2004-2008, Jouni Malinen <j at w1.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -35,6 +35,16 @@
#define OPENSSL_d2i_TYPE const unsigned char **
#else
#define OPENSSL_d2i_TYPE unsigned char **
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x00909000L
+#ifdef SSL_OP_NO_TICKET
+/*
+ * Session ticket override patch was merged into OpenSSL 0.9.9 tree on
+ * 2008-11-15. This version uses a bit different API compared to the old patch.
+ */
+#define CONFIG_OPENSSL_TICKET_OVERRIDE
+#endif
#endif
static int tls_openssl_ref_count = 0;
@@ -2333,12 +2343,18 @@
int ext_type, const u8 *data,
size_t data_len)
{
- if (conn == NULL || conn->ssl == NULL)
- return -1;
-
+ if (conn == NULL || conn->ssl == NULL || ext_type != 35)
+ return -1;
+
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+ if (SSL_set_session_ticket_ext(conn->ssl, (void *) data,
+ data_len) != 1)
+ return -1;
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
if (SSL_set_hello_extension(conn->ssl, ext_type, (void *) data,
data_len) != 1)
return -1;
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
return 0;
}
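Review bot: `data_len` is a `size_t` but is passed directly as the `int ext_len` argument of `SSL_set_session_ticket_ext` (and of `SSL_set_hello_extension` in the `#else` branch), so an oversized value is narrowed silently before OpenSSL sees it. Rejecting it in the existing guard, e.g. `if (data_len > 0xffff) return -1;`, keeps the length within what the `unsigned short length` field on the OpenSSL side can represent. The literal in `ext_type != 35` would be clearer as a named constant; the OpenSSL patch in this same commit compares against `TLSEXT_TYPE_session_ticket`, which is presumably the same value. The function's signature starts outside the hunk.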
@@ -2564,6 +2580,33 @@
}
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+static int tls_session_ticket_ext_cb(SSL *s, const unsigned char *data,
+ int len, void *arg)
+{
+ struct tls_connection *conn = arg;
+
+ if (conn == NULL || conn->session_ticket_cb == NULL)
+ return 0;
+
+ wpa_printf(MSG_DEBUG, "OpenSSL: %s: length=%d", __func__, len);
+
+ os_free(conn->session_ticket);
+ conn->session_ticket = NULL;
+
+ wpa_hexdump(MSG_DEBUG, "OpenSSL: ClientHello SessionTicket "
+ "extension", data, len);
+
+ conn->session_ticket = os_malloc(len);
+ if (conn->session_ticket == NULL)
+ return 0;
+
+ os_memcpy(conn->session_ticket, data, len);
+ conn->session_ticket_len = len;
+
+ return 1;
+}
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET
static void tls_hello_ext_cb(SSL *s, int client_server, int type,
unsigned char *data, int len, void *arg)
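Review bot: `tls_session_ticket_ext_cb` hands `len` to `wpa_hexdump`, `os_malloc` and `os_memcpy` without checking that it is positive or that `data` is non-NULL. For `len == 0` the outcome depends on what `os_malloc(0)` returns, so an empty SessionTicket extension may be reported as failure (`return 0`) on one platform and success on another. An explicit branch ahead of the hexdump, such as `if (data == NULL || len <= 0) return 0;` (or whichever result is intended for an empty ticket), makes this deterministic. A one-line comment stating what the return values 0 and 1 mean to the OpenSSL caller would also help, since the page does not show that contract.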
@@ -2618,6 +2661,7 @@
return 0;
}
#endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#endif /* EAP_FAST || EAP_FAST_DYNAMIC */
@@ -2634,6 +2678,10 @@
if (SSL_set_session_secret_cb(conn->ssl, tls_sess_sec_cb,
conn) != 1)
return -1;
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+ SSL_set_session_ticket_ext_cb(conn->ssl,
+ tls_session_ticket_ext_cb, conn);
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback(conn->ssl, tls_hello_ext_cb);
SSL_set_tlsext_debug_arg(conn->ssl, conn);
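Review bot: The result of `SSL_set_session_ticket_ext_cb(conn->ssl, tls_session_ticket_ext_cb, conn)` is discarded, whereas the neighbouring `SSL_set_session_secret_cb` call and the `SSL_set_hello_extension_cb` call in the `#else` path are both checked with `!= 1` and make the function return -1. If the new API returns a status (its prototype is not shown on this page), it should be checked the same way: `if (SSL_set_session_ticket_ext_cb(conn->ssl, tls_session_ticket_ext_cb, conn) != 1) return -1;`. The same applies to the `SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL)` call added in the next hunk (`@@ -2642,9 +2690,13 @@`). The enclosing function begins and ends outside these hunks.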
@@ -2642,9 +2690,13 @@
conn) != 1)
return -1;
#endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
} else {
if (SSL_set_session_secret_cb(conn->ssl, NULL, NULL) != 1)
return -1;
+#ifdef CONFIG_OPENSSL_TICKET_OVERRIDE
+ SSL_set_session_ticket_ext_cb(conn->ssl, NULL, NULL);
+#else /* CONFIG_OPENSSL_TICKET_OVERRIDE */
#ifdef SSL_OP_NO_TICKET
SSL_set_tlsext_debug_callback(conn->ssl, NULL);
SSL_set_tlsext_debug_arg(conn->ssl, conn);
@@ -2652,6 +2704,7 @@
if (SSL_set_hello_extension_cb(conn->ssl, NULL, NULL) != 1)
return -1;
#endif /* SSL_OP_NO_TICKET */
+#endif /* CONFIG_OPENSSL_TICKET_OVERRIDE */
}
return 0;
Modified: wpasupplicant/trunk/src/drivers/driver.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/drivers/driver.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/drivers/driver.h (original)
+++ wpasupplicant/trunk/src/drivers/driver.h Sun Dec 7 13:49:04 2008
@@ -711,7 +711,7 @@
* @priv: private driver interface data
*
* Returns: Pointer to the interface name. This can differ from the
- * interface name used in init() call.
+ * interface name used in init() call. Init() is called first.
*
* This optional function can be used to allow the driver interface to
* replace the interface name with something else, e.g., based on an
@@ -944,6 +944,13 @@
*/
int (*set_mode)(void *priv, int mode);
};
+
+/* Function to check whether a driver is for wired connections */
+static inline int IS_WIRED(const struct wpa_driver_ops *drv)
+{
+ return os_strcmp(drv->name, "wired") == 0 ||
+ os_strcmp(drv->name, "roboswitch") == 0;
+}
/**
* enum wpa_event_type - Event type for wpa_supplicant_event() calls
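Review bot: `IS_WIRED` dereferences `drv` and `drv->name` unconditionally, and its one-line comment does not say that callers must pass a non-NULL driver with a non-NULL name. The wired/wireless decision also rests on matching the literal names "wired" and "roboswitch", so any wired driver added later has to be listed here by hand. I would document both, e.g. `/* Returns non-zero if drv is a wired driver ("wired" or "roboswitch"); drv and drv->name must be non-NULL. */`. The all-caps name also reads like a macro even though this is a `static inline` function; a lower-case function name would avoid that confusion.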
Modified: wpasupplicant/trunk/src/drivers/driver_broadcom.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/drivers/driver_broadcom.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/drivers/driver_broadcom.c (original)
+++ wpasupplicant/trunk/src/drivers/driver_broadcom.c Sun Dec 7 13:49:04 2008
@@ -488,8 +488,9 @@
wbi = (wl_bss_info_t *) ((u8 *) wbi + wbi->length);
}
- wpa_printf(MSG_MSGDUMP, "Received %d bytes of scan results (%d BSSes)",
- wsr->buflen, ap_num);
+ wpa_printf(MSG_MSGDUMP, "Received %d bytes of scan results (%lu "
+ "BSSes)",
+ wsr->buflen, (unsigned long) ap_num);
os_free(buf);
return ap_num;
Modified: wpasupplicant/trunk/src/drivers/driver_ndis.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/drivers/driver_ndis.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/drivers/driver_ndis.c (original)
+++ wpasupplicant/trunk/src/drivers/driver_ndis.c Sun Dec 7 13:49:04 2008
@@ -731,6 +731,32 @@
}
+static struct wpa_scan_res * wpa_driver_ndis_add_scan_ssid(
+ struct wpa_scan_res *r, NDIS_802_11_SSID *ssid)
+{
+ struct wpa_scan_res *nr;
+ u8 *pos;
+
+ if (wpa_scan_get_ie(r, WLAN_EID_SSID))
+ return r; /* SSID IE already present */
+
+ if (ssid->SsidLength == 0 || ssid->SsidLength > 32)
+ return r; /* No valid SSID inside scan data */
+
+ nr = os_realloc(r, sizeof(*r) + r->ie_len + 2 + ssid->SsidLength);
+ if (nr == NULL)
+ return r;
+
+ pos = ((u8 *) (nr + 1)) + nr->ie_len;
+ *pos++ = WLAN_EID_SSID;
+ *pos++ = ssid->SsidLength;
+ os_memcpy(pos, ssid->Ssid, ssid->SsidLength);
+ nr->ie_len += 2 + ssid->SsidLength;
+
+ return nr;
+}
+
+
static struct wpa_scan_results * wpa_driver_ndis_get_scan_results(void *priv)
{
struct wpa_driver_ndis_data *drv = priv;
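Review bot: `wpa_driver_ndis_add_scan_ssid` has no comment describing its ownership contract: it may `os_realloc` the entry, so the pointer passed in must not be used after the call, and on allocation failure it silently returns the original entry with no SSID IE. A header comment would make this explicit, e.g. `/* Append an SSID IE built from the NDIS SSID field when the scan IEs lack one; returns the (possibly moved) entry, unchanged on failure. */`. The literal `32` in the `SsidLength` bound would be clearer as a named maximum-SSID-length constant, if the tree already defines one. `wpa_driver_ndis_get_scan_results`, which follows, continues outside the hunk.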
@@ -804,6 +830,7 @@
os_memcpy(r + 1, bss->IEs + sizeof(NDIS_802_11_FIXED_IEs),
bss->IELength - sizeof(NDIS_802_11_FIXED_IEs));
r->ie_len = bss->IELength - sizeof(NDIS_802_11_FIXED_IEs);
+ r = wpa_driver_ndis_add_scan_ssid(r, &bss->Ssid);
results->res[results->num++] = r;
Modified: wpasupplicant/trunk/src/drivers/driver_wext.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/drivers/driver_wext.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/drivers/driver_wext.c (original)
+++ wpasupplicant/trunk/src/drivers/driver_wext.c Sun Dec 7 13:49:04 2008
@@ -30,126 +30,6 @@
#include "driver_wext.h"
#include "ieee802_11_defs.h"
#include "wpa_common.h"
-
-#ifdef CONFIG_CLIENT_MLME
-#include <netpacket/packet.h>
-/* old definitions from net/mac80211 */
-
-typedef u32 __bitwise __be32;
-typedef u64 __bitwise __be64;
-
-#define PRISM2_IOCTL_PRISM2_PARAM (SIOCIWFIRSTPRIV + 0)
-#define PRISM2_IOCTL_GET_PRISM2_PARAM (SIOCIWFIRSTPRIV + 1)
-#define PRISM2_IOCTL_HOSTAPD (SIOCIWFIRSTPRIV + 3)
-
-#define PRISM2_PARAM_USER_SPACE_MLME 1045
-#define PRISM2_PARAM_MGMT_IF 1046
-#define PRISM2_HOSTAPD_ADD_STA 2
-#define PRISM2_HOSTAPD_REMOVE_STA 3
-#define PRISM2_HOSTAPD_GET_HW_FEATURES 1002
-#define PRISM2_HOSTAPD_MAX_BUF_SIZE 2048
-
-#ifndef ALIGNED
-#define ALIGNED __attribute__ ((aligned))
-#endif
-
-struct prism2_hostapd_param {
- u32 cmd;
- u8 sta_addr[ETH_ALEN];
- u8 pad[2];
- union {
- struct {
- u16 aid;
- u16 capability;
- u8 supp_rates[32];
- u8 wds_flags;
-#define IEEE80211_STA_DYNAMIC_ENC BIT(0)
- u8 enc_flags;
- u16 listen_interval;
- } add_sta;
- struct {
- u16 num_modes;
- u16 flags;
- u8 data[0] ALIGNED; /* num_modes * feature data */
- } hw_features;
- struct {
- u16 mode; /* MODE_* */
- u16 num_supported_rates;
- u16 num_basic_rates;
- u8 data[0] ALIGNED; /* num_supported_rates * u16 +
- * num_basic_rates * u16 */
- } set_rate_sets;
- struct {
- u16 mode; /* MODE_* */
- u16 chan;
- u32 flag;
- u8 power_level; /* regulatory limit in dBm */
- u8 antenna_max;
- } set_channel_flag;
- struct {
- u32 rd;
- } set_regulatory_domain;
- struct {
- u32 queue;
- s32 aifs;
- u32 cw_min;
- u32 cw_max;
- u32 burst_time; /* maximum burst time in 0.1 ms, i.e.,
- * 10 = 1 ms */
- } tx_queue_params;
- } u;
-};
-
-struct hostapd_ioctl_hw_modes_hdr {
- int mode;
- int num_channels;
- int num_rates;
-};
-
-/*
- * frame format for the management interface that is slated
- * to be replaced by "cooked monitor" with radiotap
- */
-#define IEEE80211_FI_VERSION 0x80211001
-struct ieee80211_frame_info {
- __be32 version;
- __be32 length;
- __be64 mactime;
- __be64 hosttime;
- __be32 phytype;
- __be32 channel;
- __be32 datarate;
- __be32 antenna;
- __be32 priority;
- __be32 ssi_type;
- __be32 ssi_signal;
- __be32 ssi_noise;
- __be32 preamble;
- __be32 encoding;
-
- /* Note: this structure is otherwise identical to capture format used
- * in linux-wlan-ng, but this additional field is used to provide meta
- * data about the frame to hostapd. This was the easiest method for
- * providing this information, but this might change in the future. */
- __be32 msg_type;
-} __attribute__ ((packed));
-
-/* old mode definitions */
-enum {
- MODE_IEEE80211A = 0 /* IEEE 802.11a */,
- MODE_IEEE80211B = 1 /* IEEE 802.11b only */,
- MODE_ATHEROS_TURBO = 2 /* Atheros Turbo mode (2x.11a at 5 GHz) */,
- MODE_IEEE80211G = 3 /* IEEE 802.11g (and 802.11b compatibility) */,
- MODE_ATHEROS_TURBOG = 4 /* Atheros Turbo mode (2x.11g at 2.4 GHz) */,
- NUM_IEEE80211_MODES = 5
-};
-
-#ifndef ETH_P_ALL
-#define ETH_P_ALL 0x0003
-#endif
-#endif /* CONFIG_CLIENT_MLME */
-
-
static int wpa_driver_wext_flush_pmkid(void *priv);
@@ -999,46 +879,6 @@
}
-#ifdef CONFIG_CLIENT_MLME
-
-static int wpa_driver_prism2_param_set(struct wpa_driver_wext_data *drv,
- int param, int value)
-{
- struct iwreq iwr;
- int *i;
-
- os_memset(&iwr, 0, sizeof(iwr));
- os_strlcpy(iwr.ifr_name, drv->ifname, IFNAMSIZ);
- i = (int *) iwr.u.name;
- *i++ = param;
- *i++ = value;
-
- return ioctl(drv->ioctl_sock, PRISM2_IOCTL_PRISM2_PARAM, &iwr);
-}
-
-
-static int wpa_driver_prism2_param_get(struct wpa_driver_wext_data *drv,
- int param)
-{
- struct iwreq iwr;
- int *i;
-
- os_memset(&iwr, 0, sizeof(iwr));
- os_strlcpy(iwr.ifr_name, drv->ifname, IFNAMSIZ);
- i = (int *) iwr.u.name;
- *i = param;
-
- if (ioctl(drv->ioctl_sock, PRISM2_IOCTL_GET_PRISM2_PARAM, &iwr) < 0) {
- perror("ioctl[PRISM2_IOCTL_GET_PRISM2_PARAM]");
- return -1;
- }
-
- return *i;
-}
-
-#endif /* CONFIG_CLIENT_MLME */
-
-
/**
* wpa_driver_wext_set_ifflags - Set interface flags (SIOCSIFFLAGS)
* @drv: driver_wext private data
@@ -1192,18 +1032,6 @@
if (wpa_driver_wext_get_ifflags(drv, &flags) == 0)
(void) wpa_driver_wext_set_ifflags(drv, flags & ~IFF_UP);
-
-#ifdef CONFIG_CLIENT_MLME
- if (drv->mlmedev[0]) {
- if (wpa_driver_wext_get_ifflags_ifname(drv, drv->mlmedev,
- &flags) == 0)
- (void) wpa_driver_wext_set_ifflags_ifname(
- drv, drv->mlmedev, flags & ~IFF_UP);
- wpa_driver_prism2_param_set(drv, PRISM2_PARAM_MGMT_IF, 0);
- wpa_driver_prism2_param_set(drv, PRISM2_PARAM_USER_SPACE_MLME,
- 0);
- }
-#endif /* CONFIG_CLIENT_MLME */
close(drv->event_sock);
close(drv->ioctl_sock);
@@ -2463,304 +2291,6 @@
}
-#ifdef CONFIG_CLIENT_MLME
-static int hostapd_ioctl(struct wpa_driver_wext_data *drv,
- struct prism2_hostapd_param *param, int len)
-{
- struct iwreq iwr;
-
- os_memset(&iwr, 0, sizeof(iwr));
- os_strlcpy(iwr.ifr_name, drv->ifname, IFNAMSIZ);
- iwr.u.data.pointer = (caddr_t) param;
- iwr.u.data.length = len;
-
- if (ioctl(drv->ioctl_sock, PRISM2_IOCTL_HOSTAPD, &iwr) < 0) {
- perror("ioctl[PRISM2_IOCTL_HOSTAPD]");
- return -1;
- }
-
- return 0;
-}
-
-
-static struct wpa_hw_modes *
-wpa_driver_wext_get_hw_feature_data(void *priv, u16 *num_modes, u16 *flags)
-{
- struct wpa_driver_wext_data *drv = priv;
- struct prism2_hostapd_param *param;
- u8 *pos, *end;
- struct wpa_hw_modes *modes = NULL;
- int i;
-
- param = os_zalloc(PRISM2_HOSTAPD_MAX_BUF_SIZE);
- if (param == NULL)
- return NULL;
- param->cmd = PRISM2_HOSTAPD_GET_HW_FEATURES;
-
- if (hostapd_ioctl(drv, param, PRISM2_HOSTAPD_MAX_BUF_SIZE) < 0) {
- perror("ioctl[PRISM2_IOCTL_HOSTAPD]");
- goto out;
- }
-
- *num_modes = param->u.hw_features.num_modes;
- *flags = param->u.hw_features.flags;
-
- pos = param->u.hw_features.data;
- end = pos + PRISM2_HOSTAPD_MAX_BUF_SIZE -
- (param->u.hw_features.data - (u8 *) param);
-
- modes = os_zalloc(*num_modes * sizeof(struct wpa_hw_modes));
- if (modes == NULL)
- goto out;
-
- for (i = 0; i < *num_modes; i++) {
- struct hostapd_ioctl_hw_modes_hdr *hdr;
- struct wpa_hw_modes *feature;
- int clen, rlen;
-
- hdr = (struct hostapd_ioctl_hw_modes_hdr *) pos;
- pos = (u8 *) (hdr + 1);
- clen = hdr->num_channels * sizeof(struct wpa_channel_data);
- rlen = hdr->num_rates * sizeof(struct wpa_rate_data);
-
- feature = &modes[i];
- switch (hdr->mode) {
- case MODE_IEEE80211A:
- feature->mode = WPA_MODE_IEEE80211A;
- break;
- case MODE_IEEE80211B:
- feature->mode = WPA_MODE_IEEE80211B;
- break;
- case MODE_IEEE80211G:
- feature->mode = WPA_MODE_IEEE80211G;
- break;
- case MODE_ATHEROS_TURBO:
- case MODE_ATHEROS_TURBOG:
- wpa_printf(MSG_ERROR, "Skip unsupported hw_mode=%d in "
- "get_hw_features data", hdr->mode);
- pos += clen + rlen;
- continue;
- default:
- wpa_printf(MSG_ERROR, "Unknown hw_mode=%d in "
- "get_hw_features data", hdr->mode);
- wpa_supplicant_sta_free_hw_features(modes, *num_modes);
- modes = NULL;
- break;
- }
- feature->num_channels = hdr->num_channels;
- feature->num_rates = hdr->num_rates;
-
- feature->channels = os_malloc(clen);
- feature->rates = os_malloc(rlen);
- if (!feature->channels || !feature->rates ||
- pos + clen + rlen > end) {
- wpa_supplicant_sta_free_hw_features(modes, *num_modes);
- modes = NULL;
- break;
- }
-
- os_memcpy(feature->channels, pos, clen);
- pos += clen;
- os_memcpy(feature->rates, pos, rlen);
- pos += rlen;
- }
-
-out:
- os_free(param);
- return modes;
-}
-
-
-int wpa_driver_wext_set_channel(void *priv, wpa_hw_mode phymode, int chan,
- int freq)
-{
- return wpa_driver_wext_set_freq(priv, freq);
-}
-
-
-static void wpa_driver_wext_mlme_read(int sock, void *eloop_ctx,
- void *sock_ctx)
-{
- struct wpa_driver_wext_data *drv = eloop_ctx;
- int len;
- unsigned char buf[3000];
- struct ieee80211_frame_info *fi;
- struct ieee80211_rx_status rx_status;
-
- len = recv(sock, buf, sizeof(buf), 0);
- if (len < 0) {
- perror("recv[MLME]");
- return;
- }
-
- if (len < (int) sizeof(struct ieee80211_frame_info)) {
- wpa_printf(MSG_DEBUG, "WEXT: Too short MLME frame (len=%d)",
- len);
- return;
- }
-
- fi = (struct ieee80211_frame_info *) buf;
- if (ntohl(fi->version) != IEEE80211_FI_VERSION) {
- wpa_printf(MSG_DEBUG, "WEXT: Invalid MLME frame info version "
- "0x%x", ntohl(fi->version));
- return;
- }
-
- os_memset(&rx_status, 0, sizeof(rx_status));
- rx_status.ssi = ntohl(fi->ssi_signal);
- rx_status.channel = ntohl(fi->channel);
-
- wpa_supplicant_sta_rx(drv->ctx,
- buf + sizeof(struct ieee80211_frame_info),
- len - sizeof(struct ieee80211_frame_info),
- &rx_status);
-}
-
-
-static int wpa_driver_wext_open_mlme(struct wpa_driver_wext_data *drv)
-{
- int flags, ifindex, s;
- struct sockaddr_ll addr;
- struct ifreq ifr;
-
- if (wpa_driver_prism2_param_set(drv, PRISM2_PARAM_USER_SPACE_MLME, 1) <
- 0) {
- wpa_printf(MSG_ERROR, "WEXT: Failed to configure driver to "
- "use user space MLME");
- return -1;
- }
-
- if (wpa_driver_prism2_param_set(drv, PRISM2_PARAM_MGMT_IF, 1) < 0) {
- wpa_printf(MSG_ERROR, "WEXT: Failed to add management "
- "interface for user space MLME");
- return -1;
- }
-
- ifindex = wpa_driver_prism2_param_get(drv, PRISM2_PARAM_MGMT_IF);
- if (ifindex <= 0) {
- wpa_printf(MSG_ERROR, "WEXT: MLME management device not "
- "found");
- return -1;
- }
-
- os_memset(&ifr, 0, sizeof(ifr));
- ifr.ifr_ifindex = ifindex;
- if (ioctl(drv->ioctl_sock, SIOCGIFNAME, &ifr) != 0) {
- perror("ioctl(SIOCGIFNAME)");
- return -1;
- }
- os_strlcpy(drv->mlmedev, ifr.ifr_name, sizeof(drv->mlmedev));
- wpa_printf(MSG_DEBUG, "WEXT: MLME management device '%s'",
- drv->mlmedev);
-
- if (wpa_driver_wext_get_ifflags_ifname(drv, drv->mlmedev, &flags) != 0
- || wpa_driver_wext_set_ifflags_ifname(drv, drv->mlmedev,
- flags | IFF_UP) != 0) {
- wpa_printf(MSG_ERROR, "WEXT: Could not set interface "
- "'%s' UP", drv->mlmedev);
- return -1;
- }
-
- s = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
- if (s < 0) {
- perror("socket[PF_PACKET,SOCK_RAW]");
- return -1;
- }
-
- os_memset(&addr, 0, sizeof(addr));
- addr.sll_family = AF_PACKET;
- addr.sll_ifindex = ifindex;
-
- if (bind(s, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
- perror("bind(MLME)");
- return -1;
- }
-
- if (eloop_register_read_sock(s, wpa_driver_wext_mlme_read, drv, NULL))
- {
- wpa_printf(MSG_ERROR, "WEXT: Could not register MLME read "
- "socket");
- close(s);
- return -1;
- }
-
- return s;
-}
-
-
-static int wpa_driver_wext_send_mlme(void *priv, const u8 *data,
- size_t data_len)
-{
- struct wpa_driver_wext_data *drv = priv;
- int ret;
-
- ret = send(drv->mlme_sock, data, data_len, 0);
- if (ret < 0) {
- perror("send[MLME]");
- return -1;
- }
-
- return 0;
-}
-
-
-static int wpa_driver_wext_mlme_add_sta(void *priv, const u8 *addr,
- const u8 *supp_rates,
- size_t supp_rates_len)
-{
- struct wpa_driver_wext_data *drv = priv;
- struct prism2_hostapd_param param;
- size_t len;
-
- os_memset(¶m, 0, sizeof(param));
- param.cmd = PRISM2_HOSTAPD_ADD_STA;
- os_memcpy(param.sta_addr, addr, ETH_ALEN);
- len = supp_rates_len;
- if (len > sizeof(param.u.add_sta.supp_rates))
- len = sizeof(param.u.add_sta.supp_rates);
- os_memcpy(param.u.add_sta.supp_rates, supp_rates, len);
- return hostapd_ioctl(drv, ¶m, sizeof(param));
-}
-
-
-static int wpa_driver_wext_mlme_remove_sta(void *priv, const u8 *addr)
-{
- struct wpa_driver_wext_data *drv = priv;
- struct prism2_hostapd_param param;
-
- os_memset(¶m, 0, sizeof(param));
- param.cmd = PRISM2_HOSTAPD_REMOVE_STA;
- os_memcpy(param.sta_addr, addr, ETH_ALEN);
- return hostapd_ioctl(drv, ¶m, sizeof(param));
-}
-
-#endif /* CONFIG_CLIENT_MLME */
-
-
-static int wpa_driver_wext_set_param(void *priv, const char *param)
-{
-#ifdef CONFIG_CLIENT_MLME
- struct wpa_driver_wext_data *drv = priv;
-
- if (param == NULL)
- return 0;
-
- wpa_printf(MSG_DEBUG, "%s: param='%s'", __func__, param);
-
- if (os_strstr(param, "use_mlme=1")) {
- wpa_printf(MSG_DEBUG, "WEXT: Using user space MLME");
- drv->capa.flags |= WPA_DRIVER_FLAGS_USER_SPACE_MLME;
-
- drv->mlme_sock = wpa_driver_wext_open_mlme(drv);
- if (drv->mlme_sock < 0)
- return -1;
- }
-#endif /* CONFIG_CLIENT_MLME */
-
- return 0;
-}
-
-
int wpa_driver_wext_get_version(struct wpa_driver_wext_data *drv)
{
return drv->we_version_compiled;
@@ -2785,19 +2315,9 @@
.set_auth_alg = wpa_driver_wext_set_auth_alg,
.init = wpa_driver_wext_init,
.deinit = wpa_driver_wext_deinit,
- .set_param = wpa_driver_wext_set_param,
.add_pmkid = wpa_driver_wext_add_pmkid,
.remove_pmkid = wpa_driver_wext_remove_pmkid,
.flush_pmkid = wpa_driver_wext_flush_pmkid,
.get_capa = wpa_driver_wext_get_capa,
.set_operstate = wpa_driver_wext_set_operstate,
-#ifdef CONFIG_CLIENT_MLME
- .get_hw_feature_data = wpa_driver_wext_get_hw_feature_data,
- .set_channel = wpa_driver_wext_set_channel,
- .set_ssid = wpa_driver_wext_set_ssid,
- .set_bssid = wpa_driver_wext_set_bssid,
- .send_mlme = wpa_driver_wext_send_mlme,
- .mlme_add_sta = wpa_driver_wext_mlme_add_sta,
- .mlme_remove_sta = wpa_driver_wext_mlme_remove_sta,
-#endif /* CONFIG_CLIENT_MLME */
};
Modified: wpasupplicant/trunk/src/drivers/drivers.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/drivers/drivers.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/drivers/drivers.c (original)
+++ wpasupplicant/trunk/src/drivers/drivers.c Sun Dec 7 13:49:04 2008
@@ -70,6 +70,10 @@
#ifdef CONFIG_DRIVER_IPHONE
extern struct wpa_driver_ops wpa_driver_iphone_ops; /* driver_iphone.m */
#endif /* CONFIG_DRIVER_IPHONE */
+#ifdef CONFIG_DRIVER_ROBOSWITCH
+/* driver_roboswitch.c */
+extern struct wpa_driver_ops wpa_driver_roboswitch_ops;
+#endif /* CONFIG_DRIVER_ROBOSWITCH */
struct wpa_driver_ops *wpa_supplicant_drivers[] =
@@ -128,5 +132,8 @@
#ifdef CONFIG_DRIVER_IPHONE
&wpa_driver_iphone_ops,
#endif /* CONFIG_DRIVER_IPHONE */
+#ifdef CONFIG_DRIVER_ROBOSWITCH
+ &wpa_driver_roboswitch_ops,
+#endif /* CONFIG_DRIVER_ROBOSWITCH */
NULL
};
Modified: wpasupplicant/trunk/src/eap_common/eap_sim_common.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_common/eap_sim_common.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_common/eap_sim_common.c (original)
+++ wpasupplicant/trunk/src/eap_common/eap_sim_common.c Sun Dec 7 13:49:04 2008
@@ -517,6 +517,7 @@
break;
case EAP_SIM_AT_RES:
wpa_printf(MSG_DEBUG, "EAP-SIM: AT_RES");
+ attr->res_len_bits = WPA_GET_BE16(apos);
apos += 2;
alen -= 2;
if (!aka || alen < EAP_AKA_MIN_RES_LEN ||
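Review bot: `attr->res_len_bits` is stored straight from the received attribute, and nothing in this hunk bounds it by the payload that follows, so a value larger than `alen * 8` passes the parser. The server-side check added in eap_server/eap_aka.c compares it with the expected RES length, but any other consumer of the field would have to repeat that check. I would either add `attr->res_len_bits > alen * 8 ||` to the condition that begins on the last line of the hunk, or put `/* RES length in bits as sent by the peer; not validated against alen here */` above the assignment. The rest of the `case` lies outside the hunk, so the exact placement needs checking against the full function.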
Modified: wpasupplicant/trunk/src/eap_common/eap_sim_common.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_common/eap_sim_common.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_common/eap_sim_common.h (original)
+++ wpasupplicant/trunk/src/eap_common/eap_sim_common.h Sun Dec 7 13:49:04 2008
@@ -137,6 +137,7 @@
const u8 *checkcode;
size_t num_chal, version_list_len, encr_data_len;
size_t next_pseudonym_len, next_reauth_id_len, identity_len, res_len;
+ size_t res_len_bits;
size_t checkcode_len;
enum eap_sim_id_req id_req;
int notification, counter, selected_version, client_error_code;
Modified: wpasupplicant/trunk/src/eap_peer/eap.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap.c Sun Dec 7 13:49:04 2008
@@ -906,8 +906,8 @@
#endif /* PCSC_FUNCS */
-static int eap_sm_get_scard_identity(struct eap_sm *sm,
- struct eap_peer_config *conf)
+static int eap_sm_set_scard_pin(struct eap_sm *sm,
+ struct eap_peer_config *conf)
{
#ifdef PCSC_FUNCS
if (scard_set_pin(sm->scard_ctx, conf->pin)) {
@@ -922,6 +922,18 @@
eap_sm_request_pin(sm);
return -1;
}
+ return 0;
+#else /* PCSC_FUNCS */
+ return -1;
+#endif /* PCSC_FUNCS */
+}
+
+static int eap_sm_get_scard_identity(struct eap_sm *sm,
+ struct eap_peer_config *conf)
+{
+#ifdef PCSC_FUNCS
+ if (eap_sm_set_scard_pin(sm, conf))
+ return -1;
return eap_sm_imsi_identity(sm, conf);
#else /* PCSC_FUNCS */
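Review bot: The `#else` branch of `eap_sm_set_scard_pin()` returns -1 without any log output, and the new `config->pcsc` caller in the `@@ -985,6 +997,9 @@` hunk turns that into a `NULL` identity response. In a build without PCSC_FUNCS, a network block that sets `pcsc` would then fail with nothing in the debug log to say why. A line such as `wpa_printf(MSG_WARNING, "EAP: pcsc configured but PC/SC support is not compiled in");` before that `return -1;` would make the cause visible. The two callers also test the result differently (`if (...)` in this hunk, `< 0` in the later one); a single form would read better.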
@@ -985,6 +997,9 @@
eap_sm_request_identity(sm);
return NULL;
}
+ } else if (config->pcsc) {
+ if (eap_sm_set_scard_pin(sm, config) < 0)
+ return NULL;
}
resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_IDENTITY, identity_len,
Modified: wpasupplicant/trunk/src/eap_peer/eap_aka.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_aka.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_aka.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_aka.c Sun Dec 7 13:49:04 2008
@@ -20,6 +20,10 @@
#include "eap_common/eap_sim_common.h"
#include "sha1.h"
#include "crypto.h"
+#include "eap_peer/eap_config.h"
+#ifdef CONFIG_USIM_SIMULATOR
+#include "hlr_auc_gw/milenage.h"
+#endif /* CONFIG_USIM_SIMULATOR */
struct eap_aka_data {
@@ -116,12 +120,58 @@
static int eap_aka_umts_auth(struct eap_sm *sm, struct eap_aka_data *data)
{
+ struct eap_peer_config *conf;
+
wpa_printf(MSG_DEBUG, "EAP-AKA: UMTS authentication algorithm");
-#ifdef PCSC_FUNCS
- return scard_umts_auth(sm->scard_ctx, data->rand,
- data->autn, data->res, &data->res_len,
- data->ik, data->ck, data->auts);
-#else /* PCSC_FUNCS */
+
+ conf = eap_get_config(sm);
+ if (conf == NULL)
+ return -1;
+ if (conf->pcsc) {
+ return scard_umts_auth(sm->scard_ctx, data->rand,
+ data->autn, data->res, &data->res_len,
+ data->ik, data->ck, data->auts);
+ }
+
+#ifdef CONFIG_USIM_SIMULATOR
+ if (conf->password) {
+ u8 opc[16], k[16], sqn[6];
+ const char *pos;
+ wpa_printf(MSG_DEBUG, "EAP-AKA: Use internal Milenage "
+ "implementation for UMTS authentication");
+ if (conf->password_len < 78) {
+ wpa_printf(MSG_DEBUG, "EAP-AKA: invalid Milenage "
+ "password");
+ return -1;
+ }
+ pos = (const char *) conf->password;
+ if (hexstr2bin(pos, k, 16))
+ return -1;
+ pos += 32;
+ if (*pos != ':')
+ return -1;
+ pos++;
+
+ if (hexstr2bin(pos, opc, 16))
+ return -1;
+ pos += 32;
+ if (*pos != ':')
+ return -1;
+ pos++;
+
+ if (hexstr2bin(pos, sqn, 6))
+ return -1;
+
+ return milenage_check(opc, k, sqn, data->rand, data->autn,
+ data->ik, data->ck,
+ data->res, &data->res_len, data->auts);
+ }
+#endif /* CONFIG_USIM_SIMULATOR */
+
+#ifdef CONFIG_USIM_HARDCODED
+ wpa_printf(MSG_DEBUG, "EAP-AKA: Use hardcoded Kc and SRES values for "
+ "testing");
+
/* These hardcoded Kc and SRES values are used for testing.
* Could consider making them configurable. */
os_memset(data->res, '2', EAP_AKA_RES_MAX_LEN);
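Review bot: The stack buffers `k` and `opc` in the CONFIG_USIM_SIMULATOR branch hold the subscriber key and OPc parsed from `conf->password`, and every exit from the block leaves them on the stack uncleared. Routing the exits through one label that clears both buffers before returning keeps the key material from lingering after the call; a plain `os_memset` can be elided by the compiler, so if the tree has a non-elidable clearing helper, that should be used instead. The same pattern applies to `k` and `opc` in the CONFIG_SIM_SIMULATOR branch of `eap_sim_gsm_auth()` in eap_peer/eap_sim.c. The function body continues past the end of this hunk.

```c
	if (conf->password) {
		u8 opc[16], k[16], sqn[6];
		const char *pos;
		int ret = -1;
		/* ... unchanged: debug message and password_len check ... */
		pos = (const char *) conf->password;
		if (hexstr2bin(pos, k, 16))
			goto usim_done;
		/* ... unchanged: ':' separator checks and OPc/SQN parsing, with
		 * each "return -1" replaced by "goto usim_done" ... */
		ret = milenage_check(opc, k, sqn, data->rand, data->autn,
				     data->ik, data->ck,
				     data->res, &data->res_len, data->auts);
usim_done:
		/* do not leave K/OPc behind on the stack */
		os_memset(k, 0, sizeof(k));
		os_memset(opc, 0, sizeof(opc));
		return ret;
	}
```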
@@ -148,7 +198,14 @@
}
#endif
return 0;
-#endif /* PCSC_FUNCS */
+
+#else /* CONFIG_USIM_HARDCODED */
+
+ wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorith "
+ "enabled");
+ return -1;
+
+#endif /* CONFIG_USIM_HARDCODED */
}
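Review bot: The added debug string reads "No UMTS authentication algorith enabled", while the matching message added to eap_peer/eap_sim.c in this commit spells the word "algorithm". Suggested first line: `wpa_printf(MSG_DEBUG, "EAP-AKA: No UMTS authentication algorithm "`.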
@@ -415,7 +472,7 @@
msg = eap_sim_msg_init(EAP_CODE_RESPONSE, id, EAP_TYPE_AKA,
EAP_AKA_SUBTYPE_CHALLENGE);
wpa_printf(MSG_DEBUG, " AT_RES");
- eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len,
+ eap_sim_msg_add(msg, EAP_SIM_AT_RES, data->res_len * 8,
data->res, data->res_len);
eap_aka_add_checkcode(data, msg);
if (data->use_result_ind) {
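Review bot: The third argument to `eap_sim_msg_add()` changes unit from octets to bits with no comment, while the next line still passes `data->res_len` in octets, so the two look inconsistent to a reader. A comment such as `/* AT_RES value field is the RES length in bits; the payload length stays in octets */` above the call would keep the `* 8` from being "fixed" later. The server-side check in eap_server/eap_aka.c in this commit now requires `res_len_bits == res_len * 8`, so a peer and server on opposite sides of this change would presumably fail AT_RES validation; that deserves a changelog line.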
Modified: wpasupplicant/trunk/src/eap_peer/eap_config.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_config.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_config.h (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_config.h Sun Dec 7 13:49:04 2008
@@ -353,8 +353,8 @@
*
* crypto_binding option can be used to control PEAPv0 cryptobinding
* behavior:
- * 0 = do not use cryptobinding
- * 1 = use cryptobinding if server supports it (default)
+ * 0 = do not use cryptobinding (default)
+ * 1 = use cryptobinding if server supports it
* 2 = require cryptobinding
*/
char *phase1;
@@ -407,6 +407,47 @@
* using a smartcard.
*/
char *engine_id;
+
+ /**
+ * engine2 - Enable OpenSSL engine (e.g., for smartcard) (Phase 2)
+ *
+ * This is used if private key operations for EAP-TLS are performed
+ * using a smartcard.
+ *
+ * This field is like engine, but used for phase 2 (inside
+ * EAP-TTLS/PEAP/FAST tunnel) authentication.
+ */
+ int engine2;
+
+
+ /**
+ * pin2 - PIN for USIM, GSM SIM, and smartcards (Phase 2)
+ *
+ * This field is used to configure PIN for SIM and smartcards for
+ * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
+ * smartcard is used for private key operations.
+ *
+ * This field is like pin2, but used for phase 2 (inside
+ * EAP-TTLS/PEAP/FAST tunnel) authentication.
+ *
+ * If left out, this will be asked through control interface.
+ */
+ char *pin2;
+
+ /**
+ * engine2_id - Engine ID for OpenSSL engine (Phase 2)
+ *
+ * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
+ * engine.
+ *
+ * This is used if private key operations for EAP-TLS are performed
+ * using a smartcard.
+ *
+ * This field is like engine_id, but used for phase 2 (inside
+ * EAP-TTLS/PEAP/FAST tunnel) authentication.
+ */
+ char *engine2_id;
+
/**
* key_id - Key ID for OpenSSL engine
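Review bot: The doc comment for `pin2` says "This field is like pin2", which refers to itself; the line should read `* This field is like pin, but used for phase 2 (inside`. The first paragraph also appears to be carried over from `pin` and mentions EAP-SIM and EAP-AKA; whether those methods can run as a phase 2 method using `pin2` is not visible here, so confirm that before keeping the sentence. The struct definition starts and ends outside the hunk.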
Modified: wpasupplicant/trunk/src/eap_peer/eap_fast.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_fast.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_fast.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_fast.c Sun Dec 7 13:49:04 2008
@@ -1194,7 +1194,9 @@
}
if (data->current_pac == NULL && data->provisioning &&
- !data->anon_provisioning && !tlv.pac) {
+ !data->anon_provisioning && !tlv.pac &&
+ (tlv.iresult == EAP_TLV_RESULT_SUCCESS ||
+ tlv.result == EAP_TLV_RESULT_SUCCESS)) {
/*
* Need to request Tunnel PAC when using authenticated
* provisioning.
@@ -1206,10 +1208,10 @@
if (tlv.result == EAP_TLV_RESULT_SUCCESS && !failed) {
tmp = eap_fast_tlv_result(EAP_TLV_RESULT_SUCCESS, 0);
- resp = wpabuf_concat(resp, tmp);
+ resp = wpabuf_concat(tmp, resp);
} else if (failed) {
tmp = eap_fast_tlv_result(EAP_TLV_RESULT_FAILURE, 0);
- resp = wpabuf_concat(resp, tmp);
+ resp = wpabuf_concat(tmp, resp);
}
if (resp && tlv.result == EAP_TLV_RESULT_SUCCESS && !failed &&
Modified: wpasupplicant/trunk/src/eap_peer/eap_peap.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_peap.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_peap.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_peap.c Sun Dec 7 13:49:04 2008
@@ -65,6 +65,7 @@
struct wpabuf *pending_phase2_req;
enum { NO_BINDING, OPTIONAL_BINDING, REQUIRE_BINDING } crypto_binding;
int crypto_binding_used;
+ u8 binding_nonce[32];
u8 ipmk[40];
u8 cmk[20];
int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP)
@@ -139,7 +140,7 @@
data->peap_version = EAP_PEAP_VERSION;
data->force_peap_version = -1;
data->peap_outer_success = 2;
- data->crypto_binding = OPTIONAL_BINDING;
+ data->crypto_binding = NO_BINDING;
if (config && config->phase1 &&
eap_peap_parse_phase1(data, config->phase1) < 0) {
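Review bot: With the initial value now `NO_BINDING`, a network block that does not set `crypto_binding` in `phase1` presumably stops using the cryptobinding TLV, which is the check that ties the inner authentication to the outer tunnel. Existing configurations that relied on the old default lose that check silently on upgrade. I would add a comment giving the reason for the new default, e.g. `/* default off; set crypto_binding=1 or 2 in phase1 to enable */`, and log the effective mode once after `eap_peap_parse_phase1()` returns. The init function starts and ends outside the hunk.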
@@ -304,11 +305,6 @@
const u8 *addr[2];
size_t len[2];
u16 tlv_type;
- u8 binding_nonce[32];
-
- /* FIX: should binding_nonce be copied from request? */
- if (os_get_random(binding_nonce, 32))
- return -1;
/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
addr[0] = wpabuf_put(buf, 0);
@@ -326,7 +322,7 @@
wpabuf_put_u8(buf, data->peap_version); /* Version */
wpabuf_put_u8(buf, data->peap_version); /* RecvVersion */
wpabuf_put_u8(buf, 1); /* SubType: 0 = Request, 1 = Response */
- wpabuf_put_data(buf, binding_nonce, 32); /* Nonce */
+ wpabuf_put_data(buf, data->binding_nonce, 32); /* Nonce */
mac = wpabuf_put(buf, 20); /* Compound_MAC */
wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC CMK", data->cmk, 20);
wpa_hexdump(MSG_MSGDUMP, "EAP-PEAP: Compound_MAC data 1",
@@ -417,17 +413,24 @@
return -1;
}
pos += 4;
+ os_memcpy(data->binding_nonce, pos, 32);
pos += 32; /* Nonce */
/* Compound_MAC: HMAC-SHA1-160(cryptobinding TLV | EAP type) */
os_memcpy(buf, crypto_tlv, 60);
os_memset(buf + 4 + 4 + 32, 0, 20); /* Compound_MAC */
buf[60] = EAP_TYPE_PEAP;
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Compound_MAC data",
+ buf, sizeof(buf));
hmac_sha1(data->cmk, 20, buf, sizeof(buf), mac);
if (os_memcmp(mac, pos, SHA1_MAC_LEN) != 0) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: Invalid Compound_MAC in "
"cryptobinding TLV");
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Received MAC",
+ pos, SHA1_MAC_LEN);
+ wpa_hexdump(MSG_DEBUG, "EAP-PEAP: Expected MAC",
+ mac, SHA1_MAC_LEN);
return -1;
}
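Review bot: `os_memcpy(data->binding_nonce, pos, 32)` stores the received nonce before the Compound_MAC has been checked, so a TLV that fails verification still overwrites the saved nonce. A later hunk drops the Cryptobinding TLV from the response in that case, so the unverified value does not appear to be sent. Copying only after the `os_memcmp` succeeds removes the dependency on that: `os_memcpy(data->binding_nonce, buf + 4 + 4, 32);` placed after the failure branch (`buf` holds the 60-octet copy of the TLV, with the MAC at offset 4 + 4 + 32). The function body starts and ends outside the hunk.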
@@ -523,6 +526,9 @@
if (result_tlv == NULL)
return -1;
force_failure = 1;
+ crypto_tlv = NULL; /* do not include Cryptobinding TLV
+ * in response, if the received
+ * cryptobinding was invalid. */
}
} else if (!crypto_tlv && data->crypto_binding == REQUIRE_BINDING) {
wpa_printf(MSG_DEBUG, "EAP-PEAP: No cryptobinding TLV");
Modified: wpasupplicant/trunk/src/eap_peer/eap_sim.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_sim.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_sim.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_sim.c Sun Dec 7 13:49:04 2008
@@ -19,6 +19,9 @@
#include "eap_config.h"
#include "pcsc_funcs.h"
#include "eap_common/eap_sim_common.h"
+#ifdef CONFIG_SIM_SIMULATOR
+#include "hlr_auc_gw/milenage.h"
+#endif /* CONFIG_SIM_SIMULATOR */
struct eap_sim_data {
@@ -142,26 +145,81 @@
static int eap_sim_gsm_auth(struct eap_sm *sm, struct eap_sim_data *data)
{
+ struct eap_peer_config *conf;
+
wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication algorithm");
-#ifdef PCSC_FUNCS
- if (scard_gsm_auth(sm->scard_ctx, data->rand[0],
- data->sres[0], data->kc[0]) ||
- scard_gsm_auth(sm->scard_ctx, data->rand[1],
- data->sres[1], data->kc[1]) ||
- (data->num_chal > 2 &&
- scard_gsm_auth(sm->scard_ctx, data->rand[2],
- data->sres[2], data->kc[2]))) {
- wpa_printf(MSG_DEBUG, "EAP-SIM: GSM SIM authentication could "
- "not be completed");
+
+ conf = eap_get_config(sm);
+ if (conf == NULL)
return -1;
- }
-#else /* PCSC_FUNCS */
+ if (conf->pcsc) {
+ if (scard_gsm_auth(sm->scard_ctx, data->rand[0],
+ data->sres[0], data->kc[0]) ||
+ scard_gsm_auth(sm->scard_ctx, data->rand[1],
+ data->sres[1], data->kc[1]) ||
+ (data->num_chal > 2 &&
+ scard_gsm_auth(sm->scard_ctx, data->rand[2],
+ data->sres[2], data->kc[2]))) {
+ wpa_printf(MSG_DEBUG, "EAP-SIM: GSM SIM "
+ "authentication could not be completed");
+ return -1;
+ }
+ return 0;
+ }
+
+#ifdef CONFIG_SIM_SIMULATOR
+ if (conf->password) {
+ u8 opc[16], k[16];
+ const char *pos;
+ size_t i;
+ wpa_printf(MSG_DEBUG, "EAP-SIM: Use internal GSM-Milenage "
+ "implementation for authentication");
+ if (conf->password_len < 65) {
+ wpa_printf(MSG_DEBUG, "EAP-SIM: invalid GSM-Milenage "
+ "password");
+ return -1;
+ }
+ pos = (const char *) conf->password;
+ if (hexstr2bin(pos, k, 16))
+ return -1;
+ pos += 32;
+ if (*pos != ':')
+ return -1;
+ pos++;
+
+ if (hexstr2bin(pos, opc, 16))
+ return -1;
+
+ for (i = 0; i < data->num_chal; i++) {
+ if (gsm_milenage(opc, k, data->rand[i],
+ data->sres[i], data->kc[i])) {
+ wpa_printf(MSG_DEBUG, "EAP-SIM: "
+ "GSM-Milenage authentication "
+ "could not be completed");
+ return -1;
+ }
+ wpa_hexdump(MSG_DEBUG, "EAP-SIM: RAND",
+ data->rand[i], GSM_RAND_LEN);
+ wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: SRES",
+ data->sres[i], EAP_SIM_SRES_LEN);
+ wpa_hexdump_key(MSG_DEBUG, "EAP-SIM: Kc",
+ data->kc[i], EAP_SIM_KC_LEN);
+ }
+ return 0;
+ }
+#endif /* CONFIG_SIM_SIMULATOR */
+
+#ifdef CONFIG_SIM_HARDCODED
/* These hardcoded Kc and SRES values are used for testing. RAND to
* KC/SREC mapping is very bogus as far as real authentication is
* concerned, but it is quite useful for cases where the AS is rotating
* the order of pre-configured values. */
{
size_t i;
+
+ wpa_printf(MSG_DEBUG, "EAP-SIM: Use hardcoded Kc and SRES "
+ "values for testing");
+
for (i = 0; i < data->num_chal; i++) {
if (data->rand[i][0] == 0xaa) {
os_memcpy(data->kc[i],
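Review bot: With CONFIG_SIM_HARDCODED defined, a network block that sets neither `pcsc` nor `password` falls through to the fixed Kc/SRES table, and the only indication is the new MSG_DEBUG line. Since the existing comment says these values are for testing, I would raise the message to a level that shows in normal logs: `wpa_printf(MSG_WARNING, "EAP-SIM: Use hardcoded Kc and SRES "`. The CONFIG_USIM_HARDCODED message added to `eap_aka_umts_auth()` in eap_peer/eap_aka.c has the same issue. The hardcoded block continues in the next hunk.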
@@ -184,8 +242,16 @@
}
}
}
-#endif /* PCSC_FUNCS */
+
return 0;
+
+#else /* CONFIG_SIM_HARDCODED */
+
+ wpa_printf(MSG_DEBUG, "EAP-SIM: No GSM authentication algorithm "
+ "enabled");
+ return -1;
+
+#endif /* CONFIG_SIM_HARDCODED */
}
Modified: wpasupplicant/trunk/src/eap_peer/eap_tls.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_tls.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_tls.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_tls.c Sun Dec 7 13:49:04 2008
@@ -36,7 +36,8 @@
struct eap_peer_config *config = eap_get_config(sm);
if (config == NULL ||
((sm->init_phase2 ? config->private_key2 : config->private_key)
- == NULL && config->engine == 0)) {
+ == NULL &&
+ (sm->init_phase2 ? config->engine2 : config->engine) == 0)) {
wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");
return NULL;
}
Modified: wpasupplicant/trunk/src/eap_peer/eap_tls_common.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_peer/eap_tls_common.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_peer/eap_tls_common.c (original)
+++ wpasupplicant/trunk/src/eap_peer/eap_tls_common.c Sun Dec 7 13:49:04 2008
@@ -56,6 +56,7 @@
params->dh_file = (char *) config->dh_file;
params->subject_match = (char *) config->subject_match;
params->altsubject_match = (char *) config->altsubject_match;
+ params->engine = config->engine;
params->engine_id = config->engine_id;
params->pin = config->pin;
params->key_id = config->key_id;
@@ -75,8 +76,9 @@
params->dh_file = (char *) config->dh_file2;
params->subject_match = (char *) config->subject_match2;
params->altsubject_match = (char *) config->altsubject_match2;
- params->engine_id = config->engine_id;
- params->pin = config->pin;
+ params->engine = config->engine2;
+ params->engine_id = config->engine2_id;
+ params->pin = config->pin2;
params->key_id = config->key2_id;
params->cert_id = config->cert2_id;
params->ca_cert_id = config->ca_cert2_id;
@@ -89,11 +91,13 @@
struct eap_peer_config *config, int phase2)
{
os_memset(params, 0, sizeof(*params));
- params->engine = config->engine;
- if (phase2)
+ if (phase2) {
+ wpa_printf(MSG_DEBUG, "TLS: using phase2 config options");
eap_tls_params_from_conf2(params, config);
- else
+ } else {
+ wpa_printf(MSG_DEBUG, "TLS: using phase1 config options");
eap_tls_params_from_conf1(params, config);
+ }
params->tls_ia = data->tls_ia;
/*
Modified: wpasupplicant/trunk/src/eap_server/eap_aka.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_server/eap_aka.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_server/eap_aka.c (original)
+++ wpasupplicant/trunk/src/eap_server/eap_aka.c Sun Dec 7 13:49:04 2008
@@ -666,10 +666,19 @@
return;
}
- if (attr->res == NULL || attr->res_len != data->res_len ||
+ /*
+ * AT_RES is padded, so verify that there is enough room for RES and
+ * that the RES length in bits matches with the expected RES.
+ */
+ if (attr->res == NULL || attr->res_len < data->res_len ||
+ attr->res_len_bits != data->res_len * 8 ||
os_memcmp(attr->res, data->res, data->res_len) != 0) {
wpa_printf(MSG_WARNING, "EAP-AKA: Challenge message did not "
- "include valid AT_RES");
+ "include valid AT_RES (attr len=%lu, res len=%lu "
+ "bits, expected %lu bits)",
+ (unsigned long) attr->res_len,
+ (unsigned long) attr->res_len_bits,
+ (unsigned long) data->res_len * 8);
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
return;
Modified: wpasupplicant/trunk/src/eap_server/eap_fast.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_server/eap_fast.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_server/eap_fast.c (original)
+++ wpasupplicant/trunk/src/eap_server/eap_fast.c Sun Dec 7 13:49:04 2008
@@ -241,12 +241,20 @@
if (os_get_time(&now) < 0 || lifetime <= 0 || now.sec > lifetime) {
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key not valid anymore "
"(lifetime=%ld now=%ld)", lifetime, now.sec);
- os_free(buf);
- return 0;
- }
-
- if (lifetime - now.sec < data->pac_key_refresh_time)
+ data->send_new_pac = 2;
+ /*
+ * Allow PAC to be used to allow a PAC update with some level
+ * of server authentication (i.e., do not fall back to full TLS
+ * handshake since we cannot be sure that the peer would be
+ * able to validate server certificate now). However, reject
+ * the authentication since the PAC was not valid anymore. Peer
+ * can connect again with the newly provisioned PAC after this.
+ */
+ } else if (lifetime - now.sec < data->pac_key_refresh_time) {
+ wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Key soft timeout; send "
+ "an update if authentication succeeds");
data->send_new_pac = 1;
+ }
eap_fast_derive_master_secret(pac_key, server_random, client_random,
master_secret);
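Review bot: An expired PAC-Key is no longer rejected here, so the only thing between it and `SUCCESS` is the `data->send_new_pac == 2` test in the PAC-Acknowledgement handler later in this diff; any other path that reaches `SUCCESS` would need the same test, and that cannot be confirmed from these hunks. The condition also sends an `os_get_time()` failure and `lifetime <= 0` down the same path, which may be wider than the comment intends. The bare `1` and `2` carry the whole policy, so I would name them, e.g. `enum { NO_PAC_UPDATE, PAC_UPDATE_ON_SUCCESS, PAC_UPDATE_AND_REJECT }`, and move the explanatory comment above the assignment. The function starts and ends outside the hunk.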
@@ -1218,7 +1226,8 @@
wpa_printf(MSG_DEBUG, "EAP-FAST: PAC-Acknowledgement received "
"- PAC provisioning succeeded");
- eap_fast_state(data, data->anon_provisioning ?
+ eap_fast_state(data, (data->anon_provisioning ||
+ data->send_new_pac == 2) ?
FAILURE : SUCCESS);
return;
}
Modified: wpasupplicant/trunk/src/eap_server/eap_tls.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/eap_server/eap_tls.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/eap_server/eap_tls.c (original)
+++ wpasupplicant/trunk/src/eap_server/eap_tls.c Sun Dec 7 13:49:04 2008
@@ -26,6 +26,7 @@
struct eap_tls_data {
struct eap_ssl_data ssl;
enum { START, CONTINUE, SUCCESS, FAILURE } state;
+ int established;
};
@@ -109,25 +110,24 @@
static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
{
struct eap_tls_data *data = priv;
-
+ struct wpabuf *res;
if (data->ssl.state == FRAG_ACK) {
return eap_server_tls_build_ack(id, EAP_TYPE_TLS, 0);
}
if (data->ssl.state == WAIT_FRAG_ACK) {
- return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0,
- id);
+ res = eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0,
+ id);
+ goto check_established;
}
switch (data->state) {
case START:
return eap_tls_build_start(sm, data, id);
case CONTINUE:
- if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
- wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
- eap_tls_state(data, SUCCESS);
- }
+ if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
+ data->established = 1;
break;
default:
wpa_printf(MSG_DEBUG, "EAP-TLS: %s - unexpected state %d",
@@ -135,7 +135,17 @@
return NULL;
}
- return eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0, id);
+ res = eap_server_tls_build_msg(&data->ssl, EAP_TYPE_TLS, 0, id);
+
+check_established:
+ if (data->established && data->ssl.state != WAIT_FRAG_ACK) {
+ /* TLS handshake has been completed and there are no more
+ * fragments waiting to be sent out. */
+ wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
+ eap_tls_state(data, SUCCESS);
+ }
+
+ return res;
}
Modified: wpasupplicant/trunk/src/hlr_auc_gw/milenage.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/hlr_auc_gw/milenage.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/hlr_auc_gw/milenage.c (original)
+++ wpasupplicant/trunk/src/hlr_auc_gw/milenage.c Sun Dec 7 13:49:04 2008
@@ -52,9 +52,9 @@
return -1;
/* tmp2 = IN1 = SQN || AMF || SQN || AMF */
- memcpy(tmp2, sqn, 6);
- memcpy(tmp2 + 6, amf, 2);
- memcpy(tmp2 + 8, tmp2, 8);
+ os_memcpy(tmp2, sqn, 6);
+ os_memcpy(tmp2 + 6, amf, 2);
+ os_memcpy(tmp2 + 8, tmp2, 8);
/* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */
@@ -72,9 +72,9 @@
for (i = 0; i < 16; i++)
tmp1[i] ^= opc[i];
if (mac_a)
- memcpy(mac_a, tmp1, 8); /* f1 */
+ os_memcpy(mac_a, tmp1, 8); /* f1 */
if (mac_s)
- memcpy(mac_s, tmp1 + 8, 8); /* f1* */
+ os_memcpy(mac_s, tmp1 + 8, 8); /* f1* */
return 0;
}
@@ -119,9 +119,9 @@
for (i = 0; i < 16; i++)
tmp3[i] ^= opc[i];
if (res)
- memcpy(res, tmp3 + 8, 8); /* f2 */
+ os_memcpy(res, tmp3 + 8, 8); /* f2 */
if (ak)
- memcpy(ak, tmp3, 6); /* f5 */
+ os_memcpy(ak, tmp3, 6); /* f5 */
/* f3 */
if (ck) {
@@ -181,7 +181,7 @@
u8 *ck, u8 *res, size_t *res_len)
{
int i;
- u8 mac_a[16], ak[6];
+ u8 mac_a[8], ak[6];
if (*res_len < 8) {
*res_len = 0;
@@ -197,8 +197,8 @@
/* AUTN = (SQN ^ AK) || AMF || MAC */
for (i = 0; i < 6; i++)
autn[i] = sqn[i] ^ ak[i];
- memcpy(autn + 6, amf, 2);
- memcpy(autn + 8, mac_a, 8);
+ os_memcpy(autn + 6, amf, 2);
+ os_memcpy(autn + 8, mac_a, 8);
}
@@ -250,11 +250,81 @@
kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8];
#ifdef GSM_MILENAGE_ALT_SRES
- memcpy(sres, res, 4);
+ os_memcpy(sres, res, 4);
#else /* GSM_MILENAGE_ALT_SRES */
for (i = 0; i < 4; i++)
sres[i] = res[i] ^ res[i + 4];
#endif /* GSM_MILENAGE_ALT_SRES */
+ return 0;
+}
+
+
+/**
+ * milenage_generate - Generate AKA AUTN,IK,CK,RES
+ * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
+ * @k: K = 128-bit subscriber key
+ * @sqn: SQN = 48-bit sequence number
+ * @_rand: RAND = 128-bit random challenge
+ * @autn: AUTN = 128-bit authentication token
+ * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
+ * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
+ * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
+ * @res_len: Variable that will be set to RES length
+ * @auts: 112-bit buffer for AUTS
+ * Returns: 0 on success, -1 on failure, or -2 on synchronization failure
+ */
+int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
+ const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
+ u8 *auts)
+{
+ int i;
+ u8 mac_a[8], ak[6], rx_sqn[6];
+ const u8 *amf;
+
+ wpa_hexdump(MSG_DEBUG, "Milenage: AUTN", autn, 16);
+ wpa_hexdump(MSG_DEBUG, "Milenage: RAND", _rand, 16);
+
+ if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL))
+ return -1;
+
+ *res_len = 8;
+ wpa_hexdump_key(MSG_DEBUG, "Milenage: RES", res, *res_len);
+ wpa_hexdump_key(MSG_DEBUG, "Milenage: CK", ck, 16);
+ wpa_hexdump_key(MSG_DEBUG, "Milenage: IK", ik, 16);
+ wpa_hexdump_key(MSG_DEBUG, "Milenage: AK", ak, 6);
+
+ /* AUTN = (SQN ^ AK) || AMF || MAC */
+ for (i = 0; i < 6; i++)
+ rx_sqn[i] = autn[i] ^ ak[i];
+ wpa_hexdump(MSG_DEBUG, "Milenage: SQN", rx_sqn, 6);
+
+ if (os_memcmp(rx_sqn, sqn, 6) <= 0) {
+ u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
+ if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
+ return -1;
+ wpa_hexdump_key(MSG_DEBUG, "Milenage: AK*", ak, 6);
+ for (i = 0; i < 6; i++)
+ auts[i] = sqn[i] ^ ak[i];
+ if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6))
+ return -1;
+ wpa_hexdump(MSG_DEBUG, "Milenage: AUTS", auts, 14);
+ return -2;
+ }
+
+ amf = autn + 6;
+ wpa_hexdump(MSG_DEBUG, "Milenage: AMF", amf, 2);
+ if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL))
+ return -1;
+
+ wpa_hexdump(MSG_DEBUG, "Milenage: MAC_A", mac_a, 8);
+
+ if (os_memcmp(mac_a, autn + 8, 8) != 0) {
+ wpa_printf(MSG_DEBUG, "Milenage: MAC mismatch");
+ wpa_hexdump(MSG_DEBUG, "Milenage: Received MAC_A",
+ autn + 8, 8);
+ return -1;
+ }
+
return 0;
}
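Review bot: In `milenage_check()` the `os_memcmp(rx_sqn, sqn, 6) <= 0` test and the whole AUTS branch run before MAC_A is verified, so an AUTN that has not been authenticated can steer the function into the resynchronisation path and make it return -2 with a freshly computed AUTS. TS 33.102 6.3.3, which the code already cites, has the USIM check the MAC first, so the `milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL)` call and the MAC comparison should move above the SQN comparison. The MAC check itself uses `os_memcmp`, which may stop at the first differing byte; accumulating the difference with a `u8 diff` as in `for (i = 0, diff = 0; i < 8; i++) diff |= mac_a[i] ^ autn[8 + i];` keeps the comparison time independent of how many bytes matched. The header comment is copied from milenage_generate; it should open with `milenage_check - Check AKA AUTN and derive IK,CK,RES` and describe `@autn` as the received token rather than an output.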
@@ -1006,17 +1076,18 @@
}
printf("milenage_auts test:\n");
- memcpy(auts, "\x4f\x20\x39\x39\x2d\xdd", 6);
- memcpy(auts + 6, "\x4b\xb4\x31\x6e\xd4\xa1\x46\x88", 8);
+ os_memcpy(auts, "\x4f\x20\x39\x39\x2d\xdd", 6);
+ os_memcpy(auts + 6, "\x4b\xb4\x31\x6e\xd4\xa1\x46\x88", 8);
res = milenage_auts(t->opc, t->k, t->rand, auts, buf);
printf("AUTS for test set %d: %d / SQN=%02x%02x%02x%02x%02x%02x\n",
i, res, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5]);
if (res)
ret++;
- memset(_rand, 0xaa, sizeof(_rand));
- memcpy(auts,
- "\x43\x68\x1a\xd3\xda\xf0\x06\xbc\xde\x40\x5a\x20\x72\x67", 14);
+ os_memset(_rand, 0xaa, sizeof(_rand));
+ os_memcpy(auts,
+ "\x43\x68\x1a\xd3\xda\xf0\x06\xbc\xde\x40\x5a\x20\x72\x67",
+ 14);
res = milenage_auts(t->opc, t->k, _rand, auts, buf);
printf("AUTS from a test USIM: %d / SQN=%02x%02x%02x%02x%02x%02x\n",
res, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5]);
@@ -1024,9 +1095,9 @@
ret++;
printf("milenage_generate test:\n");
- memcpy(sqn, "\x00\x00\x00\x00\x40\x44", 6);
- memcpy(_rand, "\x12\x69\xb8\x23\x41\x39\x35\x66\xfb\x99\x41\xe9\x84"
- "\x4f\xe6\x2f", 16);
+ os_memcpy(sqn, "\x00\x00\x00\x00\x40\x44", 6);
+ os_memcpy(_rand, "\x12\x69\xb8\x23\x41\x39\x35\x66\xfb\x99\x41\xe9\x84"
+ "\x4f\xe6\x2f", 16);
res_len = 8;
milenage_generate(t->opc, t->amf, t->k, sqn, _rand, buf, buf2, buf3,
buf4, &res_len);
Modified: wpasupplicant/trunk/src/hlr_auc_gw/milenage.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/hlr_auc_gw/milenage.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/hlr_auc_gw/milenage.h (original)
+++ wpasupplicant/trunk/src/hlr_auc_gw/milenage.h Sun Dec 7 13:49:04 2008
@@ -22,5 +22,8 @@
u8 *sqn);
int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres,
u8 *kc);
+int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
+ const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
+ u8 *auts);
#endif /* MILENAGE_H */
Modified: wpasupplicant/trunk/src/rsn_supp/wpa.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/rsn_supp/wpa.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/rsn_supp/wpa.c (original)
+++ wpasupplicant/trunk/src/rsn_supp/wpa.c Sun Dec 7 13:49:04 2008
@@ -133,7 +133,6 @@
* @sm: Pointer to WPA state machine data from wpa_sm_init()
* @error: Indicate whether this is an Michael MIC error report
* @pairwise: 1 = error report for pairwise packet, 0 = for group packet
- * Returns: Pointer to the current network structure or %NULL on failure
*
* Send an EAPOL-Key Request to the current authenticator. This function is
* used to request rekeying and it is usually called when a local Michael MIC
@@ -267,7 +266,7 @@
"caching attempt");
sm->cur_pmksa = NULL;
abort_cached = 1;
- } else {
+ } else if (!abort_cached) {
return -1;
}
}
@@ -486,6 +485,14 @@
wpa_ft_prepare_auth_request(sm);
}
#endif /* CONFIG_IEEE80211R */
+}
+
+
+static void wpa_sm_rekey_ptk(void *eloop_ctx, void *timeout_ctx)
+{
+ struct wpa_sm *sm = eloop_ctx;
+ wpa_printf(MSG_DEBUG, "WPA: Request PTK rekeying");
+ wpa_sm_key_request(sm, 0, 1);
}
@@ -533,6 +540,13 @@
"driver.");
return -1;
}
+
+ if (sm->wpa_ptk_rekey) {
+ eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+ eloop_register_timeout(sm->wpa_ptk_rekey, 0, wpa_sm_rekey_ptk,
+ sm, NULL);
+ }
+
return 0;
}
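Review bot: The `if (sm->wpa_ptk_rekey)` guard also passes for a negative value, and the config.c hunk parses the option with a plain `{ INT(wpa_ptk_rekey) }`, so nothing visible rejects one. If `eloop_register_timeout()` takes an unsigned seconds argument (its prototype is not shown here), a negative setting turns into a very long timeout and the rekey this option is meant to enforce never fires, with no warning. Use `if (sm->wpa_ptk_rekey > 0)` here and give the parser entry an `INT_RANGE` with a lower bound of 0. The return value of `eloop_register_timeout()` is also dropped, so a failed registration would leave the PTK without a lifetime limit. The enclosing function starts outside this hunk.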
@@ -1849,6 +1863,7 @@
return;
pmksa_cache_deinit(sm->pmksa);
eloop_cancel_timeout(wpa_sm_start_preauth, sm, NULL);
+ eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
os_free(sm->assoc_wpa_ie);
os_free(sm->ap_wpa_ie);
os_free(sm->ap_rsn_ie);
@@ -2018,6 +2033,7 @@
sm->ssid_len = config->ssid_len;
} else
sm->ssid_len = 0;
+ sm->wpa_ptk_rekey = config->wpa_ptk_rekey;
} else {
sm->network_ctx = NULL;
sm->peerkey_enabled = 0;
@@ -2026,6 +2042,7 @@
sm->eap_workaround = 0;
sm->eap_conf_ctx = NULL;
sm->ssid_len = 0;
+ sm->wpa_ptk_rekey = 0;
}
if (config == NULL || config->network_ctx != sm->network_ctx)
pmksa_cache_notify_reconfig(sm->pmksa);
Modified: wpasupplicant/trunk/src/rsn_supp/wpa.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/rsn_supp/wpa.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/rsn_supp/wpa.h (original)
+++ wpasupplicant/trunk/src/rsn_supp/wpa.h Sun Dec 7 13:49:04 2008
@@ -85,6 +85,7 @@
void *eap_conf_ctx;
const u8 *ssid;
size_t ssid_len;
+ int wpa_ptk_rekey;
};
#ifndef CONFIG_NO_WPA
Modified: wpasupplicant/trunk/src/rsn_supp/wpa_i.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/src/rsn_supp/wpa_i.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/src/rsn_supp/wpa_i.h (original)
+++ wpasupplicant/trunk/src/rsn_supp/wpa_i.h Sun Dec 7 13:49:04 2008
@@ -60,6 +60,7 @@
void *eap_conf_ctx;
u8 ssid[32];
size_t ssid_len;
+ int wpa_ptk_rekey;
u8 own_addr[ETH_ALEN];
const char *ifname;
Modified: wpasupplicant/trunk/wpa_supplicant/ChangeLog
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/ChangeLog?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/ChangeLog (original)
+++ wpasupplicant/trunk/wpa_supplicant/ChangeLog Sun Dec 7 13:49:04 2008
@@ -1,4 +1,31 @@
ChangeLog for wpa_supplicant
+
+2008-11-23 - v0.6.6
+ * added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA
+ (can be used to simulate test SIM/USIM card with a known private key;
+ enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
+ and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration)
+ * added a new network configuration option, wpa_ptk_rekey, that can be
+ used to enforce frequent PTK rekeying, e.g., to mitigate some attacks
+ against TKIP deficiencies
+ * added an optional mitigation mechanism for certain attacks against
+ TKIP by delaying Michael MIC error reports by a random amount of time
+ between 0 and 60 seconds; this can be enabled with a build option
+ CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
+ * fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
+ not bytes
+ * updated OpenSSL code for EAP-FAST to use an updated version of the
+ session ticket overriding API that was included into the upstream
+ OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
+ needed with that version anymore)
+ * updated userspace MLME instructions to match with the current Linux
+ mac80211 implementation; please also note that this can only be used
+ with driver_nl80211.c (the old code from driver_wext.c was removed)
+ * added support (Linux only) for RoboSwitch chipsets (often found in
+ consumer grade routers); driver interface 'roboswitch'
+ * fixed canceling of PMKSA caching when using drivers that generate
+ RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know
+ about
2008-11-01 - v0.6.5
* added support for SHA-256 as X.509 certificate digest when using the
Modified: wpasupplicant/trunk/wpa_supplicant/Makefile
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/Makefile?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/Makefile (original)
+++ wpasupplicant/trunk/wpa_supplicant/Makefile Sun Dec 7 13:49:04 2008
@@ -235,6 +235,11 @@
LIBS += -framework CoreFoundation
endif
+ifdef CONFIG_DRIVER_ROBOSWITCH
+CFLAGS += -DCONFIG_DRIVER_ROBOSWITCH
+OBJS_d += ../src/drivers/driver_roboswitch.o
+endif
+
ifndef CONFIG_L2_PACKET
CONFIG_L2_PACKET=linux
endif
@@ -576,6 +581,20 @@
else
LIBS += -lpcsclite -lpthread
endif
+endif
+
+ifdef CONFIG_SIM_SIMULATOR
+CFLAGS += -DCONFIG_SIM_SIMULATOR
+NEED_MILENAGE=y
+endif
+
+ifdef CONFIG_USIM_SIMULATOR
+CFLAGS += -DCONFIG_USIM_SIMULATOR
+NEED_MILENAGE=y
+endif
+
+ifdef NEED_MILENAGE
+OBJS += ../src/hlr_auc_gw/milenage.o
endif
ifndef CONFIG_TLS
@@ -937,6 +956,10 @@
CFLAGS += -DCONFIG_DEBUG_FILE
endif
+ifdef CONFIG_DELAYED_MIC_ERROR_REPORT
+CFLAGS += -DCONFIG_DELAYED_MIC_ERROR_REPORT
+endif
+
OBJS += ../src/drivers/scan_helpers.o
OBJS_wpa_rm := ctrl_iface.o mlme.o ctrl_iface_unix.o
Modified: wpasupplicant/trunk/wpa_supplicant/README
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/README?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/README (original)
+++ wpasupplicant/trunk/wpa_supplicant/README Sun Dec 7 13:49:04 2008
@@ -525,6 +525,7 @@
broadcom = Broadcom wl.o driver
ipw = Intel ipw2100/2200 driver (old; use wext with Linux 2.6.13 or newer)
wired = wpa_supplicant wired Ethernet driver
+ roboswitch = wpa_supplicant Broadcom switch driver
bsd = BSD 802.11 support (Atheros, etc.)
ndis = Windows NDIS driver
@@ -694,8 +695,8 @@
}
-6) Authentication for wired Ethernet. This can be used with 'wired' interface
- (-Dwired on command line).
+6) Authentication for wired Ethernet. This can be used with 'wired' or
+ 'roboswitch' interface (-Dwired or -Droboswitch on command line).
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
Modified: wpasupplicant/trunk/wpa_supplicant/README-Windows.txt
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/README-Windows.txt?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/README-Windows.txt (original)
+++ wpasupplicant/trunk/wpa_supplicant/README-Windows.txt Sun Dec 7 13:49:04 2008
@@ -9,7 +9,9 @@
license. Either license may be used at your option.
This product includes software developed by the OpenSSL Project
-for use in the OpenSSL Toolkit (http://www.openssl.org/)
+for use in the OpenSSL Toolkit (http://www.openssl.org/). This
+product includes cryptographic software written by Eric Young
+(eay at cryptsoft.com).
wpa_supplicant has support for being used as a WPA/WPA2/IEEE 802.1X
Modified: wpasupplicant/trunk/wpa_supplicant/config.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/config.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/config.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/config.c Sun Dec 7 13:49:04 2008
@@ -1331,10 +1331,13 @@
{ STRe(key_id) },
{ STRe(cert_id) },
{ STRe(ca_cert_id) },
+ { STR_KEYe(pin2) },
+ { STRe(engine2_id) },
{ STRe(key2_id) },
{ STRe(cert2_id) },
{ STRe(ca_cert2_id) },
{ INTe(engine) },
+ { INTe(engine2) },
{ INT(eapol_flags) },
#endif /* IEEE8021X_EAPOL */
{ FUNC_KEY(wep_key0) },
@@ -1357,7 +1360,8 @@
#endif /* CONFIG_IEEE80211W */
{ INT_RANGE(peerkey, 0, 1) },
{ INT_RANGE(mixed_cell, 0, 1) },
- { INT_RANGE(frequency, 0, 10000) }
+ { INT_RANGE(frequency, 0, 10000) },
+ { INT(wpa_ptk_rekey) }
};
#undef OFFSET
@@ -1496,6 +1500,8 @@
os_free(eap->key2_id);
os_free(eap->cert2_id);
os_free(eap->ca_cert2_id);
+ os_free(eap->pin2);
+ os_free(eap->engine2_id);
os_free(eap->otp);
os_free(eap->pending_req_otp);
os_free(eap->pac_file);
Modified: wpasupplicant/trunk/wpa_supplicant/config_file.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/config_file.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/config_file.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/config_file.c Sun Dec 7 13:49:04 2008
@@ -758,9 +758,12 @@
STR(cert_id);
STR(ca_cert_id);
STR(key2_id);
+ STR(pin2);
+ STR(engine2_id);
STR(cert2_id);
STR(ca_cert2_id);
INTe(engine);
+ INTe(engine2);
INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
#endif /* IEEE8021X_EAPOL */
for (i = 0; i < 4; i++)
Modified: wpasupplicant/trunk/wpa_supplicant/config_ssid.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/config_ssid.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/config_ssid.h (original)
+++ wpasupplicant/trunk/wpa_supplicant/config_ssid.h Sun Dec 7 13:49:04 2008
@@ -334,6 +334,14 @@
* will be used instead of this configured value.
*/
int frequency;
+
+ /**
+ * wpa_ptk_rekey - Maximum lifetime for PTK in seconds
+ *
+ * This value can be used to enforce rekeying of PTK to mitigate some
+ * attacks against TKIP deficiencies.
+ */
+ int wpa_ptk_rekey;
};
#endif /* CONFIG_SSID_H */
Modified: wpasupplicant/trunk/wpa_supplicant/config_winreg.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/config_winreg.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/config_winreg.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/config_winreg.c Sun Dec 7 13:49:04 2008
@@ -770,9 +770,12 @@
STR(cert_id);
STR(ca_cert_id);
STR(key2_id);
+ STR(pin2);
+ STR(engine2_id);
STR(cert2_id);
STR(ca_cert2_id);
INTe(engine);
+ INTe(engine2);
INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS);
#endif /* IEEE8021X_EAPOL */
for (i = 0; i < 4; i++)
Modified: wpasupplicant/trunk/wpa_supplicant/defconfig
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/defconfig?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/defconfig (original)
+++ wpasupplicant/trunk/wpa_supplicant/defconfig Sun Dec 7 13:49:04 2008
@@ -106,6 +106,9 @@
# Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y
+# Driver interface for the Broadcom RoboSwitch family
+#CONFIG_DRIVER_ROBOSWITCH=y
+
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
# included)
CONFIG_IEEE8021X_EAPOL=y
@@ -152,6 +155,9 @@
# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
#CONFIG_EAP_AKA=y
+
+# Enable USIM simulator (Milenage) for EAP-AKA
+#CONFIG_USIM_SIMULATOR=y
# EAP-SAKE
#CONFIG_EAP_SAKE=y
@@ -343,14 +349,15 @@
#CONFIG_DYNAMIC_EAP_METHODS=y
# Include client MLME (management frame processing).
-# This can be used to move MLME processing of Devicescape IEEE 802.11 stack
-# into user space.
+# This can be used to move MLME processing of Linux mac80211 stack into user
+# space.
#CONFIG_CLIENT_MLME=y
-# Currently, driver_devicescape.c build requires some additional parameters
-# to be able to include some of the kernel header files. Following lines can
-# be used to set these (WIRELESS_DEV must point to the root directory of the
-# wireless-dev.git tree).
-#WIRELESS_DEV=/usr/src/wireless-dev
+# Currently, driver_nl80211.c build requires some additional parameters to be
+# able to include some of the kernel header files. Following lines can be used
+# to set these (WIRELESS_DEV must point to the root directory of the
+# wireless-testing.git tree). In addition, mac80211 may need external patches
+# to enable userspace MLME support.
+#WIRELESS_DEV=/usr/src/wireless-testing
#CFLAGS += -I$(WIRELESS_DEV)/net/mac80211
# IEEE Std 802.11r-2008 (Fast BSS Transition)
@@ -361,3 +368,7 @@
# Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y
+
+# Enable mitigation against certain attacks against TKIP by delaying Michael
+# MIC error reports by a random amount of time between 0 and 60 seconds
+#CONFIG_DELAYED_MIC_ERROR_REPORT=y
Modified: wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml (original)
+++ wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.conf.sgml Sun Dec 7 13:49:04 2008
@@ -174,7 +174,8 @@
<listitem>
<para>Authentication for wired Ethernet. This can be used with
- <emphasis>wired</emphasis> interface (-Dwired on command line).</para>
+ <emphasis>wired</emphasis> or <emphasis>roboswitch</emphasis> interface
+ (-Dwired or -Droboswitch on command line).</para>
<blockquote><programlisting>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
Modified: wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml (original)
+++ wpasupplicant/trunk/wpa_supplicant/doc/docbook/wpa_supplicant.sgml Sun Dec 7 13:49:04 2008
@@ -310,6 +310,13 @@
</varlistentry>
<varlistentry>
+ <term>roboswitch</term>
+ <listitem>
+ <para>wpa_supplicant Broadcom switch driver</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>bsd</term>
<listitem>
<para>BSD 802.11 support (Atheros, etc.).</para>
Modified: wpasupplicant/trunk/wpa_supplicant/eap_testing.txt
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/eap_testing.txt?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/eap_testing.txt (original)
+++ wpasupplicant/trunk/wpa_supplicant/eap_testing.txt Sun Dec 7 13:49:04 2008
@@ -58,7 +58,7 @@
EAP-PEAPv0/GTC + - + - + + + + - - + +
EAP-PEAPv0/OTP - - - - - + - - - - - -
EAP-PEAPv0/MD5 + - - + + + + + - - + -
-EAP-PEAPv0/TLS + + - + + + F + - - + -
+EAP-PEAPv0/TLS + + - + + + F + - - + +
EAP-PEAPv0/SIM - - - - - - - - - - + -
EAP-PEAPv0/AKA - - - - - - - - - - + -
EAP-PEAPv0/PSK - - - - - - - - - - + -
@@ -69,7 +69,7 @@
EAP-PEAPv1/GTC - - + + + +1 + +5 +8 - + +
EAP-PEAPv1/OTP - - - - - +1 - - - - - -
EAP-PEAPv1/MD5 - - - + + +1 + +5 - - + -
-EAP-PEAPv1/TLS - - - + + +1 F +5 - - + -
+EAP-PEAPv1/TLS - - - + + +1 F +5 - - + +
EAP-PEAPv1/SIM - - - - - - - - - - + -
EAP-PEAPv1/AKA - - - - - - - - - - + -
EAP-PEAPv1/PSK - - - - - - - - - - + -
@@ -354,13 +354,6 @@
- EAP-SIM
- EAP-PAX
-Cisco Secure ACS 3.3(1) for Windows Server
-- PEAPv1/GTC worked, but PEAPv0/GTC failed in the end after password was
- sent successfully; ACS is replying with empty PEAP packet (TLS ACK);
- wpa_supplicant tries to decrypt this.. Replying with TLS ACK and and
- marking the connection completed was enough to make this work.
-
-
PEAPv1:
Funk Odyssey 2.01.00.653:
Modified: wpasupplicant/trunk/wpa_supplicant/events.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/events.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/events.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/events.c Sun Dec 7 13:49:04 2008
@@ -862,6 +862,22 @@
}
+#ifdef CONFIG_DELAYED_MIC_ERROR_REPORT
+static void wpa_supplicant_delayed_mic_error_report(void *eloop_ctx,
+ void *sock_ctx)
+{
+ struct wpa_supplicant *wpa_s = eloop_ctx;
+
+ if (!wpa_s->pending_mic_error_report)
+ return;
+
+ wpa_printf(MSG_DEBUG, "WPA: Sending pending MIC error report");
+ wpa_sm_key_request(wpa_s->wpa, 1, wpa_s->pending_mic_error_pairwise);
+ wpa_s->pending_mic_error_report = 0;
+}
+#endif /* CONFIG_DELAYED_MIC_ERROR_REPORT */
+
+
static void
wpa_supplicant_event_michael_mic_failure(struct wpa_supplicant *wpa_s,
union wpa_event_data *data)
@@ -871,10 +887,25 @@
wpa_msg(wpa_s, MSG_WARNING, "Michael MIC failure detected");
pairwise = (data && data->michael_mic_failure.unicast);
- wpa_sm_key_request(wpa_s->wpa, 1, pairwise);
os_get_time(&t);
- if (wpa_s->last_michael_mic_error &&
- t.sec - wpa_s->last_michael_mic_error <= 60) {
+ if ((wpa_s->last_michael_mic_error &&
+ t.sec - wpa_s->last_michael_mic_error <= 60) ||
+ wpa_s->pending_mic_error_report) {
+ if (wpa_s->pending_mic_error_report) {
+ /*
+ * Send the pending MIC error report immediately since
+ * we are going to start countermeasures and AP better
+ * do the same.
+ */
+ wpa_sm_key_request(wpa_s->wpa, 1,
+ wpa_s->pending_mic_error_pairwise);
+ }
+
+ /* Send the new MIC error report immediately since we are going
+ * to start countermeasures and AP better do the same.
+ */
+ wpa_sm_key_request(wpa_s->wpa, 1, pairwise);
+
/* initialize countermeasures */
wpa_s->countermeasures = 1;
wpa_msg(wpa_s, MSG_WARNING, "TKIP countermeasures started");
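Review bot: In the branch that starts countermeasures, the pending report is flushed with `wpa_sm_key_request(wpa_s->wpa, 1, wpa_s->pending_mic_error_pairwise)`, but the visible lines neither clear `pending_mic_error_report` nor cancel the `wpa_supplicant_delayed_mic_error_report` timeout. Unless that happens in the part of the function outside this hunk, the timer will fire later and send the same report a second time. Adding `wpa_s->pending_mic_error_report = 0;` and `eloop_cancel_timeout(wpa_supplicant_delayed_mic_error_report, wpa_s, NULL);` inside the inner `if` would close that. The cancel belongs under `#ifdef CONFIG_DELAYED_MIC_ERROR_REPORT`, since the callback only exists in that build.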
@@ -895,8 +926,46 @@
wpa_s, NULL);
/* TODO: mark the AP rejected for 60 second. STA is
* allowed to associate with another AP.. */
+ } else {
+#ifdef CONFIG_DELAYED_MIC_ERROR_REPORT
+ if (wpa_s->mic_errors_seen) {
+ /*
+ * Reduce the effectiveness of Michael MIC error
+ * reports as a means for attacking against TKIP if
+ * more than one MIC failure is noticed with the same
+ * PTK. We delay the transmission of the reports by a
+ * random time between 0 and 60 seconds in order to
+ * force the attacker wait 60 seconds before getting
+ * the information on whether a frame resulted in a MIC
+ * failure.
+ */
+ u8 rval[4];
+ int sec;
+
+ if (os_get_random(rval, sizeof(rval)) < 0)
+ sec = os_random() % 60;
+ else
+ sec = WPA_GET_BE32(rval) % 60;
+ wpa_printf(MSG_DEBUG, "WPA: Delay MIC error report %d "
+ "seconds", sec);
+ wpa_s->pending_mic_error_report = 1;
+ wpa_s->pending_mic_error_pairwise = pairwise;
+ eloop_cancel_timeout(
+ wpa_supplicant_delayed_mic_error_report,
+ wpa_s, NULL);
+ eloop_register_timeout(
+ sec, os_random() % 1000000,
+ wpa_supplicant_delayed_mic_error_report,
+ wpa_s, NULL);
+ } else {
+ wpa_sm_key_request(wpa_s->wpa, 1, pairwise);
+ }
+#else /* CONFIG_DELAYED_MIC_ERROR_REPORT */
+ wpa_sm_key_request(wpa_s->wpa, 1, pairwise);
+#endif /* CONFIG_DELAYED_MIC_ERROR_REPORT */
}
wpa_s->last_michael_mic_error = t.sec;
+ wpa_s->mic_errors_seen++;
}
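Review bot: The delay this mitigation relies on falls back to `os_random() % 60` when `os_get_random()` fails, and the microsecond part always comes from `os_random()`. If that is a non-cryptographic generator (its implementation is not shown here), the delay becomes guessable in exactly the case the code handles silently. Report the fallback above debug level, for example `wpa_printf(MSG_WARNING, "WPA: os_get_random() failed; MIC error report delay is weakly random");`, so an operator can see that the mitigation is degraded. The comment should also say the delay is 0 to 59 seconds, since `% 60` never yields 60 and a draw of 0 sends the report almost at once.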
Modified: wpasupplicant/trunk/wpa_supplicant/scan.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/scan.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/scan.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/scan.c Sun Dec 7 13:49:04 2008
@@ -70,9 +70,9 @@
wpa_s->scan_req = 0;
if (wpa_s->conf->ap_scan != 0 &&
- wpa_s->driver && os_strcmp(wpa_s->driver->name, "wired") == 0) {
- wpa_printf(MSG_DEBUG, "Using wired driver - overriding "
- "ap_scan configuration");
+ wpa_s->driver && IS_WIRED(wpa_s->driver)) {
+ wpa_printf(MSG_DEBUG, "Using wired authentication - "
+ "overriding ap_scan configuration");
wpa_s->conf->ap_scan = 0;
}
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/icons/Makefile
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/icons/Makefile?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/icons/Makefile (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/icons/Makefile Sun Dec 7 13:49:04 2008
@@ -4,7 +4,7 @@
SVG := $(NAME).svg
SIZES := 16x16 22x22 32x32 48x48 64x64 128x128
ICONS := $(addsuffix .png,$(SIZES))
-ICONS += $(addsuffix .xpm,16x16 32x32)
+ICONS += $(addsuffix .xpm,$(NAME) $(NAME)-16)
all: $(ICONS)
@@ -15,9 +15,13 @@
--export-height=$(word 2,$(subst x, ,$(@:.png=))) \
--export-png=hicolor/$(@:.png=)/apps/$(NAME).png
-%.xpm:
+$(NAME).xpm:
mkdir -p pixmaps/
- convert hicolor/$(@:.xpm=)/apps/$(NAME).png pixmaps/$@
+ convert hicolor/32x32/apps/$(NAME).png pixmaps/$@
+
+$(NAME)-16.xpm:
+ mkdir -p pixmaps/
+ convert hicolor/16x16/apps/$(NAME).png pixmaps/$@
clean:
$(RM) -r pixmaps hicolor
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/main.cpp
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/main.cpp?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/main.cpp (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/main.cpp Sun Dec 7 13:49:04 2008
@@ -27,7 +27,7 @@
#ifdef CONFIG_NATIVE_WINDOWS
WSADATA wsaData;
if (WSAStartup(MAKEWORD(2, 0), &wsaData)) {
- printf("Could not find a usable WinSock.dll\n");
+ /* printf("Could not find a usable WinSock.dll\n"); */
return -1;
}
#endif /* CONFIG_NATIVE_WINDOWS */
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp Sun Dec 7 13:49:04 2008
@@ -12,6 +12,7 @@
* See README and COPYING for more details.
*/
+#include <cstdio>
#include <QMessageBox>
#include "networkconfig.h"
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/scanresults.cpp
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/scanresults.cpp?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/scanresults.cpp (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/scanresults.cpp Sun Dec 7 13:49:04 2008
@@ -11,6 +11,8 @@
*
* See README and COPYING for more details.
*/
+
+#include <cstdio>
#include "scanresults.h"
#include "wpagui.h"
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/setup-mingw-cross-compiling
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/setup-mingw-cross-compiling?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/setup-mingw-cross-compiling (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/setup-mingw-cross-compiling Sun Dec 7 13:49:04 2008
@@ -9,3 +9,5 @@
sed s%/usr/lib/qt4%/q/jm/qt4-win/4.3.3/lib%g |
sed s%/usr/include/qt4%/q/jm/qt4-win/4.3.3/include%g > tmp.Makefile.Release &&
mv -f tmp.Makefile.Release Makefile.Release
+
+make -C icons
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpa_gui.pro Sun Dec 7 13:49:04 2008
@@ -11,9 +11,10 @@
SOURCES += ../../src/utils/os_win32.c
} else:win32-g++ {
# cross compilation to win32
- LIBS += -lws2_32 -static
+ LIBS += -lws2_32 -static -mwindows
DEFINES += CONFIG_NATIVE_WINDOWS CONFIG_CTRL_IFACE_NAMED_PIPE
SOURCES += ../../src/utils/os_win32.c
+ RESOURCES += icons_png.qrc
} else {
DEFINES += CONFIG_CTRL_IFACE_UNIX
SOURCES += ../../src/utils/os_unix.c
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpagui.cpp
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpagui.cpp?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpagui.cpp (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_gui-qt4/wpagui.cpp Sun Dec 7 13:49:04 2008
@@ -17,14 +17,25 @@
#include <unistd.h>
#endif
+#include <cstdio>
#include <QMessageBox>
#include <QCloseEvent>
+#include <QImageReader>
#include "wpagui.h"
#include "dirent.h"
#include "wpa_ctrl.h"
#include "userdatarequest.h"
#include "networkconfig.h"
+
+#if 1
+/* Silence stdout */
+#define printf wpagui_printf
+static int wpagui_printf(const char *, ...)
+{
+ return 0;
+}
+#endif
WpaGui::WpaGui(QWidget *parent, const char *, Qt::WFlags)
: QMainWindow(parent)
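Review bot: `#define printf wpagui_printf` redefines a standard library name after `<cstdio>` has been included, which the C++ standard does not allow for names declared in standard headers. It also turns every later `printf` in this file, including error diagnostics, into a silent no-op. A file-local helper with its own name, for example `static int dbg_printf(const char *, ...)`, called at the existing sites, or routing the messages through `qDebug()`, keeps the intent without the macro. The `#if 1` guard would read better as a named build option.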
@@ -1094,7 +1105,10 @@
tray_icon = new QSystemTrayIcon(this);
tray_icon->setToolTip(qAppName() + " - wpa_supplicant user interface");
- tray_icon->setIcon(QIcon(":/icons/wpa_gui.svg"));
+ if (QImageReader::supportedImageFormats().contains(QByteArray("svg")))
+ tray_icon->setIcon(QIcon(":/icons/wpa_gui.svg"));
+ else
+ tray_icon->setIcon(QIcon(":/icons/wpa_gui.png"));
connect(tray_icon,
SIGNAL(activated(QSystemTrayIcon::ActivationReason)),
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.c Sun Dec 7 13:49:04 2008
@@ -212,7 +212,7 @@
int sec, int usec)
{
if (wpa_s->conf && wpa_s->conf->ap_scan == 0 &&
- wpa_s->driver && os_strcmp(wpa_s->driver->name, "wired") == 0)
+ wpa_s->driver && IS_WIRED(wpa_s->driver))
return;
wpa_msg(wpa_s, MSG_DEBUG, "Setting authentication timeout: %d sec "
@@ -273,8 +273,7 @@
EAPOL_REQUIRE_KEY_BROADCAST;
}
- if (wpa_s->conf && wpa_s->driver &&
- os_strcmp(wpa_s->driver->name, "wired") == 0) {
+ if (wpa_s->conf && wpa_s->driver && IS_WIRED(wpa_s->driver)) {
eapol_conf.required_keys = 0;
}
}
@@ -1388,7 +1387,7 @@
}
wired = wpa_s->conf->ap_scan == 0 && wpa_s->driver &&
- os_strcmp(wpa_s->driver->name, "wired") == 0;
+ IS_WIRED(wpa_s->driver);
entry = wpa_s->conf->ssid;
while (entry) {
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.conf
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.conf?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.conf (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_supplicant.conf Sun Dec 7 13:49:04 2008
@@ -275,6 +275,9 @@
# 0 = disabled (default)
# 1 = enabled
#peerkey=1
+#
+# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
+# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
#
# Following fields are only used with internal EAP implementation.
# eap: space-separated list of accepted EAP methods
@@ -391,8 +394,8 @@
# protected result indication.
# 'crypto_binding' option can be used to control PEAPv0 cryptobinding
# behavior:
-# * 0 = do not use cryptobinding
-# * 1 = use cryptobinding if server supports it (default)
+# * 0 = do not use cryptobinding (default)
+# * 1 = use cryptobinding if server supports it
# * 2 = require cryptobinding
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
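Review bot: The documented default for `crypto_binding` moves from 1 to 0, so a PEAPv0 network block that omits the option no longer uses cryptobinding even when the server offers it, and the comment gives no reason or guidance. Cryptobinding ties the inner authentication to the TLS tunnel, so readers whose server supports it should be pointed to the stricter setting. I would add a line such as `# Set crypto_binding=2 when the authentication server is known to support it.` below the list, and state why the default changed if that is known. The matching code change is not in this hunk (presumably in eap_peap.c, which the commit also modifies).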
@@ -475,6 +478,17 @@
priority=2
}
+# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
+network={
+ ssid="example"
+ proto=WPA
+ key_mgmt=WPA-PSK
+ pairwise=TKIP
+ group=TKIP
+ psk="not so secure passphrase"
+ wpa_ptk_rekey=600
+}
+
# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
# or WEP40 as the group cipher will not be accepted.
network={
Modified: wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpa_supplicant_i.h Sun Dec 7 13:49:04 2008
@@ -334,6 +334,10 @@
struct wpa_client_mlme mlme;
int use_client_mlme;
int driver_4way_handshake;
+
+ int pending_mic_error_report;
+ int pending_mic_error_pairwise;
+ int mic_errors_seen; /* Michael MIC errors with the current PTK */
};
Modified: wpasupplicant/trunk/wpa_supplicant/wpas_glue.c
URL: http://svn.debian.org/wsvn/pkg-wpa/wpasupplicant/trunk/wpa_supplicant/wpas_glue.c?rev=1291&op=diff
==============================================================================
--- wpasupplicant/trunk/wpa_supplicant/wpas_glue.c (original)
+++ wpasupplicant/trunk/wpa_supplicant/wpas_glue.c Sun Dec 7 13:49:04 2008
@@ -427,11 +427,16 @@
}
-static int wpa_supplicant_set_key(void *wpa_s, wpa_alg alg,
+static int wpa_supplicant_set_key(void *_wpa_s, wpa_alg alg,
const u8 *addr, int key_idx, int set_tx,
const u8 *seq, size_t seq_len,
const u8 *key, size_t key_len)
{
+ struct wpa_supplicant *wpa_s = _wpa_s;
+ if (alg == WPA_ALG_TKIP && key_idx == 0 && key_len == 32) {
+ /* Clear the MIC error counter when setting a new PTK. */
+ wpa_s->mic_errors_seen = 0;
+ }
return wpa_drv_set_key(wpa_s, alg, addr, key_idx, set_tx, seq, seq_len,
key, key_len);
}
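Review bot: In `wpa_supplicant_set_key` the `mic_errors_seen` counter is cleared before `wpa_drv_set_key()` has run, so if the driver call fails the count is lost although the previous PTK may still be installed. Resetting only after a successful return keeps the counter tied to the key actually in use; this assumes `wpa_drv_set_key()` returns 0 on success, which the hunk does not show. The `key_idx == 0 && key_len == 32` test is also an indirect way to recognise a pairwise TKIP key, and a short comment saying what the 32 bytes cover would help the next reader.

```c
	struct wpa_supplicant *wpa_s = _wpa_s;
	int ret;

	ret = wpa_drv_set_key(wpa_s, alg, addr, key_idx, set_tx, seq, seq_len,
			      key, key_len);
	if (ret == 0 && alg == WPA_ALG_TKIP && key_idx == 0 && key_len == 32) {
		/* Clear the MIC error counter once the new PTK is installed. */
		wpa_s->mic_errors_seen = 0;
	}
	return ret;
```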
@@ -626,6 +631,7 @@
#endif /* IEEE8021X_EAPOL */
conf.ssid = ssid->ssid;
conf.ssid_len = ssid->ssid_len;
+ conf.wpa_ptk_rekey = ssid->wpa_ptk_rekey;
}
wpa_sm_set_config(wpa_s->wpa, ssid ? &conf : NULL);
}