Chris Zimmermann [Wed, 12 Mar 2008 09:43:55 +0000 (11:43 +0200)]
Support for RADIUS ACLs with drivers that do not use hostapd MLME
Sam Leffler <sam@errno.com>:
Attached are changes from Chris Zimmermann (cc'd) to allow drivers to handle
RADIUS ACLs. The patch is against 0.5.10 but I suspect will also apply to
your latest code. These mods enable RADIUS ACL support in FreeBSD with my
VAP code.
You may want to do the changes to ieee802_11_auth.c differently as they
currently require all participating drivers to work the same. You might be
able to check the return value from hostapd_set_radius_acl_auth and use
that to decide whether the alternate code should be run so you can have 1
driver using this stuff while the other does not.
(jm: Added without a more dynamic check for now; in addition, none of the
current in-tree driver wrappers actually implement these handlers, so this
is in preparation for future changes)
Chris Zimmermann [Wed, 12 Mar 2008 09:39:56 +0000 (11:39 +0200)]
hostapd_allowed_address() is called from hostapd_config_reload_sta() with
session_timeout and acct_interim_interval set to NULL. Without checking
these before accessing them, we'd cause a NULL pointer access in this case.
ieee802_11.c calls hostapd_allowed_address() with valid pointers.
Jouni Malinen [Wed, 12 Mar 2008 09:20:20 +0000 (11:20 +0200)]
FT: Use correct BSSID when deriving PTK and verifying MIC
The old version was using struct wpa_sm::bssid which is not necessarily
updated to point to the correct target address when doing over-the-air FT
since the address is used before the association has actually been
completed.
Jouni Malinen [Wed, 12 Mar 2008 09:18:57 +0000 (11:18 +0200)]
Delete PTK SA on (re)association if this is not part of a Fast BSS
Transition. This fixes a potential issue where an incorrectly behaving AP
could send a group key update using the old (now invalid after reassociate)
PTK. This could also happen if there is a race condition between reporting
received EAPOL frames and association events.
Ryan Hill [Wed, 12 Mar 2008 07:39:25 +0000 (09:39 +0200)]
The attached patch fixes a few build errors when compiling with GCC 4.3,
caused by a few missing header includes. It was done against 0.5.8, but
still applies to 0.5.10.
Jouni Malinen [Sun, 9 Mar 2008 10:04:10 +0000 (12:04 +0200)]
TNC: Fixed TNC when using EAP-TTLS with non-EAP Phase 2
Need to process the EAP AVP after the non-EAP Phase 2 method. In addition,
EAP-TTLS/MSCHAPv2 needs special code for handling the start of TNC after the
extra roundtrip of the MSCHAPv2 success message.
Jouni Malinen [Sun, 9 Mar 2008 09:22:17 +0000 (11:22 +0200)]
TNC: Integrated TNC support into EAP-FAST server
Tunneled EAP sequence is now used to perform both the authentication (e.g.,
using EAP-GTC) and TNC validation (EAP-TNC) inside the EAP-FAST tunnel if
TNC has been enabled.
Jouni Malinen [Sun, 9 Mar 2008 08:37:18 +0000 (10:37 +0200)]
TNC: Added preliminary TNC implementation for hostapd
This adds EAP-TNC method and TNCS (IF-IMV and IF-TNCCS) functionality.
There is no integration with EAP-TTLS and EAP-FAST at this point, so this
version is not yet suitable for real use (i.e., EAP-TNC can only be tested
outside a tunnel which is not an allowed configuration for deployment).
However, the basic TNCS functionality is more or less complete and this
version seems to interoperate with wpa_supplicant.
Dan Williams [Wed, 5 Mar 2008 16:30:01 +0000 (18:30 +0200)]
Fix qt3 wpa_gui build
When adding a WpaMsg item to the QValueList WpaMsgList, there's no
constructor that the QValueList can call. This is a port of the fix from the
stable branch, where it builds fine.
Jouni Malinen [Thu, 28 Feb 2008 01:59:34 +0000 (17:59 -0800)]
EAP-FAST: Cleaned up TLV processing and added support for EAP Sequences
A number of TLVs were processed in groups; these cases are now separated
into more flexible processing of one TLV at a time. A wpabuf_concat()
function was added to make it easier to concatenate TLVs. EAP Sequences are
now supported in both server and peer code, but the server side is not
enabled by default.
Jouni Malinen [Thu, 28 Feb 2008 01:55:40 +0000 (17:55 -0800)]
EAP-FAST: Add peer identity into EAP-FAST PAC-Opaque
This allows the Phase 2 Identity Request to be skipped if the identity is
already known from the PAC-Opaque received in the TLS handshake, in order to
save one roundtrip from normal authentication.
Jouni Malinen [Thu, 28 Feb 2008 01:54:06 +0000 (17:54 -0800)]
Added max_listen_interval configuration option
This allows associations to be denied if the STA tries to use too large a
listen interval. The default value is 65535, which matches the field size
limit.
Kel Modderman [Thu, 28 Feb 2008 01:48:23 +0000 (17:48 -0800)]
Enhance manpage with use of emphasis instead of strong quote
The Debian package checker "lintian" was making noise about
wpa_supplicant.conf(5). It was caused by a line beginning with ', which is
apparently not liked by man(1).
I suggest the use of <emphasis>word</emphasis> where 'word' is used at the
moment.
Jouni Malinen [Thu, 28 Feb 2008 01:47:23 +0000 (17:47 -0800)]
Silence SIOCSIWAUTH ioctl failure message.
These are expected in most cases and there is no need to confuse users
with the messages in stderr (perror was used here). These are now only
shown in debug output and EOPNOTSUPP errors are silently ignored.