It looks like Microsoft implementation does not match with their
specification as far as PRF+ label usage is concerned.. IPMK|CMK is derived
without null termination on the label, but the label for CSK derivation
must be null terminated.
This allows cryptobinding to be used with PEAPv0 in a way that
interoperates with Windows XP SP3 (RC2) and as such, this functionality is
now enabled as an optional addition to PEAPv0.
EAP-PEAP was the only method that used the external eap_tlv.c server
implementation. This worked fine just for the simple protected result
notification, but extending the TLV support for cryptobinding etc. is not
trivial with such separation. With the TLV processing integrated into
eap_peap.c, all the needed information is now available for using
additional TLVs.
Sam Leffler <sam@errno.com>:
Attached are changes from Chris Zimmerman (cc'd) to allow drivers to handle
radius ACL's. The patch is against 0.5.10 but I suspect will also apply to
your latest code. These mods enable radius acl support in freebsd w/ my
vap code.
You may want to do the changes to ieee802_11_auth.c differently as they
currently require all participating drivers to work the same. You might be
able to check the return value from hostapd_set_radius_acl_auth and use
that to decide whether the alternate code should be run so you can have 1
driver using this stuff while the other does not.
(jm: Added without more dynamic check for now; in addition, none of the
current in-tree driver wrappers actually implement these handlers, so this
is in preparation for future changes)
session_timeout and acct_interim_interval set to NULL. Without checking
these before accessing, we'd cause a NULL pointer access in this case. In
ieee802_11.c calls hostapd_allowed_address() with valid pointers.
This adds EAP-TNC method and TNCS (IF-IMV and IF-TNCCS) functionality.
There is no integration with EAP-TTLS and EAP-FAST at this point, so this
version is not yet suitable for real use (i.e., EAP-TNC can only be tested
outside a tunnel which is not an allowed configuration for deployment).
However, the basic TNCS functionality is more or less complete and this
version seems to interoperate with wpa_supplicant.
Number of TLVs were processed in groups and these cases were now separated
into more flexible processing of one TLV at the time. wpabuf_concat()
function was added to make it easier to concatenate TLVs. EAP Sequences are
now supported in both server and peer code, but the server side is not
enabled by default.
This allows Phase 2 Identity Request to be skipped if the identity is
already known from PAC-Opaque received in TLS handshake in order to save
one roundtrip from normal authentication.
This allows associations to be denied if the STA tries to use too large
listen interval. The default value is 65535 which matches with the field
size limits.
