eapol_test: Update with src/ap/ieee802_1x.c changes
eapol_test.c contains variants of couple of functions from the hostapd
implementation. Those had not been updated for a while and this commit
brings in the main changes to keep the implementations closer to
each other.
Nicolas Escande [Thu, 24 Mar 2022 12:46:00 +0000 (13:46 +0100)]
ACS: Honor acs_exclude_dfs with hostapd's ACS implementation
The acs_exclude_dfs parameter is documented as a way to exclude DFS
channels when performing ACS without disabling DFS altogether. The
problem is this parameter is only enforced when ACS is offloaded to the
driver (WPA_DRIVER_FLAGS_ACS_OFFLOAD). So from now on, lets also check
acs_exclude_dfs in the internal ACS implementation to exclude channels
marked with radar detection.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
The previous mechanism of unloaded the providers from tls_deinit() did
not work correctly for some cases. In particular, it was possible for
hostapd to end up unloading both providers and not being able to recover
from this if TLS server was not enabled.
Address this more cleanly by introducing a new crypto_unload() function
that will be called when the process is exiting.
John Crispin [Mon, 21 Mar 2022 11:10:34 +0000 (12:10 +0100)]
BSS coloring: Handle the collision and CCA events coming from the kernel
This commit activates the functionality of the previous commits by
handling the actual events that will trigger the CCA process.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:34 +0000 (12:10 +0100)]
nl80211: Handle driver events for BSS coloring
Process the color collision and color change related events.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:33 +0000 (12:10 +0100)]
nl80211: Add the switch_color() handler for BSS color changes
To start the CCA process we need to send NL80211_CMD_COLOR_CHANGE to the
kernel. This commit adds the required code.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:32 +0000 (12:10 +0100)]
BSS coloring: Disable BSS color during CCA
While we are doing CCA the BSS Color Disabled field inside the HE
Operation Parameters field needs to be set.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:31 +0000 (12:10 +0100)]
BSS coloring: BSS Color Change Announcement element generation
This information element is similar to the CSA one. It contains a
counter and the target color. Once the counter expired, the change to
the new color happens.
Just note the current implementation is based on CCA counter attributes
that only take Beacon and Probe Response framesinto account.
(Re)Association Response frames do not currently have kernel APIs to
decrement the CCA counter since mediatek mcu firmware does not support
it yet and it will be added in future firmware release.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
John Crispin [Mon, 21 Mar 2022 11:10:30 +0000 (12:10 +0100)]
BSS coloring: Handling of collision events and triggering CCA
Add the core code for handling BSS color collision events and triggering
CCA inside the kernel. The caller of hostapd_switch_color() will be
added in the following commits.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com> Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Johannes Berg [Mon, 11 Apr 2022 09:41:20 +0000 (11:41 +0200)]
tests: Pretend the RNG is initialized withinthe VM
We don't particularly care about the quality of random numbers
during the test. So far, there hasn't been an issue with the
RNG not being initialized completely, we only get a few prints
about uninitialized reads from urandom. However, if some tool
were to actually use /dev/random, it might get stuck. Call the
RNDADDTOENTCNT ioctl to unblock this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The previous versions are going to be expiring soon, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.
OpenSSL: Do not use the deprecated RSAPrivateKey function
Comment out the call to SSL_use_RSAPrivateKey_ASN1() function when using
OpenSSL 3.0 since that function was deprecated and there does not seem
to be any significant use case for supporting DER encoded RSAPrivateKey
structure in the private key blob.
This was used earlier in the wpa_supplicant configuration, but there was
no real use for that, so remove the now completely unused parameter to
simplify implementation.
Remove useless DH file configuration from TLS library wrappers
These operations do not really have any effect since
tls_connection_set_params() is used only in the TLS client case and the
client receives the DH parameters from the server instead of local
configuration.
Remove DH file configuration from TLS client functionality
The DH file parameters are applicable only for the TLS server, so this
parameter did not really have any impact to functionality. Remove it to
get rid of useless code and confusing documentation for the network
block configuration.
Use vendor specific RADIUS attributes for sending ANonce and EAPOL-Key
msg 2/4 for the wpa_psk_radius=3 case. The vendor specific attributes
for this are defined in FreeRADIUS as follows:
BoringSSL: Use accessor functions for X509 key usage flags
BoringSSL commit dddb60eb9700110835ff6e2b429de40a17006429 ("Make most of
crypto/x509 opaque.") broke the direct access to these variables, so use
the accessor functions instead.
BoringSSL: Replace stack-allocated X509_STORE_CTX with heap one
BoringSSL commit dddb60eb9700110835ff6e2b429de40a17006429 ("Make most of
crypto/x509 opaque.") broke the stack-allocated version, so move to
using X509_STORE_CTX_new() to get an opaque pointer to X509_STORE_CTX
instead.
OpenSSL: CMAC using the OpenSSL library for non-FIPS cases as well
Commit 0b5e98557eca ("FIPS: Use OpenSSL CMAC implementation instead of
aes-omac1.c") added this implementation initially only for the FIPS
builds. However, there does not seem to be any remaining need to avoid
depending on the OpenSSL library implementation for builds, so move to
that implementation unconditionally to reduce the binary size a bit.
This is used with DPP and SAE when using P-384, so prepare the OpenSSL
implementation to support these cases to allow the internal CMAC
implementation in aes-omac1.c to be replaced.
Android: Compile hs20-osu-client to /vendor/bin in test builds
hs20-osu-client compilation fails on Android O onwards because of
undefined reference for __android_log_print/__android_log_vprint.
Modify hs20-osu-client's Android.mk to include liblog library and
use tag 'hs20-osu-client' in logcat logs. Additionally, compile
hs20-osu-client to /vendor/bin in non-production builds.
DPP: Allow a list of supported curves to be used in bootstrapping URI
The new DPP_BOOTSTRAP_GEN command parameter supported_curves can be used
to specify a colon separated list of supported curves. Information from
a parsed URI shows this information with a new supp_curves line in the
DPP_BOOTSTRAP_INFO output.
tests: Fetch commitid on the host when running tests in a VM
git has started rejecting repositories owned by other users and refusing
to run the "git rev-parse HEAD" command in this type of cases. That
resulted in issues with the VM testing model where the VM is practically
running everything as root while the host is a normal development
environment and likely a non-root user owned files.
Fix this by fetching the commitid on the host and pass it to the VM so
that no git operations need to be run within the VM itself.
tests: Handle git rev-parse failures more robustly
Do not add the --commit argument if the current git commitid cannot be
determined. This prevents complete failure to run the tests if the git
command cannot be used for some reason (like a recent change that
stopped allowing root user within the VM from running the git operation
for the case where the host system uses non-root account).
Sumit Agre [Mon, 28 Mar 2022 12:42:17 +0000 (18:12 +0530)]
QCA vendor command support to reset configuration for eLNA bypass
Add support to reset eLNA bypass configuration to default behavior.
If value of 2 is configured, the driver can choose either to
disable/enable eLNA bypass control and there is no enforcement
from userspace.
OpenSSL 3.0 deprecated the low-level encryption functions, so use the
EVP API for this. Maintain the previous version for BoringSSL and
LibreSSL since not all versions seem to have the EVP_aes_*_wrap()
functions needed for the EVP API.
OpenSSL: Use a correct EVP_CIPHER_CTX freeing function on an error path
aes_encrypt_init() used incorrect function to free the EVP_CIPHER_CTX
allocated within this function. Fix that to use the OpenSSL function for
freeing the context.
Avraham Stern [Thu, 3 Mar 2022 23:39:03 +0000 (01:39 +0200)]
RRM: Include passive channels in active beacon report scan
When receiving a beacon report request with the mode set to active,
channels that are marked as NO_IR were not added to the scan request.
However, active mode just mean that active scan is allowed, but not
that it is a must, so these channels should not be omitted.
Include channels that are marked as NO_IR in the scan request even
if the mode is set to active.
Naïm Favier [Mon, 7 Feb 2022 20:01:39 +0000 (21:01 +0100)]
wpa_supplicant: Use unique IDs for networks and credentials
The id and cred_id variables are reset to 0 every time the
wpa_config_read() function is called, which is fine as long as it is
only called once. However, this is not the case when using both the -c
and -I options to specify two config files.
This is a problem because the GUI, since commit eadfeb0e9374 ("wpa_gui:
Show entire list of networks"), relies on the network IDs being unique
(and increasing), and might get into an infinite loop otherwise.
This is solved by simply making the variables static.
Add Transmit Power Envelope element for 6 GHz per IEEE Std
802.11ax-2021.
Currently, this uses hard coded EIRP/PSD limits which are applicable to
6 GHz operation in United states, Japan, and Korea. Support to extract
power limits from kernel data will be added after complete regulatory
support is added for the 6 GHz band.
Extend 6 GHz Operation Info field in HE Operation element
Add new field definitions for the 6 GHz Operation Information field in
the HE Operation element per IEEE Std 802.11ax-2021, 9.4.2.249. These
will be used for TPC operation in the 6 GHz band.
hostapd: Add config option to specify 6 GHz regulatory AP type
IEEE Std 802.11ax-2021 introduces Regulatory Info subfield to specify
the 6 GHz access point type per regulatory. Add a user config option for
specifying this.
When not specified, Indoor AP type is selected for the 6 GHz AP by
default.
Ilan Peer [Sun, 6 Mar 2022 15:49:34 +0000 (17:49 +0200)]
wpa_supplicant: Do not associate on 6 GHz with forbidden configurations
On the 6 GHz band the following is not allowed (see IEEE Std
802.11ax-2021, 12.12.2), so do not allow association with an AP using
these configurations:
- WEP/TKIP pairwise or group ciphers
- WPA PSK AKMs
- SAE AKM without H2E
In addition, do not allow association if the AP does not advertise a
matching RSNE or does not declare that it is MFP capable.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
So far, this option was only present in the Makefiles. Document it as
being available for configuration since the WFA program has already been
launched.
EAP-TLS: Allow TLSv1.3 support to be enabled with build config
The default behavior in wpa_supplicant is to disable use of TLSv1.3 in
EAP-TLS unless explicitly enabled in network configuration. The new
CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to
enable TLSv1.3 by default (if supported by the TLS library).
Disconnect STA on continuous EAP reauth without 4-way handshake completion
It could have been possible to get into an endless loop of retried EAP
authentication followed by failing or not completed 4-way handshake if
there was a different interpretation of EAP authentication result
(success on AP, failure on STA). Avoid this by limiting the number of
consecutive EAPOL reauth attempts without completing the following 4-way
handshake.
EAP-TLS: Do not allow TLSv1.3 success without protected result indication
RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.
Stop authentication attemps if AP does not disconnect us
It would have been possible for the authentication attemps to go into a
loop if the AP/Authenticator/authentication server were to believe EAP
authentication succeeded when the local conclusion in Supplicant was
failure. Avoid this by timing out authentication immediately on the
second consecutive EAP authentication failure.
EAP-TLS: Replace the Commitment Message term with RFC 9190 language
While the drafts for RFC 9190 used a separate Commitment Message term,
that term was removed from the published RFC. Update the debug prints to
match that final language.
Revert "Android: Compile hs20-osu-client to /vendor/bin in test builds"
This reverts commit 1192d5721b49a77579abf469d150b9e18e32be16. That
commit disabled hostapd and wpa_supplicant build in user build variants.
Furthermore, it used duplicated TARGET_BUILD_VARIANT checks between the
Android.mk files.
Add support for not transmitting EAPOL-Key group msg 2/2
To support the STA testbed role, the STA has to disable transmitting
EAPOL-Key group msg 2/2 of Group Key Handshake. Add test parameter to
disable sending EAPOL-Key group msg 2/2 of Group Key Handshake.
FILS: Fix config check to allow unsolicited broadcast Probe Response
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.
OWE: Reuse own DH private key in AP if STA tries OWE association again
This is a workaround for mac80211 behavior of retransmitting the
Association Request frames multiple times if the link layer retries
(i.e., seq# remains same) fail. The mac80211 initiated retransmission
will use a different seq# and as such, will go through duplicate
detection. If we were to change our DH key for that attempt, there would
be two different DH shared secrets and the STA would likely select the
wrong one.
Fixes: 33cb47cf0191 ("DPP: Fix connection result reporting when using TCP") Reported-by: Alexander Clouter <alex+hostapd@coremem.com> Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.
QCA vendor attribute to indicate NDP interface managemtn using nl80211
Add a QCA_WLAN_VENDOR_FEATURE_USE_ADD_DEL_VIRTUAL_INTF_FOR_NDI
flag to indicate that the driver requires add/del virtual interface
path using the generic nl80211 commands for NDP interface create/delete
and to register/unregister of netdev instead of creating/deleting
the NDP interface using vendor commands.
With the latest Linux kernel (5.12 version onward), interface
creation/deletion is not allowed using vendor commands as it leads to a
deadlock while acquiring the RTNL_LOCK during the register/unregister of
netdev. Create and delete NDP interface using NL80211_CMD_NEW_INTERFACE
and NL80211_CMD_DEL_INTERFACE commands respectively if the driver
advertises this capability.
Xin Deng [Thu, 10 Feb 2022 08:29:19 +0000 (16:29 +0800)]
FT: Update current_bss to target AP before check for SME-in-driver
STA needs to check AP's information after receive reassociation
response. STA uses connected AP's Beacon/Probe Response frame to compare
with Reassociation Response frame of the target AP currently. However,
if one AP supports OCV and the other AP doesn't support OCV, STA will
fail to verify RSN capability, then disconnect. Update current_bss to
the target AP before check, so that STA can compare correct AP's RSN
information in Reassociation Response frame.
P2P: Copy only valid opclasses while filtering out 6 GHz channels
Copy channels from only valid operating classes in the source channel
list while preparing a non-6 GHz channel/op-classes list when the 6 GHz
band is not used for P2P GO negotiation.
Earlier, during preparation of P2P channels for GO negotiation, a union
of the GO channels and the P2P Client channels is used. While generating
the union in p2p_channels_union_inplace() as the first list itself has
P2P_MAX_REG_CLASSES number of entries, the operating classes from the
second list which are not in the first list were not getting considered.
Fix this by not setting the dst->reg_classes to too large a value.
Fixes: f7d4f1cbec34 ("P2P: Add a mechanism for allowing 6 GHz channels in channel lists") Signed-off-by: Sreeramya Soratkal <quic_ssramya@quicinc.com>
Chaoli Zhou [Thu, 24 Mar 2022 07:19:25 +0000 (15:19 +0800)]
Extend ACL to install allow/deny list to the driver dynamically
Support installing the updated allow/deny list to the driver if it
supports ACL offload. Previously, only the not-offloaded cases were
updated dynamically.
Chaoli Zhou [Thu, 24 Mar 2022 07:19:25 +0000 (15:19 +0800)]
Add return value to ACL functions
While these do not return error code within the current hostapd
implementation, matching functions in wpa_supplicant AP functionality
will have an error case and using consistent return type will make the
control interface code more consistent.
In addition, export hostapd_set_acl() in preparation for the
wpa_supplicant control interface implementation extension.
projects / thirdparty / hostap.git / log
