Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

125 lines (122 sloc) 7.005 kb
To do:
- hostap: try other roaming modes
NOTE: current mode (manual roaming) does not really roam at all..
Firmware did not notice the current AP disappearing..
- add support for WPA with ap_scan=0 (update selected cipher etc. based on
AssocInfo; make sure these match with configuration)
- optional security separation (build time option): run EAPOL state machines
as non-root (need to add something like socketpair between privileged root
process and non-root handler; send EAPOL packets between processes
and send keying data from non-root -> privileged)
EAPOL-Key processing (WPA & WEP keys) could be in privileged part
at least in the beginning; some parts might end up being moved to
non-root part eventually
- consider closing smart card / PCSC connection when EAP-SIM/EAP-AKA
authentication has been completed (cache scard data based on serial#(?)
and try to optimize next connection if the same card is present for next
auth)
- EAP-AKA: AT_CHECKCODE
- EAP-SIM/AKA: AT_RESULT_IND
- on disconnect event, could try to associate with another AP if one is
present in scan results; would need to update scan results periodically..
- if driver/hw is not WPA2 capable, must remove WPA_PROTO_RSN flag from
ssid->proto fields to avoid detecting downgrade attacks when the driver
is not reporting RSN IE, but msg 3/4 has one
- Cisco AP and non-zero keyidx for unicast -> map to broadcast
(actually, this already works with driver_ndis; so maybe just change
driver_*.c to do the mapping for drivers that cannot handle non-zero keyidx
for unicast); worked also with Host AP driver and madwifi
- IEEE 802.1X and key update with driver_ndis?? wpa_supplicant did not seem
to see unencrypted EAPOL-Key frames at all..
- EAP-PAX with PAX_SEC
- EAP (RFC 3748)
* OTP Extended Responses (Sect. 5.5)
- test what happens if authenticator sends EAP-Success before real EAP
authentication ("canned" Success); this should be ignored based on
RFC 3748 Sect. 4.2
- test compilation with gcc -W options (more warnings?)
(Done once; number of unused function arguments still present)
- add proper support for using dot11RSNAConfigSATimeout
- ctrl_iface: get/set/remove blob
- use doc/docbook/*.sgml and docbook2{txt,html,pdf} to replace README and
web pages including the same information.. i.e., have this information only
in one page; how to build a PDF file with all the SGML included?
- test wait-for-interface and daemonize combinations with number of driver
interfaces
* 'test' worked with WPA-PSK
- EAP-POTP/RSA SecurID profile (draft-nystrom-eap-potp-03.txt)
- document wpa_gui build and consider adding it to 'make install'
- test madwifi with pairwise=TKIP group=WEP104
- possibility to link in WPA Authenticator state machine to wpa_supplicant
(new STAKey handshake, WPA2 IBSS)
- consider merging hostapd and wpa_supplicant PMKSA cache implementations
- add support for configuring password for MSCHAPv2 as NtPasswordHash in
the same way as was added to hostapd (hash:<hex value>)
- test_driver: configure directory and create AP-<mac> and STA-<mac> files
there to allow scanning multiple APs (e.g., for testing pre-auth and PMKSA
caching testing) and to exchange STA-STA EAPOL frames
- consider adding generic buffer functionality that could be used in number
of places
* allocate buffer (with default max size), allow reserving head room to
make it possible to add a header without having to reallocate buffer
* reallocate buffer (add head and/or tail room)
* ref count and free when count=0 ?
* add data (to tail): re-alloc more tailroom if needed and copy new data
* error flag so that caller can do multiple add()s and only in the end
check whether something has failed; this should make error handling
simpler
- consider redesigning pending EAP requests (identity/password/otp from
ctrl_iface) by moving the retrying of the previous request into EAP
state machine so that EAPOL state machine is not needed for this
- rfc4284.txt (network selection for eap)
- www pages about configuring wpa_supplicant:
* global options (ap_scan, ctrl_interfaces) based on OS/driver
* network block
* key_mgmt selection
* WPA parameters
* EAP options (one page for each method)
* "configuration wizard" (step 1: select OS, step 2: select driver, ...) to
generate example configuration
- error path in rsn_preauth_init: should probably deinit l2_packet handlers
if something fails; does something else need deinit?
- consider moving SIM card functionality (IMSI fetching) away from eap.c;
this should likely happen before EAP is initialized for authentication;
now IMSI is read only after receiving EAP-Identity/Request, but since it is
really needed for all cases, reading IMSI and generating Identity string
could very well be done before EAP has been started
- test all allowed EAP Phase 2 methods (i.e., anything else than PEAP, TTLS,
FAST): SIM AKA PAX PSK LEAP; if these work, include in eap_testing.txt; if
not, either fix or make eap_allowed_phase2_type reject
- try to work around race in receiving association event and first EAPOL
message
- helper function to do memcmp(addr, "\x00\x00\x00\x00\x00\x00", ETH_ALEN)
- add wpa_secure_memzero() macro and secure implementation (volatile u8*) to
clear memory; this would be used to clear temporary buffers containing
private data (e.g., keys); the macro can be defined to NOP in order to save
space (i.e., no code should depend on the macro doing something)
- make sure that TLS session cache is not shared between EAP types or if it
is, that the cache entries are bound to only one EAP type; e.g., cache entry
created with EAP-TLS must not be allowed to do fast re-auth with EAP-TTLS
- consider moving eap_tls_build_ack() call into eap_tls_process_helper()
(it seems to be called always if helper returns 1)
* could need to modify eap_{ttls,peap,fast}_decrypt to do same
- add support for fetching full user cert chain from Windows certificate
stores even when there are intermediate CA certs that are not in the
configured ca_cert store (e.g., ROOT) (they could be, e.g., in CA store)
0.6.x branch:
- clean up common.[ch]
- change TLS/crypto library interface to use a structure of function
pointers and helper inline functions (like driver_ops) instead of
requiring every TLS wrapper to implement all functions
- move from CVS to git (0.3.x, 0.4.x, 0.5.x releases will continue
to be updated only on CVS)
- move files into subdirectories and combine wpa_supplicant and hostapd
into a repository that matches in directory structure with the release
tarballs
(subdirs: eap_common, eap_peer, eap_server, driver, driver_ap, ...)
- make it clearer that EAP server/peer can be used as a separate library
for other programs
- add support for encrypted configuration fields (e.g., password, psk,
passphrase, pin)
- wpa_gui: add support for setting and showing priority, id_str, auth_alg
(open/shared for static WEP)
Jump to Line
Something went wrong with that request. Please try again.