Use crypto.h API to implement ECDH in DPP. This needs a new
initialization function in crypto.h to initialize an ECDH with a given
EC key.
Using crypto_ecdh_set_peerkey() to generate the ECDH secret in an
intermediate and dynamically allocated buffer removed the need for the
DPP-specific workaround for inconsistent length returned by
EVP_PKEY_derive() since that crypto_ecdh_set_peerkey() implementation
already had functionality for covering the changing secret_len value
from commit d001fe31ab ("OpenSSL: Handle EVP_PKEY_derive() secret_len
changes for ECDH").
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Keep the locally defined ASN.1 sequence DPP_BOOTSTRAPPING_KEY for now to
avoid losing a workaround for BoringSSL from commit 746c1792ac ("DPP:
Build bootstrapping key DER encoding using custom routine").
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Instead of generating EC point with random coordinates, generate a
valid EC point and then corrupt the coordinates after exporting them
in binary format.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Remove one more direct call to OpenSSL using crypto_ec_key_group() to
compare group of c-sign-key and ppKey when creating Configurator from
backup data.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Rewrite functions related to reconfig feature using EC point/bignum
primitives defined in crypto.h API.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Add two new functions in crypto.h that "wrap" around already defined
signing function with (r,s) interface instead of DER Ecdsa-Sig-Value.
Using those functions implies to compute the hash to sign manually
before.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Rewrite dpp_auth_derive_l_responder/initiator() using EC point/bignum
primitives defined in crypto.h API.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Rewrite EC point/bignum computation done in PKEX protocol using EC
point/bignum primitives already defined in crypto.h and couple of small
new helper functions.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Function crypto_ec_key_parse_priv() already parses ASN.1 ECPrivateKey so
use it when possible.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
The extra validation steps through the OpenSSL X509 API are not really
necessary here and they most duplicate checks that happen implicitly
within d2i_PUBKEY() and the EVP_PKEY_get0_EC_KEY() checks in
crypto_ec_key_parse_pub().
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Move code of dpp_set_pubkey_point_group() into crypto.h API. This
function initializes an EC public key using coordinates of the EC point
in binary format.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Move code of dpp_get_pubkey_point() to a crypto library specific
function crypto_ec_key_get_pubkey_point().
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Add crypto_ec_key_get_ecprivate_key() function in crypto.h and use it
when possible in DPP code.
This function converts a struct crypto_ec_key into a DER encoded ASN.1
ECPrivateKey.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
To remove direct dependency to OpenSSL in DPP replace EVP_PKEY
by struct crypto_ec_key in all structures and function prototypes.
All direct calls to EVP_PKEY_free() are replaced by calls to
crypto_ec_key_deinit().
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Add the attribute QCA_WLAN_VENDOR_ATTR_SCAN_PRIORITY to configure the
priority of vendor scan relative to other scan requests. Add the valid
values that this attribute can take.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These code paths on the Controller were calling dpp_connection_remove()
twice for the same connection in the error cases. That would result in
double-freeing of the memory, so fix this by remove the
dpp_connection_remove() call from the called function and instead,
remove the connection in dpp_controller_rx() error handling.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Stop the DPP Controller instance, if one is started, when the hostapd
interface that was used to start that Controller is removed. This is
needed to remove the control pointers that point to the soon-to-be-freed
hostapd structures. This fixes an issue where a Controller operation
with multiple interfaces could have resulted in references to freed
memory if an interface is removed without explicitly stopping the DPP
Controller.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Existing logic to disable HE in hostapd_set_freq_params() is to check
he_cap != NULL, but this is not correct as he_cap is defined as a stack
member of hostapd_hw_modes which can't be NULL. Add one more check
!he_cap->he_supported to make sure HE can be disabled if the driver not
support it.
This fixes a case where a driver does not support HE, but hostapd.conf
enables HE/HT40 on the 2.4 GHz band and hostapd failed to start with
error '40 MHz channel width is not supported in 2.4 GHz'.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a QCA vendor attribute to indicate agile spectral scan support for
320 MHz mode. Add another attribute to indicate the number of detectors
used for spectral scan in 320 MHz mode.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Introduce a new vendor command QCA_NL80211_VENDOR_SUBCMD_ROAM_EVENTS
that aims to configure/trigger the roam events from the driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Indicate DSCP Policy capability by including a WFA Capabilities element
containing the relevant bit set to 1 in the (Re)Association Request
frames when enabled by user.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Add support to parse received DSCP Policy Request frames and send the
request details as control interface events.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
This new vendor command aims to indicate the driver to enable the
monitor mode for an interface on which this command is issued. Once
enabled, the frames (both TX and RX) on this interface are sent to an
active coexisting monitor interface.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add new attributes for supporting MBSSID multi groups notifications
to qca_wlan_vendor_attr_mbssid_tx_vdev_status
(QCA_NL80211_VENDOR_SUBCMD_MBSSID_TX_VDEV_STATUS).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
QCA_ROAM_REASON_USER_TRIGGER was wrongly documented as
QCA_ROAM_REASON_EXPLICIT_REQUEST, so correct it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Enhance the P2P_GROUP_ADD command to support DFS channel with 80 and 160
MHz bandwidth to be used for autonomous GO when using offloaded DFS.
For example, 'P2P_GROUP_ADD freq=5500 max_oper_chwidth=80 ht40 vht'
- Previous behavior: AP fallback to channel 100 using 20 MHz with
"No VHT higher bandwidth support for the selected channel 100"
- Enhanced behavior: AP starts on channel 100 using 80 MHz with
"VHT center channel 106 for 80 or 80+80 MHz bandwidth"
This functionality is on top of the driver's capability to offload DFS,
which is advertized through WPA_DRIVER_FLAGS_DFS_OFFLOAD.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add QCA vendor interface support for configuring background scan related
parameters to the driver/firmware.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 45c3e72952 ("Add frequency to operating class determination
for 5 GHz 100..140") extends ieee80211_freq_to_channel_ext() with
knowledge of the operating classes for the 5 GHz channels 100..140.
Per "Table E-4 - Global operating classes" in IEEE Std 802.11-2020, 5
GHz channel 144 also maps to same operating classes, so update hostapd
code to reflect the change.
This issue is found when OCV enabled and 4-way-handshake failed due
to client OCI includes op_class 0 for channel 144. This showed
up in following manner in the debug log:
WPA: OCI KDE in EAPOL-Key - hexdump(len=9): dd 07 00 0f ac 0d 00 90 00
Error interpreting OCI: unrecognized opclass/channel pair (0/144)
Signed-off-by: Hu Wang <huw@codeaurora.org>
Enable support for P2P connection in 6 GHz with the channel width of 40
MHz, 80 MHz, and 160 MHz. The flag max_oper_chwidth is used to configure
the maximum channel width for P2P connection in 6 GHz with the commands
P2P_CONNECT, P2P_INVITE, and P2P_GROUP_ADD.
Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
Current definition of wpas_p2p_get_ht40_mode() determines secondary
offset in the 5 GHz band. Enhance the functionality of this function to
determine offset to support 6 GHz channels also.
Signed-off-by: Sreeramya Soratkal <ssramya@codeaurora.org>
Add a new attribute into qca_wlan_vendor_attr_ll_stats_results to
support getting interface time slicing duty cycle info.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11ax-2021 added channel 177 into global operating class 125
and consequently channel 173 in global operating class 126 (HT40+) and
channel 177 in global operating class 127 (HT40-).
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Skip the test of HE PHY capability bit "Support for a 40 MHz and 80 MHz
channel width" when starting an AP with a 20 MHz channel on the 5 GHz
band.
Signed-off-by: Cedric Izoard <cedric.izoard@ceva-dsp.com>
Add a QCA vendor attribute to configure the driver/firmware the allowed
bands for roaming by userpace. This attribute is also used to get the
configured roam bands from the driver.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Generate an event on the control socket interface when a network is
added or removed. The event name CTRL-EVENT-NETWORK-<ADDED|REMOVED>
is followed by the network entry identifier. The event matches the
corresponding Network<Added|Removed> signal on the d-bus interface.
Signed-off-by: Andrew Beltrano <anbeltra@microsoft.com>
==19798==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000663f8 at pc 0x55a2c485a232 bp 0x7ffeb42dcaf0 sp 0x7ffeb42dcae0
READ of size 8 at 0x6110000663f8 thread T0
Connect STA wlan0 to AP
#0 0x55a2c485a231 in ptksa_cache_add ../src/common/ptksa_cache.c:310
#1 0x55a2c4398045 in hostapd_store_ptksa ../src/ap/wpa_auth_glue.c:943
#2 0x55a2c4430980 in wpa_auth_store_ptksa ../src/ap/wpa_auth.c:232
#3 0x55a2c44578e1 in sm_WPA_PTK_PTKINITDONE_Enter ../src/ap/wpa_auth.c:3650
#4 0x55a2c44578e1 in sm_WPA_PTK_Step ../src/ap/wpa_auth.c:3798
#5 0x55a2c44578e1 in wpa_sm_step ../src/ap/wpa_auth.c:4437
#6 0x55a2c445d99d in wpa_receive ../src/ap/wpa_auth.c:1411
#7 0x55a2c43e7747 in ieee802_1x_receive ../src/ap/ieee802_1x.c:1118
#8 0x55a2c43bbf73 in hostapd_event_eapol_rx ../src/ap/drv_callbacks.c:1542
#9 0x55a2c43bbf73 in wpa_supplicant_event ../src/ap/drv_callbacks.c:1932
#10 0x55a2c466cb2d in drv_event_eapol_rx ../src/drivers/driver.h:6074
#11 0x55a2c466cb2d in nl80211_control_port_frame ../src/drivers/driver_nl80211_event.c:2822
#12 0x55a2c466cb2d in process_bss_event ../src/drivers/driver_nl80211_event.c:3194
#13 0x7feed9e90b9b in nl_cb_call ./include/netlink-private/netlink.h:145
#14 0x7feed9e90b9b in recvmsgs ./lib/nl.c:1006
#15 0x7feed9e90b9b in nl_recvmsgs_report ./lib/nl.c:1057
#16 0x7feed9e91058 in nl_recvmsgs ./lib/nl.c:1081
#17 0x55a2c45f2e8c in wpa_driver_nl80211_event_receive ../src/drivers/driver_nl80211.c:1782
#18 0x55a2c44b9afa in eloop_sock_table_dispatch ../src/utils/eloop.c:603
#19 0x55a2c44be122 in eloop_run ../src/utils/eloop.c:1228
#20 0x55a2c43360bf in hostapd_global_run /home/mbr/hostapd/hostapd/main.c:451
#21 0x55a2c43360bf in main /home/mbr/hostapd/hostapd/main.c:898
#22 0x7feed8ce20b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#23 0x55a2c432f3fd in _start (/home/mbr/hostapd/hostapd/hostapd+0x9f23fd)
0x6110000663f8 is located 184 bytes inside of 216-byte region [0x611000066340,0x611000066418)
freed by thread T0 here:
#0 0x7feeda1477cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55a2c44ce56b in os_free ../src/utils/os_unix.c:773
#2 0x55a2c451a986 in radius_msg_free ../src/radius/radius.c:137
#3 0x55a2c4527104 in radius_client_msg_free ../src/radius/radius_client.c:261
#4 0x55a2c452f53c in radius_client_list_add ../src/radius/radius_client.c:715
#5 0x55a2c452f53c in radius_client_send ../src/radius/radius_client.c:807
#6 0x55a2c453b24c in accounting_sta_report ../src/ap/accounting.c:352
#7 0x55a2c453d6e9 in accounting_sta_stop ../src/ap/accounting.c:384
#8 0x55a2c44190fd in ap_free_sta ../src/ap/sta_info.c:194
#9 0x55a2c4934530 in handle_deauth ../src/ap/ieee802_11.c:6035
#10 0x55a2c4934530 in ieee802_11_mgmt ../src/ap/ieee802_11.c:6399
#11 0x55a2c43bf114 in hostapd_mgmt_rx ../src/ap/drv_callbacks.c:1468
#12 0x55a2c43bf114 in wpa_supplicant_event ../src/ap/drv_callbacks.c:1912
#13 0x55a2c465faf7 in mlme_event_mgmt ../src/drivers/driver_nl80211_event.c:823
#14 0x55a2c4661774 in mlme_event ../src/drivers/driver_nl80211_event.c:1135
#15 0x55a2c466c43b in process_bss_event ../src/drivers/driver_nl80211_event.c:3177
#16 0x7feed9e90b9b in nl_cb_call ./include/netlink-private/netlink.h:145
#17 0x7feed9e90b9b in recvmsgs ./lib/nl.c:1006
#18 0x7feed9e90b9b in nl_recvmsgs_report ./lib/nl.c:1057
previously allocated by thread T0 here:
#0 0x7feeda147bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55a2c44cd387 in os_malloc ../src/utils/os_unix.c:715
#2 0x55a2c44ceb7f in os_zalloc ../src/utils/os_unix.c:779
#3 0x55a2c451a9f2 in radius_msg_new ../src/radius/radius.c:109
#4 0x55a2c4539a6e in accounting_msg ../src/ap/accounting.c:46
#5 0x55a2c453be15 in accounting_report_state ../src/ap/accounting.c:439
#6 0x55a2c453d91d in accounting_init ../src/ap/accounting.c:534
#7 0x55a2c4378952 in hostapd_setup_bss ../src/ap/hostapd.c:1333
#8 0x55a2c4382530 in hostapd_setup_interface_complete_sync ../src/ap/hostapd.c:2094
#9 0x55a2c4382815 in hostapd_setup_interface_complete ../src/ap/hostapd.c:2229
#10 0x55a2c4384100 in setup_interface2 ../src/ap/hostapd.c:1726
#11 0x55a2c4386b58 in setup_interface ../src/ap/hostapd.c:1628
#12 0x55a2c4386b58 in hostapd_setup_interface ../src/ap/hostapd.c:2318
#13 0x55a2c4387a57 in hostapd_enable_iface ../src/ap/hostapd.c:2730
#14 0x55a2c455d723 in hostapd_ctrl_iface_enable /home/mbr/hostapd/hostapd/ctrl_iface.c:1606
#15 0x55a2c455d723 in hostapd_ctrl_iface_receive_process /home/mbr/hostapd/hostapd/ctrl_iface.c:3607
#16 0x55a2c456821e in hostapd_ctrl_iface_receive /home/mbr/hostapd/hostapd/ctrl_iface.c:4018
#17 0x55a2c44b9afa in eloop_sock_table_dispatch ../src/utils/eloop.c:603
#18 0x55a2c44be122 in eloop_run ../src/utils/eloop.c:1228
#19 0x55a2c43360bf in hostapd_global_run /home/mbr/hostapd/hostapd/main.c:451
#20 0x55a2c43360bf in main /home/mbr/hostapd/hostapd/main.c:898
#21 0x7feed8ce20b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-use-after-free ../src/common/ptksa_cache.c:310 in ptksa_cache_add
Shadow bytes around the buggy address:
0x0c2280004c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2280004c30: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280004c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2280004c50: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
0x0c2280004c60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2280004c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
0x0c2280004c80: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280004c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280004ca0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c2280004cb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280004cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==19798==ABORTING
Fixes: a4e3691616 ("WPA: Add PTKSA cache implementation")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Add support to receive and process SCS Response frames from the AP and
indicate the status to upper layers.
Signed-off-by: Vinita S. Maloo <vmaloo@codeaurora.org>
