wpa2_enterprise fixes
authornegativekelvin <negativekelvin@github.com>
Sat, 1 Sep 2018 09:59:48 +0000 (02:59 -0700)
committernegativekelvin <negativekelvin@github.com>
Sun, 2 Sep 2018 05:19:48 +0000 (22:19 -0700)
components/wpa_supplicant/port/include/os.h
components/wpa_supplicant/src/wpa2/eap_peer/eap.c
components/wpa_supplicant/src/wpa2/eap_peer/eap_mschapv2.c
components/wpa_supplicant/src/wpa2/tls/x509v3.c

index 48f7ab85e4116c3543ea39d845619cce0abcd213..0028c21e9cb747a5c7886e3941223099fda8a205 100644 (file)
@@ -270,7 +270,7 @@ char * ets_strdup(const char *s);
 #ifdef _MSC_VER
 #define os_snprintf _snprintf
 #else
-#define os_snprintf vsnprintf
+#define os_snprintf snprintf
 #endif
 #endif
 
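Review bot: The `_MSC_VER` branch two lines above the changed one still maps `os_snprintf` to `_snprintf`, which returns -1 on truncation and does not guarantee NUL termination, so the `ret < 0 || ret >= end - pos` checks that x509v3.c now relies on (later in this commit) would miss truncation under that build; that branch is presumably never compiled for ESP-IDF, but if it is kept it should either be dropped or given a wrapper with C99 return semantics. The `vsnprintf` → `snprintf` swap itself is right — `vsnprintf` takes a `va_list`, so every direct `os_snprintf(buf, size, fmt, args...)` call site was type-confused before. A one-line comment would tell the next reader what the macro promises: `/* must return the would-be length on truncation (C99 snprintf semantics); callers test ret >= size */`.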
index 10fc2257bd6f9b95d3c8e2625088653669cbfca4..3ddd294274ab0a9e4da07001ffddb94761348ab2 100644 (file)
@@ -300,6 +300,17 @@ struct wpabuf * eap_sm_build_nak(struct eap_sm *sm, EapType type, u8 id)
        }
 
        for (m = methods; m; m = m->next) {
+               //do not propose insecure unencapsulated MSCHAPv2 as Phase 1 Method
+               if(m->vendor == EAP_VENDOR_IETF && m->method == EAP_TYPE_MSCHAPV2)
+                       continue;
+
+               //do not propose EAP_TYPE_TLS if no client cert/key are configured
+               if(m->vendor == EAP_VENDOR_IETF && m->method == EAP_TYPE_TLS) {
+                       struct eap_peer_config *config = eap_get_config(sm);
+                       if (config == NULL || config->private_key == 0 || config->client_cert == 0)
+                               continue;
+               }
+
                if (type == EAP_TYPE_EXPANDED) {
                        wpabuf_put_u8(resp, EAP_TYPE_EXPANDED);
                        wpabuf_put_be24(resp, m->vendor);
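Review bot: The new TLS guard on L34 compares pointer fields against `0` and re-fetches the config on every loop iteration although it does not depend on `m`; write it as `if (config == NULL || config->private_key == NULL || config->client_cert == NULL)` and hoist `struct eap_peer_config *config = eap_get_config(sm);` above the `for`. The surrounding code uses `/* */` comments and `if (` with a space, so the two new `//` comments and `if(` stand out; a why-comment in the file's style would be `/* Never advertise bare MSCHAPv2 as a Phase 1 method; it is only acceptable inside a TLS tunnel (Phase 2). */`. If these two filters can drop every registered method, the loop may finish without writing any method byte — the post-loop handling is outside the hunk, so confirm it still emits a NAK carrying type 0 (EAP_TYPE_NONE) in that case rather than an empty payload. eap_sm_build_nak starts and ends outside the hunk.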
index 89d7b8fc19b94f6f5fa74ea807d3e8a30d11a871..b28c1eabc77d6b604b5cb01dbf79d89cb0fbe2ac 100644 (file)
@@ -95,6 +95,11 @@ static void *
 eap_mschapv2_init(struct eap_sm *sm)
 {
        struct eap_mschapv2_data *data;
+
+       //Do not init insecure unencapsulated MSCHAPv2 as Phase 1 method, only init if Phase 2
+       if(!sm->init_phase2)
+               return NULL;
+
        data = (struct eap_mschapv2_data *)os_zalloc(sizeof(*data));
        if (data == NULL)
                return NULL;
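Review bot: The early `return NULL` on L48-L49 is indistinguishable from the allocation failure two lines below, so a server that tries to run bare EAP-MSCHAPv2 in Phase 1 will only show up as a generic method-init failure; log the refusal explicitly before returning, e.g. `wpa_printf(MSG_INFO, "EAP-MSCHAPV2: refusing to run as Phase 1 method");`. The comment should give the reason rather than restate the condition, in the file's `/* */` style: `/* Unencapsulated MSCHAPv2 is cryptographically weak on the wire; only allow it inside a TLS tunnel (Phase 2). */`. Together with the NAK filter in eap_sm_build_nak this is the right belt-and-braces shape — the peer neither proposes the method nor accepts it when offered — and `if(` should get the space the rest of the file uses. eap_mschapv2_init continues past the hunk.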
index 66a0e448e6366cb1597902cb60c5117dfd00f75a..ba331cdecbc489ca0c5c15897962553eef88ff94 100644 (file)
@@ -543,8 +543,7 @@ void x509_name_string(struct x509_name *name, char *buf, size_t len)
        end = buf + len;
 
        for (i = 0; i < name->num_attr; i++) {
-               //ret = os_snprintf(pos, end - pos, "%s=%s, ",
-               ret = sprintf(pos, "%s=%s, ",
+               ret = os_snprintf(pos, end - pos, "%s=%s, ",
                                  x509_name_attr_str(name->attr[i].type),
                                  name->attr[i].value);
                if (ret < 0 || ret >= end - pos)
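Review bot: Replacing the unbounded `sprintf` with `os_snprintf(pos, end - pos, ...)` on L61 (and L71 in the second hunk) is the actual overflow fix here, but it bounds writes only if `os_snprintf` has C99 semantics — it depends on the os.h change in this same commit, and the existing `ret < 0 || ret >= end - pos` test assumes the would-be length is returned on truncation. Truncation is now silent; that is fine for a display string, but the `done:` label is outside the hunk, so confirm it still NUL-terminates within `len` (including the `len == 0` case, where `end - pos` is 0 and the first write is a zero-size call). A comment on the `goto done` would make the contract visible: `/* output truncated: keep what fit, terminate at done: */`. x509_name_string starts and ends outside the hunk.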
@@ -560,8 +559,7 @@ void x509_name_string(struct x509_name *name, char *buf, size_t len)
        }
 
        if (name->email) {
-               //ret = os_snprintf(pos, end - pos, "/emailAddress=%s",
-               ret = sprintf(pos, "/emailAddress=%s",
+               ret = os_snprintf(pos, end - pos, "/emailAddress=%s",
                                  name->email);
                if (ret < 0 || ret >= end - pos)
                        goto done;