pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.
Jouni Malinen [Sun, 1 May 2022 08:34:49 +0000 (11:34 +0300)]
EAP-SIM/AKA peer: IMSI privacy
Add support for IMSI privacy in the EAP-SIM/AKA peer implementation. If
the new wpa_supplicant network configuration parameter imsi_privacy_key
is used to specify an RSA public key in a form of a PEM encoded X.509v3
certificate, that key will be used to encrypt the permanent identity
(IMSI) in the transmitted EAP messages.
Add RSA public key (in an X.509v3 certificate) and private key for IMSI
privacy. These were generated with
openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 7500 \
-keyout imsi-privacy-key.pem -out imsi-privacy-cert.pem
Test the case where wpa_supplicant side RSA-OAEP operation for IMSI
privacy is done in an external component while the hostapd (EAP server)
processing of the encrypted identity is internal.
Add support for IMSI privacy in the EAP-SIM/AKA server implementation.
If the new hostapd configuration parameter imsi_privacy_key is used to
specify an RSA private key, that key will be used to decrypt encrypted
permanent identity.
Aloka Dixit [Tue, 19 Apr 2022 18:04:15 +0000 (11:04 -0700)]
EHT: Indicate EHT support in Neighbor Report element
Set bit 21 in the neighbor report for an EHT AP as described in IEEE
P802.11be/D1.5, 9.4.2.36. Also move the check for HE outside the check
for HT as neither HT nor VHT are enabled in the 6 GHz band.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com> Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Aloka Dixit [Tue, 19 Apr 2022 18:04:12 +0000 (11:04 -0700)]
EHT: Process (Re)Association Request frame capabilities
Parse EHT capabilities sent by a non-AP STA in (Re)Association Request
frames. Validate the length of the element, matching MCS rates between
AP TX and STA RX. Store the capabilities in the station info structure.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com> Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
defconfig: Document IEEE 802.11ax as a published amendment
The comment about the IEEE 802.11ax functionality being experimental and
based on a not yet finalized standard is not accurate anymore since IEEE
Std 802.11ax-2021 has already been published. Remove that comment and
add the entry for wpa_supplicant as well.
Set hostapd hw_mode automatically based on 6 GHz op_class
Allow hostapd configuration to specify use of the 6 GHz band with the
specific op_class values without having to set the hw_mode=a parameter
explicitly.
nl80211: Increase the buffer length for debug printing channels
The previously used buffer was not large enough to be able to print out
all 6 GHz channels, so use a larger buffer to avoid leaving out
supported channels from the debug print.
Add QCA_WLAN_VENDOR_ATTR_WIFI_TEST_CONFIG_11BE_EMLSR_MODE value to allow
or disallow eMLSR hardware mode for IEEE 802.11be MLO capable devices.
If this attribute is set to 1, and if the firmware supports this
capability too, the STA advertises this capability to the AP over
Association Request frame. This attribute will not have any effect on
legacy devices with no IEEE 802.11be support.
It looks like the OpenSSL callbacks for SSL_SESSION can end up calling
the remove callback for multiple SSL_SESSION entries that share the same
ex data. This could result in double freeing the session data on the
server side.
Track the SSL_SESSION ex data in a separate list and free the
allocations only if they are pointing to a valid allocated wpabuf
pointer.
Kuan-Chung Chen [Fri, 28 Jan 2022 09:25:46 +0000 (17:25 +0800)]
MBO: Check association disallowed in Beacon frames, if newer
When a station receives either a Beacon frame or a Probe Response frame
from an AP that contains an MBO element with the Association Disallowed
attribute, the station should prevent association to that AP. When using
passive scanning, it is possible for the scan results to contain the
latest information in the Beacon frame elements instead of the Probe
Response frame elements. That could result in using old information and
not noticing the AP having changed its state to disallowing new
associations.
Make it more likely to follow the AP's change to disallow associations
by checking the Beacon frame elements instead of Probe Response frame
elements if the scan results are known to contain newer information for
the Beacon frame.
Determine whether Beacon frame information is newer in scan results
It can be helpful to know whether the information elements from the
Beacon frame or the Probe Response frame are newer when using BSS table
entries, so make this information known, if available. This allows the
Beacon frame elements to be preferred over the Probe Response frame
elements when desired.
Alex Kiernan [Thu, 21 Apr 2022 14:38:42 +0000 (15:38 +0100)]
Install wpa_passphrase when not disabled
As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets
built, its not installed during `make install`.
Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase") Signed-off-by: Alex Kiernan <alexk@zuma.ai> Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Ben Greear [Thu, 21 Apr 2022 23:02:39 +0000 (16:02 -0700)]
hostapd: Allow enabling background radar
This feature does not work on all radios that advertise this feature
with the current driver implementation, and possibly some users don't
want to use it even if it works fine, so disable it by default for now,
but let users enable it as desired with enable_background_radar=1.
Signed-off-by: Ben Greear <greearb@candelatech.com>
wolfSSL: Fix crypto_ec_point_compute_y_sqr() error case processing
The result (y2) was cleared and freed in error cases, but the pointer
itself was not cleared to NULL, so the error path would have returned a
pointer to freed memory. Fix this by properly clearing the return value
in error cases. In addition, simplify the function to avoid tracking
success case separately.
wolfSSL: Use wc_HmacInit() to avoid potential use of uninitialized values
wc_HmacSetKey() seems to initialize everything that is needed for the
actual operation, but at least valgrind is reporting use of
uninitialized values when this was done on a data structure that was not
explicitly cleared.
Call wc_HmacInit() before wc_HmacSetKey() to avoid any unexpected
behavior from potentially uninitialized values.
OpenSSL: Use new name for the EC_POINT set/get coordinate functions
OpenSSL 1.1.1 deprecated the function names with the _GFp postfix, so
move to the new function name. Add backwards compatibility wrappers for
older versions.
xinpeng wang [Wed, 5 Jan 2022 08:54:59 +0000 (16:54 +0800)]
ctrl: Print the source address of the received commands
Sometimes there is a program error to send a large number of commands to
wpa_supplicant, and the source address can help quickly find the program
that sends commands.
Signed-off-by: xinpeng wang <wangxinpeng@uniontech.com>
priv_sz and pub_sz needs to be initialized to the buffer size before the
wc_DhGenerateKeyPair() call. The previous version happened to work in
some cases where a separate handled prime length was used, but not for
the generic case.
wolfSSL: Fix crypto_ecdh_* with ECC_TIMING_RESISTANT
It looks like crypto_ecdh_set_peerkey() had started failing at some
point with a wolfSSL update due to ECC_TIMING_RESISTANT from
--enable-harden requiring RNG to be set.
eapol_test: Update with src/ap/ieee802_1x.c changes
eapol_test.c contains variants of couple of functions from the hostapd
implementation. Those had not been updated for a while and this commit
brings in the main changes to keep the implementations closer to
each other.
Nicolas Escande [Thu, 24 Mar 2022 12:46:00 +0000 (13:46 +0100)]
ACS: Honor acs_exclude_dfs with hostapd's ACS implementation
The acs_exclude_dfs parameter is documented as a way to exclude DFS
channels when performing ACS without disabling DFS altogether. The
problem is this parameter is only enforced when ACS is offloaded to the
driver (WPA_DRIVER_FLAGS_ACS_OFFLOAD). So from now on, lets also check
acs_exclude_dfs in the internal ACS implementation to exclude channels
marked with radar detection.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.
Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.
John Crispin [Mon, 21 Mar 2022 11:10:34 +0000 (12:10 +0100)]
BSS coloring: Handle the collision and CCA events coming from the kernel
This commit activates the functionality of the previous commits by
handling the actual events that will trigger the CCA process.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:34 +0000 (12:10 +0100)]
nl80211: Handle driver events for BSS coloring
Process the color collision and color change related events.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:33 +0000 (12:10 +0100)]
nl80211: Add the switch_color() handler for BSS color changes
To start the CCA process we need to send NL80211_CMD_COLOR_CHANGE to the
kernel. This commit adds the required code.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:32 +0000 (12:10 +0100)]
BSS coloring: Disable BSS color during CCA
While we are doing CCA the BSS Color Disabled field inside the HE
Operation Parameters field needs to be set.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:31 +0000 (12:10 +0100)]
BSS coloring: BSS Color Change Announcement element generation
This information element is similar to the CSA one. It contains a
counter and the target color. Once the counter expired, the change to
the new color happens.
Just note the current implementation is based on CCA counter attributes
that only take Beacon and Probe Response framesinto account.
(Re)Association Response frames do not currently have kernel APIs to
decrement the CCA counter since mediatek mcu firmware does not support
it yet and it will be added in future firmware release.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:30 +0000 (12:10 +0100)]
BSS coloring: Handling of collision events and triggering CCA
Add the core code for handling BSS color collision events and triggering
CCA inside the kernel. The caller of hostapd_switch_color() will be
added in the following commits.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Johannes Berg [Mon, 11 Apr 2022 09:41:20 +0000 (11:41 +0200)]
tests: Pretend the RNG is initialized withinthe VM
We don't particularly care about the quality of random numbers
during the test. So far, there hasn't been an issue with the
RNG not being initialized completely, we only get a few prints
about uninitialized reads from urandom. However, if some tool
were to actually use /dev/random, it might get stuck. Call the
RNDADDTOENTCNT ioctl to unblock this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The previous versions are going to be expiring soon, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.
OpenSSL: Do not use the deprecated RSAPrivateKey function
Comment out the call to SSL_use_RSAPrivateKey_ASN1() function when using
OpenSSL 3.0 since that function was deprecated and there does not seem
to be any significant use case for supporting DER encoded RSAPrivateKey
structure in the private key blob.
This was used earlier in the wpa_supplicant configuration, but there was
no real use for that, so remove the now completely unused parameter to
simplify implementation.
Remove useless DH file configuration from TLS library wrappers
These operations do not really have any effect since
tls_connection_set_params() is used only in the TLS client case and the
client receives the DH parameters from the server instead of local
configuration.
Remove DH file configuration from TLS client functionality
The DH file parameters are applicable only for the TLS server, so this
parameter did not really have any impact to functionality. Remove it to
get rid of useless code and confusing documentation for the network
block configuration.
Use vendor specific RADIUS attributes for sending ANonce and EAPOL-Key
msg 2/4 for the wpa_psk_radius=3 case. The vendor specific attributes
for this are defined in FreeRADIUS as follows:
BoringSSL: Use accessor functions for X509 key usage flags
BoringSSL commit dddb60eb9700110835ff6e2b429de40a17006429 ("Make most of
crypto/x509 opaque.") broke the direct access to these variables, so use
the accessor functions instead.
BoringSSL: Replace stack-allocated X509_STORE_CTX with heap one
BoringSSL commit dddb60eb9700110835ff6e2b429de40a17006429 ("Make most of
crypto/x509 opaque.") broke the stack-allocated version, so move to
using X509_STORE_CTX_new() to get an opaque pointer to X509_STORE_CTX
instead.
projects / thirdparty / hostap.git / log
