Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.
Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to depend on all uses (i.e., both hostapd and
wpa_supplicant) to verify that the length of the Rejected Groups field
in the Rejected Groups element is valid (i.e., a multiple of two octets)
since the common parser can reject the message when detecting this.
Signed-off-by: Jouni Malinen <j@w1.fi>
When registrar somehow misses the WSC_DONE sent by station and station
goes for next connection after sending deauth, make sure that softAP
disables the registrar.
1. Add support for SAE-PK and WPA3-Enterprise transition disable
2. Add support to handle OWE transition disable indication from AP
3. refactor: Backport common changes in scan/connect path from 90cc6158
- 90cc6158 adds support for Network Introduction Protocol in DPP
4. Fix issue of supplicant using wrong parameters to configure bss
- Ensure that wpa_supplicant's state machine registers the requirement for rsnxe
before deciding to add rsnxe to a assoc request.
Co-authored-by: jgujarathi <jash.gujarathi@espressif.com>
1. Fix issues related to mgmt packets encryption in GCMP
2. Fix issue of wrong decryption of mgmt packets when PMF is enabled
3. Fix frame subtype in send_mgmt_frame
4. Fix issue of wrong Rx control information of espnow packets for esp32 and esp32s2
5. Fix send mgmt err when eapol process
1. Free temporary data used by SAE before memsetting the same
2. Drop any received auth response that uses a different algorithm than the one currently in use
1) Add parameter to configure reason code of deauth frame
2) Add logs to indicate MIC failure 4-Way-Handshake
3) Process RSNXE capabilities only if AP advertises them
Make sure that WPS registrar public APIs do not modify supplicant
data in application task context. Execute API functionlity in eloop
context to prevent protential race conditions.
Avoid dereferencing a dangling function pointer in 'eap_server_sm_deinit()'.
This issue arises when hostap unregisteres EAP methods before it removes
the server state machine for station.
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.
Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.
Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
* 0 = do not require Phase 2 authentication
* 1 = require Phase 2 authentication when client certificate
(private_key/client_cert) is no used and TLS session resumption was
not used (default)
* 2 = require Phase 2 authentication in all cases
