Commit graph

18359 commits

Author SHA1 Message Date
Jouni Malinen
1e34bc49cd OpenSSL: Track SSL_SESSION ex data separately
It looks like the OpenSSL callbacks for SSL_SESSION can end up calling
the remove callback for multiple SSL_SESSION entries that share the same
ex data. This could result in double freeing the session data on the
server side.

Track the SSL_SESSION ex data in a separate list and free the
allocations only if they are pointing to a valid allocated wpabuf
pointer.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-27 20:43:41 +03:00
Jouni Malinen
b5b5a3951a tests: MBO and dynamic association disallowed change with passive scanning
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-24 12:12:21 +03:00
Kuan-Chung Chen
734fa392f7 MBO: Check association disallowed in Beacon frames, if newer
When a station receives either a Beacon frame or a Probe Response frame
from an AP that contains an MBO element with the Association Disallowed
attribute, the station should prevent association to that AP. When using
passive scanning, it is possible for the scan results to contain the
latest information in the Beacon frame elements instead of the Probe
Response frame elements. That could result in using old information and
not noticing the AP having changed its state to disallowing new
associations.

Make it more likely to follow the AP's change to disallow associations
by checking the Beacon frame elements instead of Probe Response frame
elements if the scan results are known to contain newer information for
the Beacon frame.

Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
2022-04-24 12:12:21 +03:00
Jouni Malinen
284e3ad196 Determine whether Beacon frame information is newer in scan results
It can be helpful to know whether the information elements from the
Beacon frame or the Probe Response frame are newer when using BSS table
entries, so make this information known, if available. This allows the
Beacon frame elements to be preferred over the Probe Response frame
elements when desired.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-24 12:08:28 +03:00
xinpeng wang
28c9f29a31 scan: Print SSID in scan results dump
Add printing of SSID into the "Sorted scan reslts" dump for easy reading
and debugging.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2022-04-23 23:50:23 +03:00
Alex Kiernan
5a04715793 Install wpa_passphrase when not disabled
As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
built, its not installed during `make install`.

Fixes: cb41c214b7 ("build: Re-enable options for libwpa_client.so and wpa_passphrase")
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
2022-04-23 23:41:32 +03:00
Ben Greear
f1686d7761 hostapd: Allow enabling background radar
This feature does not work on all radios that advertise this feature
with the current driver implementation, and possibly some users don't
want to use it even if it works fine, so disable it by default for now,
but let users enable it as desired with enable_background_radar=1.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2022-04-23 23:38:58 +03:00
Jouni Malinen
08d7738bb2 wolfSSL: Speed up crypto_ec_point_compute_y_sqr()
Optimize the calculation by computing (x^2 + a) first to get rid of one
separate multiplication by x.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 16:12:49 +03:00
Jouni Malinen
f50d5c9a83 wolfSSL: Fix crypto_ec_point_compute_y_sqr() error case processing
The result (y2) was cleared and freed in error cases, but the pointer
itself was not cleared to NULL, so the error path would have returned a
pointer to freed memory. Fix this by properly clearing the return value
in error cases. In addition, simplify the function to avoid tracking
success case separately.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 16:04:49 +03:00
赵军涛
7302aa7614 wolfSSL: Fix the memory leak of crypto_ec_point_compute_y_sqr()
Local variable "t" needs to be cleared whether "calced" is 0 or 1.

Signed-off-by: 赵军涛 <d2014zjt@163.com>
2022-04-23 15:55:06 +03:00
Jouni Malinen
e7dd0fff1d wolfSSL: Use wc_HmacInit() to avoid potential use of uninitialized values
wc_HmacSetKey() seems to initialize everything that is needed for the
actual operation, but at least valgrind is reporting use of
uninitialized values when this was done on a data structure that was not
explicitly cleared.

Call wc_HmacInit() before wc_HmacSetKey() to avoid any unexpected
behavior from potentially uninitialized values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 15:45:31 +03:00
Jouni Malinen
f7be558d69 OpenSSL: Fix build with BoringSSL
SSL_CTX_set_dh_auto() is not available in BoringSSL even though it
claims to be based on OpenSSL 1.1.1 in OPENSSL_VERSION_NUMBER.

Fixes: ebb3055e13 ("OpenSSL: Generate DH parameters automatically if not set with dh_file")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 13:05:49 +03:00
Jouni Malinen
6d33ef362e OpenSSL: Remove compatibility options for older versions than 1.0.2
Anything older than OpenSSL 1.0.2 should not be used anymore, so drop
the build compatibility options for those old versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 13:02:37 +03:00
Jouni Malinen
78c2a4cd07 OpenSSL: Drop compatibility options for LibreSSL older than 2.7
Compilation was failing even with LibreSSL 2.7 versions, so there is no
point in maintaining these old compatibility options for older versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 12:52:27 +03:00
Jouni Malinen
b062507670 OpenSSL: Implement crypto_ecdh routines without EC_KEY for OpenSSL 3.0
OpenSSL 3.0 has deprecated the low-level EC_KEY functionality, so use
the EVP API (EVP_EC_gen() and EV_PKEY_derive()) for the crypto_ecdh
wrappers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 12:46:17 +03:00
Jouni Malinen
fc96f6802e OpenSSL: Use new name for the EC_POINT set/get coordinate functions
OpenSSL 1.1.1 deprecated the function names with the _GFp postfix, so
move to the new function name. Add backwards compatibility wrappers for
older versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-23 11:09:28 +03:00
xinpeng wang
0aae045af0 ctrl: Print the source address of the received commands
Sometimes there is a program error to send a large number of commands to
wpa_supplicant, and the source address can help quickly find the program
that sends commands.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2022-04-18 17:57:21 +03:00
Alan T. DeKok
f942149684 wpa_ctrl: Wait for a total of 10 seconds, not 10 seconds per iteration
EINTR will cause the loop to restart, which means that the total
time could be significantly longer than 10 seconds.

Signed-off-by: Alan DeKok <aland@deployingradius.com>
2022-04-18 17:18:40 +03:00
Jouni Malinen
0d9be88551 wolfSSL: Fix certificate commonName checking
wolfSSL_X509_NAME_get_index_by_NID() uses NID_* to identify the entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-18 16:45:42 +03:00
Jouni Malinen
94e0f39d97 wolfSSL: Use wolfSSL_export_keying_material() when available
This is needed to work with TLS 1.3 key derivation. It looks the needed
functionality was added in wolfSSL 4.7.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-18 16:27:47 +03:00
Jouni Malinen
387b341ead tests: Fix SAE-PK capability checks for sigma_dut test cases
These were testing only of SAE, not SAE-PK capability, and needs to be
skipped in SAE-PK is not included in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-18 11:20:33 +03:00
Jouni Malinen
cc821f1c32 tests: Check DPP in build for couple of missing cases
These test cases need to be skipped in DPP is not included in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-18 11:11:29 +03:00
Jouni Malinen
c31fc7a64c wolfSSL: Fix crypto_dh_init() and dh5_init()
priv_sz and pub_sz needs to be initialized to the buffer size before the
wc_DhGenerateKeyPair() call. The previous version happened to work in
some cases where a separate handled prime length was used, but not for
the generic case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-18 11:03:55 +03:00
Jouni Malinen
d7b8c6eef2 wolfSSL: Fix crypto_ecdh_* with ECC_TIMING_RESISTANT
It looks like crypto_ecdh_set_peerkey() had started failing at some
point with a wolfSSL update due to ECC_TIMING_RESISTANT from
--enable-harden requiring RNG to be set.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-18 00:54:37 +03:00
Jouni Malinen
ae1fb64550 EAP-EKE server: Fix a memory leak on an error path
The allocated Response/Commit message was not freed if DH initialization
failed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 23:37:50 +03:00
Juliusz Sosinowicz
af052e6e11 tests: Include additional tests for wolfSSL builds
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:55 +03:00
Juliusz Sosinowicz
1cda3e76fc tests: Include EAP-pwd for wolfSSL builds
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:55 +03:00
Juliusz Sosinowicz
166acab4e6 wolfSSL: TLS session caching
Add support for EAP server to cache TLS sessions (see hostapd
configuration parameter tls_session_lifetime).

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:55 +03:00
Juliusz Sosinowicz
12dee16d71 wolfSSL: Add a debug logging callback
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:55 +03:00
Juliusz Sosinowicz
a5d190650b wolfSSL: Implement tls_get_tls_unique()
This is needed for EAP-TEAP. This needs wolfSSL 5.0.0 or newer.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:50 +03:00
Juliusz Sosinowicz
a419fef367 wolfSSL: Implement tls_connection_get_cipher_suite()
This is needed for EAP-TEAP.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:41 +03:00
Juliusz Sosinowicz
364876b7da wolfSSL: Implement tls_connection_get_peer_subject()
This is needed for EAP-TEAP server implementation.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:36 +03:00
Juliusz Sosinowicz
d9c7164001 wolfSSL: Implement tls_connection_get_own_cert_used()
This is needed for EAP-TEAP client implementation. This needs wolfSSL
5.0.0 or newer.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 22:02:28 +03:00
Juliusz Sosinowicz
d677b9dc65 wolfSSL: Conditional build for aes_wrap/aes_unwrap()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2022-04-17 21:47:43 +03:00
Jouni Malinen
b0f016b873 eapol_test: Update with src/ap/ieee802_1x.c changes
eapol_test.c contains variants of couple of functions from the hostapd
implementation. Those had not been updated for a while and this commit
brings in the main changes to keep the implementations closer to
each other.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 19:51:09 +03:00
Jouni Malinen
747c5f2281 Include MS_FUNCS=y for EAP-pwd peer build
This is needed to allow wpa_supplicant to be built with EAP-pwd, but
without any other EAP method that pulled in MS_FUNCS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 19:50:23 +03:00
Jouni Malinen
c7f71fb867 Include HMAC-SHA384/512 KDF for SAE if SHA384/512 is included
It was possible to miss the HMAC functions if some other build
configuration parameters ended up setting NEED_SHA384/512=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-17 19:50:23 +03:00
Nicolas Escande
3a759dcc8c ACS: Honor acs_exclude_dfs with hostapd's ACS implementation
The acs_exclude_dfs parameter is documented as a way to exclude DFS
channels when performing ACS without disabling DFS altogether. The
problem is this parameter is only enforced when ACS is offloaded to the
driver (WPA_DRIVER_FLAGS_ACS_OFFLOAD). So from now on, lets also check
acs_exclude_dfs in the internal ACS implementation to exclude channels
marked with radar detection.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2022-04-17 19:50:23 +03:00
Alan T. DeKok
3240cedd6a eapol_test: Print out names for additional known EAP types
And order the names by number.

Signed-off-by: Alan DeKok <aland@freeradius.org>
2022-04-17 11:50:25 +03:00
Jouni Malinen
f5c711c855 OpenSSL: Unload providers only at process exit
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.

Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.

Fixes: 097ca6bf0b ("OpenSSL: Unload providers on deinit")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-16 18:51:32 +03:00
John Crispin
33c4dd26cd BSS coloring: Handle the collision and CCA events coming from the kernel
This commit activates the functionality of the previous commits by
handling the actual events that will trigger the CCA process.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:30:30 +03:00
John Crispin
27b4cc712f nl80211: Handle driver events for BSS coloring
Process the color collision and color change related events.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:30:30 +03:00
John Crispin
399d6e64d9 nl80211: Add the switch_color() handler for BSS color changes
To start the CCA process we need to send NL80211_CMD_COLOR_CHANGE to the
kernel. This commit adds the required code.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:30:09 +03:00
John Crispin
86bd90eb37 BSS coloring: Disable BSS color during CCA
While we are doing CCA the BSS Color Disabled field inside the HE
Operation Parameters field needs to be set.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:13:51 +03:00
John Crispin
f7d0b740e7 BSS coloring: BSS Color Change Announcement element generation
This information element is similar to the CSA one. It contains a
counter and the target color. Once the counter expired, the change to
the new color happens.

Just note the current implementation is based on CCA counter attributes
that only take Beacon and Probe Response framesinto account.
(Re)Association Response frames do not currently have kernel APIs to
decrement the CCA counter since mediatek mcu firmware does not support
it yet and it will be added in future firmware release.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:13:08 +03:00
John Crispin
654d2395dd BSS coloring: Handling of collision events and triggering CCA
Add the core code for handling BSS color collision events and triggering
CCA inside the kernel. The caller of hostapd_switch_color() will be
added in the following commits.

Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
2022-04-16 17:06:06 +03:00
Johannes Berg
2f336ca580 tests: Pretend the RNG is initialized withinthe VM
We don't particularly care about the quality of random numbers
during the test. So far, there hasn't been an issue with the
RNG not being initialized completely, we only get a few prints
about uninitialized reads from urandom. However, if some tool
were to actually use /dev/random, it might get stuck. Call the
RNDADDTOENTCNT ioctl to unblock this.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2022-04-16 16:51:54 +03:00
Yegor Yefremov
52e2516f1d wpa_supplicant: Add the CONFIG_HE_OVERRIDES option to the defconfig
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2022-04-16 16:48:35 +03:00
Jouni Malinen
698c05da2b tests: Update server and user certificates (2022)
The previous versions are going to be expiring soon, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-16 13:22:16 +03:00
Jouni Malinen
6a2a60f1db OpenSSL: Do not use the deprecated RSAPrivateKey function
Comment out the call to SSL_use_RSAPrivateKey_ASN1() function when using
OpenSSL 3.0 since that function was deprecated and there does not seem
to be any significant use case for supporting DER encoded RSAPrivateKey
structure in the private key blob.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-04-16 12:45:32 +03:00