* Fix issues related to mgmt packets encryption in GCMP
* Fix issue of wrong decryption of mgmt packets when PMF is enabled
* Fix softAP bug in handling of SAE Reauthentication
- Any scanning currently updates the bss table held by supplicant anyway,
but the time record used to maintain the recency of the last scan is
only updated by supplicant issued scans. Updating the last scan time
for application trigerred scanning will prevent the needless scanning
by supplicant if there has been an application trigerred scan in
the time diff threshold(currently 10s).
- Add default durations to supplicant issued scans based on results from
initial experiments where probe response times were recorded in a
significantly noisy environment. It was noticed that within 70ms
we receive over 80% of the responses 90% of the time
- Clear the bssid set flag and channel in supplicant disconnect handler as this
can cause the station to recursively connect to the wrong AP in case
roaming through BTM mechanisms fails.
- Fix issue with incorrect blocking time calculation when blocking scan
issued for a single channel.
- Deprecate the existing esp_rrm_send_neighbor_rep_request() API
- Adds a new API to send neighbor report requests esp_rrm_send_neighbor_report_request().
This replaces the older API's callback procedure with a new Wi-Fi
event that is posted when the neighbor report is received.
This moves the execution of the callback from supplicant
context to freertos context.
- Avoid downgrading TLS ciphersuites when client RSA keys are larger than RSA-2048 bit.
- Note that when using bigger certificates on low-power chips without crypto
hardware acceleration, it is recommended to adjust the task watchdog timer (TWDT)
if it is enabled. For precise information on timing requirements, you can check
performance numbers at https://github.com/espressif/mbedtls/wiki/Performance-Numbers.
Taking sizeof(ptr) is incorrect to determine size of passed in hash and
results in hlen getting set to a very large value since MD5_MAC_LEN >
sizeof(ptr). Provide the actual size of the hash buffer from the caller
to fix this.
tls_key_x_server_params_hash() callers src/tls/tlsv1_client_read.c and
src/tls/tlsv1_server_write.c both pass in a large enough hash (hash[64]
or hash[100]) that this does not appear to have an impact, though it is
still wrong.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This new value was added to verify peer certificate if it is provided,
but not reject the TLS handshake if no peer certificate is provided.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Some of the TLS library wrappers defined only an empty function for
tls_connection_set_success_data(). That could result in memory leaks in
TLS server cases, so update these to do the minimal thing and free the
provided buffer as unused.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
These operations do not really have any effect since
tls_connection_set_params() is used only in the TLS client case and the
client receives the DH parameters from the server instead of local
configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
While the drafts for RFC 9190 used a separate Commitment Message term,
that term was removed from the published RFC. Update the debug prints to
match that final language.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The previously used references were pointing to an obsoleted RFC and
draft versions. Replace these with current versions.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TTLS with TLS
1.3.
Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
Recognize the explicitly defined Commitment Message per
draft-ietf-emu-eap-tls13-13 at the conclusion of the EAP-TLS with TLS
1.3.
Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
This newer Session-Id/Method-Id derivation is used with PEAP and
EAP-TTLS when using TLS 1.3 per draft-ietf-emu-tls-eap-types-00, so do
not limit this to only EAP-TLS.
Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for EAP-TTLS with TLS
1.3.
Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
Use the TLS-Exporter with the label and context as defined in
draft-ietf-emu-tls-eap-types-00 when deriving keys for PEAP with TLS
1.3.
Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
EAP peer does not expect data present when beginning the Phase 2 in
EAP-{TTLS,PEAP} but in TLS 1.3 session tickets are sent after the
handshake completes.
There are several strategies that can be used to handle this, but this
patch picks up from the discussion[1] and implements the proposed use of
SSL_MODE_AUTO_RETRY. SSL_MODE_AUTO_RETRY has already been enabled by
default in OpenSSL 1.1.1, but it needs to be enabled for older versions.
The main OpenSSL wrapper change in tls_connection_decrypt() takes care
of the new possible case with SSL_MODE_AUTO_RETRY for
SSL_ERROR_WANT_READ to indicate that a non-application_data was
processed. That is not really an error case with TLS 1.3, so allow it to
complete and return an empty decrypted application data buffer.
EAP-PEAP/TTLS processing can then use this to move ahead with starting
Phase 2.
[1] https://www.spinics.net/lists/hostap/msg05376.html
Signed-off-by: Alexander Clouter <alex@digriz.org.uk>
The implementation was previously hardcoded to use only the non-expanded
IETF EAP methods in Phase 2. Extend that to allow vendor EAP methods
with expanded header to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
EAP-TLS with TLS 1.3 uses an empty application data record from the
server to indicate end of the exchange, so EAP-TLS peer will need to
check for this special case and finish the exchange with an empty
EAP-TLS (ACK) so that the server can send out EAP-Success.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow an additional context value to be passed to TLS exporter as
specified in RFC 5705 section 4.
This does not yet implement it for the internal TLS implementation.
However, as currently nothing uses context yet, this will not break
anything right now. WolfSSL maintainers also stated that they are not
going to add context support yet, but would look into it if/when this is
required by a published draft or a standard.
Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
These buffers in TLS-based EAP methods might contain keys or password
(e.g., when using TTLS-PAP or PEAP-GTC), so clear them explicitly to
avoid leaving such material into heap memory unnecessarily.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Derive EMSK when using EAP-PEAP to enable ERP. In addition, change the
MSK derivation for EAP-PEAP to always derive 128 octets of key material
instead of the 64 octets to cover just the MSK. This is needed with the
PRF used in TLS 1.3 since the output length is mixed into the PRF
context.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reduce the amount of time keying material (MSK, EMSK, temporary private
data) remains in memory in EAP methods. This provides additional
protection should there be any issues that could expose process memory
to external observers.
Signed-off-by: Jouni Malinen <j@w1.fi>
Move to the version used in draft-ietf-emu-eap-tls13-03.txt, i.e.,
include the 0x0D prefix and use a different TLS-Exporter() label string.
Signed-off-by: Jouni Malinen <j@w1.fi>
The label strings used for deriving Key_Material with TLS v1.3 were
changed, so update the implementation to match the new values.
Signed-off-by: Jouni Malinen <j@w1.fi>
The EAP session cannot be marked fully completed on sending Client
Finished with TLS v1.3 since the server may still send NewSessionTicket
before EAP-Success.
Signed-off-by: Jouni Malinen <j@w1.fi>
With TLS v1.3, the Finished message from the client can require
fragmentation. Postpone key derivation and marking of the EAP session
fully completed until all the fragments of that last message are sent to
avoid losing all the subsequent fragments.
Signed-off-by: Jouni Malinen <j@w1.fi>
