Commit graph

17441 commits

Author SHA1 Message Date
Cedric Izoard
fa193c1a73 tests: Fix DPP test cases for BoringSSL
When checking DPP capabilities the Brainpool flag was not always set
when needed, leading to run a test with the Brainpool curves not
supported by BoringSSL.

Use a short form for the DER length of EC privateKey with NIST P-521
curve. Indeed BoringSSL returns an error when parsing DER sequence 30 81
50 ... because the length 81 50 could have been encoded as 50 and
according comment in BoringSSL:
ITU-T X.690 section 10.1 (DER length forms) requires encoding the
length with the minimum number of octets.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-11-03 15:48:45 +02:00
Cedric Izoard
2086ae46b3 DPP: Replace dpp_bootstrap_key_der() with crypto_ec_key_get_subject_public_key()
As BoringSSL version of i2d_PUBKEY() doesn't respect the
POINT_CONVERSION_COMPRESSED flag redefine a specific
crypto_ec_key_get_subject_public_key() version for BoringSSL based on
dpp_bootstrap_key_der().

The only other user of crypto_ec_key_get_subject_public_key() is SAE-PK
for which the public key should also be formatted using compressed
format.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-11-03 15:45:00 +02:00
Cedric Izoard
e9f8f81a82 DPP: Use ECDH from crypto.h
Use crypto.h API to implement ECDH in DPP. This needs a new
initialization function in crypto.h to initialize an ECDH with a given
EC key.

Using crypto_ecdh_set_peerkey() to generate the ECDH secret in an
intermediate and dynamically allocated buffer removed the need for the
DPP-specific workaround for inconsistent length returned by
EVP_PKEY_derive() since that crypto_ecdh_set_peerkey() implementation
already had functionality for covering the changing secret_len value
from commit d001fe31ab ("OpenSSL: Handle EVP_PKEY_derive() secret_len
changes for ECDH").

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-11-03 13:52:52 +02:00
Cedric Izoard
4aed5668b4 OpenSSL: Clear the correct flag in crypto_ec_key_get_ecprivate_key()
In case the public key was not included in the EC private key ASN.1
sequence, the flag that was cleared was not the right one. Fix this by
using EC_KEY_set_enc_flags() for both setting and clearing the
EC_PKEY_NO_PUBKEY flag instead of trying to clear that with the
unrelated EC_KEY_clear_flags() function.

Fixes: 2d5772e691 ("DPP: Factorize conversion to ASN.1 ECPrivateKey")
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-11-03 13:35:36 +02:00
Masashi Honma
bf161b6609 Ignore CONFIG_WIFI_DISPLAY without CONFIG_P2P
Wi-Fi Display functionality needs P2P to be enabled. Ignore
CONFIG_WIFI_DISPLAY if CONFIG_P2P is not enabled for the build. This
avoids following compilation issue with invalid build configuration:

../src/ap/ap_drv_ops.c: In function 'hostapd_build_ap_extra_ies':
../src/ap/ap_drv_ops.c:163:10: error: 'struct hostapd_data' has no member named 'p2p_group'
  163 |  if (hapd->p2p_group) {
      |          ^~
../src/ap/ap_drv_ops.c:165:35: error: 'struct hostapd_data' has no member named 'p2p_group'
  165 |   a = p2p_group_assoc_resp_ie(hapd->p2p_group, P2P_SC_SUCCESS);
      |                                   ^~

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-03 13:19:30 +02:00
Masashi Honma
b306a92dfc Fix compiler error on CONFIG_AP without CONFIG_P2P builds
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/ap.o: in function `wpas_conf_ap_he_6ghz':
/home/honma/git/hostap/wpa_supplicant/ap.c:245: undefined reference to `wpas_p2p_get_sec_channel_offset_40mhz'

Fixes: e5173e8b12 ("P2P: Enable multiple channel widths for P2P in 6 GHz band")
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-03 13:19:30 +02:00
Masashi Honma
726eda65fb wolfSSL: Fix a link error when WPS NFC is disabled
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/src/wps/wps.o: in function `wps_deinit':
/home/honma/git/hostap/wpa_supplicant/../src/wps/wps.c:184: undefined reference to `dh5_free'
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/src/wps/wps_common.o: in function `wps_derive_keys':
/home/honma/git/hostap/wpa_supplicant/../src/wps/wps_common.c:83: undefined reference to `dh5_derive_shared'
/usr/bin/ld: /home/honma/git/hostap/wpa_supplicant/../src/wps/wps_common.c:84: undefined reference to `dh5_free'
/usr/bin/ld: /home/honma/git/hostap/build/wpa_supplicant/src/wps/wps_attr_build.o: in function `wps_build_public_key':
/home/honma/git/hostap/wpa_supplicant/../src/wps/wps_attr_build.c:68: undefined reference to `dh5_free'
/usr/bin/ld: /home/honma/git/hostap/wpa_supplicant/../src/wps/wps_attr_build.c:69: undefined reference to `dh5_init'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1892: wpa_supplicant] Error 1

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2021-11-03 13:04:16 +02:00
Cedric Izoard
b8402ab085 DPP: Use crypto_ec_key_get_subject_public_key() when possible
Keep the locally defined ASN.1 sequence DPP_BOOTSTRAPPING_KEY for now to
avoid losing a workaround for BoringSSL from commit 746c1792ac ("DPP:
Build bootstrapping key DER encoding using custom routine").

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-28 00:45:07 +03:00
Cedric Izoard
d51939f2c4 DPP: Move CSR routines to use crypto.h
Add basic CSR API in crypto.h.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-28 00:39:56 +03:00
Cedric Izoard
d56352b551 DPP: Move dpp_pkcs7_certs() into crypto_pkcs7_get_certificates()
Move implementation of dpp_pkcs7_certs() into OpenSSL specific files.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-28 00:05:42 +03:00
Cedric Izoard
b89176fa6f DPP: Move debug print of EC key to crypto.h
Move the crypto lib specific print of an EC key in dpp_debug_print_key()
to crypto.h.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-27 23:50:23 +03:00
Cedric Izoard
87f2fb8863 DPP: Remove direct call to OpenSSL in dpp_test_gen_invalid_key()
Instead of generating EC point with random coordinates, generate a
valid EC point and then corrupt the coordinates after exporting them
in binary format.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-27 23:41:32 +03:00
Cedric Izoard
c88b7fcaef DPP: Add crypto_ec_key_cmp() in crypto.h and use it
This gets rid of one more direct OpenSSL call in the DPP implementation.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-27 23:33:54 +03:00
Cedric Izoard
984faf9634 DPP: Use crypto_ec_key_group() to compare EC key's group
Remove one more direct call to OpenSSL using crypto_ec_key_group() to
compare group of c-sign-key and ppKey when creating Configurator from
backup data.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-27 23:29:00 +03:00
Cedric Izoard
f5334f9b5b DPP: Use crypto API for reconfig part
Rewrite functions related to reconfig feature using EC point/bignum
primitives defined in crypto.h API.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-27 23:24:20 +03:00
Cedric Izoard
eac41656ee DPP: Update connector signing to use crypto.h
Add two new functions in crypto.h that "wrap" around already defined
signing function with (r,s) interface instead of DER Ecdsa-Sig-Value.

Using those functions implies to compute the hash to sign manually
before.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-27 00:08:36 +03:00
Cedric Izoard
da63d30997 DPP: Remove unused EVP_PKEY_CTX variable
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 23:42:01 +03:00
Cedric Izoard
4767de3a42 DPP: Use crypto.h for authentication computation
Rewrite dpp_auth_derive_l_responder/initiator() using EC point/bignum
primitives defined in crypto.h API.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 23:41:48 +03:00
Cedric Izoard
0d1d74107b DPP: Update PKEX part to use crypto.h API
Rewrite EC point/bignum computation done in PKEX protocol using EC
point/bignum primitives already defined in crypto.h and couple of small
new helper functions.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 23:20:57 +03:00
Cedric Izoard
50708770f0 DPP: Use crypto_ec_key_parse_priv() when possible
Function crypto_ec_key_parse_priv() already parses ASN.1 ECPrivateKey so
use it when possible.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 22:49:44 +03:00
Cedric Izoard
e294a73d0c DPP: Use crypto_ec_key_parse_pub() in dpp_get_subject_public_key()
The extra validation steps through the OpenSSL X509 API are not really
necessary here and they most duplicate checks that happen implicitly
within d2i_PUBKEY() and the EVP_PKEY_get0_EC_KEY() checks in
crypto_ec_key_parse_pub().

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 20:44:17 +03:00
Cedric Izoard
9c1632908d DPP: Move dpp_set_pubkey_point_group() to crypto.h
Move code of dpp_set_pubkey_point_group() into crypto.h API. This
function initializes an EC public key using coordinates of the EC point
in binary format.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 19:50:54 +03:00
Cedric Izoard
e84b143e1a OpenSSL: Add Brainpool curves to crypto_ec_key_group()
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 18:07:16 +03:00
Cedric Izoard
c6f2103cac DPP: Replace dpp_get_pubkey_point() with crypto_ec_key_get_pubkey_point()
Move code of dpp_get_pubkey_point() to a crypto library specific
function crypto_ec_key_get_pubkey_point().

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 18:06:32 +03:00
Cedric Izoard
2d5772e691 DPP: Factorize conversion to ASN.1 ECPrivateKey
Add crypto_ec_key_get_ecprivate_key() function in crypto.h and use it
when possible in DPP code.

This function converts a struct crypto_ec_key into a DER encoded ASN.1
ECPrivateKey.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 17:08:39 +03:00
Cedric Izoard
63bf3d25ab OpenSSL: Mark crypto_ec_key_gen() key compressed
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 16:51:49 +03:00
Cedric Izoard
86cde01cbd DPP: Move dpp_gen_keypair() to crypto
Move code in dpp_gen_keypair() to function crypto_ec_key_gen() in
crypto.h.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 16:50:42 +03:00
Cedric Izoard
0517948d77 DPP: Replace EVP_PKEY by struct crypto_ec_key
To remove direct dependency to OpenSSL in DPP replace EVP_PKEY
by struct crypto_ec_key in all structures and function prototypes.

All direct calls to EVP_PKEY_free() are replaced by calls to
crypto_ec_key_deinit().

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 15:57:31 +03:00
Cedric Izoard
cd0c1d2561 OpenSSL: Use EVP_PKEY as struct crypto_ec_key
Remove definition of struct crypto_ec_key and directly cast struct
crypto_ec_key * to EVP_PKEY * (and vice versa).

Indeed EVP_PKEY already has a pointer to EC_KEY and removing this
intermediate structure allows smoother transition in removing direct
OpenSSL dependency in DPP.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 15:34:52 +03:00
Cedric Izoard
15275c53d8 Complete documentation in crypto.h
Add missing documentation for crypto_ecdh and crypt_ec_key functions.

Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
2021-10-26 13:17:31 +03:00
Hu Wang
cb285e80c4 SAE: Fix sm->cur_pmksa assignment
Commit b0f457b619 ("SAE: Do not expire the current PMKSA cache entry")
depends on sm->cur_pmksa to determine if it is the current PMKSA cache
entry, but sm->cur_pmksa was not always correct for SAE in the current
implementation.

Set sm->cur_pmksa in wpa_sm_set_pmk() (which is used with SAE), and skip
clearing of sm->cur_pmksa for SAE in wpa_find_assoc_pmkid(). This latter
case was added by commit c2080e8657 ("Clear current PMKSA cache
selection on association/roam") for driver-based roaming indication and
Suite B, so skipping it for SAE should be fine.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-25 19:03:32 +03:00
Shiva Krishna Pittala
aa5c4f9322 Add QCA vendor attribute to configure priority of vendor scan
Add the attribute QCA_WLAN_VENDOR_ATTR_SCAN_PRIORITY to configure the
priority of vendor scan relative to other scan requests. Add the valid
values that this attribute can take.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-25 12:56:32 +03:00
Jouni Malinen
8a54c252a4 tests: Configuration file comment with "" after #
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-22 17:48:08 +03:00
xinpeng wang
aca4d4963a Fix handling of complex configuration lines with mixed "" and #
The original code wants to remove # comments unless they are within a
double quoted string, but it doesn’t consider the "" after #, for
example in the following line: a=b #"a=c"

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2021-10-22 17:47:29 +03:00
xinpeng wang
0ae677c7b4 eloop: Extend overflow check in eloop_register_timeout() to cover usec
Processing of usec could result in an additional +1 increment to sec and
that might overflow. Extend the previously used overflow check to cover
this special case as well.

Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
2021-10-22 17:24:32 +03:00
Johannes Berg
a29c2399a7 tests: Add regulatory database to VMs
Add a common well-known regulatory database to the test VMs during runs
to remove one thing to have correct in the host.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2021-10-22 17:17:28 +03:00
Jouni Malinen
139202a116 tests: BSS_TM_REQ with dialog_token parameter
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-22 17:14:20 +03:00
David Bauer
979f197165 WNM: Allow specifying dialog token for BSS transition request
Adds the ability to specify the dialog token of a WNM BSS Transition
Management Request frame via the hostapd control interface.

For this, the new 'dialog_token' option can be used with the BSS_TM_REQ
command. It accepts values as an 8 bit unsigned integer. If not
specified, the dialog token is set to 1 like before.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-22 17:11:36 +03:00
Reinhard Tartler
3f6c02f29a Use pkg-config for libpcsclite linkage flags
Using pkg-config for libpcsclite can provide more accurate linking
flags.

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2021-10-22 17:04:33 +03:00
Stefan Lippers-Hollmann
e797959b86 systemd: Order wpa_supplicant after dbus
Make sure that D-Bus isn't shut down before wpa_supplicant, as that would
also bring down wireless links which are still holding open NFS shares.

Debian bug: https://bugs.debian.org/785579
systemd upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=89847

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2021-10-22 17:01:20 +03:00
Andrej Shadura
95bf9fc93d Remove extra slash from BIN/INC/LIBDIR defaults
Every usage of these variables appends an extra slash, so keeping
a slash in the default values leads to double slashes in resulting
paths.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2021-10-22 16:58:10 +03:00
Arowa Suliman
5a4ae6e3ad Replace "native" with a more specific description
Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-22 16:54:58 +03:00
Arowa Suliman
2fb33ce4b6 wpa_supplicant: hostapd: Remove man-in-the-middle
Replace man-in-the-middle attacks with on-path attacks which
is gender-neutral and commonly used.

Signed-off-by: Arowa Suliman <arowa@chromium.org>
2021-10-22 16:53:30 +03:00
Jouni Malinen
2e122945fa DPP2: Do not try to remove Controller TCP connection twice on error
These code paths on the Controller were calling dpp_connection_remove()
twice for the same connection in the error cases. That would result in
double-freeing of the memory, so fix this by remove the
dpp_connection_remove() call from the called function and instead,
remove the connection in dpp_controller_rx() error handling.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-19 00:32:02 +03:00
Jouni Malinen
a47d484919 tests: DPP Controller management in hostapd over interface addition/removal
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-19 00:32:02 +03:00
Jouni Malinen
5bac420e5e DPP2: Clean up Controller on hostapd interface removal
Stop the DPP Controller instance, if one is started, when the hostapd
interface that was used to start that Controller is removed. This is
needed to remove the control pointers that point to the soon-to-be-freed
hostapd structures. This fixes an issue where a Controller operation
with multiple interfaces could have resulted in references to freed
memory if an interface is removed without explicitly stopping the DPP
Controller.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-19 00:32:02 +03:00
leiwei
d8b3d08159 macsec_qca: Support macsec secy id getting from driver
Use the new nss_macsec_secy_id_get() function, if available, instead of
the hardcoded ifname to secy_id mapping.

Signed-off-by: leiwei <leiwei@codeaurora.org>
2021-10-18 23:32:34 +03:00
David Bauer
08bdf4f90d proxyarp: Fix compilation with Hotspot 2.0 disabled
The disable_dgaf config field is only available in case hostapd is
compiled with Hotspot 2.0 support (CONFIG_HS20=y), however Proxy-ARP
(CONFIG_PROXYARP=y) does not depend on Hotspot 2.0.

Only add the code related to this config field when Hotspot 2.0 is
enabled to fix compilation with the aformentioned preconditions.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-18 21:24:59 +03:00
Jouni Malinen
8601356e3b tests: Update sae_pmk_lifetime to match implementation
The current PMKSA cache entry with SAE does not expire during the
association anymore.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-18 21:21:07 +03:00
Jouni Malinen
b0f457b619 SAE: Do not expire the current PMKSA cache entry
There is no convenient mechanism for reauthenticating and generating a
new PMK during an association with SAE. As such, forced PMK update would
mean having to disassociate and reauthenticate which is not really
desired especially when the default PMKLifetime is only 12 hours.

Postpone PMKSA cache entry expiration of the currently used entry with
SAE until the association is lost. In addition, do not try to force the
EAPOL state machine to perform reauthentication for SAE since that won't
work.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-10-18 21:20:52 +03:00