It looks like the OpenSSL callbacks for SSL_SESSION can end up calling
the remove callback for multiple SSL_SESSION entries that share the same
ex data. This could result in double freeing the session data on the
server side.
Track the SSL_SESSION ex data in a separate list and free the
allocations only if they are pointing to a valid allocated wpabuf
pointer.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When a station receives either a Beacon frame or a Probe Response frame
from an AP that contains an MBO element with the Association Disallowed
attribute, the station should prevent association to that AP. When using
passive scanning, it is possible for the scan results to contain the
latest information in the Beacon frame elements instead of the Probe
Response frame elements. That could result in using old information and
not noticing the AP having changed its state to disallowing new
associations.
Make it more likely to follow the AP's change to disallow associations
by checking the Beacon frame elements instead of Probe Response frame
elements if the scan results are known to contain newer information for
the Beacon frame.
Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
It can be helpful to know whether the information elements from the
Beacon frame or the Probe Response frame are newer when using BSS table
entries, so make this information known, if available. This allows the
Beacon frame elements to be preferred over the Probe Response frame
elements when desired.
Signed-off-by: Jouni Malinen <j@w1.fi>
As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
built, its not installed during `make install`.
Fixes: cb41c214b7 ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
This feature does not work on all radios that advertise this feature
with the current driver implementation, and possibly some users don't
want to use it even if it works fine, so disable it by default for now,
but let users enable it as desired with enable_background_radar=1.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The result (y2) was cleared and freed in error cases, but the pointer
itself was not cleared to NULL, so the error path would have returned a
pointer to freed memory. Fix this by properly clearing the return value
in error cases. In addition, simplify the function to avoid tracking
success case separately.
Signed-off-by: Jouni Malinen <j@w1.fi>
wc_HmacSetKey() seems to initialize everything that is needed for the
actual operation, but at least valgrind is reporting use of
uninitialized values when this was done on a data structure that was not
explicitly cleared.
Call wc_HmacInit() before wc_HmacSetKey() to avoid any unexpected
behavior from potentially uninitialized values.
Signed-off-by: Jouni Malinen <j@w1.fi>
SSL_CTX_set_dh_auto() is not available in BoringSSL even though it
claims to be based on OpenSSL 1.1.1 in OPENSSL_VERSION_NUMBER.
Fixes: ebb3055e13 ("OpenSSL: Generate DH parameters automatically if not set with dh_file")
Signed-off-by: Jouni Malinen <j@w1.fi>
Anything older than OpenSSL 1.0.2 should not be used anymore, so drop
the build compatibility options for those old versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Compilation was failing even with LibreSSL 2.7 versions, so there is no
point in maintaining these old compatibility options for older versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 3.0 has deprecated the low-level EC_KEY functionality, so use
the EVP API (EVP_EC_gen() and EV_PKEY_derive()) for the crypto_ecdh
wrappers.
Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL 1.1.1 deprecated the function names with the _GFp postfix, so
move to the new function name. Add backwards compatibility wrappers for
older versions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Sometimes there is a program error to send a large number of commands to
wpa_supplicant, and the source address can help quickly find the program
that sends commands.
Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
EINTR will cause the loop to restart, which means that the total
time could be significantly longer than 10 seconds.
Signed-off-by: Alan DeKok <aland@deployingradius.com>
This is needed to work with TLS 1.3 key derivation. It looks the needed
functionality was added in wolfSSL 4.7.0.
Signed-off-by: Jouni Malinen <j@w1.fi>
These were testing only of SAE, not SAE-PK capability, and needs to be
skipped in SAE-PK is not included in the build.
Signed-off-by: Jouni Malinen <j@w1.fi>
priv_sz and pub_sz needs to be initialized to the buffer size before the
wc_DhGenerateKeyPair() call. The previous version happened to work in
some cases where a separate handled prime length was used, but not for
the generic case.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like crypto_ecdh_set_peerkey() had started failing at some
point with a wolfSSL update due to ECC_TIMING_RESISTANT from
--enable-harden requiring RNG to be set.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add support for EAP server to cache TLS sessions (see hostapd
configuration parameter tls_session_lifetime).
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
eapol_test.c contains variants of couple of functions from the hostapd
implementation. Those had not been updated for a while and this commit
brings in the main changes to keep the implementations closer to
each other.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to allow wpa_supplicant to be built with EAP-pwd, but
without any other EAP method that pulled in MS_FUNCS.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to miss the HMAC functions if some other build
configuration parameters ended up setting NEED_SHA384/512=y.
Signed-off-by: Jouni Malinen <j@w1.fi>
The acs_exclude_dfs parameter is documented as a way to exclude DFS
channels when performing ACS without disabling DFS altogether. The
problem is this parameter is only enforced when ACS is offloaded to the
driver (WPA_DRIVER_FLAGS_ACS_OFFLOAD). So from now on, lets also check
acs_exclude_dfs in the internal ACS implementation to exclude channels
marked with radar detection.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.
Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.
Fixes: 097ca6bf0b ("OpenSSL: Unload providers on deinit")
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit activates the functionality of the previous commits by
handling the actual events that will trigger the CCA process.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Process the color collision and color change related events.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
To start the CCA process we need to send NL80211_CMD_COLOR_CHANGE to the
kernel. This commit adds the required code.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
While we are doing CCA the BSS Color Disabled field inside the HE
Operation Parameters field needs to be set.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
This information element is similar to the CSA one. It contains a
counter and the target color. Once the counter expired, the change to
the new color happens.
Just note the current implementation is based on CCA counter attributes
that only take Beacon and Probe Response framesinto account.
(Re)Association Response frames do not currently have kernel APIs to
decrement the CCA counter since mediatek mcu firmware does not support
it yet and it will be added in future firmware release.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Add the core code for handling BSS color collision events and triggering
CCA inside the kernel. The caller of hostapd_switch_color() will be
added in the following commits.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
We don't particularly care about the quality of random numbers
during the test. So far, there hasn't been an issue with the
RNG not being initialized completely, we only get a few prints
about uninitialized reads from urandom. However, if some tool
were to actually use /dev/random, it might get stuck. Call the
RNDADDTOENTCNT ioctl to unblock this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The previous versions are going to be expiring soon, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.
Signed-off-by: Jouni Malinen <j@w1.fi>
Comment out the call to SSL_use_RSAPrivateKey_ASN1() function when using
OpenSSL 3.0 since that function was deprecated and there does not seem
to be any significant use case for supporting DER encoded RSAPrivateKey
structure in the private key blob.
Signed-off-by: Jouni Malinen <j@w1.fi>