Commit graph

18851 commits

Author SHA1 Message Date
Jouni Malinen
2be1bcaf74 EAP-TLS peer: Fix protected success indication check for resumed session
The internal flag prot_success_received was not cleared between the
sessions and that resulted in the resumed session not mandating the
protected success indication to be received. Fix this by clearing the
internal flag so that the EAP-TLS handshake using session resumption
with TLS 1.3 takes care of the required check before marking the
authentication successfully completed. This will make the EAP-TLS peer
reject an EAP-Success message should it be received without the
protected success indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 17:16:44 +03:00
Jouni Malinen
1c66276d9a EAP-TLS server: Send final TLS message for resumed session with TLS 1.3
The final message with NewSessionTicket and ApplicationData(0x00) was
already generated, but that was not sent out due the session considered
to be already completed. Fix this by actually sending out that message
to allow the peer to receive the new session ticket and protected
success indication when using resuming a session with TLS 1.3.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 17:16:44 +03:00
Jouni Malinen
81e2498889 OpenSSL: Limit the number of TLS 1.3 session tickets to one
One session ticket is sufficient for EAP-TLS, so do not bother
generating more than a single session ticket.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-02 17:16:39 +03:00
Yegor Yefremov
d26247c3de wpa_supplicant/README-WPS: Beautifications
Fix grammar, remove spaces, and new lines.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-05-01 18:24:23 +03:00
Alexander Clouter
a8d058c939 OpenSSL: SSLKEYLOGFILE capability to allow Wireshark TLS decoding
A port of the trivial patch I wrote for FreeRADIUS to allow TLS decoding
in Wireshark for hostapd/wpa_supplicant:

df0eb0a884

Signed-off-by: Alexander Clouter <alex@coremem.com>
2022-05-01 18:23:59 +03:00
Juliusz Sosinowicz
3890fa5031 tests: Enable additional TLS test cases with wolfSSL
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:27:11 +03:00
Juliusz Sosinowicz
23f389068e wolfSSL: Fix OCSP stapling
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:27:04 +03:00
Juliusz Sosinowicz
a2971f8d8e wolfSSL: Allow TLS version 1.3 to be disabled
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:26:59 +03:00
Juliusz Sosinowicz
a40e48fbe1 wolfSSL: Fix TLS 1.3 session handling
Uses the changes to wolfSSL found in
https://github.com/wolfSSL/wolfssl/pull/5078

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:26:52 +03:00
Juliusz Sosinowicz
0c3f68f2a0 wolfSSL: Check for the too-short-password error in pbkdf2_sha1()
This may fail with FIPS builds because the FIPS requirement is that the
password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:13:34 +03:00
Juliusz Sosinowicz
ca26224815 Check the return of pbkdf2_sha1() for errors
pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:13:31 +03:00
Juliusz Sosinowicz
013cd694d9 wolfSSL: Fixes for FIPS builds
Some API is not available when using FIPS. We need to allocate memory
and initialize the structs directly.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:04:16 +03:00
Juliusz Sosinowicz
9d5f8168fc wolfSSL: Register a FIPS callback
Register a callback with wolfCrypt_SetCb_fips to inform the user of
errors in the wolfCrypt FIPS module.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:03:50 +03:00
Juliusz Sosinowicz
b3333a9f4c tests: Add a note for wolfSSL testing with Brainpool curves
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:02:31 +03:00
Juliusz Sosinowicz
8f36e6c0f4 wolfSSL: Implement crypto_ec_key wrappers
These are needed to support SAEK-PK with the wolfSSL backend.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 17:01:34 +03:00
Juliusz Sosinowicz
1f7e10177a wolfSSL: Add missing free calls for wolfSSL structs
In some configurations the wc_Init*() functions may either allocate
memory or other system resources. These resources need to be freed.

Co-authored-by: JacobBarthelmeh <jacob@wolfssl.com>
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 16:35:36 +03:00
Juliusz Sosinowicz
ec1cd91e72 wolfSSL: Support both DER and PEM blobs
Add support for loading private keys and certificates in both PEM and
DER formats with wolfSSL.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-05-01 16:34:39 +03:00
Jouni Malinen
924fa4c5d9 tests: IMSI privacy with imsi_privacy_key on peer
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:16 +03:00
Jouni Malinen
42871a5d25 EAP-SIM/AKA peer: IMSI privacy
Add support for IMSI privacy in the EAP-SIM/AKA peer implementation. If
the new wpa_supplicant network configuration parameter imsi_privacy_key
is used to specify an RSA public key in a form of a PEM encoded X.509v3
certificate, that key will be used to encrypt the permanent identity
(IMSI) in the transmitted EAP messages.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:16 +03:00
Jouni Malinen
9dd2ea5368 tests: IMSI privacy with imsi_identity
Add RSA public key (in an X.509v3 certificate) and private key for IMSI
privacy. These were generated with
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 7500 \
	-keyout imsi-privacy-key.pem -out imsi-privacy-cert.pem

Test the case where wpa_supplicant side RSA-OAEP operation for IMSI
privacy is done in an external component while the hostapd (EAP server)
processing of the encrypted identity is internal.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:16 +03:00
Jouni Malinen
21098e39fe EAP-SIM/AKA server: IMSI privacy
Add support for IMSI privacy in the EAP-SIM/AKA server implementation.
If the new hostapd configuration parameter imsi_privacy_key is used to
specify an RSA private key, that key will be used to decrypt encrypted
permanent identity.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:16 +03:00
Jouni Malinen
36b11bbcff OpenSSL: RSA-OAEP-SHA-256 encryption/decryption
Add new crypto wrappers for performing RSA-OAEP-SHA-256 encryption and
decryption. These are needed for IMSI privacy.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-01 16:25:06 +03:00
Muna Sinada
c3d389b72f EHT: Channel switch command support
Add option to hostapd control interface CHAN_SWITCH command to allow
switch in EHT mode.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:44:18 +03:00
Muna Sinada
dae7940a48 EHT: Additions to hostapd_set_freq_params()
Modify hostapd_set_freq_params() to include EHT parameters and update
the calling functions to match.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:40:13 +03:00
Aloka Dixit
e646b11fea EHT: Indicate EHT support in Neighbor Report element
Set bit 21 in the neighbor report for an EHT AP as described in IEEE
P802.11be/D1.5, 9.4.2.36. Also move the check for HE outside the check
for HT as neither HT nor VHT are enabled in the 6 GHz band.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:30:26 +03:00
Aloka Dixit
f915d52dee EHT: Provide EHT capabilities in STA addition path
Add support for EHT capabilities in the addition of a new station entry
to the driver.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
a6d1b4c46c EHT: Process (Re)Association Request frame capabilities
Parse EHT capabilities sent by a non-AP STA in (Re)Association Request
frames. Validate the length of the element, matching MCS rates between
AP TX and STA RX. Store the capabilities in the station info structure.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
340c0e2122 EHT: Parse elements received in Management frames
Parse and store pointers to EHT Capabilities and Operation elements
received in Management frames.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
d54e3d0495 EHT: Add operation element in AP mode Management frames
Add EHT Operation element in Beacon, Probe Response, and (Re)Association
Response frames using the format described in IEEE P802.11be/D1.5,
9.4.2.311.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
9b7202d665 EHT: Add capabilities element in AP mode Management frames
Add EHT Capabilities element in Beacon, Probe Response, and
(Re)Association Response frames.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:40 +03:00
Aloka Dixit
a7ea721889 EHT: Add configuration options for beamforming capabilities
Add configuration options to set EHT SU/MU beamforming capabilities.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Aloka Dixit
8db3881c76 EHT: Add operating channel width configuration
Add new configuration options to configure EHT operating channel
width and center frequency.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Aloka Dixit
8dcc2139ff EHT: AP mode configuration options to enable/disable the support
Add compilation support for IEEE 802.11be along with options to enable
EHT support per radio and disable per interface.

Enabling HE is mandatory to enable EHT mode.

Tested-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:28:39 +03:00
Aloka Dixit
9f7da264bd nl80211: Pass station's EHT capabilities to the driver in sta_add()
Pass non-AP STA's EHT capabilities to the driver using the
NL80211_ATTR_EHT_CAPABILITY attribute.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 17:27:52 +03:00
Aloka Dixit
0c8a9aa5d2 nl80211: Parse EHT capabilities from the driver
Add nl80211 support to parse the EHT capabilities passed by the kernel
using new attributes added in NL80211_BAND_ATTR_IFTYPE_DATA.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 15:31:07 +03:00
Aloka Dixit
c08b735fdb EHT: Define EHT elements
Define the following fields described in IEEE P802.11be/D1.5:
- 9.4.2.311 EHT Operation element
- 9.4.2.313 EHT Capabilities element

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
2022-04-29 15:13:08 +03:00
Jouni Malinen
1a716f86af defconfig: Document IEEE 802.11ax as a published amendment
The comment about the IEEE 802.11ax functionality being experimental and
based on a not yet finalized standard is not accurate anymore since IEEE
Std 802.11ax-2021 has already been published. Remove that comment and
add the entry for wpa_supplicant as well.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-29 15:13:08 +03:00
Jouni Malinen
894b0a120f tests: HE with 20 MHz channel width on 6 GHz
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-29 11:19:43 +03:00
Jouni Malinen
794011d465 tests: Update regulatory database to VMs
Update the wireless-regdb database to the wireless-regdb.git version of
2022-04-08.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-29 11:19:43 +03:00
Jouni Malinen
86310c2202 Set hostapd hw_mode automatically based on 6 GHz op_class
Allow hostapd configuration to specify use of the 6 GHz band with the
specific op_class values without having to set the hw_mode=a parameter
explicitly.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-29 11:19:43 +03:00
Jouni Malinen
664fd83d59 nl80211: Increase the buffer length for debug printing channels
The previously used buffer was not large enough to be able to print out
all 6 GHz channels, so use a larger buffer to avoid leaving out
supported channels from the debug print.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-28 21:15:41 +03:00
Gururaj Pandurangi
563162a5f5 QCA vendor attribute to allow eMLSR HW mode
Add QCA_WLAN_VENDOR_ATTR_WIFI_TEST_CONFIG_11BE_EMLSR_MODE value to allow
or disallow eMLSR hardware mode for IEEE 802.11be MLO capable devices.
If this attribute is set to 1, and if the firmware supports this
capability too, the STA advertises this capability to the AP over
Association Request frame. This attribute will not have any effect on
legacy devices with no IEEE 802.11be support.

Signed-off-by: Gururaj Pandurangi <quic_panduran@quicinc.com>
2022-04-28 21:09:41 +03:00
Jouni Malinen
1e34bc49cd OpenSSL: Track SSL_SESSION ex data separately
It looks like the OpenSSL callbacks for SSL_SESSION can end up calling
the remove callback for multiple SSL_SESSION entries that share the same
ex data. This could result in double freeing the session data on the
server side.

Track the SSL_SESSION ex data in a separate list and free the
allocations only if they are pointing to a valid allocated wpabuf
pointer.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-27 20:43:41 +03:00
Jouni Malinen
b5b5a3951a tests: MBO and dynamic association disallowed change with passive scanning
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-24 12:12:21 +03:00
Kuan-Chung Chen
734fa392f7 MBO: Check association disallowed in Beacon frames, if newer
When a station receives either a Beacon frame or a Probe Response frame
from an AP that contains an MBO element with the Association Disallowed
attribute, the station should prevent association to that AP. When using
passive scanning, it is possible for the scan results to contain the
latest information in the Beacon frame elements instead of the Probe
Response frame elements. That could result in using old information and
not noticing the AP having changed its state to disallowing new
associations.

Make it more likely to follow the AP's change to disallow associations
by checking the Beacon frame elements instead of Probe Response frame
elements if the scan results are known to contain newer information for
the Beacon frame.

Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
2022-04-24 12:12:21 +03:00
Jouni Malinen
284e3ad196 Determine whether Beacon frame information is newer in scan results
It can be helpful to know whether the information elements from the
Beacon frame or the Probe Response frame are newer when using BSS table
entries, so make this information known, if available. This allows the
Beacon frame elements to be preferred over the Probe Response frame
elements when desired.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-24 12:08:28 +03:00
xinpeng wang
28c9f29a31 scan: Print SSID in scan results dump
Add printing of SSID into the "Sorted scan reslts" dump for easy reading
and debugging.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2022-04-23 23:50:23 +03:00
Alex Kiernan
5a04715793 Install wpa_passphrase when not disabled
As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
built, its not installed during `make install`.

Fixes: cb41c214b7 ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
2022-04-23 23:41:32 +03:00
Ben Greear
f1686d7761 hostapd: Allow enabling background radar
This feature does not work on all radios that advertise this feature
with the current driver implementation, and possibly some users don't
want to use it even if it works fine, so disable it by default for now,
but let users enable it as desired with enable_background_radar=1.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2022-04-23 23:38:58 +03:00
Jouni Malinen
08d7738bb2 wolfSSL: Speed up crypto_ec_point_compute_y_sqr()
Optimize the calculation by computing (x^2 + a) first to get rid of one
separate multiplication by x.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 16:12:49 +03:00