Nishant Chaprana [Fri, 16 Feb 2018 12:02:39 +0000 (17:32 +0530)]
dbus: Add vendor specific information element in peer properties
Make vendor specific information elements (VSIE) available in peer
properties, so that VSIE of a specific peer can be retrieved using
peer's object path.
Jouni Malinen [Wed, 2 Jan 2019 10:28:16 +0000 (12:28 +0200)]
tests: Data connectivity after REAUTHENTICATE
Verify that not updating GTK (i.e., only update PTK) in the driver does
not break connectivity. This case is different after the check for
"already in-use GTK" and rejection of GTK reinstallation.
Jouni Malinen [Wed, 2 Jan 2019 10:11:52 +0000 (12:11 +0200)]
eloop: Fix kqueue event deletion filter
EV_SET() for EV_ADD used a specific filter type, but that same filter
type was not provided to the matching EV_DELETE case. This resulted in
the kernel rejecting the deletion with "Invalid argument". Fix this by
setting the same filter type for both operations.
Fixes: f9982b321222 ("Implement kqueue(2) support via CONFIG_ELOOP_KQUEUE") Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 2 Jan 2019 09:57:00 +0000 (11:57 +0200)]
eloop: Fix fd_table allocation for epoll and kqueue
The previous implementation did not work if the first registered socket
had fd > 16 or if the fd was more than double the largest value used in
previous registrations. Those cases could result in too small a memory
allocation being used and writes/reads beyond the end of that buffer.
This fix is applicable to CONFIG_ELOOP_EPOLL=y and CONFIG_ELOOP_KQUEUE=y
builds.
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:
"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."
An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.
It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).
Ben Greear [Mon, 4 Dec 2017 17:18:26 +0000 (09:18 -0800)]
wpa_ctrl: Make wpa_cli ping/pong work more reliably
In 2013 or so, IFNAME=foo was prepended to at least the Unix socket
communication from wpa_supplicant to wpa_cli. This broke the (fragile)
logic that made ping/pong work more often when wpa_supplicant is busy
sending logging info to wpa_cli.
Adding check for IFNAME=foo makes this work better.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Isaac Boukris [Sun, 21 Jan 2018 01:36:44 +0000 (01:36 +0000)]
OpenSSL: Load chain certificates from client_cert file
This helps the server to build the chain to trusted CA when PEM encoding
of client_cert is used with multiple listed certificates. This was
already done for the server certificate configuration, but the client
certificate was limited to using only the first certificate in the file.
Jouni Malinen [Tue, 1 Jan 2019 21:30:16 +0000 (23:30 +0200)]
tests: Use different country in p2p_go_move_reg_change
Use of country=00 (world roaming) seemed to not work anymore with the
current cfg80211 regulatory implementation since the existing channel is
left enabled when moving to country=00. Use a specific country code that
does enforce the selected channel from being used anymore to make this
test case pass again.
The change in cfg80211 behavior is from the kernel commit 113f3aaa81bd
("cfg80211: Prevent regulatory restore during STA disconnect in
concurrent interfaces").
Jouni Malinen [Tue, 1 Jan 2019 19:27:54 +0000 (21:27 +0200)]
Use internal EAP server identity as dot1xAuthSessionUserName
If the internal EAP server is used instead of an external RADIUS server,
sm->identity does not get set. Use the identity from the internal EAP
server in such case to get the dot1xAuthSessionUserName value in STA MIB
information.
Ben Greear [Tue, 12 Sep 2017 17:43:36 +0000 (10:43 -0700)]
HTTP (curl): Fix build with newer OpenSSL versions
The SSL_METHOD patching hack to get proper OCSP validation for Hotspot
2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the
SSL_METHOD structure is not exposed anymore. Fall back to using the
incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Jouni Malinen [Tue, 1 Jan 2019 16:17:02 +0000 (18:17 +0200)]
OCE: RSSI-based rejection to consider Authentication frames (AP)
Try to make RSSI-based rejection of associating stations a bit less
likely to trigger false rejections by considering RSSI from the last
received Authentication frame. Association is rejected only if both the
Authentication and (Re)Association Request frames are below the RSSI
threshold.
Beni Lev [Mon, 21 Aug 2017 16:43:54 +0000 (19:43 +0300)]
tests: Add a command for setting TX power/RSSI
With this command, RSSI signal can be controlled. Due to restrictions in
kernel, only values in the range of [-30, -50] can be used. The command
is implemented by changing the TX power.
Beni Lev [Mon, 21 Aug 2017 16:43:53 +0000 (19:43 +0300)]
OCE: Add RSSI based association rejection support (AP)
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.
Beni Lev [Mon, 21 Aug 2017 16:43:52 +0000 (19:43 +0300)]
OCE: Add RSSI based association rejection support (STA)
An AP might refuse to connect a STA if it has a low RSSI. In such case,
the AP informs the STA with the desired RSSI delta and a retry timeout.
Any subsequent association attempt with that AP (BSS) should be avoided,
unless the RSSI level improved by the desired delta or the timeout has
expired.
Defined in Wi-Fi Alliance Optimized Connectivity Experience technical
specification v1.0, section 3.14 (RSSI-based association rejection
information).
Aloni, Adiel [Mon, 21 Aug 2017 16:36:22 +0000 (19:36 +0300)]
P2P: Set global->p2p_group_formation in wpas_p2p_join_start() for p2pdev
When a dedicated P2P device interface is used, the
global->p2p_group_formation was not set in wpas_p2p_join_start() if no
separate group interface is used. This would cause that in case of a
failure in group formation, the cleaning of p2p_in_provisioning is done
on the wrong interface. Furthermore, P2P_CANCEL command could not be
used to stop such a group-join operation. Fix this by setting the
global->p2p_group_formation correctly in case that the group interface
is reusing wpa_s->parent.
Jouni Malinen [Tue, 1 Jan 2019 14:17:13 +0000 (16:17 +0200)]
tests: Make dpp_pkex_no_responder handle enabled 5 GHz channels
It was possible for the 5 GHz PKEX channels to be enabled, e.g., when
running "ap_ht40_csa2 dpp_pkex_no_responder" test sequence, and that
resulted in a failure in dpp_pkex_no_responder due to the unexpectedly
long wait needed for the DPP-FAIL event. Increase the wait time to allow
for 5 GHz PKEX channels to be probed.
Jouni Malinen [Tue, 1 Jan 2019 13:58:46 +0000 (15:58 +0200)]
Update wpa_supplicant channel list on FLUSH
Try to make sure the driver channel list state is synchronized with
wpa_supplicant whenever explicitly clearing state (e.g., between hwsim
test cases).
Jouni Malinen [Mon, 31 Dec 2018 15:05:03 +0000 (17:05 +0200)]
tests: Check per-wiphy specific country code between test cases
This allows more accurate logging of failures related to the cfg80211
country=98 (intersection) case. This version is trying to give some more
time to allow the country code to clear, but that does not seem to be
sufficient with the current cfg80211 implementation for country=98 (but
might be for other cases).
The additional check for country=98 at the beginning of each test case
is an attempt to force cfg80211 to restore world roaming state with a
new association and disconnection at the station side detected after the
AP side has already stopped. This is needed after the Linux kernel
commit 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA
disconnect in concurrent interfaces").
Ben Greear [Thu, 8 Jun 2017 17:58:54 +0000 (10:58 -0700)]
wpa_cli: Allow reconnect to global interface
Old code would just re-connect to a particular interface, even if user
had started wpa_cli with the '-g' option. Refactor global control
interface connection routine to allow it to be used in
wpa_cli_reconnect().
Signed-off-by: Ben Greear <greearb@candelatech.com>
Jouni Malinen [Mon, 31 Dec 2018 09:51:45 +0000 (11:51 +0200)]
Add internal HMAC-SHA512 implementation to fix NEED_SHA512 builds
Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due
to missing sha512.c file. Add that file even though this is not really
used in the currently available configuration combinations since DPP and
OWE are the only users of it and the internal crypto implementation
supports neither.
Michal Privoznik [Sun, 30 Dec 2018 18:36:22 +0000 (19:36 +0100)]
wpa_supplicant: Fix build with !CONFIG_AP and CONFIG_CTRL_IFACE_DBUS_NEW
If the CONFIG_CTRL_IFACE_DBUS_NEW is enabled but CONFIG_AP is
disabled the build fails. This is because dbus getters try to
access ap_iface member of wpa_supplicant struct which is defined
if and only if CONFIG_AP is enabled.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Jouni Malinen [Sun, 30 Dec 2018 23:05:23 +0000 (01:05 +0200)]
nl80211: Note interface-removal-from-bridge errors in debug log
One of the linux_br_del_if() calls did not log nl80211-specific entry.
Make this more consistent with the other cases even though
linux_br_add_if() function itself is logging an error in the ioctl()
failure case (but not in the interface not found case).
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.
Some versions of OpenSSL need server support for ECDH to be explicitly
enabled, so provide a new parameter for doing so and all
SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic
selection.
Jouni Malinen [Sat, 29 Dec 2018 23:05:18 +0000 (01:05 +0200)]
HS 2.0: DHCP broadcast-to-unicast conversion before address learning
handle_dhcp() was first trying to learn the IP address of an associated
STA before doing broadcast-to-unicast conversion. This could result in
not converting some DHCPACK messages since the address learning part
aborts processing by returning from the function in various cases.
Reorder these operations to allow broadcast-to-unicast conversion to
happen even if an associated STA entry is not updated based on a
DHCPACK.
IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the
parameter sets before it. Due to its convenient layout the ICV Indicator
'body part' is used to encode the ICV as well.
IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In
bullet e) is desribed that the ICV Indicator itself is encoded when the
ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note
e) states that it will not be encoded unless the Algorithm Agility
parameter specifies the use of an ICV that is not 16 octets in length.
Therefore the length calculation for the ICV indicator body part must
take into account if the ICV Indicator is to be encoded or not. The
actual encoder of the ICV body already takes care of the rest.
In practice, this change will remove the ICV Indicator parameter set (4
octets before the ICV value itself) since the only defined algorithm
agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU
validation and decoding rules in 11.11.2 and 11.11.4 require the
receipient to handle both cases of ICV Indicator being included or not.
Jouni Malinen [Sat, 29 Dec 2018 15:01:01 +0000 (17:01 +0200)]
tests: Clear regulatory Beacon hints more robustly in TDLS test cases
The ap_open_tdls_vht* test cases could leave some pending regulatory
Beacon hints waiting to be cleared during the following test case. This
would result in a failure if the following test case expected specific
regdom event behavior. For example, this caused "ap_open_tdls_vht160
dbus_country" sequence to result in failure in dbus_country. Fix this by
using more robust sequence in clearing regdom state at the end of the
TDLS test cases that have the AP advertising a country code.
Jouni Malinen [Fri, 28 Dec 2018 23:27:22 +0000 (01:27 +0200)]
mka: Stop trying to generate and distribute new SAK when not key server
It was possible for a participant to first be elected as a key server
and schedule a new SAK to be generated and distributed just to be
followed by another participant being elected as the key server. That
did not stop the participant that disabled key server functionality to
stop generating the new SAK and then trying to distribute it. That is
not correct behavior, so make these steps conditional on the participant
still being a key server when going through the timer.
Jouni Malinen [Thu, 27 Dec 2018 22:47:53 +0000 (00:47 +0200)]
mka: Fix deleteSAs clearing of principal->new_key
This pointer needs to be cleared when the matching SAK is being removed
from the SAK list. The previous implementation was doing something
pretty strange in the loop by clearing the pointer for any non-matching
key that happened to be iterated through before finding the matching
key. This could probably result in incorrect behavior, but not clearing
the pointer for the matching key could do more harm by causing freed
memory to be referenced.
Jouni Malinen [Thu, 27 Dec 2018 14:37:57 +0000 (16:37 +0200)]
mka: Derive MACsec cipher suite and MKA algorithm table index
Instead of using a specifically set index value from table definition,
use the actual real index of the table entry. This removes need for
maintaining these index values separately. Furthermore, the
mka_alg_tbl[] index was already off-by-one (but not used anywhere).
Jaap Keuter [Fri, 15 Jun 2018 15:06:41 +0000 (17:06 +0200)]
mka: Clean up KaY log output
When running wpa_supplicant (with logging for testing) the log output is
somewhat disorganized for KaY related items. E.g., items are not
aligned, inconsistent type handling, wrong wording, missing labels, etc.
This change tries to clean up the log output, so it is somewhat more
accessible.
Jouni Malinen [Thu, 27 Dec 2018 09:26:27 +0000 (11:26 +0200)]
mka: Remove unused authorization data from CP
While IEEE Std 802.1X-2010 talks about arbitrary authorization data that
could be passed to the CP from sources like RADIUS server, there is not
much point in trying to implement this as an arbitrary memory buffer in
wpa_supplicant. Should such data be supported in the future, it would
much more likely use more detailed data structures that encode the
received data in easier to use form.
Jouni Malinen [Wed, 26 Dec 2018 14:37:49 +0000 (16:37 +0200)]
mka: Extend CAK/CKN-from-EAP-MSK API to pass in MSK length
This can be used to allow 256-bit key hierarchy to be derived from
EAP-based authentication. For now, the MSK length is hardcoded to 128
bits, so the previous behavior is maintained.
Jouni Malinen [Wed, 26 Dec 2018 14:28:27 +0000 (16:28 +0200)]
mka: Allow CAK length 32 (256-bit) to be initialized
The CAK length is not hardcoded in the algorithm agility parameter, so
remove that from the table. Instead, allow both 16 (128-bit) and 32
(256-bit) CAK to be used so that the following key derivations use
appropriate key lengths based on the configured/derived CAK.
Jouni Malinen [Wed, 26 Dec 2018 14:23:29 +0000 (16:23 +0200)]
mka: Determine KCK/ICK length from CAK length
The ICK and KEK are derived from a CAK and the length of the CAK
determines the length of the KCK/ICK. Remove the separate ICK/KEK length
parameters from the algorithm agility table.
Jouni Malinen [Wed, 26 Dec 2018 10:13:40 +0000 (12:13 +0200)]
mka: AES-CMAC-256 -based KDF
Extend the previously implemented KDF (IEEE Std 802.1X-2010, 6.2.1) to
support 256-bit input key and AES-CMAC-256. This does not change any
actual key derivation functionality yet, but is needed as a step towards
supporting 256-bit CAK.
It is possible to get a situation where a peer removes the Key Server
from its live peers list but the server still thinks that the peer is
alive (e.g., high packet loss in one direction). In such a case, the Key
Server will continue to advertise Last Key but this peer will not be
able to set up SA as it has already deleted its key.
Change the peer MI which will force the Key Server to distribute a new
SAK.
There is already partial support of GCM-AES-256. It is possible to
enable this mode by setting 'kay->macsec_csindex = 1;' in
ieee802_1x_kay_init() function, but the generated key contained only 128
bits of data while other 128 bits are in 0.
Enables KaY to generate full 256-bit SAK from the same 128-bit CAK. Note
that this does not support 256-bit CAK or AES-CMAC-256 -based KDF.
According IEEE Std 802.1X-2010, 9.8 each participant shall record the
values of NextPN for last SAK accepted from each Key Server to use it in
case of a switch from one Key Server to another and back. Add LPN
recording and set saved value as the initial PN for the created channel.
It is possible that the driver fails to create Secure Channel (due to
hardware limitations for example). Add checks of create_*_sc() result
codes and abort procedure in case of failure.
mka: Allow configuration of MACsec replay protection
Add new configuration parameters macsec_replay_protect and
macsec_replay_window to allow user to set up MACsec replay protection
feature. Note that according to IEEE Std 802.1X-2010 replay protection
and delay protection are different features: replay protection is
related only to SecY and does not appear on MKA level while delay
protection is something that KaY can use to manage SecY state.
wpa_debug: Support wpa_hexdump_ascii() outputting into syslog
When syslog logging is used output from wpa_hexdump_ascii() was silently
discarded. This patch enables wpa_hexdump_ascii() to print data to
syslog but without ASCII decoding.
Mike Siedzik [Tue, 20 Feb 2018 19:28:45 +0000 (14:28 -0500)]
mka: Do not update potential peer liveness timer
To prevent a remote peer from getting stuck in a perpetual 'potential
peer' state, only update the peer liveness timer 'peer->expire' for live
peers and not for potential peers.
Per IEEE Std 802.1X-2010, 9.4.3 (Determining liveness), potential peers
need to show liveness by including our MI/MN in their transmitted MKPDU
(within potential or live parameter sets).
When a potential peer does include our MI/MN in an MKPDU, we respond by
moving the peer from 'potential_peers' to 'live_peers'.
If a potential peer does not include our MI/MN in an MKPDU within
MKPDU_LIFE_TIME, let the peer expire to facilitate getting back in sync
with the remote peer.
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Mike Siedzik [Tue, 20 Feb 2018 19:28:44 +0000 (14:28 -0500)]
mka: Consider missing MKPDU parameter sets a failure
The previous commit introduced parameter set error checking. This commit
extends upon that by considering missing parameter sets a failure.
Two checks are added by this commit. First, verify that live peers start
encoding MKA_SAK_USE within a reasonable amount of time after going live
(10 MKPDUs). Second, verify that once a live peer starts encoding
MKA_SAK_USE it continues to do so indefinitely.
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Mike Siedzik [Tue, 20 Feb 2018 19:28:43 +0000 (14:28 -0500)]
mka: Do not ignore MKPDU parameter set decoding failures
The status values returned by mka_param_body_handler.body_rx functions
are currently ignored by ieee802_1x_kay_decode_mkpdu(). If a failure is
detected the KaY should (a) stop processing the MKDPU and (b) do not
update the associated peer's liveliness.
IEEE Std 802.1X-2010, Table 11-7 (MKPDU parameter sets) and 11.11.3
(Encoding MKPDUs) dictate that MKA_SAK_USE (set type 3) will always be
encoded before MKA_DISTRIBUTED_SAK (set type 4) in MKPDUs. Due to
implementation of mka_param_body_handler, the code will always decode
MKA_SAK_USE before MKA_DISTRIBUTED_SAK. When MKA_DISTRUBUTED_SAK
contains a new SAK the code should decode MKA_DISTRUBUTED_SAK first so
that the latest SAK is in known before decoding MKA_SAK_USE.
The ideal solution would be to make two passes at MKDPU decoding: the
first pass decodes MKA_DISTRIBUTED_SAK, the second pass decodes all
other parameter sets.
A simpler and less risky solution is presented here: ignore MKA_SAK_USE
failures if MKA_DISTRIBUTED_SAK is also present. The new SAK will be
saved so that the next MKPDU's MKA_SAK_USE can be properly decoded. This
is basically what the code prior to this commit was doing (by ignoring
all errors).
Also, the only real recourse the KaY has when detecting any bad
parameter set is to ignore the MKPDU by not updating the corresponding
peer's liveliness timer, 'peer->expire'.
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Mike Siedzik [Tue, 20 Feb 2018 19:28:42 +0000 (14:28 -0500)]
mka: Fix resource leak when detecting duplicated SCI
If a live peer ever changes its Member Identifier (MI), the KaY
correctly detects a "duplicated SCI" but then proceeds to delete the
peer without deleting the peer's resources (i.e., RxSC, RxSAs, TxSAs).
Note that a remote peer's MI will change if and when an
ieee8021XPaePortInitialize is executed on the remote port.
The solution here is to ignore all MKPDUs containing the new MI until
after the peer (that corresponds to the old MI) expires and cleans up
its resources. After the old peer is removed reception of the next MKPDU
containing the new MI will result in the creation of a new peer with the
new MI.
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Mike Siedzik [Tue, 20 Feb 2018 19:28:39 +0000 (14:28 -0500)]
mka: Fix lowest acceptable Packet Number (LPN) calculation and use
The purpose of the Lowest Acceptable PN (lpn) parameters in the MACsec
SAK Use parameter set is to enforce delay protection. Per IEEE Std
802.1X-2010, Clause 9, "Each SecY uses MKA to communicate the lowest PN
used for transmission with the SAK within the last two seconds, allowing
receivers to bound transmission delays."
When encoding the SAK Use parameter set the KaY should set llpn and olpn
to the lowest PN transmitted by the latest SAK and oldest SAK (if
active) within the last two seconds. Because MKPDUs are transmitted
every 2 seconds (MKA_HELLO_TIME), the solution implemented here
calculates lpn based on the txsc->next_pn read during the previous MKPDU
transmit.
Upon receiving and decoding a SAK Use parameter set with delay
protection enabled, the KaY will update the SecY's lpn if the delay
protect lpn is greater than the SecY's current lpn (which is a product
of last PN received and replay protection and window size).
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Mike Siedzik [Tue, 20 Feb 2018 19:28:38 +0000 (14:28 -0500)]
mka: Fix MKPDU SAK Use Body's Delay Protect bit setting
Delay Protect and Replay Protect are two separate and distinct features
of MKA. Per IEEE Std 802.1X-2010, 9.10.1 "Delay Protect, TRUE if LPNs
are being reported sufficiently frequently to allow the recipient to
provide data delay protection. If FALSE, the LPN can be reported as
zero", and per 9.10 "NOTE--Enforcement of bounded received delay
necessitates transmission of MKPDUs at frequent (0.5 s) intervals, to
meet a maximum data delay of 2 s while minimizing connectivity
interruption due to the possibility of lost or delayed MKPDUs."
This means struct ieee802_1x_mka_sak_use_body::delay_protect should only
be set TRUE when MKPDUs are being transmitted every 0.5 s (or faster).
By default the KaY sends MKPDUs every MKA_HELLO_TIME (2.0 s), so by
default delay_protect should be FALSE.
Add a new 'u32 mka_hello_time' parameter to struct ieee802_1x_kay. If
delay protection is desired, the KaY initialization code should set
kay->mka_hello_time to MKA_BOUNDED_HELLO_TIME (500 ms).
Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
Mike Siedzik [Fri, 2 Mar 2018 20:10:51 +0000 (15:10 -0500)]
mka: Fix conf_offset value in MKPDU when in policy mode SHOULD_SECURE
Commit 7b4d546e ("wpa_supplicant: Add macsec_integ_only setting for
MKA") introduced policy setting SHOULD_ENCRYPT (MACsec provides
integrity+confidentiality) in addition to SHOULD_SECURE (MACsec provides
integrity only). In both cases the KaY is populating the
"Confidentiality Offset" parameter within the "Distributed SAK parameter
set" with CONFIDENTIALITY_OFFSET_0=1. In the case of SHOULD_SECURE the
parameter should be populated with CONFIDENTIALITY_NONE=0.
IEEE Std 802.1X-2010, Table 11-6 and Figure 11-11 define how the two
Confidentiality Offset bits in the "Distributed SAK parameter set" must
be set: "0 if confidentiality not used" and "1 if confidentiality with
no offset". When policy is SHOULD_SECURE KaY should to send the former,
and when policy is SHOULD_ENCRYPT KaY should send the latter.
Fixes: 7b4d546e3dae ("wpa_supplicant: Add macsec_integ_only setting for MKA") Signed-off-by: Michael Siedzik <msiedzik@extremenetworks.com>
michael-dev [Tue, 15 Aug 2017 15:21:03 +0000 (17:21 +0200)]
macsec: Make pre-shared CKN variable length
IEEE Std 802.1X-2010, 9.3.1 defines following restrictions for CKN:
"MKA places no restriction on the format of the CKN, save that it comprise
an integral number of octets, between 1 and 32 (inclusive), and that all
potential members of the CA use the same CKN. No further constraints are
placed on the CKNs used with PSKs, ..."
Hence do not require a 32 octet long CKN but instead allow a shorter CKN
to be configured.
This fixes interoperability with some Aruba switches, that do not accept
a 32 octet long CKN (only support shorter ones).
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
projects / thirdparty / hostap.git / log
