David Smith | 1 May 2008 18:36

[PATCH] enhanced smartcard support

Hi all,

I've attached three patches to extend the existing smartcard support to handle 
client certificates and CA certificates as well as EAP-TLS phase2 auth. I've 
added the following ssid configuration variables to wpasupplicant for this:

 cert_id, ca_cert_id, key2_id, cert2_id, and ca_cert2_id

I'm looking for people to help test this. At the current time, it relies on 
the LOAD_CERT_CTRL extension provided by the PKCS#11 OpenSSL engine from the 
OpenSC project. If any other OpenSSL engines support a similar extension, 
inform me and I'll add support for them. But since the PKCS#11 engine is probably 
by far the most used one with wpasupplicant, I think this is a good start.

Again, this code should definitely be tested more before it is ready for 
merging but please give it a read and a try.

Cheers,
dds
-- 
man perl | tail -6 | head -2
_______________________________________________
HostAP mailing list
HostAP <at> lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap

Dan Williams | 1 May 2008 18:45

Re: [PATCH] enhanced smartcard support

On Fri, 2008-05-02 at 01:36 +0900, David Smith wrote:
> Hi all,
> 
> I've attached three patches to extend the existing smartcard support to handle 
> client certificates and CA certificates as well as EAP-TLS phase2 auth. I've 
> added the following ssid configuration variables to wpasupplicant for this:
> 
>  cert_id, ca_cert_id, key2_id, cert2_id, and ca_cert2_id

Quick question; are these paths to certificate files, or some other
token?  In many cases we don't want wpa_supplicant reading all around
the disk because it's a lot harder to confine the supplicant with things
like SELinux if it just gets passed filenames.  That's one of the
reasons why NetworkManager passes the actual binary data of the
certificate to the supplicant instead of passing a path.

Dan

> I'm looking for people to help test this. At the current time, it relies on 
> the LOAD_CERT_CTRL extension provided by the PKCS#11 OpenSSL engine from the 
> OpenSC project. If any other OpenSSL engines support a similar extension, 
> inform me and I'll support for them. But since the PKCS#11 engine is probably 
> by far the most used one with wpasupplicant, I think this is a good start.
> 
> Again, this code should definitely be tested more before it is ready for 
> merging but please give it a read and a try.
> 
> Cheers,
> dds

Francis Galiegue | 1 May 2008 18:54

hostapd and b43: can do unencrypted, cannot do WPA - continued

I managed to drop the sigsegv when setting up WPA, however, the WPA
negotiation completes but... The station is deassociated just
afterwards due to inactivity (uh, what activity? I didn't even get the
chance to send anything!):

----
[lots of stuff before]
WPA: 00:15:00:35:12:e0 WPA_PTK_GROUP entering state REKEYESTABLISHED
wlan0: STA 00:15:00:35:12:e0 WPA: group key handshake completed (WPA)
WPA: 00:15:00:35:12:e0 WPA_PTK_GROUP entering state IDLE
MGMT
mgmt::disassoc
disassocation: STA=00:15:00:35:12:e0 reason_code=1
wlan0: STA 00:15:00:35:12:e0 WPA: event 2 notification
WPA: 00:15:00:35:12:e0 WPA_PTK entering state DISCONNECTED
WPA: 00:15:00:35:12:e0 WPA_PTK entering state INITIALIZE
wlan0: STA 00:15:00:35:12:e0 IEEE 802.1X: unauthorizing port
Could not set station 00:15:00:35:12:e0 flags for kernel driver (errno=17).
wlan0: STA 00:15:00:35:12:e0 IEEE 802.11: disassociated
wlan0: STA 00:15:00:35:12:e0 MLME: MLME-DISASSOCIATE.indication(00:15:00:35:12:e0, 1)
wlan0: STA 00:15:00:35:12:e0 MLME: MLME-DELETEKEYS.request(00:15:00:35:12:e0)
STA 00:15:00:35:12:e0 sent probe request for our SSID [a few times]
Sending deauthentication info to STA 00:15:00:35:12:e0
wlan0: STA 00:15:00:35:12:e0 IEEE 802.11: deauthenticated due to inactivity
wlan0: STA 00:15:00:35:12:e0 MLME: MLME-DEAUTHENTICATE.indication(00:15:00:35:12:e0, 2)
wlan0: STA 00:15:00:35:12:e0 MLME: MLME-DELETEKEYS.request(00:15:00:35:12:e0)
----


David Smith | 1 May 2008 19:09

Re: [PATCH] enhanced smartcard support

On 2008/05/02 (Fri) 01:45:11, Dan Williams wrote:
> On Fri, 2008-05-02 at 01:36 +0900, David Smith wrote:
> > Hi all,
> >
> > I've attached three patches to extend the existing smartcard support to
> > handle client certificates and CA certificates as well as EAP-TLS phase2
> > auth. I've added the following ssid configuration variables to
> > wpasupplicant for this:
> >
> >  cert_id, ca_cert_id, key2_id, cert2_id, and ca_cert2_id
>
> Quick question; are these paths to certificate files, or some other
> token?

They are specified the same as the current "key_id" setting, as a PKCS#11 
object id. For example, in the TPM chip in my laptop accessed via 
opencryptoki pkcs#11, the cert and key for my company's wireless access both 
have ID "4".

Consider this output:
# pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so --login --list-objects
Please enter User PIN:
Private Key Object; RSA
  label:      IPsec VPN RSA private key
  ID:         01
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA
  label:      GPG System Sign key
  ID:         03

Francis Galiegue | 2 May 2008 10:43

hostapd, b43, nl80211 driver, WPA: report, and two questions

Hello everyone,

I finally managed to get hostapd to work with the b43 driver. Components:

* wireless-testing kernel tree, with two patches from Johannes Berg
(*-mac80211-fix-debugfs-key.patch, *-allow-ap-vlan-modes.patch);
* libnl 1.1;
* git master branch of hostapd;
* using nl80211 driver;
* WPA PSK.

Two questions remain:

* if the b43 network interface is within a bridge (the bridge's MAC
address is _not_ the one of the b43 FWIW), unencrypted works, however
WPA does not; is this a hostapd only problem, or does the kernel need
some more support for this? Would it be helpful that I provide some
logs (I have a problem with the 25k message limit though, since logs
are HUGE with hostapd in debug mode)?

* with WPA PSK working, I get this loop in hostapd's stdout:

----
wlan0: STA 00:15:00:35:12:e0 IEEE 802.11: disassociated
wlan0: STA 00:15:00:35:12:e0 IEEE 802.11: authenticated
# accounting session number increases by 1 every iteration
wlan0: STA 00:15:00:35:12:e0 IEEE 802.11: associated (aid 1,
accounting session 481A24F5-0000003C)
wlan0: STA 00:15:00:35:12:e0 WPA: pairwise key handshake completed (WPA)
wlan0: STA 00:15:00:35:12:e0 WPA: group key handshake completed (WPA)

娟 严 | 2 May 2008 11:18

Why EAPOL packets are sent but never received.

Hi, everyone!
      My problem is:
      EAPOL packets are sent but never received. Switch: Cisco Catalyst 2950 series; PC/OS: Linux.
Plus: when I use Windows XP to authenticate, the switch responds normally.
      The logs of wpa_supplicant are as follows:
############################################################################
#wpa_supplicant -ieth0 -c/etc/wpa_supplicant.conf -Dwired -dd
Initializing interface 'eth0' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel' (DEPRECATED)
ap_scan=0
Line: 4 - start of a new network block
key_mgmt: 0x8
eap methods - hexdump(len=16): 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=10):
     74 65 73 74 40 6c 6f 63 61 6c                     test   
password - hexdump_ascii(len=4):
     74 65 73 74                                       test           
eapol_flags=0 (0x0)
Priority group 0
   id=0 ssid=''
Initializing interface (2) 'eth0'
wpa_driver_wired_init: Added multicast membership with packet socket
Own MAC address: 00:19:db:89:79:21
RSN: flushing PMKID list in the driver
Setting scan request: 0 sec 100000 usec
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
ctrl_interface_group=10 (from group name 'wheel')
Added interface eth0
EAPOL: External notification - portControl=Auto
Already associated with a configured network - generating associated event
Association info event
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Select network based on association information
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
TX EAPOL - hexdump(len=4): 01 01 00 00
EAPOL: idleWhile --> 0
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed unsuccessfully
EAPOL: startWhen --> 0
EAPOL: heldWhile --> 0
EAPOL: disable timer tick
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: enable timer tick
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state IDLE
EAPOL authentication completed unsuccessfully   //repeat
.....
####################################################
And my wpa_supplicant.conf is as follows:
####################################################
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
 key_mgmt=IEEE8021X
 eap=MD5
 identity="test"
 password="test"
 eapol_flags=0
}
 
Jeff Sadowski | 6 May 2008 00:07

wrong time?

I have a mobile linux device that has no RTC as such if I start the
device to connect without setting the clock first I get

wpa_supplicant -Dmarvell -iwlan0 -c/etc/wpa_supplicant.conf -w
ioctl[SIOCSIWPMKSA]: Invalid argument
Trying to associate with 00:0b:0e:26:d2:80 (SSID='ABBA1X' freq=2437 MHz)
Associated with 00:0b:0e:26:d2:80
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
X509: Certificate not valid (now=1210001377 not_before=1156333193
not_after=1187869193)
CTRL-EVENT-TERMINATING - signal 2 received

I would like to have the device set the time automatically but only if
it has to.
Is there a way to have it try and connect first without really connecting?
Just have it spit the above information to a script so that it can
determine it needs to set the time to half way between
not_before=1156333193 and not_after=1187869193

Or better yet is there a way to have wpa_supplicant set the time as it
is connecting?
Johannes Berg | 6 May 2008 00:45

Re: wrong time?


> I would like to have the device set the time automatically but only if
> it has to.
> Is there a way to have it try and connect first without really connecting?
> Just have it spit the above information to a script so that it can
> determine it needs to set the time to half way between
> not_before=1156333193 and not_after=1187869193
> 
> Or better yet is there a way to have wpa_supplicant set the time as it
> is connecting?

IMHO, neither makes sense. Just make it ignore the certificate lifetime
if you cannot check it because you have no time.

johannes
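A small Python helper, added here and not part of the thread, that reads the X509 line quoted above and tells an unset clock (now before not_before) apart from a certificate that is past not_after, so a boot script only adjusts the clock in the first case; note that for the timestamps quoted in the thread it reports the certificate as past not_after rather than the clock as unset. The second sample line is constructed.

```python
import re

# Pattern for the wpa_supplicant diagnostic quoted in the thread; the line may be
# wrapped by the mail client, so whitespace is normalised before matching.
X509_RE = re.compile(
    r"X509: Certificate not valid \(now=(\d+)\s+not_before=(\d+)\s+not_after=(\d+)\)"
)

# Line as it appears in the post above (wrapped after not_before=...).
THREAD_LINE = ("X509: Certificate not valid (now=1210001377 not_before=1156333193\n"
               "not_after=1187869193)")
# Constructed sample: a device whose clock still sits one day after the epoch.
NO_RTC_LINE = ("X509: Certificate not valid (now=86400 not_before=1156333193 "
               "not_after=1187869193)")


def classify_x509_failure(log_text):
    """Parse the X509 line and say why the certificate was rejected.

    verdict is "clock_before_validity" (now < not_before, consistent with an
    unset RTC, so setting the clock is a sensible remedy), "expired" (now >
    not_after, so moving the clock back would only hide a real expiry), or
    "within_validity". Returns None when the line is not present.
    """
    m = X509_RE.search(" ".join(log_text.split()))
    if not m:
        return None
    now, not_before, not_after = (int(x) for x in m.groups())
    if now < not_before:
        verdict = "clock_before_validity"
    elif now > not_after:
        verdict = "expired"
    else:
        verdict = "within_validity"
    return {"now": now, "not_before": not_before, "not_after": not_after,
            "midpoint": (not_before + not_after) // 2, "verdict": verdict}


def clock_to_set(log_text):
    """Midpoint of the validity window only when the clock is evidently unset;
    otherwise None, so an expired certificate is never masked by a time change."""
    info = classify_x509_failure(log_text)
    if info and info["verdict"] == "clock_before_validity":
        return info["midpoint"]
    return None
```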
Johannes Berg | 6 May 2008 00:55

Re: wrong time?

On Mon, 2008-05-05 at 16:53 -0600, Jeff Sadowski wrote:
> great how do I do that then?

I don't think you can easily, the code seems to be in
x509_certificate_chain_validate()

johannes
