Software: Apache/2.2.3 (CentOS). PHP/5.1.6 uname -a: Linux mx-ll-110-164-51-230.static.3bb.co.th 2.6.18-194.el5PAE #1 SMP Fri Apr 2 15:37:44 uid=48(apache) gid=48(apache) groups=48(apache) Safe-mode: OFF (not secure) /usr/share/doc/wpa_supplicant-0.5.10/ drwxr-xr-x |
Viewing file: todo.txt (6.84 KB) -rw-r--r-- Select action/file-type: (+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) | To do: - hostap: try other roaming modes NOTE: current mode (manual roaming) does not really roam at all.. Firmware did not notice the current AP disappearing.. - add support for WPA with ap_scan=0 (update selected cipher etc. based on AssocInfo; make sure these match with configuration) - optional security separation (build time option): run EAPOL state machines as non-root (need to add something like socketpair between privileged root process and non-root handler; send EAPOL packets between processes and send keying data from non-root -> privileged) EAPOL-Key processing (WPA & WEP keys) could be in privileged part at least in the beginning; some parts might end up being moved to non-root part eventually - consider closing smart card / PCSC connection when EAP-SIM/EAP-AKA authentication has been completed (cache scard data based on serial#(?) and try to optimize next connection if the same card is present for next auth) - EAP-AKA: AT_CHECKCODE - EAP-SIM/AKA: AT_RESULT_IND - on disconnect event, could try to associate with another AP if one is present in scan results; would need to update scan results periodically.. - if driver/hw is not WPA2 capable, must remove WPA_PROTO_RSN flag from ssid->proto fields to avoid detecting downgrade attacks when the driver is not reporting RSN IE, but msg 3/4 has one - Cisco AP and non-zero keyidx for unicast -> map to broadcast (actually, this already works with driver_ndis; so maybe just change driver_*.c to do the mapping for drivers that cannot handle non-zero keyidx for unicast); worked also with Host AP driver and madwifi - IEEE 802.1X and key update with driver_ndis?? wpa_supplicant did not seem to see unencrypted EAPOL-Key frames at all.. - EAP-PAX with PAX_SEC - EAP (RFC 3748) * OTP Extended Responses (Sect. 5.5) - test what happens if authenticator sends EAP-Success before real EAP authentication ("canned" Success); this should be ignored based on RFC 3748 Sect. 4.2 - test compilation with gcc -W options (more warnings?) (Done once; number of unused function arguments still present) - add proper support for using dot11RSNAConfigSATimeout - ctrl_iface: get/set/remove blob - use doc/docbook/*.sgml and docbook2{txt,html,pdf} to replace README and web pages including the same information.. i.e., have this information only in one page; how to build a PDF file with all the SGML included? - test wait-for-interface and daemonize combinations with number of driver interfaces * 'test' worked with WPA-PSK - EAP-POTP/RSA SecurID profile (draft-nystrom-eap-potp-03.txt) - document wpa_gui build and consider adding it to 'make install' - test madwifi with pairwise=TKIP group=WEP104 - possibility to link in WPA Authenticator state machine to wpa_supplicant (new STAKey handshake, WPA2 IBSS) - consider merging hostapd and wpa_supplicant PMKSA cache implementations - add support for configuring password for MSCHAPv2 as NtPasswordHash in the same way as was added to hostapd (hash:<hex value>) - test_driver: configure directory and create AP-<mac> and STA-<mac> files there to allow scanning multiple APs (e.g., for testing pre-auth and PMKSA caching testing) and to exchange STA-STA EAPOL frames - consider adding generic buffer functionality that could be used in number of places * allocate buffer (with default max size), allow reserving head room to make it possible to add a header without having to reallocate buffer * reallocate buffer (add head and/or tail room) * ref count and free when count=0 ? * add data (to tail): re-alloc more tailroom if needed and copy new data * error flag so that caller can do multiple add()s and only in the end check whether something has failed; this should make error handling simpler - consider redesigning pending EAP requests (identity/password/otp from ctrl_iface) by moving the retrying of the previous request into EAP state machine so that EAPOL state machine is not needed for this - rfc4284.txt (network selection for eap) - www pages about configuring wpa_supplicant: * global options (ap_scan, ctrl_interfaces) based on OS/driver * network block * key_mgmt selection * WPA parameters * EAP options (one page for each method) * "configuration wizard" (step 1: select OS, step 2: select driver, ...) to generate example configuration - error path in rsn_preauth_init: should probably deinit l2_packet handlers if something fails; does something else need deinit? - consider moving SIM card functionality (IMSI fetching) away from eap.c; this should likely happen before EAP is initialized for authentication; now IMSI is read only after receiving EAP-Identity/Request, but since it is really needed for all cases, reading IMSI and generating Identity string could very well be done before EAP has been started - test all allowed EAP Phase 2 methods (i.e., anything else than PEAP, TTLS, FAST): SIM AKA PAX PSK LEAP; if these work, include in eap_testing.txt; if not, either fix or make eap_allowed_phase2_type reject - try to work around race in receiving association event and first EAPOL message - helper function to do memcmp(addr, "\x00\x00\x00\x00\x00\x00", ETH_ALEN) - add wpa_secure_memzero() macro and secure implementation (volatile u8*) to clear memory; this would be used to clear temporary buffers containing private data (e.g., keys); the macro can be defined to NOP in order to save space (i.e., no code should depend on the macro doing something) - make sure that TLS session cache is not shared between EAP types or if it is, that the cache entries are bound to only one EAP type; e.g., cache entry created with EAP-TLS must not be allowed to do fast re-auth with EAP-TTLS - consider moving eap_tls_build_ack() call into eap_tls_process_helper() (it seems to be called always if helper returns 1) * could need to modify eap_{ttls,peap,fast}_decrypt to do same - add support for fetching full user cert chain from Windows certificate stores even when there are intermediate CA certs that are not in the configured ca_cert store (e.g., ROOT) (they could be, e.g., in CA store) 0.6.x branch: - clean up common.[ch] - change TLS/crypto library interface to use a structure of function pointers and helper inline functions (like driver_ops) instead of requiring every TLS wrapper to implement all functions - move from CVS to git (0.3.x, 0.4.x, 0.5.x releases will continue to be updated only on CVS) - move files into subdirectories and combine wpa_supplicant and hostapd into a repository that matches in directory structure with the release tarballs (subdirs: eap_common, eap_peer, eap_server, driver, driver_ap, ...) - make it clearer that EAP server/peer can be used as a separate library for other programs - add support for encrypted configuration fields (e.g., password, psk, passphrase, pin) - wpa_gui: add support for setting and showing priority, id_str, auth_alg (open/shared for static WEP) |
:: Command execute :: | |
:: Shadow's tricks :D :: | |
Useful Commands
|
:: Preddy's tricks :D :: | |
Php Safe-Mode Bypass (Read Files)
|
--[ c999shell v. 1.0 pre-release build #16 Modded by Shadow & Preddy | RootShell Security Group | r57 c99 shell | Generation time: 0.0108 ]-- |