Commit graph

18966 commits

Author SHA1 Message Date
Juliusz Sosinowicz
7ebb5469b3 wolfSSL: Improve error checking and logging in AES functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
10fd91d8fb wolfSSL: Better error message in pbkdf2_sha1() for FIPS password failure
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
aa4c4d079b wolfSSL: Always clean up resources and log errors in wolfssl_hmac_vector()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
644d87c34a wolfSSL: Improve error checking in vector hashing functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
5e20b924da wolfSSL: Add crypto logging macros
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a0e8d9ae71 wolfSSL: Add FIPS warning
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
48a65d47cd wolfSSL: Put wolfSSL headers in alphabetical order
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a2eeb7f6dd wolfSSL: Add more precise logging in wolfssl_handshake()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
83f144bf6a wolfSSL: Debug print ciphersuites
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Jouni Malinen
effe5bbff7 tests: Fix DPP test case skipping without CONFIG_DPP
dpp_config_legacy_gen_two_conf_psk and dpp_config_legacy_gen_two_conf
tried to set a DPP parameter before having verified that CONFIG_DPP was
used in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 18:18:25 +02:00
Jouni Malinen
568a5a8159 EHT: Include crypto.h to avoid implicit function definition
crypto_ec_*() were not defined in some build configuration cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 15:05:15 +02:00
Jouni Malinen
004f618613 tests: Wait before initiating DPP from thread in sigma_dut testing
Starting a thread to initiate DPP before starting the responder through
sigma_dut can result in unexpected testing behavior since there may not
be enough time to get the responder enabled before timing out som
initiator actions. Wait a second at the beginning of the initiator
thread in dpp_init_conf() similarly to how this was handled in other
initiator-from-thread cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 12:41:02 +02:00
Jouni Malinen
cefd959566 tests: Terminate sigma_dut more forcefully if needed
Wait for stdout/stderr in a more robust manner to avoid blocking the
pipes and kill the sigma_dut process if it fails to terminate cleanly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 12:31:23 +02:00
Jouni Malinen
0776c51ed7 DPP: Handle wpas_dpp_connected() processing in eloop callback
wpas_dpp_connected() is called from wpa_supplicant_set_state(), i.e.,
from the middle of processing of the post 4-way handshake steps. Sending
a DPP Public Action frame at that point can delay other operations, so
allow those steps to be completed first before sending out the DPP
connection status result.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 11:58:14 +02:00
Jouni Malinen
8dd272fded tests: Avoid race condition in DPP GAS protocol testing
Responder receives Authentication Request and Config Request in a
sequence and it is possible for the Config Request to be received before
MGMT_RX_PROCESS has been processed for Authentication Request in the
cases where the test script is in the middle of RX processing. This can
result in DPP-AUTH-SUCCESS being delivered only after the MGMT-RX event
for Config Reques which means that wait_auth_success() would lose that
MGMT-RX event.

Avoid this issue by caching the "extra" MGMT-RX event within
wait_auth_success() and having the caller verify if the Config Request
(GAS Initial Request) has already been received before waiting to
receive it.

This makes dpp_gas, dpp_gas_comeback_after_failure, and
dpp_gas_timeout_handling more robust.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 11:33:15 +02:00
Jouni Malinen
5c5f86900b DPP: Start next auth init from driver event to avoid race condition
It looks like mac80211 ROC handling can end up postponing offchannel TX
operation by the previously started and already canceled wait time if
the new NL80211_CMD_FRAME is issued immediately after
NL80211_CMD_FRAME_WAIT_CANCEL. Make this more robust by waiting for the
driver event that indicates completion of the cancel operation (i.e.,
NL80211_CMD_FRAME_WAIT_CANCEL as an event) before issuing
NL80211_CMD_FRAME for another channel. If the driver event is not
received within 10 ms, start the operation anyway to avoid unexpected
behavior if there are drivers that do not end up notifying end of the
wait.

This fixes some issues with authentication initiation for cases where
multiple channels are iterated. This can also significantly speed up
that process.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 11:11:46 +02:00
Jouni Malinen
7e9efc3cdf tests: Handle race condition in eap_proto_md5_server
UML time travel allows the deauthentication event to be processed more
quickly than the delivery of EAP-Success to the client through the test
script, so accept either sequence here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 09:53:58 +02:00
Jouni Malinen
69be335a5d tests: Do not dump pending monitor events after connection
connect_network() tried to make test log more readable with a
dump_monitor() call at the end of the function. However, this could end
up practically dropping an event that arrives more or less immediately
after CTRL-EVENT-CONNECTED. This could happen with UML time travel,
e.g., in suite_b_192_pmksa_caching_roam.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 22:59:33 +02:00
Jouni Malinen
7fbd391138 tests: ap_hs20_remediation_required_ctrl with UML time travel
Wait for hostapd connection event before issue HS20_WNM_NOTIF to avoid a
race condition with UML time travel.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 22:28:22 +02:00
Jouni Malinen
f9965a6505 Use os_reltime_initialized() for Michael MIC failure event
The first event could have theoretically been received with reltime
sec=0, so use the helper function to check whether the reltime value is
actually set so that the usec part is checked as well. This is not going
to have a difference in practice, but it was possible to hit this corner
case with mac80211_hwsim testing (ap_cipher_tkip_countermeasures_sta)
using UML and time travel.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 22:02:18 +02:00
Ilan Peer
f321705e31 tests: Add basic test for 802.1X-SHA384 with EAP-PSK
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-03 17:08:36 +02:00
Ilan Peer
a8517c132c Add support for AKM suite 00-0F-AC:23
Add support for Authentication negotiated over IEEE Std 802.1X
with key derivation function using SHA-384.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-03 17:08:36 +02:00
Daniel Gabay
005b0ce367 defs: Enclose all structs between the pragmas
Many of the STRUCT_PACKED structs are not within the pragmas resulting
in wrong packing using MSVC. Fix it by moving pragma to EOF to ensure
proper packing.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
2023-11-03 16:29:55 +02:00
Jouni Malinen
dacadc3f68 tests: HE AP on 80 MHz channel and CW change notification
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 16:28:13 +02:00
Vignesh C
41a60f6586 hostapd: Add support to send CW change notification
Add hostapd_cli command to notify channel width change to all
associated STAs.

Notify Channel Width frame for HT STAs.
(IEEE P802.11-REVme/D4.0, 9.6.11.2)

Operating Mode Notification frame for VHT STAs.
(IEEE P802.11-REVme/D4.0, 9.6.22.4)

Usage: hostapd_cli notify_cw_change <channel_width>
<channel_width> = 0 - 20 MHz, 1 - 40 MHz, 2 - 80 MHz, 3 - 160 MHz.

Co-developed-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
Signed-off-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
Signed-off-by: Vignesh C <quic_vignc@quicinc.com>
2023-11-03 16:19:11 +02:00
Jouni Malinen
835479b3d6 tests: Mesh BSS on 5 GHz band channel 140
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 16:05:03 +02:00
Ramya Gnanasekar
544801d74c wpa_supplicant: Add channel 140 to ht40plus allowed list for mesh/IBSS
When channel 140 is configured in mesh, interface fails to come up due
to channel bond (136,140). Since Channel 136 is not HT40+ capable,
validation for HT channel bonding fails when it checks whether first
channel in the bond (channel 136) is HT40+ capable.

In mesh, during channel setup, secondary channel offset for the
configured channel will be selected as +1 if primary channel is capable
of HT40+. In current code, channel 140 is not allowed as HT40+ and hence
secondary channel offset is selected as -1, which makes 136 as secondary
channel. But channel 136 is not HT40+ supported and fails in channel
bonding validation.

Add 140 to HT40+ allowed list as HT40+ is supported for the channel.

Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
2023-11-03 16:04:58 +02:00
Hu Wang
75d33c988f OWE: Fix for entry->ssid possibly NULL dereference
Pointer entry->ssid might be passed to owe_trans_ssid_match() function
as argument 3 with NULL value, and it may be dereferenced there. This
looks like a theoretical case that would not be reached in practice, but
anyway, it is better to check entry->ssid != NULL more consistently.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-03 15:49:50 +02:00
Sebastian Priebe
e97d7c5a6a Only advertise MSCS and SCS in Association Request if supported by AP
Since wpa_supplicant version 2.10 the extended capabilities MSCS and SCS
are advertised in the (Re)Association Request frames.

This causes the association request to be rejected by several access
points. Issue was observed with:
- D-Link DIR600
- TP-Link AC1900
- Synology MR2200ac

To avoid this issue the extended capabilities MSCS and SCS shall only be
added if the bss also supports them. While this may not follow the exact
behavior described in IEEE 802.11, this is a reasonable compromise to
avoid interoperability issues since these capabilities cannot be used
with an AP that does not support them anyway.

Note: The Extended Capabilities element is only included in the
Association Request frames if the AP also sent its extended capabilities
(see wpas_populate_assoc_ies()) as a workaround for misbehaving APs.
This workaround exists since version 2.1.

Signed-off-by: Sebastian Priebe <sebastian.priebe@konplan.com>
2023-11-03 13:10:01 +02:00
Jurijs Soloveckis
a5d0bb42a2 Reduce delay between Association Request and Association Response
There is a delay between sending Association Response frame after having
received Association Request frame, due to the fact that between
receiving the request and sending the response the Beacon frame contents
is updated, after analyzing inputs from the STA. There may be several
updates if multiple fields need to change. This can cause issues with
some devices in noisy environments with many BSSs and connected STAs.

Optimize this by updating the beacon only once, even if there are
multiple reasons for updates.

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-11-03 12:58:35 +02:00
Allen.Ye
3f2c41e318 Check max number of TBTT info when adding Neighbor AP Information field
If the number of TBTT info is greater than RNR_TBTT_INFO_COUNT_MAX, the
new Neighbor AP Information field would need to be added in the RNR
element. However, the condition of adding Neighbor AP Information field
does not consider number of TBTT info. That would cause invalid Neighbor
AP Information field (the while loop will fill data by eid pointer) when
setting RNR element.

Signed-off-by: Allen.Ye <allen.ye@mediatek.com>
2023-11-02 16:27:56 +02:00
Michael-CY Lee
fc0b0cdcb9 hostapd: Avoid unnecessary Beacon frame update for co-location
When it comes to set some BSS's beacon, there are two reasons to
update the beacon of co-located hostapd_iface(s) at the same time:
1. 6 GHz out-of-band discovery
2. MLD operational parameters update

BSS load update is unrelated with the above two reasons, and therefore
is not the case to update beacon for co-location. Moreover, updating
beacon for co-location when BSS load update makes hostapd set beacon too
frequently, which makes hostapd busy setting beacon in a multi-BSS case.

Add a new function to update beacon only for current BSS and use the
function during BSS load update.

Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: Money Wang <money.wang@mediatek.com>
2023-11-02 16:18:36 +02:00
Jurijs Soloveckis
8056b79ff1 Add DSSS Parameter Set element only for 2.4 GHz
From IEEE 802.11:
The DSSS Parameter Set element is present within Beacon frames
generated by STAs using Clause 15, Clause 16, and Clause 18
PHYs.
The element is present within Beacon frames generated by STAs
using a Clause 19 PHY in the 2.4 GHz band.

Same is applied to the Probe Response frame.

Do not include the DSSS Parameters Set element when operating on other
bands.

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-11-02 16:16:53 +02:00
Daniel Gabay
056e688290 common: Fix ieee802_11_rsnx_capab()
The function should return bool (0/1) and not int. In some environments
bool may be defined as unsigned char, so bits higher then 7 will be
discarded during the downcast. Fix it.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-02 16:09:08 +02:00
Jouni Malinen
ed4e845576 tests: Work around race condition for TRANSITION-DISABLE processing
This event may be sent before CTRL-EVENT-CONNECTED, so modify the test
cases to wait directly for TRANSITION-DISABLE by skipping the separate
wait for CTRL-EVENT-CONNECTED.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-02 15:57:39 +02:00
Jouni Malinen
4a28e0cb9c tests: Fix sigma_dut interaction with multiple status lines
It is possible for the sigma_dut process to be scheduled in a manner
that ends up combining the status,RUNNING and status,COMPLETE lines into
a single TCP message. This was supposed to be handled in the
sigma_dut_cmd() implementations, but that design had been broken by code
refactoring that changed the indentation level incorrectly.

Fixes: d68946d510 ("tests: sigma_dut and DPP push button first on Enrollee")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-02 15:54:29 +02:00
Jouni Malinen
f851ac2b60 test: Beacon protection and unicast Beacon frame
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-02 15:31:32 +02:00
Jouni Malinen
ddf026b1c6 tests: HE AP MBSSID with mixed security (WPA2-Personal + WPA3-Personal)
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-31 16:07:36 +02:00
Jouni Malinen
ab3e679ae5 MBSSID: Check xrates_supported for all BSSs explicitly
This is needed to avoid generating an nontransmitted BSS profile that
would claim the Extended Rates element to be non-inherited.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-31 15:52:42 +02:00
Jouni Malinen
4bfc007b61 MBSSID: Fix Non-Inheritance element encoding
The List of Element ID Extensions field is not an optional field, so
include it in the Non-Inheritance element with Length=0 to indicate that
there is no Element ID Extension List.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-31 15:51:30 +02:00
Matthew Wang
42add3c27b Scan 6 GHz channels after change to 6 GHz-allowed regdom
Drivers will often report regdom changes in the middle of a scan if they
detect during that scan that the regulatory domain has changed. If this
happens and we enter a regdom that supports 6 GHz channels when the
previous one didn't (this often happens in 6 GHz-capable regdoms for
devices after suspend/resume), immediately trigger a 6 GHz-only scan if
we were not able to connect to an AP on a legacy band.

This should significantly improve connection time to 6 GHz AP after
regdom has been reset.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Matthew Wang
0b8a672253 Parse 6 GHz capability from driver capabilities
Store 6 GHz capability on channel list update for wpa_supplicant use.
This will be used in the next commit to extend scanning behavior based
on changes to 6 GHz channel availability.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Matthew Wang
41baf0159a nl80211: Fix uses_6ghz flag
Presence of any 6ghz channels indicates nl80211 driver 6 GHz support,
not non-DISABLED channels. This increases the timeout for scan
completion for cases where 6 GHz might get scanned even if all the
channel there are currently DISABLED.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Matthew Wang
17bdf34c49 Use default IEs in wpa_supplicant_trigger_scan()
wpa_supplicant_trigger_scan() previously wouldn't include any of the IEs
generated by wpa_supplicant_extra_ies(). Instruct it to do so in most
cases. This is necessary because MBO STAs are required to include MBO
capabilities in their Probe Request frames.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Jouni Malinen
ccefa6419c tests: rrm_beacon_req_active_scan_fail to allow implementation change
Use more specific condition for the allocation failure to allow
wpa_supplicant_trigger_scan() implementation to be modified without
making this test case fail.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-31 12:01:15 +02:00
Jouni Malinen
909361e28e tests: Redesign bgscan_*_scan_failure to work with implementation change
Wait for allocation failure using wait_fail_trigger() instead of waiting
for a scan failure event since that failure event will go away with
implementation change.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-31 11:57:20 +02:00
Jouni Malinen
77785da667 tests: WPA3/GCMP-256 connection at Suite B 192-bit level and OKC
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-30 19:53:18 +02:00
Jouni Malinen
aac288914e OKC with Suite B AKMPs in hostapd
To support Opportunistic Key Caching for Suite B key management, KCK
needs to be stored on PMKSA to derive the new PMKID correctly when
processing reassociation from a STA to a new AP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-30 19:52:06 +02:00
Vinoth V
0c9df339f5 OKC with Suite B AKMPs in wpa_supplicant
To support Opportunistic Key Caching for Suite B key management, KCK
needs to be stored on PMKSA to derive the new PMKID correctly for the
new roaming AP.

Signed-off-by: Vinoth V <vinoth117@gmail.com>
2023-10-30 19:50:27 +02:00
Qiwei Cai
2bd8887e9f P2P: Pass the known BSSID to the driver to optimize scan time
After GO negotiation is completed, the P2P Client needs to scan the GO
before connecting. Only SSID was specified for this and the driver still
might need to scan all channels which wastes time. wpa_supplicant can
pass the known BSSID in the scan request in additional P2P cases and
this allows the driver sto stop the scan once the specific BSSID is
found. This helps reduce some time for P2P connection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-30 19:25:42 +02:00