path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* Use internal EAP server identity as dot1xAuthSessionUserNameJouni Malinen2019-01-011-2/+12
| | | | | | | | | If the internal EAP server is used instead of an external RADIUS server, sm->identity does not get set. Use the identity from the internal EAP server in such case to get the dot1xAuthSessionUserName value in STA MIB information. Signed-off-by: Jouni Malinen <j@w1.fi>
* browser: Replace deprecated gtk_window_set_wmclass()Jouni Malinen2019-01-011-2/+1
| | | | | | | Use gtk_window_set_role() instead of the deprecated gtk_window_set_wmclass(). Signed-off-by: Jouni Malinen <j@w1.fi>
* HTTP (curl): Replace deprecated ASN1_STRING_data()Jouni Malinen2019-01-011-4/+13
| | | | | | | Use ASN1_STRING_get0_data() instead of the older ASN1_STRING_data() that got deprecated in OpenSSL 1.1.0. Signed-off-by: Jouni Malinen <j@w1.fi>
* HTTP (curl): Fix build with newer OpenSSL versionsBen Greear2019-01-011-1/+5
| | | | | | | | | The SSL_METHOD patching hack to get proper OCSP validation for Hotspot 2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the SSL_METHOD structure is not exposed anymore. Fall back to using the incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build. Signed-off-by: Ben Greear <greearb@candelatech.com>
* HTTP (curl): Use DEFINE_STACK_OF() with newer OpenSSL versionsBen Greear2019-01-011-0/+8
| | | | | | | SKM_sk_num() is not available anymore, so use DEFINE_STACK_OF() to get the appropriate accessor functions. Signed-off-by: Ben Greear <greearb@candelatech.com>
* HTTP (curl): Use SSL_get_SSL_CTX() helperBen Greear2019-01-011-2/+2
| | | | | | | The direct ssl->ctx access are not allowed anymore in newer OpenSSL versions, so use the SSL_get_SSL_CTX() helper for this. Signed-off-by: Ben Greear <greearb@candelatech.com>
* hostap: Silence compiler warnings about IFNAMSIZ buffersJouni Malinen2019-01-011-2/+9
| | | | | | | Report interface name truncation and reject such cases in Host AP driver initialization of the AP interface. Signed-off-by: Jouni Malinen <j@w1.fi>
* OCE: RSSI-based rejection to consider Authentication frames (AP)Jouni Malinen2019-01-012-3/+10
| | | | | | | | | | Try to make RSSI-based rejection of associating stations a bit less likely to trigger false rejections by considering RSSI from the last received Authentication frame. Association is rejected only if both the Authentication and (Re)Association Request frames are below the RSSI threshold. Signed-off-by: Jouni Malinen <j@w1.fi>
* OCE: Add RSSI based association rejection support (AP)Beni Lev2019-01-015-6/+47
| | | | | | | | | An AP might reject a STA association request due to low RSSI. In such case, the AP informs the STA the desired RSSI improvement and a retry timeout. The STA might retry to associate even if the RSSI hasn't improved if the retry timeout expired. Signed-off-by: Beni Lev <beni.lev@intel.com>
* OCE: Add RSSI based association rejection support (STA)Beni Lev2019-01-012-0/+19
| | | | | | | | | | | | | | An AP might refuse to connect a STA if it has a low RSSI. In such case, the AP informs the STA with the desired RSSI delta and a retry timeout. Any subsequent association attempt with that AP (BSS) should be avoided, unless the RSSI level improved by the desired delta or the timeout has expired. Defined in Wi-Fi Alliance Optimized Connectivity Experience technical specification v1.0, section 3.14 (RSSI-based association rejection information). Signed-off-by: Beni Lev <beni.lev@intel.com>
* nl80211: Debug print channel listJouni Malinen2019-01-011-2/+61
| | | | | | | This makes it a bit easier to figure out how channel list update from the kernel is taken into use. Signed-off-by: Jouni Malinen <j@w1.fi>
* nl82011: Make wiphy-specific country (alpha2) available in STATUS-DRIVERJouni Malinen2018-12-311-0/+19
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Debug print details from the beacon hint eventsJouni Malinen2018-12-311-6/+49
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Add configuration option check_crl_strictSam Voss2018-12-319-7/+26
| | | | | | | | | | | | | | | | | | | | Add the ability to ignore time-based CRL errors from OpenSSL by specifying a new configuration parameter, check_crl_strict=0. This causes the following: - This setting does nothing when CRL checking is not enabled. - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does. - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections. By default, check_crl_strict is set to 1, or strict mode, to keep current functionality. Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
* Add internal HMAC-SHA512 implementation to fix NEED_SHA512 buildsJouni Malinen2018-12-311-0/+104
| | | | | | | | | | Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due to missing sha512.c file. Add that file even though this is not really used in the currently available configuration combinations since DPP and OWE are the only users of it and the internal crypto implementation supports neither. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Log MI update failure in debug logJouni Malinen2018-12-301-1/+6
| | | | | | | One of the reset_participant_mi() callers did not log the error. Make this more consistent with the other callers. Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Note interface-removal-from-bridge errors in debug logJouni Malinen2018-12-301-3/+6
| | | | | | | | | One of the linux_br_del_if() calls did not log nl80211-specific entry. Make this more consistent with the other cases even though linux_br_add_if() function itself is logging an error in the ioctl() failure case (but not in the interface not found case). Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Add openssl_ecdh_curves configuration parameterHristo Venev2018-12-303-0/+3
| | | | | | | | | This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc. It should be noted that when using Suite B, different mechanism is used to specify the allowed ECDH curves and this new parameter must not be used in such cases. Signed-off-by: Hristo Venev <hristo@venev.name>
* OpenSSL: Add openssl_ecdh_curves parameterHristo Venev2018-12-305-0/+90
| | | | | | | | | Some versions of OpenSSL need server support for ECDH to be explicitly enabled, so provide a new parameter for doing so and all SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic selection. Signed-off-by: Hristo Venev <hristo@venev.name>
* HS 2.0: DHCP broadcast-to-unicast conversion before address learningJouni Malinen2018-12-291-9/+9
| | | | | | | | | | | | | handle_dhcp() was first trying to learn the IP address of an associated STA before doing broadcast-to-unicast conversion. This could result in not converting some DHCPACK messages since the address learning part aborts processing by returning from the function in various cases. Reorder these operations to allow broadcast-to-unicast conversion to happen even if an associated STA entry is not updated based on a DHCPACK. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Make ICV Indicator dependant on ICV lengthJaap Keuter2018-12-291-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the parameter sets before it. Due to its convenient layout the ICV Indicator 'body part' is used to encode the ICV as well. IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In bullet e) is desribed that the ICV Indicator itself is encoded when the ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note e) states that it will not be encoded unless the Algorithm Agility parameter specifies the use of an ICV that is not 16 octets in length. Therefore the length calculation for the ICV indicator body part must take into account if the ICV Indicator is to be encoded or not. The actual encoder of the ICV body already takes care of the rest. In practice, this change will remove the ICV Indicator parameter set (4 octets before the ICV value itself) since the only defined algorithm agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU validation and decoding rules in 11.11.2 and 11.11.4 require the receipient to handle both cases of ICV Indicator being included or not. Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
* mka: MIB informationJouni Malinen2018-12-293-1/+103
| | | | | | | Provide MKA information through the wpa_supplicant control interface MIB command. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Provide more status information over control interfaceJouni Malinen2018-12-291-6/+63
| | | | Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Stop trying to generate and distribute new SAK when not key serverJouni Malinen2018-12-291-2/+3
| | | | | | | | | | | | It was possible for a participant to first be elected as a key server and schedule a new SAK to be generated and distributed just to be followed by another participant being elected as the key server. That did not stop the participant that disabled key server functionality to stop generating the new SAK and then trying to distribute it. That is not correct behavior, so make these steps conditional on the participant still being a key server when going through the timer. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Add more debug print detailsJouni Malinen2018-12-292-121/+263
| | | | | | | This makes it a bit easier to try to figure out what is going on with KaY operations and MKA setup. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Fix deleteSAs clearing of principal->new_keyJouni Malinen2018-12-291-2/+7
| | | | | | | | | | | | This pointer needs to be cleared when the matching SAK is being removed from the SAK list. The previous implementation was doing something pretty strange in the loop by clearing the pointer for any non-matching key that happened to be iterated through before finding the matching key. This could probably result in incorrect behavior, but not clearing the pointer for the matching key could do more harm by causing freed memory to be referenced. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Derive MACsec cipher suite and MKA algorithm table indexJouni Malinen2018-12-292-12/+9
| | | | | | | | | Instead of using a specifically set index value from table definition, use the actual real index of the table entry. This removes need for maintaining these index values separately. Furthermore, the mka_alg_tbl[] index was already off-by-one (but not used anywhere). Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Clean up KaY log outputJaap Keuter2018-12-271-18/+19
| | | | | | | | | | When running wpa_supplicant (with logging for testing) the log output is somewhat disorganized for KaY related items. E.g., items are not aligned, inconsistent type handling, wrong wording, missing labels, etc. This change tries to clean up the log output, so it is somewhat more accessible. Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
* mka: Do not force entry into INIT state on CP state machine creationJouni Malinen2018-12-271-1/+0
| | | | | | | Go through the SM_STEP_RUN() global transition to get into the INIT state to follow the state machine design more closely. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Remove unused authorization data from CPJouni Malinen2018-12-272-18/+0
| | | | | | | | | | | While IEEE Std 802.1X-2010 talks about arbitrary authorization data that could be passed to the CP from sources like RADIUS server, there is not much point in trying to implement this as an arbitrary memory buffer in wpa_supplicant. Should such data be supported in the future, it would much more likely use more detailed data structures that encode the received data in easier to use form. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Extend CAK/CKN-from-EAP-MSK API to pass in MSK lengthJouni Malinen2018-12-264-22/+22
| | | | | | | | This can be used to allow 256-bit key hierarchy to be derived from EAP-based authentication. For now, the MSK length is hardcoded to 128 bits, so the previous behavior is maintained. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Allow CAK length 32 (256-bit) to be initializedJouni Malinen2018-12-262-4/+3
| | | | | | | | | The CAK length is not hardcoded in the algorithm agility parameter, so remove that from the table. Instead, allow both 16 (128-bit) and 32 (256-bit) CAK to be used so that the following key derivations use appropriate key lengths based on the configured/derived CAK. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Determine KCK/ICK length from CAK lengthJouni Malinen2018-12-262-7/+2
| | | | | | | | The ICK and KEK are derived from a CAK and the length of the CAK determines the length of the KCK/ICK. Remove the separate ICK/KEK length parameters from the algorithm agility table. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: ICV calculation using 256-bit ICKJouni Malinen2018-12-264-13/+24
| | | | | | Add support for using AES-CMAC with 256-bit key (ICK) to calculate ICV. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Support 256-bit ICK derivationJouni Malinen2018-12-264-10/+15
| | | | | | | Support derivation of a 256-bit ICK and use of a 256-bit CAK in ICK derivation. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Support 256-bit KEK derivationJouni Malinen2018-12-264-13/+18
| | | | | | | Support derivation of a 256-bit KEK and use of a 256-bit CAK in KEK derivation. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Support 256-bit CAK in SAK derivationJouni Malinen2018-12-263-10/+10
| | | | | | | Pass the configured CAK length to SAK derivation instead of using hardcoded 128-bit length. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: AES-CMAC-256 -based KDFJouni Malinen2018-12-261-13/+23
| | | | | | | | | Extend the previously implemented KDF (IEEE Std 802.1X-2010, 6.2.1) to support 256-bit input key and AES-CMAC-256. This does not change any actual key derivation functionality yet, but is needed as a step towards supporting 256-bit CAK. Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Change MI if key invalidAndrey Kartashev2018-12-261-0/+1
| | | | | | | | | | | | | It is possible to get a situation where a peer removes the Key Server from its live peers list but the server still thinks that the peer is alive (e.g., high packet loss in one direction). In such a case, the Key Server will continue to advertise Last Key but this peer will not be able to set up SA as it has already deleted its key. Change the peer MI which will force the Key Server to distribute a new SAK. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Speed up processing of duplicated SCIAndrey Kartashev2018-12-261-0/+7
| | | | | | | Decrease timeout for a peer with duplicated SCI to speed up process in case it is a valid peer after MI change. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Support for 256-bit SAK generationAndrey Kartashev2018-12-263-9/+12
| | | | | | | | | | | | There is already partial support of GCM-AES-256. It is possible to enable this mode by setting 'kay->macsec_csindex = 1;' in ieee802_1x_kay_init() function, but the generated key contained only 128 bits of data while other 128 bits are in 0. Enables KaY to generate full 256-bit SAK from the same 128-bit CAK. Note that this does not support 256-bit CAK or AES-CMAC-256 -based KDF. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Remember LowestPN for each key serverAndrey Kartashev2018-12-261-1/+6
| | | | | | | | | According IEEE Std 802.1X-2010, 9.8 each participant shall record the values of NextPN for last SAK accepted from each Key Server to use it in case of a switch from one Key Server to another and back. Add LPN recording and set saved value as the initial PN for the created channel. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Check for errors on create Secure ChannelAndrey Kartashev2018-12-261-3/+13
| | | | | | | | It is possible that the driver fails to create Secure Channel (due to hardware limitations for example). Add checks of create_*_sc() result codes and abort procedure in case of failure. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Fix a memory leak on error pathAndrey Kartashev2018-12-261-0/+1
| | | | | | | Fix a minor memory leak in ieee802_1x_kay_create_mka() in case of KEK/ICK derivation failure. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Debug output cleanup/fixAndrey Kartashev2018-12-262-17/+19
| | | | | | Make debug output more consistent, fix several errors. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Allow configuration of MACsec replay protectionAndrey Kartashev2018-12-262-3/+6
| | | | | | | | | | | Add new configuration parameters macsec_replay_protect and macsec_replay_window to allow user to set up MACsec replay protection feature. Note that according to IEEE Std 802.1X-2010 replay protection and delay protection are different features: replay protection is related only to SecY and does not appear on MKA level while delay protection is something that KaY can use to manage SecY state. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* wpa_debug: Support wpa_hexdump_ascii() outputting into syslogAndrey Kartashev2018-12-261-0/+6
| | | | | | | | When syslog logging is used output from wpa_hexdump_ascii() was silently discarded. This patch enables wpa_hexdump_ascii() to print data to syslog but without ASCII decoding. Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
* mka: Do not update potential peer liveness timerMike Siedzik2018-12-261-5/+13
| | | | | | | | | | | | | | | | | | | To prevent a remote peer from getting stuck in a perpetual 'potential peer' state, only update the peer liveness timer 'peer->expire' for live peers and not for potential peers. Per IEEE Std 802.1X-2010, 9.4.3 (Determining liveness), potential peers need to show liveness by including our MI/MN in their transmitted MKPDU (within potential or live parameter sets). When a potential peer does include our MI/MN in an MKPDU, we respond by moving the peer from 'potential_peers' to 'live_peers'. If a potential peer does not include our MI/MN in an MKPDU within MKPDU_LIFE_TIME, let the peer expire to facilitate getting back in sync with the remote peer. Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
* mka: Consider missing MKPDU parameter sets a failureMike Siedzik2018-12-262-2/+37
| | | | | | | | | | | | The previous commit introduced parameter set error checking. This commit extends upon that by considering missing parameter sets a failure. Two checks are added by this commit. First, verify that live peers start encoding MKA_SAK_USE within a reasonable amount of time after going live (10 MKPDUs). Second, verify that once a live peer starts encoding MKA_SAK_USE it continues to do so indefinitely. Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
* mka: Do not ignore MKPDU parameter set decoding failuresMike Siedzik2018-12-261-5/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The status values returned by mka_param_body_handler.body_rx functions are currently ignored by ieee802_1x_kay_decode_mkpdu(). If a failure is detected the KaY should (a) stop processing the MKDPU and (b) do not update the associated peer's liveliness. IEEE Std 802.1X-2010, Table 11-7 (MKPDU parameter sets) and 11.11.3 (Encoding MKPDUs) dictate that MKA_SAK_USE (set type 3) will always be encoded before MKA_DISTRIBUTED_SAK (set type 4) in MKPDUs. Due to implementation of mka_param_body_handler, the code will always decode MKA_SAK_USE before MKA_DISTRIBUTED_SAK. When MKA_DISTRUBUTED_SAK contains a new SAK the code should decode MKA_DISTRUBUTED_SAK first so that the latest SAK is in known before decoding MKA_SAK_USE. The ideal solution would be to make two passes at MKDPU decoding: the first pass decodes MKA_DISTRIBUTED_SAK, the second pass decodes all other parameter sets. A simpler and less risky solution is presented here: ignore MKA_SAK_USE failures if MKA_DISTRIBUTED_SAK is also present. The new SAK will be saved so that the next MKPDU's MKA_SAK_USE can be properly decoded. This is basically what the code prior to this commit was doing (by ignoring all errors). Also, the only real recourse the KaY has when detecting any bad parameter set is to ignore the MKPDU by not updating the corresponding peer's liveliness timer, 'peer->expire'. Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>