The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.
Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.
Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
* 0 = do not require Phase 2 authentication
* 1 = require Phase 2 authentication when client certificate
(private_key/client_cert) is no used and TLS session resumption was
not used (default)
* 2 = require Phase 2 authentication in all cases
Add changes to use fast_pbkdf2 as default for PMK calculations.
fast_pbkdf2 is significantly faster than current implementations
for esp chips.
Also removes unnecessary code for pbkdf-sha256 and pbkdf-sha512.
1) Fix crash in dpp Listen without bootstrap
2) Fix crash on receiving dpp auth_req from hostapd with dpp akm
3) Ensures that the mode is set to station before dpp init
4) Ensures that dpp follows the path of init->bootstrap->listen
1. Update documentation for WPA3 Enterprise and WPA3 Enterprise 192-bit
mode
2. Update documentation for WPA3 OWE and OWE transition mode
3. Update documentation related to SAE PK, SAE PWE and Transition Disable
4. Update documnetation for wifi connect API
5. Fix config paramter information for wifi scan start
6. Fix documentation related to scan threshold config setting
7. Replace ESP_ERR_WIFI_ARG error code as ESP_ERR_INVALID_ARG
8. Update documentation for 802.11R Fast transition
9. Fix sta connecting with wpa security in enterprise mode
Fix crash in sending new RRM neighbour report requests by removing
the call to neighbour report request timeout callback in case of
already ongoing neighbour report request timer.
1. Discard commit frame received at confirmed state in SAE STA
2. Bugfix NVS get values for sae pwe
3. Bugfix memory leak caused by assoc retry timer and assoc IE
Fix crash due to premature deallocation of neighbour report elements
by scan_done. Post event to btm_rrm_t task to handle scan_done serially
rather than when btm_rrm_t task is processing btm request rx frame.
This fixes a subtle bug in which ESP_ERR_DPP_TX_FAILURE errors would
call esp_supp_dpp_stop_listen which sets the s_dpp_stop_listening flag
to true. Subsequent attempts to restart listening with
esp_supp_dpp_start_listen then only attempt to listen once more for
500ms before reading the s_dpp_stop_listening flag again and giving up.
This contributes greatly to #10615, but the fix here is still largely
a work-around as it sometimes requires manually retrying a couple times
before it works. Without this fix, any number of retries by
deinit/init again will seemingly not work as the retries for currently
unknown reasons.
Signed-off-by: Shreyas Sheth <shreyas.sheth@espressif.com>
Closes https://github.com/espressif/esp-idf/pull/10865
