Date: Fri, 25 Apr 2008 22:56:58 GMT From: John Birrell <jb@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 140644 for review Message-ID: <200804252256.m3PMuwcx005662@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=140644 Change 140644 by jb@freebsd3 on 2008/04/25 22:56:47 IF7 Affected files ... .. //depot/projects/dtrace7/src/contrib/hostapd/ChangeLog#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/Makefile#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/README#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/aes_wrap.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/aes_wrap.h#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/common.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/common.h#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/defconfig#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/driver.h#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/driver_test.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/driver_wired.c#2 delete .. //depot/projects/dtrace7/src/contrib/hostapd/eap_aka.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/eap_gpsk.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/eap_gpsk_common.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/eap_gpsk_common.h#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/eap_sim.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/eap_sim_common.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/eap_sim_db.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/eap_tls_common.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/hostapd.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/hostapd.conf#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/ieee802_11.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/ieee802_11_auth.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/ieee802_1x.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/madwifi.conf#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/os.h#2 integrate .. 
//depot/projects/dtrace7/src/contrib/hostapd/os_unix.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/radius.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/radius.h#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/radius_client.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/radius_server.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/tls_openssl.c#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/version.h#2 integrate .. //depot/projects/dtrace7/src/contrib/hostapd/wpa.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/ChangeLog#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/FREEBSD-Xlist#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/FREEBSD-upgrade#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/Makefile#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/README#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/aes_wrap.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/aes_wrap.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/asn1.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/common.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/common.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/config.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/config_ssid.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/ctrl_iface.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/ctrl_iface_dbus.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/ctrl_iface_dbus_handlers.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/ctrl_iface_dbus_handlers.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/ctrl_iface_unix.c#2 integrate .. 
//depot/projects/dtrace7/src/contrib/wpa_supplicant/dbus-wpa_supplicant.conf#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/dbus-wpa_supplicant.service#1 branch .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/defconfig#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/ctrl_iface.doxygen#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/docbook/wpa_background.8#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/docbook/wpa_cli.8#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/docbook/wpa_cli.sgml#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/docbook/wpa_passphrase.8#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/docbook/wpa_supplicant.8#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/docbook/wpa_supplicant.conf.5#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/doc/docbook/wpa_supplicant.sgml#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/driver_ndis.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_gpsk.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_gpsk_common.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_gpsk_common.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_peap.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_sim.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_sim_common.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_tlv.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eap_tlv.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eapol_sm.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/eapol_test.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/events.c#2 integrate .. 
//depot/projects/dtrace7/src/contrib/wpa_supplicant/main.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/os.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/os_unix.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/pcsc_funcs.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/radius.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/radius.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/radius_client.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/tls_openssl.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/version.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_cli.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_gui-qt4/networkconfig.cpp#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_gui-qt4/wpagui.cpp#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_gui/networkconfig.ui.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_gui/setup-mingw-cross-compiling#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_gui/wpagui.ui.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_supplicant.c#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_supplicant.conf#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/wpa_supplicant_i.h#2 integrate .. //depot/projects/dtrace7/src/contrib/wpa_supplicant/x509v3.c#2 integrate .. //depot/projects/dtrace7/src/etc/rc.d/wpa_supplicant#2 integrate .. //depot/projects/dtrace7/src/sbin/dhclient/dhclient.c#2 integrate .. //depot/projects/dtrace7/src/sbin/ifconfig/ifclone.c#2 integrate .. //depot/projects/dtrace7/src/sbin/ifconfig/ifconfig.c#3 integrate .. //depot/projects/dtrace7/src/sbin/ifconfig/ifconfig.h#2 integrate .. 
//depot/projects/dtrace7/src/sbin/ifconfig/ifvlan.c#2 integrate .. //depot/projects/dtrace7/src/sbin/ipfw/ipfw.8#5 integrate .. //depot/projects/dtrace7/src/sbin/ipfw/ipfw2.c#5 integrate .. //depot/projects/dtrace7/src/share/man/man4/uart.4#2 integrate .. //depot/projects/dtrace7/src/sys/arm/conf/AVILA.hints#2 integrate .. //depot/projects/dtrace7/src/sys/arm/xscale/ixp425/ixdp425_pci.c#2 integrate .. //depot/projects/dtrace7/src/sys/cddl/contrib/opensolaris/common/atomic/sparc64/atomic.S#2 integrate .. //depot/projects/dtrace7/src/sys/cddl/contrib/opensolaris/uts/common/sys/asm_linkage.h#3 integrate .. //depot/projects/dtrace7/src/sys/conf/files#9 integrate .. //depot/projects/dtrace7/src/sys/ddb/db_command.c#4 integrate .. //depot/projects/dtrace7/src/sys/ddb/db_ps.c#2 integrate .. //depot/projects/dtrace7/src/sys/ddb/ddb.h#4 integrate .. //depot/projects/dtrace7/src/sys/dev/ath/if_ath.c#3 integrate .. //depot/projects/dtrace7/src/sys/dev/ral/rt2661.c#2 integrate .. //depot/projects/dtrace7/src/sys/dev/uart/uart.h#2 integrate .. //depot/projects/dtrace7/src/sys/dev/uart/uart_dev_ns8250.c#2 integrate .. //depot/projects/dtrace7/src/sys/dev/usb/ucom.c#3 integrate .. //depot/projects/dtrace7/src/sys/dev/usb/ucomvar.h#2 integrate .. //depot/projects/dtrace7/src/sys/dev/usb/usbdevs#6 integrate .. //depot/projects/dtrace7/src/sys/modules/Makefile#9 integrate .. //depot/projects/dtrace7/src/sys/modules/zfs/Makefile#6 integrate .. //depot/projects/dtrace7/src/sys/net/if_bridge.c#4 integrate .. //depot/projects/dtrace7/src/sys/net/if_ethersubr.c#2 integrate .. //depot/projects/dtrace7/src/sys/net/if_media.h#2 integrate .. //depot/projects/dtrace7/src/sys/net80211/ieee80211_scan_sta.c#3 integrate .. //depot/projects/dtrace7/src/sys/netinet/ip_dummynet.c#2 integrate .. //depot/projects/dtrace7/src/sys/netinet/ip_dummynet.h#2 integrate .. //depot/projects/dtrace7/src/sys/netinet/ip_fw_pfil.c#3 integrate .. //depot/projects/dtrace7/src/sys/sys/cdefs.h#3 integrate .. 
//depot/projects/dtrace7/src/sys/sys/mbuf.h#3 integrate .. //depot/projects/dtrace7/src/usr.sbin/arp/arp.8#2 integrate .. //depot/projects/dtrace7/src/usr.sbin/arp/arp.c#2 integrate .. //depot/projects/dtrace7/src/usr.sbin/wpa/wpa_supplicant/Makefile#4 integrate .. //depot/projects/dtrace7/src/usr.sbin/wpa/wpa_supplicant/driver_freebsd.c#2 integrate .. //depot/projects/dtrace7/src/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.8#3 integrate Differences ... ==== //depot/projects/dtrace7/src/contrib/hostapd/ChangeLog#2 (text+ko) ==== @@ -1,5 +1,25 @@ ChangeLog for hostapd +2008-02-19 - v0.5.10 + * fixed EAP-SIM and EAP-AKA message parser to validate attribute + lengths properly to avoid potential crash caused by invalid messages + * fixed Reassociation Response callback processing when using internal + MLME (driver_{hostap,devicescape,test}.c) + * fixed EAP-SIM/AKA realm processing to allow decorated usernames to + be used + * added a workaround for EAP-SIM/AKA peers that include incorrect null + termination in the username + * fixed EAP-SIM Start response processing for fast reauthentication + case + * copy optional Proxy-State attributes into RADIUS response when acting + as a RADIUS authentication server + +2007-12-02 - v0.5.9 + * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest + draft (draft-ietf-emu-eap-gpsk-07.txt) + * fixed debugging code not to use potentially unaligned read to fetch + IPv4 addresses + 2007-05-28 - v0.5.8 * updated driver_devicescape.c to build with the current wireless-dev.git tree and net/d80211 changes ==== //depot/projects/dtrace7/src/contrib/hostapd/Makefile#2 (text+ko) ==== @@ -313,6 +313,10 @@ CFLAGS += -DCONFIG_IPV6 endif +ifdef CONFIG_DRIVER_RADIUS_ACL +CFLAGS += -DCONFIG_DRIVER_RADIUS_ACL +endif + ifdef CONFIG_FULL_DYNAMIC_VLAN # define CONFIG_FULL_DYNAMIC_VLAN to have hostapd manipulate bridges # and vlan interfaces for the vlan feature. ==== //depot/projects/dtrace7/src/contrib/hostapd/README#2 (text+ko) ==== 
@@ -2,7 +2,7 @@ Authenticator and RADIUS authentication server ================================================================ -Copyright (c) 2002-2007, Jouni Malinen <j@w1.fi> and contributors +Copyright (c) 2002-2008, Jouni Malinen <j@w1.fi> and contributors All Rights Reserved. This program is dual-licensed under both the GPL version 2 and BSD ==== //depot/projects/dtrace7/src/contrib/hostapd/aes_wrap.c#2 (text+ko) ==== @@ -7,7 +7,7 @@ * - AES-128 EAX mode encryption/decryption * - AES-128 CBC * - * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> + * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as @@ -34,10 +34,11 @@ /** * aes_wrap - Wrap keys with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) - * @kek: Key encryption key (KEK) - * @n: Length of the wrapped key in 64-bit units; e.g., 2 = 128-bit = 16 bytes - * @plain: Plaintext key to be wrapped, n * 64 bit - * @cipher: Wrapped key, (n + 1) * 64 bit + * @kek: 16-octet Key encryption key (KEK) + * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 + * bytes + * @plain: Plaintext key to be wrapped, n * 64 bits + * @cipher: Wrapped key, (n + 1) * 64 bits * Returns: 0 on success, -1 on failure */ int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher) 
@@ -93,9 +94,10 @@ /** * aes_unwrap - Unwrap key with AES Key Wrap Algorithm (128-bit KEK) (RFC3394) * @kek: Key encryption key (KEK) - * @n: Length of the wrapped key in 64-bit units; e.g., 2 = 128-bit = 16 bytes - * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bit - * @plain: Plaintext key, n * 64 bit + * @n: Length of the plaintext key in 64-bit units; e.g., 2 = 128-bit = 16 + * bytes + * @cipher: Wrapped key to be unwrapped, (n + 1) * 64 bits + * @plain: Plaintext key, n * 64 bits * Returns: 0 on success, -1 on failure (e.g., integrity verification failed) */ int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain) 
@@ -167,28 +169,45 @@ /** - * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) + * omac1_aes_128_vector - One-Key CBC MAC (OMAC1) hash with AES-128 * @key: 128-bit key for the hash operation - * @data: Data buffer for which a MAC is determined - * @data: Length of data buffer in bytes + * @num_elem: Number of elements in the data vector + * @addr: Pointers to the data areas + * @len: Lengths of the data blocks * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) * Returns: 0 on success, -1 on failure */ -int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) +int omac1_aes_128_vector(const u8 *key, size_t num_elem, + const u8 *addr[], const size_t *len, u8 *mac) { void *ctx; u8 cbc[BLOCK_SIZE], pad[BLOCK_SIZE]; - const u8 *pos = data; - size_t i, left = data_len; + const u8 *pos, *end; + size_t i, e, left, total_len; ctx = aes_encrypt_init(key, 16); if (ctx == NULL) return -1; os_memset(cbc, 0, BLOCK_SIZE); + total_len = 0; + for (e = 0; e < num_elem; e++) + total_len += len[e]; + left = total_len; + + e = 0; + pos = addr[0]; + end = pos + len[0]; + while (left >= BLOCK_SIZE) { - for (i = 0; i < BLOCK_SIZE; i++) + for (i = 0; i < BLOCK_SIZE; i++) { cbc[i] ^= *pos++; + if (pos >= end) { + e++; + pos = addr[e]; + end = pos + len[e]; + } + } if (left > BLOCK_SIZE) aes_encrypt(ctx, cbc, cbc); left -= BLOCK_SIZE; @@ -198,9 +217,15 @@ aes_encrypt(ctx, pad, pad); gf_mulx(pad); - if (left || data_len == 0) { - for (i = 0; i < left; i++) + if (left || total_len == 0) { + for (i = 0; i < left; i++) { cbc[i] ^= *pos++; + if (pos >= end) { + e++; + pos = addr[e]; + end = pos + len[e]; + } + } cbc[left] ^= 0x80; gf_mulx(pad); } 
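Review bot: In omac1_aes_128_vector the per-byte advance `if (pos >= end) { e++; pos = addr[e]; end = pos + len[e]; }` also runs after the very last byte of the last element has been consumed, so `addr[e]` and `len[e]` are then read one past the end of the caller's arrays; for the single-element wrapper `omac1_aes_128` added in the next hunk that is `addr[1]` on a one-pointer stack array. The fetched values are never dereferenced, but the read itself is undefined behaviour and will be reported by sanitizers. Guarding the advance in both the full-block loop and the tail loop with `if (pos >= end && e + 1 < num_elem)` avoids it; the same condition should be a `while` so that an element with `len[e] == 0` sitting between non-empty ones is skipped rather than read through `*pos++`, and the initial `pos = addr[0]; end = pos + len[0];` presumably needs the same skip for a leading empty element. The function's tail (the final XOR with the padded block and the last aes_encrypt) lies outside the hunk.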
@@ -212,6 +237,24 @@ return 0; } + +/** + * omac1_aes_128 - One-Key CBC MAC (OMAC1) hash with AES-128 (aka AES-CMAC) + * @key: 128-bit key for the hash operation + * @data: Data buffer for which a MAC is determined + * @data_len: Length of data buffer in bytes + * @mac: Buffer for MAC (128 bits, i.e., 16 bytes) + * Returns: 0 on success, -1 on failure + * + * This is a mode for using block cipher (AES in this case) for authentication. + * OMAC1 was standardized with the name CMAC by NIST in a Special Publication + * (SP) 800-38B. + */ +int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac) +{ + return omac1_aes_128_vector(key, 1, &data, &data_len, mac); +} + #endif /* CONFIG_NO_AES_OMAC1 */ ==== //depot/projects/dtrace7/src/contrib/hostapd/aes_wrap.h#2 (text+ko) ==== @@ -7,7 +7,7 @@ * - AES-128 EAX mode encryption/decryption * - AES-128 CBC * - * Copyright (c) 2003-2005, Jouni Malinen <j@w1.fi> + * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as @@ -24,6 +24,8 @@ int aes_wrap(const u8 *kek, int n, const u8 *plain, u8 *cipher); int aes_unwrap(const u8 *kek, int n, const u8 *cipher, u8 *plain); +int omac1_aes_128_vector(const u8 *key, size_t num_elem, + const u8 *addr[], const size_t *len, u8 *mac); int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac); int aes_128_encrypt_block(const u8 *key, const u8 *in, u8 *out); int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce, ==== //depot/projects/dtrace7/src/contrib/hostapd/common.c#2 (text+ko) ==== @@ -20,7 +20,6 @@ #ifdef CONFIG_DEBUG_FILE static FILE *out_file = NULL; #endif /* CONFIG_DEBUG_FILE */ -int wpa_debug_use_file = 0; int wpa_debug_level = MSG_INFO; int wpa_debug_show_keys = 0; int wpa_debug_timestamp = 0; 
@@ -344,32 +343,29 @@ } -int wpa_debug_open_file(void) +int wpa_debug_open_file(const char *path) { #ifdef CONFIG_DEBUG_FILE - static int count = 0; - char fname[64]; - if (!wpa_debug_use_file) + if (!path) return 0; -#ifdef _WIN32 - os_snprintf(fname, sizeof(fname), "\\Temp\\wpa_supplicant-log-%d.txt", - count++); -#else /* _WIN32 */ - os_snprintf(fname, sizeof(fname), "/tmp/wpa_supplicant-log-%d.txt", - count++); + out_file = fopen(path, "a"); + if (out_file == NULL) { + wpa_printf(MSG_ERROR, "wpa_debug_open_file: Failed to open " + "output file, using standard output"); + return -1; + } +#ifndef _WIN32 + setvbuf(out_file, NULL, _IOLBF, 0); #endif /* _WIN32 */ - out_file = fopen(fname, "w"); - return out_file == NULL ? -1 : 0; -#else /* CONFIG_DEBUG_FILE */ +#endif /* CONFIG_DEBUG_FILE */ return 0; -#endif /* CONFIG_DEBUG_FILE */ } void wpa_debug_close_file(void) { #ifdef CONFIG_DEBUG_FILE - if (!wpa_debug_use_file) + if (!out_file) return; fclose(out_file); out_file = NULL; ==== //depot/projects/dtrace7/src/contrib/hostapd/common.h#2 (text+ko) ==== @@ -264,12 +264,12 @@ #define wpa_hexdump_key(l,t,b,le) do { } while (0) #define wpa_hexdump_ascii(l,t,b,le) do { } while (0) #define wpa_hexdump_ascii_key(l,t,b,le) do { } while (0) -#define wpa_debug_open_file() do { } while (0) +#define wpa_debug_open_file(p) do { } while (0) #define wpa_debug_close_file() do { } while (0) #else /* CONFIG_NO_STDOUT_DEBUG */ -int wpa_debug_open_file(void); +int wpa_debug_open_file(const char *path); void wpa_debug_close_file(void); /** ==== //depot/projects/dtrace7/src/contrib/hostapd/defconfig#2 (text+ko) ==== @@ -102,3 +102,7 @@ # Build IPv6 support for RADIUS operations CONFIG_IPV6=y + +# Use the hostapd's IEEE 802.11 authentication (ACL), but without +# the IEEE 802.11 Management capability +CONFIG_DRIVER_RADIUS_ACL=y ==== //depot/projects/dtrace7/src/contrib/hostapd/driver.h#2 (text+ko) ==== 
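Review bot: wpa_debug_open_file creates the log with `fopen(path, "a")`, so the file is created with the process umask's default mode (commonly 0644), although this is the stream that presumably receives `wpa_hexdump_key` output once `wpa_debug_show_keys` is set, and this change uses such hexdumps for MK/MSK material. Creating the file with an explicit restrictive mode, `int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);` followed by `out_file = fd < 0 ? NULL : fdopen(fd, "a");`, keeps key material out of a world-readable file; whether hexdumps actually reach out_file depends on wpa_printf's file branch, which is outside this hunk. The error text says "using standard output" while the function returns -1, so the intended contract is that the caller treats -1 as a non-fatal fallback; a one-line comment above that return stating this would stop callers from aborting on it.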
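Review bot: In common.h the CONFIG_NO_STDOUT_DEBUG stub `#define wpa_debug_open_file(p) do { } while (0)` expands to a statement, while the real declaration in the same hunk is `int wpa_debug_open_file(const char *path);`, so any caller that tests the return value (`if (wpa_debug_open_file(path) < 0)`) stops compiling in the no-debug build. Defining the stub as an expression of the same type that also consumes its argument, `#define wpa_debug_open_file(p) ((void) (p), 0)`, keeps both builds source-compatible and avoids an unused-variable warning for the path in callers.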
@@ -141,6 +141,10 @@ * this handler will be called after initial setup has been completed. */ int (*commit)(void *priv); + + int (*set_radius_acl_auth)(void *priv, const u8 *mac, int accepted, + u32 session_timeout); + int (*set_radius_acl_expire)(void *priv, const u8 *mac); }; static inline int @@ -653,4 +657,22 @@ return hapd->driver->commit(hapd->driver); } +static inline int +hostapd_set_radius_acl_auth(struct hostapd_data *hapd, const u8 *mac, int accepted, + u32 session_timeout) +{ + if (hapd->driver == NULL || hapd->driver->set_radius_acl_auth == NULL) + return 0; + return hapd->driver->set_radius_acl_auth(hapd->driver, mac, accepted, + session_timeout); +} + +static inline int +hostapd_set_radius_acl_expire(struct hostapd_data *hapd, const u8 *mac) +{ + if (hapd->driver == NULL || hapd->driver->set_radius_acl_expire == NULL) + return 0; + return hapd->driver->set_radius_acl_expire(hapd->driver, mac); +} + #endif /* DRIVER_H */ ==== //depot/projects/dtrace7/src/contrib/hostapd/driver_test.c#2 (text+ko) ==== @@ -170,9 +170,10 @@ u16 fc; if (drv->test_socket < 0 || len < 10 || drv->socket_dir == NULL) { - wpa_printf(MSG_DEBUG, "%s: invalid parameters (sock=%d len=%d " - "socket_dir=%p)", - __func__, drv->test_socket, len, drv->socket_dir); + wpa_printf(MSG_DEBUG, "%s: invalid parameters (sock=%d len=%lu" + " socket_dir=%p)", + __func__, drv->test_socket, (unsigned long) len, + drv->socket_dir); return -1; } ==== //depot/projects/dtrace7/src/contrib/hostapd/eap_aka.c#2 (text+ko) ==== @@ -1,6 +1,6 @@ /* * hostapd / EAP-AKA (RFC 4187) - * Copyright (c) 2005-2007, Jouni Malinen <j@w1.fi> + * Copyright (c) 2005-2008, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as 
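Review bot: The two new driver hooks `set_radius_acl_auth` and `set_radius_acl_expire` are added to the driver ops struct without the per-member comment that the neighbouring `commit` member carries, so the meaning of `accepted` and `session_timeout` and the "missing hook returns 0" contract of the inline wrappers in the second driver.h hunk are undocumented. A comment on the members along the lines of "push a RADIUS-derived ACL decision for mac to the driver; accepted is non-zero when the station is allowed, session_timeout presumably in seconds with 0 meaning none" and "drop the cached ACL entry for mac once its session has expired" would cover it, plus a note on the wrappers that a driver lacking the hook is treated as success, so callers must not assume the driver enforces the decision. The wrapper signature line `hostapd_set_radius_acl_auth(struct hostapd_data *hapd, const u8 *mac, int accepted,` also exceeds the 80-column width the rest of this header keeps.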
@@ -124,6 +124,14 @@ sm->identity_len)) { wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0); + } else { + /* + * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is + * ignored and the AKA/Identity is used to request the + * identity. + */ + wpa_printf(MSG_DEBUG, " AT_ANY_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0); } return eap_sim_msg_finish(msg, reqDataLen, NULL, NULL, 0); } @@ -445,10 +453,16 @@ sm->method_pending = METHOD_PENDING_NONE; } + identity_len = sm->identity_len; + while (identity_len > 0 && sm->identity[identity_len - 1] == '\0') { + wpa_printf(MSG_DEBUG, "EAP-AKA: Workaround - drop last null " + "character from identity"); + identity_len--; + } wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Identity for MK derivation", - sm->identity, sm->identity_len); + sm->identity, identity_len); - eap_aka_derive_mk(sm->identity, sm->identity_len, data->ik, data->ck, + eap_aka_derive_mk(sm->identity, identity_len, data->ik, data->ck, data->mk); eap_sim_derive_keys(data->mk, data->k_encr, data->k_aut, data->msk, data->emsk); ==== //depot/projects/dtrace7/src/contrib/hostapd/eap_gpsk.c#2 (text+ko) ==== @@ -1,5 +1,5 @@ /* - * hostapd / EAP-GPSK (draft-ietf-emu-eap-gpsk-03.txt) server + * hostapd / EAP-GPSK (draft-ietf-emu-eap-gpsk-08.txt) server * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify @@ -23,15 +23,15 @@ struct eap_gpsk_data { enum { GPSK_1, GPSK_3, SUCCESS, FAILURE } state; u8 rand_server[EAP_GPSK_RAND_LEN]; - u8 rand_client[EAP_GPSK_RAND_LEN]; + u8 rand_peer[EAP_GPSK_RAND_LEN]; u8 msk[EAP_MSK_LEN]; u8 emsk[EAP_EMSK_LEN]; u8 sk[EAP_GPSK_MAX_SK_LEN]; size_t sk_len; u8 pk[EAP_GPSK_MAX_PK_LEN]; size_t pk_len; - u8 *id_client; - size_t id_client_len; + u8 *id_peer; + size_t id_peer_len; u8 *id_server; size_t id_server_len; #define MAX_NUM_CSUITES 2 
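Review bot: The identity workaround loop in the second eap_aka.c hunk logs `EAP-AKA: Workaround - drop last null character from identity` once per stripped byte, so an identity padded with several nulls produces several identical debug lines. Logging once after the loop with the count, `if (identity_len != sm->identity_len) wpa_printf(MSG_DEBUG, "EAP-AKA: Workaround - dropped %lu trailing null character(s) from identity", (unsigned long) (sm->identity_len - identity_len));`, gives one line with more information. `identity_len` is declared outside the hunk and the enclosing function continues past it.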
@@ -85,17 +85,17 @@ data->csuite_count = 0; if (eap_gpsk_supported_ciphersuite(EAP_GPSK_VENDOR_IETF, EAP_GPSK_CIPHER_AES)) { - WPA_PUT_BE24(data->csuite_list[data->csuite_count].vendor, + WPA_PUT_BE32(data->csuite_list[data->csuite_count].vendor, EAP_GPSK_VENDOR_IETF); - WPA_PUT_BE24(data->csuite_list[data->csuite_count].specifier, + WPA_PUT_BE16(data->csuite_list[data->csuite_count].specifier, EAP_GPSK_CIPHER_AES); data->csuite_count++; } if (eap_gpsk_supported_ciphersuite(EAP_GPSK_VENDOR_IETF, EAP_GPSK_CIPHER_SHA256)) { - WPA_PUT_BE24(data->csuite_list[data->csuite_count].vendor, + WPA_PUT_BE32(data->csuite_list[data->csuite_count].vendor, EAP_GPSK_VENDOR_IETF); - WPA_PUT_BE24(data->csuite_list[data->csuite_count].specifier, + WPA_PUT_BE16(data->csuite_list[data->csuite_count].specifier, EAP_GPSK_CIPHER_SHA256); data->csuite_count++; } @@ -108,7 +108,7 @@ { struct eap_gpsk_data *data = priv; free(data->id_server); - free(data->id_client); + free(data->id_peer); free(data); } @@ -174,8 +174,8 @@ wpa_printf(MSG_DEBUG, "EAP-GPSK: Request/GPSK-3"); miclen = eap_gpsk_mic_len(data->vendor, data->specifier); - len = 1 + 2 * EAP_GPSK_RAND_LEN + sizeof(struct eap_gpsk_csuite) + 2 + - miclen; + len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + data->id_server_len + + sizeof(struct eap_gpsk_csuite) + 2 + miclen; req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, reqDataLen, len, EAP_CODE_REQUEST, id, &pos); if (req == NULL) { 
@@ -188,13 +188,18 @@ *pos++ = EAP_GPSK_OPCODE_GPSK_3; start = pos; - memcpy(pos, data->rand_client, EAP_GPSK_RAND_LEN); + memcpy(pos, data->rand_peer, EAP_GPSK_RAND_LEN); pos += EAP_GPSK_RAND_LEN; memcpy(pos, data->rand_server, EAP_GPSK_RAND_LEN); pos += EAP_GPSK_RAND_LEN; + WPA_PUT_BE16(pos, data->id_server_len); + pos += 2; + if (data->id_server) + memcpy(pos, data->id_server, data->id_server_len); + pos += data->id_server_len; csuite = (struct eap_gpsk_csuite *) pos; - WPA_PUT_BE24(csuite->vendor, data->vendor); - WPA_PUT_BE24(csuite->specifier, data->specifier); + WPA_PUT_BE32(csuite->vendor, data->vendor); + WPA_PUT_BE16(csuite->specifier, data->specifier); pos += sizeof(*csuite); /* no PD_Payload_2 */ @@ -282,7 +287,7 @@ if (end - pos < 2) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Too short message for " - "ID_Client length"); + "ID_Peer length"); eap_gpsk_state(data, FAILURE); return; } @@ -290,21 +295,21 @@ pos += 2; if (end - pos < alen) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Too short message for " - "ID_Client"); + "ID_Peer"); eap_gpsk_state(data, FAILURE); return; } - free(data->id_client); - data->id_client = malloc(alen); - if (data->id_client == NULL) { + free(data->id_peer); + data->id_peer = malloc(alen); + if (data->id_peer == NULL) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Not enough memory to store " - "%d-octet ID_Client", alen); + "%d-octet ID_Peer", alen); return; } - memcpy(data->id_client, pos, alen); - data->id_client_len = alen; - wpa_hexdump_ascii(MSG_DEBUG, "EAP-GPSK: ID_Client", - data->id_client, data->id_client_len); + memcpy(data->id_peer, pos, alen); + data->id_peer_len = alen; + wpa_hexdump_ascii(MSG_DEBUG, "EAP-GPSK: ID_Peer", + data->id_peer, data->id_peer_len); pos += alen; if (end - pos < 2) { 
@@ -332,13 +337,13 @@ if (end - pos < EAP_GPSK_RAND_LEN) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Too short message for " - "RAND_Client"); + "RAND_Peer"); eap_gpsk_state(data, FAILURE); return; } - memcpy(data->rand_client, pos, EAP_GPSK_RAND_LEN); - wpa_hexdump(MSG_DEBUG, "EAP-GPSK: RAND_Client", - data->rand_client, EAP_GPSK_RAND_LEN); + memcpy(data->rand_peer, pos, EAP_GPSK_RAND_LEN); + wpa_hexdump(MSG_DEBUG, "EAP-GPSK: RAND_Peer", + data->rand_peer, EAP_GPSK_RAND_LEN); pos += EAP_GPSK_RAND_LEN; if (end - pos < EAP_GPSK_RAND_LEN) { @@ -397,13 +402,13 @@ if (i == data->csuite_count) { wpa_printf(MSG_DEBUG, "EAP-GPSK: Peer selected unsupported " "ciphersuite %d:%d", - WPA_GET_BE24(csuite->vendor), - WPA_GET_BE24(csuite->specifier)); + WPA_GET_BE32(csuite->vendor), + WPA_GET_BE16(csuite->specifier)); eap_gpsk_state(data, FAILURE); return; } - data->vendor = WPA_GET_BE24(csuite->vendor); - data->specifier = WPA_GET_BE24(csuite->specifier); + data->vendor = WPA_GET_BE32(csuite->vendor); + data->specifier = WPA_GET_BE16(csuite->specifier); wpa_printf(MSG_DEBUG, "EAP-GPSK: CSuite_Sel %d:%d", data->vendor, data->specifier); pos += sizeof(*csuite); @@ -434,8 +439,8 @@ if (eap_gpsk_derive_keys(sm->user->password, sm->user->password_len, data->vendor, data->specifier, - data->rand_client, data->rand_server, - data->id_client, data->id_client_len, + data->rand_peer, data->rand_server, + data->id_peer, data->id_peer_len, data->id_server, data->id_server_len, data->msk, data->emsk, data->sk, &data->sk_len, ==== //depot/projects/dtrace7/src/contrib/hostapd/eap_gpsk_common.c#2 (text+ko) ==== @@ -18,8 +18,9 @@ #include "eap_defs.h" #include "aes_wrap.h" #include "crypto.h" -#include "sha1.h" +#ifdef EAP_GPSK_SHA256 #include "sha256.h" +#endif /* EAP_GPSK_SHA256 */ #include "eap_gpsk_common.h" 
@@ -43,31 +44,29 @@ } -static int eap_gpsk_gkdf(const u8 *psk /* Y */, size_t psk_len, - const u8 *data /* Z */, size_t data_len, - u8 *buf, size_t len /* X */) +static int eap_gpsk_gkdf_cmac(const u8 *psk /* Y */, + const u8 *data /* Z */, size_t data_len, + u8 *buf, size_t len /* X */) { u8 *opos; size_t i, n, hashlen, left, clen; - u8 ibuf[2], hash[SHA1_MAC_LEN]; - const u8 *addr[3]; - size_t vlen[3]; + u8 ibuf[2], hash[16]; + const u8 *addr[2]; + size_t vlen[2]; - hashlen = SHA1_MAC_LEN; - /* M_i = Hash-Function (i || Y || Z); */ + hashlen = sizeof(hash); + /* M_i = MAC_Y (i || Z); (MAC = AES-CMAC-128) */ addr[0] = ibuf; vlen[0] = sizeof(ibuf); - addr[1] = psk; - vlen[1] = psk_len; - addr[2] = data; - vlen[2] = data_len; + addr[1] = data; + vlen[1] = data_len; opos = buf; left = len; n = (len + hashlen - 1) / hashlen; for (i = 1; i <= n; i++) { WPA_PUT_BE16(ibuf, i); - sha1_vector(3, addr, vlen, hash); + omac1_aes_128_vector(psk, 2, addr, vlen, hash); clen = left > hashlen ? hashlen : left; os_memcpy(opos, hash, clen); opos += clen; 
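Review bot: eap_gpsk_gkdf_cmac ignores the return value of `omac1_aes_128_vector(psk, 2, addr, vlen, hash)`, which returns -1 when aes_encrypt_init fails; in that case `hash` is left uninitialised and its contents are still copied into the derived key buffer by the following `os_memcpy(opos, hash, clen)`, while the function presumably reports success at its end outside the hunk. Checking it, `if (omac1_aes_128_vector(psk, 2, addr, vlen, hash) < 0) return -1;`, propagates the failure to eap_gpsk_derive_keys_helper, which already treats a negative gkdf result as an error. The function also reads a 16-octet key from `psk` with no length parameter; that is only safe because of the caller's `psk_len < mk_len` check, which deserves a comment on this signature.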
@@ -78,112 +77,30 @@ } -static int eap_gpsk_derive_keys_aes(const u8 *psk, size_t psk_len, - const u8 *seed, size_t seed_len, - u8 *msk, u8 *emsk, u8 *sk, size_t *sk_len, - u8 *pk, size_t *pk_len) -{ -#define EAP_GPSK_SK_LEN_AES 16 -#define EAP_GPSK_PK_LEN_AES 16 - u8 zero_string[1], mk[32], *pos, *data; - u8 kdf_out[EAP_MSK_LEN + EAP_EMSK_LEN + EAP_GPSK_SK_LEN_AES + - EAP_GPSK_PK_LEN_AES]; - size_t data_len; - - /* - * inputString = RAND_Client || ID_Client || RAND_Server || ID_Server - * (= seed) - * KS = 16, PL = psk_len, CSuite_Sel = 0x000000 0x000001 - * MK = GKDF-32 (0x00, PL || PSK || CSuite_Sel || inputString) - * MSK = GKDF-160 (MK, inputString)[0..63] - * EMSK = GKDF-160 (MK, inputString)[64..127] - * SK = GKDF-160 (MK, inputString)[128..143] - * PK = GKDF-160 (MK, inputString)[144..159] - * MID = GKDF-16(0x00, "Method ID" || EAP_Method_Type || CSuite_Sel || - * inputString) - * Hash-Function = SHA-1 (see [RFC3174]) - * hashlen = 20 octets (160 bits) - */ - - os_memset(zero_string, 0, sizeof(zero_string)); - - data_len = 2 + psk_len + 6 + seed_len; - data = os_malloc(data_len); - if (data == NULL) - return -1; - pos = data; - WPA_PUT_BE16(pos, psk_len); - pos += 2; - os_memcpy(pos, psk, psk_len); - pos += psk_len; - WPA_PUT_BE24(pos, 0); /* CSuite/Vendor = IETF */ - pos += 3; - WPA_PUT_BE24(pos, EAP_GPSK_CIPHER_AES); /* CSuite/Specifier */ - pos += 3; - os_memcpy(pos, seed, seed_len); /* inputString */ - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: Data to MK derivation (AES)", - data, data_len); - - if (eap_gpsk_gkdf(zero_string, sizeof(zero_string), data, data_len, - mk, sizeof(mk)) < 0) { - os_free(data); - return -1; - } - os_free(data); - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MK", mk, sizeof(mk)); - - if (eap_gpsk_gkdf(mk, sizeof(mk), seed, seed_len, - kdf_out, sizeof(kdf_out)) < 0) - return -1; - - pos = kdf_out; - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MSK", pos, EAP_MSK_LEN); - os_memcpy(msk, pos, EAP_MSK_LEN); - pos += EAP_MSK_LEN; - - 
wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: EMSK", pos, EAP_EMSK_LEN); - os_memcpy(emsk, pos, EAP_EMSK_LEN); - pos += EAP_EMSK_LEN; - - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: SK", pos, EAP_GPSK_SK_LEN_AES); - os_memcpy(sk, pos, EAP_GPSK_SK_LEN_AES); - *sk_len = EAP_GPSK_SK_LEN_AES; - pos += EAP_GPSK_SK_LEN_AES; - - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: PK", pos, EAP_GPSK_PK_LEN_AES); - os_memcpy(pk, pos, EAP_GPSK_PK_LEN_AES); - *pk_len = EAP_GPSK_PK_LEN_AES; - - return 0; -} - - #ifdef EAP_GPSK_SHA256 -static int eap_gpsk_gkdf_sha256(const u8 *psk /* Y */, size_t psk_len, +static int eap_gpsk_gkdf_sha256(const u8 *psk /* Y */, const u8 *data /* Z */, size_t data_len, u8 *buf, size_t len /* X */) { u8 *opos; size_t i, n, hashlen, left, clen; u8 ibuf[2], hash[SHA256_MAC_LEN]; - const u8 *addr[3]; - size_t vlen[3]; + const u8 *addr[2]; + size_t vlen[2]; hashlen = SHA256_MAC_LEN; - /* M_i = Hash-Function (i || Y || Z); */ + /* M_i = MAC_Y (i || Z); (MAC = HMAC-SHA256) */ addr[0] = ibuf; vlen[0] = sizeof(ibuf); - addr[1] = psk; - vlen[1] = psk_len; - addr[2] = data; - vlen[2] = data_len; + addr[1] = data; + vlen[1] = data_len; opos = buf; left = len; n = (len + hashlen - 1) / hashlen; for (i = 1; i <= n; i++) { WPA_PUT_BE16(ibuf, i); - sha256_vector(3, addr, vlen, hash); + hmac_sha256_vector(psk, 32, 2, addr, vlen, hash); clen = left > hashlen ? hashlen : left; os_memcpy(opos, hash, clen); opos += clen; 
@@ -192,37 +109,40 @@ return 0; } +#endif /* EAP_GPSK_SHA256 */ -static int eap_gpsk_derive_keys_sha256(const u8 *psk, size_t psk_len, +static int eap_gpsk_derive_keys_helper(u32 csuite_specifier, + u8 *kdf_out, size_t kdf_out_len, + const u8 *psk, size_t psk_len, const u8 *seed, size_t seed_len, u8 *msk, u8 *emsk, - u8 *sk, size_t *sk_len, - u8 *pk, size_t *pk_len) + u8 *sk, size_t sk_len, + u8 *pk, size_t pk_len) { -#define EAP_GPSK_SK_LEN_SHA256 SHA256_MAC_LEN -#define EAP_GPSK_PK_LEN_SHA256 SHA256_MAC_LEN - u8 mk[SHA256_MAC_LEN], zero_string[1], *pos, *data; - u8 kdf_out[EAP_MSK_LEN + EAP_EMSK_LEN + EAP_GPSK_SK_LEN_SHA256 + - EAP_GPSK_PK_LEN_SHA256]; - size_t data_len; + u8 mk[32], *pos, *data; + size_t data_len, mk_len; + int (*gkdf)(const u8 *psk, const u8 *data, size_t data_len, + u8 *buf, size_t len); - /* - * inputString = RAND_Client || ID_Client || RAND_Server || ID_Server - * (= seed) - * KS = 32, PL = psk_len, CSuite_Sel = 0x000000 0x000002 - * MK = GKDF-32 (0x00, PL || PSK || CSuite_Sel || inputString) - * MSK = GKDF-192 (MK, inputString)[0..63] - * EMSK = GKDF-192 (MK, inputString)[64..127] - * SK = GKDF-192 (MK, inputString)[128..159] - * PK = GKDF-192 (MK, inputString)[160..191] - * MID = GKDF-16(0x00, "Method ID" || EAP_Method_Type || CSuite_Sel || - * inputString) - * Hash-Function = SHA256 (see [RFC4634]) - * hashlen = 32 octets (256 bits) - */ + gkdf = NULL; + switch (csuite_specifier) { + case EAP_GPSK_CIPHER_AES: + gkdf = eap_gpsk_gkdf_cmac; + mk_len = 16; + break; +#ifdef EAP_GPSK_SHA256 + case EAP_GPSK_CIPHER_SHA256: + gkdf = eap_gpsk_gkdf_sha256; + mk_len = SHA256_MAC_LEN; + break; +#endif /* EAP_GPSK_SHA256 */ + default: + return -1; + } - os_memset(zero_string, 0, sizeof(zero_string)); + if (psk_len < mk_len) + return -1; data_len = 2 + psk_len + 6 + seed_len; data = os_malloc(data_len); 
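Review bot: The new `if (psk_len < mk_len) return -1;` in eap_gpsk_derive_keys_helper bounds the PSK from below only, while the length is also written into a 2-octet PL field (`WPA_PUT_BE16(pos, psk_len)` in the removed AES variant; the kept line appears to sit between this hunk and the next), so a PSK longer than 65535 octets would be copied in full but announced with a wrapped length, and `data_len = 2 + psk_len + 6 + seed_len` would still be allocated. Rejecting both ends in the same place keeps the derivation input well-formed: `if (psk_len < mk_len || psk_len > 0xffff) return -1;`. The helper's body continues past the end of this hunk.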
@@ -233,24 +153,22 @@ pos += 2; os_memcpy(pos, psk, psk_len); pos += psk_len; - WPA_PUT_BE24(pos, 0); /* CSuite/Vendor = IETF */ - pos += 3; - WPA_PUT_BE24(pos, EAP_GPSK_CIPHER_SHA256); /* CSuite/Specifier */ - pos += 3; + WPA_PUT_BE32(pos, EAP_GPSK_VENDOR_IETF); /* CSuite/Vendor = IETF */ + pos += 4; + WPA_PUT_BE16(pos, csuite_specifier); /* CSuite/Specifier */ + pos += 2; os_memcpy(pos, seed, seed_len); /* inputString */ - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: Data to MK derivation (SHA256)", + wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: Data to MK derivation", data, data_len); - if (eap_gpsk_gkdf_sha256(zero_string, sizeof(zero_string), - data, data_len, mk, sizeof(mk)) < 0) { + if (gkdf(psk, data, data_len, mk, mk_len) < 0) { os_free(data); return -1; } os_free(data); - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MK", mk, sizeof(mk)); + wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: MK", mk, mk_len); - if (eap_gpsk_gkdf_sha256(mk, sizeof(mk), seed, seed_len, - kdf_out, sizeof(kdf_out)) < 0) + if (gkdf(mk, seed, seed_len, kdf_out, kdf_out_len) < 0) return -1; pos = kdf_out; @@ -262,46 +180,113 @@ os_memcpy(emsk, pos, EAP_EMSK_LEN); pos += EAP_EMSK_LEN; - wpa_hexdump_key(MSG_DEBUG, "EAP-GPSK: SK", >>> TRUNCATED FOR MAIL (1000 lines) <<<
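Review bot: `data` holds a copy of the PSK (PL || PSK || CSuite_Sel || inputString) and is released by the two `os_free(data)` calls in this hunk without being cleared, so the secret remains in freed heap memory until that block is reused. Clearing before release is cheap: `os_memset(data, 0, data_len);` immediately before each `os_free(data)`, with the caveat that a plain memset ahead of free can be dropped by the optimizer unless the project's os_ layer offers an explicit-clear variant. The stack `mk` buffer, which holds the master key, is not cleared in the visible lines either; the helper's return lies in the truncated hunk that follows.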