Commit graph

9244 commits

Author SHA1 Message Date
Chung-Hsien Hsu
c3b8452e0e nl80211: SAE authentication offload support
Set WPA_DRIVER_FLAGS2_SAE_OFFLOAD flag if the driver indicates SAE
authentication offload support for STA mode. Allow SAE password to be
provided to the driver in such cases when using the CONNECT command.

Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu@infineon.com>
Signed-off-by: Daisuke Mizobuchi <mizo@atmark-techno.com>
2023-11-05 20:35:07 +02:00
Ze Gan
750403f3ad mka: Fix re-establishment by resetting MI
The key server may be removed due to the ingress packets delay. In this
situation, the endpoint of the key server may not be aware of this
participant who has removed the key server from the peer list. Because
the egress traffic is normal, the key server will not remove this
participant from the peer list of the key server. So in the next MKA
message, the key server will not dispatch a new SAK to this participant.
And this participant cannot be aware of that that is a new round of
communication so that it will not update its MI at re-adding the key
server to its peer list. So we need to update MI to avoid the failure of
re-establishment MKA session.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2023-11-05 19:25:27 +02:00
Ze Gan
61f0e19b86 mka: Fix unexpected cleanup on missing MKA_LIFE_TIME while installing SC/SA
The key server may not include dist sak and use sak in one packet.
Meanwhile, after dist sak, the current participant (non-key server) will
install SC or SA(s) after decoding the dist sak which may take few
seconds in real physical platforms. Meanwhile, the peer expire time is
always initialized at adding the key server to peer list. The gap
between adding the key server to peer list and processing next use sak
packet may exceed the threshold of MKA_LIFE_TIME (6 s). It will cause an
unexpected cleanup (delete SC and SA(s)), so update the expire timeout
at dist sak also.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2023-11-05 19:13:07 +02:00
David Ruth
c84388ee4c Compile-time config for dynamically loading libraries in wpa_supplicant
Prevent loading arbitrary executable code based on config at runtime,
while allowing libraries to be specified at compile time when they are
known in advance.

Add the ability to configure libraries to load at compile time.
	* CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
	* CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
	* CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.

Add flags with the ability to set each of the libraries to NULL and
prevent loading them at runtime.
	* CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine
	  library.
	* CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module
	  library.
	* CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opensc_engine
	  library.
	* CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading EAP libraries at
	  runtime.

Signed-off-by: David Ruth <druth@chromium.org>
2023-11-05 10:23:29 +02:00
Juliusz Sosinowicz
890953a32c wolfSSL: Old FIPS APIs have void return
Fix the calls to wc_AesEncryptDirect(). Old versions of wolfCrypt FIPS
had wc_AesEncryptDirect() return void instead of int. Fix this build
issue.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
ec7f064fa7 wolfSSL: Implement DPP backend functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
b37238d3ac wolfSSL: Set up generator manually in FIPS build
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
8dabc1fede wolfSSL: Get EC generator for DPP
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
732ed5abe1 wolfSSL: Add crypto_ecdh_init2()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
15a7c9b9e3 wolfSSL: Refactor crypto ECC section
Use heap allocated objects and improve error checking.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
41b5c9d8dc wolfSSL: Use wc_ecc_get_curve_size_from_id()
Avoid use of direct member access.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
378bef3697 wolfSSL: Use wc_ecc_forcezero_point() in non-FIPS builds
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
de38571b86 wolfSSL: More complete crypto_ec_key_group()
Add more curves and check if brainpool support is built.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
d48f6b9138 wolfSSL: EC group-to-id conversion into a helper function
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a16916b749 wolfSSL: Improve logging
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
7ebb5469b3 wolfSSL: Improve error checking and logging in AES functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
10fd91d8fb wolfSSL: Better error message in pbkdf2_sha1() for FIPS password failure
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
aa4c4d079b wolfSSL: Always clean up resources and log errors in wolfssl_hmac_vector()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
644d87c34a wolfSSL: Improve error checking in vector hashing functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
5e20b924da wolfSSL: Add crypto logging macros
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a0e8d9ae71 wolfSSL: Add FIPS warning
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
48a65d47cd wolfSSL: Put wolfSSL headers in alphabetical order
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a2eeb7f6dd wolfSSL: Add more precise logging in wolfssl_handshake()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
83f144bf6a wolfSSL: Debug print ciphersuites
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Jouni Malinen
568a5a8159 EHT: Include crypto.h to avoid implicit function definition
crypto_ec_*() were not defined in some build configuration cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 15:05:15 +02:00
Ilan Peer
a8517c132c Add support for AKM suite 00-0F-AC:23
Add support for Authentication negotiated over IEEE Std 802.1X
with key derivation function using SHA-384.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-03 17:08:36 +02:00
Daniel Gabay
005b0ce367 defs: Enclose all structs between the pragmas
Many of the STRUCT_PACKED structs are not within the pragmas resulting
in wrong packing using MSVC. Fix it by moving pragma to EOF to ensure
proper packing.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
2023-11-03 16:29:55 +02:00
Vignesh C
41a60f6586 hostapd: Add support to send CW change notification
Add hostapd_cli command to notify channel width change to all
associated STAs.

Notify Channel Width frame for HT STAs.
(IEEE P802.11-REVme/D4.0, 9.6.11.2)

Operating Mode Notification frame for VHT STAs.
(IEEE P802.11-REVme/D4.0, 9.6.22.4)

Usage: hostapd_cli notify_cw_change <channel_width>
<channel_width> = 0 - 20 MHz, 1 - 40 MHz, 2 - 80 MHz, 3 - 160 MHz.

Co-developed-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
Signed-off-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
Signed-off-by: Vignesh C <quic_vignc@quicinc.com>
2023-11-03 16:19:11 +02:00
Jurijs Soloveckis
a5d0bb42a2 Reduce delay between Association Request and Association Response
There is a delay between sending Association Response frame after having
received Association Request frame, due to the fact that between
receiving the request and sending the response the Beacon frame contents
is updated, after analyzing inputs from the STA. There may be several
updates if multiple fields need to change. This can cause issues with
some devices in noisy environments with many BSSs and connected STAs.

Optimize this by updating the beacon only once, even if there are
multiple reasons for updates.

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-11-03 12:58:35 +02:00
Allen.Ye
3f2c41e318 Check max number of TBTT info when adding Neighbor AP Information field
If the number of TBTT info is greater than RNR_TBTT_INFO_COUNT_MAX, the
new Neighbor AP Information field would need to be added in the RNR
element. However, the condition of adding Neighbor AP Information field
does not consider number of TBTT info. That would cause invalid Neighbor
AP Information field (the while loop will fill data by eid pointer) when
setting RNR element.

Signed-off-by: Allen.Ye <allen.ye@mediatek.com>
2023-11-02 16:27:56 +02:00
Michael-CY Lee
fc0b0cdcb9 hostapd: Avoid unnecessary Beacon frame update for co-location
When it comes to set some BSS's beacon, there are two reasons to
update the beacon of co-located hostapd_iface(s) at the same time:
1. 6 GHz out-of-band discovery
2. MLD operational parameters update

BSS load update is unrelated with the above two reasons, and therefore
is not the case to update beacon for co-location. Moreover, updating
beacon for co-location when BSS load update makes hostapd set beacon too
frequently, which makes hostapd busy setting beacon in a multi-BSS case.

Add a new function to update beacon only for current BSS and use the
function during BSS load update.

Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: Money Wang <money.wang@mediatek.com>
2023-11-02 16:18:36 +02:00
Jurijs Soloveckis
8056b79ff1 Add DSSS Parameter Set element only for 2.4 GHz
From IEEE 802.11:
The DSSS Parameter Set element is present within Beacon frames
generated by STAs using Clause 15, Clause 16, and Clause 18
PHYs.
The element is present within Beacon frames generated by STAs
using a Clause 19 PHY in the 2.4 GHz band.

Same is applied to the Probe Response frame.

Do not include the DSSS Parameters Set element when operating on other
bands.

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-11-02 16:16:53 +02:00
Daniel Gabay
056e688290 common: Fix ieee802_11_rsnx_capab()
The function should return bool (0/1) and not int. In some environments
bool may be defined as unsigned char, so bits higher then 7 will be
discarded during the downcast. Fix it.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-02 16:09:08 +02:00
Jouni Malinen
ab3e679ae5 MBSSID: Check xrates_supported for all BSSs explicitly
This is needed to avoid generating an nontransmitted BSS profile that
would claim the Extended Rates element to be non-inherited.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-31 15:52:42 +02:00
Jouni Malinen
4bfc007b61 MBSSID: Fix Non-Inheritance element encoding
The List of Element ID Extensions field is not an optional field, so
include it in the Non-Inheritance element with Length=0 to indicate that
there is no Element ID Extension List.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-31 15:51:30 +02:00
Matthew Wang
41baf0159a nl80211: Fix uses_6ghz flag
Presence of any 6ghz channels indicates nl80211 driver 6 GHz support,
not non-DISABLED channels. This increases the timeout for scan
completion for cases where 6 GHz might get scanned even if all the
channel there are currently DISABLED.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2023-10-31 12:01:26 +02:00
Jouni Malinen
aac288914e OKC with Suite B AKMPs in hostapd
To support Opportunistic Key Caching for Suite B key management, KCK
needs to be stored on PMKSA to derive the new PMKID correctly when
processing reassociation from a STA to a new AP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-30 19:52:06 +02:00
Vinoth V
0c9df339f5 OKC with Suite B AKMPs in wpa_supplicant
To support Opportunistic Key Caching for Suite B key management, KCK
needs to be stored on PMKSA to derive the new PMKID correctly for the
new roaming AP.

Signed-off-by: Vinoth V <vinoth117@gmail.com>
2023-10-30 19:50:27 +02:00
Hu Wang
bffd2b3994 nl80211: Skip interface down/up when setting MAC address
A driver may not support setting MAC address when interface is UP, so
wpa_supplicant used to always sets the interface down for MAC address
change.

Try to change the address first without setting the interface down and
then fall back to DOWN/set addr/UP if the first attempt failed. This can
reduce the interface setup time for time-critical use cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-10-30 19:20:23 +02:00
Andrei Otcheretianski
e5ea30feef SME: MLD: Handle reconfiguration Multi-Link element
Parse the reconfiguration Multi-Link element and:

- Don't select a BSS for connection if it is part of an MLD
  and is going to be removed.
- Don't scan for missing links that are to be removed.
- Don't include removed links in association.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-10-29 16:43:34 +02:00
Andrei Otcheretianski
de5e01010c wpa_supplicant: Support ML probe request
Add support for building and sending ML probe requests. During connect,
try to send an ML probe request if we are going to connect to an MLD AP
and the BSS information for some of the links is missing.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-10-29 15:48:53 +02:00
Ilan Peer
a12f39ad4c nl80211: Add support for minimal probe request content
Extend 'struct wpa_driver_scan_params' to allow higher layer to indicate
if minimal probe request content should be included by the driver as part
of the scan logic.

Implement this with driver_nl80211, by setting
NL80211_SCAN_FLAG_MIN_PREQ_CONTENT.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-10-29 11:01:03 +02:00
Antonio Prcela
c84709c59d hostapd: Output BSS Color (he_bss_color) when using STATUS
Make the current HE BSS color available in STATUS command output since
this can change dynamically based on color collisions.

Signed-off-by: Antonio Prcela <antonio.prcela@gmail.com>
Signed-off-by: Antonio Prcela <antonio.prcela@sartura.hr>
2023-10-29 10:58:33 +02:00
Eran Gonen
f7f8ea0aaa nl80211: Change QoS Map configuration to be per bss, not radio
Previously the NL80211_CMD_SET_QOS_MAP command was sent to the radio
interface. Send this command using nl80211_cmd_msg() and the bss,
instead of drv.

Signed-off-by: Arnon Meydav <ameydav@maxlinear.com>
2023-10-28 19:54:41 +03:00
Jouni Malinen
fc7e744969 Sync with wireless-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2023-10-23.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-10-28 18:41:37 +03:00
R. Christian McDonald
5b21f4861c l2_packet_freebsd: Enable receiving priority tagged (VID=0) frames
Certain internet service providers transmit VLAN 0 priority tagged
EAPOL frames from the ONT towards the residential gateway. VID 0
should be ignored, and the frame processed according to the priority
set in the 802.1P bits and the encapsulated EtherType (i.e., EAPOL).

The pcap filter utilized by l2_packet_* is inadquate for this use case.

Here we modify the pcap filter on FreeBSD to accept both unencapsulated
and encapsulated (with VLAN 0) EAPOL EtherTypes. This preserves the
original filter behavior while also matching on encapsulated EAPOL.

Additional work is required to support this handling on other platforms.

We also modify the rx_receive handler to offset the packet buffer
and length when handling dot1q encapsulated frames so the existing
packet parsing code works as-is.

Signed-off-by: R. Christian McDonald <rcm@rcm.sh>
Sponsored by: Rubicon Communications, LLC ("Netgate")
2023-10-28 17:50:09 +03:00
Michael-CY Lee
18330d1f6b hostapd: Update op_class after AP channel switching
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
2023-10-28 13:19:21 +03:00
Michael-CY Lee
7a73399321 ACS: Fix typo in bw_40 frequency array
The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.

Fixes: ed8e13decc (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
2023-10-28 13:12:38 +03:00
Stefan Schake
cc5a008004 Ensure WDS is available on combined backhaul and fronthaul APs
It is valid to configure an AP to be both backhaul and
fronthaul (multi_ap=3), so we should not test for a missing
fronthaul flag but instead test directly for backhaul capability.

Signed-off-by: Stefan Schake <stefan.schake@devolo.de>
2023-10-28 11:50:33 +03:00
Jouni Malinen
8477fa7eb8 Check the need for SA Query earlier in association processing
The way these checks were done for WPS enabled APs were unnecessarily
complex and missed one of the cases. Simplify this by doing the check
only once and do that earlier in the process to minimize changes to STA
state.

Fixes: a7f55f7f68 ("WPS: Enable SA Query checks for WPS AP")
Signed-off-by: Jouni Malinen <j@w1.fi>
2023-10-28 11:31:42 +03:00