Legacy ioctl() through SIOCDEVPRIVATE are deprecated. Follow the
approach taken by bridge-utils and make use of new bridge ioctl's
whenever possible.
For example, using legacy ioctl() breaks dynamic VLAN mode on 32-bit
Linux systems running 64-bit kernels.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
If the internal EAP server is used instead of an external RADIUS server,
sm->identity does not get set. Use the identity from the internal EAP
server in such case to get the dot1xAuthSessionUserName value in STA MIB
information.
Signed-off-by: Jouni Malinen <j@w1.fi>
The SSL_METHOD patching hack to get proper OCSP validation for Hotspot
2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the
SSL_METHOD structure is not exposed anymore. Fall back to using the
incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.
Signed-off-by: Ben Greear <greearb@candelatech.com>
SKM_sk_num() is not available anymore, so use DEFINE_STACK_OF() to get
the appropriate accessor functions.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The direct ssl->ctx access are not allowed anymore in newer OpenSSL
versions, so use the SSL_get_SSL_CTX() helper for this.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Try to make RSSI-based rejection of associating stations a bit less
likely to trigger false rejections by considering RSSI from the last
received Authentication frame. Association is rejected only if both the
Authentication and (Re)Association Request frames are below the RSSI
threshold.
Signed-off-by: Jouni Malinen <j@w1.fi>
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.
Signed-off-by: Beni Lev <beni.lev@intel.com>
An AP might refuse to connect a STA if it has a low RSSI. In such case,
the AP informs the STA with the desired RSSI delta and a retry timeout.
Any subsequent association attempt with that AP (BSS) should be avoided,
unless the RSSI level improved by the desired delta or the timeout has
expired.
Defined in Wi-Fi Alliance Optimized Connectivity Experience technical
specification v1.0, section 3.14 (RSSI-based association rejection
information).
Signed-off-by: Beni Lev <beni.lev@intel.com>
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.
This causes the following:
- This setting does nothing when CRL checking is not enabled.
- When CRL is enabled, "strict mode" will cause CRL time errors to not
be ignored and will continue behaving as it currently does.
- When CRL is enabled, disabling strict mode will cause CRL time
errors to be ignored and will allow connections.
By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.
Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due
to missing sha512.c file. Add that file even though this is not really
used in the currently available configuration combinations since DPP and
OWE are the only users of it and the internal crypto implementation
supports neither.
Signed-off-by: Jouni Malinen <j@w1.fi>
One of the reset_participant_mi() callers did not log the error. Make
this more consistent with the other callers.
Signed-off-by: Jouni Malinen <j@w1.fi>
One of the linux_br_del_if() calls did not log nl80211-specific entry.
Make this more consistent with the other cases even though
linux_br_add_if() function itself is logging an error in the ioctl()
failure case (but not in the interface not found case).
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.
Signed-off-by: Hristo Venev <hristo@venev.name>
Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and all
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.
Signed-off-by: Hristo Venev <hristo@venev.name>
handle_dhcp() was first trying to learn the IP address of an associated
STA before doing broadcast-to-unicast conversion. This could result in
not converting some DHCPACK messages since the address learning part
aborts processing by returning from the function in various cases.
Reorder these operations to allow broadcast-to-unicast conversion to
happen even if an associated STA entry is not updated based on a
DHCPACK.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the
parameter sets before it. Due to its convenient layout the ICV Indicator
'body part' is used to encode the ICV as well.
IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In
bullet e) is desribed that the ICV Indicator itself is encoded when the
ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note
e) states that it will not be encoded unless the Algorithm Agility
parameter specifies the use of an ICV that is not 16 octets in length.
Therefore the length calculation for the ICV indicator body part must
take into account if the ICV Indicator is to be encoded or not. The
actual encoder of the ICV body already takes care of the rest.
In practice, this change will remove the ICV Indicator parameter set (4
octets before the ICV value itself) since the only defined algorithm
agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU
validation and decoding rules in 11.11.2 and 11.11.4 require the
receipient to handle both cases of ICV Indicator being included or not.
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
It was possible for a participant to first be elected as a key server
and schedule a new SAK to be generated and distributed just to be
followed by another participant being elected as the key server. That
did not stop the participant that disabled key server functionality to
stop generating the new SAK and then trying to distribute it. That is
not correct behavior, so make these steps conditional on the participant
still being a key server when going through the timer.
Signed-off-by: Jouni Malinen <j@w1.fi>
This pointer needs to be cleared when the matching SAK is being removed
from the SAK list. The previous implementation was doing something
pretty strange in the loop by clearing the pointer for any non-matching
key that happened to be iterated through before finding the matching
key. This could probably result in incorrect behavior, but not clearing
the pointer for the matching key could do more harm by causing freed
memory to be referenced.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of using a specifically set index value from table definition,
use the actual real index of the table entry. This removes need for
maintaining these index values separately. Furthermore, the
mka_alg_tbl[] index was already off-by-one (but not used anywhere).
Signed-off-by: Jouni Malinen <j@w1.fi>
When running wpa_supplicant (with logging for testing) the log output is
somewhat disorganized for KaY related items. E.g., items are not
aligned, inconsistent type handling, wrong wording, missing labels, etc.
This change tries to clean up the log output, so it is somewhat more
accessible.
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Go through the SM_STEP_RUN() global transition to get into the INIT
state to follow the state machine design more closely.
Signed-off-by: Jouni Malinen <j@w1.fi>
While IEEE Std 802.1X-2010 talks about arbitrary authorization data that
could be passed to the CP from sources like RADIUS server, there is not
much point in trying to implement this as an arbitrary memory buffer in
wpa_supplicant. Should such data be supported in the future, it would
much more likely use more detailed data structures that encode the
received data in easier to use form.
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be used to allow 256-bit key hierarchy to be derived from
EAP-based authentication. For now, the MSK length is hardcoded to 128
bits, so the previous behavior is maintained.
Signed-off-by: Jouni Malinen <j@w1.fi>
The CAK length is not hardcoded in the algorithm agility parameter, so
remove that from the table. Instead, allow both 16 (128-bit) and 32
(256-bit) CAK to be used so that the following key derivations use
appropriate key lengths based on the configured/derived CAK.
Signed-off-by: Jouni Malinen <j@w1.fi>
The ICK and KEK are derived from a CAK and the length of the CAK
determines the length of the KCK/ICK. Remove the separate ICK/KEK length
parameters from the algorithm agility table.
Signed-off-by: Jouni Malinen <j@w1.fi>
Extend the previously implemented KDF (IEEE Std 802.1X-2010, 6.2.1) to
support 256-bit input key and AES-CMAC-256. This does not change any
actual key derivation functionality yet, but is needed as a step towards
supporting 256-bit CAK.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible to get a situation where a peer removes the Key Server
from its live peers list but the server still thinks that the peer is
alive (e.g., high packet loss in one direction). In such a case, the Key
Server will continue to advertise Last Key but this peer will not be
able to set up SA as it has already deleted its key.
Change the peer MI which will force the Key Server to distribute a new
SAK.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
Decrease timeout for a peer with duplicated SCI to speed up process in
case it is a valid peer after MI change.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
There is already partial support of GCM-AES-256. It is possible to
enable this mode by setting 'kay->macsec_csindex = 1;' in
ieee802_1x_kay_init() function, but the generated key contained only 128
bits of data while other 128 bits are in 0.
Enables KaY to generate full 256-bit SAK from the same 128-bit CAK. Note
that this does not support 256-bit CAK or AES-CMAC-256 -based KDF.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
According IEEE Std 802.1X-2010, 9.8 each participant shall record the
values of NextPN for last SAK accepted from each Key Server to use it in
case of a switch from one Key Server to another and back. Add LPN
recording and set saved value as the initial PN for the created channel.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
It is possible that the driver fails to create Secure Channel (due to
hardware limitations for example). Add checks of create_*_sc() result
codes and abort procedure in case of failure.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
Fix a minor memory leak in ieee802_1x_kay_create_mka() in
case of KEK/ICK derivation failure.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
Add new configuration parameters macsec_replay_protect and
macsec_replay_window to allow user to set up MACsec replay protection
feature. Note that according to IEEE Std 802.1X-2010 replay protection
and delay protection are different features: replay protection is
related only to SecY and does not appear on MKA level while delay
protection is something that KaY can use to manage SecY state.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
When syslog logging is used output from wpa_hexdump_ascii() was silently
discarded. This patch enables wpa_hexdump_ascii() to print data to
syslog but without ASCII decoding.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
To prevent a remote peer from getting stuck in a perpetual 'potential
peer' state, only update the peer liveness timer 'peer->expire' for live
peers and not for potential peers.
Per IEEE Std 802.1X-2010, 9.4.3 (Determining liveness), potential peers
need to show liveness by including our MI/MN in their transmitted MKPDU
(within potential or live parameter sets).
When a potential peer does include our MI/MN in an MKPDU, we respond by
moving the peer from 'potential_peers' to 'live_peers'.
If a potential peer does not include our MI/MN in an MKPDU within
MKPDU_LIFE_TIME, let the peer expire to facilitate getting back in sync
with the remote peer.
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
The previous commit introduced parameter set error checking. This commit
extends upon that by considering missing parameter sets a failure.
Two checks are added by this commit. First, verify that live peers start
encoding MKA_SAK_USE within a reasonable amount of time after going live
(10 MKPDUs). Second, verify that once a live peer starts encoding
MKA_SAK_USE it continues to do so indefinitely.
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>