CONFIG_INTERNAL_LIBTOMMATH_FAST=y in .config can now be used to enable all
optimized routines at a cost of about 4 kB. This is small enough increase
in size to justify simplified configuration.
At the cost of about 1 kB of additional binary size, the internal
LibTomMath can be configured to include faster div routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_DIV=y in
.config.
This gets rid of potential warnings about buffer bounds errors. The earlier
code works fine, but it is not the cleanest way of using the struct wpa_ptk
definition for TK1/TK2.
At the cost of about 0.5 kB of additional binary size, the internal
LibTomMath can be configured to include faster sqr routine to speed up DH
and RSA. This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_SQR=y in
.config.
struct wpa_ie_hdr had separate fields for 24-bit OUI and 8-bit oui_type
for WPA/RSN selectors. {WPA,RSN}_SELECTOR_{GET,PUT} access these four
octets through oui and the "out-of-bounds" access for the fourth octet is
actually reading/writing oui_type. This works fine, but some tools complain
about the array bounds "failure". Since oui_type is never accessed
separately, the simplest fix is to just combine these into a single 4-octet
field.
Depending on how the driver implements IBSS searching and creation, it
may need to perform one or more scans before successfully completing the
association operation. Therefore, increase the timeout for IBSS
association operations so that the supplicant doesn't interrupt the
driver as much.
Since mac80211 requires that the device be !IFF_UP to change the mode
(and I think the old prism54 fullmac driver does too), do that. This
shouldn't harm fullmac devices since they can handle mode switches on
the fly and usually don't care about up/down that much.
Add a cost of about 2.5 kB of additional cost, the internal LibTomMath can
be configured to include fast exptmod routine to speed up DH and RSA.
This can be enabled with CONFIG_INTERNAL_LIBTOMMATH_FAST_EXPTMOD=y in
.config.
In situations where the driver does background scanning and sends a
steady stream of scan results, wpa_supplicant would continually
reschedule the scan. This resulted in specific SSID scans never
happening for a hidden AP, and the supplicant never connecting to the AP
because it never got found. Instead, if there's an already scheduled
scan, and a request comes in to reschedule it, and there are enabled
scan_ssid=1 network blocks, let the scan happen anyway so the hidden
SSID has a chance to be found.
linux/wireless.h ends up including number of Linux kernel header files and
many of the definitions are conflicting with (or at least duplicating)
definitions in net/if.h.
mac80211 sends _both_ channel and frequency in it's scan results, with
frequency first and channel second (it's since been fixed to send
channel first and frequency second to work around this issue). This
results in wpa_supplicant getting the right value when the frequency
comes, but overwriting the value with '0' when the channel comes because
wpa_supplicant can't handle 5GHz channel numbers. So if a valid
previous SIOCGIWFREQ event came in, don't try to overwrite it.
The internal TLS implementation can now use both PKCS #1 RSA private key
and PKCS #8 encapsulated RSA private key. PKCS #8 encrypted private key is
not yet supported.
The server handshake processing was still using SSL_read() to get OpenSSL
to perform the handshake. While this works for most cases, it caused some
issues for re-authentication. This is now changed to use SSL_accept() which
is more approriate here since we know that the handshake is still going on
and there will not be any tunneled data available. This resolves some of
the re-authentication issues and makes it possible for the server to notice
if TLS processing fails (SSL_read() did not return an error in many of
these cases while SSL_accept() does).
Set session id context to a unique value in order to avoid fatal errors
when client tries session resumption (SSL_set_session_id_context() must be
called for that to work), but disable session resumption with the unique
value for the time being since not all server side code is ready for it yet
(e.g., EAP-TTLS needs special Phase 2 processing when using abbreviated
handshake).
Changed EAP-TLS server not to call TLS library when processing the final
ACK (empty data) from the client in order to avoid starting a new TLS
handshake with SSL_accept().
Move the basic processing of received frames into eap_tls_common.c and use
callback functions to handle EAP type specific processing of the version
field and payload.
Fragmentation is now done as a separate step to clean up the design and to
allow the same code to be used in both Phase 1 and Phase 2. This adds
support for fragmenting EAP-PEAP/TTLS/FAST Phase 2 (tunneled) data.
Need to clear the state back to MSG after having processed all incoming
fragments. Without this, the server got stuck in sending the fragment ACK
even after having received the full message.
Even though we try to disable TLS compression, it is possible that this
cannot be done with all TLS libraries. For example, OpenSSL 0.9.8 does not
seem to have a configuration item for disabling all compression (0.9.9 has
such an option). If compression is used, Phase 2 decryption may end up
producing more data than the input buffer due to compressed data. This
shows up especially with EAP-TNC that uses very compressible data format.
As a workaround, increase the decryption buffer length to (orig_len+500)*3.
This is a hack, but at least it handles most cases. TLS compression should
really be disabled for EAP use of TLS, but since this can show up with
common setups, it is better to handle this case.
It looks like this SSL_set_options() value was added in 0.9.9 and it does
not exist in stable releases of OpenSSL. Fix build by using #ifdef on this
variable before use.
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
The TLS client changes in ssl3_get_server_hello() were based on the
pre-RFC 5077 version of OpenSSL and they hardcoded s->hit to 1 in case
PAC-Opaque was used. This prevented fallback to full TLS handshake in case
the server rejected PAC-Opaque in ClientHello. The fixed version simplifies
ssl3_get_server_hello() and uses the new RFC 5077 functionality in OpenSSL
(ssl3_check_finished) to allow the state machine handle start of
abbreviated handshake based on the used ticket.
The middle byte of the secret (key for PRF) is shared with key halfs in
case the key length is odd. This does not happen in any of the current
tls_prf() uses, but it's better to fix this function to avoid future issues
should someone end up defining a use that uses an odd length for the key.