authorDamien Bergamini <damien@cvs.openbsd.org>2009-02-13 17:24:55 +0000
committerDamien Bergamini <damien@cvs.openbsd.org>2009-02-13 17:24:55 +0000
commit3d032e5b8edc1b5f0e9fd2a005895a09978a50a8 (patch)
tree1cf5da38e4655911976a953b2a853385b94ff769
parent47dd9ac8bda5158d345b6a4896cb92697035ae5d (diff)
Change ifconfig wpaakms default setting to `psk' instead of `psk,802.1x'.
Some supplicants will autoselect 802.1X without giving users the possibility to choose between PSK or 802.1X. Similarly, no longer announce `PSK with SHA-256 based KDF' AKMP (defined in Draft 802.11w) by default in the RSN IE of beacons and probe responses as it confuses some broken supplicants. This kind of sacrifices security for interoperability with shitty (but unfortunately widespread) clients that do not follow the 802.11 standard properly. This fixes associations from Intel PROSet on XP and also reportedly fixes some Mac OS clients. I will likely make `psk-sha256' configurable through ifconfig wpaakms after the 4.5 release.
-rw-r--r--sbin/ifconfig/ifconfig.86
-rw-r--r--sbin/ifconfig/ifconfig.c6
-rw-r--r--sys/net80211/ieee80211_crypto.c5
-rw-r--r--sys/net80211/ieee80211_ioctl.c32
-rw-r--r--sys/net80211/ieee80211_ioctl.h6
5 files changed, 29 insertions, 26 deletions
diff --git a/sbin/ifconfig/ifconfig.8 b/sbin/ifconfig/ifconfig.8
index 9db577bc0c9..1d2af36c305 100644
--- a/sbin/ifconfig/ifconfig.8
+++ b/sbin/ifconfig/ifconfig.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ifconfig.8,v 1.173 2008/12/12 22:09:26 claudio Exp $
+.\" $OpenBSD: ifconfig.8,v 1.174 2009/02/13 17:24:54 damien Exp $
.\" $NetBSD: ifconfig.8,v 1.11 1996/01/04 21:27:29 pk Exp $
.\" $FreeBSD: ifconfig.8,v 1.16 1998/02/01 07:03:29 steve Exp $
.\"
@@ -31,7 +31,7 @@
.\"
.\" @(#)ifconfig.8 8.4 (Berkeley) 6/1/94
.\"
-.Dd $Mdocdate: December 12 2008 $
+.Dd $Mdocdate: February 13 2009 $
.Dt IFCONFIG 8
.Os
.Sh NAME
@@ -734,7 +734,7 @@ authentication (also known as personal mode) uses a 256-bit pre-shared key.
authentication (also known as enterprise mode) is meant to be used with
an external IEEE 802.1X authentication server.
The default value is
-.Dq psk,802.1x .
+.Dq psk .
.Dq psk
can only be used if a pre-shared key is configured using the
.Cm wpapsk
diff --git a/sbin/ifconfig/ifconfig.c b/sbin/ifconfig/ifconfig.c
index e8a499c0882..3b96b824382 100644
--- a/sbin/ifconfig/ifconfig.c
+++ b/sbin/ifconfig/ifconfig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ifconfig.c,v 1.211 2009/02/06 22:07:04 grange Exp $ */
+/* $OpenBSD: ifconfig.c,v 1.212 2009/02/13 17:24:54 damien Exp $ */
/* $NetBSD: ifconfig.c,v 1.40 1997/10/01 02:19:43 enami Exp $ */
/*
@@ -1517,7 +1517,7 @@ setifwpaakms(const char *val, int d)
if (strcasecmp(str, "psk") == 0)
rval |= IEEE80211_WPA_AKM_PSK;
else if (strcasecmp(str, "802.1x") == 0)
- rval |= IEEE80211_WPA_AKM_IEEE8021X;
+ rval |= IEEE80211_WPA_AKM_8021X;
else
errx(1, "wpaakms: unknown akm: %s", str);
str = strtok(NULL, ",");
@@ -1928,7 +1928,7 @@ ieee80211_status(void)
fputs("psk", stdout);
sep = ",";
}
- if (wpa.i_akms & IEEE80211_WPA_AKM_IEEE8021X)
+ if (wpa.i_akms & IEEE80211_WPA_AKM_8021X)
printf("%s802.1x", sep);
fputs(" wpaciphers ", stdout);
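Review bot: After this rename ieee80211_status still reports only the `psk` and `802.1x` bits, while the getwpaparms side of the same commit now also sets IEEE80211_WPA_AKM_SHA256_PSK and IEEE80211_WPA_AKM_SHA256_8021X in `wpa.i_akms`; a configuration holding only those bits would print an empty `wpaakms` list. As far as the diff shows, ifconfig cannot set those bits yet, so this is presumably unreachable today, but the commit message says `psk-sha256` is coming. A marker next to the `if (wpa.i_akms & IEEE80211_WPA_AKM_8021X)` line would keep that from being forgotten: `/* XXX IEEE80211_WPA_AKM_SHA256_{PSK,8021X} are not reported yet */`. ieee80211_status starts and ends outside this hunk.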
diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
index c6a6a165cbf..64ab098eae5 100644
--- a/sys/net80211/ieee80211_crypto.c
+++ b/sys/net80211/ieee80211_crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto.c,v 1.57 2009/01/26 19:09:41 damien Exp $ */
+/* $OpenBSD: ieee80211_crypto.c,v 1.58 2009/02/13 17:24:54 damien Exp $ */
/*-
* Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -67,8 +67,7 @@ ieee80211_crypto_attach(struct ifnet *ifp)
TAILQ_INIT(&ic->ic_pmksa);
if (ic->ic_caps & IEEE80211_C_RSN) {
ic->ic_rsnprotos = IEEE80211_PROTO_WPA | IEEE80211_PROTO_RSN;
- ic->ic_rsnakms = IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK |
- IEEE80211_AKM_8021X | IEEE80211_AKM_SHA256_8021X;
+ ic->ic_rsnakms = IEEE80211_AKM_PSK;
ic->ic_rsnciphers = IEEE80211_CIPHER_TKIP |
IEEE80211_CIPHER_CCMP;
ic->ic_rsngroupcipher = IEEE80211_CIPHER_TKIP;
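Review bot: The new `ic->ic_rsnakms = IEEE80211_AKM_PSK;` line silently changes the advertised default from PSK+802.1X (plus the SHA-256 variants) to PSK only, with nothing in the code saying why, so a later reader is likely to restore the wider set. A comment above it would preserve the reasoning from the commit message: `/* Advertise only PSK by default; announcing 802.1X and the Draft 802.11w SHA-256 AKMs here confuses some supplicants, so those must be enabled explicitly (ifconfig wpaakms). */`. Note that deployments that relied on the old default for enterprise mode now have to pass `wpaakms 802.1x` explicitly; the ifconfig.8 hunk only changes the default value line and does not call that out. ieee80211_crypto_attach begins and ends outside this hunk.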
diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c
index 44903e5091f..37f7c6ae01a 100644
--- a/sys/net80211/ieee80211_ioctl.c
+++ b/sys/net80211/ieee80211_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_ioctl.c,v 1.29 2009/01/26 19:09:41 damien Exp $ */
+/* $OpenBSD: ieee80211_ioctl.c,v 1.30 2009/02/13 17:24:54 damien Exp $ */
/* $NetBSD: ieee80211_ioctl.c,v 1.15 2004/05/06 02:58:16 dyoung Exp $ */
/*-
@@ -237,15 +237,15 @@ ieee80211_ioctl_setwpaparms(struct ieee80211com *ic,
ic->ic_rsnakms = 0;
if (wpa->i_akms & IEEE80211_WPA_AKM_PSK)
- ic->ic_rsnakms |=
- IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK;
- if (wpa->i_akms & IEEE80211_WPA_AKM_IEEE8021X)
- ic->ic_rsnakms |=
- IEEE80211_AKM_8021X | IEEE80211_AKM_SHA256_8021X;
- if (ic->ic_rsnakms == 0) /* set to default (PSK+802.1X) */
- ic->ic_rsnakms =
- IEEE80211_AKM_PSK | IEEE80211_AKM_8021X /*|
- IEEE80211_AKM_SHA256_PSK | IEEE80211_AKM_SHA256_8021X*/;
+ ic->ic_rsnakms |= IEEE80211_AKM_PSK;
+ if (wpa->i_akms & IEEE80211_WPA_AKM_SHA256_PSK)
+ ic->ic_rsnakms |= IEEE80211_AKM_SHA256_PSK;
+ if (wpa->i_akms & IEEE80211_WPA_AKM_8021X)
+ ic->ic_rsnakms |= IEEE80211_AKM_8021X;
+ if (wpa->i_akms & IEEE80211_WPA_AKM_SHA256_8021X)
+ ic->ic_rsnakms |= IEEE80211_AKM_SHA256_8021X;
+ if (ic->ic_rsnakms == 0) /* set to default (PSK) */
+ ic->ic_rsnakms = IEEE80211_AKM_PSK;
if (wpa->i_groupcipher == IEEE80211_WPA_CIPHER_WEP40)
ic->ic_rsngroupcipher = IEEE80211_CIPHER_WEP40;
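Review bot: Bits in `wpa->i_akms` other than the four tested here are silently ignored, and because of the `if (ic->ic_rsnakms == 0)` fallback a request that consists only of unrecognised bits ends up configuring PSK instead of failing. The same silent-default behaviour existed before this commit, but the flag set exposed to userland has just doubled, which makes a mismatch between ifconfig and kernel more likely. If ieee80211_ioctl_setwpaparms returns an errno value like the surrounding ioctl handlers (its signature is above the hunk), a mask check before the mapping would reject such requests: `if (wpa->i_akms & ~(IEEE80211_WPA_AKM_PSK | IEEE80211_WPA_AKM_SHA256_PSK | IEEE80211_WPA_AKM_8021X | IEEE80211_WPA_AKM_SHA256_8021X)) return EINVAL;`. The function continues past the end of this hunk.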
@@ -291,12 +291,14 @@ ieee80211_ioctl_getwpaparms(struct ieee80211com *ic,
wpa->i_protos |= IEEE80211_WPA_PROTO_WPA2;
wpa->i_akms = 0;
- if (ic->ic_rsnakms &
- (IEEE80211_AKM_PSK | IEEE80211_AKM_SHA256_PSK))
+ if (ic->ic_rsnakms & IEEE80211_AKM_PSK)
wpa->i_akms |= IEEE80211_WPA_AKM_PSK;
- if (ic->ic_rsnakms &
- (IEEE80211_AKM_8021X | IEEE80211_AKM_SHA256_8021X))
- wpa->i_akms |= IEEE80211_WPA_AKM_IEEE8021X;
+ if (ic->ic_rsnakms & IEEE80211_AKM_SHA256_PSK)
+ wpa->i_akms |= IEEE80211_WPA_AKM_SHA256_PSK;
+ if (ic->ic_rsnakms & IEEE80211_AKM_8021X)
+ wpa->i_akms |= IEEE80211_WPA_AKM_8021X;
+ if (ic->ic_rsnakms & IEEE80211_AKM_SHA256_8021X)
+ wpa->i_akms |= IEEE80211_WPA_AKM_SHA256_8021X;
if (ic->ic_rsngroupcipher == IEEE80211_CIPHER_WEP40)
wpa->i_groupcipher = IEEE80211_WPA_CIPHER_WEP40;
diff --git a/sys/net80211/ieee80211_ioctl.h b/sys/net80211/ieee80211_ioctl.h
index 9d8db88b3d5..e836b3ee832 100644
--- a/sys/net80211/ieee80211_ioctl.h
+++ b/sys/net80211/ieee80211_ioctl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_ioctl.h,v 1.15 2009/01/26 19:09:41 damien Exp $ */
+/* $OpenBSD: ieee80211_ioctl.h,v 1.16 2009/02/13 17:24:54 damien Exp $ */
/* $NetBSD: ieee80211_ioctl.h,v 1.7 2004/04/30 22:51:04 dyoung Exp $ */
/*-
@@ -205,7 +205,9 @@ struct ieee80211_wpapsk {
#define IEEE80211_WPA_CIPHER_WEP104 0x10
#define IEEE80211_WPA_AKM_PSK 0x01
-#define IEEE80211_WPA_AKM_IEEE8021X 0x02
+#define IEEE80211_WPA_AKM_8021X 0x02
+#define IEEE80211_WPA_AKM_SHA256_PSK 0x04
+#define IEEE80211_WPA_AKM_SHA256_8021X 0x08
struct ieee80211_wpaparams {
char i_name[IFNAMSIZ]; /* if_name, e.g. "wi0" */
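Review bot: Renaming `IEEE80211_WPA_AKM_IEEE8021X` to `IEEE80211_WPA_AKM_8021X` in this ioctl header changes the name userland programs see (ifconfig.c in this same commit is one such consumer), so any third-party tool using the old name stops compiling even though the value 0x02 is unchanged. If that is intended for the release it should be stated in the commit message; otherwise a compatibility alias is cheap: `#define IEEE80211_WPA_AKM_IEEE8021X IEEE80211_WPA_AKM_8021X /* compat */`. The two new SHA-256 defines would also benefit from a one-line comment saying they are the Draft 802.11w AKMs and are accepted by the kernel but not yet settable through ifconfig(8), as the commit message explains.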