According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:
"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."
An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.
It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
In 2013 or so, IFNAME=foo was prepended to at least the Unix socket
communication from wpa_supplicant to wpa_cli. This broke the (fragile)
logic that made ping/pong work more often when wpa_supplicant is busy
sending logging info to wpa_cli.
Adding check for IFNAME=foo makes this work better.
Signed-off-by: Ben Greear <greearb@candelatech.com>
This helps the server to build the chain to trusted CA when PEM encoding
of client_cert is used with multiple listed certificates. This was
already done for the server certificate configuration, but the client
certificate was limited to using only the first certificate in the file.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Legacy ioctl() through SIOCDEVPRIVATE are deprecated. Follow the
approach taken by bridge-utils and make use of new bridge ioctl's
whenever possible.
For example, using legacy ioctl() breaks dynamic VLAN mode on 32-bit
Linux systems running 64-bit kernels.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Use of country=00 (world roaming) seemed to not work anymore with the
current cfg80211 regulatory implementation since the existing channel is
left enabled when moving to country=00. Use a specific country code that
does enforce the selected channel from being used anymore to make this
test case pass again.
The change in cfg80211 behavior is from the kernel commit 113f3aaa81bd
("cfg80211: Prevent regulatory restore during STA disconnect in
concurrent interfaces").
Signed-off-by: Jouni Malinen <j@w1.fi>
If the internal EAP server is used instead of an external RADIUS server,
sm->identity does not get set. Use the identity from the internal EAP
server in such case to get the dot1xAuthSessionUserName value in STA MIB
information.
Signed-off-by: Jouni Malinen <j@w1.fi>
The SSL_METHOD patching hack to get proper OCSP validation for Hotspot
2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the
SSL_METHOD structure is not exposed anymore. Fall back to using the
incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.
Signed-off-by: Ben Greear <greearb@candelatech.com>
SKM_sk_num() is not available anymore, so use DEFINE_STACK_OF() to get
the appropriate accessor functions.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The direct ssl->ctx access are not allowed anymore in newer OpenSSL
versions, so use the SSL_get_SSL_CTX() helper for this.
Signed-off-by: Ben Greear <greearb@candelatech.com>
SKM_sk_value() is not available anymore, so use DEFINE_STACK_OF() to get
the appropriate accessor functions.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Try to make RSSI-based rejection of associating stations a bit less
likely to trigger false rejections by considering RSSI from the last
received Authentication frame. Association is rejected only if both the
Authentication and (Re)Association Request frames are below the RSSI
threshold.
Signed-off-by: Jouni Malinen <j@w1.fi>
With this command, RSSI signal can be controlled. Due to restrictions in
kernel, only values in the range of [-30, -50] can be used. The command
is implemented by changing the TX power.
Signed-off-by: Beni Lev <beni.lev@intel.com>
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.
Signed-off-by: Beni Lev <beni.lev@intel.com>
An AP might refuse to connect a STA if it has a low RSSI. In such case,
the AP informs the STA with the desired RSSI delta and a retry timeout.
Any subsequent association attempt with that AP (BSS) should be avoided,
unless the RSSI level improved by the desired delta or the timeout has
expired.
Defined in Wi-Fi Alliance Optimized Connectivity Experience technical
specification v1.0, section 3.14 (RSSI-based association rejection
information).
Signed-off-by: Beni Lev <beni.lev@intel.com>
When a dedicated P2P device interface is used, the
global->p2p_group_formation was not set in wpas_p2p_join_start() if no
separate group interface is used. This would cause that in case of a
failure in group formation, the cleaning of p2p_in_provisioning is done
on the wrong interface. Furthermore, P2P_CANCEL command could not be
used to stop such a group-join operation. Fix this by setting the
global->p2p_group_formation correctly in case that the group interface
is reusing wpa_s->parent.
Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>
It was possible for the 5 GHz PKEX channels to be enabled, e.g., when
running "ap_ht40_csa2 dpp_pkex_no_responder" test sequence, and that
resulted in a failure in dpp_pkex_no_responder due to the unexpectedly
long wait needed for the DPP-FAIL event. Increase the wait time to allow
for 5 GHz PKEX channels to be probed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Try to make sure the driver channel list state is synchronized with
wpa_supplicant whenever explicitly clearing state (e.g., between hwsim
test cases).
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows more accurate logging of failures related to the cfg80211
country=98 (intersection) case. This version is trying to give some more
time to allow the country code to clear, but that does not seem to be
sufficient with the current cfg80211 implementation for country=98 (but
might be for other cases).
The additional check for country=98 at the beginning of each test case
is an attempt to force cfg80211 to restore world roaming state with a
new association and disconnection at the station side detected after the
AP side has already stopped. This is needed after the Linux kernel
commit 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA
disconnect in concurrent interfaces").
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to avoid leaving unexpected cfg80211 regulatory country
code in place at the point when a test case terminates.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.
This causes the following:
- This setting does nothing when CRL checking is not enabled.
- When CRL is enabled, "strict mode" will cause CRL time errors to not
be ignored and will continue behaving as it currently does.
- When CRL is enabled, disabling strict mode will cause CRL time
errors to be ignored and will allow connections.
By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.
Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
Old code would just re-connect to a particular interface, even if user
had started wpa_cli with the '-g' option. Refactor global control
interface connection routine to allow it to be used in
wpa_cli_reconnect().
Signed-off-by: Ben Greear <greearb@candelatech.com>
Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due
to missing sha512.c file. Add that file even though this is not really
used in the currently available configuration combinations since DPP and
OWE are the only users of it and the internal crypto implementation
supports neither.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the CONFIG_CTRL_IFACE_DBUS_NEW is enabled but CONFIG_AP is
disabled the build fails. This is because dbus getters try to
access ap_iface member of wpa_supplicant struct which is defined
if and only if CONFIG_AP is enabled.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
One of the reset_participant_mi() callers did not log the error. Make
this more consistent with the other callers.
Signed-off-by: Jouni Malinen <j@w1.fi>
One of the linux_br_del_if() calls did not log nl80211-specific entry.
Make this more consistent with the other cases even though
linux_br_add_if() function itself is logging an error in the ioctl()
failure case (but not in the interface not found case).
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.
Signed-off-by: Hristo Venev <hristo@venev.name>
Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and all
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.
Signed-off-by: Hristo Venev <hristo@venev.name>
handle_dhcp() was first trying to learn the IP address of an associated
STA before doing broadcast-to-unicast conversion. This could result in
not converting some DHCPACK messages since the address learning part
aborts processing by returning from the function in various cases.
Reorder these operations to allow broadcast-to-unicast conversion to
happen even if an associated STA entry is not updated based on a
DHCPACK.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the special value 0 was used to indicate no UDP checksum.
Replace that with the calculated checksum for more like use case.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the
parameter sets before it. Due to its convenient layout the ICV Indicator
'body part' is used to encode the ICV as well.
IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In
bullet e) is desribed that the ICV Indicator itself is encoded when the
ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note
e) states that it will not be encoded unless the Algorithm Agility
parameter specifies the use of an ICV that is not 16 octets in length.
Therefore the length calculation for the ICV indicator body part must
take into account if the ICV Indicator is to be encoded or not. The
actual encoder of the ICV body already takes care of the rest.
In practice, this change will remove the ICV Indicator parameter set (4
octets before the ICV value itself) since the only defined algorithm
agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU
validation and decoding rules in 11.11.2 and 11.11.4 require the
receipient to handle both cases of ICV Indicator being included or not.
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
The ap_open_tdls_vht* test cases could leave some pending regulatory
Beacon hints waiting to be cleared during the following test case. This
would result in a failure if the following test case expected specific
regdom event behavior. For example, this caused "ap_open_tdls_vht160
dbus_country" sequence to result in failure in dbus_country. Fix this by
using more robust sequence in clearing regdom state at the end of the
TDLS test cases that have the AP advertising a country code.
Signed-off-by: Jouni Malinen <j@w1.fi>