Commit graph

17578 commits

Author SHA1 Message Date
Jouni Malinen
092efd45a6 OpenSSL: Implement AES keywrap using the EVP API
OpenSSL 3.0 deprecated the low-level encryption functions, so use the
EVP API for this. Maintain the previous version for BoringSSL and
LibreSSL since not all versions seem to have the EVP_aes_*_wrap()
functions needed for the EVP API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-09 21:11:10 +03:00
Jouni Malinen
7e4984d9ca OpenSSL: Use a correct EVP_CIPHER_CTX freeing function on an error path
aes_encrypt_init() used incorrect function to free the EVP_CIPHER_CTX
allocated within this function. Fix that to use the OpenSSL function for
freeing the context.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-09 20:42:36 +03:00
Jouni Malinen
658296ea5b tests: Use build_beacon_request() to make beacon request more readable
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-09 19:37:58 +03:00
Jouni Malinen
060a522576 tests: Beacon request - active scan mode and NO_IR channel
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-09 19:17:00 +03:00
Avraham Stern
8e0ac53660 RRM: Include passive channels in active beacon report scan
When receiving a beacon report request with the mode set to active,
channels that are marked as NO_IR were not added to the scan request.
However, active mode just mean that active scan is allowed, but not
that it is a must, so these channels should not be omitted.
Include channels that are marked as NO_IR in the scan request even
if the mode is set to active.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2022-04-09 19:16:35 +03:00
Naïm Favier
0adc67612d wpa_supplicant: Use unique IDs for networks and credentials
The id and cred_id variables are reset to 0 every time the
wpa_config_read() function is called, which is fine as long as it is
only called once. However, this is not the case when using both the -c
and -I options to specify two config files.

This is a problem because the GUI, since commit eadfeb0e93 ("wpa_gui:
Show entire list of networks"), relies on the network IDs being unique
(and increasing), and might get into an infinite loop otherwise.

This is solved by simply making the variables static.

Signed-off-by: Naïm Favier <n@monade.li>
2022-04-09 18:47:01 +03:00
Jouni Malinen
dacb6d278d Update IEEE P802.11ax draft references to published amendment
Get rid of the old references to drafts since the amendment has been
published.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-08 19:50:32 +03:00
Pradeep Kumar Chitrapu
8128ea76af Add Transmit Power Envelope element in 6 GHz
Add Transmit Power Envelope element for 6 GHz per IEEE Std
802.11ax-2021.

Currently, this uses hard coded EIRP/PSD limits which are applicable to
6 GHz operation in United states, Japan, and Korea. Support to extract
power limits from kernel data will be added after complete regulatory
support is added for the 6 GHz band.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 19:50:26 +03:00
Pradeep Kumar Chitrapu
bc3dc72a3a Extend 6 GHz Operation Info field in HE Operation element
Add new field definitions for the 6 GHz Operation Information field in
the HE Operation element per IEEE Std 802.11ax-2021, 9.4.2.249. These
will be used for TPC operation in the 6 GHz band.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 13:22:31 +03:00
Pradeep Kumar Chitrapu
0eb686637d hostapd: Add config option to specify 6 GHz regulatory AP type
IEEE Std 802.11ax-2021 introduces Regulatory Info subfield to specify
the 6 GHz access point type per regulatory. Add a user config option for
specifying this.

When not specified, Indoor AP type is selected for the 6 GHz AP by
default.

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 13:19:10 +03:00
Pradeep Kumar Chitrapu
ee06165e96 hostapd: Extend Country element to support 6 GHz band
Add support for the Country element for the 6 GHz band per IEEE Std
802.11ax-2021, 9.4.2.8 (Country element).

Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-08 12:57:46 +03:00
Jouni Malinen
f5ad972455 PASN: Fix build without CONFIG_TESTING_OPTIONS=y
force_kdk_derivation is defined within CONFIG_TESTING_OPTIONS, so need
to use matching condition when accessing it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:47:31 +03:00
Ilan Peer
3467a701cd wpa_supplicant: Do not associate on 6 GHz with forbidden configurations
On the 6 GHz band the following is not allowed (see IEEE Std
802.11ax-2021, 12.12.2), so do not allow association with an AP using
these configurations:

- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E

In addition, do not allow association if the AP does not advertise a
matching RSNE or does not declare that it is MFP capable.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2022-04-07 00:47:31 +03:00
Yegor Yefremov
43c6eb5e47 SAE-PK: Add the option to the defconfigs
So far, this option was only present in the Makefiles. Document it as
being available for configuration since the WFA program has already been
launched.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-04-07 00:47:31 +03:00
Jouni Malinen
7310995d87 tests: EAP-TLSv1.3 with OCSP stapling
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:47:31 +03:00
Jouni Malinen
1ba0043034 tests: EAP-TLSv1.3 and fragmentation
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:47:31 +03:00
Jouni Malinen
0482251a6d EAP-TLS: Allow TLSv1.3 support to be enabled with build config
The default behavior in wpa_supplicant is to disable use of TLSv1.3 in
EAP-TLS unless explicitly enabled in network configuration. The new
CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to
enable TLSv1.3 by default (if supported by the TLS library).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:45:40 +03:00
Jouni Malinen
202842b8b3 tests: EAP-TLSv1.3 and missing protected success indication
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:45:40 +03:00
Jouni Malinen
7114e56060 EAP-TLS: Testing functionality to skip protected success indication
This server side testing functionality can be used to test EAP-TLSv1.3
peer behavior.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-07 00:43:12 +03:00
Jouni Malinen
95fd54b862 Disconnect STA on continuous EAP reauth without 4-way handshake completion
It could have been possible to get into an endless loop of retried EAP
authentication followed by failing or not completed 4-way handshake if
there was a different interpretation of EAP authentication result
(success on AP, failure on STA). Avoid this by limiting the number of
consecutive EAPOL reauth attempts without completing the following 4-way
handshake.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:28:49 +03:00
Jouni Malinen
9e11e746fa EAP-TLS: Do not allow TLSv1.3 success without protected result indication
RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:28:49 +03:00
Jouni Malinen
6135a8a6aa Stop authentication attemps if AP does not disconnect us
It would have been possible for the authentication attemps to go into a
loop if the AP/Authenticator/authentication server were to believe EAP
authentication succeeded when the local conclusion in Supplicant was
failure. Avoid this by timing out authentication immediately on the
second consecutive EAP authentication failure.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 15:28:49 +03:00
Jouni Malinen
88ab59d71b EAP-TLS: Replace the Commitment Message term with RFC 9190 language
While the drafts for RFC 9190 used a separate Commitment Message term,
that term was removed from the published RFC. Update the debug prints to
match that final language.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 23:05:45 +03:00
Jouni Malinen
63f311b107 EAP-TLS: Update specification references to RFC 5216 and 9190
The previously used references were pointing to an obsoleted RFC and
draft versions. Replace these with current versions.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 22:57:51 +03:00
Chenming Huang
74ae4cf757 Android: Avoid LOCAL_PATH conflicts in builds
Change the top level Android.mk's LOCAL_PATH to S_LOCAL_PATH to
avoid potential LOCAL_PATH conflict in subdirectory's LOCAL_PATH.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 19:48:08 +03:00
Jouni Malinen
5ab3853211 Revert "Android: Compile hs20-osu-client to /vendor/bin in test builds"
This reverts commit 1192d5721b. That
commit disabled hostapd and wpa_supplicant build in user build variants.
Furthermore, it used duplicated TARGET_BUILD_VARIANT checks between the
Android.mk files.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 19:47:44 +03:00
Jouni Malinen
e955998220 tests: WPA2-PSK AP and GTK rekey failing with one STA
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 17:25:24 +03:00
Veerendranath Jakkam
b746cb28bc Add support for not transmitting EAPOL-Key group msg 2/2
To support the STA testbed role, the STA has to disable transmitting
EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to
disable sending EAPOL-Key group msg 2/2 of Group Key Handshake.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2022-04-05 17:06:32 +03:00
Karthikeyan Kathirvel
d27f7bd946 FILS: Fix config check to allow unsolicited broadcast Probe Response
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.

Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
2022-04-05 00:33:33 +03:00
Jouni Malinen
b1cc775cf3 tests: Opportunistic Wireless Encryption - duplicated association attempt
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
65a3a273cd OWE: Reuse own DH private key in AP if STA tries OWE association again
This is a workaround for mac80211 behavior of retransmitting the
Association Request frames multiple times if the link layer retries
(i.e., seq# remains same) fail. The mac80211 initiated retransmission
will use a different seq# and as such, will go through duplicate
detection. If we were to change our DH key for that attempt, there would
be two different DH shared secrets and the STA would likely select the
wrong one.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Yegor Yefremov
6ff8bda992 hostapd: Add the missing CONFIG_SAE option to the defconfig
CONFIG_SAE was added to wpa_supplicant's defconfig but wasn't
added to the hostapd's defconfig file.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-04-02 17:52:50 +03:00
Masashi Honma
1f5b6085c1 Fix SIGSEGV of eapol_test
Running eapol_test to FreeRADIUS 3.0.25 causes trailing SIGSEGV.

WPA_TRACE: eloop SIGSEGV - START
[1]: ./eapol_test(+0x67de6) [0x55b84fa4ade6]
     eloop_sigsegv_handler() ../src/utils/eloop.c:123
[2]: /lib/x86_64-linux-gnu/libc.so.6(+0x430c0) [0x7fec94ad20c0]
[3]: ./eapol_test(dpp_tcp_conn_status_requested+0x4) [0x55b84fa7e674]
     dpp_tcp_conn_status_requested() ../src/common/dpp_tcp.c:2246
[4]: ./eapol_test(wpas_dpp_connected+0x3c) [0x55b84fa816dc]
     wpas_dpp_connected() dpp_supplicant.c:437
[5]: ./eapol_test(wpa_supplicant_set_state+0x48d) [0x55b84fc12c9d]
     wpa_supplicant_set_state() wpa_supplicant.c:1067
[6]: ./eapol_test(eapol_sm_step+0x4b4) [0x55b84fb3b994]
     sm_SUPP_PAE_Step() ../src/eapol_supp/eapol_supp_sm.c:419
     eapol_sm_step() ../src/eapol_supp/eapol_supp_sm.c:989
[7]: ./eapol_test(eapol_sm_rx_eapol+0x190) [0x55b84fb3c060]
     eapol_sm_rx_eapol() ../src/eapol_supp/eapol_supp_sm.c:1293
[8]: ./eapol_test(+0x24760f) [0x55b84fc2a60f]
     ieee802_1x_decapsulate_radius() eapol_test.c:834
     ieee802_1x_receive_auth() eapol_test.c:945
[9]: ./eapol_test(+0x248d46) [0x55b84fc2bd46]
     radius_client_receive() ../src/radius/radius_client.c:937
[10]: ./eapol_test(+0x68323) [0x55b84fa4b323]
     eloop_sock_table_dispatch() ../src/utils/eloop.c:606
[11]: ./eapol_test(eloop_run+0x251) [0x55b84fa4be51]
     eloop_sock_table_dispatch() ../src/utils/eloop.c:597
     eloop_run() ../src/utils/eloop.c:1234
[12]: ./eapol_test(main+0x8cf) [0x55b84fa30d6f]
     main() eapol_test.c:1517
WPA_TRACE: eloop SIGSEGV - END
Aborted (core dumped)

Fixes: 33cb47cf01 ("DPP: Fix connection result reporting when using TCP")
Reported-by: Alexander Clouter <alex+hostapd@coremem.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2022-04-02 17:52:50 +03:00
Jouni Malinen
576662d277 ieee802_11_auth: Coding style cleanup - NULL comparison
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
945acf3ef0 ieee802_11_auth: Coding style cleanup - no string constant splitting
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
1a630283db tests: wpa_psk_radius=3
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:50 +03:00
Jouni Malinen
1c3438fec4 RADIUS ACL/PSK check during 4-way handshake
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 17:52:32 +03:00
Jouni Malinen
5b5c954c04 Fix AP config check to recognize all PSK AKMs
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-02 16:26:02 +03:00
Kiran Kumar Lokere
c5d9f9064b QCA vendor attribute to indicate NDP interface managemtn using nl80211
Add a QCA_WLAN_VENDOR_FEATURE_USE_ADD_DEL_VIRTUAL_INTF_FOR_NDI
flag to indicate that the driver requires add/del virtual interface
path using the generic nl80211 commands for NDP interface create/delete
and to register/unregister of netdev instead of creating/deleting
the NDP interface using vendor commands.

With the latest Linux kernel (5.12 version onward), interface
creation/deletion is not allowed using vendor commands as it leads to a
deadlock while acquiring the RTNL_LOCK during the register/unregister of
netdev. Create and delete NDP interface using NL80211_CMD_NEW_INTERFACE
and NL80211_CMD_DEL_INTERFACE commands respectively if the driver
advertises this capability.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-01 18:57:09 +03:00
Xin Deng
a9c90475bb FT: Update current_bss to target AP before check for SME-in-driver
STA needs to check AP's information after receive reassociation
response. STA uses connected AP's Beacon/Probe Response frame to compare
with Reassociation Response frame of the target AP currently. However,
if one AP supports OCV and the other AP doesn't support OCV, STA will
fail to verify RSN capability, then disconnect. Update current_bss to
the target AP before check, so that STA can compare correct AP's RSN
information in Reassociation Response frame.

Signed-off-by: Xin Deng <quic_deng@quicinc.com>
2022-04-01 12:22:47 +03:00
Jouni Malinen
0c88d1487c Debug print on CONFIG_NO_TKIP=y prevent RSNE with TKIP as group cipher
This makes the debug log clearer for one of the more likely cases of
"invalid group cipher" preventing RSNE parsing.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-01 11:13:10 +03:00
Sreeramya Soratkal
d5a9331f97 P2P: Copy only valid opclasses while filtering out 6 GHz channels
Copy channels from only valid operating classes in the source channel
list while preparing a non-6 GHz channel/op-classes list when the 6 GHz
band is not used for P2P GO negotiation.

Earlier, during preparation of P2P channels for GO negotiation, a union
of the GO channels and the P2P Client channels is used. While generating
the union in p2p_channels_union_inplace() as the first list itself has
P2P_MAX_REG_CLASSES number of entries, the operating classes from the
second list which are not in the first list were not getting considered.

Fix this by not setting the dst->reg_classes to too large a value.

Fixes: f7d4f1cbec ("P2P: Add a mechanism for allowing 6 GHz channels in channel lists")
Signed-off-by: Sreeramya Soratkal <quic_ssramya@quicinc.com>
2022-03-30 20:42:14 +03:00
Jouni Malinen
99c91beaad Sync with wireless-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2022-03-11.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-03-28 19:40:23 +03:00
Jouni Malinen
1fb907a684 tests: wpa_supplicant AP mode - ACL management
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-03-24 23:22:42 +02:00
Chaoli Zhou
d9121335a0 wpa_cli: Add ACL and BTM control commands
Add AP mode commands for ACL and BTM into wpa_cli similarly to the way
these were already available in hostapd_cli.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
00622fcfef Extend ACL to install allow/deny list to the driver dynamically
Support installing the updated allow/deny list to the driver if it
supports ACL offload. Previously, only the not-offloaded cases were
updated dynamically.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
077bce96f3 Set drv_max_acl_mac_addrs in wpa_supplicant AP mode
hostapd code will need this for offloading ACL to the driver.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
9828aba16e Support ACL operations in wpa_supplicant AP mode
Extend AP mode ACL control interface commands to work from
wpa_supplicant in addition to the previously supported hostapd case.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:50 +02:00
Chaoli Zhou
fd0d738ff4 Add return value to ACL functions
While these do not return error code within the current hostapd
implementation, matching functions in wpa_supplicant AP functionality
will have an error case and using consistent return type will make the
control interface code more consistent.

In addition, export hostapd_set_acl() in preparation for the
wpa_supplicant control interface implementation extension.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 20:53:28 +02:00
Chaoli Zhou
f5ac428116 Move ACL control interface commands into shared files
This is a step towards allowing these commands to be used from
wpa_supplicant.

Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
2022-03-24 14:22:24 +02:00