Commit graph

14648 commits

Author SHA1 Message Date
Jouni Malinen
fea49f8f93 nl82011: Make wiphy-specific country (alpha2) available in STATUS-DRIVER
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-31 16:41:24 +02:00
Jouni Malinen
02d53ac351 nl80211: Debug print details from the beacon hint events
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-31 16:29:16 +02:00
Sam Voss
dd5d325b0a hostapd: Add configuration option check_crl_strict
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.

This causes the following:

- This setting does nothing when CRL checking is not enabled.

- When CRL is enabled, "strict mode" will cause CRL time errors to not
  be ignored and will continue behaving as it currently does.

- When CRL is enabled, disabling strict mode will cause CRL time
  errors to be ignored and will allow connections.

By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
2018-12-31 12:51:51 +02:00
Ben Greear
3518e3623f wpa_cli: Allow reconnect to global interface
Old code would just re-connect to a particular interface, even if user
had started wpa_cli with the '-g' option. Refactor global control
interface connection routine to allow it to be used in
wpa_cli_reconnect().

Signed-off-by: Ben Greear <greearb@candelatech.com>
2018-12-31 12:32:14 +02:00
Jouni Malinen
4fb6963b39 tests: Build tests for wpa_supplicant and hostapd
Allow multiple build configurations to be tested automatically.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-31 12:03:53 +02:00
Jouni Malinen
52e78198b7 Add internal HMAC-SHA512 implementation to fix NEED_SHA512 builds
Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due
to missing sha512.c file. Add that file even though this is not really
used in the currently available configuration combinations since DPP and
OWE are the only users of it and the internal crypto implementation
supports neither.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-31 11:57:37 +02:00
Michal Privoznik
1b8ed2cac1 wpa_supplicant: Fix build with !CONFIG_AP and CONFIG_CTRL_IFACE_DBUS_NEW
If the CONFIG_CTRL_IFACE_DBUS_NEW is enabled but CONFIG_AP is
disabled the build fails. This is because dbus getters try to
access ap_iface member of wpa_supplicant struct which is defined
if and only if CONFIG_AP is enabled.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2018-12-31 11:41:26 +02:00
Jouni Malinen
a1417c7f96 mka: Log MI update failure in debug log
One of the reset_participant_mi() callers did not log the error. Make
this more consistent with the other callers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-31 01:09:02 +02:00
Jouni Malinen
f9052d6ea5 nl80211: Note interface-removal-from-bridge errors in debug log
One of the linux_br_del_if() calls did not log nl80211-specific entry.
Make this more consistent with the other cases even though
linux_br_add_if() function itself is logging an error in the ioctl()
failure case (but not in the interface not found case).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-31 01:05:23 +02:00
Jouni Malinen
544b5a0d39 tests: hostapd configuration reload from file when disabled
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-30 17:35:54 +02:00
Hristo Venev
d01203cafc hostapd: Add openssl_ecdh_curves configuration parameter
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.

Signed-off-by: Hristo Venev <hristo@venev.name>
2018-12-30 17:27:34 +02:00
Hristo Venev
0521c6ebb3 OpenSSL: Add openssl_ecdh_curves parameter
Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and all
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.

Signed-off-by: Hristo Venev <hristo@venev.name>
2018-12-30 17:21:55 +02:00
Jouni Malinen
b98933eafc HS 2.0: DHCP broadcast-to-unicast conversion before address learning
handle_dhcp() was first trying to learn the IP address of an associated
STA before doing broadcast-to-unicast conversion. This could result in
not converting some DHCPACK messages since the address learning part
aborts processing by returning from the function in various cases.

Reorder these operations to allow broadcast-to-unicast conversion to
happen even if an associated STA entry is not updated based on a
DHCPACK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-30 01:05:18 +02:00
Jouni Malinen
0456b7d312 tests: Add UDP checksum into DHCP frames in ProxyARP/DGAF disabled case
Previously, the special value 0 was used to indicate no UDP checksum.
Replace that with the calculated checksum for more like use case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-30 01:04:58 +02:00
Jaap Keuter
23693c9dac mka: Make ICV Indicator dependant on ICV length
IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the
parameter sets before it. Due to its convenient layout the ICV Indicator
'body part' is used to encode the ICV as well.

IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In
bullet e) is desribed that the ICV Indicator itself is encoded when the
ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note
e) states that it will not be encoded unless the Algorithm Agility
parameter specifies the use of an ICV that is not 16 octets in length.

Therefore the length calculation for the ICV indicator body part must
take into account if the ICV Indicator is to be encoded or not. The
actual encoder of the ICV body already takes care of the rest.

In practice, this change will remove the ICV Indicator parameter set (4
octets before the ICV value itself) since the only defined algorithm
agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU
validation and decoding rules in 11.11.2 and 11.11.4 require the
receipient to handle both cases of ICV Indicator being included or not.

Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2018-12-30 01:03:30 +02:00
Jouni Malinen
cd803b6ccd tests: Clear regulatory Beacon hints more robustly in TDLS test cases
The ap_open_tdls_vht* test cases could leave some pending regulatory
Beacon hints waiting to be cleared during the following test case. This
would result in a failure if the following test case expected specific
regdom event behavior. For example, this caused "ap_open_tdls_vht160
dbus_country" sequence to result in failure in dbus_country. Fix this by
using more robust sequence in clearing regdom state at the end of the
TDLS test cases that have the AP advertising a country code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 17:02:54 +02:00
Jouni Malinen
90eb910ef5 tests: MKA MIB information
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 16:52:56 +02:00
Jouni Malinen
948ba8c294 mka: MIB information
Provide MKA information through the wpa_supplicant control interface MIB
command.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 16:52:31 +02:00
Jouni Malinen
a2acadf605 tests: MACsec PSK with bridge interface
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 12:26:52 +02:00
Jouni Malinen
0d09bd0832 tests: Use more robust way to determine MKA is done for MACsec testing
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 12:18:41 +02:00
Jouni Malinen
8c652ecfbe mka: Provide more status information over control interface
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 11:05:39 +02:00
Jouni Malinen
626bc1fac2 mka: Stop trying to generate and distribute new SAK when not key server
It was possible for a participant to first be elected as a key server
and schedule a new SAK to be generated and distributed just to be
followed by another participant being elected as the key server. That
did not stop the participant that disabled key server functionality to
stop generating the new SAK and then trying to distribute it. That is
not correct behavior, so make these steps conditional on the participant
still being a key server when going through the timer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 11:05:39 +02:00
Jouni Malinen
4060cb272b mka: Add more debug print details
This makes it a bit easier to try to figure out what is going on with
KaY operations and MKA setup.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 11:05:39 +02:00
Jouni Malinen
27859f5203 mka: Fix deleteSAs clearing of principal->new_key
This pointer needs to be cleared when the matching SAK is being removed
from the SAK list. The previous implementation was doing something
pretty strange in the loop by clearing the pointer for any non-matching
key that happened to be iterated through before finding the matching
key. This could probably result in incorrect behavior, but not clearing
the pointer for the matching key could do more harm by causing freed
memory to be referenced.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 11:05:39 +02:00
Jouni Malinen
4d91d4a7cc mka: Derive MACsec cipher suite and MKA algorithm table index
Instead of using a specifically set index value from table definition,
use the actual real index of the table entry. This removes need for
maintaining these index values separately. Furthermore, the
mka_alg_tbl[] index was already off-by-one (but not used anywhere).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-29 11:05:39 +02:00
Asbjørn Sloth Tønnesen
594b7fbdde wpa_supplicant: Document nl80211 driver in the man page
Signed-off-by: Asbjørn Sloth Tønnesen <hostap@asbjorn.st>
2018-12-27 16:03:46 +02:00
Jaap Keuter
a0bec739f1 mka: Clean up KaY log output
When running wpa_supplicant (with logging for testing) the log output is
somewhat disorganized for KaY related items. E.g., items are not
aligned, inconsistent type handling, wrong wording, missing labels, etc.
This change tries to clean up the log output, so it is somewhat more
accessible.

Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2018-12-27 16:03:46 +02:00
Jouni Malinen
344929a9ca tests: MACsec PSK local failures in CP state machine
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-27 16:03:46 +02:00
Jouni Malinen
1cb5082567 mka: Do not force entry into INIT state on CP state machine creation
Go through the SM_STEP_RUN() global transition to get into the INIT
state to follow the state machine design more closely.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-27 11:33:46 +02:00
Jouni Malinen
785b219abd mka: Remove unused authorization data from CP
While IEEE Std 802.1X-2010 talks about arbitrary authorization data that
could be passed to the CP from sources like RADIUS server, there is not
much point in trying to implement this as an arbitrary memory buffer in
wpa_supplicant. Should such data be supported in the future, it would
much more likely use more detailed data structures that encode the
received data in easier to use form.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-27 11:26:27 +02:00
Jouni Malinen
ead573d8a2 tests: MACsec
Add some coverage for MACsec with the macsec_linux driver interface in
wpa_supplicant.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-27 00:42:04 +02:00
Jouni Malinen
7251f0badc mka: Extend CAK/CKN-from-EAP-MSK API to pass in MSK length
This can be used to allow 256-bit key hierarchy to be derived from
EAP-based authentication. For now, the MSK length is hardcoded to 128
bits, so the previous behavior is maintained.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:44:58 +02:00
Jouni Malinen
871439b5d5 mka: Allow 256-bit CAK to be configured for PSK mode
This allows 256-bit CAK to be used as the root key in the MKA key
hierarchy.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:44:58 +02:00
Jouni Malinen
7a29984888 mka: Allow CAK length 32 (256-bit) to be initialized
The CAK length is not hardcoded in the algorithm agility parameter, so
remove that from the table. Instead, allow both 16 (128-bit) and 32
(256-bit) CAK to be used so that the following key derivations use
appropriate key lengths based on the configured/derived CAK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:44:58 +02:00
Jouni Malinen
73111a63cc mka: Determine KCK/ICK length from CAK length
The ICK and KEK are derived from a CAK and the length of the CAK
determines the length of the KCK/ICK. Remove the separate ICK/KEK length
parameters from the algorithm agility table.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:44:58 +02:00
Jouni Malinen
b452a76e54 mka: ICV calculation using 256-bit ICK
Add support for using AES-CMAC with 256-bit key (ICK) to calculate ICV.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:44:58 +02:00
Jouni Malinen
7c3d1cc040 mka: Support 256-bit ICK derivation
Support derivation of a 256-bit ICK and use of a 256-bit CAK in ICK
derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:44:58 +02:00
Jouni Malinen
175ebc1f7a mka: Support 256-bit KEK derivation
Support derivation of a 256-bit KEK and use of a 256-bit CAK in KEK
derivation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:44:58 +02:00
Jouni Malinen
9b4a266694 mka: Support 256-bit CAK in SAK derivation
Pass the configured CAK length to SAK derivation instead of using
hardcoded 128-bit length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:42:26 +02:00
Jouni Malinen
9dd701c12e mka: AES-CMAC-256 -based KDF
Extend the previously implemented KDF (IEEE Std 802.1X-2010, 6.2.1) to
support 256-bit input key and AES-CMAC-256. This does not change any
actual key derivation functionality yet, but is needed as a step towards
supporting 256-bit CAK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-26 16:42:26 +02:00
Andrey Kartashev
a8aeaf41df mka: Change MI if key invalid
It is possible to get a situation where a peer removes the Key Server
from its live peers list but the server still thinks that the peer is
alive (e.g., high packet loss in one direction). In such a case, the Key
Server will continue to advertise Last Key but this peer will not be
able to set up SA as it has already deleted its key.

Change the peer MI which will force the Key Server to distribute a new
SAK.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:26 +02:00
Andrey Kartashev
c20cc5833e mka: Speed up processing of duplicated SCI
Decrease timeout for a peer with duplicated SCI to speed up process in
case it is a valid peer after MI change.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Andrey Kartashev
c1576d44a8 mka: Support for 256-bit SAK generation
There is already partial support of GCM-AES-256. It is possible to
enable this mode by setting 'kay->macsec_csindex = 1;' in
ieee802_1x_kay_init() function, but the generated key contained only 128
bits of data while other 128 bits are in 0.

Enables KaY to generate full 256-bit SAK from the same 128-bit CAK. Note
that this does not support 256-bit CAK or AES-CMAC-256 -based KDF.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Andrey Kartashev
c9c93e7a24 mka: Remember LowestPN for each key server
According IEEE Std 802.1X-2010, 9.8 each participant shall record the
values of NextPN for last SAK accepted from each Key Server to use it in
case of a switch from one Key Server to another and back. Add LPN
recording and set saved value as the initial PN for the created channel.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Andrey Kartashev
54c6a69952 mka: Check for errors on create Secure Channel
It is possible that the driver fails to create Secure Channel (due to
hardware limitations for example). Add checks of create_*_sc() result
codes and abort procedure in case of failure.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Andrey Kartashev
52171e18c9 mka: Fix a memory leak on error path
Fix a minor memory leak in ieee802_1x_kay_create_mka() in
case of KEK/ICK derivation failure.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Andrey Kartashev
a6cd1be957 mka: Debug output cleanup/fix
Make debug output more consistent, fix several errors.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Andrey Kartashev
e49b78c0d5 mka: Allow configuration of MACsec replay protection
Add new configuration parameters macsec_replay_protect and
macsec_replay_window to allow user to set up MACsec replay protection
feature. Note that according to IEEE Std 802.1X-2010 replay protection
and delay protection are different features: replay protection is
related only to SecY and does not appear on MKA level while delay
protection is something that KaY can use to manage SecY state.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Andrey Kartashev
e47c5227bd wpa_debug: Support wpa_hexdump_ascii() outputting into syslog
When syslog logging is used output from wpa_hexdump_ascii() was silently
discarded. This patch enables wpa_hexdump_ascii() to print data to
syslog but without ASCII decoding.

Signed-off-by: Andrey Kartashev <andrey.kartashev@afconsult.com>
2018-12-26 16:42:25 +02:00
Mike Siedzik
302bbad5ac mka: Do not update potential peer liveness timer
To prevent a remote peer from getting stuck in a perpetual 'potential
peer' state, only update the peer liveness timer 'peer->expire' for live
peers and not for potential peers.

Per IEEE Std 802.1X-2010, 9.4.3 (Determining liveness), potential peers
need to show liveness by including our MI/MN in their transmitted MKPDU
(within potential or live parameter sets).

When a potential peer does include our MI/MN in an MKPDU, we respond by
moving the peer from 'potential_peers' to 'live_peers'.

If a potential peer does not include our MI/MN in an MKPDU within
MKPDU_LIFE_TIME, let the peer expire to facilitate getting back in sync
with the remote peer.

Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
2018-12-26 16:42:25 +02:00