55 lines
2.9 KiB
Plaintext
55 lines
2.9 KiB
Plaintext
|
To do:
|
||
|
- add WPA support to Linux Wireless Extensions
|
||
|
- add support for other drivers
|
||
|
- implement GUI for WPA Supplicant/Xsupplicant/iwconfig/iwlist
|
||
|
(easy to use configuration and network stats, etc.)
|
||
|
- add support for opportunistic PMKSA caching
|
||
|
- hostap: try other roaming modes
|
||
|
NOTE: current mode (manual roaming) does not really roam at all..
|
||
|
Firmware did not notice the current AP disappearing..
|
||
|
- EAP-MSCHAPv2: add support for password changing
|
||
|
- add support for WPA with ap_scan=0 (update selected cipher etc. based on
|
||
|
AssocInfo; make sure these match with configuration)
|
||
|
- add driver interface for using wpa_supplicant with wired interface
|
||
|
(or a separate program using EAPOL library)
|
||
|
- wpa_supplicant.conf g+rw so that frontend can change wpa_supplicant.conf
|
||
|
and RECONFIG wpa_supplicant (?)
|
||
|
(or wpa_supplicant changes .conf and ctrl interface gets support for
|
||
|
changing config?)
|
||
|
- optional security separation (build time option): run EAPOL state machines
|
||
|
as non-root (need to add something like socketpair between privileged root
|
||
|
process and non-root handler; send EAPOL packets between processes
|
||
|
and send keying data from non-root -> privileged)
|
||
|
EAPOL-Key processing (WPA & WEP keys) could be in privileged part
|
||
|
at least in the beginning; some parts might end up being moved to
|
||
|
non-root part eventually
|
||
|
- consider closing smart card / PCSC connection when EAP-SIM/EAP-AKA
|
||
|
authentication has been completed (cache scard data based on serial#(?)
|
||
|
and try to optimize next connection if the same card is present for next
|
||
|
auth)
|
||
|
- EAP-AKA: AT_CHECKCODE
|
||
|
- EAP-SIM/AKA: AT_RESULT_IND
|
||
|
- abort auth if EAP method initialization fails and there no other
|
||
|
accepted methods (i.e., do not send NAK for the same method that just
|
||
|
failed)
|
||
|
- on disconnect event, could try to associate with another AP if one is
|
||
|
present in scan results; would need to update scan results periodically..
|
||
|
- add flag scan_requested and only try to re-associate if this is set when
|
||
|
new scan results are received; this would allow background scans without
|
||
|
triggering re-assoc..
|
||
|
- if driver/hw is not WPA2 capable, must remove WPA_PROTO_RSN flag from
|
||
|
ssid->proto fields to avoid detecting downgrade attacks when the driver
|
||
|
is not reporting RSN IE, but msg 3/4 has one
|
||
|
- read CA certs from PFX file
|
||
|
- EAP-SIM/AKA: if SIM reader initialization fails, do not start authentication
|
||
|
- Cisco AP and non-zero keyidx for unicast -> map to broadcast
|
||
|
(actually, this already works with driver_ndis; so maybe just change
|
||
|
driver_*.c to do the mapping for drivers that cannot handle non-zero keyidx
|
||
|
for unicast)
|
||
|
- IEEE 802.1X and key update with driver_ndis?? wpa_supplicant did not seem
|
||
|
to see unencrypted EAPOL-Key frames at all..
|
||
|
- update developer.txt to match with current implementation
|
||
|
(driver API updates, EAP methods)
|
||
|
- driver_wext.c and driver that does not support WPA -> fix plaintext, WEP, and
|
||
|
IEEE 802.1X operation (e.g., use capabilities to report no support for WPA)
|