Some deployed authentication servers seem to be unable to handle the TLS
Session Ticket extension (they are supposed to ignore unrecognized TLS
extensions, but end up rejecting the ClientHello instead). As a
workaround, disable use of TLS Sesson Ticket extension for EAP-TLS,
EAP-PEAP, and EAP-TTLS (EAP-FAST uses session ticket, so any server that
supports EAP-FAST does not need this workaround).
Signed-hostap: Jouni Malinen <j@w1.fi>
tls_disable_session_ticket=1 in phase1/phase2 can now be used to disable
use of TLS Session Ticket extension (which is enabled by default in
recent OpenSSL versions). This can be used to work around issues with
broken authentication servers that do not ignore unrecognized TLS
extensions properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used to implement workaround for authentication servers that
do not handle TLS extensions in ClientHello properly.
Signed-hostap: Jouni Malinen <j@w1.fi>
If bgscan is enabled, then bgscan is initiated after the connection,
with no bss scan result information. Since a scan was performed prior to
the connection, the information exists and can be used to initialize the
bgscan's cache.
Signed-hostap: Yoni Divinsky <yoni.divinsky@ti.com>
WSC 2.0 deprecates use of WPA (TKIP) and does not allow WPA/TKIP only
configuration (i.e., WPA2/CCMP needs to be enabled in mixed mode for
WPA/TKIP to be acceptable). Enforce this by disabling WPS if
configuration enables WPA/TKIP without WPA2/CCMP.
Signed-off-by: Avinash Patil <patila@marvell.com>
The PKCS5_PBKDF2_HMAC_SHA1() function in OpenSSL 0.9.7 did not mark
the salt parameter const even though it was not modified. Hide the
compiler warning with a type cast when an old OpenSSL version is
used.
Signed-hostap: Jouni Malinen <j@w1.fi>
When CONFIG_FIPS=y is used, do not include MD5 in the build and disable
EAPOL-Key frames that use MD5 (WPA/TKIP and dynamic WEP with IEEE
802.1X).
Signed-hostap: Jouni Malinen <j@w1.fi>
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.
Signed-hostap: Jouni Malinen <j@w1.fi>
OpenSSL-based builds may need libdl in the linker line after the OpenSSL
library. CONFIG_TLS_ADD_DL=y can now be used to force that if needed.
Signed-hostap: Jouni Malinen <j@w1.fi>
Use SSL_export_keying_material() if possible, i.e., if OpenSSL is
version 1.0.1 or newer and if client random value is used first. This
allows MSK derivation with TLS-based EAP methods (apart from EAP-FAST)
without exporting the master key from OpenSSL.
Signed-hostap: Jouni Malinen <j@w1.fi>
Previously, CONFIG_EAP_MSCHAPV2=y was assumed to be set for
CONFIG_EAP_TTLS=y. Avoid this dependency by making including the
MSCHAPv2 parts in EAP-TTLS conditionally.
Signed-hostap: Jouni Malinen <j@w1.fi>
In theory, the SHA1 operation may fail (e.g., if SHA1 becomes disallowed
in some security policies), so better check the return code from
challenge_hash().
Signed-hostap: Jouni Malinen <j@w1.fi>
This can be used for convenience to build wpa_supplicant with OpenSSL
FIPS object module. CONFIG_FIPS=y is expected to be used in
wpa_supplicant/.config when using this option.
Signed-hostap: Jouni Malinen <j@w1.fi>
Do not leave the tls_global context allocated if the global OpenSSL
initialization fails. This was possible in case of FIPS builds if
the FIPS mode cannot be initialized.
Signed-hostap: Jouni Malinen <j@w1.fi>
Increase GO config timeout if HT40 is used since it takes some time
to scan channels for coex purposes before the BSS can be started.
Signed-hostap: Jouni Malinen <j@w1.fi>
Add optional "ht40" argument for p2p_group_add command to enable 40 MHz
in 5GHz band. This configures the secondary channel, when HT support is
enabled and if the HW supports 40 MHz channel width.
Signed-hostap: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
These helper functions can be used to implement most of the common
wpa_cli commands to simplify the implementation.
Signed-hostap: Jouni Malinen <j@w1.fi>
If key_mgmt was set to allow both WPA and non-WPA IEEE 802.1X (i.e., to
IEEE8021X WPA-EAP), non-WPA IEEE 802.1X was rejected while preparing
association parameters. Allow this special case to be handled by
selecting non-WPA case if the scan results for the AP do not include
either WPA or RSN elements.
Signed-hostap: Jouni Malinen <j@w1.fi>
Refactoring done in commit 46ee0427b1
(IEEE 802.11u: Allow Interworking and HESSID to be configured)
broke adding extra IEs in sched scan. The IEs stopped being added
to the scan params within wpa_supplicant_extra_ies() but no code
was added to add them in wpa_supplicant_req_sched_scan().
Fix this and remove unused params arg in wpa_supplicant_extra_ies().
Signed-hostap: Eyal Shapira <eyal@wizery.com>
intended-for: hostap-1
GAS_QUERY_TIMEOUT value was used for two different things - enum for
status callback and #define for internal eloop timeout). The latter
overwrites the former and as such, the timeout reported ended up going
out with value 5 which matches with GAS_QUERY_CANCELLED instead of
GAS_QUERY_TIMEOUT. This value was not used in existing code, so this
should not modify the current behavior. Anyway, the correct reason for
the failure should be reported. Rename the internal #define for the
timeout period to avoid the name conflict. [Bug 463]
Signed-hostap: Jouni Malinen <j@w1.fi>
This function can be used as a wrapper for os_realloc(ptr, nmemb * size)
when a reallocation is used for an array. The main benefit over
os_realloc() is in having an extra check to catch integer overflows in
multiplication. This is similar to the os_zalloc() to os_calloc() move.
Signed-hostap: Jouni Malinen <j@w1.fi>
This function can be used as a wrapper for os_zalloc(nmemb * size) when
an allocation is used for an array. The main benefit over os_zalloc() is
in having an extra check to catch integer overflows in multiplication.
Signed-hostap: Jouni Malinen <j@w1.fi>
Multiple memcmps of nonces were actually comparing only the first byte
instead of all 16 bytes. [Bug 462]
Signed-hostap: Eyal Shapira <eyal@wizery.com>
intended-for: hostap-1
There is no need to mandate admission control (ACM=1) by default, so
clear that flag in the case the configuration file does not specify
wmm_ac_{vo,vi}_acm value. This gets closer to the values mentioned
in the sample hostapd.conf file and reduces the need to specify WMM
parameters in the configuration file for most common use cases.
Signed-hostap: Jouni Malinen <j@w1.fi>
In case of P2P GO and AP mode, wpa_supplicant uses the default hostapd
parameters for WMM. In the default parameters the ACM bit for video and
voice are set to 1, meaning, P2P devices and stations which are
connected to the GO cannot pass voice or video data packets. Allow this
to be changed through wpa_supplicant configuration file with wmm_ac_*
parameters.
Signed-hostap: Yoni Divinsky <yoni.divinsky@ti.com>
p2p_set_timeout() calls in GO Neg Req/Resp TX callbacks used timeout of
100 ms which is the value given in the P2P specification for GO
Negotiation, but this was actually shorter than the
wait-for-offchannel-TX value (200 ms) used for the driver call. In
addition, it looks like some devices (e.g., Galaxy Nexus with JB image)
can take longer time to reply to GO Negotiation Response (somewhere
between 200 and 250 ms has been observed).
Increase the wait-for-GO-Neg-Resp timeout from 100 ms to 200 ms if GO
Negotiation Request frame was acknowledged (this matches with the
offchannel wait timeout that used previously). The no-ack case is left
at 100 ms since we use GO Negotiation Request frame also to discover
whether the peer is on its Listen channel.
Increase the wait-for-GO-Neg-Conf timeout from 100 ms to 250 ms (and
increase the offchannel wait timeout to matching 250 ms) as a workaround
for devices that take over 200 ms to reply to GO Negotiation Response.
Signed-hostap: Jouni Malinen <j@w1.fi>
The os_memcmp of bssid and wpa_s->bssid cannot return 0 in this
code path since identical os_memcmp was already done above.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is the normal flow for association:
wpa_supplicant <--(EVENT_ASSOC event )-- device driver
wpa_supplicant --( get_bssid() )--> device driver
wpa_supplicant <--( return BSSID )-- device driver
However, a device driver could return EINVAL for get_bssid() because it
recognizes it has already been disconnected. When the wpa_supplicant
received EINVAL, the bssid field could be used uninitialized in the
following flow:
wpa_supplicant <--(EVENT_ASSOC event )-- device driver
device driver (receive deauth)
wpa_supplicant --( get_bssid() )--> device driver
wpa_supplicant <--( return EINVAL )-- device driver
Prevent this by requiring the get_bssid() call to succeed when
processing association events.
Don't assume the 11g mode is always first in the list of mode (sometimes
it isn't). Traverse the array of modes and check the HT40 capability is
turned on for 11g.
Signed-hostap: Arik Nemtsov <arik@wizery.com>