EV_SET() for EV_ADD used a specific filter type, but that same filter
type was not provided to the matching EV_DELETE case. This resulted in
the kernel rejecting the deletion with "Invalid argument". Fix this by
setting the same filter type for both operations.
Fixes: f9982b3212 ("Implement kqueue(2) support via CONFIG_ELOOP_KQUEUE")
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous implementation did not work if the first registered socket
had fd > 16 or if the fd was more than double the largest value used in
previous registrations. Those cases could result in too small a memory
allocation being used and writes/reads beyond the end of that buffer.
This fix is applicable to CONFIG_ELOOP_EPOLL=y and CONFIG_ELOOP_KQUEUE=y
builds.
Fixes: f0356ec85c ("eloop: Add epoll option for better performance")
Signed-off-by: Jouni Malinen <j@w1.fi>
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:
"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."
An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.
It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
In 2013 or so, IFNAME=foo was prepended to at least the Unix socket
communication from wpa_supplicant to wpa_cli. This broke the (fragile)
logic that made ping/pong work more often when wpa_supplicant is busy
sending logging info to wpa_cli.
Adding check for IFNAME=foo makes this work better.
Signed-off-by: Ben Greear <greearb@candelatech.com>
This helps the server to build the chain to trusted CA when PEM encoding
of client_cert is used with multiple listed certificates. This was
already done for the server certificate configuration, but the client
certificate was limited to using only the first certificate in the file.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Legacy ioctl() through SIOCDEVPRIVATE are deprecated. Follow the
approach taken by bridge-utils and make use of new bridge ioctl's
whenever possible.
For example, using legacy ioctl() breaks dynamic VLAN mode on 32-bit
Linux systems running 64-bit kernels.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
If the internal EAP server is used instead of an external RADIUS server,
sm->identity does not get set. Use the identity from the internal EAP
server in such case to get the dot1xAuthSessionUserName value in STA MIB
information.
Signed-off-by: Jouni Malinen <j@w1.fi>
The SSL_METHOD patching hack to get proper OCSP validation for Hotspot
2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the
SSL_METHOD structure is not exposed anymore. Fall back to using the
incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.
Signed-off-by: Ben Greear <greearb@candelatech.com>
SKM_sk_num() is not available anymore, so use DEFINE_STACK_OF() to get
the appropriate accessor functions.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The direct ssl->ctx access are not allowed anymore in newer OpenSSL
versions, so use the SSL_get_SSL_CTX() helper for this.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Try to make RSSI-based rejection of associating stations a bit less
likely to trigger false rejections by considering RSSI from the last
received Authentication frame. Association is rejected only if both the
Authentication and (Re)Association Request frames are below the RSSI
threshold.
Signed-off-by: Jouni Malinen <j@w1.fi>
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.
Signed-off-by: Beni Lev <beni.lev@intel.com>
An AP might refuse to connect a STA if it has a low RSSI. In such case,
the AP informs the STA with the desired RSSI delta and a retry timeout.
Any subsequent association attempt with that AP (BSS) should be avoided,
unless the RSSI level improved by the desired delta or the timeout has
expired.
Defined in Wi-Fi Alliance Optimized Connectivity Experience technical
specification v1.0, section 3.14 (RSSI-based association rejection
information).
Signed-off-by: Beni Lev <beni.lev@intel.com>
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.
This causes the following:
- This setting does nothing when CRL checking is not enabled.
- When CRL is enabled, "strict mode" will cause CRL time errors to not
be ignored and will continue behaving as it currently does.
- When CRL is enabled, disabling strict mode will cause CRL time
errors to be ignored and will allow connections.
By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.
Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due
to missing sha512.c file. Add that file even though this is not really
used in the currently available configuration combinations since DPP and
OWE are the only users of it and the internal crypto implementation
supports neither.
Signed-off-by: Jouni Malinen <j@w1.fi>
One of the reset_participant_mi() callers did not log the error. Make
this more consistent with the other callers.
Signed-off-by: Jouni Malinen <j@w1.fi>
One of the linux_br_del_if() calls did not log nl80211-specific entry.
Make this more consistent with the other cases even though
linux_br_add_if() function itself is logging an error in the ioctl()
failure case (but not in the interface not found case).
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.
Signed-off-by: Hristo Venev <hristo@venev.name>
Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and all
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.
Signed-off-by: Hristo Venev <hristo@venev.name>
handle_dhcp() was first trying to learn the IP address of an associated
STA before doing broadcast-to-unicast conversion. This could result in
not converting some DHCPACK messages since the address learning part
aborts processing by returning from the function in various cases.
Reorder these operations to allow broadcast-to-unicast conversion to
happen even if an associated STA entry is not updated based on a
DHCPACK.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the
parameter sets before it. Due to its convenient layout the ICV Indicator
'body part' is used to encode the ICV as well.
IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In
bullet e) is desribed that the ICV Indicator itself is encoded when the
ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note
e) states that it will not be encoded unless the Algorithm Agility
parameter specifies the use of an ICV that is not 16 octets in length.
Therefore the length calculation for the ICV indicator body part must
take into account if the ICV Indicator is to be encoded or not. The
actual encoder of the ICV body already takes care of the rest.
In practice, this change will remove the ICV Indicator parameter set (4
octets before the ICV value itself) since the only defined algorithm
agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU
validation and decoding rules in 11.11.2 and 11.11.4 require the
receipient to handle both cases of ICV Indicator being included or not.
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
It was possible for a participant to first be elected as a key server
and schedule a new SAK to be generated and distributed just to be
followed by another participant being elected as the key server. That
did not stop the participant that disabled key server functionality to
stop generating the new SAK and then trying to distribute it. That is
not correct behavior, so make these steps conditional on the participant
still being a key server when going through the timer.
Signed-off-by: Jouni Malinen <j@w1.fi>
This pointer needs to be cleared when the matching SAK is being removed
from the SAK list. The previous implementation was doing something
pretty strange in the loop by clearing the pointer for any non-matching
key that happened to be iterated through before finding the matching
key. This could probably result in incorrect behavior, but not clearing
the pointer for the matching key could do more harm by causing freed
memory to be referenced.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of using a specifically set index value from table definition,
use the actual real index of the table entry. This removes need for
maintaining these index values separately. Furthermore, the
mka_alg_tbl[] index was already off-by-one (but not used anywhere).
Signed-off-by: Jouni Malinen <j@w1.fi>
When running wpa_supplicant (with logging for testing) the log output is
somewhat disorganized for KaY related items. E.g., items are not
aligned, inconsistent type handling, wrong wording, missing labels, etc.
This change tries to clean up the log output, so it is somewhat more
accessible.
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Go through the SM_STEP_RUN() global transition to get into the INIT
state to follow the state machine design more closely.
Signed-off-by: Jouni Malinen <j@w1.fi>
While IEEE Std 802.1X-2010 talks about arbitrary authorization data that
could be passed to the CP from sources like RADIUS server, there is not
much point in trying to implement this as an arbitrary memory buffer in
wpa_supplicant. Should such data be supported in the future, it would
much more likely use more detailed data structures that encode the
received data in easier to use form.
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be used to allow 256-bit key hierarchy to be derived from
EAP-based authentication. For now, the MSK length is hardcoded to 128
bits, so the previous behavior is maintained.
Signed-off-by: Jouni Malinen <j@w1.fi>
The CAK length is not hardcoded in the algorithm agility parameter, so
remove that from the table. Instead, allow both 16 (128-bit) and 32
(256-bit) CAK to be used so that the following key derivations use
appropriate key lengths based on the configured/derived CAK.
Signed-off-by: Jouni Malinen <j@w1.fi>
The ICK and KEK are derived from a CAK and the length of the CAK
determines the length of the KCK/ICK. Remove the separate ICK/KEK length
parameters from the algorithm agility table.
Signed-off-by: Jouni Malinen <j@w1.fi>
Extend the previously implemented KDF (IEEE Std 802.1X-2010, 6.2.1) to
support 256-bit input key and AES-CMAC-256. This does not change any
actual key derivation functionality yet, but is needed as a step towards
supporting 256-bit CAK.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible to get a situation where a peer removes the Key Server
from its live peers list but the server still thinks that the peer is
alive (e.g., high packet loss in one direction). In such a case, the Key
Server will continue to advertise Last Key but this peer will not be
able to set up SA as it has already deleted its key.
Change the peer MI which will force the Key Server to distribute a new
SAK.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
Decrease timeout for a peer with duplicated SCI to speed up process in
case it is a valid peer after MI change.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
There is already partial support of GCM-AES-256. It is possible to
enable this mode by setting 'kay->macsec_csindex = 1;' in
ieee802_1x_kay_init() function, but the generated key contained only 128
bits of data while other 128 bits are in 0.
Enables KaY to generate full 256-bit SAK from the same 128-bit CAK. Note
that this does not support 256-bit CAK or AES-CMAC-256 -based KDF.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
According IEEE Std 802.1X-2010, 9.8 each participant shall record the
values of NextPN for last SAK accepted from each Key Server to use it in
case of a switch from one Key Server to another and back. Add LPN
recording and set saved value as the initial PN for the created channel.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
It is possible that the driver fails to create Secure Channel (due to
hardware limitations for example). Add checks of create_*_sc() result
codes and abort procedure in case of failure.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
Fix a minor memory leak in ieee802_1x_kay_create_mka() in
case of KEK/ICK derivation failure.
Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
