Cumulative patch from commit 21cb63fffd1e766c8b989125394ed0bfb05e5a4b
21cb63f OpenSSL: Fix client certificate chain building after PKCS#12 use
12a81b6 ACS: Remove unreachable case from a debug print
896607d Remove a pointer check that can never be true
a95cc47 ACS: Be more consistent with iface->current_mode checks
6014e59 P2P: Print find_start in debug log when ignoring old scan results
64845c1 l2_packet: Extend bridge workaround RX processing to cover two frames
4a539ab l2_packet: Improve bridge workaround RX processing
7a36f11 EAP-PAX: Check hmac_sha1_vector() return value
1d20c66 P2P: Clear groups first on FLUSH command
27446e4 mesh: Do not force another peering exchange on driver event
cc64fe7 mesh: Do not clear link state on driver event if exchange was started
b5f5c32 mesh: Add some more details to MPM debug messages
7d41907 nl80211: Add a missing space to a debug message
6174de6 mesh: Connection and group started/removed events into debug log
2da4a56 Add more hostapd.conf documentation for hw_mode with HT/VHT
acc3943 EAP-PEAP peer: Cryptobinding in fast-reconnect case with inner EAP
cba9ebf P2P: Try SD Query with each non-ACK peer only once per search iteration
e9ccfc3 Clear wpa_supplicant state to DISCONNECTED on FLUSH command
aeb408f HS 2.0: Add some documentation for OSEN and network block use
4f6cd3f Fix wpa_supplicant AP mode P2P IE handling if P2P is disabled
92acb40 Fix wpa_supplicant build with CONFIG_L2_PACKET=pcap
15c5606 Update copyright notices for the new year 2016
6e379c6 WPS: Testing mechanism to force auth/encr type flags
ea31912 WPS: Add a workaround for WPA2PSK missing from Enrollee auth flags
db671e0 WPS: Do not build Credential with unsupported encr combination on AP
d7c3347 HS 2.0: Postpone WNM-Notification sending by 100 ms
750f5d9 EAP-FAST: Enable AES256-based TLS cipher suites with OpenSSL
1ebb24b OpenSSL: Share a single openssl_tls_prf() implementation
dea2051 OpenSSL: Clean up function to fetch client/server random
9a42d85 OpenSSL: Drop support for OpenSSL 1.0.0
de213e8 OpenSSL: Drop support for OpenSSL 0.9.8
e79eb0c P2P: Fix P2P_FIND while waiting for listen ROC to start in the driver
944f693 P2P: Stop offchannel TX wait on P2P_STOP_FIND/P2P_LISTEN
8edd9f1 P2P: Add an option to specify group SSID in P2P_CONNECT join case
70e0cb3 P2P: Provide group SSID, if specified, to P2P Client join step
438be60 P2P: Do not accept any GO BSS entry if SSID is specified for join
35510d5 P2P: Use join SSID in the skip-PD cases
8b8d4f4 P2P: Do not accept any BSS entry for join if SSID is already known
b875276 P2P: Use group SSID, if known, for join operation even if no BSS entry
aa256cb P2PS: Add group SSID, if known, to the P2PS-PROV-DONE event
071e3bf FST: Fix handling of Rx FST Setup Request when session already exists
Change-Id: Ia48764e8663232291160fb24153fa367b9ed3015
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
diff --git a/src/wps/wps.c b/src/wps/wps.c
index fbaf85a..7c6dcb2 100644
--- a/src/wps/wps.c
+++ b/src/wps/wps.c
@@ -19,6 +19,10 @@
int wps_version_number = 0x20;
int wps_testing_dummy_cred = 0;
int wps_corrupt_pkhash = 0;
+int wps_force_auth_types_in_use = 0;
+u16 wps_force_auth_types = 0;
+int wps_force_encr_types_in_use = 0;
+u16 wps_force_encr_types = 0;
#endif /* CONFIG_WPS_TESTING */
diff --git a/src/wps/wps.h b/src/wps/wps.h
index 2c91d16..ff4dd10 100644
--- a/src/wps/wps.h
+++ b/src/wps/wps.h
@@ -1,6 +1,6 @@
/*
* Wi-Fi Protected Setup
- * Copyright (c) 2007-2013, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2007-2016, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@@ -664,6 +664,16 @@
u16 encr_types;
/**
+ * encr_types_rsn - Enabled encryption types for RSN (WPS_ENCR_*)
+ */
+ u16 encr_types_rsn;
+
+ /**
+ * encr_types_wpa - Enabled encryption types for WPA (WPS_ENCR_*)
+ */
+ u16 encr_types_wpa;
+
+ /**
* auth_types - Authentication types (bit field of WPS_AUTH_*)
*/
u16 auth_types;
diff --git a/src/wps/wps_attr_build.c b/src/wps/wps_attr_build.c
index b689357..748620f 100644
--- a/src/wps/wps_attr_build.c
+++ b/src/wps/wps_attr_build.c
@@ -1,6 +1,6 @@
/*
* Wi-Fi Protected Setup - attribute building
- * Copyright (c) 2008, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2008-2016, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@@ -298,7 +298,16 @@
auth_types &= ~WPS_AUTH_WPA;
auth_types &= ~WPS_AUTH_WPA2;
auth_types &= ~WPS_AUTH_SHARED;
- wpa_printf(MSG_DEBUG, "WPS: * Authentication Type Flags");
+#ifdef CONFIG_WPS_TESTING
+ if (wps_force_auth_types_in_use) {
+ wpa_printf(MSG_DEBUG,
+ "WPS: Testing - replace auth type 0x%x with 0x%x",
+ auth_types, wps_force_auth_types);
+ auth_types = wps_force_auth_types;
+ }
+#endif /* CONFIG_WPS_TESTING */
+ wpa_printf(MSG_DEBUG, "WPS: * Authentication Type Flags (0x%x)",
+ auth_types);
wpabuf_put_be16(msg, ATTR_AUTH_TYPE_FLAGS);
wpabuf_put_be16(msg, 2);
wpabuf_put_be16(msg, auth_types);
@@ -310,7 +319,16 @@
{
u16 encr_types = WPS_ENCR_TYPES;
encr_types &= ~WPS_ENCR_WEP;
- wpa_printf(MSG_DEBUG, "WPS: * Encryption Type Flags");
+#ifdef CONFIG_WPS_TESTING
+ if (wps_force_encr_types_in_use) {
+ wpa_printf(MSG_DEBUG,
+ "WPS: Testing - replace encr type 0x%x with 0x%x",
+ encr_types, wps_force_encr_types);
+ encr_types = wps_force_encr_types;
+ }
+#endif /* CONFIG_WPS_TESTING */
+ wpa_printf(MSG_DEBUG, "WPS: * Encryption Type Flags (0x%x)",
+ encr_types);
wpabuf_put_be16(msg, ATTR_ENCR_TYPE_FLAGS);
wpabuf_put_be16(msg, 2);
wpabuf_put_be16(msg, encr_types);
diff --git a/src/wps/wps_defs.h b/src/wps/wps_defs.h
index a23b979..301864d 100644
--- a/src/wps/wps_defs.h
+++ b/src/wps/wps_defs.h
@@ -14,6 +14,10 @@
extern int wps_version_number;
extern int wps_testing_dummy_cred;
extern int wps_corrupt_pkhash;
+extern int wps_force_auth_types_in_use;
+extern u16 wps_force_auth_types;
+extern int wps_force_encr_types_in_use;
+extern u16 wps_force_encr_types;
#define WPS_VERSION wps_version_number
#else /* CONFIG_WPS_TESTING */
diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index 4ca3a42..25e88d5 100644
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -1,6 +1,6 @@
/*
* Wi-Fi Protected Setup - Registrar
- * Copyright (c) 2008-2013, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2008-2016, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@@ -1606,6 +1606,9 @@
wps->cred.ssid_len = wps->wps->ssid_len;
/* Select the best authentication and encryption type */
+ wpa_printf(MSG_DEBUG,
+ "WPS: Own auth types 0x%x - masked Enrollee auth types 0x%x",
+ wps->wps->auth_types, wps->auth_type);
if (wps->auth_type & WPS_AUTH_WPA2PSK)
wps->auth_type = WPS_AUTH_WPA2PSK;
else if (wps->auth_type & WPS_AUTH_WPAPSK)
@@ -1619,6 +1622,14 @@
}
wps->cred.auth_type = wps->auth_type;
+ wpa_printf(MSG_DEBUG,
+ "WPS: Own encr types 0x%x (rsn: 0x%x, wpa: 0x%x) - masked Enrollee encr types 0x%x",
+ wps->wps->encr_types, wps->wps->encr_types_rsn,
+ wps->wps->encr_types_wpa, wps->encr_type);
+ if (wps->wps->ap && wps->auth_type == WPS_AUTH_WPA2PSK)
+ wps->encr_type &= wps->wps->encr_types_rsn;
+ else if (wps->wps->ap && wps->auth_type == WPS_AUTH_WPAPSK)
+ wps->encr_type &= wps->wps->encr_types_wpa;
if (wps->auth_type == WPS_AUTH_WPA2PSK ||
wps->auth_type == WPS_AUTH_WPAPSK) {
if (wps->encr_type & WPS_ENCR_AES)
@@ -2343,6 +2354,23 @@
wpa_printf(MSG_DEBUG, "WPS: Enrollee Authentication Type flags 0x%x",
auth_types);
+#ifdef WPS_WORKAROUNDS
+ /*
+ * Some deployed implementations seem to advertise incorrect information
+ * in this attribute. A value of 0x1b (WPA2 + WPA + WPAPSK + OPEN, but
+ * no WPA2PSK) has been reported to be used. Add WPA2PSK to the list to
+ * avoid issues with building Credentials that do not use the strongest
+ * actually supported authentication option (that device does support
+ * WPA2PSK even when it does not claim it here).
+ */
+ if ((auth_types &
+ (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK)) ==
+ (WPS_AUTH_WPA2 | WPS_AUTH_WPAPSK)) {
+ wpa_printf(MSG_DEBUG,
+ "WPS: Workaround - assume Enrollee supports WPA2PSK based on claimed WPA2 support");
+ auth_types |= WPS_AUTH_WPA2PSK;
+ }
+#endif /* WPS_WORKAROUNDS */
wps->auth_type = wps->wps->auth_types & auth_types;
if (wps->auth_type == 0) {
wpa_printf(MSG_DEBUG, "WPS: No match in supported "