
wpa_supplicant modules and code structure

wpa_supplicant is a WPA(Wi-Fi Protected Access) Supplicant for Linux,
BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN).
Supplicant is the IEEE 802.1X/WPA component that is used in the client stations.
It implements key negotiation with a WPA Authenticator
and it can optionally control roaming
and IEEE 802.11 authentication/association of the wlan driver.

wpa_supplicant module structure

The wpa_supplicant module diagram is as follows (figure not reproduced in this text):

Event loop module

wpa_supplicant uses a single process/thread model
and an event loop to provide callbacks on events
(registered timeout, received packet, signal).
eloop.h defines the event loop interface. eloop.c is
an implementation of such an event loop using select() and sockets.
This is suitable for most UNIX/POSIX systems.
When porting to other operating systems,
it may be necessary to replace that implementation with OS specific
mechanisms that provide similar functionality.

wpa_supplicant uses a single-threaded model and is event-driven (event loop).

wpa_supplicant needs to have access to
sending and receiving layer 2 (link layer) packets with two Ethertypes:
EAP-over-LAN (EAPOL) 0x888e and RSN pre-authentication 0x88c7. l2_packet.h
defines the interfaces used for this in the core wpa_supplicant implementation.
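As an added example (not code from this page or from wpa_supplicant itself), here is the receive-side validation a layer-2 callback needs before a frame reaches the EAPOL or pre-authentication code: dispatch on the two Ethertypes above and check the IEEE 802.1X EAPOL header against what was actually received. The `parse_l2_frame`/`build_l2_frame` names, the station address and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

ETH_P_EAPOL = 0x888E        # EAP-over-LAN: EAP packets, EAPOL-Start/Logoff, EAPOL-Key
ETH_P_RSN_PREAUTH = 0x88C7  # RSN pre-authentication, handled by preauth.c

# IEEE 802.1X EAPOL packet types (the Type field of the EAPOL header)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}

@dataclass
class EapolFrame:
    dst: bytes
    src: bytes
    ethertype: int
    version: int
    pkt_type: str
    body: bytes

def parse_l2_frame(frame: bytes) -> EapolFrame:
    """Validate an Ethernet II frame as a receive callback must before handing it on."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETH_P_EAPOL, ETH_P_RSN_PREAUTH):
        raise ValueError(f"unexpected Ethertype 0x{ethertype:04x}")
    payload = frame[14:]
    if len(payload) < 4:
        raise ValueError("truncated EAPOL header")
    version, pkt_type, body_len = struct.unpack("!BBH", payload[:4])
    if pkt_type not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPOL packet type {pkt_type}")
    body = payload[4:]
    if body_len > len(body):
        raise ValueError(f"EAPOL length {body_len} exceeds the {len(body)} bytes received")
    # Short frames arrive padded to the Ethernet minimum: trust the EAPOL length, not the frame.
    return EapolFrame(dst, src, ethertype, version, EAPOL_TYPES[pkt_type], body[:body_len])

def build_l2_frame(dst, src, ethertype, version, pkt_type, body):
    """Inverse of parse_l2_frame; used here only to construct sample frames."""
    return dst + src + struct.pack("!HBBH", ethertype, version, pkt_type, len(body)) + body

# Constructed samples (station address made up; 01:80:c2:00:00:03 is the PAE group address).
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
STA_ADDR = bytes.fromhex("021122334455")
# EAPOL-Start as a station sends it, padded by the link layer to the 46-byte minimum payload.
EAPOL_START = build_l2_frame(PAE_GROUP_ADDR, STA_ADDR, ETH_P_EAPOL, 1, 1, b"") + b"\x00" * 42
# EAPOL-Key whose length field claims more than was received: must be rejected, not parsed.
TRUNCATED_KEY = build_l2_frame(STA_ADDR, PAE_GROUP_ADDR, ETH_P_EAPOL, 2, 3, b"\x02\x00\x8a")[:-2]
```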

Configuration module

wpa_supplicant implements a configuration interface
that allows the backend to be easily replaced in order to read
configuration data from a suitable source depending on the target
platform. config.c implements the generic code that can be shared with
all configuration backends. Each backend is implemented in its own config_*.c file.

Driver interface module

Unless the target OS and driver are already supported,
most porting projects have to implement a driver wrapper.
This may be done by adding a new driver interface module or
modifying an existing module (driver_*.c) if the new target
is similar to one of them. Driver wrapper implementation describes
the details of the driver interface
and discusses the tasks involved in porting this part of wpa_supplicant.

Control interface module

wpa_supplicant uses a control interface
to allow external processes to get status information
and to control the operations. Currently, this is implemented with
socket based communication; both UNIX domain sockets and UDP sockets are supported.
If the target OS does not support sockets,
this interface will likely need to be modified to
use another mechanism like message queues.
The control interface is an optional component,
so it is also possible to run wpa_supplicant without porting this part.
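The request/reply exchange on the UNIX-domain-socket backend, as an added example that is not part of the original page or of wpa_supplicant's own code: a small client modelled on wpa_ctrl.c, paired with a constructed stand-in for the daemon so that it runs offline. The `WpaCtrl`, `mock_ctrl_iface` and `demo` names and the temporary socket paths are this example's own; only the PING/PONG and UNKNOWN COMMAND replies follow the real interface.

```python
import os
import socket
import tempfile
import threading

class WpaCtrl:
    """Client side of the control interface over UNIX datagram sockets (cf. wpa_ctrl.c)."""
    def __init__(self, server_path, timeout=2.0):
        self.server_path = server_path
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        # Datagram sockets have no connection state: bind a local path so the daemon can reply.
        self.local_path = os.path.join(tempfile.gettempdir(), f"wpa_ctrl_{os.getpid()}-{id(self)}")
        self.sock.bind(self.local_path)
        self.sock.settimeout(timeout)

    def request(self, cmd):
        self.sock.sendto(cmd.encode(), self.server_path)  # one datagram per command
        return self.sock.recv(4096).decode("utf-8", "replace").rstrip("\n")

    def close(self):
        self.sock.close()
        os.unlink(self.local_path)

def mock_ctrl_iface(server_path, stop):
    """Constructed stand-in for ctrl_iface_unix.c: PING gets PONG, anything else UNKNOWN COMMAND."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(server_path)
    srv.settimeout(0.2)
    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
            except socket.timeout:
                continue
            srv.sendto(b"PONG\n" if data == b"PING" else b"UNKNOWN COMMAND\n", peer)
        srv.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread

def demo():
    path = os.path.join(tempfile.mkdtemp(), "wlan0")  # real layout: <ctrl_interface dir>/<ifname>
    stop = threading.Event()
    thread = mock_ctrl_iface(path, stop)
    client = WpaCtrl(path)
    try:
        return client.request("PING"), client.request("BOGUS")
    finally:
        client.close()
        stop.set()
        thread.join()
```

Against a real daemon the client would be pointed at the socket under the ctrl_interface directory (for example /var/run/wpa_supplicant/wlan0); anyone who can write to that socket can issue every command, so the directory's ownership and group setting are what restrict access.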

Driver events module

wpa_supplicant needs to receive event callbacks
when certain events occur
(association, disassociation, Michael MIC failure, scan results available, PMKSA caching candidate).
These events and the callback details are defined in
driver.h (wpa_supplicant_event() function and enum wpa_event_type).

State machine modules

WPA/WPA2 state machine, EAP state machine (RFC 4137), EAPOL state machine (IEEE 802.1X).

wpa_supplicant code structure

The wpa_supplicant implementation is divided into a number of independent modules.
Core code includes functionality for controlling the network selection,
association, and configuration. Independent modules include WPA code
(key handshake, PMKSA caching, pre-authentication),
EAPOL state machine, and EAP state machine and methods.
In addition, there are a number of separate files for generic helper functions.

Both the WPA and the EAPOL/EAP state machines can be used separately
in programs other than wpa_supplicant. As an example,
the included test programs eapol_test and preauth_test use these modules.

Driver interface API is defined in driver.h
and all hardware/driver dependent functionality is implemented in driver_*.c.


  • wpa_supplicant core functionality
  • Generic helper functions
  • Cryptographic functions
  • TLS library
  • Configuration
  • Control interface
  • WPA supplicant
  • EAP peer
  • EAPOL supplicant
  • Windows port
  • Test programs


wpa_supplicant core functionality

  • wpa_supplicant.c: program initialization and main loop control.
  • main.c: main() for Unix-like and Windows operating systems; processes the startup parameters that configure wpa_supplicant.
  • events.c: driver event processing; wpa_supplicant_event() and related functions.
  • wpa_supplicant_i.h: internal definitions for the core functionality; this header should not be included by the independent modules.

Generic helper functions

wpa_supplicant uses a set of common helper functions, some of which are shared with hostapd. The code currently in use is as follows:

  • eloop.c and eloop.h: event loop (select() loop with registered timeouts, socket read callbacks, and signal callbacks)
  • common.c and common.h: common helper functions
  • defs.h: definitions shared by multiple files
  • l2_packet.h, l2_packet_linux.c, and l2_packet_pcap.c: Layer 2 (link layer) access wrapper functions
    (including a native Linux implementation and wrappers for libdnet/libpcap).
    A new l2_packet implementation has to be added when porting to a new system that libdnet/libpcap do not support.
    The Makefile selects which l2_packet implementation is included.
    l2_packet_linux.c uses Linux packet sockets; l2_packet_pcap.c uses libpcap and libdnet and is more portable.
  • pcsc_funcs.c and pcsc_funcs.h: wrapper for PC/SC lite SIM and smart card readers
  • priv_netlink.h: private version of the netlink definitions from the Linux kernel headers; it can be replaced by the C library headers once a suitable version becomes commonly available.
  • version.h: version number definitions
  • wireless.h: private version of the Linux wireless extensions definitions from the kernel headers; it can be replaced by the C library headers once a suitable version becomes commonly available.

Cryptographic functions

  • md5.c and md5.h: MD5 (replaced by the crypto library if TLS support is enabled); HMAC-MD5 (keyed message authentication)
  • rc4.c and rc4.h: RC4 (broadcast/default key encryption)
  • sha1.c and sha1.h: SHA-1 (replaced by the crypto library if TLS support is enabled); HMAC-SHA-1 (keyed message authentication); PRF-SHA-1 (pseudorandom function for key/nonce generation); PBKDF2-SHA-1 (ASCII passphrase to shared secret); T-PRF (for EAP-FAST); TLS-PRF (RFC 2246)
  • sha256.c and sha256.h: SHA-256 (replaced by the crypto library if TLS support is enabled)
  • aes_wrap.c, aes_wrap.h, aes.c: AES (replaced by the crypto library if TLS support is enabled); AES Key Wrap Algorithm with 128-bit KEK, RFC 3394 (broadcast/default key encryption); One-Key CBC MAC (OMAC1) hash with AES-128; AES-128 CTR mode encryption; AES-128 EAX mode encryption/decryption; AES-128 CBC
  • crypto.h: definition of the crypto library wrapper
  • crypto_openssl.c: wrapper functions for libcrypto (OpenSSL)
  • crypto_internal.c: wrapper functions for the internal crypto implementation
  • crypto_gnutls.c: wrapper functions for libgcrypt (used by GnuTLS)
  • ms_funcs.c and ms_funcs.h: helper functions for MSCHAPV2 and LEAP
  • tls.h: definition of the TLS library wrapper
  • tls_none.c: dummy implementation of the TLS library wrapper for cases where TLS functionality is not included
  • tls_openssl.c: TLS library wrapper for OpenSSL
  • tls_internal.c: TLS library wrapper for the internal TLS implementation
  • tls_gnutls.c: TLS library wrapper for GnuTLS

TLS (Transport Layer Security) library

  • asn1.c and asn1.h: ASN.1 DER decoding
  • bignum.c and bignum.h: big number math
  • rsa.c and rsa.h: RSA
  • x509v3.c and x509v3.h: X.509v3 certificate parsing and processing
  • tlsv1_client.c, tlsv1_client.h: TLSv1 client (RFC 2246)
  • tlsv1_client_i.h: TLSv1 client internal structures
  • tlsv1_client_read.c: TLSv1 client: read handshake messages
  • tlsv1_client_write.c: TLSv1 client: write handshake messages
  • tlsv1_common.c and tlsv1_common.h: TLSv1 common routines and definitions
  • tlsv1_cred.c and tlsv1_cred.h: TLSv1 credentials (certificates)
  • tlsv1_record.c and tlsv1_record.h: TLSv1 record protocol

Configuration

  • config_ssid.h: definition of the per-network configuration items
  • config.h: definition of the wpa_supplicant configuration
  • config.c: configuration parser and common functions
  • config_file.c: backend for text configuration files (e.g., wpa_supplicant.conf)
  • config_winreg.c: configuration backend for the Windows registry

Control interface

wpa_supplicant has a control interface that external programs can use to get status information and perform management operations.
The wpa_supplicant distribution includes a command-line interface (wpa_cli) and a graphical interface (wpa_gui).

  • ctrl_iface.c and ctrl_iface.h: wpa_supplicant-side control interface
  • ctrl_iface_unix.c: control interface backend based on UNIX domain sockets
  • ctrl_iface_udp.c: control interface backend based on UDP sockets
  • ctrl_iface_named_pipe.c: control interface backend based on Windows named pipes
  • wpa_ctrl.c and wpa_ctrl.h: library functions for external programs to access the wpa_supplicant control interface
  • wpa_cli.c: example program using the wpa_supplicant control interface

WPA supplicant

  • wpa.c and wpa.h: WPA state machine and 4-Way/Group Key Handshake processing
  • preauth.c and preauth.h: PMKSA caching and pre-authentication (RSN/WPA2)
  • wpa_i.h: internal definitions for the WPA code; other modules must not include this header

EAP peer

The EAP peer implementation is an independent module that can be used in other programs.

  • eap.c and eap.h: EAP state machine and method interface
  • eap_defs.h: common EAP definitions
  • eap_i.h: internal definitions for the EAP state machine and methods; not to be included by other modules
  • eap_sim_common.c and eap_sim_common.h: common code for EAP-SIM and EAP-AKA
  • eap_tls_common.c and eap_tls_common.h: common code for EAP-PEAP, EAP-TTLS, and EAP-FAST
  • eap_tlv.c and eap_tlv.h: EAP-TLV code for EAP-PEAP and EAP-FAST
  • eap_ttls.c and eap_ttls.h: EAP-TTLS
  • eap_pax.c, eap_pax_common.h, eap_pax_common.c: EAP-PAX
  • eap_psk.c, eap_psk_common.h, eap_psk_common.c: EAP-PSK (note: not needed for WPA-PSK)
  • eap_sake.c, eap_sake_common.h, eap_sake_common.c: EAP-SAKE
  • eap_gpsk.c, eap_gpsk_common.h, eap_gpsk_common.c: EAP-GPSK
  • eap_aka.c, eap_fast.c, eap_gtc.c, eap_leap.c, eap_md5.c, eap_mschapv2.c, eap_otp.c, eap_peap.c, eap_sim.c, eap_tls.c: other EAP method implementations

EAPOL supplicant

  • eapol_supp_sm.c and eapol_supp_sm.h: EAPOL supplicant state machine and IEEE 802.1X processing

Windows port

  • ndis_events.c: code that receives events from NdisMIndicateStatus() and delivers them to wpa_supplicant's driver_ndis.c in an easier-to-use form
  • win_if_list.c: external program for listing the current network interfaces

Test programs

  • radius_client.c and radius_client.h: RADIUS authentication client for eapol_test
  • radius.c and radius.h: RADIUS message processing for eapol_test
  • eapol_test.c: standalone EAP testing tool with an integrated RADIUS authentication client
  • preauth_test.c: standalone RSN pre-authentication tool
  • wpa_passphrase.c: WPA ASCII passphrase to PSK conversion
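The passphrase-to-PSK conversion that wpa_passphrase performs (the PBKDF2-SHA-1 entry in the cryptographic functions list above), as an added example rather than the project's own code. Python's hashlib stands in for the PBKDF2 routine in sha1.c; the function names are this example's own, and the config-value handling mirrors the two forms a psk= line takes in wpa_supplicant.conf (quoted passphrase or 64 hex digits).

```python
import hashlib
import re

PSK_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")

def check_passphrase(passphrase: str) -> None:
    """Rules applied to a quoted passphrase: 8..63 printable ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must consist of printable ASCII characters")

def passphrase_to_psk(ssid: str, passphrase: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    hashlib.pbkdf2_hmac stands in here for the project's PBKDF2-SHA-1 in sha1.c."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def psk_from_config(ssid: str, psk_field: str) -> bytes:
    """Resolve a psk= value: a quoted passphrase is derived, a bare 64-hex-digit
    value is the PSK itself (no derivation, and no passphrase stored on disk)."""
    if len(psk_field) >= 2 and psk_field[0] == psk_field[-1] == '"':
        return passphrase_to_psk(ssid, psk_field[1:-1])
    if PSK_HEX_RE.match(psk_field):
        return bytes.fromhex(psk_field)
    raise ValueError("psk must be a quoted passphrase or exactly 64 hex digits")

def network_block(ssid: str, passphrase: str) -> str:
    """Render the network block that wpa_passphrase prints."""
    psk = passphrase_to_psk(ssid, passphrase)
    return "\n".join(["network={", f'\tssid="{ssid}"', f'\t#psk="{passphrase}"',
                      f"\tpsk={psk.hex()}", "}"])

if __name__ == "__main__":
    # Known-answer vector from IEEE 802.11i: SSID "IEEE", passphrase "password".
    print(network_block("IEEE", "password"))
```

The commented #psk line exists only so the hex value can be regenerated; a configuration file that keeps it stores the passphrase in the clear.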
