tobi/M7350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

M7350v1_en_gpl

Browse Source
This commit is contained in:
T
2024-09-09 08:52:07 +00:00
commit f9cc65cfda
65988 changed files with 26357421 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
external/hostap/CONTRIBUTIONS
Vendored
+111
View File
@@ -0,0 +1,111 @@
Contributions to hostap.git
---------------------------
This software is distributed under a permissive open source license to
allow it to be used in any projects, whether open source or proprietary.
Contributions to the project are welcome and it is important to maintain
clear record of contributions and terms under which they are licensed.
To help with this, following procedure is used to allow acceptance and
recording of the terms.
These terms are similar to the process used in Linux kernel development.
The items (a) through (d) are identical to the Developer's Certificate
of Origin 1.1. To enable cleaner licensing option to be provided in the
future, an additional item (e) is included.
Until February 11, 2012, in case of most files in hostap.git, "under the
open source license indicated in the file" means that the contribution
is licensed both under GPL v2 and modified BSD license (see below) and
the choice between these licenses is given to anyone who redistributes
or uses the software. As such, the contribution has to be licensed under
both options to allow this choice.
As of February 11, 2012, the project has chosen to use only the BSD
license option for future distribution. As such, the GPL v2 license
option is no longer used and the contributions are not required to be
licensed until GPL v2. In case of most files in hostap.git, "under the
open source license indicated in the file" means that the contribution
is licensed under the modified BSD license (see below).
The additional item (e) is used to collect explicit approval to license
the contribution with only the modified BSD license (see below), i.e.,
without the GPL v2 option. This was done to allow simpler licensing
terms to be used in the future. It should be noted that the modified BSD
license is compatible with GNU GPL and as such, this possible move to
simpler licensing option does not prevent use of this software in
GPL projects.
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Additionally, I certify that:
(e) The contribution can be licensed under the modified BSD license
as shown below even in case of files that are currently licensed
under other terms.
To indicate your acceptance of these terms, please add the following
line to each contribution you make to the project:
Signed-hostap: Your Name <your@email.example.org>
using your real name. Pseudonyms or anonymous contributions cannot
unfortunately be accepted.
Modified BSD license (no advertisement clause):
Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name(s) of the above-listed copyright holder(s) nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
external/hostap/COPYING
Vendored
+22
View File
@@ -0,0 +1,22 @@
wpa_supplicant and hostapd
--------------------------
Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
See the README file for the current license terms.
This software was previously distributed under BSD/GPL v2 dual license
terms that allowed either of those license alternatives to be
selected. As of February 11, 2012, the project has chosen to use only
the BSD license option for future distribution. As such, the GPL v2
license option is no longer used. It should be noted that the BSD
license option (the one with advertisement clause removed) is compatible
with GPL and as such, does not prevent use of this software in projects
that use GPL.
Some of the files may still include pointers to GPL version 2 license
terms. However, such copyright and license notifications are maintained
only for attribution purposes and any distribution of this software
after February 11, 2012 is no longer under the GPL v2 option.
external/hostap/README
Vendored
+73
View File
@@ -0,0 +1,73 @@
wpa_supplicant and hostapd
--------------------------
Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
These programs are licensed under the BSD license (the one with
advertisement clause removed).
If you are submitting changes to the project, please see CONTRIBUTIONS
file for more instructions.
This package may include either wpa_supplicant, hostapd, or both. See
README file respective subdirectories (wpa_supplicant/README or
hostapd/README) for more details.
Source code files were moved around in v0.6.x releases and compared to
earlier releases, the programs are now built by first going to a
subdirectory (wpa_supplicant or hostapd) and creating build
configuration (.config) and running 'make' there (for Linux/BSD/cygwin
builds).
License
-------
This software may be distributed, used, and modified under the terms of
BSD license:
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name(s) of the above-listed copyright holder(s) nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
=============================================================
NOTICES
=============================================================
This software contains wpa_supplicant and hostapd code (the "wpa_supplicant
and hostapd Code"), which is available through https://w1.fi/ in its
original form. This distribution, which includes wpa_supplicant and
hostapd Code, is sublicensed to you under the below BSD license. The
wpa_supplicant and hostapd Code was obtained under a dual the BSD/GPL
license, and is distributed under a BSD license. If you wish to use or
obtain the wpa_supplicant and hostapd Code for your own projects under the
GPL license, you are free to do so with code you obtain directly from the
https://w1.fi/ website. As indicated by this NOTICES statement, this
instance of wpa_supplicant and hostapd is subject to the BSD license under
which you received it.
external/hostap/build_release
Vendored Executable
+47
View File
@@ -0,0 +1,47 @@
#!/bin/sh
set -e
if [ -z "$1" ]; then
echo "build_release <version>"
exit 1
fi
TMP=tmp.build_release
RELDIR=`pwd`/Release
VER=$1
NOW=`date +%Y-%m-%d`
echo "Version: $VER - $NOW"
DATEw=`head -n 3 wpa_supplicant/ChangeLog | tail -n 1 | sed "s/ .*//"`
DATEh=`head -n 3 hostapd/ChangeLog | tail -n 1 | sed "s/ .*//"`
if [ "$DATEw" != "$NOW" -o "$DATEh" != "$NOW" ]; then
echo "NOTE! Date mismatch in ChangeLog: wpa_supplicant $DATEw hostapd $DATEh != $NOW"
fi
if [ -r $TMP ]; then
echo "Temporary directory '$TMP' exists. Remove it before running this."
exit 1
fi
mkdir $TMP
mkdir -p $RELDIR
git archive --format=tar --prefix=wpa-$VER/ HEAD \
README COPYING patches src wpa_supplicant hostapd |
gzip > $RELDIR/wpa-$VER.tar.gz
git archive --format=tar --prefix=hostapd-$VER/ HEAD \
README COPYING patches src hostapd |
gzip > $RELDIR/hostapd-$VER.tar.gz
git archive --format=tar --prefix=wpa_supplicant-$VER/ HEAD \
README COPYING patches src wpa_supplicant |
tar --directory=$TMP -xf -
cd $TMP
make -C wpa_supplicant-$VER/wpa_supplicant/doc/docbook man
rm -f wpa_supplicant-$VER/wpa_supplicant/doc/docbook/manpage.{links,refs}
tar czf $RELDIR/wpa_supplicant-$VER.tar.gz wpa_supplicant-$VER
cd ..
rm -r $TMP
external/hostap/doc/Makefile
Vendored
+39
View File
@@ -0,0 +1,39 @@
all: docs
%.eps: %.fig
fig2dev -L eps $*.fig $*.eps
%.png: %.fig
fig2dev -L png -m 3 $*.fig | pngtopnm | pnmscale 0.4 | pnmtopng \
> $*.png
%.png: %.dot
dot $*.dot -Tpng -o $*.png
%.eps: %.dot
dot $*.dot -Tps -o $*.eps
_wpa_supplicant.png: wpa_supplicant.png
cp $< $@
docs-pics: wpa_supplicant.png wpa_supplicant.eps hostapd.png hostapd.eps p2p_sm.png p2p_sm.eps p2p_arch.png p2p_arch.eps p2p_arch2.png p2p_arch2.eps
docs: docs-pics
(cd ..; doxygen doc/doxygen.conf; cd doc)
$(MAKE) -C latex
cp latex/refman.pdf wpa_supplicant-devel.pdf
html: docs-pics _wpa_supplicant.png
(cd ..; doxygen doc/doxygen.conf; cd doc)
clean:
rm -f *~
rm -f wpa_supplicant.eps wpa_supplicant.png
rm -f _wpa_supplicant.png
rm -f hostapd.eps hostapd.png
rm -f p2p_sm.eps p2p_sm.png
rm -f p2p_arch.eps p2p_arch.png
rm -f p2p_arch2.eps p2p_arch2.png
rm -f doxygen.warnings
rm -rf html latex
rm -f wpa_supplicant-devel.pdf
external/hostap/doc/code_structure.doxygen
Vendored
+322
View File
@@ -0,0 +1,322 @@
/**
\page code_structure Structure of the source code
[ \ref _wpa_supplicant_core "wpa_supplicant core functionality" |
\ref generic_helper_func "Generic helper functions" |
\ref crypto_func "Cryptographic functions" |
\ref tls_func "TLS library" |
\ref configuration "Configuration" |
\ref ctrl_iface "Control interface" |
\ref wpa_code "WPA supplicant" |
\ref eap_peer "EAP peer" |
\ref eapol_supp "EAPOL supplicant" |
\ref win_port "Windows port" |
\ref test_programs "Test programs" ]
%wpa_supplicant implementation is divided into number of independent
modules. Core code includes functionality for controlling the network
selection, association, and configuration. Independent modules include
WPA code (key handshake, PMKSA caching, pre-authentication), EAPOL
state machine, and EAP state machine and methods. In addition, there
are number of separate files for generic helper functions.
Both WPA and EAPOL/EAP state machines can be used separately in other
programs than %wpa_supplicant. As an example, the included test
programs eapol_test and preauth_test are using these modules.
\ref driver_wrapper "Driver interface API" is defined in driver.h and
all hardware/driver dependent functionality is implemented in
driver_*.c.
\section _wpa_supplicant_core wpa_supplicant core functionality
wpa_supplicant.c
Program initialization, main control loop
main.c
main() for UNIX-like operating systems and MinGW (Windows); this
uses command line arguments to configure wpa_supplicant
events.c
Driver event processing; wpa_supplicant_event() and related functions
wpa_supplicant_i.h
Internal definitions for %wpa_supplicant core; should not be
included into independent modules
\section generic_helper_func Generic helper functions
%wpa_supplicant uses generic helper functions some of which are shared
with with hostapd. The following C files are currently used:
eloop.c and eloop.h
Event loop (select() loop with registerable timeouts, socket read
callbacks, and signal callbacks)
common.c and common.h
Common helper functions
defs.h
Definitions shared by multiple files
l2_packet.h, l2_packet_linux.c, and l2_packet_pcap.c
Layer 2 (link) access wrapper (includes native Linux implementation
and wrappers for libdnet/libpcap). A new l2_packet implementation
may need to be added when porting to new operating systems that are
not supported by libdnet/libpcap. Makefile can be used to select which
l2_packet implementation is included. l2_packet_linux.c uses Linux
packet sockets and l2_packet_pcap.c has a more portable version using
libpcap and libdnet.
pcsc_funcs.c and pcsc_funcs.h
Wrapper for PC/SC lite SIM and smart card readers
priv_netlink.h
Private version of netlink definitions from Linux kernel header files;
this could be replaced with C library header file once suitable
version becomes commonly available
version.h
Version number definitions
wireless_copy.h
Private version of Linux wireless extensions definitions from kernel
header files; this could be replaced with C library header file once
suitable version becomes commonly available
\section crypto_func Cryptographic functions
md5.c and md5.h
MD5 (replaced with a crypto library if TLS support is included)
HMAC-MD5 (keyed checksum for message authenticity validation)
rc4.c and rc4.h
RC4 (broadcast/default key encryption)
sha1.c and sha1.h
SHA-1 (replaced with a crypto library if TLS support is included)
HMAC-SHA-1 (keyed checksum for message authenticity validation)
PRF-SHA-1 (pseudorandom (key/nonce generation) function)
PBKDF2-SHA-1 (ASCII passphrase to shared secret)
T-PRF (for EAP-FAST)
TLS-PRF (RFC 2246)
sha256.c and sha256.h
SHA-256 (replaced with a crypto library if TLS support is included)
aes_wrap.c, aes_wrap.h, aes.c
AES (replaced with a crypto library if TLS support is included),
AES Key Wrap Algorithm with 128-bit KEK, RFC3394 (broadcast/default
key encryption),
One-Key CBC MAC (OMAC1) hash with AES-128,
AES-128 CTR mode encryption,
AES-128 EAX mode encryption/decryption,
AES-128 CBC
crypto.h
Definition of crypto library wrapper
crypto_openssl.c
Wrapper functions for libcrypto (OpenSSL)
crypto_internal.c
Wrapper functions for internal crypto implementation
crypto_gnutls.c
Wrapper functions for libgcrypt (used by GnuTLS)
ms_funcs.c and ms_funcs.h
Helper functions for MSCHAPV2 and LEAP
tls.h
Definition of TLS library wrapper
tls_none.c
Dummy implementation of TLS library wrapper for cases where TLS
functionality is not included.
tls_openssl.c
TLS library wrapper for openssl
tls_internal.c
TLS library for internal TLS implementation
tls_gnutls.c
TLS library wrapper for GnuTLS
\section tls_func TLS library
asn1.c and asn1.h
ASN.1 DER parsing
bignum.c and bignum.h
Big number math
rsa.c and rsa.h
RSA
x509v3.c and x509v3.h
X.509v3 certificate parsing and processing
tlsv1_client.c, tlsv1_client.h
TLSv1 client (RFC 2246)
tlsv1_client_i.h
Internal structures for TLSv1 client
tlsv1_client_read.c
TLSv1 client: read handshake messages
tlsv1_client_write.c
TLSv1 client: write handshake messages
tlsv1_common.c and tlsv1_common.h
Common TLSv1 routines and definitions
tlsv1_cred.c and tlsv1_cred.h
TLSv1 credentials
tlsv1_record.c and tlsv1_record.h
TLSv1 record protocol
\section configuration Configuration
config_ssid.h
Definition of per network configuration items
config.h
Definition of the %wpa_supplicant configuration
config.c
Configuration parser and common functions
config_file.c
Configuration backend for text files (e.g., wpa_supplicant.conf)
config_winreg.c
Configuration backend for Windows registry
\section ctrl_iface Control interface
%wpa_supplicant has a \ref ctrl_iface_page "control interface"
that can be used to get status
information and manage operations from external programs. An example
command line interface (wpa_cli) and GUI (wpa_gui) for this interface
are included in the %wpa_supplicant distribution.
ctrl_iface.c and ctrl_iface.h
%wpa_supplicant-side of the control interface
ctrl_iface_unix.c
UNIX domain sockets -based control interface backend
ctrl_iface_udp.c
UDP sockets -based control interface backend
ctrl_iface_named_pipe.c
Windows named pipes -based control interface backend
wpa_ctrl.c and wpa_ctrl.h
Library functions for external programs to provide access to the
%wpa_supplicant control interface
wpa_cli.c
Example program for using %wpa_supplicant control interface
\section wpa_code WPA supplicant
wpa.c and wpa.h
WPA state machine and 4-Way/Group Key Handshake processing
preauth.c and preauth.h
PMKSA caching and pre-authentication (RSN/WPA2)
wpa_i.h
Internal definitions for WPA code; not to be included to other modules.
\section eap_peer EAP peer
\ref eap_peer_module "EAP peer implementation" is a separate module that
can be used by other programs than just %wpa_supplicant.
eap.c and eap.h
EAP state machine and method interface
eap_defs.h
Common EAP definitions
eap_i.h
Internal definitions for EAP state machine and EAP methods; not to be
included in other modules
eap_sim_common.c and eap_sim_common.h
Common code for EAP-SIM and EAP-AKA
eap_tls_common.c and eap_tls_common.h
Common code for EAP-PEAP, EAP-TTLS, and EAP-FAST
eap_tlv.c and eap_tlv.h
EAP-TLV code for EAP-PEAP and EAP-FAST
eap_ttls.c and eap_ttls.h
EAP-TTLS
eap_pax.c, eap_pax_common.h, eap_pax_common.c
EAP-PAX
eap_psk.c, eap_psk_common.h, eap_psk_common.c
EAP-PSK (note: this is not needed for WPA-PSK)
eap_sake.c, eap_sake_common.h, eap_sake_common.c
EAP-SAKE
eap_gpsk.c, eap_gpsk_common.h, eap_gpsk_common.c
EAP-GPSK
eap_aka.c, eap_fast.c, eap_gtc.c, eap_leap.c, eap_md5.c, eap_mschapv2.c,
eap_otp.c, eap_peap.c, eap_sim.c, eap_tls.c
Other EAP method implementations
\section eapol_supp EAPOL supplicant
eapol_supp_sm.c and eapol_supp_sm.h
EAPOL supplicant state machine and IEEE 802.1X processing
\section win_port Windows port
ndis_events.c
Code for receiving NdisMIndicateStatus() events and delivering them to
%wpa_supplicant driver_ndis.c in more easier to use form
win_if_list.c
External program for listing current network interface
\section test_programs Test programs
radius_client.c and radius_client.h
RADIUS authentication client implementation for eapol_test
radius.c and radius.h
RADIUS message processing for eapol_test
eapol_test.c
Standalone EAP testing tool with integrated RADIUS authentication
client
preauth_test.c
Standalone RSN pre-authentication tool
wpa_passphrase.c
WPA ASCII passphrase to PSK conversion
*/
external/hostap/doc/ctrl_iface.doxygen
Vendored
+1054
View File
File diff suppressed because it is too large Load Diff
external/hostap/doc/dbus.doxygen
Vendored
+756
View File
@@ -0,0 +1,756 @@
/**
\page dbus %wpa_supplicant D-Bus API
This section documents the %wpa_supplicant D-Bus API. Every D-Bus
interface implemented by %wpa_supplicant is described here including
their methods, signals, and properties with arguments, returned
values, and possible errors.
Interfaces:
- \ref dbus_main
- \ref dbus_interface
- \ref dbus_wps
- \ref dbus_bss
- \ref dbus_network
\section dbus_main fi.w1.wpa_supplicant1
Interface implemented by the main %wpa_supplicant D-Bus object
registered in the bus with fi.w1.wpa_supplicant1 name.
\subsection dbus_main_methods Methods
<ul>
<li>
<h3>CreateInterface ( a{sv} : args ) --> o : interface</h3>
<p>Registers a wireless interface in %wpa_supplicant.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : args</dt>
<dd>
A dictionary with arguments used to add the interface to %wpa_supplicant. The dictionary may contain the following entries:
<table>
<tr><th>Key</th><th>Value type</th><th>Description</th><th>Required</th>
<tr><td>Ifname</td><td>s</td><td>Name of the network interface to control, e.g., wlan0</td><td>Yes</td>
<tr><td>Bridge_ifname</td><td>s</td><td>Name of the bridge interface to control, e.g., br0</td><td>No</td>
<tr><td>Driver</td><td>s</td><td>Driver name which the interface uses, e.g., nl80211</td><td>No</td>
</table>
</dd>
</dl>
<h4>Returns</h4>
<dl>
<dt>o : interface</dt>
<dd>A D-Bus path to object representing created interface</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.InterfaceExists</dt>
<dd>%wpa_supplicant already controls this interface.</dd>
<dt>fi.w1.wpa_supplicant1.UnknownError</dt>
<dd>Creating interface failed for an unknown reason.</dd>
<dt>fi.w1.wpa_supplicant1.InvalidArgs</dt>
<dd>Invalid entries were found in the passed argument.</dd>
</dl>
</li>
<li>
<h3>RemoveInterface ( o : interface ) --> nothing</h3>
<p>Deregisters a wireless interface from %wpa_supplicant.</p>
<h4>Arguments</h4>
<dl>
<dt>o : interface</dt>
<dd>A D-Bus path to an object representing an interface to remove returned by CreateInterface</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.InterfaceUnknown</dt>
<dd>Object pointed by the path doesn't exist or doesn't represent an interface.</dd>
<dt>fi.w1.wpa_supplicant1.UnknownError</dt>
<dd>Removing interface failed for an unknown reason.</dd>
</dl>
</li>
<li>
<h3>GetInterface ( s : ifname ) --> o : interface</h3>
<p>Returns a D-Bus path to an object related to an interface which %wpa_supplicant already controls.</p>
<h4>Arguments</h4>
<dl>
<dt>s : ifname</dt>
<dd>Name of the network interface, e.g., wlan0</dd>
</dl>
<h4>Returns</h4>
<dl>
<dt>o : interface</dt>
<dd>A D-Bus path to an object representing an interface</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.InterfaceUnknown</dt>
<dd>An interface with the passed name in not controlled by %wpa_supplicant.</dd>
<dt>fi.w1.wpa_supplicant1.UnknownError</dt>
<dd>Getting an interface object path failed for an unknown reason.</dd>
</dl>
</li>
</ul>
\subsection dbus_main_properties Properties
<ul>
<li>
<h3>DebugLevel - s - (read/write)</h3>
<p>Global %wpa_supplicant debugging level. Possible values are
"msgdump" (verbose debugging), "debug" (debugging),
"info" (informative), "warning" (warnings), and "error" (errors).</p>
</li>
<li>
<h3>DebugTimestamp - b - (read/write)</h3>
<p>Global %wpa_supplicant debugging parameter. Determines if timestamps are shown in debug logs.</p>
</li>
<li>
<h3>DebugShowKeys - b - (read/write)</h3>
<p>Global %wpa_supplicant debugging parameter. Determines if secrets are shown in debug logs.</p>
</li>
<li>
<h3>Interfaces - ao - (read)</h3>
<p>An array with paths to D-Bus objects representing controlled interfaces each.</p>
</li>
<li>
<h3>EapMethods - as - (read)</h3>
<p>An array with supported EAP methods names.</p>
</li>
</ul>
\subsection dbus_main_signals Signals
<ul>
<li>
<h3>InterfaceAdded ( o : interface, a{sv} : properties )</h3>
<p>A new interface was added to %wpa_supplicant.</p>
<h4>Arguments</h4>
<dl>
<dt>o : interface</dt>
<dd>A D-Bus path to an object representing the added interface</dd>
</dl>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary containing properties of added interface.</dd>
</dl>
</li>
<li>
<h3>InterfaceRemoved ( o : interface )</h3>
<p>An interface was removed from %wpa_supplicant.</p>
<h4>Arguments</h4>
<dl>
<dt>o : interface</dt>
<dd>A D-Bus path to an object representing the removed interface</dd>
</dl>
</li>
<li>
<h3>PropertiesChanged ( a{sv} : properties )</h3>
<p>Some properties have changed.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary with pairs of properties names which have changed and theirs new values. Possible dictionary keys are: "DebugParams"</dd>
</dl>
</li>
</ul>
\section dbus_interface fi.w1.wpa_supplicant1.Interface
Interface implemented by objects related to network interface added to
%wpa_supplicant, i.e., returned by
fi.w1.wpa_supplicant1.CreateInterface.
\subsection dbus_interface_methods Methods
<ul>
<li>
<h3>Scan ( a{sv} : args ) --> nothing</h3>
<p>Triggers a scan.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : args</dt>
<dd>
A dictionary with arguments describing scan type:
<table>
<tr><th>Key</th><th>Value type</th><th>Description</th><th>Required</th>
<tr><td>Type</td><td>s</td><td>Type of the scan. Possible values: "active", "passive"</td><td>Yes</td>
<tr><td>SSIDs</td><td>aay</td><td>Array of SSIDs to scan for (applies only if scan type is active)</td><td>No</td>
<tr><td>IEs</td><td>aay</td><td>Information elements to used in active scan (applies only if scan type is active)</td><td>No</td>
<tr><td>Channels</td><td>a(uu)</td><td>Array of frequencies to scan in form of (center, width) in MHz.</td><td>No</td>
</table>
</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.InvalidArgs</dt>
<dd>Invalid entries were found in the passed argument.</dd>
</dl>
</li>
<li>
<h3>Disconnect ( ) --> nothing</h3>
<p>Disassociates the interface from current network.</p>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.NotConnected</dt>
<dd>Interface is not connected to any network.</dd>
</dl>
</li>
<li>
<h3>AddNetwork ( a{sv} : args ) --> o : network</h3>
<p>Adds a new network to the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : args</dt>
<dd>A dictionary with network configuration. Dictionary entries are equivalent to entries in the "network" block in %wpa_supplicant configuration file. Entry values should be appropriate type to the entry, e.g., an entry with key "frequency" should have value type int.</dd>
</dl>
<h4>Returns</h4>
<dl>
<dt>o : network</dt>
<dd>A D-Bus path to an object representing a configured network</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.InvalidArgs</dt>
<dd>Invalid entries were found in the passed argument.</dd>
<dt>fi.w1.wpa_supplicant1.UnknownError</dt>
<dd>Adding network failed for an unknown reason.</dd>
</dl>
</li>
<li>
<h3>RemoveNetwork ( o : network ) --> nothing</h3>
<p>Removes a configured network from the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>o : network</dt>
<dd>A D-Bus path to an object representing a configured network returned by fi.w1.wpa_supplicant1.Interface.AddNetwork</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.NetworkUnknown</dt>
<dd>A passed path doesn't point to any network object.</dd>
<dt>fi.w1.wpa_supplicant1.InvalidArgs</dt>
<dd>A passed path doesn't point to any network object.</dd>
<dt>fi.w1.wpa_supplicant1.UnknownError</dt>
<dd>Removing network failed for an unknown reason.</dd>
</dl>
</li>
<li>
<h3>SelectNetwork ( o : network ) --> nothing</h3>
<p>Attempt association with a configured network.</p>
<h4>Arguments</h4>
<dl>
<dt>o : network</dt>
<dd>A D-Bus path to an object representing a configured network returned by fi.w1.wpa_supplicant1.Interface.AddNetwork</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.NetworkUnknown</dt>
<dd>A passed path doesn't point to any network object.</dd>
<dt>fi.w1.wpa_supplicant1.InvalidArgs</dt>
<dd>A passed path doesn't point to any network object.</dd>
</dl>
</li>
<li>
<h3>AddBlob ( s : name, ay : data ) --> nothing</h3>
<p>Adds a blob to the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>s : name</dt>
<dd>A name of a blob</dd>
<dt>ay : data</dt>
<dd>A blob data</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.BlobExists</dt>
<dd>A blob with the specified name already exists.</dd>
</dl>
</li>
<li>
<h3>RemoveBlob ( s : name ) --> nothing</h3>
<p>Removes the blob from the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>s : name</dt>
<dd>A name of the blob to remove</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.BlobUnknown</dt>
<dd>A blob with the specified name doesn't exist.</dd>
</dl>
</li>
<li>
<h3>GetBlob ( s : name ) --> ay : data</h3>
<p>Returns the blob data of a previously added blob.</p>
<h4>Arguments</h4>
<dl>
<dt>s : name</dt>
<dd>A name of the blob</dd>
</dl>
<h4>Returns</h4>
<dl>
<dt>ay : data</dt>
<dd>A blob data</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.BlobUnknown</dt>
<dd>A blob with the specified name doesn't exist.</dd>
</dl>
</li>
<li>
<h3>AutoScan ( s : arg ) --> nothing</h3>
<p>Set autoscan parameters for the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>s : arg</dt>
<dd>Autoscan parameter line or empty to unset autoscan.</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.NoMemory</dt>
<dd>Needed memory was not possible to get allocated.</dd>
<dt>fi.w1.wpa_supplicant1.InvalidArgs</dt>
<dd>Invalid entries were found in the passed argument.</dd>
</dl>
</li>
</ul>
\subsection dbus_interface_properties Properties
<ul>
<li>
<h3>Capabilities - a{sv} - (read)</h3>
<p>Capabilities of the interface. Dictionary contains following entries:</p>
<table>
<tr><th>Key</th><th>Value type</th><th>Description</th>
<tr><td>Pairwise</td><td>as</td><td>Possible array elements: "ccmp", "tkip", "none"</td>
<tr><td>Group</td><td>as</td><td>Possible array elements: "ccmp", "tkip", "wep104", "wep40"</td>
<tr><td>KeyMgmt</td><td>as</td><td>Possible array elements: "wpa-psk", "wpa-ft-psk", "wpa-psk-sha256", "wpa-eap", "wpa-ft-eap", "wpa-eap-sha256", "ieee8021x", "wpa-none", "wps", "none"</td>
<tr><td>Protocol</td><td>as</td><td>Possible array elements: "rsn", "wpa"</td>
<tr><td>AuthAlg</td><td>as</td><td>Possible array elements: "open", "shared", "leap"</td>
<tr><td>Scan</td><td>as</td><td>Possible array elements: "active", "passive", "ssid"</td>
<tr><td>Modes</td><td>as</td><td>Possible array elements: "infrastructure", "ad-hoc", "ap"</td>
</table>
</li>
<li>
<h3>State - s - (read)</h3>
<p>A state of the interface. Possible values are: return "disconnected", "inactive", "scanning", "authenticating", "associating", "associated", "4way_handshake", "group_handshake", "completed","unknown".</p>
</li>
<li>
<h3>Scanning - b - (read)</h3>
<p>Determines if the interface is already scanning or not</p>
</li>
<li>
<h3>ApScan - u - (read/write)</h3>
<p>Identical to ap_scan entry in %wpa_supplicant configuration file. Possible values are 0, 1 or 2.</p>
</li>
<li>
<h3>BSSExpireAge - u - (read/write)</h3>
<p>Identical to bss_expiration_age entry in %wpa_supplicant configuration file.</p>
</li>
<li>
<h3>BSSExpireCount - u - (read/write)</h3>
<p>Identical to bss_expiration_scan_count entry in %wpa_supplicant configuration file.</p>
</li>
<li>
<h3>Country - s - (read/write)</h3>
<p>Identical to country entry in %wpa_supplicant configuration file.</p>
</li>
<li>
<h3>Ifname - s - (read)</h3>
<p>Name of network interface controlled by the interface, e.g., wlan0.</p>
</li>
<li>
<h3>BridgeIfname - s - (read)</h3>
<p>Name of bridge network interface controlled by the interface, e.g., br0.</p>
</li>
<li>
<h3>Driver - s - (read)</h3>
<p>Name of driver used by the interface, e.g., nl80211.</p>
</li>
<li>
<h3>CurrentBSS - o - (read)</h3>
<p>Path to D-Bus object representing BSS which %wpa_supplicant is associated with, or "/" if is not associated at all.</p>
</li>
<li>
<h3>CurrentNetwork - o - (read)</h3>
<p>Path to D-Bus object representing configured network which %wpa_supplicant uses at the moment, or "/" if doesn't use any.</p>
</li>
<li>
<h3>Blobs - as - (read)</h3>
<p>List of blobs names added to the Interface.</p>
</li>
<li>
<h3>BSSs - ao - (read)</h3>
<p>List of D-Bus objects paths representing BSSs known to the interface, i.e., scan results.</p>
</li>
<li>
<h3>Networks - ao - (read)</h3>
<p>List of D-Bus objects paths representing configured networks.</p>
</li>
<li>
<h3>FastReauth - b - (read/write)</h3>
<p>Identical to fast_reauth entry in %wpa_supplicant configuration file.</p>
</li>
<li>
<h3>ScanInterval - i - (read/write)</h3>
<p>Time (in seconds) between scans for a suitable AP. Must be >= 0.</p>
</li>
</ul>
\subsection dbus_interface_signals Signals
<ul>
<li>
<h3>ScanDone ( b : success )</h3>
<p>Scanning finished. </p>
<h4>Arguments</h4>
<dl>
<dt>s : success</dt>
<dd>Determines if scanning was successful. If so, results are available.</dd>
</dl>
</li>
<li>
<h3>BSSAdded ( o : BSS, a{sv} : properties )</h3>
<p>Interface became aware of a new BSS.</p>
<h4>Arguments</h4>
<dl>
<dt>o : BSS</dt>
<dd>A D-Bus path to an object representing the new BSS.</dd>
</dl>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary containing properties of added BSS.</dd>
</dl>
</li>
<li>
<h3>BSSRemoved ( o : BSS )</h3>
<p>BSS disappeared.</p>
<h4>Arguments</h4>
<dl>
<dt>o : BSS</dt>
<dd>A D-Bus path to an object representing the BSS.</dd>
</dl>
</li>
<li>
<h3>BlobAdded ( s : blobName )</h3>
<p>A new blob has been added to the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>s : blobName</dt>
<dd>A name of the added blob.</dd>
</dl>
</li>
<li>
<h3>BlobRemoved ( s : blobName )</h3>
<p>A blob has been removed from the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>s : blobName</dt>
<dd>A name of the removed blob.</dd>
</dl>
</li>
<li>
<h3>NetworkAdded ( o : network, a{sv} : properties )</h3>
<p>A new network has been added to the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>o : network</dt>
<dd>A D-Bus path to an object representing the added network.</dd>
</dl>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary containing properties of added network.</dd>
</dl>
</li>
<li>
<h3>NetworkRemoved ( o : network )</h3>
<p>The network has been removed from the interface.</p>
<h4>Arguments</h4>
<dl>
<dt>o : network</dt>
<dd>A D-Bus path to an object representing the removed network.</dd>
</dl>
</li>
<li>
<h3>NetworkSelected ( o : network )</h3>
<p>The network has been selected.</p>
<h4>Arguments</h4>
<dl>
<dt>o : network</dt>
<dd>A D-Bus path to an object representing the selected network.</dd>
</dl>
</li>
<li>
<h3>PropertiesChanged ( a{sv} : properties )</h3>
<p>Some properties have changed.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary with pairs of properties names which have changed and theirs new values. Possible dictionary keys are: "ApScan", "Scanning", "State", "CurrentBSS", "CurrentNetwork"</dd>
</dl>
</li>
</ul>
\section dbus_wps fi.w1.wpa_supplicant1.Interface.WPS
Interface implemented by objects related to network interface added to
%wpa_supplicant, i.e., returned by fi.w1.wpa_supplicant1.CreateInterface.
\subsection dbus_wps_methods Methods
<ul>
<li>
<h3>Start ( a{sv} : args ) --> a{sv} : output</h3>
<p>Starts WPS configuration.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : args</dt>
<dd>
A dictionary with arguments used to start WPS configuration. The dictionary may contain the following entries:
<table>
<tr><th>Key</th><th>Value type</th><th>Description</th><th>Required</th>
<tr><td>Role</td><td>s</td><td>The device's role. Possible values are "enrollee" and "registrar".</td><td>Yes</td>
<tr><td>Type</td><td>s</td><td>WPS authentication type. Applies only for enrollee role. Possible values are "pin" and "pbc".</td><td>Yes, for enrollee role; otherwise no</td>
<tr><td>Pin</td><td>s</td><td>WPS Pin.</td><td>Yes, for registrar role; otherwise optional</td>
<tr><td>Bssid</td><td>ay</td><td></td><td>No</td>
</table>
</dd>
</dl>
<h4>Returns</h4>
<dl>
<dt>a{sv} : output</dt>
<dd>
<table>
<tr><th>Key</th><th>Value type</th><th>Description</th><th>Required</th>
<tr><td>Pin</td><td>s</td><td>Newly generated PIN, if not specified for enrollee role and pin authentication type.</td><td>No</td>
</table>
</dd>
</dl>
<h4>Possible errors</h4>
<dl>
<dt>fi.w1.wpa_supplicant1.UnknownError</dt>
<dd>Starting WPS configuration failed for an unknown reason.</dd>
<dt>fi.w1.wpa_supplicant1.InvalidArgs</dt>
<dd>Invalid entries were found in the passed argument.</dd>
</dl>
</li>
</ul>
\subsection dbus_wps_properties Properties
<ul>
<li>
<h3>ProcessCredentials - b - (read/write)</h3>
<p>Determines if the interface will process the credentials (credentials_processed configuration file parameter).</p>
</li>
</ul>
\subsection dbus_wps_signals Signals
<ul>
<li>
<h3>Event ( s : name, a{sv} : args )</h3>
<p>WPS event occurred.</p>
<h4>Arguments</h4>
<dl>
<dt>s : event</dt>
<dd>Event type. Possible values are: "success, "fail" and "m2d"</dd>
<dt>a{sv} : args</dt>
<dd>
Event arguments. Empty for success event, one entry ( "msg" : i ) for fail event and following entries for m2d event:
<table>
<tr><th>config_methods</th><th>Value type</th>
<tr><td>manufacturer</td><td>q</td>
<tr><td>model_name</td><td>ay</td>
<tr><td>model_number</td><td>ay</td>
<tr><td>serial_number</td><td>ay</td>
<tr><td>dev_name</td><td>ay</td>
<tr><td>primary_dev_type</td><td>ay</td>
<tr><td>config_error</td><td>q</td>
<tr><td>dev_password_id</td><td>q</td>
</table>
</dd>
</dl>
</li>
<li>
<h3>Credentials ( a{sv} : credentials )</h3>
<p>WPS credentials. Dictionary contains:</p>
<table>
<tr><th>Key</th><th>Value type</th><th>Description</th>
<tr><td>BSSID</td><td>ay</td><td></td>
<tr><td>SSID</td><td>s</td><td></td>
<tr><td>AuthType</td><td>as</td><td>Possible array elements: "open", "shared", "wpa-psk", "wpa-eap", "wpa2-eap", "wpa2-psk"</td>
<tr><td>EncrType</td><td>as</td><td>Possible array elements: "none", "wep", "tkip", "aes"</td>
<tr><td>Key</td><td>ay</td><td>Key data</td>
<tr><td>KeyIndex</td><td>u</td><td>Key index</td>
</table>
</li>
<li>
<h3>PropertiesChanged ( a{sv} : properties )</h3>
<p>Some properties have changed.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary with pairs of properties names which have changed and theirs new values. Possible dictionary keys are: "ProcessCredentials"</dd>
</dl>
</li>
</ul>
\section dbus_bss fi.w1.wpa_supplicant1.BSS
Interface implemented by objects representing a scanned BSSs, i.e.,
scan results.
\subsection dbus_bss_properties Properties
<ul>
<li>
<h3>BSSID - ay - (read)</h3>
<p>BSSID of the BSS.</p>
</li>
<li>
<h3>SSID - ay - (read)</h3>
<p>SSID of the BSS.</p>
</li>
<li>
<h3>WPA - a{sv} - (read)</h3>
<p>WPA information of the BSS. Empty dictionary indicates no WPA support. Dictionary entries are:</p>
<table>
<tr><td>KeyMgmt</td><td>as</td><td>Key management suite. Possible array elements: "wpa-psk", "wpa-eap", "wpa-none"</td>
<tr><td>Pairwise</td><td>as</td><td>Pairwise cipher suites. Possible array elements: "ccmp", "tkip"</td>
<tr><td>Group</td><td>s</td><td>Group cipher suite. Possible values are: "ccmp", "tkip", "wep104", "wep40"</td>
</table>
</li>
<li>
<h3>RSN - a{sv} - (read)</h3>
<p>RSN information of the BSS. Empty dictionary indicates no RSN support. Dictionary entries are:</p>
<table>
<tr><td>KeyMgmt</td><td>as</td><td>Key management suite. Possible array elements: "wpa-psk", "wpa-eap", "wpa-ft-psk", "wpa-ft-eap", "wpa-psk-sha256", "wpa-eap-sha256",</td>
<tr><td>Pairwise</td><td>as</td><td>Pairwise cipher suites. Possible array elements: "ccmp", "tkip"</td>
<tr><td>Group</td><td>s</td><td>Group cipher suite. Possible values are: "ccmp", "tkip", "wep104", "wep40"</td>
<tr><td>MgmtGroup</td><td>s</td><td>Mangement frames cipher suite. Possible values are: "aes128cmac"</td>
</table>
</li>
<li>
<h3>IEs - ay - (read)</h3>
<p>All IEs of the BSS as a chain of TLVs</p>
</li>
<li>
<h3>Privacy - b - (read)</h3>
<p>Indicates if BSS supports privacy.</p>
</li>
<li>
<h3>Mode - s - (read)</h3>
<p>Describes mode of the BSS. Possible values are: "ad-hoc" and "infrastructure".</p>
</li>
<li>
<h3>Frequency - q - (read)</h3>
<p>Frequency of the BSS in MHz.</p>
</li>
<li>
<h3>Rates - au - (read)</h3>
<p>Descending ordered array of rates supported by the BSS in bits per second.</p>
</li>
<li>
<h3>Signal - n - (read)</h3>
<p>Signal strength of the BSS.</p>
</li>
</ul>
\subsection dbus_bss_signals Signals
<ul>
<li>
<h3>PropertiesChanged ( a{sv} : properties )</h3>
<p>Some properties have changed.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary with pairs of properties names which have changed and theirs new values.</dd>
</dl>
</li>
</ul>
\section dbus_network fi.w1.wpa_supplicant1.Network
Interface implemented by objects representing configured networks,
i.e., returned by fi.w1.wpa_supplicant1.Interface.AddNetwork.
\subsection dbus_network_properties Properties
<ul>
<li>
<h3>Enabled - b - (read/write)</h3>
<p>Determines if the configured network is enabled or not.</p>
</li>
<li>
<h3>Properties - a{sv} - (read)</h3>
<p>Properties of the configured network. Dictionary contains entries from "network" block of %wpa_supplicant configuration file. All values are string type, e.g., frequency is "2437", not 2437.
</li>
</ul>
\subsection dbus_network_signals Signals
<ul>
<li>
<h3>PropertiesChanged ( a{sv} : properties )</h3>
<p>Some properties have changed.</p>
<h4>Arguments</h4>
<dl>
<dt>a{sv} : properties</dt>
<dd>A dictionary with pairs of properties names which have changed and theirs new values. Possible dictionary keys are: "Enabled"</dd>
</dl>
</li>
</ul>
*/
external/hostap/doc/directories.doxygen
Vendored
+90
View File
@@ -0,0 +1,90 @@
/**
\dir hostapd hostapd
hostapd-specific code for configuration, control interface, and AP
management.
\dir src/common Common functionality
This module includes IEEE 802.11, IEEE 802.1X, and WPA related
functionality that is shared between AP and station modes.
\dir src/crypto Cryptographical functionality and wrappers
This module defines crypto and tls interfaces to provide portability
layer for different crypto/TLS libraries. Wrappers for number of
libraries are also included here. In addition, internal implementation
of various crypto functions are provided as an alternative for an
external library and to extend some algorithms.
\dir src/drivers Driver wrappers
This directory includes the driver interface definition and all the
driver wrappers that can be used to interact with different drivers
without making rest of the software dependent on which particular
driver is used.
\dir src/eap_common Common EAP functionality for server and peer
\dir src/eap_peer EAP peer
\dir src/eap_server EAP server
\dir src/eapol_auth EAPOL authenticator
\dir src/eapol_supp EAPOL supplicant
\dir src/l2_packet Layer 2 packet interface
This module defines an interface for layer 2 (link layer) packet
sendinf and receiving. All the wrappers for supported mechanisms are
also included here. This is used to port packet access for new
operating systems without having to make rest of the source code
depend on which OS network stack is used.
\dir src/radius RADIUS
RADIUS module includes RADIUS message building and parsing
functionality and separate RADIUS client and server functions.
\dir src/rsn_supp IEEE 802.11 RSN and WPA supplicant
\dir src/tls Internal TLS server and client implementation
This module can be used as an alternative to using an external TLS
library.
\dir src/utils Utility functions
Independent set of helper functions that most other components
use. This includes portability wrappers and helpers for common tasks.
\dir src/wps Wi-Fi Protected Setup
This directory includes Wi-Fi Protected Setup functions for Registrar
(both internal in an AP and an External Registrar and
Enrollee. Minimal UPnP and HTTP functionality is also provided for the
functionality needed to implement Wi-Fi Protected Setup.
\dir wpa_supplicant %wpa_supplicant
%wpa_supplicant-specific code for configuration, control interface, and
client management.
*/
external/hostap/doc/doxygen.conf
Vendored
+1535
View File
File diff suppressed because it is too large Load Diff
external/hostap/doc/driver_wrapper.doxygen
Vendored
+180
View File
@@ -0,0 +1,180 @@
/**
\page driver_wrapper Driver wrapper implementation (driver.h, drivers.c)
All hardware and driver dependent functionality is in separate C files
that implement defined wrapper functions. Other parts
of the %wpa_supplicant are designed to be hardware, driver, and operating
system independent.
Driver wrappers need to implement whatever calls are used in the
target operating system/driver for controlling wireless LAN
devices. As an example, in case of Linux, these are mostly some glue
code and ioctl() calls and netlink message parsing for Linux Wireless
Extensions (WE). Since features required for WPA were added only recently to
Linux Wireless Extensions (in version 18), some driver specific code is used
in number of driver interface implementations. These driver dependent parts
can be replaced with generic code in driver_wext.c once the target driver
includes full support for WE-18. After that, all Linux drivers, at
least in theory, could use the same driver wrapper code.
A driver wrapper needs to implement some or all of the functions
defined in driver.h. These functions are registered by filling struct
wpa_driver_ops with function pointers. Hardware independent parts of
%wpa_supplicant will call these functions to control the driver/wlan
card. In addition, support for driver events is required. The event
callback function, wpa_supplicant_event(), and its parameters are
documented in driver.h. In addition, a pointer to the 'struct
wpa_driver_ops' needs to be registered in drivers.c file.
When porting to other operating systems, the driver wrapper should be
modified to use the native interface of the target OS. It is possible
that some extra requirements for the interface between the driver
wrapper and generic %wpa_supplicant code are discovered during porting
to a new operating system. These will be addressed on case by case
basis by modifying the interface and updating the other driver
wrappers for this. The goal is to avoid changing this interface
without very good reasons in order to limit the number of changes
needed to other wrappers and hardware independent parts of
%wpa_supplicant. When changes are required, recommended way is to
make them in backwards compatible way that allows existing driver
interface implementations to be compiled without any modification.
Generic Linux Wireless Extensions functions are implemented in
driver_wext.c. All Linux driver wrappers can use these when the kernel
driver supports the generic ioctl()s and wireless events. Driver
specific functions are implemented in separate C files, e.g.,
driver_hostap.c. These files need to define struct wpa_driver_ops
entry that will be used in wpa_supplicant.c when calling driver
functions. struct wpa_driver_ops entries are registered in drivers.c.
In general, it is likely to be useful to first take a look at couple
of driver interface examples before starting on implementing a new
one. driver_hostap.c and driver_wext.c include a complete
implementation for Linux drivers that use %wpa_supplicant-based control
of WPA IE and roaming. driver_ndis.c (with help from driver_ndis_.c)
is an example of a complete interface for Windows NDIS interface for
drivers that generate WPA IE themselves and decide when to roam. These
example implementations include full support for all security modes.
\section driver_req Driver requirements for WPA
WPA introduces new requirements for the device driver. At least some
of these need to be implemented in order to provide enough support for
%wpa_supplicant.
\subsection driver_tkip_ccmp TKIP/CCMP
WPA requires that the pairwise cipher suite (encryption algorithm for
unicast data packets) is TKIP or CCMP. These are new encryption
protocols and thus, the driver will need to be modified to support
them. Depending on the used wlan hardware, some parts of these may be
implemented by the hardware/firmware.
Specification for both TKIP and CCMP is available from IEEE (IEEE
802.11i amendment). Fully functional, hardware independent
implementation of both encryption protocols is also available in Host
AP driver (driver/modules/hostap_{tkip,ccmp}.c). In addition, Linux 2.6
kernel tree has generic implementations for WEP, TKIP, and CCMP that can
be used in Linux drivers.
The driver will also need to provide configuration mechanism to allow
user space programs to configure TKIP and CCMP. Linux Wireless Extensions
v18 added support for configuring these algorithms and
individual/non-default keys. If the target kernel does not include WE-18,
private ioctls can be used to provide similar functionality.
\subsection driver_roaming Roaming control and scanning support
%wpa_supplicant can optionally control AP selection based on the
information received from Beacon and/or Probe Response frames
(ap_scan=1 mode in configuration). This means that the driver should
support external control for scan process. In case of Linux, use of
new Wireless Extensions scan support (i.e., 'iwlist wlan0 scan') is
recommended. The current driver wrapper (driver_wext.c) uses this for
scan results.
Scan results must also include the WPA information element. Support for
this was added in WE-18. With older versions, a custom event can be used
to provide the full WPA IE (including element id and length) as a hex
string that is included in the scan results.
%wpa_supplicant needs to also be able to request the driver to
associate with a specific BSS. Current Host AP driver and matching
driver_hostap.c wrapper uses following sequence for this
request. Similar/identical mechanism should be usable also with other
drivers.
- set WPA IE for AssocReq with private ioctl
- set SSID with SIOCSIWESSID
- set channel/frequency with SIOCSIWFREQ
- set BSSID with SIOCSIWAP
(this last ioctl will trigger the driver to request association)
\subsection driver_wpa_ie WPA IE generation
%wpa_supplicant selects which cipher suites and key management suites
are used. Based on this information, it generates a WPA IE. This is
provided to the driver interface in the associate call. This does not
match with Windows NDIS drivers which generate the WPA IE
themselves.
%wpa_supplicant allows Windows NDIS-like behavior by providing the
selected cipher and key management suites in the associate call. If
the driver generates its own WPA IE and that differs from the one
generated by %wpa_supplicant, the driver has to inform %wpa_supplicant
about the used WPA IE (i.e., the one it used in (Re)Associate
Request). This notification is done using EVENT_ASSOCINFO event (see
driver.h). %wpa_supplicant is normally configured to use
ap_scan=2 mode with drivers that control WPA IE generation and roaming.
\subsection driver_events Driver events
%wpa_supplicant needs to receive event callbacks when certain events
occur (association, disassociation, Michael MIC failure, scan results
available, PMKSA caching candidate). These events and the callback
details are defined in driver.h (wpa_supplicant_event() function
and enum wpa_event_type).
On Linux, association and disassociation can use existing Wireless
Extensions event that is reporting new AP with SIOCGIWAP
event. Similarly, completion of a scan can be reported with SIOCGIWSCAN
event.
Michael MIC failure event was added in WE-18. Older versions of Wireless
Extensions will need to use a custom event. Host AP driver used a custom
event with following contents: MLME-MICHAELMICFAILURE.indication(keyid=#
broadcast/unicast addr=addr2). This is the recommended format until
the driver can be moved to use WE-18 mechanism.
\subsection driver_wext_summary Summary of Linux Wireless Extensions use
AP selection depends on ap_scan configuration:
ap_scan=1:
- %wpa_supplicant requests scan with SIOCSIWSCAN
- driver reports scan complete with wireless event SIOCGIWSCAN
- %wpa_supplicant reads scan results with SIOCGIWSCAN (multiple call if
a larget buffer is needed)
- %wpa_supplicant decides which AP to use based on scan results
- %wpa_supplicant configures driver to associate with the selected BSS
(SIOCSIWMODE, SIOCSIWGENIE, SIOCSIWAUTH, SIOCSIWFREQ,
SIOCSIWESSID, SIOCSIWAP)
ap_scan=2:
- %wpa_supplicant configures driver to associate with an SSID
(SIOCSIWMODE, SIOCSIWGENIE, SIOCSIWAUTH, SIOCSIWESSID)
After this, both modes use similar steps:
- optionally (or required for drivers that generate WPA/RSN IE for
(Re)AssocReq), driver reports association parameters (AssocReq IEs)
with wireless event IWEVASSOCREQIE (and optionally IWEVASSOCRESPIE)
- driver reports association with wireless event SIOCGIWAP
- %wpa_supplicant takes care of EAPOL frame handling (validating
information from associnfo and if needed, from scan results if WPA/RSN
IE from the Beacon frame is not reported through associnfo)
*/
external/hostap/doc/eap.doxygen
Vendored
+87
View File
@@ -0,0 +1,87 @@
/**
\page eap_peer_module EAP peer implementation
Extensible Authentication Protocol (EAP) is an authentication framework
defined in RFC 3748. %wpa_supplicant uses a separate code module for EAP
peer implementation. This module was designed to use only a minimal set
of direct function calls (mainly, to debug/event functions) in order for
it to be usable in other programs. The design of the EAP
implementation is based loosely on RFC 4137. The state machine is
defined in this RFC and so is the interface between the peer state
machine and methods. As such, this RFC provides useful information for
understanding the EAP peer implementation in %wpa_supplicant.
Some of the terminology used in EAP state machine is referring to
EAPOL (IEEE 802.1X), but there is no strict requirement on the lower
layer being IEEE 802.1X if EAP module is built for other programs than
%wpa_supplicant. These terms should be understood to refer to the
lower layer as defined in RFC 4137.
\section adding_eap_methods Adding EAP methods
Each EAP method is implemented as a separate module, usually as one C
file named eap_<name of the method>.c, e.g., eap_md5.c. All EAP
methods use the same interface between the peer state machine and
method specific functions. This allows new EAP methods to be added
without modifying the core EAP state machine implementation.
New EAP methods need to be registered by adding them into the build
(Makefile) and the EAP method registration list in the
eap_peer_register_methods() function of eap_methods.c. Each EAP
method should use a build-time configuration option, e.g., EAP_TLS, in
order to make it possible to select which of the methods are included
in the build.
EAP methods must implement the interface defined in eap_i.h. struct
eap_method defines the needed function pointers that each EAP method
must provide. In addition, the EAP type and name are registered using
this structure. This interface is based on section 4.4 of RFC 4137.
It is recommended that the EAP methods would use generic helper
functions, eap_msg_alloc() and eap_hdr_validate() when processing
messages. This allows code sharing and can avoid missing some of the
needed validation steps for received packets. In addition, these
functions make it easier to change between expanded and legacy EAP
header, if needed.
When adding an EAP method that uses a vendor specific EAP type
(Expanded Type as defined in RFC 3748, Chapter 5.7), the new method
must be registered by passing vendor id instead of EAP_VENDOR_IETF to
eap_peer_method_alloc(). These methods must not try to emulate
expanded types by registering a legacy EAP method for type 254. See
eap_vendor_test.c for an example of an EAP method implementation that
is implemented as an expanded type.
\section used_eap_library Using EAP implementation as a library
The Git repository has an eap_example directory that contains an
example showing how EAP peer and server code from %wpa_supplicant and
hostapd can be used as a library. The example program initializes both
an EAP server and an EAP peer entities and then runs through an
EAP-PEAP/MSCHAPv2 authentication.
eap_example_peer.c shows the initialization and glue code needed to
control the EAP peer implementation. eap_example_server.c does the
same for EAP server. eap_example.c is an example that ties in both the
EAP server and client parts to allow an EAP authentication to be
shown.
In this example, the EAP messages are passed between the server and
the peer are passed by direct function calls within the same process.
In practice, server and peer functionalities would likely reside in
separate devices and the EAP messages would be transmitted between the
devices based on an external protocol. For example, in IEEE 802.11
uses IEEE 802.1X EAPOL state machines to control the transmission of
EAP messages and WiMax supports optional PMK EAP authentication
mechanism that transmits EAP messages as defined in IEEE 802.16e.
The EAP library links in number of helper functions from src/utils and
src/crypto directories. Most of these are suitable as-is, but it may
be desirable to replace the debug output code in src/utils/wpa_debug.c
by dropping this file from the library and re-implementing the
functions there in a way that better fits in with the main
application.
*/
external/hostap/doc/eap_server.doxygen
Vendored
+56
View File
@@ -0,0 +1,56 @@
/**
\page eap_server_module EAP server implementation
Extensible Authentication Protocol (EAP) is an authentication framework
defined in RFC 3748. hostapd uses a separate code module for EAP server
implementation. This module was designed to use only a minimal set of
direct function calls (mainly, to debug/event functions) in order for
it to be usable in other programs. The design of the EAP
implementation is based loosely on RFC 4137. The state machine is
defined in this RFC and so is the interface between the server state
machine and methods. As such, this RFC provides useful information for
understanding the EAP server implementation in hostapd.
Some of the terminology used in EAP state machine is referring to
EAPOL (IEEE 802.1X), but there is no strict requirement on the lower
layer being IEEE 802.1X if EAP module is built for other programs than
%wpa_supplicant. These terms should be understood to refer to the
lower layer as defined in RFC 4137.
\section adding_eap_methods Adding EAP methods
Each EAP method is implemented as a separate module, usually as one C
file named eap_<name of the method>.c, e.g., eap_md5.c. All EAP
methods use the same interface between the server state machine and
method specific functions. This allows new EAP methods to be added
without modifying the core EAP state machine implementation.
New EAP methods need to be registered by adding them into the build
(Makefile) and the EAP method registration list in the
eap_server_register_methods() function of eap_methods.c. Each EAP
method should use a build-time configuration option, e.g., EAP_TLS, in
order to make it possible to select which of the methods are included
in the build.
EAP methods must implement the interface defined in eap_i.h. struct
eap_method defines the needed function pointers that each EAP method
must provide. In addition, the EAP type and name are registered using
this structure. This interface is based on section 4.4 of RFC 4137.
It is recommended that the EAP methods would use generic helper
functions, eap_msg_alloc() and eap_hdr_validate() when processing
messages. This allows code sharing and can avoid missing some of the
needed validation steps for received packets. In addition, these
functions make it easier to change between expanded and legacy EAP
header, if needed.
When adding an EAP method that uses a vendor specific EAP type
(Expanded Type as defined in RFC 3748, Chapter 5.7), the new method
must be registered by passing vendor id instead of EAP_VENDOR_IETF to
eap_server_method_alloc(). These methods must not try to emulate
expanded types by registering a legacy EAP method for type 254. See
eap_vendor_test.c for an example of an EAP method implementation that
is implemented as an expanded type.
*/
external/hostap/doc/hostapd.fig
Vendored
+264
View File
@@ -0,0 +1,264 @@
#FIG 3.2
Landscape
Center
Inches
Letter
100.00
Single
-2
1200 2
6 1875 4050 2925 4350
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1875 4050 2925 4050 2925 4350 1875 4350 1875 4050
4 0 0 50 -1 0 12 0.0000 4 180 735 2025 4275 l2_packet\001
-6
6 4725 1200 5925 1500
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4725 1200 5925 1200 5925 1500 4725 1500 4725 1200
4 0 0 50 -1 0 12 0.0000 4 135 1005 4800 1425 GUI frontend\001
-6
6 6000 2700 7200 3225
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6000 2700 7200 2700 7200 3225 6000 3225 6000 2700
4 0 0 50 -1 0 12 0.0000 4 135 975 6075 2925 WPA/WPA2\001
4 0 0 50 -1 0 12 0.0000 4 135 1065 6075 3150 state machine\001
-6
6 6000 4950 7200 5475
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6000 4950 7200 4950 7200 5475 6000 5475 6000 4950
4 0 0 50 -1 0 12 0.0000 4 135 360 6075 5175 EAP\001
4 0 0 50 -1 0 12 0.0000 4 135 1065 6075 5400 state machine\001
-6
6 4350 3900 5025 4425
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4350 3900 5025 3900 5025 4425 4350 4425 4350 3900
4 0 0 50 -1 0 12 0.0000 4 105 420 4500 4125 event\001
4 0 0 50 -1 0 12 0.0000 4 180 315 4500 4350 loop\001
-6
6 4275 2550 5100 2850
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4275 2550 5100 2550 5100 2850 4275 2850 4275 2550
4 0 0 50 -1 0 12 0.0000 4 135 450 4425 2775 ctrl i/f\001
-6
6 6000 3900 7200 4425
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6000 3900 7200 3900 7200 4425 6000 4425 6000 3900
4 0 0 50 -1 0 12 0.0000 4 135 600 6075 4125 EAPOL\001
4 0 0 50 -1 0 12 0.0000 4 135 1065 6075 4350 state machine\001
-6
6 2775 3150 4050 3450
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
2775 3150 4050 3150 4050 3450 2775 3450 2775 3150
4 0 0 50 -1 0 12 0.0000 4 180 990 2925 3375 configuration\001
-6
6 3450 1200 4575 1500
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
3450 1200 4575 1200 4575 1500 3450 1500 3450 1200
4 0 0 50 -1 0 12 0.0000 4 180 870 3600 1425 hostapd_cli\001
-6
6 3525 7800 5775 8100
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
3525 7800 5775 7800 5775 8100 3525 8100 3525 7800
4 0 0 50 -1 0 12 0.0000 4 135 2145 3600 8025 kernel network device driver\001
-6
6 4275 6000 5100 6300
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4275 6000 5100 6000 5100 6300 4275 6300 4275 6000
4 0 0 50 -1 0 12 0.0000 4 135 630 4350 6225 driver i/f\001
-6
6 8175 4725 9225 5025
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 4725 9225 4725 9225 5025 8175 5025 8175 4725
4 0 0 50 -1 0 12 0.0000 4 135 735 8250 4950 EAP-TLS\001
-6
6 9300 4725 10350 5025
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 4725 10350 4725 10350 5025 9300 5025 9300 4725
4 0 0 50 -1 0 12 0.0000 4 135 810 9375 4950 EAP-MD5\001
-6
6 8175 5100 9225 5400
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 5100 9225 5100 9225 5400 8175 5400 8175 5100
4 0 0 50 -1 0 12 0.0000 4 135 885 8250 5325 EAP-PEAP\001
-6
6 9300 5100 10350 5400
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 5100 10350 5100 10350 5400 9300 5400 9300 5100
4 0 0 50 -1 0 12 0.0000 4 135 840 9375 5325 EAP-TTLS\001
-6
6 8175 5475 9225 5775
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 5475 9225 5475 9225 5775 8175 5775 8175 5475
4 0 0 50 -1 0 12 0.0000 4 135 780 8250 5700 EAP-GTC\001
-6
6 8175 5850 9225 6150
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 5850 9225 5850 9225 6150 8175 6150 8175 5850
4 0 0 50 -1 0 12 0.0000 4 135 750 8250 6075 EAP-SIM\001
-6
6 8175 6225 9225 6525
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 6225 9225 6225 9225 6525 8175 6525 8175 6225
4 0 0 50 -1 0 12 0.0000 4 135 765 8250 6450 EAP-PSK\001
-6
6 9300 5850 10350 6150
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 5850 10350 5850 10350 6150 9300 6150 9300 5850
4 0 0 50 -1 0 12 0.0000 4 135 825 9375 6075 EAP-AKA\001
-6
6 9300 5475 10350 5775
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 5475 10350 5475 10350 5775 9300 5775 9300 5475
4 0 0 50 -1 0 12 0.0000 4 135 795 9375 5700 EAP-PAX\001
-6
6 8175 6600 9675 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 6600 9675 6600 9675 6900 8175 6900 8175 6600
4 0 0 50 -1 0 12 0.0000 4 135 1365 8250 6825 EAP-MSCHAPv2\001
-6
6 8700 3450 9375 3750
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8700 3450 9375 3450 9375 3750 8700 3750 8700 3450
4 0 0 50 -1 0 12 0.0000 4 150 480 8775 3675 crypto\001
-6
6 9600 3450 10275 3750
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9600 3450 10275 3450 10275 3750 9600 3750 9600 3450
4 0 0 50 -1 0 12 0.0000 4 135 315 9750 3675 TLS\001
-6
6 6000 5775 7200 6300
6 6000 5775 7200 6300
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6000 5775 7200 5775 7200 6300 6000 6300 6000 5775
4 0 0 50 -1 0 12 0.0000 4 135 690 6075 6000 RADIUS\001
-6
4 0 0 50 -1 0 12 0.0000 4 90 480 6075 6225 server\001
-6
6 8100 2250 8925 2775
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8100 2250 8925 2250 8925 2775 8100 2775 8100 2250
4 0 0 50 -1 0 12 0.0000 4 135 690 8175 2475 RADIUS\001
4 0 0 50 -1 0 12 0.0000 4 135 420 8175 2700 client\001
-6
6 3150 5475 4425 5775
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
3150 5475 4425 5475 4425 5775 3150 5775 3150 5475
4 0 0 50 -1 0 12 0.0000 4 135 990 3300 5700 driver events\001
-6
6 1950 5550 2625 6075
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1950 5550 2625 5550 2625 6075 1950 6075 1950 5550
4 0 0 50 -1 0 12 0.0000 4 135 540 2025 5775 Station\001
4 0 0 50 -1 0 12 0.0000 4 135 375 2025 6000 table\001
-6
6 1875 4725 2925 5250
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1875 4725 2925 4725 2925 5250 1875 5250 1875 4725
4 0 0 50 -1 0 12 0.0000 4 135 960 1950 4950 IEEE 802.11\001
4 0 0 50 -1 0 12 0.0000 4 135 555 1950 5175 MLME\001
-6
2 1 1 1 0 7 50 -1 -1 3.000 0 0 -1 0 0 2
1275 4200 1875 4200
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
4500 2550 3900 1500
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
4800 2550 5400 1500
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
2925 4200 4350 4200
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
5025 3900 6000 3000
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
5025 4200 6000 4200
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4650 6000 4650 4425
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
6600 4425 6600 4950
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
6600 3225 6600 3900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
7200 5250 8100 5250
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
9075 4425 9075 3750
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
7200 3000 8700 3525
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4650 3900 4650 2850
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
7200 4125 8700 3675
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
6000 4350 5025 6000
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
6000 3150 4875 6000
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1500 2100 10800 2100 10800 7500 1500 7500 1500 2100
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
9900 4425 9900 3750
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 1
4350 3900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4350 3900 4050 3450
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4350 4425 4050 5475
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
2250 7200 4200 7800
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
7200 7200 5100 7800
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
2775 6900 3675 6900 3675 7200 2775 7200 2775 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
3750 6900 4650 6900 4650 7200 3750 7200 3750 6900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 4
2250 6900 2250 6600 7200 6600 7200 6900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
3225 6900 3225 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4200 6900 4200 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
5175 6900 5175 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
6150 6900 6150 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4650 6600 4650 6300
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1800 6900 2700 6900 2700 7200 1800 7200 1800 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4725 6900 5625 6900 5625 7200 4725 7200 4725 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
5700 6900 6600 6900 6600 7200 5700 7200 5700 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6675 6900 7800 6900 7800 7200 6675 7200 6675 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8100 6975 10425 6975 10425 4425 8100 4425 8100 6975
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
6600 5475 6600 5775
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
5025 4425 6000 5775
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 3
4800 3900 5925 2550 8100 2550
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
7200 3900 8475 2775
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9450 2250 10425 2250 10425 2775 9450 2775 9450 2250
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
8925 2475 9450 2475
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
2325 5550 2325 5250
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
2925 4950 4350 4275
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 3
2850 4725 5775 2400 8100 2400
4 0 0 50 -1 0 12 0.0000 4 135 915 375 3975 EAPOL and\001
4 0 0 50 -1 0 12 0.0000 4 180 630 375 4200 pre-auth\001
4 0 0 50 -1 0 12 0.0000 4 180 810 375 4425 ethertypes\001
4 0 0 50 -1 0 12 0.0000 4 135 1050 375 4650 from/to kernel\001
4 0 0 50 -1 0 12 0.0000 4 135 1920 3675 1875 frontend control interface\001
4 0 0 50 -1 2 14 0.0000 4 195 720 1637 2371 hostapd\001
4 0 0 50 -1 0 12 0.0000 4 180 600 3825 7125 prism54\001
4 0 0 50 -1 0 12 0.0000 4 180 510 1875 7125 hostap\001
4 0 0 50 -1 0 12 0.0000 4 135 600 2850 7125 madwifi\001
4 0 0 50 -1 0 12 0.0000 4 135 270 4800 7125 bsd\001
4 0 0 50 -1 0 12 0.0000 4 105 300 6750 7125 test\001
4 0 0 50 -1 0 12 0.0000 4 135 420 5775 7125 wired\001
4 0 0 50 -1 0 12 0.0000 4 135 1050 8700 4650 EAP methods\001
4 0 0 50 -1 0 12 0.0000 4 135 690 9525 2475 RADIUS\001
4 0 0 50 -1 0 12 0.0000 4 180 825 9525 2700 accounting\001
external/hostap/doc/hostapd_ctrl_iface.doxygen
Vendored
+66
View File
@@ -0,0 +1,66 @@
/**
\page hostapd_ctrl_iface_page hostapd control interface
hostapd implements a control interface that can be used by
external programs to control the operations of the hostapd
daemon and to get status information and event notifications. There is
a small C library, in a form of a single C file, wpa_ctrl.c, that
provides helper functions to facilitate the use of the control
interface. External programs can link this file into them and then use
the library functions documented in wpa_ctrl.h to interact with
%wpa_supplicant. This library can also be used with C++. hostapd_cli.c
is an example program using this library.
There are multiple mechanisms for inter-process communication. For
example, Linux version of hostapd is using UNIX domain sockets for the
control interface. The use of the functions defined in wpa_ctrl.h can
be used to hide the details of the used IPC from external programs.
\section using_ctrl_iface Using the control interface
External programs, e.g., a GUI or a configuration utility, that need to
communicate with hostapd should link in wpa_ctrl.c. This
allows them to use helper functions to open connection to the control
interface with wpa_ctrl_open() and to send commands with
wpa_ctrl_request().
hostapd uses the control interface for two types of communication:
commands and unsolicited event messages. Commands are a pair of
messages, a request from the external program and a response from
hostapd. These can be executed using wpa_ctrl_request().
Unsolicited event messages are sent by hostapd to the control
interface connection without specific request from the external program
for receiving each message. However, the external program needs to
attach to the control interface with wpa_ctrl_attach() to receive these
unsolicited messages.
If the control interface connection is used both for commands and
unsolicited event messages, there is potential for receiving an
unsolicited message between the command request and response.
wpa_ctrl_request() caller will need to supply a callback, msg_cb,
for processing these messages. Often it is easier to open two
control interface connections by calling wpa_ctrl_open() twice and
then use one of the connections for commands and the other one for
unsolicited messages. This way command request/response pairs will
not be broken by unsolicited messages. wpa_cli is an example of how
to use only one connection for both purposes and wpa_gui demonstrates
how to use two separate connections.
Once the control interface connection is not needed anymore, it should
be closed by calling wpa_ctrl_close(). If the connection was used for
unsolicited event messages, it should be first detached by calling
wpa_ctrl_detach().
\section ctrl_iface_cmds Control interface commands
Following commands can be used with wpa_ctrl_request():
\subsection ctrl_iface_PING PING
This command can be used to test whether hostapd is replying
to the control interface commands. The expected reply is \c PONG if the
connection is open and hostapd is processing commands.
*/
external/hostap/doc/mainpage.doxygen
Vendored
+95
View File
@@ -0,0 +1,95 @@
/**
\mainpage Developers' documentation for wpa_supplicant and hostapd
The goal of this documentation and comments in the source code is to
give enough information for other developers to understand how
%wpa_supplicant and hostapd have been implemented, how they can be
modified, how new drivers can be supported, and how the source code
can be ported to other operating systems. If any information is
missing, feel free to contact Jouni Malinen <j@w1.fi> for more
information. Contributions as patch files are also very welcome at the
same address. Please note that this software is licensed under the
BSD license (the one with advertisement clause removed). All
contributions to %wpa_supplicant and hostapd are expected to use
compatible licensing terms.
The source code and read-only access to the combined %wpa_supplicant
and hostapd Git repository is available from the project home page at
http://w1.fi/wpa_supplicant/. This developers' documentation is also
available as a PDF file from
http://w1.fi/wpa_supplicant/wpa_supplicant-devel.pdf .
\section _wpa_supplicant wpa_supplicant
%wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with
support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE
802.1X/WPA component that is used in the client stations. It
implements key negotiation with a WPA Authenticator and it can optionally
control roaming and IEEE 802.11 authentication/association of the wlan
driver.
The design goal for %wpa_supplicant was to use hardware, driver, and
OS independent, portable C code for all WPA functionality. The source
code is divided into separate C files as shown on the \ref
code_structure "code structure page". All hardware/driver specific
functionality is in separate files that implement a \ref
driver_wrapper "well-defined driver API". Information about porting
to different target boards and operating systems is available on
the \ref porting "porting page".
EAPOL (IEEE 802.1X) state machines are implemented as a separate
module that interacts with \ref eap_peer_module "EAP peer implementation".
In addition to programs aimed at normal production use,
%wpa_supplicant source tree includes number of \ref testing_tools
"testing and development tools" that make it easier to test the
programs without having to setup a full test setup with wireless
cards. These tools can also be used to implement automatic test
suites.
%wpa_supplicant implements a
\ref ctrl_iface_page "control interface" that can be used by
external programs to control the operations of the %wpa_supplicant
daemon and to get status information and event notifications. There is
a small C library that provides helper functions to facilitate the use of the
control interface. This library can also be used with C++.
\image html _wpa_supplicant.png "wpa_supplicant modules"
\image latex _wpa_supplicant.eps "wpa_supplicant modules" width=15cm
\section _hostapd hostapd
hostapd includes IEEE 802.11 access point management (authentication /
association), IEEE 802.1X/WPA/WPA2 Authenticator, EAP server, and
RADIUS authentication server functionality. It can be build with
various configuration option, e.g., a standalone AP management
solution or a RADIUS authentication server with support for number of
EAP methods.
The design goal for hostapd was to use hardware, driver, and
OS independent, portable C code for all WPA functionality. The source
code is divided into separate C files as shown on the \ref
code_structure "code structure page". All hardware/driver specific
functionality is in separate files that implement a \ref
driver_wrapper "well-defined driver API". Information about porting
to different target boards and operating systems is available on
the \ref porting "porting page".
EAPOL (IEEE 802.1X) state machines are implemented as a separate
module that interacts with \ref eap_server_module "EAP server implementation".
Similarly, RADIUS authentication server is in its own separate module.
Both IEEE 802.1X and RADIUS authentication server can use EAP server
functionality.
hostapd implements a \ref hostapd_ctrl_iface_page "control interface"
that can be used by external programs to control the operations of the
hostapdt daemon and to get status information and event notifications.
There is a small C library that provides helper functions to facilitate
the use of the control interface. This library can also be used with
C++.
\image html hostapd.png "hostapd modules"
\image latex hostapd.eps "hostapd modules" width=15cm
*/
external/hostap/doc/p2p.doxygen
Vendored
+498
View File
@@ -0,0 +1,498 @@
/**
\page p2p Wi-Fi Direct - P2P module
Wi-Fi Direct functionality is implemented any many levels in the WLAN
stack from low-level driver operations to high-level GUI design. This
document covers the parts that can be user by %wpa_supplicant. However,
it should be noted that alternative designs are also possible, so some
of the functionality may reside in other components in the system.
The driver (or WLAN firmware/hardware) is expected to handle low-level
operations related to P2P Power Management and channel scheduling. In
addition, support for virtual network interface and data frame
processing is done inside the driver. Configuration for these
low-level operations is defined in the driver interface:
src/drivers/driver.h. This defines both the commands and events used to
interact with the driver.
P2P module implements higher layer functionality for management P2P
groups. It takes care of Device Discovery, Service Discovery, Group
Owner Negotiation, P2P Invitation. In addition, it maintains
information about neighboring P2P Devices. This module could be used
in designs that do not use %wpa_supplicant and it could also reside
inside the driver/firmware component. P2P module API is defined in
src/p2p/p2p.h.
Provisioning step of Group Formation is implemented using WPS
(src/wps/wps.h).
%wpa_supplicant includes code in interact with both the P2P module
(wpa_supplicant/p2p_supplicant.c) and WPS
(wpa_supplicant/wps_supplicant.c). The driver operations are passed
through these files, i.e., core P2P or WPS code does not interact
directly with the driver interface.
\section p2p_arch P2P architecture
P2P functionality affects many areas of the system architecture. This
section shows couple of examples on the location of main P2P
components. In the diagrams below, green arrows are used to show
communication paths from the P2P module to upper layer management
functionality and all the way to a GUI that user could use to manage
P2P connections. Blue arrows show the path taken for lower layer
operations. Glue code is used to bind the P2P module API to the rest
of the system to provide access both towards upper and lower layer
functionality.
\subsection p2p_arch_mac80211 P2P architecture with Linux/mac80211/ath9k
An architecture where the P2P module resides inside the
%wpa_supplicant process is used with Linux mac80211-based drivers,
e.g., ath9k. The following diagram shows the main components related
to P2P functionality in such an architecture.
\image html p2p_arch.png "P2P module within wpa_supplicant"
\image latex p2p_arch.eps "P2P module within wpa_supplicant" width=15cm
\subsection p2p_arch_umac P2P architecture with UMAC
The following diagram shows the main components related to P2P
functionality in an architecture where the P2P module resides inside
the kernel IEEE 802.11 stack (UMAC in the figure).
\image html p2p_arch2.png "P2P module in kernel
\image latex p2p_arch2.eps "P2P module in kernel" width=15cm
\section p2p_module P2P module
P2P module manages discovery and group formation with a single state
machine, i.e., only a single operation per device can be in progress
at any given time. The following diagram describes the P2P state
machine. For clarity, it does not include state transitions on
operation timeouts to the IDLE state. The states that are marked with
dotted ellipse are listed for clarity to describe the protocol
functionality for Device Discovery phase, but are not used in the
implementation (the SEARCH state is used to manage the initial Scan
and the alternating Listen and Search states within Find).
\image html p2p_sm.png "P2P module state machine"
\image latex p2p_sm.eps "P2P module state machine" width=15cm
\subsection p2p_module_api P2P module API
P2P module API is defined in src/p2p/p2p.h. The API consists of
functions for requesting operations and for providing event
notifications. Similar set of callback functions are configured with
struct p2p_config to provide callback functions that P2P module can
use to request operations and to provide event notifications. In
addition, there are number of generic helper functions that can be
used for P2P related operations.
These are the main functions for an upper layer management entity to
request P2P operations:
- p2p_find()
- p2p_stop_find()
- p2p_listen()
- p2p_connect()
- p2p_reject()
- p2p_prov_disc_req()
- p2p_sd_request()
- p2p_sd_cancel_request()
- p2p_sd_response()
- p2p_sd_service_update()
- p2p_invite()
These are the main callback functions for P2P module to provide event
notifications to the upper layer management entity:
- p2p_config::dev_found()
- p2p_config::go_neg_req_rx()
- p2p_config::go_neg_completed()
- p2p_config::sd_request()
- p2p_config::sd_response()
- p2p_config::prov_disc_req()
- p2p_config::prov_disc_resp()
- p2p_config::invitation_process()
- p2p_config::invitation_received()
- p2p_config::invitation_result()
The P2P module uses following functions to request lower layer driver
operations:
- p2p_config::p2p_scan()
- p2p_config::send_probe_resp()
- p2p_config::send_action()
- p2p_config::send_action_done()
- p2p_config::start_listen()
- p2p_config::stop_listen()
Events from lower layer driver operations are delivered to the P2P
module with following functions:
- p2p_probe_req_rx()
- p2p_rx_action()
- p2p_scan_res_handler()
- p2p_scan_res_handled()
- p2p_send_action_cb()
- p2p_listen_cb()
In addition to the per-device state, the P2P module maintains
per-group state for group owners. This is initialized with a call to
p2p_group_init() when a group is created and deinitialized with
p2p_group_deinit(). The upper layer GO management entity uses
following functions to interact with the P2P per-group state:
- p2p_group_notif_assoc()
- p2p_group_notif_disassoc()
- p2p_group_notif_formation_done()
- p2p_group_match_dev_type()
The P2P module will use following callback function to update P2P IE
for GO Beacon and Probe Response frames:
- p2p_group_config::ie_update()
\section p2p_driver P2P driver operations (low-level interface)
The following driver wrapper functions are needed for P2P in addition
to the standard station/AP mode operations when the P2P module resides
within %wpa_supplicant:
- wpa_driver_ops::if_add()
- wpa_driver_ops::if_remove()
- wpa_driver_ops::alloc_interface_addr()
- wpa_driver_ops::release_interface_addr()
- wpa_driver_ops::remain_on_channel()
- wpa_driver_ops::cancel_remain_on_channel()
- wpa_driver_ops::send_action()
- wpa_driver_ops::probe_req_report()
- wpa_driver_ops::disable_11b_rates()
The following driver wrapper events are needed for P2P in addition to
the standard station/AP mode events when the P2P module resides within
%wpa_supplicant:
- wpa_event_type::EVENT_RX_ACTION
- wpa_event_type::EVENT_REMAIN_ON_CHANNEL
- wpa_event_type::EVENT_CANCEL_REMAIN_ON_CHANNEL
- wpa_event_type::EVENT_RX_PROBE_REQ
The following driver wrapper functions are needed for P2P in addition
to the standard station/AP mode operations when the P2P module resides
in the driver or firmware:
- wpa_driver_ops::if_add()
- wpa_driver_ops::if_remove()
- wpa_driver_ops::alloc_interface_addr()
- wpa_driver_ops::release_interface_addr()
- wpa_driver_ops::disable_11b_rates()
- wpa_driver_ops::p2p_find()
- wpa_driver_ops::p2p_stop_find()
- wpa_driver_ops::p2p_listen()
- wpa_driver_ops::p2p_connect()
- wpa_driver_ops::p2p_reject()
- wpa_driver_ops::wps_success_cb()
- wpa_driver_ops::p2p_group_formation_failed()
- wpa_driver_ops::p2p_set_params()
The following driver wrapper events are needed for P2P in addition to
the standard station/AP mode events when the P2P module resides in the
driver or firmware:
- wpa_event_type::EVENT_P2P_DEV_FOUND
- wpa_event_type::EVENT_P2P_GO_NEG_REQ_RX
- wpa_event_type::EVENT_P2P_GO_NEG_COMPLETED
\section p2p_go_neg P2P device discovery and group formation
This section shows an example sequence of operations that can be used
to implement P2P device discovery and group formation. The function
calls are described based on the P2P module API. The exact design for
the glue code outside the P2P module depends on the architecture used
in the system.
An upper layer management entity starts P2P device discovery by
calling p2p_find(). The P2P module start the discovery by requesting a
full scan to be completed by calling p2p_config::p2p_scan(). Results
from the scan will be reported by calling p2p_scan_res_handler() and
after last result, the scan result processing is terminated with a
call to p2p_scan_res_handled(). The P2P peers that are found during
the full scan are reported with the p2p_config::dev_found() callback.
After the full scan, P2P module start alternating between Listen and
Search states until the device discovery operation times out or
terminated, e.g., with a call to p2p_stop_find().
When going into the Listen state, the P2P module requests the driver
to be configured to be awake on the listen channel with a call to
p2p_config::start_listen(). The glue code using the P2P module may
implement this, e.g., by using remain-on-channel low-level driver
functionality for off-channel operation. Once the driver is available
on the requested channel, notification of this is delivered by calling
p2p_listen_cb(). The Probe Request frames that are received during the
Listen period are delivered to the P2P module by calling
p2p_config::p2p_probe_req_rx() and P2P module request a response to
these to be sent by using p2p_config::send_probe_resp() callback
function. If a group owner negotiation from another P2P device is
received during the device discovery phase, that is indicated to the
upper layer code with the p2p_config::go_neg_req_tx() callback.
The Search state is implemented by using the normal scan interface,
i.e., the P2P module will call p2p_config::p2p_scan() just like in the
full scan phase described. Similarly, scan results from the search
operation will be delivered to the P2P module using the
p2p_scan_res_handler() and p2p_scan_res_handled() functions.
Once the upper layer management entity has found a peer with which it
wants to connect by forming a new group, it initiates group owner
negotiation by calling p2p_connect(). Before doing this, the upper
layer code is responsible for asking the user to provide the PIN to be
used during the provisioning step with the peer or the push button
press for PBC mode. The glue code will need to figure out the intended
interface address for the group before group owner negotiation can be
started.
Optional Provision Discovery mechanism can be used to request the peer
to display a PIN for the local device to enter (and vice versa). Upper
layer management entity can request the specific mechanism by calling
p2p_prov_disc_req(). The response to this will be reported with the
p2p_config::prov_disc_resp() callback. If the peer device started
Provision Discovery, an accepted request will be reported with the
p2p_config::prov_disc_req() callback. The P2P module will
automatically accept the Provision Discovery for display and keypad
methods, but it is up to the upper layer manegement entity to actually
generate the PIN and to configure it with following p2p_connect() call
to actually authorize the connection.
The P2P module will use p2p_config::send_action() callback to request
lower layer code to transmit an Action frame during group owner
negotiation. p2p_send_action_cb() is used to report the result of
transmission. If the peer is not reachable, the P2P module will try to
find it by alternating between Action frame send and Listen
states. The Listen state for this phase will be used similarly to the
Listen state during device discovery as described above.
Once the group owner negotiation has been completed, its results will
be reported with the p2p_config::go_neg_completed() callback. The
upper layer management code or the glue code using the P2P module API
is responsible for creating a new group interface and starting
provisioning step at this point by configuring WPS Registrar or
Enrollee functionality based on the reported group owner negotiation
results. The upper layer code is also responsible for timing out WPS
provisioning if it cannot be completed in 15 seconds.
Successful completion of the WPS provisioning is reported with a call
to p2p_wps_success_cb(). The P2P module will clear its group formation
state at this point and allows new group formation attempts to be
started. The upper layer management code is responsible for configuring
the GO to accept associations from devices and the client to connect to
the GO with the provisioned credentials. GO is also responsible for
calling p2p_group_notif_formation_done() as described below.
If the WPS provisioning step fails or times out, this is reported with
a call to p2p_group_formation_failed(). The P2P module will clear its
group formation state at this point and allows new group formation
attempts to be started. The upper layer management code is responsible
for removing the group interface for the failed group.
\section p2p_sd P2P service discovery
P2P protocol includes service discovery functionality that can be used
to discover which services are provided by the peers before forming a
group. This leverages the Generic Advertisement Service (GAS) protocol
from IEEE 802.11u and P2P vendor-specific contents inside the Native
GAS messages.
The P2P module takes care of GAS encapsulation, fragmentation, and
actual transmission and reception of the Action frames needed for
service discovery. The user of the P2P module is responsible for
providing P2P specific Service Request TLV(s) for queries and Service
Response TLV(s) for responses.
\subsection p2p_sd_query Quering services of peers
Service discovery is implemented by processing pending queries as a
part of the device discovery phase. p2p_sd_request() function is used
to schedule service discovery queries to a specific peer or to all
discovered peers. p2p_sd_cancel_request() can be used to cancel a
scheduled query. Queries that are specific to a single peer will be
removed automatically after the response has been received.
After the service discovery queries have been queued, device discovery
is started with a call to p2p_find(). The pending service discovery
queries are then sent whenever a peer is discovered during the find
operation. Responses to the queries will be reported with the
p2p_config::sd_response() callback.
\subsection p2p_sd_response Replying to service discovery queries from peers
The received service discovery requests will be indicated with the
p2p_config::sd_request() callback. The response to the query is sent
by calling p2p_sd_response().
\subsection p2p_sd_indicator Service update indicator
P2P service discovery provides a mechanism to notify peers about
changes in available services. This works by incrementing Service
Update Indicator value whenever there is a change in the
services. This value is included in all SD request and response
frames. The value received from the peers will be included in the
p2p_config::sd_request() and p2p_config::sd_response() callbacks. The
value to be sent to the peers is incremented with a call to
p2p_sd_service_update() whenever availibility of the local services
changes.
\section p2p_go P2P group owner
This section describes how P2P module can be used for managing
per-group information in a group owner. The function calls are
described based on the P2P module API. The exact design for the glue
code outside the P2P module depends on the architecture used in the
system.
When a P2P group interface is created in group owner role, per-group
data is initialized with p2p_group_init(). This call provides a
pointer to the per-device P2P module context and configures the
per-group operation. The configured p2p_group_config::ie_update()
callback is used to set the initial P2P IE for Beacon and Probe
Response frames in the group owner. The AP mode implementation may use
this information to add IEs into the frames.
Once the group formation has been completed (or if it is skipped in
case of manual group setup), p2p_group_notif_formation_done() is
called. This will allow the P2P module to update the P2P IE for
Beacon and Probe Response frames.
The SME/MLME code that managements IEEE 802.11 association processing
needs to inform P2P module whenever a P2P client associates or
disassociates with the group. This is done by calling
p2p_group_notif_assoc() and p2p_group_notif_disassoc(). The P2P module
manages a list of group members and updates the P2P Group Information
subelement in the P2P IE based on the information from the P2P
clients. The p2p_group_config::ie_update() callback is used whenever
the P2P IE in Probe Response frames needs to be changed.
The SME/MLME code that takes care of replying to Probe Request frames
can use p2p_group_match_dev_type() to check whether the Probe Request
frame request a reply only from groups that include a specific device
type in one of the clients or GO. A match will be reported if the
Probe Request does not request a specific device type, so this
function can be used to filter or received Probe Request frames and
only the ones that result in non-zero return value need to be replied.
When the P2P group interface for GO role is removed,
p2p_group_deinit() is used to deinitialize the per-group P2P module
state.
\section p2p_ctrl_iface P2P control interface
%wpa_supplicant \ref ctrl_iface_page "control interface" can be used
to manage P2P functionality from an external program (e.g., a GUI or a
system configuration manager). This interface can be used directly
through the control interface backend mechanism (e.g., local domain
sockets on Linux) or with help of wpa_cli (e.g., from a script).
The following P2P-related commands are available:
- \ref ctrl_iface_P2P_FIND P2P_FIND
- \ref ctrl_iface_P2P_STOP_FIND P2P_STOP_FIND
- \ref ctrl_iface_P2P_CONNECT P2P_CONNECT
- \ref ctrl_iface_P2P_LISTEN P2P_LISTEN
- \ref ctrl_iface_P2P_GROUP_REMOVE P2P_GROUP_REMOVE
- \ref ctrl_iface_P2P_GROUP_ADD P2P_GROUP_ADD
- \ref ctrl_iface_P2P_PROV_DISC P2P_PROV_DISC
- \ref ctrl_iface_P2P_SERV_DISC_REQ P2P_SERV_DISC_REQ
- \ref ctrl_iface_P2P_SERV_DISC_CANCEL_REQ P2P_SERV_DISC_CANCEL_REQ
- \ref ctrl_iface_P2P_SERV_DISC_RESP P2P_SERV_DISC_RESP
- \ref ctrl_iface_P2P_SERVICE_UPDATE P2P_SERVICE_UPDATE
- \ref ctrl_iface_P2P_SERV_DISC_EXTERNAL P2P_SERV_DISC_EXTERNAL
- \ref ctrl_iface_P2P_REJECT P2P_REJECT
- \ref ctrl_iface_P2P_INVITE P2P_INVITE
The following P2P-related events are used:
- \ref ctrl_iface_event_P2P_EVENT_DEVICE_FOUND P2P-DEVICE-FOUND
- \ref ctrl_iface_event_P2P_EVENT_GO_NEG_REQUEST P2P-GO-NEG-REQUEST
- \ref ctrl_iface_event_P2P_EVENT_GO_NEG_SUCCESS P2P-GO-NEG-SUCCESS
- \ref ctrl_iface_event_P2P_EVENT_GO_NEG_FAILURE P2P-GO-NEG-FAILURE
- \ref ctrl_iface_event_P2P_EVENT_GROUP_FORMATION_SUCCESS P2P-GROUP-FORMATION-SUCCESS
- \ref ctrl_iface_event_P2P_EVENT_GROUP_FORMATION_FAILURE P2P-GROUP-FORMATION-FAILURE
- \ref ctrl_iface_event_P2P_EVENT_GROUP_STARTED P2P-GROUP-STARTED
- \ref ctrl_iface_event_P2P_EVENT_GROUP_REMOVED P2P-GROUP-REMOVED
- \ref ctrl_iface_event_P2P_EVENT_PROV_DISC_SHOW_PIN P2P-PROV-DISC-SHOW-PIN
- \ref ctrl_iface_event_P2P_EVENT_PROV_DISC_ENTER_PIN P2P-PROV-DISC-ENTER-PIN
- \ref ctrl_iface_event_P2P_EVENT_SERV_DISC_REQ P2P-SERV-DISC-REQ
- \ref ctrl_iface_event_P2P_EVENT_SERV_DISC_RESP P2P-SERV-DISC-RESP
- \ref ctrl_iface_event_P2P_EVENT_INVITATION_RECEIVED P2P-INVITATION-RECEIVED
- \ref ctrl_iface_event_P2P_EVENT_INVITATION_RESULT P2P-INVITATION-RESULT
\subsection p2p_wpa_gui GUI example (wpa_gui)
wpa_gui has an example implementation of a GUI that could be used to
manage P2P operations. The P2P related functionality is contained
mostly in wpa_supplicant/wpa_gui-qt4/peers.cpp and it shows how the
control interface commands and events can be used.
\subsection p2p_wpa_cli wpa_cli example
wpa_cli can be used to control %wpa_supplicant in interactive
mode. The following sessions show examples of commands used for
device discovery and group formation. The lines starting with "> " are
commands from the user (followed by command result indication) and
lines starting with "<2>" are event messages from %wpa_supplicant.
P2P device "Wireless Client":
\verbatim
> p2p_find
OK
> <2>P2P-DEVICE-FOUND 02:40:61:c2:f3:b7 p2p_dev_addr=02:40:61:c2:f3:b7
pri_dev_type=1-0050F204-1 name='Wireless Client 2' config_methods=0x18c
dev_capab=0x1 group_capab=0x0
<2>P2P-GO-NEG-REQUEST 02:40:61:c2:f3:b7
<2>P2P-GO-NEG-REQUEST 02:40:61:c2:f3:b7
> p2p_connect 02:40:61:c2:f3:b7 pbc
OK
<2>P2P-GO-NEG-SUCCESS
<2>P2P-GROUP-FORMATION-SUCCESS
<2>P2P-GROUP-STARTED sta0-p2p-0 client DIRECT-vM
> interface
Available interfaces:
sta0-p2p-0
sta0
> p2p_group_remove sta0-p2p-0
<2>P2P-GROUP-REMOVED sta0-p2p-0 client
OK
> term
OK
\endverbatim
P2P device "Wireless Client2" (which ended up operating in GO role):
\verbatim
> p2p_find
OK
<2>P2P-DEVICE-FOUND 02:f0:bc:44:87:62 p2p_dev_addr=02:f0:bc:44:87:62
pri_dev_type=1-0050F204-1 name='Wireless Client' config_methods=0x18c
dev_capab=0x1 group_capab=0x0
> p2p_connect 02:f0:bc:44:87:62 pbc
OK
<2>P2P-GO-NEG-SUCCESS
<2>P2P-GROUP-FORMATION-SUCCESS
<2>P2P-GROUP-STARTED sta1-p2p-0 GO DIRECT-vM
> interface
Available interfaces:
sta1-p2p-0
sta1
> p2p_group_remove sta1-p2p-0
<2>P2P-GROUP-REMOVED sta1-p2p-0 GO
OK
> term
OK
\endverbatim
*/
external/hostap/doc/p2p_arch.dot
Vendored
+85
View File
@@ -0,0 +1,85 @@
digraph p2p_arch {
ranksep=.75;
size = "7.5,7.5";
edge [dir=none];
subgraph cluster_wpa_gui {
label = "wpa_gui";
status -> Qt;
scan -> Qt;
network -> Qt;
Qt -> peers;
Qt -> WPS;
Qt -> gui_ctrl;
gui_ctrl [label="ctrl i/f"];
}
subgraph cluster_wpa_supplicant {
label = "wpa_supplicant"
ctrl_iface [label="ctrl i/f"];
authenticator [label="Authenticator"];
supplicant [label="Supplicant"];
driver_iface [label="driver i/f"];
p2p_module [label="P2P\nmodule"];
wps_registrar [label="WPS\nRegistrar"];
wps_enrollee [label="WPS\nEnrollee"];
mgmt_entity [label="Management\nentity"];
ctrl_iface -> mgmt_entity;
p2p_module -> mgmt_entity;
wps_registrar -> mgmt_entity;
wps_enrollee -> mgmt_entity;
mgmt_entity -> authenticator;
mgmt_entity -> supplicant;
mgmt_entity -> driver_iface;
{ rank = same; mgmt_entity; p2p_module; }
}
subgraph cluster_wpa_cli {
label = "wpa_cli -a"
wpa_cli_action;
}
subgraph cluster_dnsmasq {
label = "dnsmasq"
dnsmasq;
}
subgraph cluster_dhclient {
label = "dhclient"
dhclient;
}
subgraph cluster_kernel {
label = "Linux kernel"
cfg80211 -> mac80211;
netdev -> mac80211;
mac80211 -> ath9k;
}
gui_ctrl -> ctrl_iface;
wpa_cli_action -> ctrl_iface;
driver_iface -> cfg80211;
wpa_cli_action -> dnsmasq;
wpa_cli_action -> dhclient;
dnsmasq -> netdev;
dhclient -> netdev;
edge [color=blue,dir=both];
p2p_module -> mgmt_entity -> driver_iface -> cfg80211 -> mac80211 -> ath9k;
edge [color=green,dir=both];
peers -> Qt -> gui_ctrl -> ctrl_iface -> mgmt_entity -> p2p_module;
}
external/hostap/doc/p2p_arch2.dot
Vendored
+85
View File
@@ -0,0 +1,85 @@
digraph p2p_arch2 {
ranksep=.75;
size = "7.5,7.5";
edge [dir=none];
subgraph cluster_wpa_gui {
label = "wpa_gui";
status -> Qt;
scan -> Qt;
network -> Qt;
Qt -> peers;
Qt -> WPS;
Qt -> gui_ctrl;
gui_ctrl [label="ctrl i/f"];
}
subgraph cluster_wpa_supplicant {
label = "wpa_supplicant"
ctrl_iface [label="ctrl i/f"];
authenticator [label="Authenticator"];
supplicant [label="Supplicant"];
driver_iface [label="driver i/f"];
wps_registrar [label="WPS\nRegistrar"];
wps_enrollee [label="WPS\nEnrollee"];
mgmt_entity [label="Management\nentity"];
ctrl_iface -> mgmt_entity;
wps_registrar -> mgmt_entity;
wps_enrollee -> mgmt_entity;
mgmt_entity -> authenticator;
mgmt_entity -> supplicant;
mgmt_entity -> driver_iface;
}
subgraph cluster_wpa_cli {
label = "wpa_cli -a"
wpa_cli_action;
}
subgraph cluster_dnsmasq {
label = "dnsmasq"
dnsmasq;
}
subgraph cluster_dhclient {
label = "dhclient"
dhclient;
}
subgraph cluster_kernel {
label = "Kernel"
ioctl -> umac;
netdev -> umac;
umac -> p2p_module;
p2p_module [label="P2P\nmodule"];
umac -> driver;
{ rank = same; umac; p2p_module; }
}
gui_ctrl -> ctrl_iface;
wpa_cli_action -> ctrl_iface;
driver_iface -> ioctl;
wpa_cli_action -> dnsmasq;
wpa_cli_action -> dhclient;
dnsmasq -> netdev;
dhclient -> netdev;
edge [color=blue,dir=both];
p2p_module -> umac -> driver;
edge [color=green,dir=both];
peers -> Qt -> gui_ctrl -> ctrl_iface -> mgmt_entity -> driver_iface -> ioctl -> umac -> p2p_module;
}
external/hostap/doc/p2p_sm.dot
Vendored
+62
View File
@@ -0,0 +1,62 @@
digraph p2p {
ranksep=.75;
size = "8.5,7.5";
start -> IDLE;
start [label="Init",shape=none];
/* Discovery: Scan followed by Find(SEARCH,LISTEN) */
subgraph cluster_0 {
label="Discovery";
color=lightgrey;
node [color=blue];
/* SCAN and LISTEN currently not used in the implementation */
SCAN [style=dotted];
LISTEN [style=dotted];
SCAN -> LISTEN;
LISTEN -> SEARCH -> LISTEN [style=dotted];
SEARCH -> SD_DURING_FIND [label="Peer SD capab\nand no info", weight=100];
SD_DURING_FIND -> SEARCH [label="RX SD Resp\nor timeout", weight=100];
SEARCH -> PROV_DISC_DURING_FIND [label="Prov Disc cmd\nand no Resp", weight=100];
PROV_DISC_DURING_FIND -> SEARCH [label="RX Prov Disc Resp\nor timeout", weight=100];
}
/* Group Formation */
subgraph cluster_1 {
label="Group Formation";
color=lightgrey;
node [color=green];
CONNECT -> CONNECT_LISTEN [style=dotted,weight=100];
CONNECT_LISTEN -> CONNECT [style=dotted,weight=100];
CONNECT -> WAIT_PEER_IDLE [label="RX GO Neg Resp\n(info unavail)"];
WAIT_PEER_IDLE -> WAIT_PEER_CONNECT [style=dotted,weight=100];
WAIT_PEER_CONNECT -> WAIT_PEER_IDLE [style=dotted,weight=100];
CONNECT -> GO_NEG [label="RX GO Neg Resp\n(success)", weight=10];
CONNECT_LISTEN -> GO_NEG [label="RX GO Neg Req or\nTX GO Neg Resp"];
WAIT_PEER_CONNECT -> GO_NEG [label="RX GO Neg Req"];
GO_NEG -> PROVISIONING [label="TX/RX GO Neg Conf"];
}
PROVISIONING -> IDLE [label="WPS\nsuccess"];
/* External triggers */
IDLE -> SCAN [label="Find cmd",weight=20];
IDLE -> CONNECT [label="Connect cmd",weight=20];
IDLE -> LISTEN_ONLY [label="Listen cmd"];
/* Timeouts */
/*
edge [color=red];
WAIT_PEER_IDLE -> IDLE [label="timeout", weight=0];
WAIT_PEER_CONNECT -> IDLE [label="timeout", weight=0];
CONNECT -> IDLE [label="timeout", weight=0];
CONNECT_LISTEN -> IDLE [label="timeout", weight=0];
GO_NEG -> IDLE [label="timeout", weight=0];
PROVISIONING -> IDLE [label="timeout", weight=0];
LISTEN_ONLY -> IDLE [label="timeout", weight=0];
SEARCH -> IDLE [label="timeout", weight=0];
*/
}
external/hostap/doc/porting.doxygen
Vendored
+208
View File
@@ -0,0 +1,208 @@
/**
\page porting Porting to different target boards and operating systems
%wpa_supplicant was designed to be easily portable to different
hardware (board, CPU) and software (OS, drivers) targets. It is
already used with number of operating systems and numerous wireless
card models and drivers. The main %wpa_supplicant repository includes
support for Linux, FreeBSD, and Windows. In addition, the code has been
ported to number of other operating systems like VxWorks, PalmOS,
Windows CE, and Windows Mobile. On the hardware
side, %wpa_supplicant is used on various systems: desktops, laptops,
PDAs, and embedded devices with CPUs including x86, PowerPC,
arm/xscale, and MIPS. Both big and little endian configurations are
supported.
\section ansi_c_extra Extra functions on top of ANSI C
%wpa_supplicant is mostly using ANSI C functions that are available on
most targets. However, couple of additional functions that are common
on modern UNIX systems are used. Number of these are listed with
prototypes in common.h (the \verbatim #ifdef CONFIG_ANSI_C_EXTRA \endverbatim
block). These functions may need to be implemented or at least defined
as macros to native functions in the target OS or C library.
Many of the common ANSI C functions are used through a wrapper
definitions in os.h to allow these to be replaced easily with a
platform specific version in case standard C libraries are not
available. In addition, os.h defines couple of common platform
specific functions that are implemented in os_unix.c for UNIX like
targets and in os_win32.c for Win32 API. If the target platform does
not support either of these examples, a new os_*.c file may need to be
added.
Unless OS_NO_C_LIB_DEFINES is defined, the standard ANSI C and POSIX
functions are used by defining the os_*() wrappers to use them
directly in order to avoid extra cost in size and speed. If the target
platform needs different versions of the functions, os.h can be
modified to define the suitable macros or alternatively,
OS_NO_C_LIB_DEFINES may be defined for the build and the wrapper
functions can then be implemented in a new os_*.c wrapper file.
common.h defines number of helper macros for handling integers of
different size and byte order. Suitable version of these definitions
may need to be added for the target platform.
\section configuration_backend Configuration backend
%wpa_supplicant implements a configuration interface that allows the
backend to be easily replaced in order to read configuration data from
a suitable source depending on the target platform. config.c
implements the generic code that can be shared with all configuration
backends. Each backend is implemented in its own config_*.c file.
The included config_file.c backend uses a text file for configuration
and config_winreg.c uses Windows registry. These files can be used as
an example for a new configuration backend if the target platform uses
different mechanism for configuration parameters. In addition,
config_none.c can be used as an empty starting point for building a
new configuration backend.
\section driver_iface_porting Driver interface
Unless the target OS and driver is already supported, most porting
projects have to implement a driver wrapper. This may be done by
adding a new driver interface module or modifying an existing module
(driver_*.c) if the new target is similar to one of them. \ref
driver_wrapper "Driver wrapper implementation" describes the details
of the driver interface and discusses the tasks involved in porting
this part of %wpa_supplicant.
\section l2_packet_porting l2_packet (link layer access)
%wpa_supplicant needs to have access to sending and receiving layer 2
(link layer) packets with two Ethertypes: EAP-over-LAN (EAPOL) 0x888e
and RSN pre-authentication 0x88c7. l2_packet.h defines the interfaces
used for this in the core %wpa_supplicant implementation.
If the target operating system supports a generic mechanism for link
layer access, that is likely the best mechanism for providing the
needed functionality for %wpa_supplicant. Linux packet socket is an
example of such a generic mechanism. If this is not available, a
separate interface may need to be implemented to the network stack or
driver. This is usually an intermediate or protocol driver that is
operating between the device driver and the OS network stack. If such
a mechanism is not feasible, the interface can also be implemented
directly in the device driver.
The main %wpa_supplicant repository includes l2_packet implementations
for Linux using packet sockets (l2_packet_linux.c), more portable
version using libpcap/libdnet libraries (l2_packet_pcap.c; this
supports WinPcap, too), and FreeBSD specific version of libpcap
interface (l2_packet_freebsd.c).
If the target operating system is supported by libpcap (receiving) and
libdnet (sending), l2_packet_pcap.c can likely be used with minimal or
no changes. If this is not a case or a proprietary interface for link
layer is required, a new l2_packet module may need to be
added. Alternatively, struct wpa_driver_ops::send_eapol() handler can
be used to override the l2_packet library if the link layer access is
integrated with the driver interface implementation.
\section eloop_porting Event loop
%wpa_supplicant uses a single process/thread model and an event loop
to provide callbacks on events (registered timeout, received packet,
signal). eloop.h defines the event loop interface. eloop.c is an
implementation of such an event loop using select() and sockets. This
is suitable for most UNIX/POSIX systems. When porting to other
operating systems, it may be necessary to replace that implementation
with OS specific mechanisms that provide similar functionality.
\section ctrl_iface_porting Control interface
%wpa_supplicant uses a \ref ctrl_iface_page "control interface"
to allow external processed
to get status information and to control the operations. Currently,
this is implemented with socket based communication; both UNIX domain
sockets and UDP sockets are supported. If the target OS does not
support sockets, this interface will likely need to be modified to use
another mechanism like message queues. The control interface is
optional component, so it is also possible to run %wpa_supplicant
without porting this part.
The %wpa_supplicant side of the control interface is implemented in
ctrl_iface.c. Matching client side is implemented as a control
interface library in wpa_ctrl.c.
\section entry_point Program entry point
%wpa_supplicant defines a set of functions that can be used to
initialize main supplicant processing. Each operating system has a
mechanism for starting new processing or threads. This is usually a
function with a specific set of arguments and calling convention. This
function is responsible on initializing %wpa_supplicant.
main.c includes an entry point for UNIX-like operating system, i.e.,
main() function that uses command line arguments for setting
parameters for %wpa_supplicant. When porting to other operating
systems, similar OS-specific entry point implementation is needed. It
can be implemented in a new file that is then linked with
%wpa_supplicant instead of main.o. main.c is also a good example on
how the initialization process should be done.
The supplicant initialization functions are defined in
wpa_supplicant_i.h. In most cases, the entry point function should
start by fetching configuration parameters. After this, a global
%wpa_supplicant context is initialized with a call to
wpa_supplicant_init(). After this, existing network interfaces can be
added with wpa_supplicant_add_iface(). wpa_supplicant_run() is then
used to start the main event loop. Once this returns at program
termination time, wpa_supplicant_deinit() is used to release global
context data.
wpa_supplicant_add_iface() and wpa_supplicant_remove_iface() can be
used dynamically to add and remove interfaces based on when
%wpa_supplicant processing is needed for them. This can be done, e.g.,
when hotplug network adapters are being inserted and ejected. It is
also possible to do this when a network interface is being
enabled/disabled if it is desirable that %wpa_supplicant processing
for the interface is fully enabled/disabled at the same time.
\section simple_build Simple build example
One way to start a porting project is to begin with a very simple
build of %wpa_supplicant with WPA-PSK support and once that is
building correctly, start adding features.
Following command can be used to build very simple version of
%wpa_supplicant:
\verbatim
cc -o wpa_supplicant config.c eloop.c common.c md5.c rc4.c sha1.c \
config_none.c l2_packet_none.c tls_none.c wpa.c preauth.c \
aes_wrap.c wpa_supplicant.c events.c main_none.c drivers.c
\endverbatim
The end result is not really very useful since it uses empty functions
for configuration parsing and layer 2 packet access and does not
include a driver interface. However, this is a good starting point
since the build is complete in the sense that all functions are
present and this is easy to configure to a build system by just
including the listed C files.
Once this version can be build successfully, the end result can be
made functional by adding a proper program entry point (main*.c),
driver interface (driver_*.c and matching CONFIG_DRIVER_* define for
registration in drivers.c), configuration parser/writer (config_*.c),
and layer 2 packet access implementation (l2_packet_*.c). After these
components have been added, the end result should be a working
WPA/WPA2-PSK enabled supplicant.
After the basic functionality has been verified to work, more features
can be added by linking in more files and defining C pre-processor
defines. Currently, the best source of information for what options
are available and which files needs to be included is in the Makefile
used for building the supplicant with make. Similar configuration will
be needed for build systems that either use different type of make
tool or a GUI-based project configuration.
*/
external/hostap/doc/testing_tools.doxygen
Vendored
+363
View File
@@ -0,0 +1,363 @@
/**
\page testing_tools Testing and development tools
[ \ref eapol_test "eapol_test" |
\ref preauth_test "preauth_test" |
\ref driver_test "driver_test" |
\ref unit_tests "Unit tests" |
\ref wpa_trace "Tracing code" ]
%wpa_supplicant source tree includes number of testing and development
tools that make it easier to test the programs without having to setup
a full test setup with wireless cards. In addition, these tools can be
used to implement automatic tests suites.
\section eapol_test eapol_test - EAP peer and RADIUS client testing
eapol_test is a program that links together the same EAP peer
implementation that %wpa_supplicant is using and the RADIUS
authentication client code from hostapd. In addition, it has minimal
glue code to combine these two components in similar ways to IEEE
802.1X/EAPOL Authenticator state machines. In other words, it
integrates IEEE 802.1X Authenticator (normally, an access point) and
IEEE 802.1X Supplicant (normally, a wireless client) together to
generate a single program that can be used to test EAP methods without
having to setup an access point and a wireless client.
The main uses for eapol_test are in interoperability testing of EAP
methods against RADIUS servers and in development testing for new EAP
methods. It can be easily used to automate EAP testing for
interoperability and regression since the program can be run from
shell scripts without require additional test components apart from a
RADIUS server. For example, the automated EAP tests described in
eap_testing.txt are implemented with eapol_test. Similarly, eapol_test
could be used to implement an automated regression test suite for a
RADIUS authentication server.
eapol_test uses the same build time configuration file, .config, as
%wpa_supplicant. This file is used to select which EAP methods are
included in eapol_test. This program is not built with the default
Makefile target, so a separate make command needs to be used to
compile the tool:
\verbatim
make eapol_test
\endverbatim
The resulting eapol_test binary has following command like options:
\verbatim
usage:
eapol_test [-nWS] -c<conf> [-a<AS IP>] [-p<AS port>] [-s<AS secret>] \
[-r<count>] [-t<timeout>] [-C<Connect-Info>] \
[-M<client MAC address>]
eapol_test scard
eapol_test sim <PIN> <num triplets> [debug]
options:
-c<conf> = configuration file
-a<AS IP> = IP address of the authentication server, default 127.0.0.1
-p<AS port> = UDP port of the authentication server, default 1812
-s<AS secret> = shared secret with the authentication server, default 'radius'
-r<count> = number of re-authentications
-W = wait for a control interface monitor before starting
-S = save configuration after authentiation
-n = no MPPE keys expected
-t<timeout> = sets timeout in seconds (default: 30 s)
-C<Connect-Info> = RADIUS Connect-Info (default: CONNECT 11Mbps 802.11b)
-M<client MAC address> = Set own MAC address (Calling-Station-Id,
default: 02:00:00:00:00:01)
\endverbatim
As an example,
\verbatim
eapol_test -ctest.conf -a127.0.0.1 -p1812 -ssecret -r1
\endverbatim
tries to complete EAP authentication based on the network
configuration from test.conf against the RADIUS server running on the
local host. A re-authentication is triggered to test fast
re-authentication. The configuration file uses the same format for
network blocks as %wpa_supplicant.
\section preauth_test preauth_test - WPA2 pre-authentication and EAP peer testing
preauth_test is similar to eapol_test in the sense that in combines
EAP peer implementation with something else, in this case, with WPA2
pre-authentication. This tool can be used to test pre-authentication
based on the code that %wpa_supplicant is using. As such, it tests
both the %wpa_supplicant implementation and the functionality of an
access point.
preauth_test is built with:
\verbatim
make preauth_test
\endverbatim
and it uses following command line arguments:
\verbatim
usage: preauth_test <conf> <target MAC address> <ifname>
\endverbatim
For example,
\verbatim
preauth_test test.conf 02:11:22:33:44:55 eth0
\endverbatim
would use network configuration from test.conf to try to complete
pre-authentication with AP using BSSID 02:11:22:33:44:55. The
pre-authentication packets would be sent using the eth0 interface.
\section driver_test driver_test - driver interface for testing wpa_supplicant
%wpa_supplicant was designed to support number of different ways to
communicate with a network device driver. This design uses \ref
driver_wrapper "driver interface API" and number of driver interface
implementations. One of these is driver_test.c, i.e., a test driver
interface that is actually not using any drivers. Instead, it provides
a mechanism for running %wpa_supplicant without having to have a
device driver or wireless LAN hardware for that matter.
driver_test can be used to talk directly with hostapd's driver_test
component to create a test setup where one or more clients and access
points can be tested within one test host and without having to have
multiple wireless cards. This makes it easier to test the core code in
%wpa_supplicant, and hostapd for that matter. Since driver_test uses
the same driver API than any other driver interface implementation,
the core code of %wpa_supplicant and hostapd can be tested with the
same coverage as one would get when using real wireless cards. The
only area that is not tested is the driver interface implementation
(driver_*.c).
Having the possibility to use simulated network components makes it
much easier to do development testing while adding new features and to
reproduce reported bugs. As such, it is often easiest to just do most
of the development and bug fixing without using real hardware. Once
the driver_test setup has been used to implement a new feature or fix
a bug, the end result can be verified with wireless LAN cards. In many
cases, this may even be unnecessary, depending on what area the
feature/bug is relating to. Of course, changes to driver interfaces
will still require use of real hardware.
Since multiple components can be run within a single host, testing of
complex network configuration, e.g., large number of clients
association with an access point, becomes quite easy. All the tests
can also be automated without having to resort to complex test setup
using remote access to multiple computers.
driver_test can be included in the %wpa_supplicant build in the same
way as any other driver interface, i.e., by adding the following line
into .config:
\verbatim
CONFIG_DRIVER_TEST=y
\endverbatim
When running %wpa_supplicant, the test interface is selected by using
\a -Dtest command line argument. The interface name (\a -i argument)
can be selected arbitrarily, i.e., it does not need to match with any
existing network interface. The interface name is used to generate a
MAC address, so when using multiple clients, each should use a
different interface, e.g., \a sta1, \a sta2, and so on.
%wpa_supplicant and hostapd are configured in the same way as they
would be for normal use. Following example shows a simple test setup
for WPA-PSK.
hostapd is configured with following psk-test.conf configuration file:
\verbatim
driver=test
interface=ap1
logger_stdout=-1
logger_stdout_level=0
debug=2
dump_file=/tmp/hostapd.dump
test_socket=/tmp/Test/ap1
ssid=jkm-test-psk
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=12345678
\endverbatim
and started with following command:
\verbatim
hostapd psk-test.conf
\endverbatim
%wpa_supplicant uses following configuration file:
\verbatim
driver_param=test_socket=/tmp/Test/ap1
network={
ssid="jkm-test-psk"
key_mgmt=WPA-PSK
psk="12345678"
}
\endverbatim
%wpa_supplicant can then be started with following command:
\verbatim
wpa_supplicant -Dtest -cpsk-test.conf -ista1 -ddK
\endverbatim
If run without debug information, i.e., with
\verbatim
wpa_supplicant -Dtest -cpsk-test.conf -ista1
\endverbatim
%wpa_supplicant completes authentication and prints following events:
\verbatim
Trying to associate with 02:b8:a6:62:08:5a (SSID='jkm-test-psk' freq=0 MHz)
Associated with 02:b8:a6:62:08:5a
WPA: Key negotiation completed with 02:b8:a6:62:08:5a [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 02:b8:a6:62:08:5a completed (auth)
\endverbatim
If test setup is using multiple clients, it is possible to run
multiple %wpa_supplicant processes. Alternatively, the support for
multiple interfaces can be used with just one process to save some
resources on single-CPU systems. For example, following command runs
two clients:
\verbatim
./wpa_supplicant -Dtest -cpsk-test.conf -ista1 \
-N -Dtest -cpsk-test.conf -ista2
\endverbatim
This shows following event log:
\verbatim
Trying to associate with 02:b8:a6:62:08:5a (SSID='jkm-test-psk' freq=0 MHz)
Associated with 02:b8:a6:62:08:5a
WPA: Key negotiation completed with 02:b8:a6:62:08:5a [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 02:b8:a6:62:08:5a completed (auth)
Trying to associate with 02:b8:a6:62:08:5a (SSID='jkm-test-psk' freq=0 MHz)
Associated with 02:b8:a6:62:08:5a
WPA: Key negotiation completed with 02:b8:a6:62:08:5a [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 02:b8:a6:62:08:5a completed (auth)
\endverbatim
hostapd shows this with following events:
\verbatim
ap1: STA 02:b5:64:63:30:63 IEEE 802.11: associated
ap1: STA 02:b5:64:63:30:63 WPA: pairwise key handshake completed (WPA)
ap1: STA 02:b5:64:63:30:63 WPA: group key handshake completed (WPA)
ap1: STA 02:2a:c4:18:5b:f3 IEEE 802.11: associated
ap1: STA 02:2a:c4:18:5b:f3 WPA: pairwise key handshake completed (WPA)
ap1: STA 02:2a:c4:18:5b:f3 WPA: group key handshake completed (WPA)
\endverbatim
By default, driver_param is simulating a driver that uses the WPA/RSN
IE generated by %wpa_supplicant. Driver-generated IE and AssocInfo
events can be tested by adding \a use_associnfo=1 to the \a driver_param
line in the configuration file. For example:
\verbatim
driver_param=test_socket=/tmp/Test/ap1 use_associnfo=1
\endverbatim
\section unit_tests Unit tests
Number of the components (.c files) used in %wpa_supplicant define
their own unit tests for automated validation of the basic
functionality. Most of the tests for cryptographic algorithms are
using standard test vectors to validate functionality. These tests can
be useful especially when verifying port to a new CPU target.
The test programs are collected in the tests subdirectory. All
automated unit tests can be run with
\verbatim
make run-tests
\endverbatim
This make target builds and runs each test and terminates with zero
exit code if all tests were completed successfully.
\section wpa_trace Tracing code for developer debuggin
%wpa_supplicant and hostapd can be built with tracing code that will
track and analyze memory allocations and other resource registrations
and certain API uses. If incorrect use is detected, a backtrace of the
call location (and/or allocation location) is shown. This can also be
used to detect certain categories of memory leaks and report them
automatically when the program is terminated. The report will also
include information about forgotten eloop events.
The trace code can be enabled with CONFIG_WPA_TRACE=y build
option. More verbose backtrace information can be generated if libbfd
is available and the binaries are not stripped of symbol
information. This is enabled with CONFIG_WPA_TRACE_BFD=y.
For example, a memory leak (forgotten os_free() call) would show up
like this when the program is terminated:
\verbatim
MEMLEAK[0x82d200]: len 128
WPA_TRACE: memleak - START
[0]: ./wpa_supplicant(os_malloc+0x59) [0x41a5e9]
os_malloc() ../src/utils/os_unix.c:359
[1]: ./wpa_supplicant(os_zalloc+0x16) [0x41a676]
os_zalloc() ../src/utils/os_unix.c:418
[2]: ./wpa_supplicant(wpa_supplicant_init+0x38) [0x48b508]
wpa_supplicant_init() wpa_supplicant.c:2315
[3]: ./wpa_supplicant(main+0x2f3) [0x491073]
main() main.c:252
WPA_TRACE: memleak - END
MEMLEAK: total 128 bytes
\endverbatim
Another type of error that can be detected is freeing of memory area
that was registered for some use and is still be referenced:
\verbatim
WPA_TRACE: Freeing referenced memory - START
[2]: ./wpa_supplicant(os_free+0x5c) [0x41a53c]
os_free() ../src/utils/os_unix.c:411
[3]: ./wpa_supplicant(wpa_supplicant_remove_iface+0x30) [0x48b380]
wpa_supplicant_remove_iface() wpa_supplicant.c:2259
[4]: ./wpa_supplicant(wpa_supplicant_deinit+0x20) [0x48b3e0]
wpa_supplicant_deinit() wpa_supplicant.c:2430
[5]: ./wpa_supplicant(main+0x357) [0x4910d7]
main() main.c:276
WPA_TRACE: Freeing referenced memory - END
WPA_TRACE: Reference registration - START
[1]: ./wpa_supplicant [0x41c040]
eloop_trace_sock_add_ref() ../src/utils/eloop.c:94
[2]: ./wpa_supplicant(wpa_supplicant_ctrl_iface_deinit+0x17) [0x473247]
wpa_supplicant_ctrl_iface_deinit() ctrl_iface_unix.c:436
[3]: ./wpa_supplicant [0x48b21c]
wpa_supplicant_cleanup() wpa_supplicant.c:378
wpa_supplicant_deinit_iface() wpa_supplicant.c:2155
[4]: ./wpa_supplicant(wpa_supplicant_remove_iface+0x30) [0x48b380]
wpa_supplicant_remove_iface() wpa_supplicant.c:2259
[5]: ./wpa_supplicant(wpa_supplicant_deinit+0x20) [0x48b3e0]
wpa_supplicant_deinit() wpa_supplicant.c:2430
[6]: ./wpa_supplicant(main+0x357) [0x4910d7]
main() main.c:276
WPA_TRACE: Reference registration - END
Aborted
\endverbatim
This type of error results in showing backtraces for both the location
where the incorrect freeing happened and the location where the memory
area was marked referenced.
*/
external/hostap/doc/wpa_supplicant.fig
Vendored
+247
View File
@@ -0,0 +1,247 @@
#FIG 3.2
Landscape
Center
Inches
Letter
100.00
Single
-2
1200 2
6 1875 4050 2925 4350
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1875 4050 2925 4050 2925 4350 1875 4350 1875 4050
4 0 0 50 -1 0 12 0.0000 4 180 735 2025 4275 l2_packet\001
-6
6 3450 1200 4275 1500
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
3450 1200 4275 1200 4275 1500 3450 1500 3450 1200
4 0 0 50 -1 0 12 0.0000 4 180 585 3600 1425 wpa_cli\001
-6
6 4725 1200 5925 1500
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4725 1200 5925 1200 5925 1500 4725 1500 4725 1200
4 0 0 50 -1 0 12 0.0000 4 135 1005 4800 1425 GUI frontend\001
-6
6 6000 2700 7200 3225
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6000 2700 7200 2700 7200 3225 6000 3225 6000 2700
4 0 0 50 -1 0 12 0.0000 4 135 975 6075 2925 WPA/WPA2\001
4 0 0 50 -1 0 12 0.0000 4 135 1065 6075 3150 state machine\001
-6
6 6000 4950 7200 5475
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6000 4950 7200 4950 7200 5475 6000 5475 6000 4950
4 0 0 50 -1 0 12 0.0000 4 135 360 6075 5175 EAP\001
4 0 0 50 -1 0 12 0.0000 4 135 1065 6075 5400 state machine\001
-6
6 8700 3000 9375 3300
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8700 3000 9375 3000 9375 3300 8700 3300 8700 3000
4 0 0 50 -1 0 12 0.0000 4 150 480 8775 3225 crypto\001
-6
6 4350 3900 5025 4425
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4350 3900 5025 3900 5025 4425 4350 4425 4350 3900
4 0 0 50 -1 0 12 0.0000 4 105 420 4500 4125 event\001
4 0 0 50 -1 0 12 0.0000 4 180 315 4500 4350 loop\001
-6
6 4275 2550 5100 2850
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4275 2550 5100 2550 5100 2850 4275 2850 4275 2550
4 0 0 50 -1 0 12 0.0000 4 135 450 4425 2775 ctrl i/f\001
-6
6 6000 3900 7200 4425
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6000 3900 7200 3900 7200 4425 6000 4425 6000 3900
4 0 0 50 -1 0 12 0.0000 4 135 600 6075 4125 EAPOL\001
4 0 0 50 -1 0 12 0.0000 4 135 1065 6075 4350 state machine\001
-6
6 1800 6000 7800 8100
6 1800 6000 7800 7200
6 1800 6900 2700 7200
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1800 6900 2700 6900 2700 7200 1800 7200 1800 6900
4 0 0 50 -1 0 12 0.0000 4 105 375 1875 7125 wext\001
-6
6 4725 6900 5625 7200
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4725 6900 5625 6900 5625 7200 4725 7200 4725 6900
4 0 0 50 -1 0 12 0.0000 4 135 555 4800 7125 hermes\001
-6
6 6675 6900 7800 7200
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
6675 6900 7800 6900 7800 7200 6675 7200 6675 6900
4 0 0 50 -1 0 12 0.0000 4 180 930 6750 7125 ndiswrapper\001
-6
6 5700 6900 6600 7200
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
5700 6900 6600 6900 6600 7200 5700 7200 5700 6900
4 0 0 50 -1 0 12 0.0000 4 135 420 5775 7125 atmel\001
-6
6 4275 6000 5100 6300
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
4275 6000 5100 6000 5100 6300 4275 6300 4275 6000
4 0 0 50 -1 0 12 0.0000 4 135 630 4350 6225 driver i/f\001
-6
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
2775 6900 3675 6900 3675 7200 2775 7200 2775 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
3750 6900 4650 6900 4650 7200 3750 7200 3750 6900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 4
2250 6900 2250 6600 7200 6600 7200 6900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
3225 6900 3225 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4200 6900 4200 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
5175 6900 5175 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
6150 6900 6150 6600
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4650 6600 4650 6300
4 0 0 50 -1 0 12 0.0000 4 180 510 2850 7125 hostap\001
4 0 0 50 -1 0 12 0.0000 4 135 600 3825 7125 madwifi\001
-6
6 3525 7800 5775 8100
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
3525 7800 5775 7800 5775 8100 3525 8100 3525 7800
4 0 0 50 -1 0 12 0.0000 4 135 2145 3600 8025 kernel network device driver\001
-6
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
2250 7200 4200 7800
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
7200 7200 5100 7800
-6
6 9600 3000 10275 3300
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9600 3000 10275 3000 10275 3300 9600 3300 9600 3000
4 0 0 50 -1 0 12 0.0000 4 135 315 9750 3225 TLS\001
-6
6 8100 4425 10425 7350
6 8175 4725 9225 5025
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 4725 9225 4725 9225 5025 8175 5025 8175 4725
4 0 0 50 -1 0 12 0.0000 4 135 735 8250 4950 EAP-TLS\001
-6
6 9300 4725 10350 5025
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 4725 10350 4725 10350 5025 9300 5025 9300 4725
4 0 0 50 -1 0 12 0.0000 4 135 810 9375 4950 EAP-MD5\001
-6
6 8175 5100 9225 5400
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 5100 9225 5100 9225 5400 8175 5400 8175 5100
4 0 0 50 -1 0 12 0.0000 4 135 885 8250 5325 EAP-PEAP\001
-6
6 9300 5100 10350 5400
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 5100 10350 5100 10350 5400 9300 5400 9300 5100
4 0 0 50 -1 0 12 0.0000 4 135 840 9375 5325 EAP-TTLS\001
-6
6 8175 5475 9225 5775
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 5475 9225 5475 9225 5775 8175 5775 8175 5475
4 0 0 50 -1 0 12 0.0000 4 135 780 8250 5700 EAP-GTC\001
-6
6 9300 5475 10350 5775
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 5475 10350 5475 10350 5775 9300 5775 9300 5475
4 0 0 50 -1 0 12 0.0000 4 135 765 9375 5700 EAP-OTP\001
-6
6 8175 5850 9225 6150
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 5850 9225 5850 9225 6150 8175 6150 8175 5850
4 0 0 50 -1 0 12 0.0000 4 135 750 8250 6075 EAP-SIM\001
-6
6 9300 6225 10350 6525
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 6225 10350 6225 10350 6525 9300 6525 9300 6225
4 0 0 50 -1 0 12 0.0000 4 135 465 9375 6450 LEAP\001
-6
6 8175 6225 9225 6525
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 6225 9225 6225 9225 6525 8175 6525 8175 6225
4 0 0 50 -1 0 12 0.0000 4 135 765 8250 6450 EAP-PSK\001
-6
6 9300 5850 10350 6150
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 5850 10350 5850 10350 6150 9300 6150 9300 5850
4 0 0 50 -1 0 12 0.0000 4 135 825 9375 6075 EAP-AKA\001
-6
6 8175 6975 9675 7275
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 6975 9675 6975 9675 7275 8175 7275 8175 6975
4 0 0 50 -1 0 12 0.0000 4 135 1365 8250 7200 EAP-MSCHAPv2\001
-6
6 9300 6600 10350 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
9300 6600 10350 6600 10350 6900 9300 6900 9300 6600
4 0 0 50 -1 0 12 0.0000 4 135 870 9375 6825 EAP-FAST\001
-6
6 8175 6600 9225 6900
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8175 6600 9225 6600 9225 6900 8175 6900 8175 6600
4 0 0 50 -1 0 12 0.0000 4 135 795 8250 6825 EAP-PAX\001
-6
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
8100 7350 10425 7350 10425 4425 8100 4425 8100 7350
4 0 0 50 -1 0 12 0.0000 4 135 1050 8700 4650 EAP methods\001
-6
6 2775 5025 4050 5325
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
2775 5025 4050 5025 4050 5325 2775 5325 2775 5025
4 0 0 50 -1 0 12 0.0000 4 135 990 2925 5250 driver events\001
-6
6 2775 3150 4050 3450
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
2775 3150 4050 3150 4050 3450 2775 3450 2775 3150
4 0 0 50 -1 0 12 0.0000 4 180 990 2925 3375 configuration\001
-6
2 1 1 1 0 7 50 -1 -1 3.000 0 0 -1 0 0 2
1275 4200 1875 4200
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
4500 2550 3900 1500
2 1 1 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 2
4800 2550 5400 1500
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
2925 4200 4350 4200
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
5025 3900 6000 3000
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
5025 4200 6000 4200
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4650 6000 4650 4425
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
6600 4425 6600 4950
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
6600 3225 6600 3900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
7200 5250 8100 5250
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
9075 4425 9075 3300
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
7200 3000 8700 3150
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4650 3900 4650 2850
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
7200 4125 8700 3300
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
6000 4350 5025 6000
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
6000 3150 4875 6000
2 2 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 5
1500 2100 10800 2100 10800 7500 1500 7500 1500 2100
2 1 0 1 2 7 50 -1 -1 0.000 0 0 -1 0 0 2
9900 4425 9900 3300
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 1
4350 3900
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4350 3900 4050 3450
2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2
4350 4425 4050 5025
4 0 0 50 -1 0 12 0.0000 4 135 915 375 3975 EAPOL and\001
4 0 0 50 -1 0 12 0.0000 4 180 630 375 4200 pre-auth\001
4 0 0 50 -1 0 12 0.0000 4 180 810 375 4425 ethertypes\001
4 0 0 50 -1 0 12 0.0000 4 135 1050 375 4650 from/to kernel\001
4 0 0 50 -1 0 12 0.0000 4 135 1920 3675 1875 frontend control interface\001
4 0 0 50 -1 2 14 0.0000 4 210 1440 1637 2371 wpa_supplicant\001
external/hostap/eap_example/Makefile
Vendored
+152
View File
@@ -0,0 +1,152 @@
ALL=eap_example
all: $(ALL)
ifndef CC
CC=gcc
endif
ifndef RANLIB
RANLIB=ranlib
endif
ifndef CFLAGS
CFLAGS = -MMD -O2 -Wall -g
endif
CFLAGS += -I.
CFLAGS += -I../src
CFLAGS += -I../src/utils
OBJS_both += ../src/utils/libutils.a
OBJS_both += ../src/crypto/libcrypto.a
OBJS_both += ../src/tls/libtls.a
OBJS_both += ../src/eap_common/eap_peap_common.o
OBJS_both += ../src/eap_common/eap_psk_common.o
OBJS_both += ../src/eap_common/eap_pax_common.o
OBJS_both += ../src/eap_common/eap_sake_common.o
OBJS_both += ../src/eap_common/eap_gpsk_common.o
OBJS_both += ../src/eap_common/chap.o
OBJS_peer += ../src/eap_peer/eap_tls.o
OBJS_peer += ../src/eap_peer/eap_peap.o
OBJS_peer += ../src/eap_peer/eap_ttls.o
OBJS_peer += ../src/eap_peer/eap_md5.o
OBJS_peer += ../src/eap_peer/eap_mschapv2.o
OBJS_peer += ../src/eap_peer/mschapv2.o
OBJS_peer += ../src/eap_peer/eap_otp.o
OBJS_peer += ../src/eap_peer/eap_gtc.o
OBJS_peer += ../src/eap_peer/eap_leap.o
OBJS_peer += ../src/eap_peer/eap_psk.o
OBJS_peer += ../src/eap_peer/eap_pax.o
OBJS_peer += ../src/eap_peer/eap_sake.o
OBJS_peer += ../src/eap_peer/eap_gpsk.o
OBJS_peer += ../src/eap_peer/eap.o
OBJS_peer += ../src/eap_common/eap_common.o
OBJS_peer += ../src/eap_peer/eap_methods.o
OBJS_peer += ../src/eap_peer/eap_tls_common.o
CFLAGS += -DEAP_TLS
CFLAGS += -DEAP_PEAP
CFLAGS += -DEAP_TTLS
CFLAGS += -DEAP_MD5
CFLAGS += -DEAP_MSCHAPv2
CFLAGS += -DEAP_GTC
CFLAGS += -DEAP_OTP
CFLAGS += -DEAP_LEAP
CFLAGS += -DEAP_PSK
CFLAGS += -DEAP_PAX
CFLAGS += -DEAP_SAKE
CFLAGS += -DEAP_GPSK -DEAP_GPSK_SHA256
CFLAGS += -DEAP_SERVER_IDENTITY
CFLAGS += -DEAP_SERVER_TLS
CFLAGS += -DEAP_SERVER_PEAP
CFLAGS += -DEAP_SERVER_TTLS
CFLAGS += -DEAP_SERVER_MD5
CFLAGS += -DEAP_SERVER_MSCHAPV2
CFLAGS += -DEAP_SERVER_GTC
CFLAGS += -DEAP_SERVER_PSK
CFLAGS += -DEAP_SERVER_PAX
CFLAGS += -DEAP_SERVER_SAKE
CFLAGS += -DEAP_SERVER_GPSK -DEAP_SERVER_GPSK_SHA256
CFLAGS += -DIEEE8021X_EAPOL
# Optional components to add EAP server support
OBJS_server += ../src/eap_server/eap_server_tls.o
OBJS_server += ../src/eap_server/eap_server_peap.o
OBJS_server += ../src/eap_server/eap_server_ttls.o
OBJS_server += ../src/eap_server/eap_server_md5.o
OBJS_server += ../src/eap_server/eap_server_mschapv2.o
OBJS_server += ../src/eap_server/eap_server_gtc.o
OBJS_server += ../src/eap_server/eap_server_psk.o
OBJS_server += ../src/eap_server/eap_server_pax.o
OBJS_server += ../src/eap_server/eap_server_sake.o
OBJS_server += ../src/eap_server/eap_server_gpsk.o
OBJS_server += ../src/eap_server/eap_server.o
OBJS_server += ../src/eap_server/eap_server_identity.o
OBJS_server += ../src/eap_server/eap_server_methods.o
OBJS_server += ../src/eap_server/eap_server_tls_common.o
CFLAGS += -DEAP_SERVER
ifndef LDO
LDO=$(CC)
endif
Q=@
E=echo
ifeq ($(V), 1)
Q=
E=true
endif
%.o: %.c
$(Q)$(CC) -c -o $@ $(CFLAGS) $<
@$(E) " CC " $<
OBJS_lib=$(OBJS_both) $(OBJS_peer) $(OBJS_server)
OBJS_ex = eap_example.o eap_example_peer.o eap_example_server.o
../src/utils/libutils.a:
$(MAKE) -C ../src/utils
../src/crypto/libcrypto.a:
$(MAKE) -C ../src/crypto
../src/tls/libtls.a:
$(MAKE) -C ../src/tls
ifneq ($(CONFIG_SOLIB), yes)
LIBEAP = libeap.a
libeap.a: $(OBJS_lib)
$(AR) crT libeap.a $(OBJS_lib)
$(RANLIB) libeap.a
else
CFLAGS += -fPIC -DPIC
LDFLAGS += -shared
LIBEAP = libeap.so
libeap.so: $(OBJS_lib)
$(LDO) $(LDFLAGS) $(OBJS_lib) -o $(LIBEAP)
endif
eap_example: $(OBJS_ex) $(LIBEAP)
$(LDO) $(LDFLAGS) -o eap_example $(OBJS_ex) -L. -leap $(LIBS)
clean:
$(MAKE) -C ../src clean
rm -f core *~ *.o *.d libeap.a libeap.so $(ALL)
-include $(OBJS:%.o=%.d)
external/hostap/eap_example/README
Vendored
+42
View File
@@ -0,0 +1,42 @@
EAP peer/server library and example program
Copyright (c) 2007, Jouni Malinen <j@w1.fi>
This software may be distributed under the terms of the BSD license.
See the parent directory README for more details.
The interfaces of the EAP server/peer implementation are based on RFC
4137 (EAP State Machines). This RFC is coordinated with the state
machines defined in IEEE 802.1X-2004. hostapd and wpa_supplicant
include implementation of the IEEE 802.1X EAPOL state machines and the
interface between them and EAP. However, the EAP implementation can be
used with other protocols, too, by providing a compatible interface
which maps the EAPOL<->EAP variables to another protocol.
This directory contains an example showing how EAP peer and server
code from wpa_supplicant and hostapd can be used as a library. The
example program initializes both an EAP server and an EAP peer
entities and then runs through an EAP-PEAP/MSCHAPv2 authentication.
eap_example_peer.c shows the initialization and glue code needed to
control the EAP peer implementation. eap_example_server.c does the
same for EAP server. eap_example.c is an example that ties in both the
EAP server and client parts to allow an EAP authentication to be
shown.
In this example, the EAP messages are passed between the server and
the peer are passed by direct function calls within the same process.
In practice, server and peer functionalities would likely reside in
separate devices and the EAP messages would be transmitted between the
devices based on an external protocol. For example, in IEEE 802.11
uses IEEE 802.1X EAPOL state machines to control the transmission of
EAP messages and WiMax supports optional PMK EAP authentication
mechanism that transmits EAP messages as defined in IEEE 802.16e.
The EAP library links in number of helper functions from src/utils and
src/crypto directories. Most of these are suitable as-is, but it may
be desirable to replace the debug output code in src/utils/wpa_debug.c
by dropping this file from the library and re-implementing the
functions there in a way that better fits in with the main
application.
external/hostap/eap_example/ca.pem
Vendored
+19
View File
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDBzCCAnCgAwIBAgIJAIb4NS4TdLXUMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQ4wDAYDVQQKEwV3MS5maTEQMA4G
A1UEAxMHVGVzdCBDQTEbMBkGCSqGSIb3DQEJARYMdGVzdGNhQHcxLmZpMB4XDTA3
MTIwOTAzMTQzN1oXDTE3MTIwNjAzMTQzN1owYTELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCkNhbGlmb3JuaWExDjAMBgNVBAoTBXcxLmZpMRAwDgYDVQQDEwdUZXN0IENB
MRswGQYJKoZIhvcNAQkBFgx0ZXN0Y2FAdzEuZmkwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAO6GoecRclnILh9FTvqnY/yUZmeJDgC+3/PQiicpMDhAzCkWAmi+
a1LSnqakNN/GdCy3q053TFLFEzhEHkhhRwY/zzj2vZIcFZESoUhr67CzCpcPmTGa
AfOzsGPjaH6xYcaOR4RZMfXd/EKfAauHxj3LuCusLL5hK/FwxWhQJNJrAgMBAAGj
gcYwgcMwHQYDVR0OBBYEFKhJuSLJ6JhcB/dRgB8j0h9mOlpKMIGTBgNVHSMEgYsw
gYiAFKhJuSLJ6JhcB/dRgB8j0h9mOlpKoWWkYzBhMQswCQYDVQQGEwJVUzETMBEG
A1UECBMKQ2FsaWZvcm5pYTEOMAwGA1UEChMFdzEuZmkxEDAOBgNVBAMTB1Rlc3Qg
Q0ExGzAZBgkqhkiG9w0BCQEWDHRlc3RjYUB3MS5maYIJAIb4NS4TdLXUMAwGA1Ud
EwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAuU+5Uerq+n8WgiIsiANT3wUoGe2Y
cnoQi2nVjUHrivgMDufH0tgh1AVfc3wVNNREdGC136qr1KBNqalQx2rKZ76xeNqW
sQa2LIC2wE7Q7LJsltUcUjPyZHGUhBqWjKsCvlonfNB6JHkEayTEvVvyupgzTsxW
QuuRdZ0sNv/S8VI=
-----END CERTIFICATE-----
external/hostap/eap_example/eap_example.c
Vendored
+49
View File
@@ -0,0 +1,49 @@
/*
* Example application showing how EAP peer and server code from
* wpa_supplicant/hostapd can be used as a library. This example program
* initializes both an EAP server and an EAP peer entities and then runs
* through an EAP-PEAP/MSCHAPv2 authentication.
* Copyright (c) 2007, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
int eap_example_peer_init(void);
void eap_example_peer_deinit(void);
int eap_example_peer_step(void);
int eap_example_server_init(void);
void eap_example_server_deinit(void);
int eap_example_server_step(void);
extern int wpa_debug_level;
int main(int argc, char *argv[])
{
int res_s, res_p;
wpa_debug_level = 0;
if (eap_example_peer_init() < 0 ||
eap_example_server_init() < 0)
return -1;
do {
printf("---[ server ]--------------------------------\n");
res_s = eap_example_server_step();
printf("---[ peer ]----------------------------------\n");
res_p = eap_example_peer_step();
} while (res_s || res_p);
eap_example_peer_deinit();
eap_example_server_deinit();
return 0;
}
external/hostap/eap_example/eap_example_peer.c
Vendored
+372
View File
@@ -0,0 +1,372 @@
/*
* Example application showing how EAP peer code from wpa_supplicant can be
* used as a library.
* Copyright (c) 2007, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "eap_peer/eap.h"
#include "eap_peer/eap_config.h"
#include "wpabuf.h"
void eap_example_server_rx(const u8 *data, size_t data_len);
struct eap_peer_ctx {
Boolean eapSuccess;
Boolean eapRestart;
Boolean eapFail;
Boolean eapResp;
Boolean eapNoResp;
Boolean eapReq;
Boolean portEnabled;
Boolean altAccept; /* for EAP */
Boolean altReject; /* for EAP */
struct wpabuf *eapReqData; /* for EAP */
unsigned int idleWhile; /* for EAP state machine */
struct eap_peer_config eap_config;
struct eap_sm *eap;
};
static struct eap_peer_ctx eap_ctx;
static struct eap_peer_config * peer_get_config(void *ctx)
{
struct eap_peer_ctx *peer = ctx;
return &peer->eap_config;
}
static Boolean peer_get_bool(void *ctx, enum eapol_bool_var variable)
{
struct eap_peer_ctx *peer = ctx;
if (peer == NULL)
return FALSE;
switch (variable) {
case EAPOL_eapSuccess:
return peer->eapSuccess;
case EAPOL_eapRestart:
return peer->eapRestart;
case EAPOL_eapFail:
return peer->eapFail;
case EAPOL_eapResp:
return peer->eapResp;
case EAPOL_eapNoResp:
return peer->eapNoResp;
case EAPOL_eapReq:
return peer->eapReq;
case EAPOL_portEnabled:
return peer->portEnabled;
case EAPOL_altAccept:
return peer->altAccept;
case EAPOL_altReject:
return peer->altReject;
}
return FALSE;
}
static void peer_set_bool(void *ctx, enum eapol_bool_var variable,
Boolean value)
{
struct eap_peer_ctx *peer = ctx;
if (peer == NULL)
return;
switch (variable) {
case EAPOL_eapSuccess:
peer->eapSuccess = value;
break;
case EAPOL_eapRestart:
peer->eapRestart = value;
break;
case EAPOL_eapFail:
peer->eapFail = value;
break;
case EAPOL_eapResp:
peer->eapResp = value;
break;
case EAPOL_eapNoResp:
peer->eapNoResp = value;
break;
case EAPOL_eapReq:
peer->eapReq = value;
break;
case EAPOL_portEnabled:
peer->portEnabled = value;
break;
case EAPOL_altAccept:
peer->altAccept = value;
break;
case EAPOL_altReject:
peer->altReject = value;
break;
}
}
static unsigned int peer_get_int(void *ctx, enum eapol_int_var variable)
{
struct eap_peer_ctx *peer = ctx;
if (peer == NULL)
return 0;
switch (variable) {
case EAPOL_idleWhile:
return peer->idleWhile;
}
return 0;
}
static void peer_set_int(void *ctx, enum eapol_int_var variable,
unsigned int value)
{
struct eap_peer_ctx *peer = ctx;
if (peer == NULL)
return;
switch (variable) {
case EAPOL_idleWhile:
peer->idleWhile = value;
break;
}
}
static struct wpabuf * peer_get_eapReqData(void *ctx)
{
struct eap_peer_ctx *peer = ctx;
if (peer == NULL || peer->eapReqData == NULL)
return NULL;
return peer->eapReqData;
}
static void peer_set_config_blob(void *ctx, struct wpa_config_blob *blob)
{
printf("TODO: %s\n", __func__);
}
static const struct wpa_config_blob *
peer_get_config_blob(void *ctx, const char *name)
{
printf("TODO: %s\n", __func__);
return NULL;
}
static void peer_notify_pending(void *ctx)
{
printf("TODO: %s\n", __func__);
}
static int eap_peer_register_methods(void)
{
int ret = 0;
#ifdef EAP_MD5
if (ret == 0)
ret = eap_peer_md5_register();
#endif /* EAP_MD5 */
#ifdef EAP_TLS
if (ret == 0)
ret = eap_peer_tls_register();
#endif /* EAP_TLS */
#ifdef EAP_MSCHAPv2
if (ret == 0)
ret = eap_peer_mschapv2_register();
#endif /* EAP_MSCHAPv2 */
#ifdef EAP_PEAP
if (ret == 0)
ret = eap_peer_peap_register();
#endif /* EAP_PEAP */
#ifdef EAP_TTLS
if (ret == 0)
ret = eap_peer_ttls_register();
#endif /* EAP_TTLS */
#ifdef EAP_GTC
if (ret == 0)
ret = eap_peer_gtc_register();
#endif /* EAP_GTC */
#ifdef EAP_OTP
if (ret == 0)
ret = eap_peer_otp_register();
#endif /* EAP_OTP */
#ifdef EAP_SIM
if (ret == 0)
ret = eap_peer_sim_register();
#endif /* EAP_SIM */
#ifdef EAP_LEAP
if (ret == 0)
ret = eap_peer_leap_register();
#endif /* EAP_LEAP */
#ifdef EAP_PSK
if (ret == 0)
ret = eap_peer_psk_register();
#endif /* EAP_PSK */
#ifdef EAP_AKA
if (ret == 0)
ret = eap_peer_aka_register();
#endif /* EAP_AKA */
#ifdef EAP_AKA_PRIME
if (ret == 0)
ret = eap_peer_aka_prime_register();
#endif /* EAP_AKA_PRIME */
#ifdef EAP_FAST
if (ret == 0)
ret = eap_peer_fast_register();
#endif /* EAP_FAST */
#ifdef EAP_PAX
if (ret == 0)
ret = eap_peer_pax_register();
#endif /* EAP_PAX */
#ifdef EAP_SAKE
if (ret == 0)
ret = eap_peer_sake_register();
#endif /* EAP_SAKE */
#ifdef EAP_GPSK
if (ret == 0)
ret = eap_peer_gpsk_register();
#endif /* EAP_GPSK */
#ifdef EAP_WSC
if (ret == 0)
ret = eap_peer_wsc_register();
#endif /* EAP_WSC */
#ifdef EAP_IKEV2
if (ret == 0)
ret = eap_peer_ikev2_register();
#endif /* EAP_IKEV2 */
#ifdef EAP_VENDOR_TEST
if (ret == 0)
ret = eap_peer_vendor_test_register();
#endif /* EAP_VENDOR_TEST */
#ifdef EAP_TNC
if (ret == 0)
ret = eap_peer_tnc_register();
#endif /* EAP_TNC */
return ret;
}
static struct eapol_callbacks eap_cb;
static struct eap_config eap_conf;
int eap_example_peer_init(void)
{
if (eap_peer_register_methods() < 0)
return -1;
os_memset(&eap_ctx, 0, sizeof(eap_ctx));
eap_ctx.eap_config.identity = (u8 *) os_strdup("user");
eap_ctx.eap_config.identity_len = 4;
eap_ctx.eap_config.password = (u8 *) os_strdup("password");
eap_ctx.eap_config.password_len = 8;
eap_ctx.eap_config.ca_cert = (u8 *) os_strdup("ca.pem");
eap_ctx.eap_config.fragment_size = 1398;
os_memset(&eap_cb, 0, sizeof(eap_cb));
eap_cb.get_config = peer_get_config;
eap_cb.get_bool = peer_get_bool;
eap_cb.set_bool = peer_set_bool;
eap_cb.get_int = peer_get_int;
eap_cb.set_int = peer_set_int;
eap_cb.get_eapReqData = peer_get_eapReqData;
eap_cb.set_config_blob = peer_set_config_blob;
eap_cb.get_config_blob = peer_get_config_blob;
eap_cb.notify_pending = peer_notify_pending;
os_memset(&eap_conf, 0, sizeof(eap_conf));
eap_ctx.eap = eap_peer_sm_init(&eap_ctx, &eap_cb, &eap_ctx, &eap_conf);
if (eap_ctx.eap == NULL)
return -1;
/* Enable "port" to allow authentication */
eap_ctx.portEnabled = TRUE;
return 0;
}
void eap_example_peer_deinit(void)
{
eap_peer_sm_deinit(eap_ctx.eap);
eap_peer_unregister_methods();
wpabuf_free(eap_ctx.eapReqData);
os_free(eap_ctx.eap_config.identity);
os_free(eap_ctx.eap_config.password);
os_free(eap_ctx.eap_config.ca_cert);
}
int eap_example_peer_step(void)
{
int res;
res = eap_peer_sm_step(eap_ctx.eap);
if (eap_ctx.eapResp) {
struct wpabuf *resp;
printf("==> Response\n");
eap_ctx.eapResp = FALSE;
resp = eap_get_eapRespData(eap_ctx.eap);
if (resp) {
/* Send EAP response to the server */
eap_example_server_rx(wpabuf_head(resp),
wpabuf_len(resp));
wpabuf_free(resp);
}
}
if (eap_ctx.eapSuccess) {
res = 0;
if (eap_key_available(eap_ctx.eap)) {
const u8 *key;
size_t key_len;
key = eap_get_eapKeyData(eap_ctx.eap, &key_len);
wpa_hexdump(MSG_DEBUG, "EAP keying material",
key, key_len);
}
}
return res;
}
void eap_example_peer_rx(const u8 *data, size_t data_len)
{
/* Make received EAP message available to the EAP library */
eap_ctx.eapReq = TRUE;
wpabuf_free(eap_ctx.eapReqData);
eap_ctx.eapReqData = wpabuf_alloc_copy(data, data_len);
}
external/hostap/eap_example/eap_example_server.c
Vendored
+295
View File
@@ -0,0 +1,295 @@
/*
* Example application showing how EAP server code from hostapd can be used as
* a library.
* Copyright (c) 2007, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "crypto/tls.h"
#include "eap_server/eap.h"
#include "wpabuf.h"
void eap_example_peer_rx(const u8 *data, size_t data_len);
struct eap_server_ctx {
struct eap_eapol_interface *eap_if;
struct eap_sm *eap;
void *tls_ctx;
};
static struct eap_server_ctx eap_ctx;
static int server_get_eap_user(void *ctx, const u8 *identity,
size_t identity_len, int phase2,
struct eap_user *user)
{
os_memset(user, 0, sizeof(*user));
if (!phase2) {
/* Only allow EAP-PEAP as the Phase 1 method */
user->methods[0].vendor = EAP_VENDOR_IETF;
user->methods[0].method = EAP_TYPE_PEAP;
return 0;
}
if (identity_len != 4 || identity == NULL ||
os_memcmp(identity, "user", 4) != 0) {
printf("Unknown user\n");
return -1;
}
/* Only allow EAP-MSCHAPv2 as the Phase 2 method */
user->methods[0].vendor = EAP_VENDOR_IETF;
user->methods[0].method = EAP_TYPE_MSCHAPV2;
user->password = (u8 *) os_strdup("password");
user->password_len = 8;
return 0;
}
static const char * server_get_eap_req_id_text(void *ctx, size_t *len)
{
*len = 0;
return NULL;
}
static struct eapol_callbacks eap_cb;
static struct eap_config eap_conf;
static int eap_example_server_init_tls(void)
{
struct tls_config tconf;
struct tls_connection_params tparams;
os_memset(&tconf, 0, sizeof(tconf));
eap_ctx.tls_ctx = tls_init(&tconf);
if (eap_ctx.tls_ctx == NULL)
return -1;
os_memset(&tparams, 0, sizeof(tparams));
tparams.ca_cert = "ca.pem";
tparams.client_cert = "server.pem";
/* tparams.private_key = "server.key"; */
tparams.private_key = "server-key.pem";
/* tparams.private_key_passwd = "whatever"; */
if (tls_global_set_params(eap_ctx.tls_ctx, &tparams)) {
printf("Failed to set TLS parameters\n");
return -1;
}
if (tls_global_set_verify(eap_ctx.tls_ctx, 0)) {
printf("Failed to set check_crl\n");
return -1;
}
return 0;
}
static int eap_server_register_methods(void)
{
int ret = 0;
#ifdef EAP_SERVER_IDENTITY
if (ret == 0)
ret = eap_server_identity_register();
#endif /* EAP_SERVER_IDENTITY */
#ifdef EAP_SERVER_MD5
if (ret == 0)
ret = eap_server_md5_register();
#endif /* EAP_SERVER_MD5 */
#ifdef EAP_SERVER_TLS
if (ret == 0)
ret = eap_server_tls_register();
#endif /* EAP_SERVER_TLS */
#ifdef EAP_SERVER_MSCHAPV2
if (ret == 0)
ret = eap_server_mschapv2_register();
#endif /* EAP_SERVER_MSCHAPV2 */
#ifdef EAP_SERVER_PEAP
if (ret == 0)
ret = eap_server_peap_register();
#endif /* EAP_SERVER_PEAP */
#ifdef EAP_SERVER_TLV
if (ret == 0)
ret = eap_server_tlv_register();
#endif /* EAP_SERVER_TLV */
#ifdef EAP_SERVER_GTC
if (ret == 0)
ret = eap_server_gtc_register();
#endif /* EAP_SERVER_GTC */
#ifdef EAP_SERVER_TTLS
if (ret == 0)
ret = eap_server_ttls_register();
#endif /* EAP_SERVER_TTLS */
#ifdef EAP_SERVER_SIM
if (ret == 0)
ret = eap_server_sim_register();
#endif /* EAP_SERVER_SIM */
#ifdef EAP_SERVER_AKA
if (ret == 0)
ret = eap_server_aka_register();
#endif /* EAP_SERVER_AKA */
#ifdef EAP_SERVER_AKA_PRIME
if (ret == 0)
ret = eap_server_aka_prime_register();
#endif /* EAP_SERVER_AKA_PRIME */
#ifdef EAP_SERVER_PAX
if (ret == 0)
ret = eap_server_pax_register();
#endif /* EAP_SERVER_PAX */
#ifdef EAP_SERVER_PSK
if (ret == 0)
ret = eap_server_psk_register();
#endif /* EAP_SERVER_PSK */
#ifdef EAP_SERVER_SAKE
if (ret == 0)
ret = eap_server_sake_register();
#endif /* EAP_SERVER_SAKE */
#ifdef EAP_SERVER_GPSK
if (ret == 0)
ret = eap_server_gpsk_register();
#endif /* EAP_SERVER_GPSK */
#ifdef EAP_SERVER_VENDOR_TEST
if (ret == 0)
ret = eap_server_vendor_test_register();
#endif /* EAP_SERVER_VENDOR_TEST */
#ifdef EAP_SERVER_FAST
if (ret == 0)
ret = eap_server_fast_register();
#endif /* EAP_SERVER_FAST */
#ifdef EAP_SERVER_WSC
if (ret == 0)
ret = eap_server_wsc_register();
#endif /* EAP_SERVER_WSC */
#ifdef EAP_SERVER_IKEV2
if (ret == 0)
ret = eap_server_ikev2_register();
#endif /* EAP_SERVER_IKEV2 */
#ifdef EAP_SERVER_TNC
if (ret == 0)
ret = eap_server_tnc_register();
#endif /* EAP_SERVER_TNC */
return ret;
}
int eap_example_server_init(void)
{
if (eap_server_register_methods() < 0)
return -1;
os_memset(&eap_ctx, 0, sizeof(eap_ctx));
if (eap_example_server_init_tls() < 0)
return -1;
os_memset(&eap_cb, 0, sizeof(eap_cb));
eap_cb.get_eap_user = server_get_eap_user;
eap_cb.get_eap_req_id_text = server_get_eap_req_id_text;
os_memset(&eap_conf, 0, sizeof(eap_conf));
eap_conf.eap_server = 1;
eap_conf.ssl_ctx = eap_ctx.tls_ctx;
eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf);
if (eap_ctx.eap == NULL)
return -1;
eap_ctx.eap_if = eap_get_interface(eap_ctx.eap);
/* Enable "port" and request EAP to start authentication. */
eap_ctx.eap_if->portEnabled = TRUE;
eap_ctx.eap_if->eapRestart = TRUE;
return 0;
}
void eap_example_server_deinit(void)
{
eap_server_sm_deinit(eap_ctx.eap);
eap_server_unregister_methods();
tls_deinit(eap_ctx.tls_ctx);
}
int eap_example_server_step(void)
{
int res, process = 0;
res = eap_server_sm_step(eap_ctx.eap);
if (eap_ctx.eap_if->eapReq) {
printf("==> Request\n");
process = 1;
eap_ctx.eap_if->eapReq = 0;
}
if (eap_ctx.eap_if->eapSuccess) {
printf("==> Success\n");
process = 1;
res = 0;
eap_ctx.eap_if->eapSuccess = 0;
if (eap_ctx.eap_if->eapKeyAvailable) {
wpa_hexdump(MSG_DEBUG, "EAP keying material",
eap_ctx.eap_if->eapKeyData,
eap_ctx.eap_if->eapKeyDataLen);
}
}
if (eap_ctx.eap_if->eapFail) {
printf("==> Fail\n");
process = 1;
eap_ctx.eap_if->eapFail = 0;
}
if (process && eap_ctx.eap_if->eapReqData) {
/* Send EAP response to the server */
eap_example_peer_rx(wpabuf_head(eap_ctx.eap_if->eapReqData),
wpabuf_len(eap_ctx.eap_if->eapReqData));
}
return res;
}
void eap_example_server_rx(const u8 *data, size_t data_len)
{
/* Make received EAP message available to the EAP library */
wpabuf_free(eap_ctx.eap_if->eapRespData);
eap_ctx.eap_if->eapRespData = wpabuf_alloc_copy(data, data_len);
if (eap_ctx.eap_if->eapRespData)
eap_ctx.eap_if->eapResp = TRUE;
}
external/hostap/eap_example/server-key.pem
Vendored
+15
View File
@@ -0,0 +1,15 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDToYuDPmjEWu+/Aj0RVWTSb07sX6dAkPnrTaUjZAG5AhjRqJWz
zD50kFmVKi+R7GgS5tlGzLUtokdwjuSUAmz8tMXwIwmVeS0HluFDVSi94XbVRczE
+nyoDigg1RGyy1mc3t5RG84bvNatq98OceJag4ngh8L8I4k1qTLRMlyBJwIDAQAB
AoGAP+v0asDn/h8FeSkg7uJfIJyUNxsxNnRTuHnsXkMvrgTvICyOgw828hhDpqVm
VuoUCVmG2Tatpsn0UBApBHezGRh0u1syWoGM8fiDvZmoYmhFe5FxKnftg3KNXhDf
Agk4OxwNNPBXpQFQP+GNxh6Qs7FEkYHLRh/J7vC0+wp3UWECQQDzcTQZXqYPow5M
uinL819HKfh1n2257w1HGvw8cMCiYbKRyR74Q18TJcxuEyEwnPrg5ZGpMPDKiIOU
SlgAMLBXAkEA3oxBpRue1Kqb2+Fq6lhZ7PQiZC5F69upIb/wxbk8ByImEl1pUKFW
rV+YoKujbnj77PmMq1+R0dFkT1ai3zDzsQJBAMa3CUgMMpFhEDMhYyzQJF36rI2W
7gJwV+5K4MqVXyktho3qFhWhKOKAYDcZ9mWwPjmGKzhocqVgecd6SAsfs1ECQA7r
xHL3eRy1G6IQaQSxS8YxUCT7XUDFB3/1yITZOIcZ6QeOL8NyLceOA0OyflCn1+w5
hw7uZ25z5Y/UNTNVquECQEgto3zPneEW06qkEnRz9EbLtWR3nRBS/QGrjOFNUuln
pNhVUH4RB17Kk35xveUTz4U/Iw/WRfGNjFLHrtR/5xk=
-----END RSA PRIVATE KEY-----
external/hostap/eap_example/server.key
Vendored
BIN
View File
Binary file not shown.
external/hostap/eap_example/server.pem
Vendored
+18
View File
@@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----
MIIC0zCCAjygAwIBAgIJAIb4NS4TdLXVMA0GCSqGSIb3DQEBBQUAMGExCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMQ4wDAYDVQQKEwV3MS5maTEQMA4G
A1UEAxMHVGVzdCBDQTEbMBkGCSqGSIb3DQEJARYMdGVzdGNhQHcxLmZpMB4XDTA3
MTIwOTAzMTUwOFoXDTE3MTIwNjAzMTUwOFoweTELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xDjAMBgNVBAoT
BXcxLmZpMRAwDgYDVQQDEwdUZXN0IEFTMRswGQYJKoZIhvcNAQkBFgx0ZXN0YXNA
dzEuZmkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANOhi4M+aMRa778CPRFV
ZNJvTuxfp0CQ+etNpSNkAbkCGNGolbPMPnSQWZUqL5HsaBLm2UbMtS2iR3CO5JQC
bPy0xfAjCZV5LQeW4UNVKL3hdtVFzMT6fKgOKCDVEbLLWZze3lEbzhu81q2r3w5x
4lqDieCHwvwjiTWpMtEyXIEnAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4
QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRb
xGTC3mPimgyGb5vYLLV5wyc9ITAfBgNVHSMEGDAWgBSoSbkiyeiYXAf3UYAfI9If
ZjpaSjANBgkqhkiG9w0BAQUFAAOBgQA9wVGtroz/rsx1EeALJejW01SAr4kpTxoS
WP6zuWFb+J/lJd7DeVM6/QBYAwZb0fB6nwSpJJCj6XDRZtN/yLeaTd/rCZrfom4Z
8gbkWMTXDn2Cea2VnCe5W0gK+4dIj5DD5CpPvgt4lYqlwN0WAih6twd7Q4x/tiiJ
ejNQzlTHOg==
-----END CERTIFICATE-----
external/hostap/hostapd/.config
Vendored
+21
View File
@@ -0,0 +1,21 @@
# Driver interface for ATHEROS-AR600x driver
CONFIG_DRIVER_AR6000=y
AR6K_ROOT=$(WORKAREA)
CFLAGS += -I$(AR6K_ROOT)/include
CFLAGS += -I$(AR6K_ROOT)/host/include
CFLAGS += -I$(AR6K_ROOT)/host/os/linux/include
CFLAGS += -I$(AR6K_ROOT)/host/wlan/include
CONFIG_EAP=y
CONFIG_WPS=y
CONFIG_WPS2=y
CONFIG_WPS_UPNP=y
CONFIG_EAP_TLS=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y
external/hostap/hostapd/Android.mk
Vendored
+852
View File
@@ -0,0 +1,852 @@
# Copyright (C) 2008 The Android Open Source Project
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.
#
LOCAL_PATH := $(call my-dir)
WPA_BUILD_HOSTAPD := false
ifneq ($(BOARD_HOSTAPD_DRIVER),)
WPA_BUILD_HOSTAPD := true
CONFIG_DRIVER_$(BOARD_HOSTAPD_DRIVER) := y
endif
ifeq ($(WPA_BUILD_HOSTAPD),true)
include $(LOCAL_PATH)/android.config
# To ignore possible wrong network configurations
L_CFLAGS = -DWPA_IGNORE_CONFIG_ERRORS
L_CFLAGS += -DVERSION_STR_POSTFIX=\"-$(PLATFORM_VERSION)\"
# Set Android log name
L_CFLAGS += -DANDROID_LOG_NAME=\"hostapd\"
# To force sizeof(enum) = 4
ifeq ($(TARGET_ARCH),arm)
L_CFLAGS += -mabi=aapcs-linux
endif
# To allow non-ASCII characters in SSID
L_CFLAGS += -DWPA_UNICODE_SSID
# OpenSSL is configured without engines on Android
L_CFLAGS += -DOPENSSL_NO_ENGINE
INCLUDES = $(LOCAL_PATH)
INCLUDES += $(LOCAL_PATH)/src
INCLUDES += $(LOCAL_PATH)/src/utils
INCLUDES += external/openssl/include
INCLUDES += frameworks/base/cmds/keystore
ifdef CONFIG_DRIVER_NL80211
INCLUDES += external/libnl-headers
endif
ifndef CONFIG_OS
ifdef CONFIG_NATIVE_WINDOWS
CONFIG_OS=win32
else
CONFIG_OS=unix
endif
endif
ifeq ($(CONFIG_OS), internal)
L_CFLAGS += -DOS_NO_C_LIB_DEFINES
endif
ifdef CONFIG_NATIVE_WINDOWS
L_CFLAGS += -DCONFIG_NATIVE_WINDOWS
LIBS += -lws2_32
endif
OBJS = main.c
OBJS += config_file.c
OBJS += src/ap/hostapd.c
OBJS += src/ap/wpa_auth_glue.c
OBJS += src/ap/drv_callbacks.c
OBJS += src/ap/ap_drv_ops.c
OBJS += src/ap/utils.c
OBJS += src/ap/authsrv.c
OBJS += src/ap/ieee802_1x.c
OBJS += src/ap/ap_config.c
OBJS += src/ap/ieee802_11_auth.c
OBJS += src/ap/sta_info.c
OBJS += src/ap/wpa_auth.c
OBJS += src/ap/tkip_countermeasures.c
OBJS += src/ap/ap_mlme.c
OBJS += src/ap/wpa_auth_ie.c
OBJS += src/ap/preauth_auth.c
OBJS += src/ap/pmksa_cache_auth.c
OBJS += src/ap/ieee802_11_shared.c
OBJS += src/ap/beacon.c
OBJS_d =
OBJS_p =
LIBS =
LIBS_c =
HOBJS =
LIBS_h =
NEED_RC4=y
NEED_AES=y
NEED_MD5=y
NEED_SHA1=y
OBJS += src/drivers/drivers.c
L_CFLAGS += -DHOSTAPD
ifdef CONFIG_WPA_TRACE
L_CFLAGS += -DWPA_TRACE
OBJS += src/utils/trace.c
HOBJS += src/utils/trace.c
LDFLAGS += -rdynamic
L_CFLAGS += -funwind-tables
ifdef CONFIG_WPA_TRACE_BFD
L_CFLAGS += -DWPA_TRACE_BFD
LIBS += -lbfd
LIBS_c += -lbfd
LIBS_h += -lbfd
endif
endif
OBJS += src/utils/eloop.c
OBJS += src/utils/common.c
OBJS += src/utils/wpa_debug.c
OBJS += src/utils/wpabuf.c
OBJS += src/utils/os_$(CONFIG_OS).c
OBJS += src/utils/ip_addr.c
OBJS += src/common/ieee802_11_common.c
OBJS += src/common/wpa_common.c
OBJS += src/eapol_auth/eapol_auth_sm.c
ifndef CONFIG_NO_DUMP_STATE
# define HOSTAPD_DUMP_STATE to include SIGUSR1 handler for dumping state to
# a file (undefine it, if you want to save in binary size)
L_CFLAGS += -DHOSTAPD_DUMP_STATE
OBJS += dump_state.c
OBJS += src/eapol_auth/eapol_auth_dump.c
endif
ifdef CONFIG_NO_RADIUS
L_CFLAGS += -DCONFIG_NO_RADIUS
CONFIG_NO_ACCOUNTING=y
else
OBJS += src/radius/radius.c
OBJS += src/radius/radius_client.c
endif
ifdef CONFIG_NO_ACCOUNTING
L_CFLAGS += -DCONFIG_NO_ACCOUNTING
else
OBJS += src/ap/accounting.c
endif
ifdef CONFIG_NO_VLAN
L_CFLAGS += -DCONFIG_NO_VLAN
else
OBJS += src/ap/vlan_init.c
ifdef CONFIG_VLAN_NETLINK
ifdef CONFIG_FULL_DYNAMIC_VLAN
OBJS += src/ap/vlan_util.c
endif
L_CFLAGS += -DCONFIG_VLAN_NETLINK
endif
endif
ifdef CONFIG_NO_CTRL_IFACE
L_CFLAGS += -DCONFIG_NO_CTRL_IFACE
else
OBJS += ctrl_iface.c
OBJS += src/ap/ctrl_iface_ap.c
endif
OBJS += src/crypto/md5.c
L_CFLAGS += -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX
ifdef CONFIG_IAPP
L_CFLAGS += -DCONFIG_IAPP
OBJS += src/ap/iapp.c
endif
ifdef CONFIG_RSN_PREAUTH
L_CFLAGS += -DCONFIG_RSN_PREAUTH
CONFIG_L2_PACKET=y
endif
ifdef CONFIG_PEERKEY
L_CFLAGS += -DCONFIG_PEERKEY
OBJS += src/ap/peerkey_auth.c
endif
ifdef CONFIG_IEEE80211W
L_CFLAGS += -DCONFIG_IEEE80211W
NEED_SHA256=y
NEED_AES_OMAC1=y
endif
ifdef CONFIG_IEEE80211R
L_CFLAGS += -DCONFIG_IEEE80211R
OBJS += src/ap/wpa_auth_ft.c
NEED_SHA256=y
NEED_AES_OMAC1=y
NEED_AES_UNWRAP=y
endif
ifdef CONFIG_IEEE80211N
L_CFLAGS += -DCONFIG_IEEE80211N
endif
include $(LOCAL_PATH)/src/drivers/drivers.mk
OBJS += $(DRV_AP_OBJS)
L_CFLAGS += $(DRV_AP_CFLAGS)
LDFLAGS += $(DRV_AP_LDFLAGS)
LIBS += $(DRV_AP_LIBS)
ifdef CONFIG_L2_PACKET
ifdef CONFIG_DNET_PCAP
ifdef CONFIG_L2_FREEBSD
LIBS += -lpcap
OBJS += src/l2_packet/l2_packet_freebsd.c
else
LIBS += -ldnet -lpcap
OBJS += src/l2_packet/l2_packet_pcap.c
endif
else
OBJS += src/l2_packet/l2_packet_linux.c
endif
else
OBJS += src/l2_packet/l2_packet_none.c
endif
ifdef CONFIG_EAP_MD5
L_CFLAGS += -DEAP_SERVER_MD5
OBJS += src/eap_server/eap_server_md5.c
CHAP=y
endif
ifdef CONFIG_EAP_TLS
L_CFLAGS += -DEAP_SERVER_TLS
OBJS += src/eap_server/eap_server_tls.c
TLS_FUNCS=y
endif
ifdef CONFIG_EAP_PEAP
L_CFLAGS += -DEAP_SERVER_PEAP
OBJS += src/eap_server/eap_server_peap.c
OBJS += src/eap_common/eap_peap_common.c
TLS_FUNCS=y
CONFIG_EAP_MSCHAPV2=y
endif
ifdef CONFIG_EAP_TTLS
L_CFLAGS += -DEAP_SERVER_TTLS
OBJS += src/eap_server/eap_server_ttls.c
TLS_FUNCS=y
CHAP=y
endif
ifdef CONFIG_EAP_MSCHAPV2
L_CFLAGS += -DEAP_SERVER_MSCHAPV2
OBJS += src/eap_server/eap_server_mschapv2.c
MS_FUNCS=y
endif
ifdef CONFIG_EAP_GTC
L_CFLAGS += -DEAP_SERVER_GTC
OBJS += src/eap_server/eap_server_gtc.c
endif
ifdef CONFIG_EAP_SIM
L_CFLAGS += -DEAP_SERVER_SIM
OBJS += src/eap_server/eap_server_sim.c
CONFIG_EAP_SIM_COMMON=y
NEED_AES_CBC=y
endif
ifdef CONFIG_EAP_AKA
L_CFLAGS += -DEAP_SERVER_AKA
OBJS += src/eap_server/eap_server_aka.c
CONFIG_EAP_SIM_COMMON=y
NEED_SHA256=y
NEED_AES_CBC=y
endif
ifdef CONFIG_EAP_AKA_PRIME
L_CFLAGS += -DEAP_SERVER_AKA_PRIME
endif
ifdef CONFIG_EAP_SIM_COMMON
OBJS += src/eap_common/eap_sim_common.c
# Example EAP-SIM/AKA interface for GSM/UMTS authentication. This can be
# replaced with another file implementating the interface specified in
# eap_sim_db.h.
OBJS += src/eap_server/eap_sim_db.c
NEED_FIPS186_2_PRF=y
endif
ifdef CONFIG_EAP_PAX
L_CFLAGS += -DEAP_SERVER_PAX
OBJS += src/eap_server/eap_server_pax.c src/eap_common/eap_pax_common.c
endif
ifdef CONFIG_EAP_PSK
L_CFLAGS += -DEAP_SERVER_PSK
OBJS += src/eap_server/eap_server_psk.c src/eap_common/eap_psk_common.c
NEED_AES_OMAC1=y
NEED_AES_ENCBLOCK=y
NEED_AES_EAX=y
endif
ifdef CONFIG_EAP_SAKE
L_CFLAGS += -DEAP_SERVER_SAKE
OBJS += src/eap_server/eap_server_sake.c src/eap_common/eap_sake_common.c
endif
ifdef CONFIG_EAP_GPSK
L_CFLAGS += -DEAP_SERVER_GPSK
OBJS += src/eap_server/eap_server_gpsk.c src/eap_common/eap_gpsk_common.c
ifdef CONFIG_EAP_GPSK_SHA256
L_CFLAGS += -DEAP_SERVER_GPSK_SHA256
endif
NEED_SHA256=y
NEED_AES_OMAC1=y
endif
ifdef CONFIG_EAP_PWD
L_CFLAGS += -DEAP_SERVER_PWD
OBJS += src/eap_server/eap_server_pwd.c src/eap_common/eap_pwd_common.c
NEED_SHA256=y
endif
ifdef CONFIG_EAP_VENDOR_TEST
L_CFLAGS += -DEAP_SERVER_VENDOR_TEST
OBJS += src/eap_server/eap_server_vendor_test.c
endif
ifdef CONFIG_EAP_FAST
L_CFLAGS += -DEAP_SERVER_FAST
OBJS += src/eap_server/eap_server_fast.c
OBJS += src/eap_common/eap_fast_common.c
TLS_FUNCS=y
NEED_T_PRF=y
NEED_AES_UNWRAP=y
endif
ifdef CONFIG_WPS
ifdef CONFIG_WPS2
L_CFLAGS += -DCONFIG_WPS2
endif
L_CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += src/utils/uuid.c
OBJS += src/ap/wps_hostapd.c
OBJS += src/eap_server/eap_server_wsc.c src/eap_common/eap_wsc_common.c
OBJS += src/wps/wps.c
OBJS += src/wps/wps_common.c
OBJS += src/wps/wps_attr_parse.c
OBJS += src/wps/wps_attr_build.c
OBJS += src/wps/wps_attr_process.c
OBJS += src/wps/wps_dev_attr.c
OBJS += src/wps/wps_enrollee.c
OBJS += src/wps/wps_registrar.c
NEED_DH_GROUPS=y
NEED_SHA256=y
NEED_BASE64=y
NEED_AES_CBC=y
NEED_MODEXP=y
CONFIG_EAP=y
ifdef CONFIG_WPS_UFD
L_CFLAGS += -DCONFIG_WPS_UFD
OBJS += src/wps/wps_ufd.c
NEED_WPS_OOB=y
endif
ifdef CONFIG_WPS_NFC
L_CFLAGS += -DCONFIG_WPS_NFC
OBJS += src/wps/ndef.c
OBJS += src/wps/wps_nfc.c
NEED_WPS_OOB=y
ifdef CONFIG_WPS_NFC_PN531
PN531_PATH ?= /usr/local/src/nfc
L_CFLAGS += -DCONFIG_WPS_NFC_PN531
L_CFLAGS += -I${PN531_PATH}/inc
OBJS += src/wps/wps_nfc_pn531.c
LIBS += ${PN531_PATH}/lib/wpsnfc.dll
LIBS += ${PN531_PATH}/lib/libnfc_mapping_pn53x.dll
endif
endif
ifdef NEED_WPS_OOB
L_CFLAGS += -DCONFIG_WPS_OOB
endif
ifdef CONFIG_WPS_UPNP
L_CFLAGS += -DCONFIG_WPS_UPNP
OBJS += src/wps/wps_upnp.c
OBJS += src/wps/wps_upnp_ssdp.c
OBJS += src/wps/wps_upnp_web.c
OBJS += src/wps/wps_upnp_event.c
OBJS += src/wps/wps_upnp_ap.c
OBJS += src/wps/upnp_xml.c
OBJS += src/wps/httpread.c
OBJS += src/wps/http_client.c
OBJS += src/wps/http_server.c
endif
ifdef CONFIG_WPS_STRICT
L_CFLAGS += -DCONFIG_WPS_STRICT
OBJS += src/wps/wps_validate.c
endif
ifdef CONFIG_WPS_TESTING
L_CFLAGS += -DCONFIG_WPS_TESTING
endif
endif
ifdef CONFIG_EAP_IKEV2
L_CFLAGS += -DEAP_SERVER_IKEV2
OBJS += src/eap_server/eap_server_ikev2.c src/eap_server/ikev2.c
OBJS += src/eap_common/eap_ikev2_common.c src/eap_common/ikev2_common.c
NEED_DH_GROUPS=y
NEED_DH_GROUPS_ALL=y
NEED_MODEXP=y
NEED_CIPHER=y
endif
ifdef CONFIG_EAP_TNC
L_CFLAGS += -DEAP_SERVER_TNC
OBJS += src/eap_server/eap_server_tnc.c
OBJS += src/eap_server/tncs.c
NEED_BASE64=y
ifndef CONFIG_DRIVER_BSD
LIBS += -ldl
endif
endif
# Basic EAP functionality is needed for EAPOL
OBJS += eap_register.c
OBJS += src/eap_server/eap_server.c
OBJS += src/eap_common/eap_common.c
OBJS += src/eap_server/eap_server_methods.c
OBJS += src/eap_server/eap_server_identity.c
L_CFLAGS += -DEAP_SERVER_IDENTITY
ifdef CONFIG_EAP
L_CFLAGS += -DEAP_SERVER
endif
ifdef CONFIG_PKCS12
L_CFLAGS += -DPKCS12_FUNCS
endif
ifdef MS_FUNCS
OBJS += src/crypto/ms_funcs.c
NEED_DES=y
NEED_MD4=y
endif
ifdef CHAP
OBJS += src/eap_common/chap.c
endif
ifdef TLS_FUNCS
NEED_DES=y
# Shared TLS functions (needed for EAP_TLS, EAP_PEAP, and EAP_TTLS)
L_CFLAGS += -DEAP_TLS_FUNCS
OBJS += src/eap_server/eap_server_tls_common.c
NEED_TLS_PRF=y
endif
ifndef CONFIG_TLS
CONFIG_TLS=openssl
endif
ifeq ($(CONFIG_TLS), openssl)
ifdef TLS_FUNCS
OBJS += src/crypto/tls_openssl.c
LIBS += -lssl
endif
OBJS += src/crypto/crypto_openssl.c
HOBJS += src/crypto/crypto_openssl.c
ifdef NEED_FIPS186_2_PRF
OBJS += src/crypto/fips_prf_openssl.c
endif
LIBS += -lcrypto
LIBS_h += -lcrypto
endif
ifeq ($(CONFIG_TLS), gnutls)
ifdef TLS_FUNCS
OBJS += src/crypto/tls_gnutls.c
LIBS += -lgnutls -lgpg-error
ifdef CONFIG_GNUTLS_EXTRA
L_CFLAGS += -DCONFIG_GNUTLS_EXTRA
LIBS += -lgnutls-extra
endif
endif
OBJS += src/crypto/crypto_gnutls.c
HOBJS += src/crypto/crypto_gnutls.c
ifdef NEED_FIPS186_2_PRF
OBJS += src/crypto/fips_prf_gnutls.c
endif
LIBS += -lgcrypt
LIBS_h += -lgcrypt
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_TLS), schannel)
ifdef TLS_FUNCS
OBJS += src/crypto/tls_schannel.c
endif
OBJS += src/crypto/crypto_cryptoapi.c
OBJS_p += src/crypto/crypto_cryptoapi.c
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_TLS), nss)
ifdef TLS_FUNCS
OBJS += src/crypto/tls_nss.c
LIBS += -lssl3
endif
OBJS += src/crypto/crypto_nss.c
ifdef NEED_FIPS186_2_PRF
OBJS += src/crypto/fips_prf_nss.c
endif
LIBS += -lnss3
LIBS_h += -lnss3
CONFIG_INTERNAL_MD4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_TLS), internal)
ifndef CONFIG_CRYPTO
CONFIG_CRYPTO=internal
endif
ifdef TLS_FUNCS
OBJS += src/crypto/crypto_internal-rsa.c
OBJS += src/crypto/tls_internal.c
OBJS += src/tls/tlsv1_common.c
OBJS += src/tls/tlsv1_record.c
OBJS += src/tls/tlsv1_cred.c
OBJS += src/tls/tlsv1_server.c
OBJS += src/tls/tlsv1_server_write.c
OBJS += src/tls/tlsv1_server_read.c
OBJS += src/tls/asn1.c
OBJS += src/tls/rsa.c
OBJS += src/tls/x509v3.c
OBJS += src/tls/pkcs1.c
OBJS += src/tls/pkcs5.c
OBJS += src/tls/pkcs8.c
NEED_SHA256=y
NEED_BASE64=y
NEED_TLS_PRF=y
NEED_MODEXP=y
NEED_CIPHER=y
L_CFLAGS += -DCONFIG_TLS_INTERNAL
L_CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
endif
ifdef NEED_CIPHER
NEED_DES=y
OBJS += src/crypto/crypto_internal-cipher.c
endif
ifdef NEED_MODEXP
OBJS += src/crypto/crypto_internal-modexp.c
OBJS += src/tls/bignum.c
endif
ifeq ($(CONFIG_CRYPTO), libtomcrypt)
OBJS += src/crypto/crypto_libtomcrypt.c
LIBS += -ltomcrypt -ltfm
LIBS_h += -ltomcrypt -ltfm
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_CRYPTO), internal)
OBJS += src/crypto/crypto_internal.c
NEED_AES_DEC=y
L_CFLAGS += -DCONFIG_CRYPTO_INTERNAL
ifdef CONFIG_INTERNAL_LIBTOMMATH
L_CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
ifdef CONFIG_INTERNAL_LIBTOMMATH_FAST
L_CFLAGS += -DLTM_FAST
endif
else
LIBS += -ltommath
LIBS_h += -ltommath
endif
CONFIG_INTERNAL_AES=y
CONFIG_INTERNAL_DES=y
CONFIG_INTERNAL_SHA1=y
CONFIG_INTERNAL_MD4=y
CONFIG_INTERNAL_MD5=y
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_CRYPTO), cryptoapi)
OBJS += src/crypto/crypto_cryptoapi.c
OBJS_p += src/crypto/crypto_cryptoapi.c
L_CFLAGS += -DCONFIG_CRYPTO_CRYPTOAPI
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
endif
endif
ifeq ($(CONFIG_TLS), none)
ifdef TLS_FUNCS
OBJS += src/crypto/tls_none.c
L_CFLAGS += -DEAP_TLS_NONE
CONFIG_INTERNAL_AES=y
CONFIG_INTERNAL_SHA1=y
CONFIG_INTERNAL_MD5=y
endif
OBJS += src/crypto/crypto_none.c
OBJS_p += src/crypto/crypto_none.c
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
endif
ifndef TLS_FUNCS
OBJS += src/crypto/tls_none.c
ifeq ($(CONFIG_TLS), internal)
CONFIG_INTERNAL_AES=y
CONFIG_INTERNAL_SHA1=y
CONFIG_INTERNAL_MD5=y
CONFIG_INTERNAL_RC4=y
endif
endif
AESOBJS = # none so far
ifdef CONFIG_INTERNAL_AES
AESOBJS += src/crypto/aes-internal.c src/crypto/aes-internal-enc.c
endif
AESOBJS += src/crypto/aes-wrap.c
ifdef NEED_AES_EAX
AESOBJS += src/crypto/aes-eax.c
NEED_AES_CTR=y
endif
ifdef NEED_AES_CTR
AESOBJS += src/crypto/aes-ctr.c
endif
ifdef NEED_AES_ENCBLOCK
AESOBJS += src/crypto/aes-encblock.c
endif
ifdef NEED_AES_OMAC1
AESOBJS += src/crypto/aes-omac1.c
endif
ifdef NEED_AES_UNWRAP
NEED_AES_DEC=y
AESOBJS += src/crypto/aes-unwrap.c
endif
ifdef NEED_AES_CBC
NEED_AES_DEC=y
AESOBJS += src/crypto/aes-cbc.c
endif
ifdef NEED_AES_DEC
ifdef CONFIG_INTERNAL_AES
AESOBJS += src/crypto/aes-internal-dec.c
endif
endif
ifdef NEED_AES
OBJS += $(AESOBJS)
endif
SHA1OBJS =
ifdef NEED_SHA1
ifneq ($(CONFIG_TLS), openssl)
SHA1OBJS += src/crypto/sha1.c
endif
SHA1OBJS += src/crypto/sha1-prf.c
ifdef CONFIG_INTERNAL_SHA1
SHA1OBJS += src/crypto/sha1-internal.c
ifdef NEED_FIPS186_2_PRF
SHA1OBJS += src/crypto/fips_prf_internal.c
endif
endif
ifneq ($(CONFIG_TLS), openssl)
SHA1OBJS += src/crypto/sha1-pbkdf2.c
endif
ifdef NEED_T_PRF
SHA1OBJS += src/crypto/sha1-tprf.c
endif
ifdef NEED_TLS_PRF
SHA1OBJS += src/crypto/sha1-tlsprf.c
endif
endif
ifdef NEED_SHA1
OBJS += $(SHA1OBJS)
endif
ifdef NEED_MD5
ifdef CONFIG_INTERNAL_MD5
OBJS += src/crypto/md5-internal.c
HOBJS += src/crypto/md5-internal.c
endif
endif
ifdef NEED_MD4
ifdef CONFIG_INTERNAL_MD4
OBJS += src/crypto/md4-internal.c
endif
endif
ifdef NEED_DES
ifdef CONFIG_INTERNAL_DES
OBJS += src/crypto/des-internal.c
endif
endif
ifdef NEED_RC4
ifdef CONFIG_INTERNAL_RC4
OBJS += src/crypto/rc4.c
endif
endif
ifdef NEED_SHA256
L_CFLAGS += -DCONFIG_SHA256
ifneq ($(CONFIG_TLS), openssl)
OBJS += src/crypto/sha256.c
endif
OBJS += src/crypto/sha256-prf.c
ifdef CONFIG_INTERNAL_SHA256
OBJS += src/crypto/sha256-internal.c
endif
ifdef NEED_TLS_PRF_SHA256
OBJS += ../src/crypto/sha256-tlsprf.c
endif
endif
ifdef NEED_DH_GROUPS
OBJS += src/crypto/dh_groups.c
endif
ifdef NEED_DH_GROUPS_ALL
L_CFLAGS += -DALL_DH_GROUPS
endif
ifdef CONFIG_INTERNAL_DH_GROUP5
ifdef NEED_DH_GROUPS
OBJS += src/crypto/dh_group5.c
endif
endif
ifdef CONFIG_NO_RANDOM_POOL
L_CFLAGS += -DCONFIG_NO_RANDOM_POOL
else
OBJS += src/crypto/random.c
HOBJS += src/crypto/random.c
HOBJS += $(SHA1OBJS)
HOBJS += src/crypto/md5.c
endif
ifdef CONFIG_RADIUS_SERVER
L_CFLAGS += -DRADIUS_SERVER
OBJS += src/radius/radius_server.c
endif
ifdef CONFIG_IPV6
L_CFLAGS += -DCONFIG_IPV6
endif
ifdef CONFIG_DRIVER_RADIUS_ACL
L_CFLAGS += -DCONFIG_DRIVER_RADIUS_ACL
endif
ifdef CONFIG_FULL_DYNAMIC_VLAN
# define CONFIG_FULL_DYNAMIC_VLAN to have hostapd manipulate bridges
# and vlan interfaces for the vlan feature.
L_CFLAGS += -DCONFIG_FULL_DYNAMIC_VLAN
endif
ifdef NEED_BASE64
OBJS += src/utils/base64.c
endif
ifdef NEED_AP_MLME
OBJS += src/ap/wmm.c
OBJS += src/ap/ap_list.c
OBJS += src/ap/ieee802_11.c
OBJS += src/ap/hw_features.c
L_CFLAGS += -DNEED_AP_MLME
endif
ifdef CONFIG_IEEE80211N
OBJS += src/ap/ieee802_11_ht.c
endif
ifdef CONFIG_P2P_MANAGER
L_CFLAGS += -DCONFIG_P2P_MANAGER
OBJS += src/ap/p2p_hostapd.c
endif
OBJS += src/drivers/driver_common.c
ifdef CONFIG_NO_STDOUT_DEBUG
L_CFLAGS += -DCONFIG_NO_STDOUT_DEBUG
endif
ifdef CONFIG_DEBUG_FILE
L_CFLAGS += -DCONFIG_DEBUG_FILE
endif
ifdef CONFIG_ANDROID_LOG
L_CFLAGS += -DCONFIG_ANDROID_LOG
endif
OBJS_c = hostapd_cli.c src/common/wpa_ctrl.c src/utils/os_$(CONFIG_OS).c
OBJS_c += src/utils/eloop.c
ifdef CONFIG_WPA_TRACE
OBJS_c += src/utils/trace.c
endif
OBJS_c += src/utils/wpa_debug.c
ifdef CONFIG_WPA_CLI_EDIT
OBJS_c += src/utils/edit.c
else
OBJS_c += src/utils/edit_simple.c
endif
########################
include $(CLEAR_VARS)
LOCAL_MODULE := hostapd_cli
LOCAL_MODULE_TAGS := debug
LOCAL_SHARED_LIBRARIES := libc libcutils
LOCAL_CFLAGS := $(L_CFLAGS)
LOCAL_SRC_FILES := $(OBJS_c)
LOCAL_C_INCLUDES := $(INCLUDES)
include $(BUILD_EXECUTABLE)
########################
include $(CLEAR_VARS)
LOCAL_MODULE := hostapd
LOCAL_MODULE_TAGS := optional
ifdef CONFIG_DRIVER_CUSTOM
LOCAL_STATIC_LIBRARIES := libCustomWifi
endif
ifneq ($(BOARD_HOSTAPD_PRIVATE_LIB),)
LOCAL_STATIC_LIBRARIES += $(BOARD_HOSTAPD_PRIVATE_LIB)
endif
LOCAL_SHARED_LIBRARIES := libc libcutils libcrypto libssl
ifdef CONFIG_DRIVER_NL80211
LOCAL_STATIC_LIBRARIES += libnl_2
endif
LOCAL_CFLAGS := $(L_CFLAGS)
LOCAL_SRC_FILES := $(OBJS)
LOCAL_C_INCLUDES := $(INCLUDES)
include $(BUILD_EXECUTABLE)
endif # ifeq ($(WPA_BUILD_HOSTAPD),true)
external/hostap/hostapd/ChangeLog
Vendored
+754
View File
@@ -0,0 +1,754 @@
ChangeLog for hostapd
2012-05-10 - v1.0
* Add channel selection support in hostapd. See hostapd.conf.
* Add support for IEEE 802.11v Time Advertisement mechanism with UTC
TSF offset. See hostapd.conf for config info.
* Delay STA entry removal until Deauth/Disassoc TX status in AP mode.
This allows the driver to use PS buffering of Deauthentication and
Disassociation frames when the STA is in power save sleep. Only
available with drivers that provide TX status events for Deauth/
Disassoc frames (nl80211).
* Allow PMKSA caching to be disabled on the Authenticator. See
hostap.conf config parameter disable_pmksa_caching.
* atheros: Add support for IEEE 802.11w configuration.
* bsd: Add support for setting HT values in IFM_MMASK.
* Allow client isolation to be configured with ap_isolate. Client
isolation can be used to prevent low-level bridging of frames
between associated stations in the BSS. By default, this bridging
is allowed.
* Allow coexistance of HT BSSes with WEP/TKIP BSSes.
* Add require_ht config parameter, which can be used to configure
hostapd to reject association with any station that does not support
HT PHY.
* Add support for writing debug log to a file using "-f" option. Also
add relog CLI command to re-open the log file.
* Add bridge handling for WDS STA interfaces. By default they are
added to the configured bridge of the AP interface (if present),
but the user can also specify a separate bridge using cli command
wds_bridge.
* hostapd_cli:
- Add wds_bridge command for specifying bridge for WDS STA
interfaces.
- Add relog command for reopening log file.
- Send AP-STA-DISCONNECTED event when an AP disconnects a station
due to inactivity.
- Add wps_config ctrl_interface command for configuring AP. This
command can be used to configure the AP using the internal WPS
registrar. It works in the same way as new AP settings received
from an ER.
- Many WPS/WPS ER commands - see WPS/WPS ER sections for details.
- Add command get version, that returns hostapd version string.
* WNM: Add BSS Transition Management Request for ESS Disassoc Imminent.
Use hostapd_cli ess_disassoc (STA addr) (URL) to send the
notification to the STA.
* Allow AP mode to disconnect STAs based on low ACK condition (when
the data connection is not working properly, e.g., due to the STA
going outside the range of the AP). Disabled by default, enable by
config option disassoc_low_ack.
* Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad
config file.
* WPS:
- Send AP Settings as a wrapped Credential attribute to ctrl_iface
in WPS-NEW-AP-SETTINGS.
- Dispatch more WPS events through hostapd ctrl_iface.
- Add mechanism for indicating non-standard WPS errors.
- Change concurrent radio AP to use only one WPS UPnP instance.
- Add wps_check_pin command for processing PIN from user input.
UIs can use this command to process a PIN entered by a user and to
validate the checksum digit (if present).
- Add hostap_cli get_config command to display current AP config.
- Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at
runtime and support dynamic AP PIN management.
- Disable AP PIN after 10 consecutive failures. Slow down attacks
on failures up to 10.
- Allow AP to start in Enrollee mode without AP PIN for probing,
to be compatible with Windows 7.
- Add Config Error into WPS-FAIL events to provide more info
to the user on how to resolve the issue.
- When controlling multiple interfaces:
- apply WPS commands to all interfaces configured to use WPS
- apply WPS config changes to all interfaces that use WPS
- when an attack is detected on any interface, disable AP PIN on
all interfaces
* WPS ER:
- Show SetSelectedRegistrar events as ctrl_iface events.
- Add special AP Setup Locked mode to allow read only ER.
ap_setup_locked=2 can now be used to enable a special mode where
WPS ER can learn the current AP settings, but cannot change them.
* WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)
- Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool
for testing protocol extensibility.
- Add build option CONFIG_WPS_STRICT to allow disabling of WPS
workarounds.
- Add support for AuthorizedMACs attribute.
* TDLS:
- Allow TDLS use or TDLS channel switching in the BSS to be
prohibited in the BSS, using config params tdls_prohibit and
tdls_prohibit_chan_switch.
* EAP server: Add support for configuring fragment size (see
fragment_size in hostapd.conf).
* wlantest: Add a tool wlantest for IEEE802.11 protocol testing.
wlantest can be used to capture frames from a monitor interface
for realtime capturing or from pcap files for offline analysis.
* Interworking: Support added for 802.11u. Enable in .config with
CONFIG_INTERWORKING. See hostapd.conf for config parameters for
interworking.
* Android: Add build and runtime support for Android hostapd.
* Add a new debug message level for excessive information. Use
-ddd to enable.
* TLS: Add support for tls_disable_time_checks=1 in client mode.
* Internal TLS:
- Add support for TLS v1.1 (RFC 4346). Enable with build parameter
CONFIG_TLSV11.
- Add domainComponent parser for X.509 names
* Reorder some IEs to get closer to IEEE 802.11 standard. Move
WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames.
Move HT IEs to be later in (Re)Assoc Resp.
* Many bugfixes.
2010-04-18 - v0.7.2
* fix WPS internal Registrar use when an external Registrar is also
active
* bsd: Cleaned up driver wrapper and added various low-level
configuration options
* TNC: fixed issues with fragmentation
* EAP-TNC: add Flags field into fragment acknowledgement (needed to
interoperate with other implementations; may potentially breaks
compatibility with older wpa_supplicant/hostapd versions)
* cleaned up driver wrapper API for multi-BSS operations
* nl80211: fix multi-BSS and VLAN operations
* fix number of issues with IEEE 802.11r/FT; this version is not
backwards compatible with old versions
* add SA Query Request processing in AP mode (IEEE 802.11w)
* fix IGTK PN in group rekeying (IEEE 802.11w)
* fix WPS PBC session overlap detection to use correct attribute
* hostapd_notif_Assoc() can now be called with all IEs to simplify
driver wrappers
* work around interoperability issue with some WPS External Registrar
implementations
* nl80211: fix WPS IE update
* hostapd_cli: add support for action script operations (run a script
on hostapd events)
* fix DH padding with internal crypto code (mainly, for WPS)
* fix WPS association with both WPS IE and WPA/RSN IE present with
driver wrappers that use hostapd MLME (e.g., nl80211)
2010-01-16 - v0.7.1
* cleaned up driver wrapper API (struct wpa_driver_ops); the new API
is not fully backwards compatible, so out-of-tree driver wrappers
will need modifications
* cleaned up various module interfaces
* merge hostapd and wpa_supplicant developers' documentation into a
single document
* fixed HT Capabilities IE with nl80211 drivers
* moved generic AP functionality code into src/ap
* WPS: handle Selected Registrar as union of info from all Registrars
* remove obsolte Prism54.org driver wrapper
* added internal debugging mechanism with backtrace support and memory
allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y)
* EAP-FAST server: piggyback Phase 2 start with the end of Phase 1
* WPS: add support for dynamically selecting whether to provision the
PSK as an ASCII passphrase or PSK
* added support for WDS (4-address frame) mode with per-station virtual
interfaces (wds_sta=1 in config file; only supported with
driver=nl80211 for now)
* fixed WPS Probe Request processing to handle missing required
attribute
* fixed PKCS#12 use with OpenSSL 1.0.0
* detect bridge interface automatically so that bridge parameter in
hostapd.conf becomes optional (though, it may now be used to
automatically add then WLAN interface into a bridge with
driver=nl80211)
2009-11-21 - v0.7.0
* increased hostapd_cli ping interval to 5 seconds and made this
configurable with a new command line options (-G<seconds>)
* driver_nl80211: use Linux socket filter to improve performance
* added support for external Registrars with WPS (UPnP transport)
* 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel
* driver_nl80211: fixed STA accounting data collection (TX/RX bytes
reported correctly; TX/RX packets not yet available from kernel)
* added support for WPS USBA out-of-band mechanism with USB Flash
Drives (UFD) (CONFIG_WPS_UFD=y)
* fixed EAPOL/EAP reauthentication when using an external RADIUS
authentication server
* fixed TNC with EAP-TTLS
* fixed IEEE 802.11r key derivation function to match with the standard
(note: this breaks interoperability with previous version) [Bug 303]
* fixed SHA-256 based key derivation function to match with the
standard when using CCMP (for IEEE 802.11r and IEEE 802.11w)
(note: this breaks interoperability with previous version) [Bug 307]
* added number of code size optimizations to remove unnecessary
functionality from the program binary based on build configuration
(part of this automatic; part configurable with CONFIG_NO_* build
options)
* use shared driver wrapper files with wpa_supplicant
* driver_nl80211: multiple updates to provide support for new Linux
nl80211/mac80211 functionality
* updated management frame protection to use IEEE Std 802.11w-2009
* fixed number of small WPS issues and added workarounds to
interoperate with common deployed broken implementations
* added some IEEE 802.11n co-existence rules to disable 40 MHz channels
or modify primary/secondary channels if needed based on neighboring
networks
* added support for NFC out-of-band mechanism with WPS
* added preliminary support for IEEE 802.11r RIC processing
2009-01-06 - v0.6.7
* added support for Wi-Fi Protected Setup (WPS)
(hostapd can now be configured to act as an integrated WPS Registrar
and provision credentials for WPS Enrollees using PIN and PBC
methods; external wireless Registrar can configure the AP, but
external WLAN Manager Registrars are not supported); WPS support can
be enabled by adding CONFIG_WPS=y into .config and setting the
runtime configuration variables in hostapd.conf (see WPS section in
the example configuration file); new hostapd_cli commands wps_pin and
wps_pbc are used to configure WPS negotiation; see README-WPS for
more details
* added IEEE 802.11n HT capability configuration (ht_capab)
* added support for generating Country IE based on nl80211 regulatory
information (added if ieee80211d=1 in configuration)
* fixed WEP authentication (both Open System and Shared Key) with
mac80211
* added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
* added support for using driver_test over UDP socket
* changed EAP-GPSK to use the IANA assigned EAP method type 51
* updated management frame protection to use IEEE 802.11w/D7.0
* fixed retransmission of EAP requests if no response is received
2008-11-23 - v0.6.6
* added a new configuration option, wpa_ptk_rekey, that can be used to
enforce frequent PTK rekeying, e.g., to mitigate some attacks against
TKIP deficiencies
* updated OpenSSL code for EAP-FAST to use an updated version of the
session ticket overriding API that was included into the upstream
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
needed with that version anymore)
* changed channel flags configuration to read the information from
the driver (e.g., via driver_nl80211 when using mac80211) instead of
using hostapd as the source of the regulatory information (i.e.,
information from CRDA is now used with mac80211); this allows 5 GHz
channels to be used with hostapd (if allowed in the current
regulatory domain)
* fixed EAP-TLS message processing for the last TLS message if it is
large enough to require fragmentation (e.g., if a large Session
Ticket data is included)
* fixed listen interval configuration for nl80211 drivers
2008-11-01 - v0.6.5
* added support for SHA-256 as X.509 certificate digest when using the
internal X.509/TLSv1 implementation
* fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer
identity lengths)
* fixed internal TLSv1 implementation for abbreviated handshake (used
by EAP-FAST server)
* added support for setting VLAN ID for STAs based on local MAC ACL
(accept_mac_file) as an alternative for RADIUS server-based
configuration
* updated management frame protection to use IEEE 802.11w/D6.0
(adds a new association ping to protect against unauthenticated
authenticate or (re)associate request frames dropping association)
* added support for using SHA256-based stronger key derivation for WPA2
(IEEE 802.11w)
* added new "driver wrapper" for RADIUS-only configuration
(driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config)
* fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2)
is enabled in configuration
* changed EAP-FAST configuration to use separate fields for A-ID and
A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed
16-octet len binary value for better interoperability with some peer
implementations; eap_fast_a_id is now configured as a hex string
* driver_nl80211: Updated to match the current Linux mac80211 AP mode
configuration (wireless-testing.git and Linux kernel releases
starting from 2.6.29)
2008-08-10 - v0.6.4
* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
Identity Request if identity is already known
* added support for EAP Sequences in EAP-FAST Phase 2
* added support for EAP-TNC (Trusted Network Connect)
(this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
changes needed to run two methods in sequence (IF-T) and the IF-IMV
and IF-TNCCS interfaces from TNCS)
* added support for optional cryptobinding with PEAPv0
* added fragmentation support for EAP-TNC
* added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled)
data
* added support for opportunistic key caching (OKC)
2008-02-22 - v0.6.3
* fixed Reassociation Response callback processing when using internal
MLME (driver_{hostap,nl80211,test}.c)
* updated FT support to use the latest draft, IEEE 802.11r/D9.0
* copy optional Proxy-State attributes into RADIUS response when acting
as a RADIUS authentication server
* fixed EAPOL state machine to handle a case in which no response is
received from the RADIUS authentication server; previous version
could have triggered a crash in some cases after a timeout
* fixed EAP-SIM/AKA realm processing to allow decorated usernames to
be used
* added a workaround for EAP-SIM/AKA peers that include incorrect null
termination in the username
* fixed EAP-SIM/AKA protected result indication to include AT_COUNTER
attribute in notification messages only when using fast
reauthentication
* fixed EAP-SIM Start response processing for fast reauthentication
case
* added support for pending EAP processing in EAP-{PEAP,TTLS,FAST}
phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method
2008-01-01 - v0.6.2
* fixed EAP-SIM and EAP-AKA message parser to validate attribute
lengths properly to avoid potential crash caused by invalid messages
* added data structure for storing allocated buffers (struct wpabuf);
this does not affect hostapd usage, but many of the APIs changed
and various interfaces (e.g., EAP) is not compatible with old
versions
* added support for protecting EAP-AKA/Identity messages with
AT_CHECKCODE (optional feature in RFC 4187)
* added support for protected result indication with AT_RESULT_IND for
EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1)
* added support for configuring EAP-TTLS phase 2 non-EAP methods in
EAP server configuration; previously all four were enabled for every
phase 2 user, now all four are disabled by default and need to be
enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP,
TTLS-MSCHAPV2
* removed old debug printing mechanism and the related 'debug'
parameter in the configuration file; debug verbosity is now set with
-d (or -dd) command line arguments
* added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
only shared key/password authentication is supported in this version
2007-11-24 - v0.6.1
* added experimental, integrated TLSv1 server implementation with the
needed X.509/ASN.1/RSA/bignum processing (this can be enabled by
setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in
.config); this can be useful, e.g., if the target system does not
have a suitable TLS library and a minimal code size is required
* added support for EAP-FAST server method to the integrated EAP
server
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
draft (draft-ietf-emu-eap-gpsk-07.txt)
* added a new configuration parameter, rsn_pairwise, to allow different
pairwise cipher suites to be enabled for WPA and RSN/WPA2
(note: if wpa_pairwise differs from rsn_pairwise, the driver will
either need to support this or will have to use the WPA/RSN IEs from
hostapd; currently, the included madwifi and bsd driver interfaces do
not have support for this)
* updated FT support to use the latest draft, IEEE 802.11r/D8.0
2007-05-28 - v0.6.0
* added experimental IEEE 802.11r/D6.0 support
* updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
* updated EAP-PSK to use the IANA-allocated EAP type 47
* fixed EAP-PSK bit ordering of the Flags field
* fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
by reading wpa_psk_file [Bug 181]
* fixed EAP-TTLS AVP parser processing for too short AVP lengths
* fixed IPv6 connection to RADIUS accounting server
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
draft (draft-ietf-emu-eap-gpsk-04.txt)
* hlr_auc_gw: read GSM triplet file into memory and rotate through the
entries instead of only using the same three triplets every time
(this does not work properly with tests using multiple clients, but
provides bit better triplet data for testing a single client; anyway,
if a better quality triplets are needed, GSM-Milenage should be used
instead of hardcoded triplet file)
* fixed EAP-MSCHAPv2 server to use a space between S and M parameters
in Success Request [Bug 203]
* added support for sending EAP-AKA Notifications in error cases
* updated to use IEEE 802.11w/D2.0 for management frame protection
(still experimental)
* RADIUS server: added support for processing duplicate messages
(retransmissions from RADIUS client) by replying with the previous
reply
2006-11-24 - v0.5.6
* added support for configuring and controlling multiple BSSes per
radio interface (bss=<ifname> in hostapd.conf); this is only
available with Devicescape and test driver interfaces
* fixed PMKSA cache update in the end of successful RSN
pre-authentication
* added support for dynamic VLAN configuration (i.e., selecting VLAN-ID
for each STA based on RADIUS Access-Accept attributes); this requires
VLAN support from the kernel driver/802.11 stack and this is
currently only available with Devicescape and test driver interfaces
* driver_madwifi: fixed configuration of unencrypted modes (plaintext
and IEEE 802.1X without WEP)
* removed STAKey handshake since PeerKey handshake has replaced it in
IEEE 802.11ma and there are no known deployments of STAKey
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
draft (draft-ietf-emu-eap-gpsk-01.txt)
* added preliminary implementation of IEEE 802.11w/D1.0 (management
frame protection)
(Note: this requires driver support to work properly.)
(Note2: IEEE 802.11w is an unapproved draft and subject to change.)
* hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)
* hlr_auc_gw: added support for reading per-IMSI Milenage keys and
parameters from a text file to make it possible to implement proper
GSM/UMTS authentication server for multiple SIM/USIM cards using
EAP-SIM/EAP-AKA
* fixed session timeout processing with drivers that do not use
ieee802_11.c (e.g., madwifi)
2006-08-27 - v0.5.5
* added 'hostapd_cli new_sta <addr>' command for adding a new STA into
hostapd (e.g., to initialize wired network authentication based on an
external signal)
* fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when
using WPA2 even if PMKSA caching is not used
* added -P<pid file> argument for hostapd to write the current process
id into a file
* added support for RADIUS Authentication Server MIB (RFC 2619)
2006-06-20 - v0.5.4
* fixed nt_password_hash build [Bug 144]
* added PeerKey handshake implementation for IEEE 802.11e
direct link setup (DLS) to replace STAKey handshake
* added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
draft-clancy-emu-eap-shared-secret-00.txt)
* fixed a segmentation fault when RSN pre-authentication was completed
successfully [Bug 152]
2006-04-27 - v0.5.3
* do not build nt_password_hash and hlr_auc_gw by default to avoid
requiring a TLS library for a successful build; these programs can be
build with 'make nt_password_hash' and 'make hlr_auc_gw'
* added a new configuration option, eapol_version, that can be used to
set EAPOL version to 1 (default is 2) to work around broken client
implementations that drop EAPOL frames which use version number 2
[Bug 89]
* added support for EAP-SAKE (no EAP method number allocated yet, so
this is using the same experimental type 255 as EAP-PSK)
* fixed EAP-MSCHAPv2 message length validation
2006-03-19 - v0.5.2
* fixed stdarg use in hostapd_logger(): if both stdout and syslog
logging was enabled, hostapd could trigger a segmentation fault in
vsyslog on some CPU -- C library combinations
* moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external
program to make it easier to use for implementing real SS7 gateway;
eap_sim_db is not anymore used as a file name for GSM authentication
triplets; instead, it is path to UNIX domain socket that will be used
to communicate with the external gateway program (e.g., hlr_auc_gw)
* added example HLR/AuC gateway implementation, hlr_auc_gw, that uses
local information (GSM authentication triplets from a text file and
hardcoded AKA authentication data); this can be used to test EAP-SIM
and EAP-AKA
* added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw
to make it possible to test EAP-AKA with real USIM cards (this is
disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw
to enable this)
* driver_madwifi: added support for getting station RSN IE from
madwifi-ng svn r1453 and newer; this fixes RSN that was apparently
broken with earlier change (r1357) in the driver
* changed EAP method registration to use a dynamic list of methods
instead of a static list generated at build time
* fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)
[Bug 125]
* added ap_max_inactivity configuration parameter
2006-01-29 - v0.5.1
* driver_test: added better support for multiple APs and STAs by using
a directory with sockets that include MAC address for each device in
the name (test_socket=DIR:/tmp/test)
* added support for EAP expanded type (vendor specific EAP methods)
2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
* added experimental STAKey handshake implementation for IEEE 802.11e
direct link setup (DLS); note: this is disabled by default in both
build and runtime configuration (can be enabled with CONFIG_STAKEY=y
and stakey=1)
* added support for EAP methods to use callbacks to external programs
by buffering a pending request and processing it after the EAP method
is ready to continue
* improved EAP-SIM database interface to allow external request to GSM
HLR/AuC without blocking hostapd process
* added support for using EAP-SIM pseudonyms and fast re-authentication
* added support for EAP-AKA in the integrated EAP authenticator
* added support for matching EAP identity prefixes (e.g., "1"*) in EAP
user database to allow EAP-SIM/AKA selection without extra roundtrip
for EAP-Nak negotiation
* added support for storing EAP user password as NtPasswordHash instead
of plaintext password when using MSCHAP or MSCHAPv2 for
authentication (hash:<16-octet hex value>); added nt_password_hash
tool for hashing password to generate NtPasswordHash
2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
* driver_wired: fixed EAPOL sending to optionally use PAE group address
as the destination instead of supplicant MAC address; this is
disabled by default, but should be enabled with use_pae_group_addr=1
in configuration file if the wired interface is used by only one
device at the time (common switch configuration)
* driver_madwifi: configure driver to use TKIP countermeasures in order
to get correct behavior (IEEE 802.11 association failing; previously,
association succeeded, but hostpad forced disassociation immediately)
* driver_madwifi: added support for madwifi-ng
2005-10-27 - v0.4.6
* added support for replacing user identity from EAP with RADIUS
User-Name attribute from Access-Accept message, if that is included,
for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
tunneled identity into accounting messages when the RADIUS server
does not support better way of doing this with Class attribute)
* driver_madwifi: fixed EAPOL packet receive for configuration where
ath# is part of a bridge interface
* added a configuration file and log analyzer script for logwatch
* fixed EAPOL state machine step function to process all state
transitions before processing new events; this resolves a race
condition in which EAPOL-Start message could trigger hostapd to send
two EAP-Response/Identity frames to the authentication server
2005-09-25 - v0.4.5
* added client CA list to the TLS certificate request in order to make
it easier for the client to select which certificate to use
* added experimental support for EAP-PSK
* added support for WE-19 (hostap, madwifi)
2005-08-21 - v0.4.4
* fixed build without CONFIG_RSN_PREAUTH
* fixed FreeBSD build
2005-06-26 - v0.4.3
* fixed PMKSA caching to copy User-Name and Class attributes so that
RADIUS accounting gets correct information
* start RADIUS accounting only after successful completion of WPA
4-Way Handshake if WPA-PSK is used
* fixed PMKSA caching for the case where STA (re)associates without
first disassociating
2005-06-12 - v0.4.2
* EAP-PAX is now registered as EAP type 46
* fixed EAP-PAX MAC calculation
* fixed EAP-PAX CK and ICK key derivation
* renamed eap_authenticator configuration variable to eap_server to
better match with RFC 3748 (EAP) terminology
* driver_test: added support for testing hostapd with wpa_supplicant
by using test driver interface without any kernel drivers or network
cards
2005-05-22 - v0.4.1
* fixed RADIUS server initialization when only auth or acct server
is configured and the other one is left empty
* driver_madwifi: added support for RADIUS accounting
* driver_madwifi: added preliminary support for compiling against 'BSD'
branch of madwifi CVS tree
* driver_madwifi: fixed pairwise key removal to allow WPA reauth
without disassociation
* added support for reading additional certificates from PKCS#12 files
and adding them to the certificate chain
* fixed RADIUS Class attribute processing to only use Access-Accept
packets to update Class; previously, other RADIUS authentication
packets could have cleared Class attribute
* added support for more than one Class attribute in RADIUS packets
* added support for verifying certificate revocation list (CRL) when
using integrated EAP authenticator for EAP-TLS; new hostapd.conf
options 'check_crl'; CRL must be included in the ca_cert file for now
2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
* added support for including network information into
EAP-Request/Identity message (ASCII-0 (nul) in eap_message)
(e.g., to implement draft-adrange-eap-network-discovery-07.txt)
* fixed a bug which caused some RSN pre-authentication cases to use
freed memory and potentially crash hostapd
* fixed private key loading for cases where passphrase is not set
* added support for sending TLS alerts and aborting authentication
when receiving a TLS alert
* fixed WPA2 to add PMKSA cache entry when using integrated EAP
authenticator
* fixed PMKSA caching (EAP authentication was not skipped correctly
with the new state machine changes from IEEE 802.1X draft)
* added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,
and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs
to be added to .config to include IPv6 support); for RADIUS server,
radius_server_ipv6=1 needs to be set in hostapd.conf and addresses
in RADIUS clients file can then use IPv6 format
* added experimental support for EAP-PAX
* replaced hostapd control interface library (hostapd_ctrl.[ch]) with
the same implementation that wpa_supplicant is using (wpa_ctrl.[ch])
2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
2005-01-23 - v0.3.5
* added support for configuring a forced PEAP version based on the
Phase 1 identity
* fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV
to terminate authentication
* fixed EAP identifier duplicate processing with the new IEEE 802.1X
draft
* clear accounting data in the driver when starting a new accounting
session
* driver_madwifi: filter wireless events based on ifindex to allow more
than one network interface to be used
* fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt
setting if the packet does not pass MIC verification (e.g., due to
incorrect PSK); previously, message 1/4 was not tried again if an
invalid message 2/4 was received
* fixed reconfiguration of RADIUS client retransmission timer when
adding a new message to the pending list; previously, timer was not
updated at this point and if there was a pending message with long
time for the next retry, the new message needed to wait that long for
its first retry, too
2005-01-09 - v0.3.4
* added support for configuring multiple allowed EAP types for Phase 2
authentication (EAP-PEAP, EAP-TTLS)
* fixed EAPOL-Start processing to trigger WPA reauthentication
(previously, only EAPOL authentication was done)
2005-01-02 - v0.3.3
* added support for EAP-PEAP in the integrated EAP authenticator
* added support for EAP-GTC in the integrated EAP authenticator
* added support for configuring list of EAP methods for Phase 1 so that
the integrated EAP authenticator can, e.g., use the wildcard entry
for EAP-TLS and EAP-PEAP
* added support for EAP-TTLS in the integrated EAP authenticator
* added support for EAP-SIM in the integrated EAP authenticator
* added support for using hostapd as a RADIUS authentication server
with the integrated EAP authenticator taking care of EAP
authentication (new hostapd.conf options: radius_server_clients and
radius_server_auth_port); this is not included in default build; use
CONFIG_RADIUS_SERVER=y in .config to include
2004-12-19 - v0.3.2
* removed 'daemonize' configuration file option since it has not really
been used at all for more than year
* driver_madwifi: fixed group key setup and added get_ssid method
* added support for EAP-MSCHAPv2 in the integrated EAP authenticator
2004-12-12 - v0.3.1
* added support for integrated EAP-TLS authentication (new hostapd.conf
variables: ca_cert, server_cert, private_key, private_key_passwd);
this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without
external RADIUS server
* added support for reading PKCS#12 (PFX) files (as a replacement for
PEM/DER) to get certificate and private key (CONFIG_PKCS12)
2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
* added support for Acct-{Input,Output}-Gigawords
* added support for Event-Timestamp (in RADIUS Accounting-Requests)
* added support for RADIUS Authentication Client MIB (RFC2618)
* added support for RADIUS Accounting Client MIB (RFC2620)
* made EAP re-authentication period configurable (eap_reauth_period)
* fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
* fixed EAPOL state machine to stop if STA is removed during
eapol_sm_step(); this fixes at least one segfault triggering bug with
IEEE 802.11i pre-authentication
* added support for multiple WPA pre-shared keys (e.g., one for each
client MAC address or keys shared by a group of clients);
new hostapd.conf field wpa_psk_file for setting path to a text file
containing PSKs, see hostapd.wpa_psk for an example
* added support for multiple driver interfaces to allow hostapd to be
used with other drivers
* added wired authenticator driver interface (driver=wired in
hostapd.conf, see wired.conf for example configuration)
* added madwifi driver interface (driver=madwifi in hostapd.conf, see
madwifi.conf for example configuration; Note: include files from
madwifi project is needed for building and a configuration file,
.config, needs to be created in hostapd directory with
CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
build)
* fixed an alignment issue that could cause SHA-1 to fail on some
platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
align variables)
* fixed RADIUS reconnection after an error in sending interim
accounting packets
* added hostapd control interface for external programs and an example
CLI, hostapd_cli (like wpa_cli for wpa_supplicant)
* started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',
'hostapd_cli sta <addr>')
* finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
* added support for strict GTK rekeying (wpa_strict_rekey in
hostapd.conf)
* updated IAPP to use UDP port 3517 and multicast address 224.0.1.178
(instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
IEEE 802.11F-2003)
* added Prism54 driver interface (driver=prism54 in hostapd.conf;
note: .config needs to be created in hostapd directory with
CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd
build)
* dual-licensed hostapd (GPLv2 and BSD licenses)
* fixed RADIUS accounting to generate a new session id for cases where
a station reassociates without first being complete deauthenticated
* fixed STA disassociation handler to mark next timeout state to
deauthenticate the station, i.e., skip long wait for inactivity poll
and extra disassociation, if the STA disassociates without
deauthenticating
* added integrated EAP authenticator that can be used instead of
external RADIUS authentication server; currently, only EAP-MD5 is
supported, so this cannot yet be used for key distribution; the EAP
method interface is generic, though, so adding new EAP methods should
be straightforward; new hostapd.conf variables: 'eap_authenticator'
and 'eap_user_file'; this obsoletes "minimal authentication server"
('minimal_eap' in hostapd.conf) which is now removed
* added support for FreeBSD and driver interface for the BSD net80211
layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in
.config); please note that some of the required kernel mods have not
yet been committed
2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
* fixed some accounting cases where Accounting-Start was sent when
IEEE 802.1X port was being deauthorized
2004-06-20 - v0.2.3
* modified RADIUS client to re-connect the socket in case of certain
error codes that are generated when a network interface state is
changes (e.g., when IP address changes or the interface is set UP)
* fixed couple of cases where EAPOL state for a station was freed
twice causing a segfault for hostapd
* fixed couple of bugs in processing WPA deauthentication (freed data
was used)
2004-05-31 - v0.2.2
* fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM)
* fixed group rekeying to send zero TSC in EAPOL-Key messages to fix
cases where STAs dropped multicast frames as replay attacks
* added support for copying RADIUS Attribute 'Class' from
authentication messages into accounting messages
* send canned EAP failure if RADIUS server sends Access-Reject without
EAP message (previously, Supplicant was not notified in this case)
* fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do
not start EAPOL state machines if the STA selected to use WPA-PSK)
2004-05-06 - v0.2.1
* added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality
- based on IEEE 802.11i/D10.0 but modified to interoperate with WPA
(i.e., IEEE 802.11i/D3.0)
- supports WPA-only, RSN-only, and mixed WPA/RSN mode
- both WPA-PSK and WPA-RADIUS/EAP are supported
- PMKSA caching and pre-authentication
- new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase,
wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey,
rsn_preauth, rsn_preauth_interfaces
* fixed interim accounting to remove any pending accounting messages
to the STA before sending a new one
2004-02-15 - v0.2.0
* added support for Acct-Interim-Interval:
- draft-ietf-radius-acct-interim-01.txt
- use Acct-Interim-Interval attribute from Access-Accept if local
'radius_acct_interim_interval' is not set
- allow different update intervals for each STA
* fixed event loop to call signal handlers only after returning from
the real signal handler
* reset sta->timeout_next after successful association to make sure
that the previously registered inactivity timer will not remove the
STA immediately (e.g., if STA deauthenticates and re-associates
before the timer is triggered).
* added new hostapd.conf variable, nas_identifier, that can be used to
add an optional RADIUS Attribute, NAS-Identifier, into authentication
and accounting messages
* added support for Accounting-On and Accounting-Off messages
* fixed accounting session handling to send Accounting-Start only once
per session and not to send Accounting-Stop if the session was not
initialized properly
* fixed Accounting-Stop statistics in cases where the message was
previously sent after the kernel entry for the STA (and/or IEEE
802.1X data) was removed
Note:
Older changes up to and including v0.1.0 are included in the ChangeLog
of the Host AP driver.
external/hostap/hostapd/Makefile
Vendored
+964
View File
@@ -0,0 +1,964 @@
ifndef CC
CC=gcc
endif
ifndef CFLAGS
CFLAGS = -MMD -O2 -Wall -g
endif
CFLAGS += -I../src
CFLAGS += -I../src/utils
# Uncomment following line and set the path to your kernel tree include
# directory if your C library does not include all header files.
# CFLAGS += -DUSE_KERNEL_HEADERS -I/usr/src/linux/include
-include .config
ifndef CONFIG_OS
ifdef CONFIG_NATIVE_WINDOWS
CONFIG_OS=win32
else
CONFIG_OS=unix
endif
endif
ifeq ($(CONFIG_OS), internal)
CFLAGS += -DOS_NO_C_LIB_DEFINES
endif
ifdef CONFIG_NATIVE_WINDOWS
CFLAGS += -DCONFIG_NATIVE_WINDOWS
LIBS += -lws2_32
endif
OBJS += main.o
OBJS += config_file.o
OBJS += ../src/ap/hostapd.o
OBJS += ../src/ap/wpa_auth_glue.o
OBJS += ../src/ap/drv_callbacks.o
OBJS += ../src/ap/ap_drv_ops.o
OBJS += ../src/ap/utils.o
OBJS += ../src/ap/authsrv.o
OBJS += ../src/ap/ieee802_1x.o
OBJS += ../src/ap/ap_config.o
OBJS += ../src/ap/ieee802_11_auth.o
OBJS += ../src/ap/sta_info.o
OBJS += ../src/ap/wpa_auth.o
OBJS += ../src/ap/tkip_countermeasures.o
OBJS += ../src/ap/ap_mlme.o
OBJS += ../src/ap/wpa_auth_ie.o
OBJS += ../src/ap/preauth_auth.o
OBJS += ../src/ap/pmksa_cache_auth.o
OBJS += ../src/ap/ieee802_11_shared.o
OBJS += ../src/ap/beacon.o
OBJS_c = hostapd_cli.o ../src/common/wpa_ctrl.o ../src/utils/os_$(CONFIG_OS).o
NEED_RC4=y
NEED_AES=y
NEED_MD5=y
NEED_SHA1=y
OBJS += ../src/drivers/drivers.o
CFLAGS += -DHOSTAPD
ifdef CONFIG_WPA_TRACE
CFLAGS += -DWPA_TRACE
OBJS += ../src/utils/trace.o
HOBJS += ../src/utils/trace.o
LDFLAGS += -rdynamic
CFLAGS += -funwind-tables
ifdef CONFIG_WPA_TRACE_BFD
CFLAGS += -DWPA_TRACE_BFD
LIBS += -lbfd
LIBS_c += -lbfd
LIBS_h += -lbfd
endif
endif
ifndef CONFIG_ELOOP
CONFIG_ELOOP=eloop
endif
OBJS += ../src/utils/$(CONFIG_ELOOP).o
OBJS_c += ../src/utils/$(CONFIG_ELOOP).o
OBJS += ../src/utils/common.o
OBJS += ../src/utils/wpa_debug.o
OBJS_c += ../src/utils/wpa_debug.o
OBJS += ../src/utils/wpabuf.o
OBJS += ../src/utils/os_$(CONFIG_OS).o
OBJS += ../src/utils/ip_addr.o
OBJS += ../src/common/ieee802_11_common.o
OBJS += ../src/common/wpa_common.o
OBJS += ../src/eapol_auth/eapol_auth_sm.o
ifndef CONFIG_NO_DUMP_STATE
# define HOSTAPD_DUMP_STATE to include SIGUSR1 handler for dumping state to
# a file (undefine it, if you want to save in binary size)
CFLAGS += -DHOSTAPD_DUMP_STATE
OBJS += dump_state.o
OBJS += ../src/eapol_auth/eapol_auth_dump.o
endif
ifdef CONFIG_NO_RADIUS
CFLAGS += -DCONFIG_NO_RADIUS
CONFIG_NO_ACCOUNTING=y
else
OBJS += ../src/radius/radius.o
OBJS += ../src/radius/radius_client.o
OBJS += ../src/radius/radius_das.o
endif
ifdef CONFIG_NO_ACCOUNTING
CFLAGS += -DCONFIG_NO_ACCOUNTING
else
OBJS += ../src/ap/accounting.o
endif
ifdef CONFIG_NO_VLAN
CFLAGS += -DCONFIG_NO_VLAN
else
OBJS += ../src/ap/vlan_init.o
ifdef CONFIG_VLAN_NETLINK
ifdef CONFIG_FULL_DYNAMIC_VLAN
OBJS += ../src/ap/vlan_util.o
endif
CFLAGS += -DCONFIG_VLAN_NETLINK
endif
endif
ifdef CONFIG_NO_CTRL_IFACE
CFLAGS += -DCONFIG_NO_CTRL_IFACE
else
OBJS += ctrl_iface.o
OBJS += ../src/ap/ctrl_iface_ap.o
endif
OBJS += ../src/crypto/md5.o
CFLAGS += -DCONFIG_CTRL_IFACE -DCONFIG_CTRL_IFACE_UNIX
ifdef CONFIG_IAPP
CFLAGS += -DCONFIG_IAPP
OBJS += ../src/ap/iapp.o
endif
ifdef CONFIG_RSN_PREAUTH
CFLAGS += -DCONFIG_RSN_PREAUTH
CONFIG_L2_PACKET=y
endif
ifdef CONFIG_PEERKEY
CFLAGS += -DCONFIG_PEERKEY
OBJS += ../src/ap/peerkey_auth.o
endif
ifdef CONFIG_IEEE80211W
CFLAGS += -DCONFIG_IEEE80211W
NEED_SHA256=y
NEED_AES_OMAC1=y
endif
ifdef CONFIG_IEEE80211R
CFLAGS += -DCONFIG_IEEE80211R
OBJS += ../src/ap/wpa_auth_ft.o
NEED_SHA256=y
NEED_AES_OMAC1=y
NEED_AES_UNWRAP=y
endif
ifdef CONFIG_IEEE80211V
CFLAGS += -DCONFIG_IEEE80211V
OBJS += ../src/ap/wnm_ap.o
endif
ifdef CONFIG_IEEE80211N
CFLAGS += -DCONFIG_IEEE80211N
endif
ifdef CONFIG_WNM
CFLAGS += -DCONFIG_WNM
endif
ifdef CONFIG_IEEE80211AC
CFLAGS += -DCONFIG_IEEE80211AC
endif
include ../src/drivers/drivers.mak
OBJS += $(DRV_AP_OBJS)
CFLAGS += $(DRV_AP_CFLAGS)
LDFLAGS += $(DRV_AP_LDFLAGS)
LIBS += $(DRV_AP_LIBS)
ifdef CONFIG_L2_PACKET
ifdef CONFIG_DNET_PCAP
ifdef CONFIG_L2_FREEBSD
LIBS += -lpcap
OBJS += ../src/l2_packet/l2_packet_freebsd.o
else
LIBS += -ldnet -lpcap
OBJS += ../src/l2_packet/l2_packet_pcap.o
endif
else
OBJS += ../src/l2_packet/l2_packet_linux.o
endif
else
OBJS += ../src/l2_packet/l2_packet_none.o
endif
ifdef CONFIG_EAP_MD5
CFLAGS += -DEAP_SERVER_MD5
OBJS += ../src/eap_server/eap_server_md5.o
CHAP=y
endif
ifdef CONFIG_EAP_TLS
CFLAGS += -DEAP_SERVER_TLS
OBJS += ../src/eap_server/eap_server_tls.o
TLS_FUNCS=y
endif
ifdef CONFIG_EAP_UNAUTH_TLS
CFLAGS += -DEAP_SERVER_UNAUTH_TLS
ifndef CONFIG_EAP_TLS
OBJS += ../src/eap_server/eap_server_tls.o
TLS_FUNCS=y
endif
endif
ifdef CONFIG_EAP_PEAP
CFLAGS += -DEAP_SERVER_PEAP
OBJS += ../src/eap_server/eap_server_peap.o
OBJS += ../src/eap_common/eap_peap_common.o
TLS_FUNCS=y
CONFIG_EAP_MSCHAPV2=y
endif
ifdef CONFIG_EAP_TTLS
CFLAGS += -DEAP_SERVER_TTLS
OBJS += ../src/eap_server/eap_server_ttls.o
TLS_FUNCS=y
CHAP=y
endif
ifdef CONFIG_EAP_MSCHAPV2
CFLAGS += -DEAP_SERVER_MSCHAPV2
OBJS += ../src/eap_server/eap_server_mschapv2.o
MS_FUNCS=y
endif
ifdef CONFIG_EAP_GTC
CFLAGS += -DEAP_SERVER_GTC
OBJS += ../src/eap_server/eap_server_gtc.o
endif
ifdef CONFIG_EAP_SIM
CFLAGS += -DEAP_SERVER_SIM
OBJS += ../src/eap_server/eap_server_sim.o
CONFIG_EAP_SIM_COMMON=y
NEED_AES_CBC=y
endif
ifdef CONFIG_EAP_AKA
CFLAGS += -DEAP_SERVER_AKA
OBJS += ../src/eap_server/eap_server_aka.o
CONFIG_EAP_SIM_COMMON=y
NEED_SHA256=y
NEED_AES_CBC=y
endif
ifdef CONFIG_EAP_AKA_PRIME
CFLAGS += -DEAP_SERVER_AKA_PRIME
endif
ifdef CONFIG_EAP_SIM_COMMON
OBJS += ../src/eap_common/eap_sim_common.o
# Example EAP-SIM/AKA interface for GSM/UMTS authentication. This can be
# replaced with another file implementating the interface specified in
# eap_sim_db.h.
OBJS += ../src/eap_server/eap_sim_db.o
NEED_FIPS186_2_PRF=y
endif
ifdef CONFIG_EAP_PAX
CFLAGS += -DEAP_SERVER_PAX
OBJS += ../src/eap_server/eap_server_pax.o ../src/eap_common/eap_pax_common.o
endif
ifdef CONFIG_EAP_PSK
CFLAGS += -DEAP_SERVER_PSK
OBJS += ../src/eap_server/eap_server_psk.o ../src/eap_common/eap_psk_common.o
NEED_AES_OMAC1=y
NEED_AES_ENCBLOCK=y
NEED_AES_EAX=y
endif
ifdef CONFIG_EAP_SAKE
CFLAGS += -DEAP_SERVER_SAKE
OBJS += ../src/eap_server/eap_server_sake.o ../src/eap_common/eap_sake_common.o
endif
ifdef CONFIG_EAP_GPSK
CFLAGS += -DEAP_SERVER_GPSK
OBJS += ../src/eap_server/eap_server_gpsk.o ../src/eap_common/eap_gpsk_common.o
ifdef CONFIG_EAP_GPSK_SHA256
CFLAGS += -DEAP_SERVER_GPSK_SHA256
endif
NEED_SHA256=y
NEED_AES_OMAC1=y
endif
ifdef CONFIG_EAP_PWD
CFLAGS += -DEAP_SERVER_PWD
OBJS += ../src/eap_server/eap_server_pwd.o ../src/eap_common/eap_pwd_common.o
NEED_SHA256=y
endif
ifdef CONFIG_EAP_VENDOR_TEST
CFLAGS += -DEAP_SERVER_VENDOR_TEST
OBJS += ../src/eap_server/eap_server_vendor_test.o
endif
ifdef CONFIG_EAP_FAST
CFLAGS += -DEAP_SERVER_FAST
OBJS += ../src/eap_server/eap_server_fast.o
OBJS += ../src/eap_common/eap_fast_common.o
TLS_FUNCS=y
NEED_T_PRF=y
NEED_AES_UNWRAP=y
endif
ifdef CONFIG_WPS
ifdef CONFIG_WPS2
CFLAGS += -DCONFIG_WPS2
endif
CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += ../src/utils/uuid.o
OBJS += ../src/ap/wps_hostapd.o
OBJS += ../src/eap_server/eap_server_wsc.o ../src/eap_common/eap_wsc_common.o
OBJS += ../src/wps/wps.o
OBJS += ../src/wps/wps_common.o
OBJS += ../src/wps/wps_attr_parse.o
OBJS += ../src/wps/wps_attr_build.o
OBJS += ../src/wps/wps_attr_process.o
OBJS += ../src/wps/wps_dev_attr.o
OBJS += ../src/wps/wps_enrollee.o
OBJS += ../src/wps/wps_registrar.o
NEED_DH_GROUPS=y
NEED_SHA256=y
NEED_BASE64=y
NEED_AES_CBC=y
NEED_MODEXP=y
CONFIG_EAP=y
ifdef CONFIG_WPS_UFD
CFLAGS += -DCONFIG_WPS_UFD
OBJS += ../src/wps/wps_ufd.o
NEED_WPS_OOB=y
endif
ifdef CONFIG_WPS_NFC
CFLAGS += -DCONFIG_WPS_NFC
OBJS += ../src/wps/ndef.o
OBJS += ../src/wps/wps_nfc.o
NEED_WPS_OOB=y
ifdef CONFIG_WPS_NFC_PN531
PN531_PATH ?= /usr/local/src/nfc
CFLAGS += -DCONFIG_WPS_NFC_PN531
CFLAGS += -I${PN531_PATH}/inc
OBJS += ../src/wps/wps_nfc_pn531.o
LIBS += ${PN531_PATH}/lib/wpsnfc.dll
LIBS += ${PN531_PATH}/lib/libnfc_mapping_pn53x.dll
endif
endif
ifdef NEED_WPS_OOB
CFLAGS += -DCONFIG_WPS_OOB
endif
ifdef CONFIG_WPS_UPNP
CFLAGS += -DCONFIG_WPS_UPNP
OBJS += ../src/wps/wps_upnp.o
OBJS += ../src/wps/wps_upnp_ssdp.o
OBJS += ../src/wps/wps_upnp_web.o
OBJS += ../src/wps/wps_upnp_event.o
OBJS += ../src/wps/wps_upnp_ap.o
OBJS += ../src/wps/upnp_xml.o
OBJS += ../src/wps/httpread.o
OBJS += ../src/wps/http_client.o
OBJS += ../src/wps/http_server.o
endif
ifdef CONFIG_WPS_STRICT
CFLAGS += -DCONFIG_WPS_STRICT
OBJS += ../src/wps/wps_validate.o
endif
ifdef CONFIG_WPS_TESTING
CFLAGS += -DCONFIG_WPS_TESTING
endif
endif
ifdef CONFIG_EAP_IKEV2
CFLAGS += -DEAP_SERVER_IKEV2
OBJS += ../src/eap_server/eap_server_ikev2.o ../src/eap_server/ikev2.o
OBJS += ../src/eap_common/eap_ikev2_common.o ../src/eap_common/ikev2_common.o
NEED_DH_GROUPS=y
NEED_DH_GROUPS_ALL=y
NEED_MODEXP=y
NEED_CIPHER=y
endif
ifdef CONFIG_EAP_TNC
CFLAGS += -DEAP_SERVER_TNC
OBJS += ../src/eap_server/eap_server_tnc.o
OBJS += ../src/eap_server/tncs.o
NEED_BASE64=y
ifndef CONFIG_DRIVER_BSD
LIBS += -ldl
endif
endif
# Basic EAP functionality is needed for EAPOL
OBJS += eap_register.o
OBJS += ../src/eap_server/eap_server.o
OBJS += ../src/eap_common/eap_common.o
OBJS += ../src/eap_server/eap_server_methods.o
OBJS += ../src/eap_server/eap_server_identity.o
CFLAGS += -DEAP_SERVER_IDENTITY
ifdef CONFIG_EAP
CFLAGS += -DEAP_SERVER
endif
ifdef CONFIG_PKCS12
CFLAGS += -DPKCS12_FUNCS
endif
ifdef MS_FUNCS
OBJS += ../src/crypto/ms_funcs.o
NEED_DES=y
NEED_MD4=y
endif
ifdef CHAP
OBJS += ../src/eap_common/chap.o
endif
ifdef TLS_FUNCS
NEED_DES=y
# Shared TLS functions (needed for EAP_TLS, EAP_PEAP, and EAP_TTLS)
CFLAGS += -DEAP_TLS_FUNCS
OBJS += ../src/eap_server/eap_server_tls_common.o
NEED_TLS_PRF=y
endif
ifndef CONFIG_TLS
CONFIG_TLS=openssl
endif
ifdef CONFIG_TLSV11
CFLAGS += -DCONFIG_TLSV11
endif
ifdef CONFIG_TLSV12
CFLAGS += -DCONFIG_TLSV12
NEED_SHA256=y
endif
ifeq ($(CONFIG_TLS), openssl)
ifdef TLS_FUNCS
OBJS += ../src/crypto/tls_openssl.o
LIBS += -lssl
endif
OBJS += ../src/crypto/crypto_openssl.o
HOBJS += ../src/crypto/crypto_openssl.o
ifdef NEED_FIPS186_2_PRF
OBJS += ../src/crypto/fips_prf_openssl.o
endif
LIBS += -lcrypto
LIBS_h += -lcrypto
endif
ifeq ($(CONFIG_TLS), gnutls)
ifdef TLS_FUNCS
OBJS += ../src/crypto/tls_gnutls.o
LIBS += -lgnutls -lgpg-error
endif
OBJS += ../src/crypto/crypto_gnutls.o
HOBJS += ../src/crypto/crypto_gnutls.o
ifdef NEED_FIPS186_2_PRF
OBJS += ../src/crypto/fips_prf_gnutls.o
endif
LIBS += -lgcrypt
LIBS_h += -lgcrypt
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_TLS), schannel)
ifdef TLS_FUNCS
OBJS += ../src/crypto/tls_schannel.o
endif
OBJS += ../src/crypto/crypto_cryptoapi.o
OBJS_p += ../src/crypto/crypto_cryptoapi.o
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_TLS), nss)
ifdef TLS_FUNCS
OBJS += ../src/crypto/tls_nss.o
LIBS += -lssl3
endif
OBJS += ../src/crypto/crypto_nss.o
ifdef NEED_FIPS186_2_PRF
OBJS += ../src/crypto/fips_prf_nss.o
endif
LIBS += -lnss3
LIBS_h += -lnss3
CONFIG_INTERNAL_MD4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_TLS), internal)
ifndef CONFIG_CRYPTO
CONFIG_CRYPTO=internal
endif
ifdef TLS_FUNCS
OBJS += ../src/crypto/crypto_internal-rsa.o
OBJS += ../src/crypto/tls_internal.o
OBJS += ../src/tls/tlsv1_common.o
OBJS += ../src/tls/tlsv1_record.o
OBJS += ../src/tls/tlsv1_cred.o
OBJS += ../src/tls/tlsv1_server.o
OBJS += ../src/tls/tlsv1_server_write.o
OBJS += ../src/tls/tlsv1_server_read.o
OBJS += ../src/tls/asn1.o
OBJS += ../src/tls/rsa.o
OBJS += ../src/tls/x509v3.o
OBJS += ../src/tls/pkcs1.o
OBJS += ../src/tls/pkcs5.o
OBJS += ../src/tls/pkcs8.o
NEED_SHA256=y
NEED_BASE64=y
NEED_TLS_PRF=y
ifdef CONFIG_TLSV12
NEED_TLS_PRF_SHA256=y
endif
NEED_MODEXP=y
NEED_CIPHER=y
CFLAGS += -DCONFIG_TLS_INTERNAL
CFLAGS += -DCONFIG_TLS_INTERNAL_SERVER
endif
ifdef NEED_CIPHER
NEED_DES=y
OBJS += ../src/crypto/crypto_internal-cipher.o
endif
ifdef NEED_MODEXP
OBJS += ../src/crypto/crypto_internal-modexp.o
OBJS += ../src/tls/bignum.o
endif
ifeq ($(CONFIG_CRYPTO), libtomcrypt)
OBJS += ../src/crypto/crypto_libtomcrypt.o
LIBS += -ltomcrypt -ltfm
LIBS_h += -ltomcrypt -ltfm
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_CRYPTO), internal)
OBJS += ../src/crypto/crypto_internal.o
NEED_AES_DEC=y
CFLAGS += -DCONFIG_CRYPTO_INTERNAL
ifdef CONFIG_INTERNAL_LIBTOMMATH
CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
ifdef CONFIG_INTERNAL_LIBTOMMATH_FAST
CFLAGS += -DLTM_FAST
endif
else
LIBS += -ltommath
LIBS_h += -ltommath
endif
CONFIG_INTERNAL_AES=y
CONFIG_INTERNAL_DES=y
CONFIG_INTERNAL_SHA1=y
CONFIG_INTERNAL_MD4=y
CONFIG_INTERNAL_MD5=y
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
CONFIG_INTERNAL_DH_GROUP5=y
endif
ifeq ($(CONFIG_CRYPTO), cryptoapi)
OBJS += ../src/crypto/crypto_cryptoapi.o
OBJS_p += ../src/crypto/crypto_cryptoapi.o
CFLAGS += -DCONFIG_CRYPTO_CRYPTOAPI
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
endif
endif
ifeq ($(CONFIG_TLS), none)
ifdef TLS_FUNCS
OBJS += ../src/crypto/tls_none.o
CFLAGS += -DEAP_TLS_NONE
CONFIG_INTERNAL_AES=y
CONFIG_INTERNAL_SHA1=y
CONFIG_INTERNAL_MD5=y
endif
OBJS += ../src/crypto/crypto_none.o
OBJS_p += ../src/crypto/crypto_none.o
CONFIG_INTERNAL_SHA256=y
CONFIG_INTERNAL_RC4=y
endif
ifndef TLS_FUNCS
OBJS += ../src/crypto/tls_none.o
ifeq ($(CONFIG_TLS), internal)
CONFIG_INTERNAL_AES=y
CONFIG_INTERNAL_SHA1=y
CONFIG_INTERNAL_MD5=y
CONFIG_INTERNAL_RC4=y
endif
endif
AESOBJS = # none so far
ifdef CONFIG_INTERNAL_AES
AESOBJS += ../src/crypto/aes-internal.o ../src/crypto/aes-internal-enc.o
endif
AESOBJS += ../src/crypto/aes-wrap.o
ifdef NEED_AES_EAX
AESOBJS += ../src/crypto/aes-eax.o
NEED_AES_CTR=y
endif
ifdef NEED_AES_CTR
AESOBJS += ../src/crypto/aes-ctr.o
endif
ifdef NEED_AES_ENCBLOCK
AESOBJS += ../src/crypto/aes-encblock.o
endif
ifdef NEED_AES_OMAC1
AESOBJS += ../src/crypto/aes-omac1.o
endif
ifdef NEED_AES_UNWRAP
NEED_AES_DEC=y
AESOBJS += ../src/crypto/aes-unwrap.o
endif
ifdef NEED_AES_CBC
NEED_AES_DEC=y
AESOBJS += ../src/crypto/aes-cbc.o
endif
ifdef NEED_AES_DEC
ifdef CONFIG_INTERNAL_AES
AESOBJS += ../src/crypto/aes-internal-dec.o
endif
endif
ifdef NEED_AES
OBJS += $(AESOBJS)
endif
ifdef NEED_SHA1
ifneq ($(CONFIG_TLS), openssl)
SHA1OBJS += ../src/crypto/sha1.o
endif
SHA1OBJS += ../src/crypto/sha1-prf.o
ifdef CONFIG_INTERNAL_SHA1
SHA1OBJS += ../src/crypto/sha1-internal.o
ifdef NEED_FIPS186_2_PRF
SHA1OBJS += ../src/crypto/fips_prf_internal.o
endif
endif
ifneq ($(CONFIG_TLS), openssl)
SHA1OBJS += ../src/crypto/sha1-pbkdf2.o
endif
ifdef NEED_T_PRF
SHA1OBJS += ../src/crypto/sha1-tprf.o
endif
ifdef NEED_TLS_PRF
SHA1OBJS += ../src/crypto/sha1-tlsprf.o
endif
endif
ifdef NEED_SHA1
OBJS += $(SHA1OBJS)
endif
ifdef NEED_MD5
ifdef CONFIG_INTERNAL_MD5
OBJS += ../src/crypto/md5-internal.o
HOBJS += ../src/crypto/md5-internal.o
endif
endif
ifdef NEED_MD4
ifdef CONFIG_INTERNAL_MD4
OBJS += ../src/crypto/md4-internal.o
endif
endif
ifdef NEED_DES
ifdef CONFIG_INTERNAL_DES
OBJS += ../src/crypto/des-internal.o
endif
endif
ifdef NEED_RC4
ifdef CONFIG_INTERNAL_RC4
OBJS += ../src/crypto/rc4.o
endif
endif
ifdef NEED_SHA256
CFLAGS += -DCONFIG_SHA256
ifneq ($(CONFIG_TLS), openssl)
OBJS += ../src/crypto/sha256.o
endif
OBJS += ../src/crypto/sha256-prf.o
ifdef CONFIG_INTERNAL_SHA256
OBJS += ../src/crypto/sha256-internal.o
endif
ifdef NEED_TLS_PRF_SHA256
OBJS += ../src/crypto/sha256-tlsprf.o
endif
endif
ifdef NEED_DH_GROUPS
OBJS += ../src/crypto/dh_groups.o
endif
ifdef NEED_DH_GROUPS_ALL
CFLAGS += -DALL_DH_GROUPS
endif
ifdef CONFIG_INTERNAL_DH_GROUP5
ifdef NEED_DH_GROUPS
OBJS += ../src/crypto/dh_group5.o
endif
endif
ifdef CONFIG_NO_RANDOM_POOL
CFLAGS += -DCONFIG_NO_RANDOM_POOL
else
OBJS += ../src/crypto/random.o
HOBJS += ../src/crypto/random.o
HOBJS += ../src/utils/eloop.o
HOBJS += $(SHA1OBJS)
HOBJS += ../src/crypto/md5.o
endif
ifdef CONFIG_RADIUS_SERVER
CFLAGS += -DRADIUS_SERVER
OBJS += ../src/radius/radius_server.o
endif
ifdef CONFIG_IPV6
CFLAGS += -DCONFIG_IPV6
endif
ifdef CONFIG_DRIVER_RADIUS_ACL
CFLAGS += -DCONFIG_DRIVER_RADIUS_ACL
endif
ifdef CONFIG_FULL_DYNAMIC_VLAN
# define CONFIG_FULL_DYNAMIC_VLAN to have hostapd manipulate bridges
# and vlan interfaces for the vlan feature.
CFLAGS += -DCONFIG_FULL_DYNAMIC_VLAN
endif
ifdef NEED_BASE64
OBJS += ../src/utils/base64.o
endif
ifdef NEED_AP_MLME
OBJS += ../src/ap/wmm.o
OBJS += ../src/ap/ap_list.o
OBJS += ../src/ap/ieee802_11.o
OBJS += ../src/ap/hw_features.o
CFLAGS += -DNEED_AP_MLME
endif
ifdef CONFIG_IEEE80211N
OBJS += ../src/ap/ieee802_11_ht.o
endif
ifdef CONFIG_HT2040_COEX
ifdef CONFIG_DRIVER_NL80211
CFLAGS += -DCONFIG_HT2040_COEX
endif
endif
ifdef CONFIG_IEEE80211AC
OBJS += ../src/ap/ieee802_11_vht.o
endif
ifdef CONFIG_P2P_MANAGER
CFLAGS += -DCONFIG_P2P_MANAGER
OBJS += ../src/ap/p2p_hostapd.o
endif
ifdef CONFIG_HS20
CFLAGS += -DCONFIG_HS20
OBJS += ../src/ap/hs20.o
CONFIG_INTERWORKING=y
endif
ifdef CONFIG_INTERWORKING
CFLAGS += -DCONFIG_INTERWORKING
OBJS += ../src/common/gas.o
OBJS += ../src/ap/gas_serv.o
endif
OBJS += ../src/drivers/driver_common.o
ifdef CONFIG_WPA_CLI_EDIT
OBJS_c += ../src/utils/edit.o
else
OBJS_c += ../src/utils/edit_simple.o
endif
ifdef CONFIG_NO_STDOUT_DEBUG
CFLAGS += -DCONFIG_NO_STDOUT_DEBUG
endif
ifdef CONFIG_DEBUG_FILE
CFLAGS += -DCONFIG_DEBUG_FILE
endif
ifdef CONFIG_SQLITE
CFLAGS += -DCONFIG_SQLITE
LIBS += -lsqlite3
LIBS_h += -lsqlite3
endif
ALL=hostapd hostapd_cli hostapd_wps
all: verify_config $(ALL)
Q=@
E=echo
ifeq ($(V), 1)
Q=
E=true
endif
%.o: %.c
$(Q)$(CC) -c -o $@ $(CFLAGS) $<
@$(E) " CC " $<
verify_config:
@if [ ! -r .config ]; then \
echo 'Building hostapd requires a configuration file'; \
echo '(.config). See README for more instructions. You can'; \
echo 'run "cp defconfig .config" to create an example'; \
echo 'configuration.'; \
exit 1; \
fi
install: all
mkdir -p $(DESTDIR)/usr/bin
for i in $(ALL); do cp -f $$i $(DESTDIR)/usr/bin/$$i; done
mkdir -p $(DESTDIR)/etc
ifdef CONFIG_DRIVER_AR6000
install -m 0644 config/ar6k-ap-all.conf $(DESTDIR)/etc/AR6003_hostapd.conf
install -m 0644 config/ar6k-ap1-all.conf $(DESTDIR)/etc/AR6003_AP1_hostapd.conf
endif
ifdef CONFIG_DRIVER_NL80211
ifdef CONFIG_WIRELESS_ACL_TYPE_BLACK
#[liyuan start] M7350 series enable acl deny list in default
install -m 0644 -d $(DESTDIR)/etc/config
install -m 0644 config/tp-ath6kl-ap-all-7350-series.conf $(DESTDIR)/etc/AR6004_hostapd.conf
install -m 0644 config/tp-ath6kl-ap-all-7350-series.deny $(DESTDIR)/etc/config/hostapd.deny
install -m 0644 config/ath6kl-ap1-all.conf $(DESTDIR)/etc/AR6004_AP1_hostapd.conf
ln -s /etc/AR6004_hostapd.conf $(DESTDIR)/etc/hostapd.conf
install -m 0644 -d $(DESTDIR)/etc/default_config
install -m 0644 config/tp-ath6kl-ap-all-7350-series.conf $(DESTDIR)/etc/default_config/AR6004_hostapd.conf
install -m 0644 config/tp-ath6kl-ap-all-7350-series.deny $(DESTDIR)/etc/default_config/hostapd.deny
#[liyuan end]
else
#[lixiangkui start] install wifi default config
#install -m 0644 config/ath6kl-ap-all.conf $(DESTDIR)/etc/AR6004_hostapd.conf
install -m 0644 config/tp-ath6kl-ap-all.conf $(DESTDIR)/etc/AR6004_hostapd.conf
install -m 0644 config/ath6kl-ap1-all.conf $(DESTDIR)/etc/AR6004_AP1_hostapd.conf
ln -s /etc/AR6004_hostapd.conf $(DESTDIR)/etc/hostapd.conf
install -m 0644 -d $(DESTDIR)/etc/default_config
install -m 0644 config/tp-ath6kl-ap-all.conf $(DESTDIR)/etc/default_config/AR6004_hostapd.conf
#[lixiangkui end]
endif
endif
../src/drivers/build.hostapd:
@if [ -f ../src/drivers/build.wpa_supplicant ]; then \
$(MAKE) -C ../src/wps clean; \
$(MAKE) -C ../src/drivers clean; \
fi
@touch ../src/drivers/build.hostapd
BCHECK=../src/drivers/build.hostapd
hostapd: $(BCHECK) $(OBJS)
$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
@$(E) " LD " $@
ifdef CONFIG_WPA_TRACE
OBJS_c += ../src/utils/trace.o
endif
hostapd_cli: $(OBJS_c)
$(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c)
@$(E) " LD " $@
OBJS_w = hostapd_wps.o
hostapd_wps: $(OBJS_w)
$(Q)$(CC) -o hostapd_wps $(OBJS_w)
@$(E) " LD " $@
NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS) ../src/crypto/md5.o
ifdef NEED_RC4
ifdef CONFIG_INTERNAL_RC4
NOBJS += ../src/crypto/rc4.o
endif
endif
ifdef CONFIG_INTERNAL_MD5
NOBJS += ../src/crypto/md5-internal.o
endif
NOBJS += ../src/crypto/crypto_openssl.o ../src/utils/os_$(CONFIG_OS).o
NOBJS += ../src/utils/wpa_debug.o
NOBJS += ../src/utils/wpabuf.o
ifdef CONFIG_WPA_TRACE
NOBJS += ../src/utils/trace.o
LIBS_n += -lbfd
endif
ifdef TLS_FUNCS
LIBS_n += -lcrypto
endif
HOBJS += hlr_auc_gw.o ../src/utils/common.o ../src/utils/wpa_debug.o ../src/utils/os_$(CONFIG_OS).o ../src/utils/wpabuf.o ../src/crypto/milenage.o
HOBJS += ../src/crypto/aes-encblock.o
ifdef CONFIG_INTERNAL_AES
HOBJS += ../src/crypto/aes-internal.o
HOBJS += ../src/crypto/aes-internal-enc.o
endif
nt_password_hash: $(NOBJS)
$(Q)$(CC) $(LDFLAGS) -o nt_password_hash $(NOBJS) $(LIBS_n)
@$(E) " LD " $@
hlr_auc_gw: $(HOBJS)
$(Q)$(CC) $(LDFLAGS) -o hlr_auc_gw $(HOBJS) $(LIBS_h)
@$(E) " LD " $@
clean:
$(MAKE) -C ../src clean
rm -f core *~ *.o hostapd hostapd_cli hostapd_wps nt_password_hash hlr_auc_gw
rm -f *.d
-include $(OBJS:%.o=%.d)
external/hostap/hostapd/README
Vendored
+372
View File
@@ -0,0 +1,372 @@
hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP
Authenticator and RADIUS authentication server
================================================================
Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.
This program is licensed under the BSD license (the one with
advertisement clause removed).
If you are submitting changes to the project, please see CONTRIBUTIONS
file for more instructions.
License
-------
This software may be distributed, used, and modified under the terms of
BSD license:
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name(s) of the above-listed copyright holder(s) nor the
names of its contributors may be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Introduction
============
Originally, hostapd was an optional user space component for Host AP
driver. It adds more features to the basic IEEE 802.11 management
included in the kernel driver: using external RADIUS authentication
server for MAC address based access control, IEEE 802.1X Authenticator
and dynamic WEP keying, RADIUS accounting, WPA/WPA2 (IEEE 802.11i/RSN)
Authenticator and dynamic TKIP/CCMP keying.
The current version includes support for other drivers, an integrated
EAP server (i.e., allow full authentication without requiring
an external RADIUS authentication server), and RADIUS authentication
server for EAP authentication.
Requirements
------------
Current hardware/software requirements:
- drivers:
Host AP driver for Prism2/2.5/3.
(http://hostap.epitest.fi/)
Please note that station firmware version needs to be 1.7.0 or newer
to work in WPA mode.
madwifi driver for cards based on Atheros chip set (ar521x)
(http://sourceforge.net/projects/madwifi/)
Please note that you will need to add the correct path for
madwifi driver root directory in .config (see defconfig file for
an example: CFLAGS += -I<path>)
mac80211-based drivers that support AP mode (with driver=nl80211).
This includes drivers for Atheros (ath9k) and Broadcom (b43)
chipsets.
Any wired Ethernet driver for wired IEEE 802.1X authentication
(experimental code)
FreeBSD -current (with some kernel mods that have not yet been
committed when hostapd v0.3.0 was released)
BSD net80211 layer (e.g., Atheros driver)
Build configuration
-------------------
In order to be able to build hostapd, you will need to create a build
time configuration file, .config that selects which optional
components are included. See defconfig file for example configuration
and list of available options.
IEEE 802.1X
===========
IEEE Std 802.1X-2001 is a standard for port-based network access
control. In case of IEEE 802.11 networks, a "virtual port" is used
between each associated station and the AP. IEEE 802.11 specifies
minimal authentication mechanism for stations, whereas IEEE 802.1X
introduces a extensible mechanism for authenticating and authorizing
users.
IEEE 802.1X uses elements called Supplicant, Authenticator, Port
Access Entity, and Authentication Server. Supplicant is a component in
a station and it performs the authentication with the Authentication
Server. An access point includes an Authenticator that relays the packets
between a Supplicant and an Authentication Server. In addition, it has a
Port Access Entity (PAE) with Authenticator functionality for
controlling the virtual port authorization, i.e., whether to accept
packets from or to the station.
IEEE 802.1X uses Extensible Authentication Protocol (EAP). The frames
between a Supplicant and an Authenticator are sent using EAP over LAN
(EAPOL) and the Authenticator relays these frames to the Authentication
Server (and similarly, relays the messages from the Authentication
Server to the Supplicant). The Authentication Server can be colocated with the
Authenticator, in which case there is no need for additional protocol
for EAP frame transmission. However, a more common configuration is to
use an external Authentication Server and encapsulate EAP frame in the
frames used by that server. RADIUS is suitable for this, but IEEE
802.1X would also allow other mechanisms.
Host AP driver includes PAE functionality in the kernel driver. It
is a relatively simple mechanism for denying normal frames going to
or coming from an unauthorized port. PAE allows IEEE 802.1X related
frames to be passed between the Supplicant and the Authenticator even
on an unauthorized port.
User space daemon, hostapd, includes Authenticator functionality. It
receives 802.1X (EAPOL) frames from the Supplicant using the wlan#ap
device that is also used with IEEE 802.11 management frames. The
frames to the Supplicant are sent using the same device.
The normal configuration of the Authenticator would use an external
Authentication Server. hostapd supports RADIUS encapsulation of EAP
packets, so the Authentication Server should be a RADIUS server, like
FreeRADIUS (http://www.freeradius.org/). The Authenticator in hostapd
relays the frames between the Supplicant and the Authentication
Server. It also controls the PAE functionality in the kernel driver by
controlling virtual port authorization, i.e., station-AP
connection, based on the IEEE 802.1X state.
When a station would like to use the services of an access point, it
will first perform IEEE 802.11 authentication. This is normally done
with open systems authentication, so there is no security. After
this, IEEE 802.11 association is performed. If IEEE 802.1X is
configured to be used, the virtual port for the station is set in
Unauthorized state and only IEEE 802.1X frames are accepted at this
point. The Authenticator will then ask the Supplicant to authenticate
with the Authentication Server. After this is completed successfully,
the virtual port is set to Authorized state and frames from and to the
station are accepted.
Host AP configuration for IEEE 802.1X
-------------------------------------
The user space daemon has its own configuration file that can be used to
define AP options. Distribution package contains an example
configuration file (hostapd/hostapd.conf) that can be used as a basis
for configuration. It includes examples of all supported configuration
options and short description of each option. hostapd should be started
with full path to the configuration file as the command line argument,
e.g., './hostapd /etc/hostapd.conf'. If you have more that one wireless
LAN card, you can use one hostapd process for multiple interfaces by
giving a list of configuration files (one per interface) in the command
line.
hostapd includes a minimal co-located IEEE 802.1X server which can be
used to test IEEE 802.1X authentication. However, it should not be
used in normal use since it does not provide any security. This can be
configured by setting ieee8021x and minimal_eap options in the
configuration file.
An external Authentication Server (RADIUS) is configured with
auth_server_{addr,port,shared_secret} options. In addition,
ieee8021x and own_ip_addr must be set for this mode. With such
configuration, the co-located Authentication Server is not used and EAP
frames will be relayed using EAPOL between the Supplicant and the
Authenticator and RADIUS encapsulation between the Authenticator and
the Authentication Server. Other than this, the functionality is similar
to the case with the co-located Authentication Server.
Authentication Server and Supplicant
------------------------------------
Any RADIUS server supporting EAP should be usable as an IEEE 802.1X
Authentication Server with hostapd Authenticator. FreeRADIUS
(http://www.freeradius.org/) has been successfully tested with hostapd
Authenticator and both Xsupplicant (http://www.open1x.org) and Windows
XP Supplicants. EAP/TLS was used with Xsupplicant and
EAP/MD5-Challenge with Windows XP.
http://www.missl.cs.umd.edu/wireless/eaptls/ has useful information
about using EAP/TLS with FreeRADIUS and Xsupplicant (just replace
Cisco access point with Host AP driver, hostapd daemon, and a Prism2
card ;-). http://www.freeradius.org/doc/EAP-MD5.html has information
about using EAP/MD5 with FreeRADIUS, including instructions for WinXP
configuration. http://www.denobula.com/EAPTLS.pdf has a HOWTO on
EAP/TLS use with WinXP Supplicant.
Automatic WEP key configuration
-------------------------------
EAP/TLS generates a session key that can be used to send WEP keys from
an AP to authenticated stations. The Authenticator in hostapd can be
configured to automatically select a random default/broadcast key
(shared by all authenticated stations) with wep_key_len_broadcast
option (5 for 40-bit WEP or 13 for 104-bit WEP). In addition,
wep_key_len_unicast option can be used to configure individual unicast
keys for stations. This requires support for individual keys in the
station driver.
WEP keys can be automatically updated by configuring rekeying. This
will improve security of the network since same WEP key will only be
used for a limited period of time. wep_rekey_period option sets the
interval for rekeying in seconds.
WPA/WPA2
========
Features
--------
Supported WPA/IEEE 802.11i features:
- WPA-PSK ("WPA-Personal")
- WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise")
- key management for CCMP, TKIP, WEP104, WEP40
- RSN/WPA2 (IEEE 802.11i), including PMKSA caching and pre-authentication
WPA
---
The original security mechanism of IEEE 802.11 standard was not
designed to be strong and has proved to be insufficient for most
networks that require some kind of security. Task group I (Security)
of IEEE 802.11 working group (http://www.ieee802.org/11/) has worked
to address the flaws of the base standard and has in practice
completed its work in May 2004. The IEEE 802.11i amendment to the IEEE
802.11 standard was approved in June 2004 and this amendment is likely
to be published in July 2004.
Wi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the
IEEE 802.11i work (draft 3.0) to define a subset of the security
enhancements that can be implemented with existing wlan hardware. This
is called Wi-Fi Protected Access<TM> (WPA). This has now become a
mandatory component of interoperability testing and certification done
by Wi-Fi Alliance. Wi-Fi provides information about WPA at its web
site (http://www.wi-fi.org/OpenSection/protected_access.asp).
IEEE 802.11 standard defined wired equivalent privacy (WEP) algorithm
for protecting wireless networks. WEP uses RC4 with 40-bit keys,
24-bit initialization vector (IV), and CRC32 to protect against packet
forgery. All these choices have proven to be insufficient: key space is
too small against current attacks, RC4 key scheduling is insufficient
(beginning of the pseudorandom stream should be skipped), IV space is
too small and IV reuse makes attacks easier, there is no replay
protection, and non-keyed authentication does not protect against bit
flipping packet data.
WPA is an intermediate solution for the security issues. It uses
Temporal Key Integrity Protocol (TKIP) to replace WEP. TKIP is a
compromise on strong security and possibility to use existing
hardware. It still uses RC4 for the encryption like WEP, but with
per-packet RC4 keys. In addition, it implements replay protection,
keyed packet authentication mechanism (Michael MIC).
Keys can be managed using two different mechanisms. WPA can either use
an external authentication server (e.g., RADIUS) and EAP just like
IEEE 802.1X is using or pre-shared keys without need for additional
servers. Wi-Fi calls these "WPA-Enterprise" and "WPA-Personal",
respectively. Both mechanisms will generate a master session key for
the Authenticator (AP) and Supplicant (client station).
WPA implements a new key handshake (4-Way Handshake and Group Key
Handshake) for generating and exchanging data encryption keys between
the Authenticator and Supplicant. This handshake is also used to
verify that both Authenticator and Supplicant know the master session
key. These handshakes are identical regardless of the selected key
management mechanism (only the method for generating master session
key changes).
IEEE 802.11i / WPA2
-------------------
The design for parts of IEEE 802.11i that were not included in WPA has
finished (May 2004) and this amendment to IEEE 802.11 was approved in
June 2004. Wi-Fi Alliance is using the final IEEE 802.11i as a new
version of WPA called WPA2. This includes, e.g., support for more
robust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC)
to replace TKIP and optimizations for handoff (reduced number of
messages in initial key handshake, pre-authentication, and PMKSA caching).
Some wireless LAN vendors are already providing support for CCMP in
their WPA products. There is no "official" interoperability
certification for CCMP and/or mixed modes using both TKIP and CCMP, so
some interoperability issues can be expected even though many
combinations seem to be working with equipment from different vendors.
Testing for WPA2 is likely to start during the second half of 2004.
hostapd configuration for WPA/WPA2
----------------------------------
TODO
# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2)
#wpa=1
# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#wpa_passphrase=secret passphrase
# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
#wpa_key_mgmt=WPA-PSK WPA-EAP
# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
#wpa_pairwise=TKIP CCMP
# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds.
#wpa_group_rekey=600
# Time interval for rekeying GMK (master key used internally to generate GTKs
# (in seconds).
#wpa_gmk_rekey=86400
# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
# interface that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0
external/hostap/hostapd/README-WPS
Vendored
+340
View File
@@ -0,0 +1,340 @@
hostapd and Wi-Fi Protected Setup (WPS)
=======================================
This document describes how the WPS implementation in hostapd can be
configured and how an external component on an AP (e.g., web UI) is
used to enable enrollment of client devices.
Introduction to WPS
-------------------
Wi-Fi Protected Setup (WPS) is a mechanism for easy configuration of a
wireless network. It allows automated generation of random keys (WPA
passphrase/PSK) and configuration of an access point and client
devices. WPS includes number of methods for setting up connections
with PIN method and push-button configuration (PBC) being the most
commonly deployed options.
While WPS can enable more home networks to use encryption in the
wireless network, it should be noted that the use of the PIN and
especially PBC mechanisms for authenticating the initial key setup is
not very secure. As such, use of WPS may not be suitable for
environments that require secure network access without chance for
allowing outsiders to gain access during the setup phase.
WPS uses following terms to describe the entities participating in the
network setup:
- access point: the WLAN access point
- Registrar: a device that control a network and can authorize
addition of new devices); this may be either in the AP ("internal
Registrar") or in an external device, e.g., a laptop, ("external
Registrar")
- Enrollee: a device that is being authorized to use the network
It should also be noted that the AP and a client device may change
roles (i.e., AP acts as an Enrollee and client device as a Registrar)
when WPS is used to configure the access point.
More information about WPS is available from Wi-Fi Alliance:
http://www.wi-fi.org/wifi-protected-setup
hostapd implementation
----------------------
hostapd includes an optional WPS component that can be used as an
internal WPS Registrar to manage addition of new WPS enabled clients
to the network. In addition, WPS Enrollee functionality in hostapd can
be used to allow external WPS Registrars to configure the access
point, e.g., for initial network setup. In addition, hostapd can proxy a
WPS registration between a wireless Enrollee and an external Registrar
(e.g., Microsoft Vista or Atheros JumpStart) with UPnP.
hostapd configuration
---------------------
WPS is an optional component that needs to be enabled in hostapd build
configuration (.config). Here is an example configuration that
includes WPS support and uses madwifi driver interface:
CONFIG_DRIVER_MADWIFI=y
CFLAGS += -I/usr/src/madwifi-0.9.3
CONFIG_WPS=y
CONFIG_WPS2=y
CONFIG_WPS_UPNP=y
Following parameter can be used to enable support for NFC config method:
CONFIG_WPS_NFC=y
Following section shows an example runtime configuration
(hostapd.conf) that enables WPS:
# Configure the driver and network interface
driver=madwifi
interface=ath0
# WPA2-Personal configuration for the AP
ssid=wps-test
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
# Default WPA passphrase for legacy (non-WPS) clients
wpa_passphrase=12345678
# Enable random per-device PSK generation for WPS clients
# Please note that the file has to exists for hostapd to start (i.e., create an
# empty file as a starting point).
wpa_psk_file=/etc/hostapd.psk
# Enable control interface for PBC/PIN entry
ctrl_interface=/var/run/hostapd
# Enable internal EAP server for EAP-WSC (part of Wi-Fi Protected Setup)
eap_server=1
# WPS configuration (AP configured, do not allow external WPS Registrars)
wps_state=2
ap_setup_locked=1
# If UUID is not configured, it will be generated based on local MAC address.
uuid=87654321-9abc-def0-1234-56789abc0000
wps_pin_requests=/var/run/hostapd.pin-req
device_name=Wireless AP
manufacturer=Company
model_name=WAP
model_number=123
serial_number=12345
device_type=6-0050F204-1
os_version=01020300
config_methods=label display push_button keypad
# if external Registrars are allowed, UPnP support could be added:
#upnp_iface=br0
#friendly_name=WPS Access Point
External operations
-------------------
WPS requires either a device PIN code (usually, 8-digit number) or a
pushbutton event (for PBC) to allow a new WPS Enrollee to join the
network. hostapd uses the control interface as an input channel for
these events.
The PIN value used in the commands must be processed by an UI to
remove non-digit characters and potentially, to verify the checksum
digit. "hostapd_cli wps_check_pin <PIN>" can be used to do such
processing. It returns FAIL if the PIN is invalid, or FAIL-CHECKSUM if
the checksum digit is incorrect, or the processed PIN (non-digit
characters removed) if the PIN is valid.
When a client device (WPS Enrollee) connects to hostapd (WPS
Registrar) in order to start PIN mode negotiation for WPS, an
identifier (Enrollee UUID) is sent. hostapd will need to be configured
with a device password (PIN) for this Enrollee. This is an operation
that requires user interaction (assuming there are no pre-configured
PINs on the AP for a set of Enrollee).
The PIN request with information about the device is appended to the
wps_pin_requests file (/var/run/hostapd.pin-req in this example). In
addition, hostapd control interface event is sent as a notification of
a new device. The AP could use, e.g., a web UI for showing active
Enrollees to the user and request a PIN for an Enrollee.
The PIN request file has one line for every Enrollee that connected to
the AP, but for which there was no PIN. Following information is
provided for each Enrollee (separated with tabulators):
- timestamp (seconds from 1970-01-01)
- Enrollee UUID
- MAC address
- Device name
- Manufacturer
- Model Name
- Model Number
- Serial Number
- Device category
Example line in the /var/run/hostapd.pin-req file:
1200188391 53b63a98-d29e-4457-a2ed-094d7e6a669c Intel(R) Centrino(R) Intel Corporation Intel(R) Centrino(R) - - 1-0050F204-1
Control interface data:
WPS-PIN-NEEDED [UUID-E|MAC Address|Device Name|Manufacturer|Model Name|Model Number|Serial Number|Device Category]
For example:
<2>WPS-PIN-NEEDED [53b63a98-d29e-4457-a2ed-094d7e6a669c|02:12:34:56:78:9a|Device|Manuf|Model|Model Number|Serial Number|1-0050F204-1]
When the user enters a PIN for a pending Enrollee, e.g., on the web
UI), hostapd needs to be notified of the new PIN over the control
interface. This can be done either by using the UNIX domain socket
-based control interface directly (src/common/wpa_ctrl.c provides
helper functions for using the interface) or by calling hostapd_cli.
Example command to add a PIN (12345670) for an Enrollee:
hostapd_cli wps_pin 53b63a98-d29e-4457-a2ed-094d7e6a669c 12345670
If the UUID-E is not available (e.g., Enrollee waits for the Registrar
to be selected before connecting), wildcard UUID may be used to allow
the PIN to be used once with any UUID:
hostapd_cli wps_pin any 12345670
To reduce likelihood of PIN being used with other devices or of
forgetting an active PIN available for potential attackers, expiration
time in seconds can be set for the new PIN (value 0 indicates no
expiration):
hostapd_cli wps_pin any 12345670 300
If the MAC address of the enrollee is known, it should be configured
to allow the AP to advertise list of authorized enrollees:
hostapd_cli wps_pin 53b63a98-d29e-4457-a2ed-094d7e6a669c \
12345670 300 00:11:22:33:44:55
After this, the Enrollee can connect to the AP again and complete WPS
negotiation. At that point, a new, random WPA PSK is generated for the
client device and the client can then use that key to connect to the
AP to access the network.
If the AP includes a pushbutton, WPS PBC mode can be used. It is
enabled by pushing a button on both the AP and the client at about the
same time (2 minute window). hostapd needs to be notified about the AP
button pushed event over the control interface, e.g., by calling
hostapd_cli:
hostapd_cli wps_pbc
At this point, the client has two minutes to complete WPS negotiation
which will generate a new WPA PSK in the same way as the PIN method
described above.
When an external Registrar is used, the AP can act as an Enrollee and
use its AP PIN. A static AP PIN (e.g., one one a label in the AP
device) can be configured in hostapd.conf (ap_pin parameter). A more
secure option is to use hostapd_cli wps_ap_pin command to enable the
AP PIN only based on user action (and even better security by using a
random AP PIN for each session, i.e., by using "wps_ap_pin random"
command with a timeout value). Following commands are available for
managing the dynamic AP PIN operations:
hostapd_cli wps_ap_pin disable
- disable AP PIN (i.e., do not allow external Registrars to use it to
learn the current AP settings or to reconfigure the AP)
hostapd_cli wps_ap_pin random [timeout]
- generate a random AP PIN and enable it
- if the optional timeout parameter is given, the AP PIN will be enabled
for the specified number of seconds
hostapd_cli wps_ap_pin get
- fetch the current AP PIN
hostapd_cli wps_ap_pin set <PIN> [timeout]
- set the AP PIN and enable it
- if the optional timeout parameter is given, the AP PIN will be enabled
for the specified number of seconds
hostapd_cli get_config
- display the current configuration
hostapd_cli wps_config <new SSID> <auth> <encr> <new key>
examples:
hostapd_cli wps_config testing WPA2PSK CCMP 12345678
hostapd_cli wps_config "no security" OPEN NONE ""
<auth> must be one of the following: OPEN WPAPSK WPA2PSK
<encr> must be one of the following: NONE WEP TKIP CCMP
Credential generation and configuration changes
-----------------------------------------------
By default, hostapd generates credentials for Enrollees and processing
AP configuration updates internally. However, it is possible to
control these operations from external programs, if desired.
The internal credential generation can be disabled with
skip_cred_build=1 option in the configuration. extra_cred option will
then need to be used to provide pre-configured Credential attribute(s)
for hostapd to use. The exact data from this binary file will be sent,
i.e., it will have to include valid WPS attributes. extra_cred can
also be used to add additional networks if the Registrar is used to
configure credentials for multiple networks.
Processing of received configuration updates can be disabled with
wps_cred_processing=1 option. When this is used, an external program
is responsible for creating hostapd configuration files and processing
configuration updates based on messages received from hostapd over
control interface. This will also include the initial configuration on
first successful registration if the AP is initially set in
unconfigured state.
Following control interface messages are sent out for external programs:
WPS-REG-SUCCESS <Enrollee MAC address <UUID-E>
For example:
<2>WPS-REG-SUCCESS 02:66:a0:ee:17:27 2b7093f1-d6fb-5108-adbb-bea66bb87333
This can be used to trigger change from unconfigured to configured
state (random configuration based on the first successful WPS
registration). In addition, this can be used to update AP UI about the
status of WPS registration progress.
WPS-NEW-AP-SETTINGS <hexdump of AP Setup attributes>
For example:
<2>WPS-NEW-AP-SETTINGS 10260001011045000c6a6b6d2d7770732d74657374100300020020100f00020008102700403065346230343536633236366665306433396164313535346131663462663731323433376163666462376633393965353466316631623032306164343438623510200006024231cede15101e000844
This can be used to update the externally stored AP configuration and
then update hostapd configuration (followed by restarting of hostapd).
WPS with NFC
------------
WPS can be used with NFC-based configuration method. An NFC tag
containing a password token from the Enrollee can be used to
authenticate the connection instead of the PIN. In addition, an NFC tag
with a configuration token can be used to transfer AP settings without
going through the WPS protocol.
When the AP acts as an Enrollee, a local NFC tag with a password token
can be used by touching the NFC interface of an external Registrar. The
wps_nfc_token command is used to manage use of the NFC password token
from the AP. "wps_nfc_token enable" enables the use of the AP's NFC
password token (in place of AP PIN) and "wps_nfc_token disable" disables
the NFC password token.
The NFC password token that is either pre-configured in the
configuration file (wps_nfc_dev_pw_id, wps_nfc_dh_pubkey,
wps_nfc_dh_privkey, wps_nfc_dev_pw) or generated dynamically with
"wps_nfc_token <WPS|NDEF>" command. The nfc_pw_token tool from
wpa_supplicant can be used to generate NFC password tokens during
manufacturing (each AP needs to have its own random keys).
The "wps_nfc_config_token <WPS/NDEF>" command can be used to build an
NFC configuration token. The output value from this command is a hexdump
of the current AP configuration (WPS parameter requests this to include
only the WPS attributes; NDEF parameter requests additional NDEF
encapsulation to be included). This data needs to be written to an NFC
tag with an external program. Once written, the NFC configuration token
can be used to touch an NFC interface on a station to provision the
credentials needed to access the network.
When the NFC device on the AP reads an NFC tag with a MIME media type
"application/vnd.wfa.wsc", the NDEF message payload (with or without
NDEF encapsulation) can be delivered to hostapd using the
following hostapd_cli command:
wps_nfc_tag_read <hexdump of payload>
If the NFC tag contains a password token, the token is added to the
internal Registrar. This allows station Enrollee from which the password
token was received to run through WPS protocol to provision the
credential.
external/hostap/hostapd/android.config
Vendored
+190
View File
@@ -0,0 +1,190 @@
# Example hostapd build time configuration
#
# This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option
# lines must be commented out complete, if they are not to be included, i.e.,
# just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cass, these lines should use += in order not
# to override previous values of the variables.
# Driver interface for Host AP driver
#CONFIG_DRIVER_HOSTAP=y
# Driver interface for wired authenticator
#CONFIG_DRIVER_WIRED=y
# Driver interface for madwifi driver
#CONFIG_DRIVER_MADWIFI=y
#CFLAGS += -I../../madwifi # change to the madwifi source directory
# Driver interface for drivers using the nl80211 kernel interface
#CONFIG_DRIVER_NL80211=y
# driver_nl80211.c requires a rather new libnl (version 1.1) which may not be
# shipped with your distribution yet. If that is the case, you need to build
# newer libnl version and point the hostapd build to use it.
#LIBNL=/usr/src/libnl
#CFLAGS += -I$(LIBNL)/include
#LIBS += -L$(LIBNL)/lib
CONFIG_LIBNL20=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for no driver (e.g., RADIUS server only)
#CONFIG_DRIVER_NONE=y
# IEEE 802.11F/IAPP
#CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication
#CONFIG_RSN_PREAUTH=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
#CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection)
# This version is an experimental implementation based on IEEE 802.11w/D1.0
# draft and is subject to change since the standard has not yet been finalized.
# Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y
# Integrated EAP server
#CONFIG_EAP=y
# EAP-MD5 for the integrated EAP server
#CONFIG_EAP_MD5=y
# EAP-TLS for the integrated EAP server
#CONFIG_EAP_TLS=y
# EAP-MSCHAPv2 for the integrated EAP server
#CONFIG_EAP_MSCHAPV2=y
# EAP-PEAP for the integrated EAP server
#CONFIG_EAP_PEAP=y
# EAP-GTC for the integrated EAP server
#CONFIG_EAP_GTC=y
# EAP-TTLS for the integrated EAP server
#CONFIG_EAP_TTLS=y
# EAP-SIM for the integrated EAP server
#CONFIG_EAP_SIM=y
# EAP-AKA for the integrated EAP server
#CONFIG_EAP_AKA=y
# EAP-AKA' for the integrated EAP server
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# EAP-PAX for the integrated EAP server
#CONFIG_EAP_PAX=y
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
# EAP-SAKE for the integrated EAP server
#CONFIG_EAP_SAKE=y
# EAP-GPSK for the integrated EAP server
#CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
#CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server
# Note: Default OpenSSL package does not include support for all the
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
# the OpenSSL library must be patched (openssl-0.9.9-session-ticket.patch)
# to add the needed functions.
#CONFIG_EAP_FAST=y
# Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y
# Enable WSC 2.0 support
CONFIG_WPS2=y
# Enable UPnP support for external WPS Registrars
#CONFIG_WPS_UPNP=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
# Trusted Network Connect (EAP-TNC)
#CONFIG_EAP_TNC=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
# RADIUS authentication server. This provides access to the integrated EAP
# server from external hosts using RADIUS.
#CONFIG_RADIUS_SERVER=y
# Build IPv6 support for RADIUS operations
CONFIG_IPV6=y
# IEEE Std 802.11r-2008 (Fast BSS Transition)
#CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211)
#CONFIG_DRIVER_RADIUS_ACL=y
# IEEE 802.11n (High Throughput) support
CONFIG_IEEE80211N=y
# Remove debugging code that is printing out debug messages to stdout.
# This can be used to reduce the size of the hostapd considerably if debugging
# code is not needed.
#CONFIG_NO_STDOUT_DEBUG=y
# Add support for writing debug log to Android logcat instead of standard output
CONFIG_ANDROID_LOG=y
# Remove support for RADIUS accounting
#CONFIG_NO_ACCOUNTING=y
# Remove support for RADIUS
CONFIG_NO_RADIUS=y
# Remove support for VLANs
#CONFIG_NO_VLAN=y
# Remove support for dumping state into a file on SIGUSR1 signal
# This can be used to reduce binary size at the cost of disabling a debugging
# option.
#CONFIG_NO_DUMP_STATE=y
# Select wrapper for operatins system and C library specific functions
# unix = UNIX/POSIX like systems (default)
# win32 = Windows systems
# none = Empty template
CONFIG_OS=unix
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, comment out these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# Enable AP
CONFIG_AP=y
external/hostap/hostapd/config/ar6k-all.conf
Vendored
+27
View File
@@ -0,0 +1,27 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K-RSN-WPA
channel_num=1
ignore_broadcast_ssid=0
##### WPA related configuration ############################
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=1234567890
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH =4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-ap-all.conf
Vendored
+31
View File
@@ -0,0 +1,31 @@
##### Interface & driver configuration #####################
interface=wlan0
bridge=bridge0
driver=ar6000
ctrl_interface=/var/run/hostapd
##### IEEE 802.11 related configuration ####################
ssid=QSoftAP
channel_num=1
ignore_broadcast_ssid=0
# Maximum number of stations that can be connected to this interface
# Default value is 10
#max_num_sta=5
##### WPA related configuration ############################
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=1234567890
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH =4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-ap1-all.conf
Vendored
+32
View File
@@ -0,0 +1,32 @@
##### Interface & driver configuration #####################
interface=wlan1
#Commenting the bridge interface for now
bridge=bridge0
driver=ar6000
ctrl_interface=/var/run/hostapd
##### IEEE 802.11 related configuration ####################
ssid=QSoftAP1
channel_num=1
ignore_broadcast_ssid=0
# Maximum number of stations that can be connected to this interface
# Default value is 10
max_num_sta=5
##### WPA related configuration ############################
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=1234567890
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH =4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-eap-sim-aka.conf
Vendored
+34
View File
@@ -0,0 +1,34 @@
##### Interface & driver configuration #####################
interface=eth0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K
channel_num=6
ignore_broadcast_ssid=0
# Require IEEE 802.1X authorization
ieee8021x=1
own_ip_addr=192.168.2.125
nas_identifier=eap
# RADIUS authentication server
auth_server_addr=192.168.2.116
auth_server_port=1812
auth_server_shared_secret=wifi
acct_server_addr=192.168.2.116
acct_server_port=1812
acct_server_shared_secret=wifi
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
##### ACL configurations ###################################
# 0 - ignore, ACL will be controlled by wmiconfig
# 1 - Disable ACL
# 2 - Deny
# 3 - Allow
############################################################
#macaddr_acl=0
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-open.conf
Vendored
+21
View File
@@ -0,0 +1,21 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K
channel_num=1
ignore_broadcast_ssid=0
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH = 4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-rsn-ccmp.conf
Vendored
+27
View File
@@ -0,0 +1,27 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K-RSN
channel_num=1
ignore_broadcast_ssid=0
##### WPA related configuration ############################
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=1234567890
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH = 4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-wep-open.conf
Vendored
+29
View File
@@ -0,0 +1,29 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K-WEP
channel_num=1
ignore_broadcast_ssid=0
##### WEP releasted configuration ##########################
auth_algs=1
wep_key0=1234567890
wep_key1=0987654321
wep_key2=1111111111
wep_key3=2222222222
wep_default_key=0
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH = 4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-wep-shared.conf
Vendored
+29
View File
@@ -0,0 +1,29 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K-SHARED
channel_num=1
ignore_broadcast_ssid=0
##### WEP releasted configuration ##########################
auth_algs=2
wep_key0=1234567890
wep_key1=0987654321
wep_key2=1111111111
wep_key3=2222222222
wep_default_key=0
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH = 4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-wpa-tkip.conf
Vendored
+27
View File
@@ -0,0 +1,27 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K-WPA
channel_num=1
ignore_broadcast_ssid=0
##### WPA related configuration ############################
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=1234567890
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH = 4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-wps-manual-psk.conf
Vendored
+42
View File
@@ -0,0 +1,42 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
#upnp_iface=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K-WPS
channel_num=1
ignore_broadcast_ssid=0
##### WPA related configuration ############################
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=1234567890
##### WPS configurations ###################################
wps_state=2
ap_pin=12345670
eap_server=1
ap_setup_locked=0
device_name=AR6K-AP
manufacturer=QUALCOMM
model_name=AR600x
device_type=6-0050F204-1
config_methods=label display push_button keypad ethernet
friendly_name=AR6K-WPS-AP
wps_pin_requests=/var/run/hostapd.pin-req
ctrl_interface=/var/run/hostapd
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH = 4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ar6k-wps-oob.conf
Vendored
+41
View File
@@ -0,0 +1,41 @@
##### Interface & driver configuration #####################
interface=eth0
#Commenting the bridge interface for now
#bridge=br0
#upnp_iface=br0
driver=ar6000
##### IEEE 802.11 related configuration ####################
ssid=AR6K-WPS
channel_num=1
ignore_broadcast_ssid=0
##### WPA related configuration ############################
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
##### WPS configurations ###################################
wps_state=2
ap_pin=12345670
eap_server=1
ap_setup_locked=0
device_name=AR6K-AP
manufacturer=QUALCOMM
model_name=AR600x
device_type=6-0050F204-1
config_methods=label display push_button keypad ethernet
friendly_name=AR6K-WPS-AP
wps_pin_requests=/var/run/hostapd.pin-req
ctrl_interface=/var/run/hostapd
##### ACL configurations ###################################
# DISABLE_MAC_ACL = 1
# ACCEPT_UNLESS_DENIED =2
# DENY_UNLESS_ACCEPTED = 3
# USE_EXTERNAL_RADIUS_AUTH = 4
############################################################
#macaddr_acl=1
#deny_mac_file=/opt/deny
#accept_mac_file=/opt/accept
external/hostap/hostapd/config/ath6kl-ap-all.conf
Vendored
+88
View File
@@ -0,0 +1,88 @@
##### hostapd configuration file ##############################################
interface=wlan0
#bridge=bridge0
driver=nl80211
ctrl_interface=/var/run/hostapd
# SSID to be used in IEEE 802.11 management frames
ssid=QSoftAP
# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
country_code=US
# Operation mode (1 = IEEE 802.11a, 2 = IEEE 802.11g, 4 = IEEE 802.11b,
# Default: 2 = IEEE 802.11g
wmode=2
# Channel number (IEEE 802.11)
# If auto_chan_select is set channel number is ignored
channel=1
# Best channel select (1 = Best of Channels(1,6,11), 2 = Best of Channels(1,6))
# Default value is 0
#auto_chan_select=1
# Maximum number of stations that can be connected to this interface
# Default value is 15
#max_num_sta=10
# Station MAC address -based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
# Drivers which have support for access control can advertise the capability
# and these acl configurations are set to driver.
# 2 = accept unless in deny list
# 3 = deny unless in accept list
# 4 = use external RADIUS server (accept/deny lists are searched first)
#macaddr_acl=2
#deny_mac_file=<file>
#accept_mac_file=<file>
# Overlapping BSS scan interval configuration for HT 20/40 co-existance.
# It applies only for 2.4Ghz mode. The Default value is 300
#obss_scan_interval=300
# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
beacon_int=100
# Client isolation can be used to prevent low-level bridging of frames between
# associated stations in the BSS. By default, this bridging is allowed.
#ap_isolate=1
##### IEEE 802.11n related configuration ######################################
# ieee80211n: Whether IEEE 802.11n (HT) is enabled
# 0 = disabled (default)
# 1 = enabled
# Note: You will also need to enable WMM for full HT functionality.
ieee80211n=1
# HT capabilities
#ht_capab=[HT40-][HT40+][SHORT-GI-20][SHORT-GI-40]
# ht2040_coex_disable: Whether to Disable HT20/40 CoEx or not. if this
# entry is removed, it is same as the value set to 0 (i.e) HT20/40
# CoEx is enabled.
# Please note that Disabling HT20/40 CoEx is violation of standard,
# However, it is customer choice or responsiblity to enable or disable.
# Some of the customer prefers to disable even though it is not recommened
# by standard.
# 0 = enable (default)
# 1 = disable
# The station can associate again with the AP if it is still in range;
# this inactivity poll is just used as a nicer way of verifying
# inactivity; i.e., client will not report broken connection because
# disassociation frame is not sent immediately without first polling
# the STA with a data frame.
# default: 300 (i.e., 5 minutes)
#ap_max_inactivity=300
##### WPA related configuration ############################
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=1234567890
external/hostap/hostapd/config/ath6kl-ap1-all.conf
Vendored
+88
View File
@@ -0,0 +1,88 @@
##### hostapd configuration file ##############################################
interface=wlan1
#bridge=bridge0
driver=nl80211
ctrl_interface=/var/run/hostapd
# SSID to be used in IEEE 802.11 management frames
ssid=QSoftAP1
# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
country_code=US
# Operation mode (1 = IEEE 802.11a, 2 = IEEE 802.11g, 4 = IEEE 802.11b,
# Default: 2 = IEEE 802.11g
wmode=1
# Channel number (IEEE 802.11)
# If auto_chan_select is set channel number is ignored
channel=36
# Best channel select (1 = Best of Channels(1,6,11), 2 = Best of Channels(1,6))
# Default value is 0
#auto_chan_select=1
# Maximum number of stations that can be connected to this interface
# Default value is 0
max_num_sta=5
# Station MAC address -based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=nl80211, but not with driver=madwifi.
# Drivers which have support for access control can advertise the capability
# and these acl configurations are set to driver.
# 2 = accept unless in deny list
# 3 = deny unless in accept list
# 4 = use external RADIUS server (accept/deny lists are searched first)
#macaddr_acl=2
#deny_mac_file=<file>
#accept_mac_file=<file>
# Overlapping BSS scan interval configuration for HT 20/40 co-existance.
# It applies only for 2.4Ghz mode. The Default value is 300
#obss_scan_interval=300
# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
beacon_int=100
# Client isolation can be used to prevent low-level bridging of frames between
# associated stations in the BSS. By default, this bridging is allowed.
#ap_isolate=1
##### IEEE 802.11n related configuration ######################################
# ieee80211n: Whether IEEE 802.11n (HT) is enabled
# 0 = disabled (default)
# 1 = enabled
# Note: You will also need to enable WMM for full HT functionality.
ieee80211n=1
# HT capabilities
#ht_capab=[HT40-][HT40+][SHORT-GI-20][SHORT-GI-40]
# ht2040_coex_disable: Whether to Disable HT20/40 CoEx or not. if this
# entry is removed, it is same as the value set to 0 (i.e) HT20/40
# CoEx is enabled.
# Please note that Disabling HT20/40 CoEx is violation of standard,
# However, it is customer choice or responsiblity to enable or disable.
# Some of the customer prefers to disable even though it is not recommened
# by standard.
# 0 = enable (default)
# 1 = disable
# The station can associate again with the AP if it is still in range;
# this inactivity poll is just used as a nicer way of verifying
# inactivity; i.e., client will not report broken connection because
# disassociation frame is not sent immediately without first polling
# the STA with a data frame.
# default: 300 (i.e., 5 minutes)
#ap_max_inactivity=300
##### WPA related configuration ############################
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=1234567890
external/hostap/hostapd/config/tp-ath6kl-ap-all-7350-series.conf
Vendored
+15
View File
@@ -0,0 +1,15 @@
interface=wlan0
bridge=bridge0
driver=nl80211
ctrl_interface=/var/run/hostapd
wmode=2
channel=0
auto_chan_select=2
auth_algs=1
ignore_broadcast_ssid=0
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
require_ht=0
max_num_sta=15
macaddr_acl=3
deny_mac_file=/etc/config/hostapd.deny
external/hostap/hostapd/config/tp-ath6kl-ap-all-7350-series.deny
Vendored
View File
external/hostap/hostapd/config/tp-ath6kl-ap-all.conf
Vendored
+13
View File
@@ -0,0 +1,13 @@
interface=wlan0
bridge=bridge0
driver=nl80211
ctrl_interface=/var/run/hostapd
wmode=2
channel=0
auto_chan_select=2
auth_algs=1
ignore_broadcast_ssid=0
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
require_ht=0
max_num_sta=15
external/hostap/hostapd/config_file.c
Vendored
+3397
View File
File diff suppressed because it is too large Load Diff
external/hostap/hostapd/config_file.h
Vendored
+17
View File
@@ -0,0 +1,17 @@
/*
* hostapd / Configuration file parser
* Copyright (c) 2003-2009, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#ifndef CONFIG_FILE_H
#define CONFIG_FILE_H
struct hostapd_config * hostapd_config_read(const char *fname);
int hostapd_set_iface(struct hostapd_config *conf,
struct hostapd_bss_config *bss, char *field,
char *value);
#endif /* CONFIG_FILE_H */
external/hostap/hostapd/ctrl_iface.c
Vendored
+1514
View File
File diff suppressed because it is too large Load Diff
external/hostap/hostapd/ctrl_iface.h
Vendored
+39
View File
@@ -0,0 +1,39 @@
/*
* hostapd / UNIX domain socket -based control interface
* Copyright (c) 2004, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#ifndef CTRL_IFACE_H
#define CTRL_IFACE_H
#ifndef CONFIG_NO_CTRL_IFACE
int hostapd_ctrl_iface_init(struct hostapd_data *hapd);
void hostapd_ctrl_iface_deinit(struct hostapd_data *hapd);
int hostapd_global_ctrl_iface_init(struct hapd_interfaces *interface);
void hostapd_global_ctrl_iface_deinit(struct hapd_interfaces *interface);
#else /* CONFIG_NO_CTRL_IFACE */
static inline int hostapd_ctrl_iface_init(struct hostapd_data *hapd)
{
return 0;
}
static inline void hostapd_ctrl_iface_deinit(struct hostapd_data *hapd)
{
}
static inline int
hostapd_global_ctrl_iface_init(struct hapd_interfaces *interface)
{
return 0;
}
static inline void
hostapd_global_ctrl_iface_deinit(struct hapd_interfaces *interface)
{
}
#endif /* CONFIG_NO_CTRL_IFACE */
#endif /* CTRL_IFACE_H */
external/hostap/hostapd/defconfig
Vendored
+269
View File
@@ -0,0 +1,269 @@
# Example hostapd build time configuration
#
# This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option
# lines must be commented out complete, if they are not to be included, i.e.,
# just setting VARIABLE=n is not disabling that variable.
#
# This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cass, these lines should use += in order not
# to override previous values of the variables.
# Driver interface for Host AP driver
CONFIG_DRIVER_HOSTAP=y
# Driver interface for wired authenticator
#CONFIG_DRIVER_WIRED=y
# Driver interface for madwifi driver
#CONFIG_DRIVER_MADWIFI=y
#CFLAGS += -I../../madwifi # change to the madwifi source directory
# Driver interface for drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for no driver (e.g., RADIUS server only)
#CONFIG_DRIVER_NONE=y
# IEEE 802.11F/IAPP
CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection)
# This version is an experimental implementation based on IEEE 802.11w/D1.0
# draft and is subject to change since the standard has not yet been finalized.
# Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y
# Integrated EAP server
CONFIG_EAP=y
# EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y
# EAP-TLS for the integrated EAP server
CONFIG_EAP_TLS=y
# EAP-MSCHAPv2 for the integrated EAP server
CONFIG_EAP_MSCHAPV2=y
# EAP-PEAP for the integrated EAP server
CONFIG_EAP_PEAP=y
# EAP-GTC for the integrated EAP server
CONFIG_EAP_GTC=y
# EAP-TTLS for the integrated EAP server
CONFIG_EAP_TTLS=y
# EAP-SIM for the integrated EAP server
#CONFIG_EAP_SIM=y
# EAP-AKA for the integrated EAP server
#CONFIG_EAP_AKA=y
# EAP-AKA' for the integrated EAP server
# This requires CONFIG_EAP_AKA to be enabled, too.
#CONFIG_EAP_AKA_PRIME=y
# EAP-PAX for the integrated EAP server
#CONFIG_EAP_PAX=y
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y
# EAP-pwd for the integrated EAP server (secure authentication with a password)
#CONFIG_EAP_PWD=y
# EAP-SAKE for the integrated EAP server
#CONFIG_EAP_SAKE=y
# EAP-GPSK for the integrated EAP server
#CONFIG_EAP_GPSK=y
# Include support for optional SHA256 cipher suite in EAP-GPSK
#CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server
# Note: Default OpenSSL package does not include support for all the
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
# the OpenSSL library must be patched (openssl-0.9.9-session-ticket.patch)
# to add the needed functions.
#CONFIG_EAP_FAST=y
# Wi-Fi Protected Setup (WPS)
#CONFIG_WPS=y
# Enable WSC 2.0 support
#CONFIG_WPS2=y
# Enable UPnP support for external WPS Registrars
#CONFIG_WPS_UPNP=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
# Trusted Network Connect (EAP-TNC)
#CONFIG_EAP_TNC=y
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
# RADIUS authentication server. This provides access to the integrated EAP
# server from external hosts using RADIUS.
#CONFIG_RADIUS_SERVER=y
# Build IPv6 support for RADIUS operations
CONFIG_IPV6=y
# IEEE Std 802.11r-2008 (Fast BSS Transition)
#CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g., madwifi or FreeBSD/net80211)
#CONFIG_DRIVER_RADIUS_ACL=y
# IEEE 802.11n (High Throughput) support
#CONFIG_IEEE80211N=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# IEEE 802.11ac (Very High Throughput) support
#CONFIG_IEEE80211AC=y
# Remove debugging code that is printing out debug messages to stdout.
# This can be used to reduce the size of the hostapd considerably if debugging
# code is not needed.
#CONFIG_NO_STDOUT_DEBUG=y
# Add support for writing debug log to a file: -f /tmp/hostapd.log
# Disabled by default.
#CONFIG_DEBUG_FILE=y
# Remove support for RADIUS accounting
#CONFIG_NO_ACCOUNTING=y
# Remove support for RADIUS
#CONFIG_NO_RADIUS=y
# Remove support for VLANs
#CONFIG_NO_VLAN=y
# Enable support for fully dynamic VLANs. This enables hostapd to
# automatically create bridge and VLAN interfaces if necessary.
#CONFIG_FULL_DYNAMIC_VLAN=y
# Use netlink-based kernel API for VLAN operations instead of ioctl()
# Note: This requires libnl 3.1 or newer.
#CONFIG_VLAN_NETLINK=y
# Remove support for dumping state into a file on SIGUSR1 signal
# This can be used to reduce binary size at the cost of disabling a debugging
# option.
#CONFIG_NO_DUMP_STATE=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, comment out these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# hostapd depends on strong random number generation being available from the
# operating system. os_get_random() function is used to fetch random data when
# needed, e.g., for key generation. On Linux and BSD systems, this works by
# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
# properly initialized before hostapd is started. This is important especially
# on embedded devices that do not have a hardware random number generator and
# may by default start up with minimal entropy available for random number
# generation.
#
# As a safety net, hostapd is by default trying to internally collect
# additional entropy for generating random data to mix in with the data
# fetched from the OS. This by itself is not considered to be very strong, but
# it may help in cases where the system pool is not initialized properly.
# However, it is very strongly recommended that the system pool is initialized
# with enough entropy either by using hardware assisted random number
# generator or by storing state over device reboots.
#
# hostapd can be configured to maintain its own entropy store over restarts to
# enhance random number generation. This is not perfect, but it is much more
# secure than using the same sequence of random numbers after every reboot.
# This can be enabled with -e<entropy file> command line option. The specified
# file needs to be readable and writable by hostapd.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal hostapd random pool can be disabled.
# This will save some in binary size and CPU use. However, this should only be
# considered for builds that are known to be used on devices that meet the
# requirements described above.
#CONFIG_NO_RANDOM_POOL=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# none = Empty template
#CONFIG_TLS=openssl
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used.
#CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms.
#CONFIG_TLSV12=y
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
#CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks.
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable SQLite database support in hlr_auc_gw
#CONFIG_SQLITE=y
external/hostap/hostapd/dump_state.c
Vendored
+180
View File
@@ -0,0 +1,180 @@
/*
* hostapd / State dump
* Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "utils/includes.h"
#include <time.h>
#include "utils/common.h"
#include "radius/radius_client.h"
#include "radius/radius_server.h"
#include "eapol_auth/eapol_auth_sm.h"
#include "eapol_auth/eapol_auth_sm_i.h"
#include "eap_server/eap.h"
#include "ap/hostapd.h"
#include "ap/ap_config.h"
#include "ap/sta_info.h"
#include "dump_state.h"
static void fprint_char(FILE *f, char c)
{
if (c >= 32 && c < 127)
fprintf(f, "%c", c);
else
fprintf(f, "<%02x>", c);
}
static void ieee802_1x_dump_state(FILE *f, const char *prefix,
struct sta_info *sta)
{
struct eapol_state_machine *sm = sta->eapol_sm;
if (sm == NULL)
return;
fprintf(f, "%sIEEE 802.1X:\n", prefix);
if (sm->identity) {
size_t i;
fprintf(f, "%sidentity=", prefix);
for (i = 0; i < sm->identity_len; i++)
fprint_char(f, sm->identity[i]);
fprintf(f, "\n");
}
fprintf(f, "%slast EAP type: Authentication Server: %d (%s) "
"Supplicant: %d (%s)\n", prefix,
sm->eap_type_authsrv,
eap_server_get_name(0, sm->eap_type_authsrv),
sm->eap_type_supp, eap_server_get_name(0, sm->eap_type_supp));
fprintf(f, "%scached_packets=%s\n", prefix,
sm->last_recv_radius ? "[RX RADIUS]" : "");
eapol_auth_dump_state(f, prefix, sm);
}
/**
* hostapd_dump_state - SIGUSR1 handler to dump hostapd state to a text file
*/
static void hostapd_dump_state(struct hostapd_data *hapd)
{
FILE *f;
time_t now;
struct sta_info *sta;
int i;
#ifndef CONFIG_NO_RADIUS
char *buf;
#endif /* CONFIG_NO_RADIUS */
if (!hapd->conf->dump_log_name) {
wpa_printf(MSG_DEBUG, "Dump file not defined - ignoring dump "
"request");
return;
}
wpa_printf(MSG_DEBUG, "Dumping hostapd state to '%s'",
hapd->conf->dump_log_name);
f = fopen(hapd->conf->dump_log_name, "w");
if (f == NULL) {
wpa_printf(MSG_WARNING, "Could not open dump file '%s' for "
"writing.", hapd->conf->dump_log_name);
return;
}
time(&now);
fprintf(f, "hostapd state dump - %s", ctime(&now));
fprintf(f, "num_sta=%d num_sta_non_erp=%d "
"num_sta_no_short_slot_time=%d\n"
"num_sta_no_short_preamble=%d\n",
hapd->num_sta, hapd->iface->num_sta_non_erp,
hapd->iface->num_sta_no_short_slot_time,
hapd->iface->num_sta_no_short_preamble);
for (sta = hapd->sta_list; sta != NULL; sta = sta->next) {
fprintf(f, "\nSTA=" MACSTR "\n", MAC2STR(sta->addr));
fprintf(f,
" AID=%d flags=0x%x %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"
"\n"
" capability=0x%x listen_interval=%d\n",
sta->aid,
sta->flags,
(sta->flags & WLAN_STA_AUTH ? "[AUTH]" : ""),
(sta->flags & WLAN_STA_ASSOC ? "[ASSOC]" : ""),
(sta->flags & WLAN_STA_PS ? "[PS]" : ""),
(sta->flags & WLAN_STA_TIM ? "[TIM]" : ""),
(sta->flags & WLAN_STA_PERM ? "[PERM]" : ""),
(ap_sta_is_authorized(sta) ? "[AUTHORIZED]" : ""),
(sta->flags & WLAN_STA_PENDING_POLL ? "[PENDING_POLL" :
""),
(sta->flags & WLAN_STA_SHORT_PREAMBLE ?
"[SHORT_PREAMBLE]" : ""),
(sta->flags & WLAN_STA_PREAUTH ? "[PREAUTH]" : ""),
(sta->flags & WLAN_STA_WMM ? "[WMM]" : ""),
(sta->flags & WLAN_STA_MFP ? "[MFP]" : ""),
(sta->flags & WLAN_STA_WPS ? "[WPS]" : ""),
(sta->flags & WLAN_STA_MAYBE_WPS ? "[MAYBE_WPS]" : ""),
(sta->flags & WLAN_STA_WDS ? "[WDS]" : ""),
(sta->flags & WLAN_STA_NONERP ? "[NonERP]" : ""),
(sta->flags & WLAN_STA_WPS2 ? "[WPS2]" : ""),
sta->capability,
sta->listen_interval);
fprintf(f, " supported_rates=");
for (i = 0; i < sta->supported_rates_len; i++)
fprintf(f, "%02x ", sta->supported_rates[i]);
fprintf(f, "\n");
fprintf(f,
" timeout_next=%s\n",
(sta->timeout_next == STA_NULLFUNC ? "NULLFUNC POLL" :
(sta->timeout_next == STA_DISASSOC ? "DISASSOC" :
"DEAUTH")));
ieee802_1x_dump_state(f, " ", sta);
}
#ifndef CONFIG_NO_RADIUS
buf = os_malloc(4096);
if (buf) {
int count = radius_client_get_mib(hapd->radius, buf, 4096);
if (count < 0)
count = 0;
else if (count > 4095)
count = 4095;
buf[count] = '\0';
fprintf(f, "%s", buf);
#ifdef RADIUS_SERVER
count = radius_server_get_mib(hapd->radius_srv, buf, 4096);
if (count < 0)
count = 0;
else if (count > 4095)
count = 4095;
buf[count] = '\0';
fprintf(f, "%s", buf);
#endif /* RADIUS_SERVER */
os_free(buf);
}
#endif /* CONFIG_NO_RADIUS */
fclose(f);
}
int handle_dump_state_iface(struct hostapd_iface *iface, void *ctx)
{
size_t i;
for (i = 0; i < iface->num_bss; i++)
hostapd_dump_state(iface->bss[i]);
return 0;
}
external/hostap/hostapd/dump_state.h
Vendored
+14
View File
@@ -0,0 +1,14 @@
/*
* hostapd / State dump
* Copyright (c) 2002-2009, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#ifndef DUMP_STATE_H
#define DUMP_STATE_H
int handle_dump_state_iface(struct hostapd_iface *iface, void *ctx);
#endif /* DUMP_STATE_H */
external/hostap/hostapd/eap_register.c
Vendored
+138
View File
@@ -0,0 +1,138 @@
/*
* EAP method registration
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "eap_server/eap_methods.h"
#include "eap_register.h"
/**
* eap_server_register_methods - Register statically linked EAP server methods
* Returns: 0 on success, -1 or -2 on failure
*
* This function is called at program initialization to register all EAP
* methods that were linked in statically.
*/
int eap_server_register_methods(void)
{
int ret = 0;
#ifdef EAP_SERVER_IDENTITY
if (ret == 0)
ret = eap_server_identity_register();
#endif /* EAP_SERVER_IDENTITY */
#ifdef EAP_SERVER_MD5
if (ret == 0)
ret = eap_server_md5_register();
#endif /* EAP_SERVER_MD5 */
#ifdef EAP_SERVER_TLS
if (ret == 0)
ret = eap_server_tls_register();
#endif /* EAP_SERVER_TLS */
#ifdef EAP_SERVER_UNAUTH_TLS
if (ret == 0)
ret = eap_server_unauth_tls_register();
#endif /* EAP_SERVER_TLS */
#ifdef EAP_SERVER_MSCHAPV2
if (ret == 0)
ret = eap_server_mschapv2_register();
#endif /* EAP_SERVER_MSCHAPV2 */
#ifdef EAP_SERVER_PEAP
if (ret == 0)
ret = eap_server_peap_register();
#endif /* EAP_SERVER_PEAP */
#ifdef EAP_SERVER_TLV
if (ret == 0)
ret = eap_server_tlv_register();
#endif /* EAP_SERVER_TLV */
#ifdef EAP_SERVER_GTC
if (ret == 0)
ret = eap_server_gtc_register();
#endif /* EAP_SERVER_GTC */
#ifdef EAP_SERVER_TTLS
if (ret == 0)
ret = eap_server_ttls_register();
#endif /* EAP_SERVER_TTLS */
#ifdef EAP_SERVER_SIM
if (ret == 0)
ret = eap_server_sim_register();
#endif /* EAP_SERVER_SIM */
#ifdef EAP_SERVER_AKA
if (ret == 0)
ret = eap_server_aka_register();
#endif /* EAP_SERVER_AKA */
#ifdef EAP_SERVER_AKA_PRIME
if (ret == 0)
ret = eap_server_aka_prime_register();
#endif /* EAP_SERVER_AKA_PRIME */
#ifdef EAP_SERVER_PAX
if (ret == 0)
ret = eap_server_pax_register();
#endif /* EAP_SERVER_PAX */
#ifdef EAP_SERVER_PSK
if (ret == 0)
ret = eap_server_psk_register();
#endif /* EAP_SERVER_PSK */
#ifdef EAP_SERVER_SAKE
if (ret == 0)
ret = eap_server_sake_register();
#endif /* EAP_SERVER_SAKE */
#ifdef EAP_SERVER_GPSK
if (ret == 0)
ret = eap_server_gpsk_register();
#endif /* EAP_SERVER_GPSK */
#ifdef EAP_SERVER_VENDOR_TEST
if (ret == 0)
ret = eap_server_vendor_test_register();
#endif /* EAP_SERVER_VENDOR_TEST */
#ifdef EAP_SERVER_FAST
if (ret == 0)
ret = eap_server_fast_register();
#endif /* EAP_SERVER_FAST */
#ifdef EAP_SERVER_WSC
if (ret == 0)
ret = eap_server_wsc_register();
#endif /* EAP_SERVER_WSC */
#ifdef EAP_SERVER_IKEV2
if (ret == 0)
ret = eap_server_ikev2_register();
#endif /* EAP_SERVER_IKEV2 */
#ifdef EAP_SERVER_TNC
if (ret == 0)
ret = eap_server_tnc_register();
#endif /* EAP_SERVER_TNC */
#ifdef EAP_SERVER_PWD
if (ret == 0)
ret = eap_server_pwd_register();
#endif /* EAP_SERVER_PWD */
return ret;
}
external/hostap/hostapd/eap_register.h
Vendored
+14
View File
@@ -0,0 +1,14 @@
/*
* EAP method registration
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#ifndef EAP_REGISTER_H
#define EAP_REGISTER_H
int eap_server_register_methods(void);
#endif /* EAP_REGISTER_H */
external/hostap/hostapd/eap_testing.txt
Vendored
+77
View File
@@ -0,0 +1,77 @@
Interoperability testing of hostapd's IEEE 802.1X/EAPOL authentication
Test matrix
+) tested successfully
F) failed
-) peer did not support
?) not tested
XSupplicant --------------------------------.
Intel PROSet ---------------------------. |
Windows XP -------------------------. | |
Mac OS X 10.4 ------------------. | | |
Nokia S60 ------------------. | | | |
wpa_supplicant ---------. | | | | |
| | | | | |
EAP-MD5 + - ? ? -
EAP-GTC + - ? - -
EAP-MSCHAPv2 + - ? - -
EAP-TLS + + +1 + +
EAP-PEAPv0/MSCHAPv2 + + + + + +
EAP-PEAPv0/GTC + + + - +
EAP-PEAPv0/MD5 + - + - -
EAP-PEAPv0/TLS + F - + +
EAP-PEAPv0/SIM + + - - -
EAP-PEAPv0/AKA + + - - -
EAP-PEAPv0/PSK + - - - -
EAP-PEAPv0/PAX + - - - -
EAP-PEAPv0/SAKE + - - - -
EAP-PEAPv0/GPSK + - - - -
EAP-PEAPv1/MSCHAPv2 + + + - + +
EAP-PEAPv1/GTC + + + - +
EAP-PEAPv1/MD5 + - + - -
EAP-PEAPv1/TLS + F - - +
EAP-PEAPv1/SIM + + - - -
EAP-PEAPv1/AKA + + - - -
EAP-PEAPv1/PSK + - - - -
EAP-PEAPv1/PAX + - - - -
EAP-PEAPv1/SAKE + - - - -
EAP-PEAPv1/GPSK + - - - -
EAP-TTLS/CHAP + - + - + +
EAP-TTLS/MSCHAP + - + - + +
EAP-TTLS/MSCHAPv2 + + + - + +
EAP-TTLS/PAP + - + - + +
EAP-TTLS/EAP-MD5 + - - - - +
EAP-TTLS/EAP-GTC + + - - -
EAP-TTLS/EAP-MSCHAPv2 + + - - -
EAP-TTLS/EAP-TLS + F - - -
EAP-TTLS/EAP-SIM + + - - -
EAP-TTLS/EAP-AKA + + - - -
EAP-TTLS + TNC + - - - -
EAP-SIM + + - - +
EAP-AKA + + - - -
EAP-PAX + - - - -
EAP-SAKE + - - - -
EAP-GPSK + - - - -
EAP-FAST/MSCHAPv2(prov) + - F - F
EAP-FAST/GTC(auth) + - + - +
EAP-FAST/MSCHAPv2(aprov)+ - F - F
EAP-FAST/GTC(aprov) + - F - F
EAP-FAST/MD5(aprov) + - - - -
EAP-FAST/TLS(aprov) + - - - -
EAP-FAST/SIM(aprov) + - - - -
EAP-FAST/AKA(aprov) + - - - -
EAP-FAST/MSCHAPv2(auth) + - + - +
EAP-FAST/MD5(auth) + - + - -
EAP-FAST/TLS(auth) + - - - -
EAP-FAST/SIM(auth) + - - - -
EAP-FAST/AKA(auth) + - - - -
EAP-FAST + TNC + - - - -
EAP-IKEv2 + - - - -
EAP-TNC + - - - -
1) EAP-TLS itself worked, but peer certificate validation failed at
least when using the internal TLS server (peer included incorrect
certificates in the chain?)
external/hostap/hostapd/hlr_auc_gw.c
Vendored
+1031
View File
File diff suppressed because it is too large Load Diff
external/hostap/hostapd/hlr_auc_gw.milenage_db
Vendored
+13
View File
@@ -0,0 +1,13 @@
# Parameters for Milenage (Example algorithms for AKA).
# The example Ki, OPc, and AMF values here are from 3GPP TS 35.208 v6.0.0
# 4.3.20 Test Set 20. SQN is the last used SQN value.
# These values can be used for both UMTS (EAP-AKA) and GSM (EAP-SIM)
# authentication. In case of GSM/EAP-SIM, AMF and SQN values are not used, but
# dummy values will need to be included in this file.
# IMSI Ki OPc AMF SQN
232010000000000 90dca4eda45b53cf0f12d7c9c3bc6a89 cb9cccc4b9258e6dca4760379fb82581 61df 000000000000
# These values are from Test Set 19 which has the AMF separation bit set to 1
# and as such, is suitable for EAP-AKA' test.
555444333222111 5122250214c33e723a5dd523fc145fc0 981d464c7c52eb6e5036234984ad0bcf c3ab 16f3b3f70fc1
external/hostap/hostapd/hlr_auc_gw.txt
Vendored
+104
View File
@@ -0,0 +1,104 @@
HLR/AuC testing gateway for hostapd EAP-SIM/AKA database/authenticator
hlr_auc_gw is an example implementation of the EAP-SIM/AKA/AKA'
database/authentication gateway interface to HLR/AuC. It could be
replaced with an implementation of SS7 gateway to GSM/UMTS
authentication center (HLR/AuC). hostapd will send SIM/AKA
authentication queries over a UNIX domain socket to and external
program, e.g., hlr_auc_gw.
hlr_auc_gw can be configured with GSM and UMTS authentication data with
text files: GSM triplet file (see hostapd.sim_db) and Milenage file (see
hlr_auc_gw.milenage_db). Milenage parameters can be used to generate
dynamic authentication data for EAP-SIM, EAP-AKA, and EAP-AKA' while the
GSM triplet data is used for a more static configuration (e.g., triplets
extracted from a SIM card).
Alternatively, hlr_auc_gw can be built with support for an SQLite
database for more dynamic operations. This is enabled by adding
"CONFIG_SQLITE=y" into hostapd/.config before building hlr_auc_gw ("make
clean; make hlr_auc_gw" in this directory).
hostapd is configured to use hlr_auc_gw with the eap_sim_db parameter in
hostapd.conf (e.g., "eap_sim_db=unix:/tmp/hlr_auc_gw.sock"). hlr_auc_gw
is configured with command line parameters:
hlr_auc_gw [-hu] [-s<socket path>] [-g<triplet file>] [-m<milenage file>] \
[-D<DB file>] [-i<IND len in bits>]
options:
-h = show this usage help
-u = update SQN in Milenage file on exit
-s<socket path> = path for UNIX domain socket
(default: /tmp/hlr_auc_gw.sock)
-g<triplet file> = path for GSM authentication triplets
-m<milenage file> = path for Milenage keys
-D<DB file> = path to SQLite database
-i<IND len in bits> = IND length for SQN (default: 5)
The SQLite database can be initialized with sqlite, e.g., by running
following commands in "sqlite3 /path/to/hlr_auc_gw.db":
CREATE TABLE milenage(
imsi INTEGER PRIMARY KEY NOT NULL,
ki CHAR(32) NOT NULL,
opc CHAR(32) NOT NULL,
amf CHAR(4) NOT NULL,
sqn CHAR(12) NOT NULL
);
INSERT INTO milenage(imsi,ki,opc,amf,sqn) VALUES(
232010000000000,
'90dca4eda45b53cf0f12d7c9c3bc6a89',
'cb9cccc4b9258e6dca4760379fb82581',
'61df',
'000000000000'
);
INSERT INTO milenage(imsi,ki,opc,amf,sqn) VALUES(
555444333222111,
'5122250214c33e723a5dd523fc145fc0',
'981d464c7c52eb6e5036234984ad0bcf',
'c3ab',
'16f3b3f70fc1'
);
hostapd (EAP server) can also be configured to store the EAP-SIM/AKA
pseudonyms and reauth information into a SQLite database. This is
configured with the db parameter within the eap_sim_db configuration
option.
"hlr_auc_gw -D /path/to/hlr_auc_gw.db" can then be used to fetch
Milenage parameters based on IMSI from the database. The database can be
updated dynamically while hlr_auc_gw is running to add/remove/modify
entries.
Example configuration files for hostapd to operate as a RADIUS
authentication server for EAP-SIM/AKA/AKA':
hostapd.conf:
driver=none
radius_server_clients=hostapd.radius_clients
eap_server=1
eap_user_file=hostapd.eap_user
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/tmp/eap_sim.db
eap_sim_aka_result_ind=1
hostapd.radius_clients:
0.0.0.0/0 radius
hostapd.eap_user:
"0"* AKA
"1"* SIM
"2"* AKA
"3"* SIM
"4"* AKA
"5"* SIM
"6"* AKA'
"7"* AKA'
"8"* AKA'
external/hostap/hostapd/hostapd.8
Vendored
+59
View File
@@ -0,0 +1,59 @@
.TH HOSTAPD 8 "April 7, 2005" hostapd hostapd
.SH NAME
hostapd \- IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
.SH SYNOPSIS
.B hostapd
[\-hdBKtv] [\-P <PID file>] <configuration file(s)>
.SH DESCRIPTION
This manual page documents briefly the
.B hostapd
daemon.
.PP
.B hostapd
is a user space daemon for access point and authentication servers.
It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server.
The current version supports Linux (Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).
.B hostapd
is designed to be a "daemon" program that runs in the background and acts as the backend component controlling authentication.
.B hostapd
supports separate frontend programs and an example text-based frontend,
.BR hostapd_cli ,
is included with
.BR hostapd .
.SH OPTIONS
A summary of options is included below.
For a complete description, run
.BR hostapd
from the command line.
.TP
.B \-h
Show usage.
.TP
.B \-d
Show more debug messages.
.TP
.B \-dd
Show even more debug messages.
.TP
.B \-B
Run daemon in the background.
.TP
.B \-P <PID file>
Path to PID file.
.TP
.B \-K
Include key data in debug messages.
.TP
.B \-t
Include timestamps in some debug messages.
.TP
.B \-v
Show hostapd version.
.SH SEE ALSO
.BR hostapd_cli (1).
.SH AUTHOR
hostapd was written by Jouni Malinen <j@w1.fi>.
.PP
This manual page was written by Faidon Liambotis <faidon@cube.gr>,
for the Debian project (but may be used by others).
external/hostap/hostapd/hostapd.accept
Vendored
+6
View File
@@ -0,0 +1,6 @@
# List of MAC addresses that are allowed to authenticate (IEEE 802.11)
# with the AP. Optional VLAN ID can be assigned for clients based on the
# MAC address if dynamic VLANs (hostapd.conf dynamic_vlan option) are used.
00:11:22:33:44:55
00:66:77:88:99:aa
00:00:22:33:44:55 1
external/hostap/hostapd/hostapd.conf
Vendored
+1512
View File
File diff suppressed because it is too large Load Diff
external/hostap/hostapd/hostapd.deny
Vendored
+5
View File
@@ -0,0 +1,5 @@
# List of MAC addresses that are not allowed to authenticate (IEEE 802.11)
# with the AP.
00:20:30:40:50:60
00:ab:cd:ef:12:34
00:00:30:40:50:60
external/hostap/hostapd/hostapd.eap_user
Vendored
+97
View File
@@ -0,0 +1,97 @@
# hostapd user database for integrated EAP server
# Each line must contain an identity, EAP method(s), and an optional password
# separated with whitespace (space or tab). The identity and password must be
# double quoted ("user"). Password can alternatively be stored as
# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
# that the plaintext password does not need to be included in the user file.
# Password hash is stored as hash:<16-octets of hex data> without quotation
# marks.
# [2] flag in the end of the line can be used to mark users for tunneled phase
# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
# identity can be used in the unencrypted phase 1 and the real user identity
# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
# access is needed, two user entries is needed, one for phase 1 and another
# with the same username for phase 2.
#
# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
# password option.
# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
# password.
# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
#
# * can be used as a wildcard to match any user identity. The main purposes for
# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
# avoid having to configure every certificate for EAP-TLS authentication. The
# first matching entry is selected, so * should be used as the last phase 1
# user entry.
#
# "prefix"* can be used to match the given prefix and anything after this. The
# main purpose for this is to be able to avoid EAP method negotiation when the
# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
# is only allowed for phase 1 identities.
#
# Multiple methods can be configured to make the authenticator try them one by
# one until the peer accepts one. The method names are separated with a
# comma (,).
#
# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
# version based on the Phase 1 identity. Without this flag, the EAP
# authenticator advertises the highest supported version and select the version
# based on the first PEAP packet from the supplicant.
#
# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
# Tunneled EAP methods are configured with standard EAP method name and [2]
# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
# hash.
# Phase 1 users
"user" MD5 "password"
"test user" MD5 "secret"
"example user" TLS
"DOMAIN\user" MSCHAPV2 "password"
"gtc user" GTC "password"
"pax user" PAX "unknown"
"pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
"psk user" PSK "unknown"
"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"ttls" TTLS
"not anonymous" PEAP
# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
"0"* AKA,TTLS,TLS,PEAP,SIM
"1"* SIM,TTLS,TLS,PEAP,AKA
"2"* AKA,TTLS,TLS,PEAP,SIM
"3"* SIM,TTLS,TLS,PEAP,AKA
"4"* AKA,TTLS,TLS,PEAP,SIM
"5"* SIM,TTLS,TLS,PEAP,AKA
"6"* AKA'
"7"* AKA'
"8"* AKA'
# Wildcard for all other identities
* PEAP,TTLS,TLS,SIM,AKA
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"t-md5" MD5 "password" [2]
"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
"t-gtc" GTC "password" [2]
"not anonymous" MSCHAPV2 "password" [2]
"user" MD5,GTC,MSCHAPV2 "password" [2]
"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
"ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
"0"* AKA [2]
"1"* SIM [2]
"2"* AKA [2]
"3"* SIM [2]
"4"* AKA [2]
"5"* SIM [2]
"6"* AKA' [2]
"7"* AKA' [2]
"8"* AKA' [2]
external/hostap/hostapd/hostapd.radius_clients
Vendored
+4
View File
@@ -0,0 +1,4 @@
# RADIUS client configuration for the RADIUS server
10.1.2.3 secret passphrase
192.168.1.0/24 another very secret passphrase
0.0.0.0/0 radius
external/hostap/hostapd/hostapd.sim_db
Vendored
+9
View File
@@ -0,0 +1,9 @@
# Example GSM authentication triplet file for EAP-SIM authenticator
# IMSI:Kc:SRES:RAND
# IMSI: ASCII string (numbers)
# Kc: hex, 8 octets
# SRES: hex, 4 octets
# RAND: hex, 16 octets
234567898765432:A0A1A2A3A4A5A6A7:D1D2D3D4:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
234567898765432:B0B1B2B3B4B5B6B7:E1E2E3E4:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
234567898765432:C0C1C2C3C4C5C6C7:F1F2F3F4:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
external/hostap/hostapd/hostapd.vlan
Vendored
+9
View File
@@ -0,0 +1,9 @@
# VLAN ID to network interface mapping
1 vlan1
2 vlan2
3 vlan3
100 guest
# Optional wildcard entry matching all VLAN IDs. The first # in the interface
# name will be replaced with the VLAN ID. The network interfaces are created
# (and removed) dynamically based on the use.
* vlan#
external/hostap/hostapd/hostapd.wpa_psk
Vendored
+9
View File
@@ -0,0 +1,9 @@
# List of WPA PSKs. Each line, except for empty lines and lines starting
# with #, must contain a MAC address and PSK separated with a space.
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use. PSK can be configured as an ASCII passphrase of 8..63
# characters or as a 256-bit hex PSK (64 hex digits).
00:00:00:00:00:00 secret passphrase
00:11:22:33:44:55 another passphrase
00:22:33:44:55:66 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
00:00:00:00:00:00 another passphrase for all STAs
external/hostap/hostapd/hostapd_cli.1
Vendored
+89
View File
@@ -0,0 +1,89 @@
.TH HOSTAPD_CLI 1 "April 7, 2005" hostapd_cli "hostapd command-line interface"
.SH NAME
hostapd_cli \- hostapd command-line interface
.SH SYNOPSIS
.B hostapd_cli
[\-p<path>] [\-i<ifname>] [\-a<path>] [\-hvB] [command..]
.SH DESCRIPTION
This manual page documents briefly the
.B hostapd_cli
utility.
.PP
.B hostapd_cli
is a command-line interface for the
.B hostapd
daemon.
.B hostapd
is a user space daemon for access point and authentication servers.
It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server.
For more information about
.B hostapd
refer to the
.BR hostapd (8)
man page.
.SH OPTIONS
A summary of options is included below.
For a complete description, run
.BR hostapd_cli
from the command line.
.TP
.B \-p<path>
Path to find control sockets.
Default: /var/run/hostapd
.TP
.B \-i<ifname>
Interface to listen on.
Default: first interface found in socket path.
.TP
.B \-a<path>
Run in daemon mode executing the action file based on events from hostapd.
.TP
.B \-B
Run a daemon in the background.
.TP
.B \-h
Show usage.
.TP
.B \-v
Show hostapd_cli version.
.SH COMMANDS
A summary of commands is included below.
For a complete description, run
.BR hostapd_cli
from the command line.
.TP
.B mib
Get MIB variables (dot1x, dot11, radius).
.TP
.B sta <addr>
Get MIB variables for one station.
.TP
.B all_sta
Get MIB variables for all stations.
.TP
.B help
Get usage help.
.TP
.B interface [ifname]
Show interfaces/select interface.
.TP
.B level <debug level>
Change debug level.
.TP
.B license
Show full
.B hostapd_cli
license.
.TP
.B quit
Exit hostapd_cli.
.SH SEE ALSO
.BR hostapd (8).
.SH AUTHOR
hostapd_cli was written by Jouni Malinen <j@w1.fi>.
.PP
This manual page was written by Faidon Liambotis <faidon@cube.gr>,
for the Debian project (but may be used by others).
external/hostap/hostapd/hostapd_cli.c
Vendored
+1248
View File
File diff suppressed because it is too large Load Diff
external/hostap/hostapd/hostapd_wps.c
Vendored
+82
View File
@@ -0,0 +1,82 @@
/*
* Copyright (c) 2009-2012 The Linux Foundation. All rights reserved
*
* Software was previously licensed under BSD license by Qualcomm Atheros, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
* Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
* Neither the name of The Linux Foundation nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO
* EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
* INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/types.h>
char **arg;
pid_t child_pid;
void start_hostapd(void)
{
child_pid = fork();
if ( child_pid == 0 ) {
//printf("Starting hostapd (%d)\n", getpid());
execv("./hostapd", arg);
_exit( 0 );
} else {
wait(NULL);
}
}
void kill_hostapd(void)
{
//printf("Kill hostapd (%d)\n", child_pid);
if(child_pid > 1) {
kill(child_pid, SIGTERM);
}
}
void sig_exit(int sig_num)
{
kill_hostapd();
_exit(0);
}
void sig_from_hostapd(int sig_num)
{
signal(SIGUSR1, sig_from_hostapd);
sleep(1);
kill_hostapd();
}
int main(int argc, char *argv[]) {
arg = argv;
signal(SIGTERM, sig_exit);
signal(SIGUSR1, sig_from_hostapd);
while(1) {
start_hostapd();
sleep(1);
}
return 0;
}
external/hostap/hostapd/logwatch/README
Vendored
+9
View File
@@ -0,0 +1,9 @@
Logwatch is a utility for analyzing system logs and provide a human
readable summary. This directory has a configuration file and a log
analyzer script for parsing hostapd system log entries for logwatch.
These files can be installed by copying them to following locations:
/etc/log.d/conf/services/hostapd.conf
/etc/log.d/scripts/services/hostapd
More information about logwatch is available from http://www.logwatch.org/
external/hostap/hostapd/logwatch/hostapd
Vendored Executable
+65
View File
@@ -0,0 +1,65 @@
#!/usr/bin/perl -w
#
# Logwatch script for hostapd
#
# Copyright 2005 Henrik Brix Andersen <brix@gentoo.org>
# Distributed under the terms of the GNU General Public License v2
# Alternatively, this file may be distributed under the terms of the BSD License
use strict;
my $debug = $ENV{'LOGWATCH_DEBUG'} || 0;
my $detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
my $debugcounter = 1;
my %hostapd;
my @unmatched;
if ($debug >= 5) {
print STDERR "\n\nDEBUG: Inside HOSTAPD Filter\n\n";
}
while (defined(my $line = <STDIN>)) {
if ($debug >= 5) {
print STDERR "DEBUG($debugcounter): $line";
$debugcounter++;
}
chomp($line);
if (my ($iface,$mac,$layer,$details) = ($line =~ /(.*?): STA (.*?) (.*?): (.*?)$/i)) {
unless ($detail == 10) {
# collapse association events
$details =~ s/^(associated) .*$/$1/i;
}
$hostapd{$iface}->{$mac}->{$layer}->{$details}++;
} else {
push @unmatched, "$line\n";
}
}
if (keys %hostapd) {
foreach my $iface (sort keys %hostapd) {
print "Interface $iface:\n";
foreach my $mac (sort keys %{$hostapd{$iface}}) {
print " Client MAC Address $mac:\n";
foreach my $layer (sort keys %{$hostapd{$iface}->{$mac}}) {
print " $layer:\n";
foreach my $details (sort keys %{$hostapd{$iface}->{$mac}->{$layer}}) {
print " $details";
my $count = $hostapd{$iface}->{$mac}->{$layer}->{$details};
if ($count > 1) {
print ": " . $count . " Times";
}
print "\n";
}
}
}
}
}
if ($#unmatched >= 0) {
print "\n**Unmatched Entries**\n";
print @unmatched;
}
exit(0);
external/hostap/hostapd/logwatch/hostapd.conf
Vendored
+10
View File
@@ -0,0 +1,10 @@
# Logwatch configuration for hostapd
#
# Copyright 2005 Henrik Brix Andersen <brix@gentoo.org>
# Distributed under the terms of the GNU General Public License v2
# Alternatively, this file may be distributed under the terms of the BSD License
Title = "hostapd"
LogFile = messages
*OnlyService = hostapd
*RemoveHeaders
external/hostap/hostapd/main.c
Vendored
+657
View File
@@ -0,0 +1,657 @@
/*
* hostapd / main()
* Copyright (c) 2002-2011, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "utils/includes.h"
#ifndef CONFIG_NATIVE_WINDOWS
#include <syslog.h>
#endif /* CONFIG_NATIVE_WINDOWS */
#include "utils/common.h"
#include "utils/eloop.h"
#include "crypto/random.h"
#include "crypto/tls.h"
#include "common/version.h"
#include "drivers/driver.h"
#include "eap_server/eap.h"
#include "eap_server/tncs.h"
#include "ap/hostapd.h"
#include "ap/ap_config.h"
#include "ap/ap_drv_ops.h"
#include "config_file.h"
#include "eap_register.h"
#include "dump_state.h"
#include "ctrl_iface.h"
extern int wpa_debug_level;
extern int wpa_debug_show_keys;
extern int wpa_debug_timestamp;
extern struct wpa_driver_ops *wpa_drivers[];
struct hapd_global {
void **drv_priv;
size_t drv_count;
};
static struct hapd_global global;
#ifndef CONFIG_NO_HOSTAPD_LOGGER
static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
int level, const char *txt, size_t len)
{
struct hostapd_data *hapd = ctx;
char *format, *module_str;
int maxlen;
int conf_syslog_level, conf_stdout_level;
unsigned int conf_syslog, conf_stdout;
maxlen = len + 100;
format = os_malloc(maxlen);
if (!format)
return;
if (hapd && hapd->conf) {
conf_syslog_level = hapd->conf->logger_syslog_level;
conf_stdout_level = hapd->conf->logger_stdout_level;
conf_syslog = hapd->conf->logger_syslog;
conf_stdout = hapd->conf->logger_stdout;
} else {
conf_syslog_level = conf_stdout_level = 0;
conf_syslog = conf_stdout = (unsigned int) -1;
}
switch (module) {
case HOSTAPD_MODULE_IEEE80211:
module_str = "IEEE 802.11";
break;
case HOSTAPD_MODULE_IEEE8021X:
module_str = "IEEE 802.1X";
break;
case HOSTAPD_MODULE_RADIUS:
module_str = "RADIUS";
break;
case HOSTAPD_MODULE_WPA:
module_str = "WPA";
break;
case HOSTAPD_MODULE_DRIVER:
module_str = "DRIVER";
break;
case HOSTAPD_MODULE_IAPP:
module_str = "IAPP";
break;
case HOSTAPD_MODULE_MLME:
module_str = "MLME";
break;
default:
module_str = NULL;
break;
}
if (hapd && hapd->conf && addr)
os_snprintf(format, maxlen, "%s: STA " MACSTR "%s%s: %s",
hapd->conf->iface, MAC2STR(addr),
module_str ? " " : "", module_str, txt);
else if (hapd && hapd->conf)
os_snprintf(format, maxlen, "%s:%s%s %s",
hapd->conf->iface, module_str ? " " : "",
module_str, txt);
else if (addr)
os_snprintf(format, maxlen, "STA " MACSTR "%s%s: %s",
MAC2STR(addr), module_str ? " " : "",
module_str, txt);
else
os_snprintf(format, maxlen, "%s%s%s",
module_str, module_str ? ": " : "", txt);
if ((conf_stdout & module) && level >= conf_stdout_level) {
wpa_debug_print_timestamp();
printf("%s\n", format);
}
#ifndef CONFIG_NATIVE_WINDOWS
if ((conf_syslog & module) && level >= conf_syslog_level) {
int priority;
switch (level) {
case HOSTAPD_LEVEL_DEBUG_VERBOSE:
case HOSTAPD_LEVEL_DEBUG:
priority = LOG_DEBUG;
break;
case HOSTAPD_LEVEL_INFO:
priority = LOG_INFO;
break;
case HOSTAPD_LEVEL_NOTICE:
priority = LOG_NOTICE;
break;
case HOSTAPD_LEVEL_WARNING:
priority = LOG_WARNING;
break;
default:
priority = LOG_INFO;
break;
}
syslog(priority, "%s", format);
}
#endif /* CONFIG_NATIVE_WINDOWS */
os_free(format);
}
#endif /* CONFIG_NO_HOSTAPD_LOGGER */
/**
* hostapd_init - Allocate and initialize per-interface data
* @config_file: Path to the configuration file
* Returns: Pointer to the allocated interface data or %NULL on failure
*
* This function is used to allocate main data structures for per-interface
* data. The allocated data buffer will be freed by calling
* hostapd_cleanup_iface().
*/
static struct hostapd_iface * hostapd_init(const char *config_file)
{
struct hostapd_iface *hapd_iface = NULL;
struct hostapd_config *conf = NULL;
struct hostapd_data *hapd;
size_t i;
hapd_iface = os_zalloc(sizeof(*hapd_iface));
if (hapd_iface == NULL)
goto fail;
hapd_iface->config_fname = os_strdup(config_file);
if (hapd_iface->config_fname == NULL)
goto fail;
conf = hostapd_config_read(hapd_iface->config_fname);
if (conf == NULL)
goto fail;
hapd_iface->conf = conf;
hapd_iface->num_bss = conf->num_bss;
hapd_iface->bss = os_calloc(conf->num_bss,
sizeof(struct hostapd_data *));
if (hapd_iface->bss == NULL)
goto fail;
for (i = 0; i < conf->num_bss; i++) {
hapd = hapd_iface->bss[i] =
hostapd_alloc_bss_data(hapd_iface, conf,
&conf->bss[i]);
if (hapd == NULL)
goto fail;
hapd->msg_ctx = hapd;
}
return hapd_iface;
fail:
if (conf)
hostapd_config_free(conf);
if (hapd_iface) {
os_free(hapd_iface->config_fname);
os_free(hapd_iface->bss);
os_free(hapd_iface);
}
return NULL;
}
static int hostapd_driver_init(struct hostapd_iface *iface)
{
struct wpa_init_params params;
size_t i;
struct hostapd_data *hapd = iface->bss[0];
struct hostapd_bss_config *conf = hapd->conf;
u8 *b = conf->bssid;
struct wpa_driver_capa capa;
if (hapd->driver == NULL || hapd->driver->hapd_init == NULL) {
wpa_printf(MSG_ERROR, "No hostapd driver wrapper available");
return -1;
}
/* Initialize the driver interface */
if (!(b[0] | b[1] | b[2] | b[3] | b[4] | b[5]))
b = NULL;
os_memset(&params, 0, sizeof(params));
for (i = 0; wpa_drivers[i]; i++) {
if (wpa_drivers[i] != hapd->driver)
continue;
if (global.drv_priv[i] == NULL &&
wpa_drivers[i]->global_init) {
global.drv_priv[i] = wpa_drivers[i]->global_init();
if (global.drv_priv[i] == NULL) {
wpa_printf(MSG_ERROR, "Failed to initialize "
"driver '%s'",
wpa_drivers[i]->name);
return -1;
}
}
params.global_priv = global.drv_priv[i];
break;
}
params.bssid = b;
params.ifname = hapd->conf->iface;
params.ssid = hapd->conf->ssid.ssid;
params.ssid_len = hapd->conf->ssid.ssid_len;
params.test_socket = hapd->conf->test_socket;
params.use_pae_group_addr = hapd->conf->use_pae_group_addr;
params.num_bridge = hapd->iface->num_bss;
params.bridge = os_calloc(hapd->iface->num_bss, sizeof(char *));
if (params.bridge == NULL)
return -1;
for (i = 0; i < hapd->iface->num_bss; i++) {
struct hostapd_data *bss = hapd->iface->bss[i];
if (bss->conf->bridge[0])
params.bridge[i] = bss->conf->bridge;
}
params.own_addr = hapd->own_addr;
hapd->drv_priv = hapd->driver->hapd_init(hapd, &params);
os_free(params.bridge);
if (hapd->drv_priv == NULL) {
wpa_printf(MSG_ERROR, "%s driver initialization failed.",
hapd->driver->name);
hapd->driver = NULL;
return -1;
}
if (hapd->driver->get_capa &&
hapd->driver->get_capa(hapd->drv_priv, &capa) == 0) {
iface->drv_flags = capa.flags;
iface->probe_resp_offloads = capa.probe_resp_offloads;
}
return 0;
}
static struct hostapd_iface *
hostapd_interface_init(struct hapd_interfaces *interfaces,
const char *config_fname, int debug)
{
struct hostapd_iface *iface;
int k;
wpa_printf(MSG_ERROR, "Configuration file: %s", config_fname);
iface = hostapd_init(config_fname);
if (!iface)
return NULL;
iface->interfaces = interfaces;
for (k = 0; k < debug; k++) {
if (iface->bss[0]->conf->logger_stdout_level > 0)
iface->bss[0]->conf->logger_stdout_level--;
}
if (iface->conf->bss[0].iface[0] != 0 ||
hostapd_drv_none(iface->bss[0])) {
if (hostapd_driver_init(iface) ||
hostapd_setup_interface(iface)) {
hostapd_interface_deinit_free(iface);
return NULL;
}
}
return iface;
}
/**
* handle_term - SIGINT and SIGTERM handler to terminate hostapd process
*/
static void handle_term(int sig, void *signal_ctx)
{
wpa_printf(MSG_DEBUG, "Signal %d received - terminating", sig);
eloop_terminate();
}
#ifndef CONFIG_NATIVE_WINDOWS
static int handle_reload_iface(struct hostapd_iface *iface, void *ctx)
{
if (hostapd_reload_config(iface) < 0) {
wpa_printf(MSG_WARNING, "Failed to read new configuration "
"file - continuing with old.");
}
return 0;
}
/**
* handle_reload - SIGHUP handler to reload configuration
*/
static void handle_reload(int sig, void *signal_ctx)
{
struct hapd_interfaces *interfaces = signal_ctx;
wpa_printf(MSG_DEBUG, "Signal %d received - reloading configuration",
sig);
hostapd_for_each_interface(interfaces, handle_reload_iface, NULL);
}
static void handle_dump_state(int sig, void *signal_ctx)
{
#ifdef HOSTAPD_DUMP_STATE
struct hapd_interfaces *interfaces = signal_ctx;
hostapd_for_each_interface(interfaces, handle_dump_state_iface, NULL);
#endif /* HOSTAPD_DUMP_STATE */
}
#endif /* CONFIG_NATIVE_WINDOWS */
static int hostapd_global_init(struct hapd_interfaces *interfaces,
const char *entropy_file)
{
int i;
os_memset(&global, 0, sizeof(global));
hostapd_logger_register_cb(hostapd_logger_cb);
if (eap_server_register_methods()) {
wpa_printf(MSG_ERROR, "Failed to register EAP methods");
return -1;
}
if (eloop_init()) {
wpa_printf(MSG_ERROR, "Failed to initialize event loop");
return -1;
}
random_init(entropy_file);
#ifndef CONFIG_NATIVE_WINDOWS
eloop_register_signal(SIGHUP, handle_reload, interfaces);
eloop_register_signal(SIGUSR1, handle_dump_state, interfaces);
#endif /* CONFIG_NATIVE_WINDOWS */
eloop_register_signal_terminate(handle_term, interfaces);
#ifndef CONFIG_NATIVE_WINDOWS
openlog("hostapd", 0, LOG_DAEMON);
#endif /* CONFIG_NATIVE_WINDOWS */
for (i = 0; wpa_drivers[i]; i++)
global.drv_count++;
if (global.drv_count == 0) {
wpa_printf(MSG_ERROR, "No drivers enabled");
return -1;
}
global.drv_priv = os_calloc(global.drv_count, sizeof(void *));
if (global.drv_priv == NULL)
return -1;
return 0;
}
static void hostapd_global_deinit(const char *pid_file)
{
int i;
for (i = 0; wpa_drivers[i] && global.drv_priv; i++) {
if (!global.drv_priv[i])
continue;
wpa_drivers[i]->global_deinit(global.drv_priv[i]);
}
os_free(global.drv_priv);
global.drv_priv = NULL;
#ifdef EAP_SERVER_TNC
tncs_global_deinit();
#endif /* EAP_SERVER_TNC */
random_deinit();
eloop_destroy();
#ifndef CONFIG_NATIVE_WINDOWS
closelog();
#endif /* CONFIG_NATIVE_WINDOWS */
eap_server_unregister_methods();
os_daemonize_terminate(pid_file);
}
static int hostapd_global_run(struct hapd_interfaces *ifaces, int daemonize,
const char *pid_file)
{
#ifdef EAP_SERVER_TNC
int tnc = 0;
size_t i, k;
for (i = 0; !tnc && i < ifaces->count; i++) {
for (k = 0; k < ifaces->iface[i]->num_bss; k++) {
if (ifaces->iface[i]->bss[0]->conf->tnc) {
tnc++;
break;
}
}
}
if (tnc && tncs_global_init() < 0) {
wpa_printf(MSG_ERROR, "Failed to initialize TNCS");
return -1;
}
#endif /* EAP_SERVER_TNC */
if (daemonize && os_daemonize(pid_file)) {
perror("daemon");
return -1;
}
eloop_run();
return 0;
}
static void show_version(void)
{
fprintf(stderr,
"hostapd v" VERSION_STR "\n"
"User space daemon for IEEE 802.11 AP management,\n"
"IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator\n"
"Copyright (c) 2002-2012, Jouni Malinen <j@w1.fi> "
"and contributors\n");
}
static void usage(void)
{
show_version();
fprintf(stderr,
"\n"
"usage: hostapd [-hdBKtv] [-P <PID file>] [-e <entropy file>] "
"\\\n"
" [-g <global ctrl_iface>] <configuration file(s)>\n"
"\n"
"options:\n"
" -h show this usage\n"
" -d show more debug messages (-dd for even more)\n"
" -B run daemon in the background\n"
" -e entropy file\n"
" -g global control interface path\n"
" -P PID file\n"
" -K include key data in debug messages\n"
#ifdef CONFIG_DEBUG_FILE
" -f log output to debug file instead of stdout\n"
#endif /* CONFIG_DEBUG_FILE */
" -t include timestamps in some debug messages\n"
" -v show hostapd version\n");
exit(1);
}
static const char * hostapd_msg_ifname_cb(void *ctx)
{
struct hostapd_data *hapd = ctx;
if (hapd && hapd->iconf && hapd->iconf->bss)
return hapd->iconf->bss->iface;
return NULL;
}
static int hostapd_get_global_ctrl_iface(struct hapd_interfaces *interfaces,
const char *path)
{
char *pos;
os_free(interfaces->global_iface_path);
interfaces->global_iface_path = os_strdup(path);
if (interfaces->global_iface_path == NULL)
return -1;
pos = os_strrchr(interfaces->global_iface_path, '/');
if (pos == NULL) {
os_free(interfaces->global_iface_path);
interfaces->global_iface_path = NULL;
return -1;
}
*pos = '\0';
interfaces->global_iface_name = pos + 1;
return 0;
}
int main(int argc, char *argv[])
{
struct hapd_interfaces interfaces;
int ret = 1;
size_t i;
int c, debug = 0, daemonize = 0;
char *pid_file = NULL;
const char *log_file = NULL;
const char *entropy_file = NULL;
if (os_program_init())
return -1;
os_memset(&interfaces, 0, sizeof(interfaces));
interfaces.reload_config = hostapd_reload_config;
interfaces.config_read_cb = hostapd_config_read;
interfaces.for_each_interface = hostapd_for_each_interface;
interfaces.ctrl_iface_init = hostapd_ctrl_iface_init;
interfaces.ctrl_iface_deinit = hostapd_ctrl_iface_deinit;
interfaces.driver_init = hostapd_driver_init;
interfaces.global_iface_path = NULL;
interfaces.global_iface_name = NULL;
interfaces.global_ctrl_sock = -1;
for (;;) {
c = getopt(argc, argv, "Bde:f:hKP:tvg:");
if (c < 0)
break;
switch (c) {
case 'h':
usage();
break;
case 'd':
debug++;
if (wpa_debug_level > 0)
wpa_debug_level--;
break;
case 'B':
daemonize++;
break;
case 'e':
entropy_file = optarg;
break;
case 'f':
log_file = optarg;
break;
case 'K':
wpa_debug_show_keys++;
break;
case 'P':
os_free(pid_file);
pid_file = os_rel2abs_path(optarg);
break;
case 't':
wpa_debug_timestamp++;
break;
case 'v':
show_version();
exit(1);
break;
case 'g':
hostapd_get_global_ctrl_iface(&interfaces, optarg);
break;
default:
usage();
break;
}
}
if (optind == argc && interfaces.global_iface_path == NULL)
usage();
wpa_msg_register_ifname_cb(hostapd_msg_ifname_cb);
if (log_file)
wpa_debug_open_file(log_file);
interfaces.count = argc - optind;
if (interfaces.count) {
interfaces.iface = os_calloc(interfaces.count,
sizeof(struct hostapd_iface *));
if (interfaces.iface == NULL) {
wpa_printf(MSG_ERROR, "malloc failed");
return -1;
}
}
if (hostapd_global_init(&interfaces, entropy_file))
return -1;
/* Initialize interfaces */
for (i = 0; i < interfaces.count; i++) {
interfaces.iface[i] = hostapd_interface_init(&interfaces,
argv[optind + i],
debug);
if (!interfaces.iface[i])
goto out;
}
hostapd_global_ctrl_iface_init(&interfaces);
if (hostapd_global_run(&interfaces, daemonize, pid_file))
goto out;
ret = 0;
out:
hostapd_global_ctrl_iface_deinit(&interfaces);
/* Deinitialize all interfaces */
for (i = 0; i < interfaces.count; i++)
hostapd_interface_deinit_free(interfaces.iface[i]);
os_free(interfaces.iface);
hostapd_global_deinit(pid_file);
os_free(pid_file);
if (log_file)
wpa_debug_close_file();
os_program_deinit();
return ret;
}
external/hostap/hostapd/nt_password_hash.c
Vendored
+47
View File
@@ -0,0 +1,47 @@
/*
* hostapd - Plaintext password to NtPasswordHash
* Copyright (c) 2005, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include "includes.h"
#include "common.h"
#include "crypto/ms_funcs.h"
int main(int argc, char *argv[])
{
unsigned char password_hash[16];
size_t i;
char *password, buf[64], *pos;
if (argc > 1)
password = argv[1];
else {
if (fgets(buf, sizeof(buf), stdin) == NULL) {
printf("Failed to read password\n");
return 1;
}
buf[sizeof(buf) - 1] = '\0';
pos = buf;
while (*pos != '\0') {
if (*pos == '\r' || *pos == '\n') {
*pos = '\0';
break;
}
pos++;
}
password = buf;
}
if (nt_password_hash((u8 *) password, strlen(password), password_hash))
return -1;
for (i = 0; i < sizeof(password_hash); i++)
printf("%02x", password_hash[i]);
printf("\n");
return 0;
}
external/hostap/hostapd/wired.conf
Vendored
+40
View File
@@ -0,0 +1,40 @@
##### hostapd configuration file ##############################################
# Empty lines and lines starting with # are ignored
# Example configuration file for wired authenticator. See hostapd.conf for
# more details.
interface=eth0
driver=wired
logger_stdout=-1
logger_stdout_level=1
debug=2
dump_file=/tmp/hostapd.dump
ieee8021x=1
eap_reauth_period=3600
use_pae_group_addr=1
##### RADIUS configuration ####################################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting
# The own IP address of the access point (used as NAS-IP-Address)
own_ip_addr=127.0.0.1
# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# a unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
nas_identifier=ap.example.com
# RADIUS authentication server
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=radius
# RADIUS accounting server
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=radius
external/hostap/mac80211_hwsim/tests/0001-wpa2-psk/hostapd.conf
Vendored
+11
View File
@@ -0,0 +1,11 @@
interface=wlan0
driver=nl80211
hw_mode=g
channel=1
ssid=mac80211 test
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=12345678
external/hostap/mac80211_hwsim/tests/0001-wpa2-psk/test.txt
Vendored
+7
View File
@@ -0,0 +1,7 @@
# WPA2-Personal (PSK) with CCMP, AP and single client
modprobe mac80211_hwsim
hostapd hostapd.conf
wpa_supplicant -Dwext -iwlan1 -c wpa_supplicant.conf
external/hostap/mac80211_hwsim/tests/0001-wpa2-psk/wpa_supplicant.conf
Vendored
+10
View File
@@ -0,0 +1,10 @@
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="mac80211 test"
psk="12345678"
key_mgmt=WPA-PSK
proto=WPA2
pairwise=CCMP
group=CCMP
}
external/hostap/mac80211_hwsim/tests/0002-vlan/hostapd.accept
Vendored
+2
View File
@@ -0,0 +1,2 @@
02:00:00:00:01:00 1
02:00:00:00:02:00 2
external/hostap/mac80211_hwsim/tests/0002-vlan/hostapd.conf
Vendored
+12
View File
@@ -0,0 +1,12 @@
interface=wlan0
driver=nl80211
hw_mode=g
channel=1
ssid=mac80211 test
dynamic_vlan=2
vlan_file=hostapd.vlan
macaddr_acl=0
accept_mac_file=hostapd.accept
external/hostap/mac80211_hwsim/tests/0002-vlan/hostapd.vlan
Vendored
+1
View File
@@ -0,0 +1 @@
* vlan#
external/hostap/mac80211_hwsim/tests/0002-vlan/test.txt
Vendored
+15
View File
@@ -0,0 +1,15 @@
# Plaintext connection, two clients, different VLANs
modprobe mac80211_hwsim radios=3
hostapd hostapd.conf
ifconfig wlan1 up
iwconfig wlan1 essid "mac80211 test"
ifconfig wlan2 up
iwconfig wlan2 essid "mac80211 test"
# Expected results:
# STA1(wlan1) is bound to vlan1
# STA2(wlan2) is bound to vlan2
external/hostap/mac80211_hwsim/tools/Makefile
Vendored
+11
View File
@@ -0,0 +1,11 @@
all: hwsim_test
ifndef CC
CC=gcc
endif
ifndef CFLAGS
CFLAGS = -O2 -Wall -g
endif
hwsim_test: hwsim_test.o
external/hostap/mac80211_hwsim/tools/hwsim_test.c
Vendored
+238
View File
@@ -0,0 +1,238 @@
/*
* hwsim_test - Data connectivity test for mac80211_hwsim
* Copyright (c) 2009, Atheros Communications
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*/
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
#include <net/if.h>
#include <arpa/inet.h>
#define MAC2STR(a) (a)[0], (a)[1], (a)[2], (a)[3], (a)[4], (a)[5]
#define MACSTR "%02x:%02x:%02x:%02x:%02x:%02x"
#define HWSIM_ETHERTYPE ETHERTYPE_IP
#define HWSIM_PACKETLEN 1500
static unsigned char addr1[ETH_ALEN], addr2[ETH_ALEN], bcast[ETH_ALEN];
static void tx(int s, const char *ifname, int ifindex,
const unsigned char *src, const unsigned char *dst)
{
char buf[HWSIM_PACKETLEN], *pos;
struct ether_header *eth;
int i;
printf("TX: %s(ifindex=%d) " MACSTR " -> " MACSTR "\n",
ifname, ifindex, MAC2STR(src), MAC2STR(dst));
eth = (struct ether_header *) buf;
memcpy(eth->ether_dhost, dst, ETH_ALEN);
memcpy(eth->ether_shost, src, ETH_ALEN);
eth->ether_type = htons(HWSIM_ETHERTYPE);
pos = (char *) (eth + 1);
for (i = 0; i < sizeof(buf) - sizeof(*eth); i++)
*pos++ = i;
if (send(s, buf, sizeof(buf), 0) < 0)
perror("send");
}
struct rx_result {
int rx_unicast1:1;
int rx_broadcast1:1;
int rx_unicast2:1;
int rx_broadcast2:1;
};
static void rx(int s, int iface, const char *ifname, int ifindex,
struct rx_result *res)
{
char buf[HWSIM_PACKETLEN + 1], *pos;
struct ether_header *eth;
int len, i;
len = recv(s, buf, sizeof(buf), 0);
if (len < 0) {
perror("recv");
return;
}
eth = (struct ether_header *) buf;
printf("RX: %s(ifindex=%d) " MACSTR " -> " MACSTR " (len=%d)\n",
ifname, ifindex,
MAC2STR(eth->ether_shost), MAC2STR(eth->ether_dhost), len);
if (len != HWSIM_PACKETLEN) {
printf("Ignore frame with unexpected RX length\n");
return;
}
pos = (char *) (eth + 1);
for (i = 0; i < sizeof(buf) - 1 - sizeof(*eth); i++) {
if ((unsigned char) *pos != (unsigned char) i) {
printf("Ignore frame with unexpected contents\n");
printf("i=%d received=0x%x expected=0x%x\n",
i, (unsigned char) *pos, (unsigned char) i);
return;
}
pos++;
}
if (iface == 1 &&
memcmp(eth->ether_dhost, addr1, ETH_ALEN) == 0 &&
memcmp(eth->ether_shost, addr2, ETH_ALEN) == 0)
res->rx_unicast1 = 1;
else if (iface == 1 &&
memcmp(eth->ether_dhost, bcast, ETH_ALEN) == 0 &&
memcmp(eth->ether_shost, addr2, ETH_ALEN) == 0)
res->rx_broadcast1 = 1;
else if (iface == 2 &&
memcmp(eth->ether_dhost, addr2, ETH_ALEN) == 0 &&
memcmp(eth->ether_shost, addr1, ETH_ALEN) == 0)
res->rx_unicast2 = 1;
else if (iface == 2 &&
memcmp(eth->ether_dhost, bcast, ETH_ALEN) == 0 &&
memcmp(eth->ether_shost, addr1, ETH_ALEN) == 0)
res->rx_broadcast2 = 1;
}
int main(int argc, char *argv[])
{
int s1 = -1, s2 = -1, ret = -1;
struct ifreq ifr;
int ifindex1, ifindex2;
struct sockaddr_ll ll;
fd_set rfds;
struct timeval tv;
struct rx_result res;
if (argc != 3) {
fprintf(stderr, "usage: hwsim_test <ifname1> <ifname2>\n");
return -1;
}
memset(bcast, 0xff, ETH_ALEN);
s1 = socket(PF_PACKET, SOCK_RAW, htons(HWSIM_ETHERTYPE));
if (s1 < 0) {
perror("socket");
goto fail;
}
s2 = socket(PF_PACKET, SOCK_RAW, htons(HWSIM_ETHERTYPE));
if (s2 < 0) {
perror("socket");
goto fail;
}
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, argv[1], sizeof(ifr.ifr_name));
if (ioctl(s1, SIOCGIFINDEX, &ifr) < 0) {
perror("ioctl[SIOCGIFINDEX]");
goto fail;
}
ifindex1 = ifr.ifr_ifindex;
if (ioctl(s1, SIOCGIFHWADDR, &ifr) < 0) {
perror("ioctl[SIOCGIFHWADDR]");
goto fail;
}
memcpy(addr1, ifr.ifr_hwaddr.sa_data, ETH_ALEN);
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, argv[2], sizeof(ifr.ifr_name));
if (ioctl(s2, SIOCGIFINDEX, &ifr) < 0) {
perror("ioctl[SIOCGIFINDEX]");
goto fail;
}
ifindex2 = ifr.ifr_ifindex;
if (ioctl(s2, SIOCGIFHWADDR, &ifr) < 0) {
perror("ioctl[SIOCGIFHWADDR]");
goto fail;
}
memcpy(addr2, ifr.ifr_hwaddr.sa_data, ETH_ALEN);
memset(&ll, 0, sizeof(ll));
ll.sll_family = PF_PACKET;
ll.sll_ifindex = ifindex1;
ll.sll_protocol = htons(HWSIM_ETHERTYPE);
if (bind(s1, (struct sockaddr *) &ll, sizeof(ll)) < 0) {
perror("bind");
goto fail;
}
memset(&ll, 0, sizeof(ll));
ll.sll_family = PF_PACKET;
ll.sll_ifindex = ifindex2;
ll.sll_protocol = htons(HWSIM_ETHERTYPE);
if (bind(s2, (struct sockaddr *) &ll, sizeof(ll)) < 0) {
perror("bind");
goto fail;
}
tx(s1, argv[1], ifindex1, addr1, addr2);
tx(s1, argv[1], ifindex1, addr1, bcast);
tx(s2, argv[2], ifindex2, addr2, addr1);
tx(s2, argv[2], ifindex2, addr2, bcast);
tv.tv_sec = 1;
tv.tv_usec = 0;
memset(&res, 0, sizeof(res));
for (;;) {
int r;
FD_ZERO(&rfds);
FD_SET(s1, &rfds);
FD_SET(s2, &rfds);
r = select(s2 + 1, &rfds, NULL, NULL, &tv);
if (r < 0) {
perror("select");
goto fail;
}
if (r == 0)
break; /* timeout */
if (FD_ISSET(s1, &rfds))
rx(s1, 1, argv[1], ifindex1, &res);
if (FD_ISSET(s2, &rfds))
rx(s2, 2, argv[2], ifindex2, &res);
if (res.rx_unicast1 && res.rx_broadcast1 &&
res.rx_unicast2 && res.rx_broadcast2) {
ret = 0;
break;
}
}
if (ret) {
printf("Did not receive all expected frames:\n"
"rx_unicast1=%d rx_broadcast1=%d "
"rx_unicast2=%d rx_broadcast2=%d\n",
res.rx_unicast1, res.rx_broadcast1,
res.rx_unicast2, res.rx_broadcast2);
} else {
printf("Both unicast and broadcast working in both "
"directions\n");
}
fail:
close(s1);
close(s2);
return ret;
}
external/hostap/patches/openssl-0.9.8-tls-extensions.patch
Vendored
+429
View File
@@ -0,0 +1,429 @@
This patch is adding support for TLS hello extensions and externally
generated pre-shared key material to OpenSSL 0.9.8. This is
based on the patch from Alexey Kobozev <akobozev@cisco.com>
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).
diff -uprN openssl-0.9.8.orig/include/openssl/ssl.h openssl-0.9.8/include/openssl/ssl.h
--- openssl-0.9.8.orig/include/openssl/ssl.h 2005-06-10 12:51:16.000000000 -0700
+++ openssl-0.9.8/include/openssl/ssl.h 2005-07-19 20:02:15.000000000 -0700
@@ -340,6 +340,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_extension_st TLS_EXTENSION;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -361,6 +362,8 @@ DECLARE_STACK_OF(SSL_CIPHER)
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -968,6 +971,15 @@ struct ssl_st
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
+
+ /* TLS externsions */
+ TLS_EXTENSION *tls_extension;
+ int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg);
+ void *tls_extension_cb_arg;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
};
#ifdef __cplusplus
@@ -1533,6 +1545,13 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1714,6 +1733,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
diff -uprN openssl-0.9.8.orig/include/openssl/tls1.h openssl-0.9.8/include/openssl/tls1.h
--- openssl-0.9.8.orig/include/openssl/tls1.h 2003-07-22 05:34:21.000000000 -0700
+++ openssl-0.9.8/include/openssl/tls1.h 2005-07-19 20:02:15.000000000 -0700
@@ -282,6 +282,14 @@ extern "C" {
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS extension struct */
+struct tls_extension_st
+{
+ unsigned short type;
+ unsigned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -uprN openssl-0.9.8.orig/ssl/Makefile openssl-0.9.8/ssl/Makefile
--- openssl-0.9.8.orig/ssl/Makefile 2005-05-30 16:20:30.000000000 -0700
+++ openssl-0.9.8/ssl/Makefile 2005-07-19 20:02:15.000000000 -0700
@@ -24,7 +24,7 @@ LIBSRC= \
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
- t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
+ t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c t1_ext.c \
d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
d1_both.c d1_enc.c \
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
@@ -35,7 +35,7 @@ LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
- t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
+ t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o t1_ext.o \
d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \
d1_both.o d1_enc.o \
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
@@ -968,3 +968,4 @@ t1_srvr.o: ../include/openssl/ssl23.h ..
t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.c
+t1_ext.o: t1_ext.c ssl_locl.h
diff -uprN openssl-0.9.8.orig/ssl/s3_clnt.c openssl-0.9.8/ssl/s3_clnt.c
--- openssl-0.9.8.orig/ssl/s3_clnt.c 2005-05-16 03:11:03.000000000 -0700
+++ openssl-0.9.8/ssl/s3_clnt.c 2005-07-19 20:02:15.000000000 -0700
@@ -606,6 +606,20 @@ int ssl3_client_hello(SSL *s)
}
*(p++)=0; /* Add the NULL method */
+ /* send client hello extensions if any */
+ if (s->version >= TLS1_VERSION && s->tls_extension)
+ {
+ // set the total extensions length
+ s2n(s->tls_extension->length + 4, p);
+
+ // put the extensions with type and length
+ s2n(s->tls_extension->type, p);
+ s2n(s->tls_extension->length, p);
+
+ memcpy(p, s->tls_extension->data, s->tls_extension->length);
+ p+=s->tls_extension->length;
+ }
+
l=(p-d);
d=buf;
*(d++)=SSL3_MT_CLIENT_HELLO;
@@ -628,7 +642,7 @@ int ssl3_get_server_hello(SSL *s)
STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
unsigned char *p,*d;
- int i,al,ok;
+ int i,al,ok,pre_shared;
unsigned int j;
long n;
SSL_COMP *comp;
@@ -693,7 +707,24 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
- if (j != 0 && j == s->session->session_id_length
+ /* check if we want to resume the session based on external pre-shared secret */
+ pre_shared = 0;
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j);
+ s->session->session_id_length = j;
+ memcpy(s->session->session_id, p, j);
+ pre_shared = 1;
+ }
+ }
+
+ if ((pre_shared || j != 0) && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
if(s->sid_ctx_length != s->session->sid_ctx_length
diff -uprN openssl-0.9.8.orig/ssl/s3_srvr.c openssl-0.9.8/ssl/s3_srvr.c
--- openssl-0.9.8.orig/ssl/s3_srvr.c 2005-05-22 17:32:55.000000000 -0700
+++ openssl-0.9.8/ssl/s3_srvr.c 2005-07-19 20:02:15.000000000 -0700
@@ -955,6 +955,75 @@ int ssl3_get_client_hello(SSL *s)
}
#endif
+ /* Check for TLS client hello extension here */
+ if (p < (d+n) && s->version >= TLS1_VERSION)
+ {
+ if (s->tls_extension_cb)
+ {
+ TLS_EXTENSION tls_ext;
+ unsigned short ext_total_len;
+
+ n2s(p, ext_total_len);
+ n2s(p, tls_ext.type);
+ n2s(p, tls_ext.length);
+
+ // sanity check in TLS extension len
+ if (tls_ext.length > (d+n) - p)
+ {
+ // just cut the lenth to packet border
+ tls_ext.length = (d+n) - p;
+ }
+
+ tls_ext.data = p;
+
+ // returns an alert code or 0
+ al = s->tls_extension_cb(s, &tls_ext, s->tls_extension_cb_arg);
+ if (al != 0)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
+ goto f_err;
+ }
+ }
+ }
+
+ /* Check if we want to use external pre-shared secret for this handshake */
+ /* for not reused session only */
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->ciphers=ciphers;
+ s->session->verify_result=X509_V_OK;
+
+ ciphers=NULL;
+
+ /* check if some cipher was preferred by call back */
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ if (pref_cipher == NULL)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
+ goto f_err;
+ }
+
+ s->session->cipher=pref_cipher;
+
+ if (s->cipher_list)
+ sk_SSL_CIPHER_free(s->cipher_list);
+
+ if (s->cipher_list_by_id)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+ }
+ }
+
/* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
diff -uprN openssl-0.9.8.orig/ssl/ssl_err.c openssl-0.9.8/ssl/ssl_err.c
--- openssl-0.9.8.orig/ssl/ssl_err.c 2005-06-10 12:51:16.000000000 -0700
+++ openssl-0.9.8/ssl/ssl_err.c 2005-07-19 20:02:15.000000000 -0700
@@ -242,6 +242,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_SET_HELLO_EXTENSION), "SSL_set_hello_extension"},
{0,NULL}
};
diff -uprN openssl-0.9.8.orig/ssl/ssl.h openssl-0.9.8/ssl/ssl.h
--- openssl-0.9.8.orig/ssl/ssl.h 2005-06-10 12:51:16.000000000 -0700
+++ openssl-0.9.8/ssl/ssl.h 2005-07-19 20:02:15.000000000 -0700
@@ -340,6 +340,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_extension_st TLS_EXTENSION;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -361,6 +362,8 @@ DECLARE_STACK_OF(SSL_CIPHER)
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -968,6 +971,15 @@ struct ssl_st
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
+
+ /* TLS externsions */
+ TLS_EXTENSION *tls_extension;
+ int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg);
+ void *tls_extension_cb_arg;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
};
#ifdef __cplusplus
@@ -1533,6 +1545,13 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1714,6 +1733,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
diff -uprN openssl-0.9.8.orig/ssl/ssl_sess.c openssl-0.9.8/ssl/ssl_sess.c
--- openssl-0.9.8.orig/ssl/ssl_sess.c 2005-04-29 13:10:06.000000000 -0700
+++ openssl-0.9.8/ssl/ssl_sess.c 2005-07-19 20:02:15.000000000 -0700
@@ -656,6 +656,15 @@ long SSL_CTX_get_timeout(const SSL_CTX *
return(s->session_timeout);
}
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+{
+ if (s == NULL) return(0);
+ s->tls_session_secret_cb = tls_session_secret_cb;
+ s->tls_session_secret_cb_arg = arg;
+ return(1);
+}
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
diff -uprN openssl-0.9.8.orig/ssl/t1_ext.c openssl-0.9.8/ssl/t1_ext.c
--- openssl-0.9.8.orig/ssl/t1_ext.c 1969-12-31 16:00:00.000000000 -0800
+++ openssl-0.9.8/ssl/t1_ext.c 2005-07-19 20:03:29.000000000 -0700
@@ -0,0 +1,48 @@
+
+#include <stdio.h>
+#include "ssl_locl.h"
+
+
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ s->tls_extension = NULL;
+ }
+
+ if(ext_data)
+ {
+ s->tls_extension = OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len);
+ if(!s->tls_extension)
+ {
+ SSLerr(SSL_F_SSL_SET_HELLO_EXTENSION, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ s->tls_extension->type = ext_type;
+ s->tls_extension->length = ext_len;
+ s->tls_extension->data = s->tls_extension + 1;
+ memcpy(s->tls_extension->data, ext_data, ext_len);
+ }
+
+ return 1;
+ }
+
+ return 0;
+}
+
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ s->tls_extension_cb = cb;
+ s->tls_extension_cb_arg = arg;
+
+ return 1;
+ }
+
+ return 0;
+}
diff -uprN openssl-0.9.8.orig/ssl/t1_lib.c openssl-0.9.8/ssl/t1_lib.c
--- openssl-0.9.8.orig/ssl/t1_lib.c 2005-04-26 09:02:40.000000000 -0700
+++ openssl-0.9.8/ssl/t1_lib.c 2005-07-19 20:02:15.000000000 -0700
@@ -131,6 +131,10 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ }
ssl3_free(s);
}
diff -uprN openssl-0.9.8.orig/ssl/tls1.h openssl-0.9.8/ssl/tls1.h
--- openssl-0.9.8.orig/ssl/tls1.h 2003-07-22 05:34:21.000000000 -0700
+++ openssl-0.9.8/ssl/tls1.h 2005-07-19 20:02:15.000000000 -0700
@@ -282,6 +282,14 @@ extern "C" {
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS extension struct */
+struct tls_extension_st
+{
+ unsigned short type;
+ unsigned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -uprN openssl-0.9.8.orig/util/ssleay.num openssl-0.9.8/util/ssleay.num
--- openssl-0.9.8.orig/util/ssleay.num 2005-05-08 17:22:02.000000000 -0700
+++ openssl-0.9.8/util/ssleay.num 2005-07-19 20:02:15.000000000 -0700
@@ -226,3 +226,6 @@ DTLSv1_server_method
SSL_COMP_get_compression_methods 276 EXIST:!VMS:FUNCTION:COMP
SSL_COMP_get_compress_methods 276 EXIST:VMS:FUNCTION:COMP
SSL_SESSION_get_id 277 EXIST::FUNCTION:
+SSL_set_hello_extension 278 EXIST::FUNCTION:
+SSL_set_hello_extension_cb 279 EXIST::FUNCTION:
+SSL_set_session_secret_cb 280 EXIST::FUNCTION:
external/hostap/patches/openssl-0.9.8d-tls-extensions.patch
Vendored
+429
View File
@@ -0,0 +1,429 @@
This patch is adding support for TLS hello extensions and externally
generated pre-shared key material to OpenSSL 0.9.8d. This is
based on the patch from Alexey Kobozev <akobozev@cisco.com>
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).
diff -uprN openssl-0.9.8d.orig/include/openssl/ssl.h openssl-0.9.8d/include/openssl/ssl.h
--- openssl-0.9.8d.orig/include/openssl/ssl.h 2006-06-14 06:52:49.000000000 -0700
+++ openssl-0.9.8d/include/openssl/ssl.h 2006-12-10 08:20:02.000000000 -0800
@@ -345,6 +345,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_extension_st TLS_EXTENSION;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -366,6 +367,8 @@ DECLARE_STACK_OF(SSL_CIPHER)
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -973,6 +976,15 @@ struct ssl_st
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
+
+ /* TLS externsions */
+ TLS_EXTENSION *tls_extension;
+ int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg);
+ void *tls_extension_cb_arg;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
};
#ifdef __cplusplus
@@ -1538,6 +1550,13 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1719,6 +1738,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
diff -uprN openssl-0.9.8d.orig/include/openssl/tls1.h openssl-0.9.8d/include/openssl/tls1.h
--- openssl-0.9.8d.orig/include/openssl/tls1.h 2006-06-14 10:52:01.000000000 -0700
+++ openssl-0.9.8d/include/openssl/tls1.h 2006-12-10 08:20:02.000000000 -0800
@@ -296,6 +296,14 @@ extern "C" {
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS extension struct */
+struct tls_extension_st
+{
+ unsigned short type;
+ unsigned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -uprN openssl-0.9.8d.orig/ssl/Makefile openssl-0.9.8d/ssl/Makefile
--- openssl-0.9.8d.orig/ssl/Makefile 2006-02-03 17:49:35.000000000 -0800
+++ openssl-0.9.8d/ssl/Makefile 2006-12-10 08:20:02.000000000 -0800
@@ -24,7 +24,7 @@ LIBSRC= \
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
- t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
+ t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c t1_ext.c \
d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
d1_both.c d1_enc.c \
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
@@ -35,7 +35,7 @@ LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
- t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
+ t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o t1_ext.o \
d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \
d1_both.o d1_enc.o \
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
@@ -968,3 +968,4 @@ t1_srvr.o: ../include/openssl/ssl23.h ..
t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.c
+t1_ext.o: t1_ext.c ssl_locl.h
diff -uprN openssl-0.9.8d.orig/ssl/s3_clnt.c openssl-0.9.8d/ssl/s3_clnt.c
--- openssl-0.9.8d.orig/ssl/s3_clnt.c 2005-12-12 23:41:46.000000000 -0800
+++ openssl-0.9.8d/ssl/s3_clnt.c 2006-12-10 08:20:02.000000000 -0800
@@ -601,6 +601,20 @@ int ssl3_client_hello(SSL *s)
#endif
*(p++)=0; /* Add the NULL method */
+ /* send client hello extensions if any */
+ if (s->version >= TLS1_VERSION && s->tls_extension)
+ {
+ // set the total extensions length
+ s2n(s->tls_extension->length + 4, p);
+
+ // put the extensions with type and length
+ s2n(s->tls_extension->type, p);
+ s2n(s->tls_extension->length, p);
+
+ memcpy(p, s->tls_extension->data, s->tls_extension->length);
+ p+=s->tls_extension->length;
+ }
+
l=(p-d);
d=buf;
*(d++)=SSL3_MT_CLIENT_HELLO;
@@ -623,7 +637,7 @@ int ssl3_get_server_hello(SSL *s)
STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
unsigned char *p,*d;
- int i,al,ok;
+ int i,al,ok,pre_shared;
unsigned int j;
long n;
#ifndef OPENSSL_NO_COMP
@@ -690,7 +704,24 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
- if (j != 0 && j == s->session->session_id_length
+ /* check if we want to resume the session based on external pre-shared secret */
+ pre_shared = 0;
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j);
+ s->session->session_id_length = j;
+ memcpy(s->session->session_id, p, j);
+ pre_shared = 1;
+ }
+ }
+
+ if ((pre_shared || j != 0) && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
if(s->sid_ctx_length != s->session->sid_ctx_length
diff -uprN openssl-0.9.8d.orig/ssl/s3_srvr.c openssl-0.9.8d/ssl/s3_srvr.c
--- openssl-0.9.8d.orig/ssl/s3_srvr.c 2006-09-28 04:29:03.000000000 -0700
+++ openssl-0.9.8d/ssl/s3_srvr.c 2006-12-10 08:20:02.000000000 -0800
@@ -943,6 +943,75 @@ int ssl3_get_client_hello(SSL *s)
}
#endif
+ /* Check for TLS client hello extension here */
+ if (p < (d+n) && s->version >= TLS1_VERSION)
+ {
+ if (s->tls_extension_cb)
+ {
+ TLS_EXTENSION tls_ext;
+ unsigned short ext_total_len;
+
+ n2s(p, ext_total_len);
+ n2s(p, tls_ext.type);
+ n2s(p, tls_ext.length);
+
+ // sanity check in TLS extension len
+ if (tls_ext.length > (d+n) - p)
+ {
+ // just cut the lenth to packet border
+ tls_ext.length = (d+n) - p;
+ }
+
+ tls_ext.data = p;
+
+ // returns an alert code or 0
+ al = s->tls_extension_cb(s, &tls_ext, s->tls_extension_cb_arg);
+ if (al != 0)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
+ goto f_err;
+ }
+ }
+ }
+
+ /* Check if we want to use external pre-shared secret for this handshake */
+ /* for not reused session only */
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->ciphers=ciphers;
+ s->session->verify_result=X509_V_OK;
+
+ ciphers=NULL;
+
+ /* check if some cipher was preferred by call back */
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ if (pref_cipher == NULL)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
+ goto f_err;
+ }
+
+ s->session->cipher=pref_cipher;
+
+ if (s->cipher_list)
+ sk_SSL_CIPHER_free(s->cipher_list);
+
+ if (s->cipher_list_by_id)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+ }
+ }
+
/* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
diff -uprN openssl-0.9.8d.orig/ssl/ssl.h openssl-0.9.8d/ssl/ssl.h
--- openssl-0.9.8d.orig/ssl/ssl.h 2006-06-14 06:52:49.000000000 -0700
+++ openssl-0.9.8d/ssl/ssl.h 2006-12-10 08:20:02.000000000 -0800
@@ -345,6 +345,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_extension_st TLS_EXTENSION;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -366,6 +367,8 @@ DECLARE_STACK_OF(SSL_CIPHER)
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -973,6 +976,15 @@ struct ssl_st
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
+
+ /* TLS externsions */
+ TLS_EXTENSION *tls_extension;
+ int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg);
+ void *tls_extension_cb_arg;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
};
#ifdef __cplusplus
@@ -1538,6 +1550,13 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1719,6 +1738,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
diff -uprN openssl-0.9.8d.orig/ssl/ssl_err.c openssl-0.9.8d/ssl/ssl_err.c
--- openssl-0.9.8d.orig/ssl/ssl_err.c 2006-01-08 13:52:46.000000000 -0800
+++ openssl-0.9.8d/ssl/ssl_err.c 2006-12-10 08:20:02.000000000 -0800
@@ -242,6 +242,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_SET_HELLO_EXTENSION), "SSL_set_hello_extension"},
{0,NULL}
};
diff -uprN openssl-0.9.8d.orig/ssl/ssl_sess.c openssl-0.9.8d/ssl/ssl_sess.c
--- openssl-0.9.8d.orig/ssl/ssl_sess.c 2005-12-30 15:51:57.000000000 -0800
+++ openssl-0.9.8d/ssl/ssl_sess.c 2006-12-10 08:20:02.000000000 -0800
@@ -656,6 +656,15 @@ long SSL_CTX_get_timeout(const SSL_CTX *
return(s->session_timeout);
}
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+{
+ if (s == NULL) return(0);
+ s->tls_session_secret_cb = tls_session_secret_cb;
+ s->tls_session_secret_cb_arg = arg;
+ return(1);
+}
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
diff -uprN openssl-0.9.8d.orig/ssl/t1_ext.c openssl-0.9.8d/ssl/t1_ext.c
--- openssl-0.9.8d.orig/ssl/t1_ext.c 1969-12-31 16:00:00.000000000 -0800
+++ openssl-0.9.8d/ssl/t1_ext.c 2006-12-10 08:20:02.000000000 -0800
@@ -0,0 +1,48 @@
+
+#include <stdio.h>
+#include "ssl_locl.h"
+
+
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ s->tls_extension = NULL;
+ }
+
+ if(ext_data)
+ {
+ s->tls_extension = OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len);
+ if(!s->tls_extension)
+ {
+ SSLerr(SSL_F_SSL_SET_HELLO_EXTENSION, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ s->tls_extension->type = ext_type;
+ s->tls_extension->length = ext_len;
+ s->tls_extension->data = s->tls_extension + 1;
+ memcpy(s->tls_extension->data, ext_data, ext_len);
+ }
+
+ return 1;
+ }
+
+ return 0;
+}
+
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ s->tls_extension_cb = cb;
+ s->tls_extension_cb_arg = arg;
+
+ return 1;
+ }
+
+ return 0;
+}
diff -uprN openssl-0.9.8d.orig/ssl/t1_lib.c openssl-0.9.8d/ssl/t1_lib.c
--- openssl-0.9.8d.orig/ssl/t1_lib.c 2005-08-05 16:52:07.000000000 -0700
+++ openssl-0.9.8d/ssl/t1_lib.c 2006-12-10 08:20:02.000000000 -0800
@@ -97,6 +97,10 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ }
ssl3_free(s);
}
diff -uprN openssl-0.9.8d.orig/ssl/tls1.h openssl-0.9.8d/ssl/tls1.h
--- openssl-0.9.8d.orig/ssl/tls1.h 2006-06-14 10:52:01.000000000 -0700
+++ openssl-0.9.8d/ssl/tls1.h 2006-12-10 08:20:02.000000000 -0800
@@ -296,6 +296,14 @@ extern "C" {
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS extension struct */
+struct tls_extension_st
+{
+ unsigned short type;
+ unsigned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -uprN openssl-0.9.8d.orig/util/ssleay.num openssl-0.9.8d/util/ssleay.num
--- openssl-0.9.8d.orig/util/ssleay.num 2005-05-08 17:22:02.000000000 -0700
+++ openssl-0.9.8d/util/ssleay.num 2006-12-10 08:20:02.000000000 -0800
@@ -226,3 +226,6 @@ DTLSv1_server_method
SSL_COMP_get_compression_methods 276 EXIST:!VMS:FUNCTION:COMP
SSL_COMP_get_compress_methods 276 EXIST:VMS:FUNCTION:COMP
SSL_SESSION_get_id 277 EXIST::FUNCTION:
+SSL_set_hello_extension 278 EXIST::FUNCTION:
+SSL_set_hello_extension_cb 279 EXIST::FUNCTION:
+SSL_set_session_secret_cb 280 EXIST::FUNCTION:
external/hostap/patches/openssl-0.9.8e-tls-extensions.patch
Vendored
+353
View File
@@ -0,0 +1,353 @@
This patch is adding support for TLS hello extensions and externally
generated pre-shared key material to OpenSSL 0.9.8e. This is
based on the patch from Alexey Kobozev <akobozev@cisco.com>
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).
diff -uprN openssl-0.9.8e.orig/ssl/Makefile openssl-0.9.8e/ssl/Makefile
--- openssl-0.9.8e.orig/ssl/Makefile 2006-02-03 17:49:35.000000000 -0800
+++ openssl-0.9.8e/ssl/Makefile 2007-03-22 20:23:19.000000000 -0700
@@ -24,7 +24,7 @@ LIBSRC= \
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
- t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
+ t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c t1_ext.c \
d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
d1_both.c d1_enc.c \
ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
@@ -35,7 +35,7 @@ LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
- t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
+ t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o t1_ext.o \
d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \
d1_both.o d1_enc.o \
ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
@@ -968,3 +968,4 @@ t1_srvr.o: ../include/openssl/ssl23.h ..
t1_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
t1_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
t1_srvr.o: ../include/openssl/x509_vfy.h ssl_locl.h t1_srvr.c
+t1_ext.o: t1_ext.c ssl_locl.h
diff -uprN openssl-0.9.8e.orig/ssl/s3_clnt.c openssl-0.9.8e/ssl/s3_clnt.c
--- openssl-0.9.8e.orig/ssl/s3_clnt.c 2006-09-28 05:23:15.000000000 -0700
+++ openssl-0.9.8e/ssl/s3_clnt.c 2007-03-22 20:23:19.000000000 -0700
@@ -601,6 +601,20 @@ int ssl3_client_hello(SSL *s)
#endif
*(p++)=0; /* Add the NULL method */
+ /* send client hello extensions if any */
+ if (s->version >= TLS1_VERSION && s->tls_extension)
+ {
+ // set the total extensions length
+ s2n(s->tls_extension->length + 4, p);
+
+ // put the extensions with type and length
+ s2n(s->tls_extension->type, p);
+ s2n(s->tls_extension->length, p);
+
+ memcpy(p, s->tls_extension->data, s->tls_extension->length);
+ p+=s->tls_extension->length;
+ }
+
l=(p-d);
d=buf;
*(d++)=SSL3_MT_CLIENT_HELLO;
@@ -623,7 +637,7 @@ int ssl3_get_server_hello(SSL *s)
STACK_OF(SSL_CIPHER) *sk;
SSL_CIPHER *c;
unsigned char *p,*d;
- int i,al,ok;
+ int i,al,ok,pre_shared;
unsigned int j;
long n;
#ifndef OPENSSL_NO_COMP
@@ -690,7 +704,24 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
- if (j != 0 && j == s->session->session_id_length
+ /* check if we want to resume the session based on external pre-shared secret */
+ pre_shared = 0;
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j);
+ s->session->session_id_length = j;
+ memcpy(s->session->session_id, p, j);
+ pre_shared = 1;
+ }
+ }
+
+ if ((pre_shared || j != 0) && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
if(s->sid_ctx_length != s->session->sid_ctx_length
diff -uprN openssl-0.9.8e.orig/ssl/s3_srvr.c openssl-0.9.8e/ssl/s3_srvr.c
--- openssl-0.9.8e.orig/ssl/s3_srvr.c 2007-02-07 12:36:40.000000000 -0800
+++ openssl-0.9.8e/ssl/s3_srvr.c 2007-03-22 20:23:19.000000000 -0700
@@ -945,6 +945,75 @@ int ssl3_get_client_hello(SSL *s)
}
#endif
+ /* Check for TLS client hello extension here */
+ if (p < (d+n) && s->version >= TLS1_VERSION)
+ {
+ if (s->tls_extension_cb)
+ {
+ TLS_EXTENSION tls_ext;
+ unsigned short ext_total_len;
+
+ n2s(p, ext_total_len);
+ n2s(p, tls_ext.type);
+ n2s(p, tls_ext.length);
+
+ // sanity check in TLS extension len
+ if (tls_ext.length > (d+n) - p)
+ {
+ // just cut the lenth to packet border
+ tls_ext.length = (d+n) - p;
+ }
+
+ tls_ext.data = p;
+
+ // returns an alert code or 0
+ al = s->tls_extension_cb(s, &tls_ext, s->tls_extension_cb_arg);
+ if (al != 0)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PEER_ERROR);
+ goto f_err;
+ }
+ }
+ }
+
+ /* Check if we want to use external pre-shared secret for this handshake */
+ /* for not reused session only */
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->ciphers=ciphers;
+ s->session->verify_result=X509_V_OK;
+
+ ciphers=NULL;
+
+ /* check if some cipher was preferred by call back */
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ if (pref_cipher == NULL)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
+ goto f_err;
+ }
+
+ s->session->cipher=pref_cipher;
+
+ if (s->cipher_list)
+ sk_SSL_CIPHER_free(s->cipher_list);
+
+ if (s->cipher_list_by_id)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+ }
+ }
+
/* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
diff -uprN openssl-0.9.8e.orig/ssl/ssl.h openssl-0.9.8e/ssl/ssl.h
--- openssl-0.9.8e.orig/ssl/ssl.h 2007-02-19 09:55:07.000000000 -0800
+++ openssl-0.9.8e/ssl/ssl.h 2007-03-22 20:23:19.000000000 -0700
@@ -345,6 +345,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_extension_st TLS_EXTENSION;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -366,6 +367,8 @@ DECLARE_STACK_OF(SSL_CIPHER)
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -973,6 +976,15 @@ struct ssl_st
int first_packet;
int client_version; /* what was passed, used for
* SSLv3/TLS rollback check */
+
+ /* TLS externsions */
+ TLS_EXTENSION *tls_extension;
+ int (*tls_extension_cb)(SSL *s, TLS_EXTENSION *tls_ext, void *arg);
+ void *tls_extension_cb_arg;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
};
#ifdef __cplusplus
@@ -1538,6 +1550,13 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1719,6 +1738,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
diff -uprN openssl-0.9.8e.orig/ssl/ssl_err.c openssl-0.9.8e/ssl/ssl_err.c
--- openssl-0.9.8e.orig/ssl/ssl_err.c 2006-11-21 12:14:46.000000000 -0800
+++ openssl-0.9.8e/ssl/ssl_err.c 2007-03-22 20:23:19.000000000 -0700
@@ -242,6 +242,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_SET_HELLO_EXTENSION), "SSL_set_hello_extension"},
{0,NULL}
};
diff -uprN openssl-0.9.8e.orig/ssl/ssl_sess.c openssl-0.9.8e/ssl/ssl_sess.c
--- openssl-0.9.8e.orig/ssl/ssl_sess.c 2007-02-10 02:40:24.000000000 -0800
+++ openssl-0.9.8e/ssl/ssl_sess.c 2007-03-22 20:23:19.000000000 -0700
@@ -656,6 +656,15 @@ long SSL_CTX_get_timeout(const SSL_CTX *
return(s->session_timeout);
}
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+{
+ if (s == NULL) return(0);
+ s->tls_session_secret_cb = tls_session_secret_cb;
+ s->tls_session_secret_cb_arg = arg;
+ return(1);
+}
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
diff -uprN openssl-0.9.8e.orig/ssl/t1_ext.c openssl-0.9.8e/ssl/t1_ext.c
--- openssl-0.9.8e.orig/ssl/t1_ext.c 1969-12-31 16:00:00.000000000 -0800
+++ openssl-0.9.8e/ssl/t1_ext.c 2007-03-22 20:23:19.000000000 -0700
@@ -0,0 +1,48 @@
+
+#include <stdio.h>
+#include "ssl_locl.h"
+
+
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ s->tls_extension = NULL;
+ }
+
+ if(ext_data)
+ {
+ s->tls_extension = OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len);
+ if(!s->tls_extension)
+ {
+ SSLerr(SSL_F_SSL_SET_HELLO_EXTENSION, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ s->tls_extension->type = ext_type;
+ s->tls_extension->length = ext_len;
+ s->tls_extension->data = s->tls_extension + 1;
+ memcpy(s->tls_extension->data, ext_data, ext_len);
+ }
+
+ return 1;
+ }
+
+ return 0;
+}
+
+int SSL_set_hello_extension_cb(SSL *s, int (*cb)(SSL *, TLS_EXTENSION *, void *), void *arg)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ s->tls_extension_cb = cb;
+ s->tls_extension_cb_arg = arg;
+
+ return 1;
+ }
+
+ return 0;
+}
diff -uprN openssl-0.9.8e.orig/ssl/t1_lib.c openssl-0.9.8e/ssl/t1_lib.c
--- openssl-0.9.8e.orig/ssl/t1_lib.c 2007-01-21 08:07:25.000000000 -0800
+++ openssl-0.9.8e/ssl/t1_lib.c 2007-03-22 20:23:19.000000000 -0700
@@ -97,6 +97,10 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ }
ssl3_free(s);
}
diff -uprN openssl-0.9.8e.orig/ssl/tls1.h openssl-0.9.8e/ssl/tls1.h
--- openssl-0.9.8e.orig/ssl/tls1.h 2006-06-14 10:52:01.000000000 -0700
+++ openssl-0.9.8e/ssl/tls1.h 2007-03-22 20:23:19.000000000 -0700
@@ -296,6 +296,14 @@ extern "C" {
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS extension struct */
+struct tls_extension_st
+{
+ unsigned short type;
+ unsigned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -uprN openssl-0.9.8e.orig/util/ssleay.num openssl-0.9.8e/util/ssleay.num
--- openssl-0.9.8e.orig/util/ssleay.num 2006-11-30 05:04:43.000000000 -0800
+++ openssl-0.9.8e/util/ssleay.num 2007-03-22 20:24:07.000000000 -0700
@@ -238,3 +238,6 @@ SSL_CTX_set_info_callback
SSL_CTX_sess_get_new_cb 287 EXIST::FUNCTION:
SSL_CTX_get_client_cert_cb 288 EXIST::FUNCTION:
SSL_CTX_sess_get_remove_cb 289 EXIST::FUNCTION:
+SSL_set_hello_extension 290 EXIST::FUNCTION:
+SSL_set_hello_extension_cb 291 EXIST::FUNCTION:
+SSL_set_session_secret_cb 292 EXIST::FUNCTION:
external/hostap/patches/openssl-0.9.8g-tls-extensions.patch
Vendored
+330
View File
@@ -0,0 +1,330 @@
This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).
This is based on the patch from Alexey Kobozev <akobozev@cisco.com>
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).
OpenSSL 0.9.8g does not enable TLS extension support by default, so it
will need to be enabled by adding enable-tlsext to config script
command line.
diff -upr openssl-0.9.8g.orig/ssl/s3_clnt.c openssl-0.9.8g/ssl/s3_clnt.c
--- openssl-0.9.8g.orig/ssl/s3_clnt.c 2007-08-31 03:28:51.000000000 +0300
+++ openssl-0.9.8g/ssl/s3_clnt.c 2008-04-15 17:11:46.000000000 +0300
@@ -727,6 +727,20 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
+#ifndef OPENSSL_NO_TLSEXT
+ /* check if we want to resume the session based on external pre-shared secret */
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j);
+ }
+ }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
diff -upr openssl-0.9.8g.orig/ssl/s3_srvr.c openssl-0.9.8g/ssl/s3_srvr.c
--- openssl-0.9.8g.orig/ssl/s3_srvr.c 2007-09-30 21:55:59.000000000 +0300
+++ openssl-0.9.8g/ssl/s3_srvr.c 2008-04-15 17:10:37.000000000 +0300
@@ -928,6 +928,59 @@ int ssl3_get_client_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
+
+ /* Check if we want to use external pre-shared secret for this
+ * handshake for not reused session only. We need to generate
+ * server_random before calling tls_session_secret_cb in order to allow
+ * SessionTicket processing to use it in key derivation. */
+ {
+ unsigned long Time;
+ unsigned char *pos;
+ Time=(unsigned long)time(NULL); /* Time */
+ pos=s->s3->server_random;
+ l2n(Time,pos);
+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
+ {
+ al=SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+ }
+
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->ciphers=ciphers;
+ s->session->verify_result=X509_V_OK;
+
+ ciphers=NULL;
+
+ /* check if some cipher was preferred by call back */
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ if (pref_cipher == NULL)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
+ goto f_err;
+ }
+
+ s->session->cipher=pref_cipher;
+
+ if (s->cipher_list)
+ sk_SSL_CIPHER_free(s->cipher_list);
+
+ if (s->cipher_list_by_id)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+ }
+ }
#endif
/* Worst case, we will use the NULL compression, but if we have other
* options, we will now look for them. We have i-1 compression
@@ -1066,16 +1119,22 @@ int ssl3_send_server_hello(SSL *s)
unsigned char *buf;
unsigned char *p,*d;
int i,sl;
- unsigned long l,Time;
+ unsigned long l;
+#ifdef OPENSSL_NO_TLSEXT
+ unsigned long Time;
+#endif
if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
{
buf=(unsigned char *)s->init_buf->data;
+#ifdef OPENSSL_NO_TLSEXT
p=s->s3->server_random;
+ /* Generate server_random if it was not needed previously */
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
+#endif
/* Do the message type and length last */
d=p= &(buf[4]);
diff -upr openssl-0.9.8g.orig/ssl/ssl.h openssl-0.9.8g/ssl/ssl.h
--- openssl-0.9.8g.orig/ssl/ssl.h 2007-10-19 10:42:38.000000000 +0300
+++ openssl-0.9.8g/ssl/ssl.h 2008-04-15 17:10:37.000000000 +0300
@@ -342,6 +342,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_extension_st TLS_EXTENSION;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -363,6 +364,8 @@ DECLARE_STACK_OF(SSL_CIPHER)
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -1004,6 +1007,14 @@ struct ssl_st
*/
/* RFC4507 session ticket expected to be received or sent */
int tlsext_ticket_expected;
+
+ /* TLS extensions */
+ TLS_EXTENSION *tls_extension;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
+
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
#define session_ctx initial_ctx
#else
@@ -1589,6 +1600,12 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1778,6 +1795,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
diff -upr openssl-0.9.8g.orig/ssl/ssl_err.c openssl-0.9.8g/ssl/ssl_err.c
--- openssl-0.9.8g.orig/ssl/ssl_err.c 2007-10-11 17:36:59.000000000 +0300
+++ openssl-0.9.8g/ssl/ssl_err.c 2008-04-15 17:10:37.000000000 +0300
@@ -250,6 +250,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_SET_HELLO_EXTENSION), "SSL_set_hello_extension"},
{0,NULL}
};
diff -upr openssl-0.9.8g.orig/ssl/ssl_sess.c openssl-0.9.8g/ssl/ssl_sess.c
--- openssl-0.9.8g.orig/ssl/ssl_sess.c 2007-10-19 10:36:34.000000000 +0300
+++ openssl-0.9.8g/ssl/ssl_sess.c 2008-04-15 17:10:37.000000000 +0300
@@ -704,6 +704,52 @@ long SSL_CTX_get_timeout(const SSL_CTX *
return(s->session_timeout);
}
+#ifndef OPENSSL_NO_TLSEXT
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+{
+ if (s == NULL) return(0);
+ s->tls_session_secret_cb = tls_session_secret_cb;
+ s->tls_session_secret_cb_arg = arg;
+ return(1);
+}
+
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ s->tls_extension = NULL;
+ }
+
+ s->tls_extension = OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len);
+ if(!s->tls_extension)
+ {
+ SSLerr(SSL_F_SSL_SET_HELLO_EXTENSION, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ s->tls_extension->type = ext_type;
+
+ if(ext_data)
+ {
+ s->tls_extension->length = ext_len;
+ s->tls_extension->data = s->tls_extension + 1;
+ memcpy(s->tls_extension->data, ext_data, ext_len);
+ } else {
+ s->tls_extension->length = 0;
+ s->tls_extension->data = NULL;
+ }
+
+ return 1;
+ }
+
+ return 0;
+}
+#endif /* OPENSSL_NO_TLSEXT */
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
diff -upr openssl-0.9.8g.orig/ssl/t1_lib.c openssl-0.9.8g/ssl/t1_lib.c
--- openssl-0.9.8g.orig/ssl/t1_lib.c 2007-10-19 10:44:10.000000000 +0300
+++ openssl-0.9.8g/ssl/t1_lib.c 2008-04-15 17:10:37.000000000 +0300
@@ -105,6 +105,12 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
+#ifndef OPENSSL_NO_TLSEXT
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ }
+#endif
ssl3_free(s);
}
@@ -174,8 +180,24 @@ unsigned char *ssl_add_clienthello_tlsex
int ticklen;
if (s->session && s->session->tlsext_tick)
ticklen = s->session->tlsext_ticklen;
+ else if (s->session && s->tls_extension &&
+ s->tls_extension->type == TLSEXT_TYPE_session_ticket &&
+ s->tls_extension->data)
+ {
+ ticklen = s->tls_extension->length;
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
+ if (!s->session->tlsext_tick)
+ return NULL;
+ memcpy(s->session->tlsext_tick, s->tls_extension->data,
+ ticklen);
+ s->session->tlsext_ticklen = ticklen;
+ }
else
ticklen = 0;
+ if (ticklen == 0 && s->tls_extension &&
+ s->tls_extension->type == TLSEXT_TYPE_session_ticket &&
+ s->tls_extension->data == NULL)
+ goto skip_ext;
/* Check for enough room 2 for extension type, 2 for len
* rest for ticket
*/
@@ -189,6 +211,7 @@ unsigned char *ssl_add_clienthello_tlsex
ret += ticklen;
}
}
+ skip_ext:
if ((extdatalen = ret-p-2)== 0)
return p;
@@ -543,6 +566,8 @@ int tls1_process_ticket(SSL *s, unsigned
s->tlsext_ticket_expected = 1;
return 0; /* Cache miss */
}
+ if (s->tls_session_secret_cb)
+ return 0;
return tls_decrypt_ticket(s, p, size, session_id, len,
ret);
}
diff -upr openssl-0.9.8g.orig/ssl/tls1.h openssl-0.9.8g/ssl/tls1.h
--- openssl-0.9.8g.orig/ssl/tls1.h 2007-08-28 04:12:44.000000000 +0300
+++ openssl-0.9.8g/ssl/tls1.h 2008-04-15 17:10:37.000000000 +0300
@@ -365,6 +365,14 @@ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SER
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS extension struct */
+struct tls_extension_st
+{
+ unsigned short type;
+ unsigned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -upr openssl-0.9.8g.orig/util/ssleay.num openssl-0.9.8g/util/ssleay.num
--- openssl-0.9.8g.orig/util/ssleay.num 2007-08-13 01:31:16.000000000 +0300
+++ openssl-0.9.8g/util/ssleay.num 2008-04-15 17:10:37.000000000 +0300
@@ -241,3 +241,5 @@ SSL_CTX_sess_get_remove_cb
SSL_set_SSL_CTX 290 EXIST::FUNCTION:
SSL_get_servername 291 EXIST::FUNCTION:TLSEXT
SSL_get_servername_type 292 EXIST::FUNCTION:TLSEXT
+SSL_set_hello_extension 305 EXIST::FUNCTION:TLSEXT
+SSL_set_session_secret_cb 306 EXIST::FUNCTION:TLSEXT
external/hostap/patches/openssl-0.9.8h-tls-extensions.patch
Vendored
+344
View File
@@ -0,0 +1,344 @@
This patch adds support for TLS SessionTicket extension (RFC 5077) for
the parts used by EAP-FAST (RFC 4851).
This is based on the patch from Alexey Kobozev <akobozev@cisco.com>
(sent to openssl-dev mailing list on Tue, 07 Jun 2005 15:40:58 +0300).
OpenSSL 0.9.8h does not enable TLS extension support by default, so it
will need to be enabled by adding enable-tlsext to config script
command line.
diff -upr openssl-0.9.8h.orig/ssl/s3_clnt.c openssl-0.9.8h/ssl/s3_clnt.c
--- openssl-0.9.8h.orig/ssl/s3_clnt.c 2008-05-28 10:29:27.000000000 +0300
+++ openssl-0.9.8h/ssl/s3_clnt.c 2008-05-29 10:44:25.000000000 +0300
@@ -752,6 +752,20 @@ int ssl3_get_server_hello(SSL *s)
goto f_err;
}
+#ifndef OPENSSL_NO_TLSEXT
+ /* check if we want to resume the session based on external pre-shared secret */
+ if (s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if (s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ NULL, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->session->cipher=pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s,p+j);
+ }
+ }
+#endif /* OPENSSL_NO_TLSEXT */
+
if (j != 0 && j == s->session->session_id_length
&& memcmp(p,s->session->session_id,j) == 0)
{
@@ -2693,11 +2707,8 @@ static int ssl3_check_finished(SSL *s)
{
int ok;
long n;
- /* If we have no ticket or session ID is non-zero length (a match of
- * a non-zero session length would never reach here) it cannot be a
- * resumed session.
- */
- if (!s->session->tlsext_tick || s->session->session_id_length)
+ /* If we have no ticket it cannot be a resumed session. */
+ if (!s->session->tlsext_tick)
return 1;
/* this function is called when we really expect a Certificate
* message, so permit appropriate message length */
diff -upr openssl-0.9.8h.orig/ssl/s3_srvr.c openssl-0.9.8h/ssl/s3_srvr.c
--- openssl-0.9.8h.orig/ssl/s3_srvr.c 2008-04-30 19:11:32.000000000 +0300
+++ openssl-0.9.8h/ssl/s3_srvr.c 2008-05-28 18:49:34.000000000 +0300
@@ -959,6 +959,59 @@ int ssl3_get_client_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
+
+ /* Check if we want to use external pre-shared secret for this
+ * handshake for not reused session only. We need to generate
+ * server_random before calling tls_session_secret_cb in order to allow
+ * SessionTicket processing to use it in key derivation. */
+ {
+ unsigned long Time;
+ unsigned char *pos;
+ Time=(unsigned long)time(NULL); /* Time */
+ pos=s->s3->server_random;
+ l2n(Time,pos);
+ if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
+ {
+ al=SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+ }
+
+ if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb)
+ {
+ SSL_CIPHER *pref_cipher=NULL;
+
+ s->session->master_key_length=sizeof(s->session->master_key);
+ if(s->tls_session_secret_cb(s, s->session->master_key, &s->session->master_key_length,
+ ciphers, &pref_cipher, s->tls_session_secret_cb_arg))
+ {
+ s->hit=1;
+ s->session->ciphers=ciphers;
+ s->session->verify_result=X509_V_OK;
+
+ ciphers=NULL;
+
+ /* check if some cipher was preferred by call back */
+ pref_cipher=pref_cipher ? pref_cipher : ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ if (pref_cipher == NULL)
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
+ goto f_err;
+ }
+
+ s->session->cipher=pref_cipher;
+
+ if (s->cipher_list)
+ sk_SSL_CIPHER_free(s->cipher_list);
+
+ if (s->cipher_list_by_id)
+ sk_SSL_CIPHER_free(s->cipher_list_by_id);
+
+ s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
+ s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
+ }
+ }
#endif
/* Worst case, we will use the NULL compression, but if we have other
* options, we will now look for them. We have i-1 compression
@@ -1097,16 +1150,22 @@ int ssl3_send_server_hello(SSL *s)
unsigned char *buf;
unsigned char *p,*d;
int i,sl;
- unsigned long l,Time;
+ unsigned long l;
+#ifdef OPENSSL_NO_TLSEXT
+ unsigned long Time;
+#endif
if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
{
buf=(unsigned char *)s->init_buf->data;
+#ifdef OPENSSL_NO_TLSEXT
p=s->s3->server_random;
+ /* Generate server_random if it was not needed previously */
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
return -1;
+#endif
/* Do the message type and length last */
d=p= &(buf[4]);
diff -upr openssl-0.9.8h.orig/ssl/ssl.h openssl-0.9.8h/ssl/ssl.h
--- openssl-0.9.8h.orig/ssl/ssl.h 2008-04-30 19:11:32.000000000 +0300
+++ openssl-0.9.8h/ssl/ssl.h 2008-05-28 18:49:34.000000000 +0300
@@ -343,6 +343,7 @@ extern "C" {
* 'struct ssl_st *' function parameters used to prototype callbacks
* in SSL_CTX. */
typedef struct ssl_st *ssl_crock_st;
+typedef struct tls_extension_st TLS_EXTENSION;
/* used to hold info on the particular ciphers used */
typedef struct ssl_cipher_st
@@ -364,6 +365,8 @@ DECLARE_STACK_OF(SSL_CIPHER)
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
+typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
+
/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */
typedef struct ssl_method_st
{
@@ -1027,6 +1030,14 @@ struct ssl_st
/* RFC4507 session ticket expected to be received or sent */
int tlsext_ticket_expected;
+
+ /* TLS extensions */
+ TLS_EXTENSION *tls_extension;
+
+ /* TLS pre-shared secret session resumption */
+ tls_session_secret_cb_fn tls_session_secret_cb;
+ void *tls_session_secret_cb_arg;
+
SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */
#define session_ctx initial_ctx
#else
@@ -1625,6 +1636,12 @@ void *SSL_COMP_get_compression_methods(v
int SSL_COMP_add_compression_method(int id,void *cm);
#endif
+/* TLS extensions functions */
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len);
+
+/* Pre-shared secret session resumption functions */
+int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1815,6 +1832,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_TLS1_ENC 210
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
#define SSL_F_WRITE_PENDING 212
+#define SSL_F_SSL_SET_HELLO_EXTENSION 213
/* Reason codes. */
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
diff -upr openssl-0.9.8h.orig/ssl/ssl_err.c openssl-0.9.8h/ssl/ssl_err.c
--- openssl-0.9.8h.orig/ssl/ssl_err.c 2007-10-12 03:00:30.000000000 +0300
+++ openssl-0.9.8h/ssl/ssl_err.c 2008-05-28 18:49:34.000000000 +0300
@@ -251,6 +251,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_TLS1_ENC), "TLS1_ENC"},
{ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "TLS1_SETUP_KEY_BLOCK"},
{ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"},
+{ERR_FUNC(SSL_F_SSL_SET_HELLO_EXTENSION), "SSL_set_hello_extension"},
{0,NULL}
};
diff -upr openssl-0.9.8h.orig/ssl/ssl_sess.c openssl-0.9.8h/ssl/ssl_sess.c
--- openssl-0.9.8h.orig/ssl/ssl_sess.c 2007-10-17 20:30:15.000000000 +0300
+++ openssl-0.9.8h/ssl/ssl_sess.c 2008-05-28 18:49:34.000000000 +0300
@@ -704,6 +704,52 @@ long SSL_CTX_get_timeout(const SSL_CTX *
return(s->session_timeout);
}
+#ifndef OPENSSL_NO_TLSEXT
+int SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, void *secret, int *secret_len,
+ STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg), void *arg)
+{
+ if (s == NULL) return(0);
+ s->tls_session_secret_cb = tls_session_secret_cb;
+ s->tls_session_secret_cb_arg = arg;
+ return(1);
+}
+
+int SSL_set_hello_extension(SSL *s, int ext_type, void *ext_data, int ext_len)
+{
+ if(s->version >= TLS1_VERSION)
+ {
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ s->tls_extension = NULL;
+ }
+
+ s->tls_extension = OPENSSL_malloc(sizeof(TLS_EXTENSION) + ext_len);
+ if(!s->tls_extension)
+ {
+ SSLerr(SSL_F_SSL_SET_HELLO_EXTENSION, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ s->tls_extension->type = ext_type;
+
+ if(ext_data)
+ {
+ s->tls_extension->length = ext_len;
+ s->tls_extension->data = s->tls_extension + 1;
+ memcpy(s->tls_extension->data, ext_data, ext_len);
+ } else {
+ s->tls_extension->length = 0;
+ s->tls_extension->data = NULL;
+ }
+
+ return 1;
+ }
+
+ return 0;
+}
+#endif /* OPENSSL_NO_TLSEXT */
+
typedef struct timeout_param_st
{
SSL_CTX *ctx;
diff -upr openssl-0.9.8h.orig/ssl/t1_lib.c openssl-0.9.8h/ssl/t1_lib.c
--- openssl-0.9.8h.orig/ssl/t1_lib.c 2008-05-28 10:26:33.000000000 +0300
+++ openssl-0.9.8h/ssl/t1_lib.c 2008-05-28 18:49:34.000000000 +0300
@@ -106,6 +106,12 @@ int tls1_new(SSL *s)
void tls1_free(SSL *s)
{
+#ifndef OPENSSL_NO_TLSEXT
+ if(s->tls_extension)
+ {
+ OPENSSL_free(s->tls_extension);
+ }
+#endif
ssl3_free(s);
}
@@ -175,8 +181,24 @@ unsigned char *ssl_add_clienthello_tlsex
int ticklen;
if (s->session && s->session->tlsext_tick)
ticklen = s->session->tlsext_ticklen;
+ else if (s->session && s->tls_extension &&
+ s->tls_extension->type == TLSEXT_TYPE_session_ticket &&
+ s->tls_extension->data)
+ {
+ ticklen = s->tls_extension->length;
+ s->session->tlsext_tick = OPENSSL_malloc(ticklen);
+ if (!s->session->tlsext_tick)
+ return NULL;
+ memcpy(s->session->tlsext_tick, s->tls_extension->data,
+ ticklen);
+ s->session->tlsext_ticklen = ticklen;
+ }
else
ticklen = 0;
+ if (ticklen == 0 && s->tls_extension &&
+ s->tls_extension->type == TLSEXT_TYPE_session_ticket &&
+ s->tls_extension->data == NULL)
+ goto skip_ext;
/* Check for enough room 2 for extension type, 2 for len
* rest for ticket
*/
@@ -190,6 +212,7 @@ unsigned char *ssl_add_clienthello_tlsex
ret += ticklen;
}
}
+ skip_ext:
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp)
{
@@ -774,6 +797,8 @@ int tls1_process_ticket(SSL *s, unsigned
s->tlsext_ticket_expected = 1;
return 0; /* Cache miss */
}
+ if (s->tls_session_secret_cb)
+ return 0;
return tls_decrypt_ticket(s, p, size, session_id, len,
ret);
}
diff -upr openssl-0.9.8h.orig/ssl/tls1.h openssl-0.9.8h/ssl/tls1.h
--- openssl-0.9.8h.orig/ssl/tls1.h 2008-04-30 19:11:33.000000000 +0300
+++ openssl-0.9.8h/ssl/tls1.h 2008-05-28 18:49:34.000000000 +0300
@@ -398,6 +398,14 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T
#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" /*master secret*/
#endif
+/* TLS extension struct */
+struct tls_extension_st
+{
+ unsigned short type;
+ unsigned short length;
+ void *data;
+};
+
#ifdef __cplusplus
}
#endif
diff -upr openssl-0.9.8h.orig/util/ssleay.num openssl-0.9.8h/util/ssleay.num
--- openssl-0.9.8h.orig/util/ssleay.num 2007-08-13 01:31:16.000000000 +0300
+++ openssl-0.9.8h/util/ssleay.num 2008-05-28 18:49:34.000000000 +0300
@@ -241,3 +241,5 @@ SSL_CTX_sess_get_remove_cb
SSL_set_SSL_CTX 290 EXIST::FUNCTION:
SSL_get_servername 291 EXIST::FUNCTION:TLSEXT
SSL_get_servername_type 292 EXIST::FUNCTION:TLSEXT
+SSL_set_hello_extension 305 EXIST::FUNCTION:TLSEXT
+SSL_set_session_secret_cb 306 EXIST::FUNCTION:TLSEXT

Some files were not shown because too many files have changed in this diff Show More