NetBSD/dist/wpa_supplicant/todo.txt

56 lines
2.9 KiB
Plaintext

To do:
- hostap: try other roaming modes
NOTE: current mode (manual roaming) does not really roam at all..
Firmware did not notice the current AP disappearing..
- add support for WPA with ap_scan=0 (update selected cipher etc. based on
AssocInfo; make sure these match with configuration)
- optional security separation (build time option): run EAPOL state machines
as non-root (need to add something like socketpair between privileged root
process and non-root handler; send EAPOL packets between processes
and send keying data from non-root -> privileged)
EAPOL-Key processing (WPA & WEP keys) could be in privileged part
at least in the beginning; some parts might end up being moved to
non-root part eventually
- consider closing smart card / PCSC connection when EAP-SIM/EAP-AKA
authentication has been completed (cache scard data based on serial#(?)
and try to optimize next connection if the same card is present for next
auth)
- EAP-AKA: AT_CHECKCODE
- EAP-SIM/AKA: AT_RESULT_IND
- on disconnect event, could try to associate with another AP if one is
present in scan results; would need to update scan results periodically..
- add flag scan_requested and only try to re-associate if this is set when
new scan results are received; this would allow background scans without
triggering re-assoc..
- if driver/hw is not WPA2 capable, must remove WPA_PROTO_RSN flag from
ssid->proto fields to avoid detecting downgrade attacks when the driver
is not reporting RSN IE, but msg 3/4 has one
- EAP-SIM/AKA: if SIM reader initialization fails, do not start authentication
- Cisco AP and non-zero keyidx for unicast -> map to broadcast
(actually, this already works with driver_ndis; so maybe just change
driver_*.c to do the mapping for drivers that cannot handle non-zero keyidx
for unicast); worked also with Host AP driver and madwifi
- IEEE 802.1X and key update with driver_ndis?? wpa_supplicant did not seem
to see unencrypted EAPOL-Key frames at all..
- -Dwired: if ssid is set in network block, authentication gets "stuck" since
driver_wired.c only reports empty SSID and association is not assumed to be
ok
- EAP-PAX with PAX_SEC
- EAP: extended nak, vendor method; go through rfc
RFC 3748
* Expanded Type (Sect. 5.7)
* Experimental Type
* Expanded Nak (Sect. 5.3.2)
* OTP Extended Responses (Sect. 5.5)
- test what happens if authenticator sends EAP-Success before real EAP
authentication ("canned" Success); this should be ignored based on
RFC 3748 Sect. 4.2
- test compilation with gcc -W options (more warnings?)
- add proper support for using dot11RSNAConfigSATimeout
- ctrl_iface: get/set/remove blob
- use doc/docbook/*.sgml and docbook2{txt,html,pdf} to replace README and
web pages including the same information.. i.e., have this information only
in one page; how to build a PDF file with all the SGML included?
- test wait-for-interface and daemonize combinations with number of driver
interfaces