From owner-p4-projects@FreeBSD.ORG Mon Jun 13 22:09:48 2005
Date: Mon, 13 Jun 2005 22:09:47 GMT
From: Peter Wemm
To: Perforce Change Reviews
Subject: PERFORCE change 78499 for review
Message-Id: <200506132209.j5DM9lhD026109@repoman.freebsd.org>
List-Id: p4 projects tree changes
X-List-Received-Date: Mon, 13 Jun 2005 22:09:48 -0000

http://perforce.freebsd.org/chv.cgi?CH=78499

Change 78499 by peter@peter_overcee on 2005/06/13 22:09:36

	IFC @78498

Affected files ...

.. //depot/projects/hammer/contrib/hostapd/ChangeLog#2 integrate
.. //depot/projects/hammer/contrib/hostapd/Makefile#2 integrate
.. //depot/projects/hammer/contrib/hostapd/common.h#2 integrate
.. //depot/projects/hammer/contrib/hostapd/config.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/ctrl_iface.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/eapol_sm.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/eapol_sm.h#2 integrate
.. //depot/projects/hammer/contrib/hostapd/ieee802_1x.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/ms_funcs.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/radius_client.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/radius_server.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/tls_openssl.c#2 integrate
.. //depot/projects/hammer/contrib/hostapd/version.h#2 integrate
.. //depot/projects/hammer/contrib/hostapd/wpa.c#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/ChangeLog#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/README#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/config.c#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/ctrl_iface.c#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/eap.c#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/eap_mschapv2.c#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/eap_peap.c#2 integrate
.. //depot/projects/hammer/contrib/wpa_supplicant/eap_tls_common.c#2 integrate
..
//depot/projects/hammer/contrib/wpa_supplicant/eap_ttls.c#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/eapol_sm.c#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/ms_funcs.c#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/radius.c#1 branch .. //depot/projects/hammer/contrib/wpa_supplicant/radius.h#1 branch .. //depot/projects/hammer/contrib/wpa_supplicant/tls_openssl.c#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/version.h#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/wpa.c#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/wpa_ctrl.c#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/wpa_supplicant.c#2 integrate .. //depot/projects/hammer/contrib/wpa_supplicant/wpa_supplicant_i.h#2 integrate .. //depot/projects/hammer/lib/libpam/modules/pam_radius/pam_radius.c#10 integrate .. //depot/projects/hammer/sys/net/if_stf.c#20 integrate .. //depot/projects/hammer/sys/net80211/ieee80211_input.c#19 integrate Differences ... ==== //depot/projects/hammer/contrib/hostapd/ChangeLog#2 (text+ko) ==== @@ -1,5 +1,19 @@ ChangeLog for hostapd +2005-06-10 - v0.3.9 + * fixed a bug which caused some RSN pre-authentication cases to use + freed memory and potentially crash hostapd + * fixed private key loading for cases where passphrase is not set + * fixed WPA2 to add PMKSA cache entry when using integrated EAP + authenticator + * driver_madwifi: fixed pairwise key removal to allow WPA reauth + without disassociation + * fixed RADIUS attribute Class processing to only use Access-Accept + packets to update Class; previously, other RADIUS authentication + packets could have cleared Class attribute + * fixed PMKSA caching (EAP authentication was not skipped correctly + with the new state machine changes from IEEE 802.1X draft) + 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) 2005-01-23 - v0.3.5 ==== //depot/projects/hammer/contrib/hostapd/Makefile#2 (text+ko) ==== 
@@ -228,6 +228,6 @@ $(CC) -o hostapd_cli hostapd_cli.o hostapd_ctrl.o clean: - rm -f core *~ *.o hostapd *.d driver_conf.c + rm -f core *~ *.o hostapd hostapd_cli *.d driver_conf.c -include $(OBJS:%.o=%.d) ==== //depot/projects/hammer/contrib/hostapd/common.h#2 (text+ko) ==== @@ -8,8 +8,12 @@ #ifdef __FreeBSD__ #include #include +#define __BYTE_ORDER _BYTE_ORDER +#define __LITTLE_ENDIAN _LITTLE_ENDIAN +#define __BIG_ENDIAN _BIG_ENDIAN #define bswap_16 bswap16 #define bswap_32 bswap32 +#define bswap_64 bswap64 #endif #ifdef CONFIG_NATIVE_WINDOWS ==== //depot/projects/hammer/contrib/hostapd/config.c#2 (text+ko) ==== @@ -597,7 +597,8 @@ } if (conf->wpa && (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK) && - conf->wpa_psk == NULL && conf->wpa_passphrase == NULL) { + conf->wpa_psk == NULL && conf->wpa_passphrase == NULL && + conf->wpa_psk_file == NULL) { printf("WPA-PSK enabled, but PSK or passphrase is not " "configured.\n"); return -1; ==== //depot/projects/hammer/contrib/hostapd/ctrl_iface.c#2 (text+ko) ==== @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -383,7 +384,8 @@ unlink(fname); free(fname); - if (rmdir(hapd->conf->ctrl_interface) < 0) { + if (hapd->conf->ctrl_interface && + rmdir(hapd->conf->ctrl_interface) < 0) { if (errno == ENOTEMPTY) { wpa_printf(MSG_DEBUG, "Control interface " "directory not empty - leaving it " ==== //depot/projects/hammer/contrib/hostapd/eapol_sm.c#2 (text+ko) ==== @@ -12,7 +12,7 @@ * * See README and COPYING for more details. * - * $FreeBSD: src/contrib/hostapd/eapol_sm.c,v 1.2 2005/06/05 22:41:14 sam Exp $ + * $FreeBSD: src/contrib/hostapd/eapol_sm.c,v 1.3 2005/06/13 17:07:31 sam Exp $ */ #include 
@@ -767,22 +767,22 @@ prev_ctrl_dir = sm->ctrl_dir.state; SM_STEP_RUN(AUTH_PAE); - if (!eapol_sm_sta_entry_alive(hapd, addr)) + if (!sm->initializing && !eapol_sm_sta_entry_alive(hapd, addr)) break; SM_STEP_RUN(BE_AUTH); - if (!eapol_sm_sta_entry_alive(hapd, addr)) + if (!sm->initializing && !eapol_sm_sta_entry_alive(hapd, addr)) break; SM_STEP_RUN(REAUTH_TIMER); - if (!eapol_sm_sta_entry_alive(hapd, addr)) + if (!sm->initializing && !eapol_sm_sta_entry_alive(hapd, addr)) break; SM_STEP_RUN(AUTH_KEY_TX); - if (!eapol_sm_sta_entry_alive(hapd, addr)) + if (!sm->initializing && !eapol_sm_sta_entry_alive(hapd, addr)) break; SM_STEP_RUN(KEY_RX); - if (!eapol_sm_sta_entry_alive(hapd, addr)) + if (!sm->initializing && !eapol_sm_sta_entry_alive(hapd, addr)) break; SM_STEP_RUN(CTRL_DIR); - if (!eapol_sm_sta_entry_alive(hapd, addr)) + if (!sm->initializing && !eapol_sm_sta_entry_alive(hapd, addr)) break; } while (prev_auth_pae != sm->auth_pae.state || prev_be_auth != sm->be_auth.state || @@ -803,12 +803,14 @@ void eapol_sm_initialize(struct eapol_state_machine *sm) { + sm->initializing = TRUE; /* Initialize the state machines by asserting initialize and then * deasserting it after one step */ sm->initialize = TRUE; eapol_sm_step(sm); sm->initialize = FALSE; eapol_sm_step(sm); + sm->initializing = FALSE; /* Start one second tick for port timers state machine */ eloop_cancel_timeout(eapol_port_timers_tick, sm->hapd, sm); ==== //depot/projects/hammer/contrib/hostapd/eapol_sm.h#2 (text+ko) ==== @@ -195,6 +195,8 @@ */ u8 currentId; + Boolean initializing; /* in process of initializing state machines */ + /* Somewhat nasty pointers to global hostapd and STA data to avoid * passing these to every function */ struct hostapd_data *hapd; ==== //depot/projects/hammer/contrib/hostapd/ieee802_1x.c#2 (text+ko) ==== 
@@ -12,7 +12,7 @@ * * See README and COPYING for more details. * - * $FreeBSD: src/contrib/hostapd/ieee802_1x.c,v 1.2 2005/06/05 22:41:14 sam Exp $ + * $FreeBSD: src/contrib/hostapd/ieee802_1x.c,v 1.3 2005/06/13 17:07:31 sam Exp $ */ #include @@ -1157,6 +1157,7 @@ session_timeout_set ? session_timeout : -1); } + ieee802_1x_store_radius_class(hapd, sta, msg); break; case RADIUS_CODE_ACCESS_REJECT: sm->eapFail = TRUE; @@ -1180,7 +1181,6 @@ break; } - ieee802_1x_store_radius_class(hapd, sta, msg); ieee802_1x_decapsulate_radius(hapd, sta); if (override_eapReq) sm->be_auth.eapReq = FALSE; @@ -1669,6 +1669,7 @@ return len; } + void ieee802_1x_finished(struct hostapd_data *hapd, struct sta_info *sta, int success) { @@ -1682,4 +1683,3 @@ pmksa_cache_add(hapd, sta, key, dot11RSNAConfigPMKLifetime); } } - ==== //depot/projects/hammer/contrib/hostapd/ms_funcs.c#2 (text+ko) ==== @@ -158,12 +158,14 @@ }; const unsigned char *addr[3]; const size_t len[3] = { 16, 24, sizeof(magic1) }; + u8 hash[SHA1_MAC_LEN]; addr[0] = password_hash_hash; addr[1] = nt_response; addr[2] = magic1; - sha1_vector(3, addr, len, master_key); + sha1_vector(3, addr, len, hash); + memcpy(master_key, hash, 16); } ==== //depot/projects/hammer/contrib/hostapd/radius_client.c#2 (text+ko) ==== @@ -506,7 +506,7 @@ rconf = hapd->conf->auth_server; } - len = recv(sock, buf, sizeof(buf), 0); + len = recv(sock, buf, sizeof(buf), MSG_DONTWAIT); if (len < 0) { perror("recv[RADIUS]"); return; ==== //depot/projects/hammer/contrib/hostapd/radius_server.c#2 (text+ko) ==== @@ -325,6 +325,7 @@ { struct radius_msg *msg; int ret = 0; + struct eap_hdr eapfail; RADIUS_DEBUG("Reject invalid request from %s:%d", inet_ntoa(from->sin_addr), ntohs(from->sin_port)); 
@@ -335,6 +336,16 @@ return -1; } + memset(&eapfail, 0, sizeof(eapfail)); + eapfail.code = EAP_CODE_FAILURE; + eapfail.identifier = 0; + eapfail.length = htons(sizeof(eapfail)); + + if (!radius_msg_add_eap(msg, (u8 *) &eapfail, sizeof(eapfail))) { + RADIUS_DEBUG("Failed to add EAP-Message attribute"); + } + + if (radius_msg_finish_srv(msg, (u8 *) client->shared_secret, client->shared_secret_len, request->hdr->authenticator) < 0) { @@ -395,6 +406,7 @@ sess = radius_server_get_new_session(data, client, msg); if (sess == NULL) { RADIUS_DEBUG("Could not create a new session"); + radius_server_reject(data, client, msg, from); return -1; } } ==== //depot/projects/hammer/contrib/hostapd/tls_openssl.c#2 (text+ko) ==== @@ -489,9 +489,12 @@ if (private_key == NULL) return 0; - passwd = strdup(private_key_passwd); - if (passwd == NULL) - return -1; + if (private_key_passwd) { + passwd = strdup(private_key_passwd); + if (passwd == NULL) + return -1; + } else + passwd = NULL; SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); ==== //depot/projects/hammer/contrib/hostapd/version.h#2 (text+ko) ==== @@ -1,6 +1,6 @@ #ifndef VERSION_H #define VERSION_H -#define VERSION_STR "0.3.7" +#define VERSION_STR "0.3.9" #endif /* VERSION_H */ ==== //depot/projects/hammer/contrib/hostapd/wpa.c#2 (text+ko) ==== @@ -12,7 +12,7 @@ * * See README and COPYING for more details. * - * $FreeBSD: src/contrib/hostapd/wpa.c,v 1.2 2005/06/05 22:41:14 sam Exp $ + * $FreeBSD: src/contrib/hostapd/wpa.c,v 1.3 2005/06/13 17:07:31 sam Exp $ */ #include 
@@ -1416,6 +1416,14 @@ key = (struct wpa_eapol_key *) (hdr + 1); key_info = ntohs(key->key_info); key_data_length = ntohs(key->key_data_length); + if (key_data_length > data_len - sizeof(*hdr) - sizeof(*key)) { + wpa_printf(MSG_INFO, "WPA: Invalid EAPOL-Key frame - " + "key_data overflow (%d > %lu)", + key_data_length, + (unsigned long) (data_len - sizeof(*hdr) - + sizeof(*key))); + return; + } /* FIX: verify that the EAPOL-Key frame was encrypted if pairwise keys * are set */ ==== //depot/projects/hammer/contrib/wpa_supplicant/ChangeLog#2 (text+ko) ==== @@ -1,5 +1,28 @@ ChangeLog for wpa_supplicant +2005-06-10 - v0.3.9 + * modified the EAP workaround that accepts EAP-Success with incorrect + Identifier to be even less strict about verification in order to + interoperate with some authentication servers + * fixed RSN IE in 4-Way Handshake message 2/4 for the case where + Authenticator rejects PMKSA caching attempt and the driver is not + using assoc_info events + * fixed a possible double free in EAP-TTLS fast-reauthentication when + identity or password is entered through control interface + * added -P argument for wpa_supplicant to write the current + process id into a file + * driver_madwifi: fixed association in plaintext mode + * driver_madwifi: added preliminary support for compiling against 'BSD' + branch of madwifi CVS tree + * added EAP workaround for PEAPv1 session resumption: allow outer, + i.e., not tunneled, EAP-Success to terminate session since; this can + be disabled with eap_workaround=0 + * driver_ipw: updated driver structures to match with ipw2200-1.0.4 + (note: ipw2100-1.1.0 is likely to require an update to work with + this) + * driver_broadcom: fixed couple of memory leaks in scan result + processing + 2005-02-13 - v0.3.8 * fixed EAPOL-Key validation to drop packets with invalid Key Data Length; such frames could have crashed wpa_supplicant due to buffer ==== //depot/projects/hammer/contrib/wpa_supplicant/README#2 (text+ko) ==== 
@@ -6,9 +6,7 @@ All Rights Reserved. This program is dual-licensed under both the GPL version 2 and BSD -license. Either license may be used at your option. Please note that -some of the driver interface implementations (driver_*.c) may be -licensed under a different license. +license. Either license may be used at your option. ==== //depot/projects/hammer/contrib/wpa_supplicant/config.c#2 (text+ko) ==== @@ -245,7 +245,7 @@ return -1; start = buf; - while (start != '\0') { + while (*start != '\0') { while (*start == ' ' || *start == '\t') start++; if (*start == '\0') @@ -295,7 +295,7 @@ return -1; start = buf; - while (start != '\0') { + while (*start != '\0') { while (*start == ' ' || *start == '\t') start++; if (*start == '\0') @@ -349,7 +349,7 @@ return -1; start = buf; - while (start != '\0') { + while (*start != '\0') { while (*start == ' ' || *start == '\t') start++; if (*start == '\0') @@ -441,7 +441,7 @@ return -1; start = buf; - while (start != '\0') { + while (*start != '\0') { while (*start == ' ' || *start == '\t') start++; if (*start == '\0') @@ -494,7 +494,7 @@ return -1; start = buf; - while (start != '\0') { + while (*start != '\0') { while (*start == ' ' || *start == '\t') start++; if (*start == '\0') ==== //depot/projects/hammer/contrib/wpa_supplicant/ctrl_iface.c#2 (text+ko) ==== @@ -248,8 +248,9 @@ return -1; *pos++ = '\0'; id = atoi(id_pos); - wpa_printf(MSG_DEBUG, "CTRL_IFACE: field=%s id=%d value='%s'", - rsp, id, pos); + wpa_printf(MSG_DEBUG, "CTRL_IFACE: field=%s id=%d", rsp, id); + wpa_hexdump_ascii_key(MSG_DEBUG, "CTRL_IFACE: value", + (u8 *) pos, strlen(pos)); ssid = wpa_s->conf->ssid; while (ssid) { 
@@ -606,6 +607,16 @@ if (wpa_s->ctrl_sock > -1) { char *fname; eloop_unregister_read_sock(wpa_s->ctrl_sock); + if (wpa_s->ctrl_dst) { + /* + * Wait a second before closing the control socket if + * there are any attached monitors in order to allow + * them to receive any pending messages. + */ + wpa_printf(MSG_DEBUG, "CTRL_IFACE wait for attached " + "monitors to receive messages"); + sleep(1); + } close(wpa_s->ctrl_sock); wpa_s->ctrl_sock = -1; fname = wpa_supplicant_ctrl_iface_path(wpa_s); ==== //depot/projects/hammer/contrib/wpa_supplicant/eap.c#2 (text+ko) ==== @@ -458,19 +458,27 @@ static int eap_success_workaround(struct eap_sm *sm, int reqId, int lastId) { - /* At least Microsoft IAS and Meetinghouse Aegis seem to be sending + /* + * At least Microsoft IAS and Meetinghouse Aegis seem to be sending * EAP-Success/Failure with lastId + 1 even though RFC 3748 and * draft-ietf-eap-statemachine-05.pdf require that reqId == lastId. + * In addition, it looks like Ringmaster v2.1.2.0 would be using + * lastId + 2 in EAP-Success. + * * Accept this kind of Id if EAP workarounds are enabled. These are * unauthenticated plaintext messages, so this should have minimal - * security implications (bit easier to fake EAP-Success/Failure). */ - if (sm->workaround && reqId == ((lastId + 1) & 0xff)) { + * security implications (bit easier to fake EAP-Success/Failure). + */ + if (sm->workaround && (reqId == ((lastId + 1) & 0xff) || + reqId == ((lastId + 2) & 0xff))) { wpa_printf(MSG_DEBUG, "EAP: Workaround for unexpected " "identifier field in EAP Success: " "reqId=%d lastId=%d (these are supposed to be " "same)", reqId, lastId); return 1; } + wpa_printf(MSG_DEBUG, "EAP: EAP-Success Id mismatch - reqId=%d " + "lastId=%d", reqId, lastId); return 0; } ==== //depot/projects/hammer/contrib/wpa_supplicant/eap_mschapv2.c#2 (text+ko) ==== 
@@ -126,8 +126,8 @@ { struct wpa_ssid *config = eap_get_config(sm); u8 *challenge, *peer_challenge, *username, *pos; - int challenge_len, i, ms_len; - size_t len, username_len; + int i, ms_len; + size_t len, challenge_len, username_len; struct eap_mschapv2_hdr *resp; u8 password_hash[16], password_hash_hash[16]; @@ -155,10 +155,12 @@ return NULL; } - if (len - challenge_len - 10 < 0) { + if (len < 10 || len - 10 < challenge_len) { wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Too short challenge" " packet: len=%lu challenge_len=%d", (unsigned long) len, challenge_len); + ret->ignore = TRUE; + return NULL; } challenge = pos; @@ -469,7 +471,8 @@ req = (struct eap_mschapv2_hdr *) reqData; len = be_to_host16(req->length); - if (len < sizeof(*req) + 2 || req->type != EAP_TYPE_MSCHAPV2) { + if (len < sizeof(*req) + 2 || req->type != EAP_TYPE_MSCHAPV2 || + len > reqDataLen) { wpa_printf(MSG_INFO, "EAP-MSCHAPV2: Invalid frame"); ret->ignore = TRUE; return NULL; ==== //depot/projects/hammer/contrib/wpa_supplicant/eap_peap.c#2 (text+ko) ==== @@ -380,6 +380,12 @@ if (data->pending_phase2_req) { wpa_printf(MSG_DEBUG, "EAP-PEAP: Pending Phase 2 request - " "skip decryption and use old data"); + /* Clear TLS reassembly state. */ + free(data->ssl.tls_in); + data->ssl.tls_in = NULL; + data->ssl.tls_in_len = 0; + data->ssl.tls_in_left = 0; + data->ssl.tls_in_total = 0; in_decrypted = data->pending_phase2_req; data->pending_phase2_req = NULL; len_decrypted = data->pending_phase2_req_len; 
@@ -391,6 +397,19 @@ if (res < 0 || res == 1) return res; + if (in_len == 0 && sm->workaround && data->phase2_success) { + /* + * Cisco ACS seems to be using TLS ACK to terminate + * EAP-PEAPv0/GTC. Try to reply with TLS ACK. + */ + wpa_printf(MSG_DEBUG, "EAP-PEAP: Received TLS ACK, but " + "expected data - acknowledge with TLS ACK since " + "Phase 2 has been completed"); + ret->decision = DECISION_COND_SUCC; + ret->methodState = METHOD_DONE; + return 1; + } + buf_len = in_len; if (data->ssl.tls_in_total > buf_len) buf_len = data->ssl.tls_in_total; @@ -713,6 +732,25 @@ wpa_printf(MSG_DEBUG, "EAP-PEAP: Failed to " "derive key"); } + + if (sm->workaround && data->peap_version == 1 && + data->resuming) { + /* + * At least one RADIUS server (Aegis v1.1.6; + * but not v1.1.4) seems to be terminating + * PEAPv1 session resumption with outer + * EAP-Success. This does not seem to follow + * draft-josefsson-pppext-eap-tls-eap-05.txt + * section 4.2, so only allow this if EAP + * workarounds are enabled. + */ + wpa_printf(MSG_DEBUG, "EAP-PEAP: Workaround - " + "allow outer EAP-Success to " + "terminate PEAPv1 resumption"); + ret->decision = DECISION_COND_SUCC; + data->phase2_success = 1; + } + data->resuming = 0; } } ==== //depot/projects/hammer/contrib/wpa_supplicant/eap_tls_common.c#2 (text+ko) ==== @@ -160,6 +160,17 @@ u8 *buf; if (data->tls_in_left > *in_len || data->tls_in) { + if (data->tls_in_len + *in_len == 0) { + free(data->tls_in); + data->tls_in = NULL; + data->tls_in_len = 0; + wpa_printf(MSG_WARNING, "SSL: Invalid reassembly " + "state: tls_in_left=%d tls_in_len=%d " + "*in_len=%d", + data->tls_in_left, data->tls_in_len, + *in_len); + return -1; + } buf = realloc(data->tls_in, data->tls_in_len + *in_len); if (buf == NULL) { free(data->tls_in); ==== //depot/projects/hammer/contrib/wpa_supplicant/eap_ttls.c#2 (text+ko) ==== 
@@ -194,7 +194,7 @@ * add TLS Message Length field, if the frame is fragmented. */ resp = malloc(sizeof(struct eap_hdr) + 2 + data->ssl.tls_out_limit); if (resp == NULL) - return 0; + return -1; resp->code = EAP_CODE_RESPONSE; resp->identifier = id; @@ -210,7 +210,7 @@ wpa_printf(MSG_INFO, "EAP-TTLS: Failed to encrypt Phase 2 " "data"); free(resp); - return 0; + return -1; } *out_len = sizeof(struct eap_hdr) + 2 + res; @@ -265,6 +265,7 @@ avp = malloc(sizeof(struct ttls_avp) + *resp_len + 4); if (avp == NULL) { free(*resp); + *resp = NULL; *resp_len = 0; return -1; } @@ -782,6 +783,13 @@ if (data->pending_phase2_req) { wpa_printf(MSG_DEBUG, "EAP-TTLS: Pending Phase 2 request - " "skip decryption and use old data"); + /* Clear TLS reassembly state. */ + free(data->ssl.tls_in); + data->ssl.tls_in = NULL; + data->ssl.tls_in_len = 0; + data->ssl.tls_in_left = 0; + data->ssl.tls_in_total = 0; + in_decrypted = data->pending_phase2_req; data->pending_phase2_req = NULL; len_decrypted = data->pending_phase2_req_len; ==== //depot/projects/hammer/contrib/wpa_supplicant/eapol_sm.c#2 (text+ko) ==== @@ -194,9 +194,8 @@ "heldWhile=%d startWhen=%d idleWhile=%d", sm->authWhile, sm->heldWhile, sm->startWhen, sm->idleWhile); + eloop_register_timeout(1, 0, eapol_port_timers_tick, eloop_ctx, sm); eapol_sm_step(sm); - - eloop_register_timeout(1, 0, eapol_port_timers_tick, eloop_ctx, sm); } ==== //depot/projects/hammer/contrib/wpa_supplicant/ms_funcs.c#2 (text+ko) ==== @@ -158,12 +158,14 @@ }; const unsigned char *addr[3]; const size_t len[3] = { 16, 24, sizeof(magic1) }; + u8 hash[SHA1_MAC_LEN]; addr[0] = password_hash_hash; addr[1] = nt_response; addr[2] = magic1; - sha1_vector(3, addr, len, master_key); + sha1_vector(3, addr, len, hash); + memcpy(master_key, hash, 16); } ==== //depot/projects/hammer/contrib/wpa_supplicant/tls_openssl.c#2 (text+ko) ==== 
@@ -489,9 +489,12 @@ if (private_key == NULL) return 0; - passwd = strdup(private_key_passwd); - if (passwd == NULL) - return -1; + if (private_key_passwd) { + passwd = strdup(private_key_passwd); + if (passwd == NULL) + return -1; + } else + passwd = NULL; SSL_CTX_set_default_passwd_cb(ssl_ctx, tls_passwd_cb); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, passwd); ==== //depot/projects/hammer/contrib/wpa_supplicant/version.h#2 (text+ko) ==== @@ -1,6 +1,6 @@ #ifndef VERSION_H #define VERSION_H -#define VERSION_STR "0.3.8" +#define VERSION_STR "0.3.9" #endif /* VERSION_H */ ==== //depot/projects/hammer/contrib/wpa_supplicant/wpa.c#2 (text+ko) ==== @@ -1035,6 +1035,7 @@ if (hostapd_get_rand(wpa_s->snonce, WPA_NONCE_LEN)) { wpa_msg(wpa_s, MSG_WARNING, "WPA: Failed to get " "random data for SNonce"); + free(rbuf); return; } wpa_s->renew_snonce = 0; @@ -1100,6 +1101,7 @@ wpa_s->cur_pmksa = NULL; abort_cached = 1; } else { + free(rbuf); return; } } @@ -1110,6 +1112,7 @@ "been received from the external IEEE " "802.1X Supplicant - ignoring WPA " "EAPOL-Key frame"); + free(rbuf); return; #endif /* CONFIG_XSUPPLICANT_IFACE */ } @@ -1120,6 +1123,7 @@ "full EAP authenication"); wpa_eapol_send(wpa_s, IEEE802_1X_TYPE_EAPOL_START, (u8 *) "", 0); + free(rbuf); return; } @@ -1963,8 +1967,9 @@ if (be_to_host16(key->key_data_length) > extra_len) { wpa_msg(wpa_s, MSG_INFO, "WPA: Invalid EAPOL-Key frame - " - "key_data overflow (%d > %d)", - be_to_host16(key->key_data_length), extra_len); + "key_data overflow (%d > %lu)", + be_to_host16(key->key_data_length), + (unsigned long) extra_len); return; } 
@@ -2009,6 +2014,12 @@ wpa_printf(MSG_DEBUG, "RX EAPOL from " MACSTR, MAC2STR(src_addr)); wpa_hexdump(MSG_MSGDUMP, "RX EAPOL", buf, len); + if (wpa_s->key_mgmt == WPA_KEY_MGMT_NONE) { + wpa_printf(MSG_DEBUG, "Ignored received EAPOL frame since " + "no key management is configured"); + return; + } + if (wpa_s->eapol_received == 0) { /* Timeout for completing IEEE 802.1X and WPA authentication */ wpa_supplicant_req_auth_timeout( @@ -2252,6 +2263,7 @@ } memset(ctx, 0, sizeof(*ctx)); ctx->ctx = wpa_s; + ctx->msg_ctx = wpa_s; ctx->preauth = 1; ctx->cb = rsn_preauth_eapol_cb; ctx->cb_ctx = wpa_s; ==== //depot/projects/hammer/contrib/wpa_supplicant/wpa_ctrl.c#2 (text+ko) ==== @@ -11,7 +11,7 @@ * * See README and COPYING for more details. * - * $FreeBSD: src/contrib/wpa_supplicant/wpa_ctrl.c,v 1.2 2005/06/05 21:13:08 sam Exp $ + * $FreeBSD: src/contrib/wpa_supplicant/wpa_ctrl.c,v 1.3 2005/06/13 16:54:21 sam Exp $ */ #include @@ -93,8 +93,7 @@ snprintf(ctrl->local.sun_path, sizeof(ctrl->local.sun_path) - 1, "/tmp/wpa_ctrl_%d-%d", getpid(), counter++); if (bind(ctrl->s, (struct sockaddr *) &ctrl->local, - sizeof(ctrl->local.sun_family) + - strlen(ctrl->local.sun_path)) < 0) { + sizeof(ctrl->local)) < 0) { close(ctrl->s); free(ctrl); return NULL; ==== //depot/projects/hammer/contrib/wpa_supplicant/wpa_supplicant.c#2 (text+ko) ==== @@ -360,18 +360,19 @@ } -static int wpa_blacklisted(struct wpa_supplicant *wpa_s, const u8 *bssid) +static struct wpa_blacklist * +wpa_blacklist_get(struct wpa_supplicant *wpa_s, const u8 *bssid) { struct wpa_blacklist *e; e = wpa_s->blacklist; while (e) { if (memcmp(e->bssid, bssid, ETH_ALEN) == 0) - return 1; + return e; e = e->next; } - return 0; + return NULL; } 
@@ -379,14 +380,21 @@ { struct wpa_blacklist *e; - if (wpa_blacklisted(wpa_s, bssid)) + e = wpa_blacklist_get(wpa_s, bssid); + if (e) { + e->count++; + wpa_printf(MSG_DEBUG, "BSSID " MACSTR " blacklist count " + "incremented to %d", + MAC2STR(bssid), e->count); return 0; + } e = malloc(sizeof(*e)); if (e == NULL) return -1; memset(e, 0, sizeof(*e)); memcpy(e->bssid, bssid, ETH_ALEN); + e->count = 1; e->next = wpa_s->blacklist; wpa_s->blacklist = e; wpa_printf(MSG_DEBUG, "Added BSSID " MACSTR " into blacklist", @@ -1341,6 +1349,18 @@ return -1; } wpa_hexdump(MSG_DEBUG, "WPA: Own WPA IE", wpa_ie, *wpa_ie_len); + if (wpa_s->assoc_wpa_ie == NULL) { + /* + * Make a copy of the WPA/RSN IE so that 4-Way Handshake gets + * the correct version of the IE even if PMKSA caching is + * aborted (which would remove PMKID from IE generation). + */ + wpa_s->assoc_wpa_ie = malloc(*wpa_ie_len); + if (wpa_s->assoc_wpa_ie) { + memcpy(wpa_s->assoc_wpa_ie, wpa_ie, *wpa_ie_len); + wpa_s->assoc_wpa_ie_len = *wpa_ie_len; + } + } if (ssid->key_mgmt & WPA_KEY_MGMT_PSK) { wpa_s->pmk_len = PMK_LEN; @@ -1651,6 +1671,7 @@ struct wpa_ssid *ssid; struct wpa_scan_result *bss, *selected = NULL; int i; + struct wpa_blacklist *e; wpa_printf(MSG_DEBUG, "Selecting BSS from priority group %d", group->priority); @@ -1666,7 +1687,8 @@ wpa_ssid_txt(bss->ssid, bss->ssid_len), (unsigned long) bss->wpa_ie_len, (unsigned long) bss->rsn_ie_len); - if (wpa_blacklisted(wpa_s, bss->bssid)) { + if ((e = wpa_blacklist_get(wpa_s, bss->bssid)) && + e->count > 1) { wpa_printf(MSG_DEBUG, " skip - blacklisted"); continue; } @@ -1733,7 +1755,8 @@ * allows this. */ for (i = 0; i < num && !selected; i++) { bss = &results[i]; - if (wpa_blacklisted(wpa_s, bss->bssid)) { + if ((e = wpa_blacklist_get(wpa_s, bss->bssid)) && + e->count > 1) { continue; } for (ssid = group; ssid; ssid = ssid->pnext) { 
@@ -2088,7 +2111,8 @@ "usage:\n" " wpa_supplicant [-BddehLqqvw] -i -c " "[-D] \\\n" - " [-N -i -c [-D] ...]\n" + " [-P] " + "[-N -i -c [-D] ...]\n" "\n" "drivers:\n", wpa_supplicant_version, wpa_supplicant_license); @@ -2135,6 +2159,7 @@ if (wpa_s == NULL) return NULL; memset(wpa_s, 0, sizeof(*wpa_s)); + wpa_s->ctrl_sock = -1; #ifdef CONFIG_XSUPPLICANT_IFACE wpa_s->dot1x_s = -1; #endif /* CONFIG_XSUPPLICANT_IFACE */ @@ -2279,6 +2304,7 @@ wpa_drv_set_drop_unencrypted(wpa_s, 0); wpa_drv_set_countermeasures(wpa_s, 0); + wpa_clear_keys(wpa_s, NULL); wpa_drv_deinit(wpa_s); } @@ -2291,6 +2317,7 @@ struct wpa_supplicant *head, *wpa_s; int c; const char *confname, *driver, *ifname; + char *pid_file = NULL; int daemonize = 0, wait_for_interface = 0, disable_eapol = 0, exitcode; #ifdef CONFIG_NATIVE_WINDOWS @@ -2312,7 +2339,7 @@ ifname = confname = driver = NULL; for (;;) { - c = getopt(argc, argv, "Bc:D:dehi:KLNqtvw"); + c = getopt(argc, argv, "Bc:D:dehi:KLNP:qtvw"); if (c < 0) break; switch (c) { @@ -2347,6 +2374,9 @@ case 'L': license(); return -1; + case 'P': + pid_file = rel2abs_path(optarg); + break; case 'q': wpa_debug_level++; break; @@ -2407,6 +2437,14 @@ } } + if (pid_file) { + FILE *f = fopen(pid_file, "w"); + if (f) { + fprintf(f, "%u\n", getpid()); + fclose(f); + } + } + eloop_register_signal(SIGINT, wpa_supplicant_terminate, NULL); >>> TRUNCATED FOR MAIL (1000 lines) <<<
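Review bot: in the hostapd eapol_sm.c hunks, the added `!sm->initializing &&` guards skip `eapol_sm_sta_entry_alive()` for every step run from `eapol_sm_initialize()`, which is only safe if no state-machine step executed while `initialize` is asserted can free the STA entry, and nothing in the change states that assumption. Put it in the `Boolean initializing; /* in process of initializing state machines */` comment in eapol_sm.h (or above the first guard), since the alive check exists precisely to avoid touching a freed entry and the hostapd ChangeLog entry in this same change describes freed-memory use in RSN pre-authentication.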
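Review bot: in the `sha1_vector` hunk in hostapd/ms_funcs.c (and the identical hunk in wpa_supplicant/ms_funcs.c), the new `u8 hash[SHA1_MAC_LEN]` temporary holds MS-CHAPv2 key-derivation material and is left on the stack after `memcpy(master_key, hash, 16);`; add `memset(hash, 0, sizeof(hash));` before the function returns. The fix itself is the right shape: `sha1_vector(3, addr, len, master_key)` wrote a full 20-byte SHA-1 digest into the 16-byte master key, so hashing into a full-size temporary and copying 16 bytes is what the callers need.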
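Review bot: in the radius_client.c `recv` hunk, switching to `MSG_DONTWAIT` means `recv()` can now return -1 with errno EAGAIN or EWOULDBLOCK when the socket is signalled readable but has nothing to deliver, and the unchanged `perror("recv[RADIUS]")` path will log that as an error on every such wakeup. Test `errno == EAGAIN || errno == EWOULDBLOCK` and return quietly before the perror.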
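Review bot: in the radius_server.c reject hunk (the function logging "Reject invalid request from %s:%d"), `eapfail.identifier = 0;` hardcodes the EAP Identifier, while RFC 3748 section 4.2 requires a Failure's Identifier to match the Response it answers, so a supplicant may discard the EAP-Failure it is now given. Where the rejected request carries an EAP-Message attribute, copy its Identifier; for the genuinely malformed cases this function also handles, a one-line comment saying that 0 is a deliberate fallback would stop the next reader from treating it as a bug. Minor: the two blank `+` lines before `if (radius_msg_finish_srv(` should be one.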
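Review bot: in the tls_openssl.c private-key hunk (the same hunk appears in hostapd and wpa_supplicant), the new `passwd = NULL` branch is only safe if `tls_passwd_cb` tolerates a NULL userdata pointer, which this hunk does not show; OpenSSL still invokes the callback when the key file turns out to be encrypted, so please confirm the callback returns an empty password rather than dereferencing NULL. Style: a braced `if` paired with an unbraced `else passwd = NULL;` reads better as `passwd = NULL;` before the `if (private_key_passwd)` block.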
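Review bot: in the hostapd wpa.c EAPOL-Key hunk, `data_len - sizeof(*hdr) - sizeof(*key)` is unsigned arithmetic that wraps when `data_len` is smaller than the two headers, and in that case the new `key_data_length > ...` comparison passes instead of rejecting the frame. Either confirm that a check for `data_len >= sizeof(*hdr) + sizeof(*key)` runs before this point (it is outside the hunk), or make the guard self-contained: `if (data_len < sizeof(*hdr) + sizeof(*key) || key_data_length > data_len - sizeof(*hdr) - sizeof(*key))`. This is the authenticator-side counterpart of the Key Data Length validation the wpa_supplicant 0.3.8 ChangeLog entry describes.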
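Review bot: in the `eap_success_workaround` hunk in eap.c, accepting `reqId == ((lastId + 2) & 0xff)` widens the Identifier window for an unauthenticated EAP-Success from one value to two, and this path is taken whenever `sm->workaround` is set, which the ChangeLog indicates is the case unless `eap_workaround=0` is configured. The comment already records that these are plaintext messages with minimal extra exposure; the user-facing documentation should say the same thing, namely that strict RFC 3748 Identifier matching requires `eap_workaround=0`. The added "EAP-Success Id mismatch" debug line is useful for spotting misbehaving servers and should stay.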
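Review bot: in the first eap_mschapv2.c hunk, `challenge_len` becomes `size_t` but the unchanged `"... challenge_len=%d"` in the `wpa_printf` still receives it as `%d`; cast it `(unsigned long) challenge_len` with `%lu`, as `len` already is two lines up. The rewritten condition is the substantive fix: with unsigned `len`, `len - challenge_len - 10 < 0` could never be true, and the old branch only logged and fell through, so `len < 10 || len - 10 < challenge_len` together with the added `ret->ignore = TRUE; return NULL;` is what makes the short-packet check effective. The `len > reqDataLen` test in the third hunk closes the same class of problem at the frame level.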
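Review bot: the "Clear TLS reassembly state." block added in the eap_peap.c pending_phase2_req hunk is duplicated verbatim in the eap_ttls.c hunk; move the five assignments into a helper in eap_tls_common.c, which this change already touches for `tls_in` handling, so both methods reset identical state. That helper would also settle the eap_tls_common.c hunk, which on the invalid-reassembly path frees `tls_in` and zeroes `tls_in_len` but leaves `tls_in_left` and `tls_in_total` as they were.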
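Review bot: the four `free(rbuf); return;` insertions in the wpa_supplicant wpa.c EAPOL-Key hunks each plug one early-exit leak in a function that already had several; with that many exits sharing one buffer, a single cleanup label (`goto out;` with `free(rbuf);` at `out:`) would keep the next early return from reintroducing the leak.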
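Review bot: in the wpa_supplicant.c blacklist hunks, changing the skip test to `e->count > 1` means a BSSID is no longer avoided after its first failed attempt, only after the second; that is reasonable for transient failures, but the threshold should be stated in a comment near `wpa_blacklist_get`, and the count must be reset or the entry removed on successful association, which is outside these hunks. The two `if ((e = wpa_blacklist_get(wpa_s, bss->bssid)) && e->count > 1)` sites duplicate the threshold, so a small helper returning that decision would keep them in step.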
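Review bot: in the wpa_supplicant.c `assoc_wpa_ie` hunk, a failed `malloc(*wpa_ie_len)` silently leaves `assoc_wpa_ie` NULL; the comment explains that the copy exists so the 4-Way Handshake sends the right IE when a PMKSA caching attempt is aborted, so that fallback should at least be logged at MSG_WARNING, and the consumer in wpa.c needs to handle the NULL case explicitly.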
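Review bot: in the wpa_supplicant.c pid-file hunk, `fprintf(f, "%u\n", getpid())` passes a `pid_t` to `%u`; cast it `(unsigned int) getpid()`. A failed `fopen()` is ignored silently, so a bad `-P` path leaves no trace in the logs; report it with `perror()` or `wpa_printf(MSG_WARNING, ...)`. The `pid_file` string returned by `rel2abs_path()` is not freed anywhere visible in these hunks.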