mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-17 10:26:15 +00:00
56 lines
2.9 KiB
Plaintext
56 lines
2.9 KiB
Plaintext
To do:
|
|
- hostap: try other roaming modes
|
|
NOTE: current mode (manual roaming) does not really roam at all..
|
|
Firmware did not notice the current AP disappearing..
|
|
- add support for WPA with ap_scan=0 (update selected cipher etc. based on
|
|
AssocInfo; make sure these match with configuration)
|
|
- optional security separation (build time option): run EAPOL state machines
|
|
as non-root (need to add something like socketpair between privileged root
|
|
process and non-root handler; send EAPOL packets between processes
|
|
and send keying data from non-root -> privileged)
|
|
EAPOL-Key processing (WPA & WEP keys) could be in privileged part
|
|
at least in the beginning; some parts might end up being moved to
|
|
non-root part eventually
|
|
- consider closing smart card / PCSC connection when EAP-SIM/EAP-AKA
|
|
authentication has been completed (cache scard data based on serial#(?)
|
|
and try to optimize next connection if the same card is present for next
|
|
auth)
|
|
- EAP-AKA: AT_CHECKCODE
|
|
- EAP-SIM/AKA: AT_RESULT_IND
|
|
- on disconnect event, could try to associate with another AP if one is
|
|
present in scan results; would need to update scan results periodically..
|
|
- add flag scan_requested and only try to re-associate if this is set when
|
|
new scan results are received; this would allow background scans without
|
|
triggering re-assoc..
|
|
- if driver/hw is not WPA2 capable, must remove WPA_PROTO_RSN flag from
|
|
ssid->proto fields to avoid detecting downgrade attacks when the driver
|
|
is not reporting RSN IE, but msg 3/4 has one
|
|
- EAP-SIM/AKA: if SIM reader initialization fails, do not start authentication
|
|
- Cisco AP and non-zero keyidx for unicast -> map to broadcast
|
|
(actually, this already works with driver_ndis; so maybe just change
|
|
driver_*.c to do the mapping for drivers that cannot handle non-zero keyidx
|
|
for unicast); worked also with Host AP driver and madwifi
|
|
- IEEE 802.1X and key update with driver_ndis?? wpa_supplicant did not seem
|
|
to see unencrypted EAPOL-Key frames at all..
|
|
- -Dwired: if ssid is set in network block, authentication gets "stuck" since
|
|
driver_wired.c only reports empty SSID and association is not assumed to be
|
|
ok
|
|
- EAP-PAX with PAX_SEC
|
|
- EAP: extended nak, vendor method; go through rfc
|
|
RFC 3748
|
|
* Expanded Type (Sect. 5.7)
|
|
* Experimental Type
|
|
* Expanded Nak (Sect. 5.3.2)
|
|
* OTP Extended Responses (Sect. 5.5)
|
|
- test what happens if authenticator sends EAP-Success before real EAP
|
|
authentication ("canned" Success); this should be ignored based on
|
|
RFC 3748 Sect. 4.2
|
|
- test compilation with gcc -W options (more warnings?)
|
|
- add proper support for using dot11RSNAConfigSATimeout
|
|
- ctrl_iface: get/set/remove blob
|
|
- use doc/docbook/*.sgml and docbook2{txt,html,pdf} to replace README and
|
|
web pages including the same information.. i.e., have this information only
|
|
in one page; how to build a PDF file with all the SGML included?
|
|
- test wait-for-interface and daemonize combinations with number of driver
|
|
interfaces
|