From 51ec09b37e650017e0856bfdae86e58caa9ee303 Mon Sep 17 00:00:00 2001 From: Karsten Sperling <113487422+ksperling-apple@users.noreply.github.com> Date: Tue, 21 May 2024 11:22:53 +1200 Subject: [PATCH] Move PDC patches to `next` branch and prepare for moving to a later OpenWrt base version (#15) * Revert "Add an initial set of hostap patches and a hwsim-based test workflow (#13)" This feature has been moved to the 'next' branch. This reverts commit 69671d9233ddbbbf4a0703edbadaec1a965a2a5c. * Include OpenWrt version in Docker image tag --- .../workflows/build-matter-openwrt-build.yaml | 6 + .github/workflows/hostap-hwsim-tests.yaml | 152 ------ overlay/hostapd/README.md | 55 -- overlay/hostapd/patches.base | 1 - overlay/hostapd/patches.import | 39 -- ...l-tls-1.3-ciphersuites-from-openssl_.patch | 206 -------- ..._curves-support-to-wpa_supplicant-an.patch | 167 ------ ...nt-add-support-for-fallback_key_mgmt.patch | 479 ------------------ ...upport-for-wpa_unadvertised_key_mgmt.patch | 323 ------------ ...-tests-for-matter-pdc-authentication.patch | 311 ------------ 10 files changed, 6 insertions(+), 1733 deletions(-) delete mode 100644 .github/workflows/hostap-hwsim-tests.yaml delete mode 100644 overlay/hostapd/README.md delete mode 100644 overlay/hostapd/patches.base delete mode 100755 overlay/hostapd/patches.import delete mode 100644 overlay/hostapd/patches/o0001-configure-openssl-tls-1.3-ciphersuites-from-openssl_.patch delete mode 100644 overlay/hostapd/patches/o0002-add-openssl_ecdh_curves-support-to-wpa_supplicant-an.patch delete mode 100644 overlay/hostapd/patches/o0003-wpa_supplicant-add-support-for-fallback_key_mgmt.patch delete mode 100644 overlay/hostapd/patches/o0004-hostapd-add-support-for-wpa_unadvertised_key_mgmt.patch delete mode 100644 overlay/hostapd/patches/o0005-add-hwsim-tests-for-matter-pdc-authentication.patch 
diff --git a/.github/workflows/build-matter-openwrt-build.yaml b/.github/workflows/build-matter-openwrt-build.yaml
index 8705a1a..9ecfa00 100644
--- a/.github/workflows/build-matter-openwrt-build.yaml
+++ b/.github/workflows/build-matter-openwrt-build.yaml
@@ -24,12 +24,18 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v2
 
+ - name: Prepare meta-data
+ id: prepare
+ shell: bash
+ run: grep '^ARG OPENWRT_VERSION=' .containers/matter-openwrt-build/Dockerfile | cut -c 5- | tee -a "$GITHUB_OUTPUT"
+
 - name: Build and push
 uses: elgohr/Publish-Docker-Github-Action@v5
 with:
 name: project-chip/matter-openwrt-build
 context: .containers/matter-openwrt-build
 registry: ghcr.io
+ tags: "latest,${{ steps.prepare.outputs.OPENWRT_VERSION }}"
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 no_push: ${{ github.repository_owner != 'project-chip' || github.event_name != 'push' || github.event.ref != 'refs/heads/main' }}
diff --git a/.github/workflows/hostap-hwsim-tests.yaml b/.github/workflows/hostap-hwsim-tests.yaml
deleted file mode 100644
index 91568cc..0000000
--- a/.github/workflows/hostap-hwsim-tests.yaml
+++ /dev/null
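Review bot: The `run:` line of the new `Prepare meta-data` step copies whatever follows `ARG OPENWRT_VERSION=` in the Dockerfile verbatim into the `tags:` input, so a quoted value, trailing whitespace or a trailing comment on that `ARG` line produces a malformed or unexpected image tag, and a missing `ARG` line only fails the step because `shell: bash` happens to enable `pipefail`, which nothing in the step makes explicit. I would extract the value explicitly, strip quotes, and validate it against the characters Docker accepts in a tag before writing it to `$GITHUB_OUTPUT`, as in the step body below. Separately, the `<version>` tag is mutable: every push to `main` with an unchanged `OPENWRT_VERSION` silently overwrites the previously published image under that tag, which is worth stating on the `tags:` line, e.g. `# version tag is re-pushed on every main build; consumers needing a fixed image should pin by digest`. The enclosing job definition starts before this hunk.
```yaml
      - name: Prepare meta-data
        id: prepare
        shell: bash
        run: |
          version="$(sed -n 's/^ARG OPENWRT_VERSION=//p' .containers/matter-openwrt-build/Dockerfile | head -n1 | tr -d '"')"
          [[ "$version" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "Unusable OPENWRT_VERSION '$version' in Dockerfile" >&2; exit 1; }
          echo "OPENWRT_VERSION=$version" >>"$GITHUB_OUTPUT"
      # … unchanged: Build and push step …
```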
@@ -1,152 +0,0 @@ -name: hostap hwsim tests - -on: - pull_request: - push: - -jobs: - hostap-hwsim-tests: - # This job builds hostap with the patches from this repository, and then runs a sub-set of the - # hostap hwsim test suite. Note that this is not exactly identical to building the hostapd - # package within OpenWrt, since the patches carried by OpenWrt itself are not included here. - # - # The tests rely on the mac80211_hwsim Linux kernel module to simulate a Wi-Fi network. Because - # this module is not available for the kernel used by the GitHub-hosted Ubuntu runner, the test - # is executed in a nested qemu vm running a generic Ubuntu kernel. - runs-on: ubuntu-latest - timeout-minutes: 30 - steps: - - name: Install dependencies - run: | - sudo apt-get install -y --no-install-recommends \ - binutils-dev libiberty-dev libnl-genl-3-dev libnl-route-3-dev libpcap-dev libsqlite3-dev libssl-dev \ - bridge-utils net-tools openssl psmisc python3 - sudo pip3 install pycryptodome pyrad # deb versions don't work - - - name: Prepare qemu - run: | - KERNEL="$(apt-cache depends linux-image-generic | grep -o 'linux-image-.*-generic')" - KERNEL="${KERNEL#linux-image-}" - KERNEL="${KERNEL%-generic}" - echo ">>> Selecting linux-image-generic $KERNEL for qemu" - - ### Disable kernel post-install hooks - sudo mv /etc/kernel/postinst.d /etc/kernel/postinst.d.disabled - sudo install -m 0644 /dev/stdin /etc/kernel-img.conf <<'END' - do_symlinks=no - do_bootloader=no - END - - ### Install qemu and generic kernel - sudo apt-get install -y --no-install-recommends \ - initramfs-tools-core qemu-system-x86 \ - "linux-image-$KERNEL-generic" "linux-modules-extra-$KERNEL-generic" - KERNEL_IMAGE="$(dpkg -L "linux-image-$KERNEL-generic" | grep /vmlinuz-)" - KERNEL_RELEASE="${KERNEL_IMAGE#*/vmlinuz-}" # can have a suffix e.g. 
"-amd64" - sudo chmod a+r "$KERNEL_IMAGE" - - ### Prepare initramfs - echo ">>> Creating minimal initramfs for kernel $KERNEL_RELEASE" - INITRAMFS="$(mktemp -d)" - install -d "${INITRAMFS}/scripts" - install -m 0644 /dev/stdin "${INITRAMFS}/initramfs.conf" <<'END' - MODULES=list - BUSYBOX=n - KEYMAP=n - RESUME=none - FSTYPE=virtiofs - COMPRESS=gzip - END - install -m 0644 /dev/stdin "${INITRAMFS}/modules" <<'END' - virtiofs - virtio_pci - virtio_rng - END - sudo mkinitramfs -d "${INITRAMFS}" -o "${INITRAMFS}/initramfs.gz" "$KERNEL_RELEASE" - - ### Create qemu-run script for use by later steps - install /dev/stdin qemu-run </proc/sys/kernel/hostname; cd %q; echo ===>&2 - trap "echo \\\$?>%q/rc; echo ===>&2; echo o>/proc/sysrq-trigger; sleep 999" exit - ' "\$HOSTNAME" "\$PWD" "\$JOB"; cat; } | install /dev/stdin "\${JOB}/run" - # run qemu (memory: 80% of host, root fs: is entire host fs via virtiofsd) - MEM="\$(awk '/^MemTotal:/{print int(\$2/1024*0.8)}' /dev/null || echo "Failed to read job exit code" - rm -rf -- "\$JOB" - exit "\${REPLY:-127}" - END - - - name: Checkout - uses: actions/checkout@v3 - with: - path: matter - - - name: Determine hostap base revision - run: echo "hostap_ref=$(cat matter/overlay/hostapd/patches.base)" >>"$GITHUB_ENV" - - - name: Checkout hostap - uses: actions/checkout@v3 - with: - path: hostap - github-server-url: https://w1.fi/ - repository: ./hostap.git - ref: ${{ env.hostap_ref }} - fetch-depth: 0 # server does not support fetching unadvertised commits - token: anonymous # don't send our github token - - - name: Patch - run: | - for patch in "matter/overlay/hostapd/patches"/*.patch; do - echo "Applying $(basename "$patch")" - patch -d hostap -p1 <"$patch" - done - - - name: Build - run: | - for module in hostapd wpa_supplicant; do - cp "hostap/tests/hwsim/example-$module.config" "hostap/$module/.config" - CFLAGS=-Wno-deprecated-declarations make -j "$(nproc)" -C "hostap/$module" - done - make -j "$(nproc)" -C hostap/wlantest - - - 
name: Test - id: test - timeout-minutes: 15 - run: | - ./qemu-run <<'END' - cd hostap/tests/hwsim - ./run-all.sh 'matter_*' - END - - - name: Fix log permissions - if: always() - run: | - sudo chmod -R a+r hostap/tests/hwsim/logs || true - sudo rm -f hostap/tests/hwsim/logs/current # zip follows symlinks - - - name: Upload test logs - if: always() - uses: actions/upload-artifact@v3 - with: - name: test-logs - path: hostap/tests/hwsim/logs diff --git a/overlay/hostapd/README.md b/overlay/hostapd/README.md deleted file mode 100644 index 9a02777..0000000 --- a/overlay/hostapd/README.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# Matter hostap patches - -This overlay augments the hostapd package with a patch set that implements Matter PDC authentication. This is currently a proof-of-concept only, and as such has various limitations. In particular, only a single client certificate can be configured on the hostapd side. - -### Access Point Configuration - -The following settings can be added to a network configured for WPA2 or WPA3 Personal mode to enable PDC authentication: - -`hostapd.conf` - -``` -wpa_pairwise=CCMP -wpa_unadvertised_key_mgmt=WPA-EAP-SHA256 -vendor_elements=dd064a191b010100 -ieee80211w=1 -ieee8021x=1 -eap_server=1 -eap_user_file=/path/to/eap-users.conf -tls_flags=[DISABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][ENABLE-TLSv1.3] -openssl_ciphers=TLS_AES_128_CCM_SHA256 -openssl_ecdh_curves=P-256 -server_cert=/path/to/network.cert -private_key=/path/to/network.key -ca_cert=/path/to/client.cert -``` - -`eap-users.conf` - -``` -"@pdc.csa-iot.org" TLS -``` - -### Client Configuration - -`wpa_supplicant.conf` - -``` -network={ - ssid="My Home" - key_mgmt=WPA-EAP-SHA256 - fallback_key_mgmt=WPA-EAP-SHA256 - pairwise=CCMP - group=CCMP - ieee80211w=2 - eap=TLS - eap_workaround=0 - identity="@pdc.csa-iot.org" - phase1="tls_disable_tlsv1_0=1,tls_disable_tlsv1_1=1,tls_disable_tlsv1_2=1,tls_disable_tlsv1_3=0" - openssl_ciphers="TLS_AES_128_CCM_SHA256" - openssl_ecdh_curves="P-256" - ca_cert="/path/to/network.cert" - client_cert="/path/to/client.cert" - private_key="/path/to/client.key" -} -``` diff --git a/overlay/hostapd/patches.base b/overlay/hostapd/patches.base deleted file mode 100644 index fd90171..0000000 --- a/overlay/hostapd/patches.base +++ /dev/null @@ -1 +0,0 @@ -cff80b4f7d3c0a47c052e8187d671710f48939e4 diff --git a/overlay/hostapd/patches.import b/overlay/hostapd/patches.import deleted file mode 100755 index f976341..0000000 --- a/overlay/hostapd/patches.import +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/bash -e - -# Copyright (c) 2023 Project CHIP Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Maintainer script to generate the patch series from a hostap WC -if ! [[ -d "$1/.git" ]]; then - echo "Usage: $0 HOSTAP-WC [BRANCH]" >&2 - exit 1 -fi - -pkgdir="$(cd "$(dirname "$0")" && pwd)" - -# Get the base hash for the tag 'matter-base' and export a patch -# set starting from that tag to the specified branch (or HEAD). -base="$(git -C "$1" rev-parse matter-base)" -echo "$base" >"$pkgdir/patches.base" -git -C "$1" format-patch --output-directory "$pkgdir/patches" --quiet --no-numbered "${base}..${2:-HEAD}" - -# Prefix patch file names with "o" (for overlay) so they sort after other patches -cd "$pkgdir/patches" -shopt -s nullglob -rm -f -- o*.patch -for src in *.patch; do - dst="$(echo "o${src}" | tr "[:upper:]" "[:lower:]")" - mv "$src" "$dst" - echo "$dst" -done diff --git a/overlay/hostapd/patches/o0001-configure-openssl-tls-1.3-ciphersuites-from-openssl_.patch b/overlay/hostapd/patches/o0001-configure-openssl-tls-1.3-ciphersuites-from-openssl_.patch deleted file mode 100644 index 5204e18..0000000 --- a/overlay/hostapd/patches/o0001-configure-openssl-tls-1.3-ciphersuites-from-openssl_.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -From eaeaaf35c52740d072689de99f0c2305b846623e Mon Sep 17 00:00:00 2001 -From: Karsten Sperling -Date: Tue, 21 Mar 2023 23:15:53 +1300 -Subject: [PATCH] Configure OpenSSL TLS 1.3 ciphersuites from openssl_ciphers - -OpenSSL has separated out TLS 1.3 ciphersuites from ciphers for TLS -versions <=1.2, whereas other implementations (e.g. WolfSSL, BoringSSL) -use a single parameter. This change adds support for configuring TLS1.3 -ciphersuites in OpenSSL in the same way as those other implementations. - -This is done by separating the combined list into TLS 1.3 ciphersuites -(they all start with "TLS_"), and legacy (pre-1.3) ciphers. If the list -contains no TLS 1.3 ciphersuites, the default suites are left untouched -(matching current / desired behavior). If the list contains no legacy -ciphers then that list is explicitly cleared. This allows for TLS -1.3-only configurations. - ---- - -Copyright (c) 2023 Project CHIP Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. 
---- - src/crypto/tls_openssl.c | 114 ++++++++++++++++++++++++++++++++++++--- - 1 file changed, 108 insertions(+), 6 deletions(-) - -diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c -index c9e00b3af..34df7a087 100644 ---- a/src/crypto/tls_openssl.c -+++ b/src/crypto/tls_openssl.c -@@ -111,6 +111,108 @@ static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, - - #endif - -+ -+#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(OPENSSL_IS_BORINGSSL) -+/* -+ * OpenSSL has separated out TLS 1.3 ciphersuites from ciphers for TLS versions -+ * <=1.2, whereas other implementations (e.g. WolfSSL) use a single parameter. -+ * -+ * Provide a shim that separates the combined list into TLS 1.3 ciphersuites -+ * (they all start with "TLS_"), and pre-1.3 ciphers. If the list contains no -+ * TLS 1.3 ciphersuites, the default suites are left untouched (matching -+ * current / desired behavior), but if there are no pre-1.3 ciphers that list -+ * is explicitly cleared. This allows for TLS 1.3-only configurations. -+ */ -+static int _set_cipher_list_and_suites(void *ssl, char const *combined, -+ int (*set_cipher_list)(void *, char const *), -+ int (*set_ciphersuites)(void *, char const *)) -+{ -+ int success = 1; -+ char *ciphers = NULL, *ciphers_end; -+ char *suites = NULL, *suites_end; -+ int len = os_strlen(combined); -+ char const *combined_end = combined + len; -+ -+ ciphers = os_malloc(len); -+ suites = os_malloc(len); -+ if (!ciphers || !suites) { -+ success = 0; -+ goto done; -+ } -+ -+ ciphers_end = ciphers; -+ suites_end = suites; -+ while (combined < combined_end) { -+ char const *sep = os_strchr(combined, ':'); -+ len = (sep ? 
sep : combined_end) - combined; -+ if (os_strncmp(combined, "TLS_", 4) == 0) { -+ os_memcpy(suites_end, combined, len); -+ suites_end += len; -+ *suites_end++ = ':'; -+ } else { -+ os_memcpy(ciphers_end, combined, len); -+ ciphers_end += len; -+ *ciphers_end++ = ':'; -+ } -+ combined += len + 1; -+ } -+ -+ if (ciphers_end > ciphers) { -+ *--ciphers_end = '\0'; -+ wpa_printf(MSG_DEBUG, -+ "OpenSSL: setting cipher_list '%s'", -+ ciphers); -+ success = set_cipher_list(ssl, ciphers); -+ } else { -+ wpa_printf(MSG_DEBUG, "OpenSSL: clearing cipher_list"); -+ if (!set_cipher_list(ssl, "")) { -+ unsigned long err = ERR_peek_error(); -+ if (ERR_GET_LIB(err) == ERR_LIB_SSL && ERR_GET_REASON(err) == SSL_R_NO_CIPHER_MATCH) { -+ ERR_get_error(); /* consume the error */ -+ } else { -+ success = 0; -+ goto done; -+ } -+ } -+ } -+ -+ if (success && suites_end > suites) { -+ *--suites_end = '\0'; -+ wpa_printf(MSG_DEBUG, -+ "OpenSSL: setting ciphersuites '%s'", -+ suites); -+ success = set_ciphersuites(ssl, suites); -+ } -+ -+done: -+ os_free(ciphers); -+ os_free(suites); -+ return success; -+} -+ -+static inline int SSL_CTX_set_cipher_list_and_ciphersuites(SSL_CTX *ctx, -+ const char *combined) -+{ -+ return _set_cipher_list_and_suites(ctx, combined, -+ (int (*)(void *, char const *))SSL_CTX_set_cipher_list, -+ (int (*)(void *, char const *))SSL_CTX_set_ciphersuites); -+} -+ -+static inline int SSL_set_cipher_list_and_ciphersuites(SSL *ssl, -+ const char *combined) -+{ -+ return _set_cipher_list_and_suites(ssl, combined, -+ (int (*)(void *, char const *))SSL_set_cipher_list, -+ (int (*)(void *, char const *))SSL_set_ciphersuites); -+} -+#else /* >= 1.1.1 and !OPENSSL_IS_BORINGSSL */ -+#define SSL_CTX_set_cipher_list_and_ciphersuites(ctx, ciphers) \ -+ SSL_CTX_set_cipher_list(ctx, ciphers) -+#define SSL_set_cipher_list_and_ciphersuites(ssl, ciphers) \ -+ SSL_set_cipher_list(ssl, ciphers) -+#endif /* >= 1.1.1 and !OPENSSL_IS_BORINGSSL */ -+ -+ - #if OPENSSL_VERSION_NUMBER < 
0x10100000L || \ - (defined(LIBRESSL_VERSION_NUMBER) && \ - LIBRESSL_VERSION_NUMBER < 0x20700000L) -@@ -1104,7 +1206,7 @@ void * tls_init(const struct tls_config *conf) - ciphers = conf->openssl_ciphers; - else - ciphers = TLS_DEFAULT_CIPHERS; -- if (SSL_CTX_set_cipher_list(ssl, ciphers) != 1) { -+ if (SSL_CTX_set_cipher_list_and_ciphersuites(ssl, ciphers) != 1) { - wpa_printf(MSG_ERROR, - "OpenSSL: Failed to set cipher string '%s'", - ciphers); -@@ -3075,7 +3177,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, - openssl_ciphers); - ciphers = openssl_ciphers; - } -- if (SSL_set_cipher_list(ssl, ciphers) != 1) { -+ if (SSL_set_cipher_list_and_ciphersuites(ssl, ciphers) != 1) { - wpa_printf(MSG_INFO, - "OpenSSL: Failed to set Suite B ciphers"); - return -1; -@@ -3147,7 +3249,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, - } - #else /* OPENSSL_IS_BORINGSSL */ - if (!(flags & (TLS_CONN_SUITEB | TLS_CONN_SUITEB_NO_ECDH)) && -- openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) { -+ openssl_ciphers && SSL_set_cipher_list_and_ciphersuites(ssl, openssl_ciphers) != 1) { - wpa_printf(MSG_INFO, - "OpenSSL: Failed to set openssl_ciphers '%s'", - openssl_ciphers); -@@ -3155,7 +3257,7 @@ static int tls_set_conn_flags(struct tls_connection *conn, unsigned int flags, - } - #endif /* OPENSSL_IS_BORINGSSL */ - #else /* CONFIG_SUITEB */ -- if (openssl_ciphers && SSL_set_cipher_list(ssl, openssl_ciphers) != 1) { -+ if (openssl_ciphers && SSL_set_cipher_list_and_ciphersuites(ssl, openssl_ciphers) != 1) { - wpa_printf(MSG_INFO, - "OpenSSL: Failed to set openssl_ciphers '%s'", - openssl_ciphers); -@@ -5241,7 +5343,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, - } - #endif /* OPENSSL_IS_BORINGSSL */ - #endif /* CONFIG_SUITEB */ -- if (ciphers && SSL_set_cipher_list(conn->ssl, ciphers) != 1) { -+ if (ciphers && SSL_set_cipher_list_and_ciphersuites(conn->ssl, ciphers) != 
1) { - wpa_printf(MSG_INFO, - "OpenSSL: Failed to set cipher string '%s'", - ciphers); -@@ -5464,7 +5566,7 @@ int tls_global_set_params(void *tls_ctx, - } - - if (params->openssl_ciphers && -- SSL_CTX_set_cipher_list(ssl_ctx, params->openssl_ciphers) != 1) { -+ SSL_CTX_set_cipher_list_and_ciphersuites(ssl_ctx, params->openssl_ciphers) != 1) { - wpa_printf(MSG_INFO, - "OpenSSL: Failed to set cipher string '%s'", - params->openssl_ciphers); --- -2.40.1 - diff --git a/overlay/hostapd/patches/o0002-add-openssl_ecdh_curves-support-to-wpa_supplicant-an.patch b/overlay/hostapd/patches/o0002-add-openssl_ecdh_curves-support-to-wpa_supplicant-an.patch deleted file mode 100644 index 90734cb..0000000 --- a/overlay/hostapd/patches/o0002-add-openssl_ecdh_curves-support-to-wpa_supplicant-an.patch +++ /dev/null 
@@ -1,167 +0,0 @@ -From 606216e5e65931fb3d36c90139d44edebbd329b2 Mon Sep 17 00:00:00 2001 -From: Karsten Sperling -Date: Wed, 22 Mar 2023 10:58:42 +1300 -Subject: [PATCH] Add openssl_ecdh_curves support to wpa_supplicant and WolfSSL - -Add a openssl_ecdh_curves configuration option to wpa_supplicant (hostapd -already has this option). Also add support for it in the WolfSSL backend. - ---- - -Copyright (c) 2023 Project CHIP Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. ---- - src/crypto/tls_wolfssl.c | 11 +++++++++++ - src/eap_peer/eap_config.h | 8 ++++++++ - src/eap_peer/eap_tls_common.c | 1 + - wpa_supplicant/config.c | 2 ++ - wpa_supplicant/config.h | 9 +++++++++ - wpa_supplicant/config_file.c | 3 +++ - wpa_supplicant/wpa_cli.c | 3 ++- - 7 files changed, 36 insertions(+), 1 deletion(-) - -diff --git a/src/crypto/tls_wolfssl.c b/src/crypto/tls_wolfssl.c -index cf482bfc3..7bb0f97d6 100644 ---- a/src/crypto/tls_wolfssl.c -+++ b/src/crypto/tls_wolfssl.c -@@ -1549,9 +1549,20 @@ int tls_global_set_params(void *tls_ctx, - } - - if (params->openssl_ecdh_curves) { -+#if LIBWOLFSSL_VERSION_HEX >= 0x04004000 -+ if (wolfSSL_CTX_set1_groups_list(tls_ctx, -+ /* should take a const char* ... 
*/ -+ (char *)params->openssl_ecdh_curves) != 1) { -+ wpa_printf(MSG_INFO, -+ "wolfSSL: Failed to set ecdh curves (groups) '%s'", -+ params->openssl_ecdh_curves); -+ return -1; -+ } -+#else - wpa_printf(MSG_INFO, - "wolfSSL: openssl_ecdh_curves not supported"); - return -1; -+#endif /* LIBWOLFSSL_VERSION_HEX >= 0x04004000 */ - } - - #ifdef HAVE_SESSION_TICKET -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h -index 3238f74f9..827790f3a 100644 ---- a/src/eap_peer/eap_config.h -+++ b/src/eap_peer/eap_config.h -@@ -684,6 +684,14 @@ struct eap_peer_config { - */ - char *openssl_ciphers; - -+ /** -+ * openssl_ecdh_curves - OpenSSL ECDH curves / groups string -+ * -+ * Configures the ECDH curves / groups for this connection. -+ * Not all TLS backends support this option. -+ */ -+ char *openssl_ecdh_curves; -+ - /** - * erp - Whether EAP Re-authentication Protocol (ERP) is enabled - */ -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c -index c1837db06..4ed7b0ef1 100644 ---- a/src/eap_peer/eap_tls_common.c -+++ b/src/eap_peer/eap_tls_common.c -@@ -236,6 +236,7 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, - } - - params->openssl_ciphers = config->openssl_ciphers; -+ params->openssl_ecdh_curves = config->openssl_ecdh_curves; - - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); - -diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c -index bf062b079..b33624636 100644 ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -2507,6 +2507,7 @@ static const struct parse_data ssid_fields[] = { - { INT(eapol_flags) }, - { INTe(sim_num, sim_num) }, - { STRe(openssl_ciphers, openssl_ciphers) }, -+ { STRe(openssl_ecdh_curves, openssl_ecdh_curves) }, - { INTe(erp, erp) }, - #endif /* IEEE8021X_EAPOL */ - #ifdef CONFIG_WEP -@@ -2789,6 +2790,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap) - bin_clear_free(eap->new_password, eap->new_password_len); - 
str_clear_free(eap->external_sim_resp); - os_free(eap->openssl_ciphers); -+ os_free(eap->openssl_ecdh_curves); - } - - #endif /* IEEE8021X_EAPOL */ -diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h -index d22ef05fb..ed0bf27a0 100644 ---- a/wpa_supplicant/config.h -+++ b/wpa_supplicant/config.h -@@ -615,6 +615,15 @@ struct wpa_config { - */ - char *openssl_ciphers; - -+ /** -+ * openssl_ecdh_curves - OpenSSL ECDH curves / groups string -+ * -+ * Configures the ECDH curves for the EAP-TLS/TTLS/PEAP/FAST client. -+ * This is a colon separated list of the supported curves (e.g. -+ * "P-521:P-384:P-256"). Not all TLS backends support this option. -+ */ -+ char *openssl_ecdh_curves; -+ - /** - * pcsc_reader - PC/SC reader name prefix - * -diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c -index 6db5010db..6e6e8a9e1 100644 ---- a/wpa_supplicant/config_file.c -+++ b/wpa_supplicant/config_file.c -@@ -746,6 +746,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) - INTe(machine_engine, machine_cert.engine); - INT_DEF(eapol_flags, DEFAULT_EAPOL_FLAGS); - STR(openssl_ciphers); -+ STR(openssl_ecdh_curves); - INTe(erp, erp); - #endif /* IEEE8021X_EAPOL */ - #ifdef CONFIG_WEP -@@ -1103,6 +1104,8 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config) - config->pkcs11_module_path); - if (config->openssl_ciphers) - fprintf(f, "openssl_ciphers=%s\n", config->openssl_ciphers); -+ if (config->openssl_ecdh_curves) -+ fprintf(f, "openssl_ecdh_curves=%s\n", config->openssl_ecdh_curves); - if (config->pcsc_reader) - fprintf(f, "pcsc_reader=%s\n", config->pcsc_reader); - if (config->pcsc_pin) -diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c -index 033589f76..2d4b174c4 100644 ---- a/wpa_supplicant/wpa_cli.c -+++ b/wpa_supplicant/wpa_cli.c -@@ -453,7 +453,8 @@ static char ** wpa_cli_complete_set(const char *str, int pos) - "dot11RSNASAERetransPeriod", - #endif /* CONFIG_MESH */ - 
"disable_scan_offload", "fast_reauth", "opensc_engine_path", -- "pkcs11_engine_path", "pkcs11_module_path", "openssl_ciphers", -+ "pkcs11_engine_path", "pkcs11_module_path", -+ "openssl_ciphers", "openssl_ecdh_curves", - "pcsc_reader", "pcsc_pin", "external_sim", "driver_param", - "dot11RSNAConfigPMKLifetime", - "dot11RSNAConfigPMKReauthThreshold", --- -2.40.1 - diff --git a/overlay/hostapd/patches/o0003-wpa_supplicant-add-support-for-fallback_key_mgmt.patch b/overlay/hostapd/patches/o0003-wpa_supplicant-add-support-for-fallback_key_mgmt.patch deleted file mode 100644 index a5c137f..0000000 --- a/overlay/hostapd/patches/o0003-wpa_supplicant-add-support-for-fallback_key_mgmt.patch +++ /dev/null 
@@ -1,479 +0,0 @@ -From 11bf4c1be79b57ac9e14a0c03546764e9be531d9 Mon Sep 17 00:00:00 2001 -From: Karsten Sperling -Date: Thu, 9 Mar 2023 21:38:30 +1300 -Subject: [PATCH] wpa_supplicant: Add support for fallback_key_mgmt - -When set and a given BSS is not advertising any of the AKMs configured in -key_mgmt, fall back to the AKM from this setting and attempt to associated -anyway. - ---- - -Copyright (c) 2023 Project CHIP Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. ---- - wpa_supplicant/config.c | 109 +++++++++++++++++++++-------- - wpa_supplicant/config_file.c | 8 +++ - wpa_supplicant/config_ssid.h | 9 +++ - wpa_supplicant/events.c | 2 +- - wpa_supplicant/wpa_cli.c | 2 +- - wpa_supplicant/wpa_supplicant.c | 9 ++- - wpa_supplicant/wpa_supplicant.conf | 4 ++ - 7 files changed, 108 insertions(+), 35 deletions(-) - -diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c -index b33624636..1ea51f81b 100644 ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -750,10 +750,9 @@ static char * wpa_config_write_proto(const struct parse_data *data, - } - #endif /* NO_CONFIG_WRITE */ - -- --static int wpa_config_parse_key_mgmt(const struct parse_data *data, -- struct wpa_ssid *ssid, int line, -- const char *value) -+static int wpa_config_parse_key_mgmt_value(const struct parse_data *data, -+ int *key_mgmt, int single, int line, -+ const char *value) - { - int val = 0, last, errors = 0; - char *start, *end, *buf; -@@ -773,6 +772,11 @@ static int 
wpa_config_parse_key_mgmt(const struct parse_data *data, - end++; - last = *end == '\0'; - *end = '\0'; -+ if (single && val) { -+ wpa_printf(MSG_ERROR, "Line %d: more than one %s", -+ line, data->name); -+ errors++; -+ } - if (os_strcmp(start, "WPA-PSK") == 0) - val |= WPA_KEY_MGMT_PSK; - else if (os_strcmp(start, "WPA-EAP") == 0) -@@ -840,8 +844,8 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data, - val |= WPA_KEY_MGMT_DPP; - #endif /* CONFIG_DPP */ - else { -- wpa_printf(MSG_ERROR, "Line %d: invalid key_mgmt '%s'", -- line, start); -+ wpa_printf(MSG_ERROR, "Line %d: invalid %s '%s'", -+ line, data->name, start); - errors++; - } - -@@ -851,6 +855,18 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data, - } - os_free(buf); - -+ *key_mgmt = val; -+ return errors; -+} -+ -+static int wpa_config_parse_key_mgmt(const struct parse_data *data, -+ struct wpa_ssid *ssid, int line, -+ const char *value) -+{ -+ int val; -+ int errors = wpa_config_parse_key_mgmt_value(data, &val, 0, -+ line, value); -+ - if (val == 0) { - wpa_printf(MSG_ERROR, - "Line %d: no key_mgmt values configured.", line); -@@ -861,13 +877,33 @@ static int wpa_config_parse_key_mgmt(const struct parse_data *data, - return 1; - wpa_printf(MSG_MSGDUMP, "key_mgmt: 0x%x", val); - ssid->key_mgmt = val; -+ ssid->fallback_key_mgmt &= val; - return errors ? -1 : 0; - } - -+static int wpa_config_parse_fallback_key_mgmt(const struct parse_data *data, -+ struct wpa_ssid *ssid, int line, -+ const char *value) -+{ -+ int val; -+ int errors = wpa_config_parse_key_mgmt_value(data, &val, 1, -+ line, value); -+ -+ if (val & ~ssid->key_mgmt) { -+ wpa_printf(MSG_ERROR, -+ "Line %d: fallback_key_mgmt value must be listed in key_mgmt", line); -+ errors++; -+ } -+ -+ if (!errors && ssid->fallback_key_mgmt == val) -+ return 1; -+ wpa_printf(MSG_MSGDUMP, "fallback_key_mgmt: 0x%x", val); -+ ssid->fallback_key_mgmt = val; -+ return errors ? 
-1 : 0; -+} - - #ifndef NO_CONFIG_WRITE --static char * wpa_config_write_key_mgmt(const struct parse_data *data, -- struct wpa_ssid *ssid) -+static char * wpa_config_write_key_mgmt_value(int key_mgmt) - { - char *buf, *pos, *end; - int ret; -@@ -877,7 +913,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - return NULL; - end = buf + 100; - -- if (ssid->key_mgmt & WPA_KEY_MGMT_PSK) { -+ if (key_mgmt & WPA_KEY_MGMT_PSK) { - ret = os_snprintf(pos, end - pos, "%sWPA-PSK", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -887,7 +923,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - -- if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X) { - ret = os_snprintf(pos, end - pos, "%sWPA-EAP", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -897,7 +933,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - -- if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_NO_WPA) { - ret = os_snprintf(pos, end - pos, "%sIEEE8021X", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -907,7 +943,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - -- if (ssid->key_mgmt & WPA_KEY_MGMT_NONE) { -+ if (key_mgmt & WPA_KEY_MGMT_NONE) { - ret = os_snprintf(pos, end - pos, "%sNONE", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -917,7 +953,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - -- if (ssid->key_mgmt & WPA_KEY_MGMT_WPA_NONE) { -+ if (key_mgmt & WPA_KEY_MGMT_WPA_NONE) { - ret = os_snprintf(pos, end - pos, "%sWPA-NONE", - pos == buf ? 
"" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -928,7 +964,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - } - - #ifdef CONFIG_IEEE80211R -- if (ssid->key_mgmt & WPA_KEY_MGMT_FT_PSK) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_PSK) { - ret = os_snprintf(pos, end - pos, "%sFT-PSK", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -938,7 +974,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - -- if (ssid->key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) { - ret = os_snprintf(pos, end - pos, "%sFT-EAP", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -949,7 +985,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - } - - #ifdef CONFIG_SHA384 -- if (ssid->key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) { - ret = os_snprintf(pos, end - pos, "%sFT-EAP-SHA384", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -961,7 +997,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_SHA384 */ - #endif /* CONFIG_IEEE80211R */ - -- if (ssid->key_mgmt & WPA_KEY_MGMT_PSK_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_PSK_SHA256) { - ret = os_snprintf(pos, end - pos, "%sWPA-PSK-SHA256", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -971,7 +1007,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - -- if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { - ret = os_snprintf(pos, end - pos, "%sWPA-EAP-SHA256", - pos == buf ? 
"" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -982,7 +1018,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - } - - #ifdef CONFIG_WPS -- if (ssid->key_mgmt & WPA_KEY_MGMT_WPS) { -+ if (key_mgmt & WPA_KEY_MGMT_WPS) { - ret = os_snprintf(pos, end - pos, "%sWPS", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -994,7 +1030,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_WPS */ - - #ifdef CONFIG_SAE -- if (ssid->key_mgmt & WPA_KEY_MGMT_SAE) { -+ if (key_mgmt & WPA_KEY_MGMT_SAE) { - ret = os_snprintf(pos, end - pos, "%sSAE", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1004,7 +1040,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - -- if (ssid->key_mgmt & WPA_KEY_MGMT_FT_SAE) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_SAE) { - ret = os_snprintf(pos, end - pos, "%sFT-SAE", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1016,7 +1052,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_SAE */ - - #ifdef CONFIG_HS20 -- if (ssid->key_mgmt & WPA_KEY_MGMT_OSEN) { -+ if (key_mgmt & WPA_KEY_MGMT_OSEN) { - ret = os_snprintf(pos, end - pos, "%sOSEN", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1028,7 +1064,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_HS20 */ - - #ifdef CONFIG_SUITEB -- if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { - ret = os_snprintf(pos, end - pos, "%sWPA-EAP-SUITE-B", - pos == buf ? 
"" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1040,7 +1076,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_SUITEB */ - - #ifdef CONFIG_SUITEB192 -- if (ssid->key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { - ret = os_snprintf(pos, end - pos, "%sWPA-EAP-SUITE-B-192", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1052,7 +1088,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_SUITEB192 */ - - #ifdef CONFIG_FILS -- if (ssid->key_mgmt & WPA_KEY_MGMT_FILS_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_FILS_SHA256) { - ret = os_snprintf(pos, end - pos, "%sFILS-SHA256", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1061,7 +1097,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - } - pos += ret; - } -- if (ssid->key_mgmt & WPA_KEY_MGMT_FILS_SHA384) { -+ if (key_mgmt & WPA_KEY_MGMT_FILS_SHA384) { - ret = os_snprintf(pos, end - pos, "%sFILS-SHA384", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1071,7 +1107,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - pos += ret; - } - #ifdef CONFIG_IEEE80211R -- if (ssid->key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) { - ret = os_snprintf(pos, end - pos, "%sFT-FILS-SHA256", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1080,7 +1116,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - } - pos += ret; - } -- if (ssid->key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) { - ret = os_snprintf(pos, end - pos, "%sFT-FILS-SHA384", - pos == buf ? 
"" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1093,7 +1129,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_FILS */ - - #ifdef CONFIG_DPP -- if (ssid->key_mgmt & WPA_KEY_MGMT_DPP) { -+ if (key_mgmt & WPA_KEY_MGMT_DPP) { - ret = os_snprintf(pos, end - pos, "%sDPP", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1105,7 +1141,7 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - #endif /* CONFIG_DPP */ - - #ifdef CONFIG_OWE -- if (ssid->key_mgmt & WPA_KEY_MGMT_OWE) { -+ if (key_mgmt & WPA_KEY_MGMT_OWE) { - ret = os_snprintf(pos, end - pos, "%sOWE", - pos == buf ? "" : " "); - if (os_snprintf_error(end - pos, ret)) { -@@ -1123,6 +1159,18 @@ static char * wpa_config_write_key_mgmt(const struct parse_data *data, - - return buf; - } -+ -+static char * wpa_config_write_key_mgmt(const struct parse_data *data, -+ struct wpa_ssid *ssid) -+{ -+ return wpa_config_write_key_mgmt_value(ssid->key_mgmt); -+} -+ -+static char * wpa_config_write_fallback_key_mgmt(const struct parse_data *data, -+ struct wpa_ssid *ssid) -+{ -+ return wpa_config_write_key_mgmt_value(ssid->fallback_key_mgmt); -+} - #endif /* NO_CONFIG_WRITE */ - - -@@ -2424,6 +2472,7 @@ static const struct parse_data ssid_fields[] = { - { STR(sae_password_id) }, - { FUNC(proto) }, - { FUNC(key_mgmt) }, -+ { FUNC(fallback_key_mgmt) }, /* must be after key_mgmt */ - { INT(bg_scan_period) }, - { FUNC(pairwise) }, - { FUNC(group) }, -diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c -index 6e6e8a9e1..bf7dfc635 100644 ---- a/wpa_supplicant/config_file.c -+++ b/wpa_supplicant/config_file.c -@@ -489,6 +489,13 @@ static void write_key_mgmt(FILE *f, struct wpa_ssid *ssid) - } - - -+static void write_fallback_key_mgmt(FILE *f, struct wpa_ssid *ssid) -+{ -+ if (ssid->fallback_key_mgmt) -+ write_str(f, "fallback_key_mgmt", ssid); -+} -+ -+ - static void write_pairwise(FILE *f, struct wpa_ssid *ssid) - 
{ - char *value; -@@ -678,6 +685,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid) - write_int(f, "sae_pwe", ssid->sae_pwe, DEFAULT_SAE_PWE); - write_proto(f, ssid); - write_key_mgmt(f, ssid); -+ write_fallback_key_mgmt(f, ssid); - INT_DEF(bg_scan_period, DEFAULT_BG_SCAN_PERIOD); - write_pairwise(f, ssid); - write_group(f, ssid); -diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h -index 724534dd0..b58e24429 100644 ---- a/wpa_supplicant/config_ssid.h -+++ b/wpa_supplicant/config_ssid.h -@@ -271,6 +271,15 @@ struct wpa_ssid { - */ - int key_mgmt; - -+ /** -+ * fallback_key_mgmt - Fallback key management protocol -+ * -+ * A single WPA_KEY_MGMT_* value that is used if none of the key -+ * management protocols advertised by the AP match our key_mgmt -+ * configuration. If 0, no fallback is performed. -+ */ -+ int fallback_key_mgmt; -+ - /** - * bg_scan_period - Background scan period in seconds, 0 to disable, or - * -1 to indicate no change to default driver configuration -diff --git a/wpa_supplicant/events.c b/wpa_supplicant/events.c -index f55e1846e..50ea72110 100644 ---- a/wpa_supplicant/events.c -+++ b/wpa_supplicant/events.c -@@ -635,7 +635,7 @@ static int wpa_supplicant_ssid_bss_match(struct wpa_supplicant *wpa_s, - break; - } - -- if (!(ie.key_mgmt & ssid->key_mgmt)) { -+ if (!(ie.key_mgmt & ssid->key_mgmt) && !ssid->fallback_key_mgmt) { - if (debug_print) - wpa_dbg(wpa_s, MSG_DEBUG, - " skip RSN IE - key mgmt mismatch"); -diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c -index 2d4b174c4..82f536efe 100644 ---- a/wpa_supplicant/wpa_cli.c -+++ b/wpa_supplicant/wpa_cli.c -@@ -1412,7 +1412,7 @@ static int wpa_cli_cmd_get_network(struct wpa_ctrl *ctrl, int argc, - - static const char *network_fields[] = { - "ssid", "scan_ssid", "bssid", "bssid_ignore", -- "bssid_accept", "psk", "proto", "key_mgmt", -+ "bssid_accept", "psk", "proto", "key_mgmt", "fallback_key_mgmt", - "bg_scan_period", "pairwise", "group", 
"auth_alg", "scan_freq", - "freq_list", "max_oper_chwidth", "ht40", "vht", "vht_center_freq1", - "vht_center_freq2", "ht", "edmg", -diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c -index d37a994f9..77d9abae5 100644 ---- a/wpa_supplicant/wpa_supplicant.c -+++ b/wpa_supplicant/wpa_supplicant.c -@@ -1372,7 +1372,7 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, - if (bss_rsn && (ssid->proto & WPA_PROTO_RSN) && - wpa_parse_wpa_ie(bss_rsn, 2 + bss_rsn[1], &ie) == 0 && - matching_ciphers(ssid, &ie, bss->freq) && -- (ie.key_mgmt & ssid->key_mgmt)) { -+ ((ie.key_mgmt & ssid->key_mgmt) || ssid->fallback_key_mgmt)) { - wpa_dbg(wpa_s, MSG_DEBUG, "RSN: using IEEE 802.11i/D9.0"); - proto = WPA_PROTO_RSN; - } else if (bss_wpa && (ssid->proto & WPA_PROTO_WPA) && -@@ -1536,6 +1536,9 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, - #endif /* CONFIG_NO_WPA */ - - sel = ie.key_mgmt & ssid->key_mgmt; -+ if (!sel) { -+ sel = ssid->fallback_key_mgmt; -+ } - #ifdef CONFIG_SAE - if (!(wpa_s->drv_flags & WPA_DRIVER_FLAGS_SAE)) - sel &= ~(WPA_KEY_MGMT_SAE | WPA_KEY_MGMT_FT_SAE); -@@ -1546,8 +1549,8 @@ int wpa_supplicant_set_suites(struct wpa_supplicant *wpa_s, - sel &= ~WPA_KEY_MGMT_FT; - #endif /* CONFIG_IEEE80211R */ - wpa_dbg(wpa_s, MSG_DEBUG, -- "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x; available key_mgmt 0x%x", -- ie.key_mgmt, ssid->key_mgmt, sel); -+ "WPA: AP key_mgmt 0x%x network profile key_mgmt 0x%x (0x%x); available key_mgmt 0x%x", -+ ie.key_mgmt, ssid->key_mgmt, ssid->fallback_key_mgmt, sel); - if (0) { - #ifdef CONFIG_IEEE80211R - #ifdef CONFIG_SHA384 -diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf -index 6619d6ba7..3f273b9f6 100644 ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -979,6 +979,10 @@ fast_reauth=1 - # DPP = Device Provisioning Protocol - # If not set, this defaults to: WPA-PSK WPA-EAP - # -+# fallback_key_mgmt: a 
single optional AKM protocol to try as a fallback when -+# none of the protocols configured in key_mgmt are advertised as supported by -+# the AP. If not set, no fallback will be performed. -+# - # ieee80211w: whether management frame protection is enabled - # 0 = disabled (default unless changed with the global pmf parameter) - # 1 = optional --- -2.40.1 - diff --git a/overlay/hostapd/patches/o0004-hostapd-add-support-for-wpa_unadvertised_key_mgmt.patch b/overlay/hostapd/patches/o0004-hostapd-add-support-for-wpa_unadvertised_key_mgmt.patch deleted file mode 100644 index bb7ec85..0000000 --- a/overlay/hostapd/patches/o0004-hostapd-add-support-for-wpa_unadvertised_key_mgmt.patch +++ /dev/null 
@@ -1,323 +0,0 @@ -From 5598bd1db1d564ec456ffaaed313b5855800b652 Mon Sep 17 00:00:00 2001 -From: Karsten Sperling -Date: Fri, 10 Mar 2023 13:46:05 +1300 -Subject: [PATCH] hostapd: Add support for wpa_unadvertised_key_mgmt - -AKMs listed in this setting are accepted in association requests from clients, -but are not advertised in beacons / probe responses. - ---- - -Copyright (c) 2023 Project CHIP Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. ---- - hostapd/config_file.c | 14 +++++----- - hostapd/ctrl_iface.c | 61 +++++++++++++++++++++++++++--------------- - hostapd/hostapd.conf | 4 +++ - src/ap/ap_config.h | 1 + - src/ap/wpa_auth.h | 1 + - src/ap/wpa_auth_glue.c | 1 + - src/ap/wpa_auth_ie.c | 2 +- - 7 files changed, 55 insertions(+), 29 deletions(-) - -diff --git a/hostapd/config_file.c b/hostapd/config_file.c -index b14728d1b..05ad6eeb4 100644 ---- a/hostapd/config_file.c -+++ b/hostapd/config_file.c -@@ -772,12 +772,6 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value) - } - - os_free(buf); -- if (val == 0) { -- wpa_printf(MSG_ERROR, "Line %d: no key_mgmt values " -- "configured.", line); -- return -1; -- } -- - return val; - } - -@@ -2969,8 +2963,16 @@ static int hostapd_config_fill(struct hostapd_config *conf, - } - } else if (os_strcmp(buf, "wpa_key_mgmt") == 0) { - bss->wpa_key_mgmt = hostapd_config_parse_key_mgmt(line, pos); -+ if (bss->wpa_key_mgmt == 0) { -+ wpa_printf(MSG_ERROR, "Line %d: no key_mgmt values configured.", line); -+ return 1; -+ } - 
if (bss->wpa_key_mgmt == -1) - return 1; -+ } else if (os_strcmp(buf, "wpa_unadvertised_key_mgmt") == 0) { -+ bss->wpa_unadvertised_key_mgmt = hostapd_config_parse_key_mgmt(line, pos); -+ if (bss->wpa_unadvertised_key_mgmt == -1) -+ return 1; - } else if (os_strcmp(buf, "wpa_psk_radius") == 0) { - bss->wpa_psk_radius = atoi(pos); - if (bss->wpa_psk_radius != PSK_RADIUS_IGNORED && -diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c -index 86adf18e5..ba9c46b23 100644 ---- a/hostapd/ctrl_iface.c -+++ b/hostapd/ctrl_iface.c -@@ -1039,7 +1039,7 @@ static int hostapd_ctrl_iface_coloc_intf_req(struct hostapd_data *hapd, - #endif /* CONFIG_WNM_AP */ - - --static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, -+static int hostapd_ctrl_iface_get_key_mgmt(int key_mgmt, - char *buf, size_t buflen) - { - int ret = 0; -@@ -1048,35 +1048,33 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, - pos = buf; - end = buf + buflen; - -- WPA_ASSERT(hapd->conf->wpa_key_mgmt); -- -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK) { -+ if (key_mgmt & WPA_KEY_MGMT_PSK) { - ret = os_snprintf(pos, end - pos, "WPA-PSK "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X) { - ret = os_snprintf(pos, end - pos, "WPA-EAP "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } - #ifdef CONFIG_IEEE80211R_AP -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_PSK) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_PSK) { - ret = os_snprintf(pos, end - pos, "FT-PSK "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X) { - ret = os_snprintf(pos, end - pos, "FT-EAP "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } - #ifdef CONFIG_SHA384 -- if 
(hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_IEEE8021X_SHA384) { - ret = os_snprintf(pos, end - pos, "FT-EAP-SHA384 "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; -@@ -1084,7 +1082,7 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, - } - #endif /* CONFIG_SHA384 */ - #ifdef CONFIG_SAE -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_SAE) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_SAE) { - ret = os_snprintf(pos, end - pos, "FT-SAE "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; -@@ -1092,13 +1090,13 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, - } - #endif /* CONFIG_SAE */ - #ifdef CONFIG_FILS -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA256) { - ret = os_snprintf(pos, end - pos, "FT-FILS-SHA256 "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) { -+ if (key_mgmt & WPA_KEY_MGMT_FT_FILS_SHA384) { - ret = os_snprintf(pos, end - pos, "FT-FILS-SHA384 "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; -@@ -1106,33 +1104,33 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, - } - #endif /* CONFIG_FILS */ - #endif /* CONFIG_IEEE80211R_AP */ -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_PSK_SHA256) { - ret = os_snprintf(pos, end - pos, "WPA-PSK-SHA256 "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SHA256) { - ret = os_snprintf(pos, end - pos, "WPA-EAP-SHA256 "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } - #ifdef CONFIG_SAE -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_SAE) { -+ if (key_mgmt & WPA_KEY_MGMT_SAE) { - ret = 
os_snprintf(pos, end - pos, "SAE "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } - #endif /* CONFIG_SAE */ -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { -+ if (key_mgmt & WPA_KEY_MGMT_IEEE8021X_SUITE_B) { - ret = os_snprintf(pos, end - pos, "WPA-EAP-SUITE-B "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } -- if (hapd->conf->wpa_key_mgmt & -+ if (key_mgmt & - WPA_KEY_MGMT_IEEE8021X_SUITE_B_192) { - ret = os_snprintf(pos, end - pos, - "WPA-EAP-SUITE-B-192 "); -@@ -1141,13 +1139,13 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, - pos += ret; - } - #ifdef CONFIG_FILS -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FILS_SHA256) { -+ if (key_mgmt & WPA_KEY_MGMT_FILS_SHA256) { - ret = os_snprintf(pos, end - pos, "FILS-SHA256 "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; - pos += ret; - } -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_FILS_SHA384) { -+ if (key_mgmt & WPA_KEY_MGMT_FILS_SHA384) { - ret = os_snprintf(pos, end - pos, "FILS-SHA384 "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; -@@ -1156,7 +1154,7 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, - #endif /* CONFIG_FILS */ - - #ifdef CONFIG_OWE -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_OWE) { -+ if (key_mgmt & WPA_KEY_MGMT_OWE) { - ret = os_snprintf(pos, end - pos, "OWE "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; -@@ -1165,7 +1163,7 @@ static int hostapd_ctrl_iface_get_key_mgmt(struct hostapd_data *hapd, - #endif /* CONFIG_OWE */ - - #ifdef CONFIG_DPP -- if (hapd->conf->wpa_key_mgmt & WPA_KEY_MGMT_DPP) { -+ if (key_mgmt & WPA_KEY_MGMT_DPP) { - ret = os_snprintf(pos, end - pos, "DPP "); - if (os_snprintf_error(end - pos, ret)) - return pos - buf; -@@ -1290,7 +1288,21 @@ static int hostapd_ctrl_iface_get_config(struct hostapd_data *hapd, - return pos - buf; - pos += ret; - -- pos += 
hostapd_ctrl_iface_get_key_mgmt(hapd, pos, end - pos); -+ pos += hostapd_ctrl_iface_get_key_mgmt(hapd->conf->wpa_key_mgmt, pos, end - pos); -+ -+ ret = os_snprintf(pos, end - pos, "\n"); -+ if (os_snprintf_error(end - pos, ret)) -+ return pos - buf; -+ pos += ret; -+ } -+ -+ if (hapd->conf->wpa && hapd->conf->wpa_unadvertised_key_mgmt) { -+ ret = os_snprintf(pos, end - pos, "unadvertised_key_mgmt="); -+ if (os_snprintf_error(end - pos, ret)) -+ return pos - buf; -+ pos += ret; -+ -+ pos += hostapd_ctrl_iface_get_key_mgmt(hapd->conf->wpa_unadvertised_key_mgmt, pos, end - pos); - - ret = os_snprintf(pos, end - pos, "\n"); - if (os_snprintf_error(end - pos, ret)) -@@ -4607,7 +4619,12 @@ static int hostapd_ctrl_iface_dup_param(struct hostapd_data *src_hapd, - } else if (os_strcmp(param, "wpa_key_mgmt") == 0 && - src_hapd->conf->wpa_key_mgmt) { - res = hostapd_ctrl_iface_get_key_mgmt( -- src_hapd, value, HOSTAPD_CLI_DUP_VALUE_MAX_LEN); -+ src_hapd->conf->wpa_key_mgmt, value, HOSTAPD_CLI_DUP_VALUE_MAX_LEN); -+ if (os_snprintf_error(HOSTAPD_CLI_DUP_VALUE_MAX_LEN, res)) -+ goto error_stringify; -+ } else if (os_strcmp(param, "wpa_unadvertised_key_mgmt") == 0) { -+ res = hostapd_ctrl_iface_get_key_mgmt( -+ src_hapd->conf->wpa_unadvertised_key_mgmt, value, HOSTAPD_CLI_DUP_VALUE_MAX_LEN); - if (os_snprintf_error(HOSTAPD_CLI_DUP_VALUE_MAX_LEN, res)) - goto error_stringify; - } else if (os_strcmp(param, "wpa_pairwise") == 0 && -diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf -index 3c2019f73..127ceb675 100644 ---- a/hostapd/hostapd.conf -+++ b/hostapd/hostapd.conf -@@ -1682,6 +1682,10 @@ own_ip_addr=127.0.0.1 - # (dot11RSNAConfigAuthenticationSuitesTable) - #wpa_key_mgmt=WPA-PSK WPA-EAP - -+# An additional set of accepted key management algorithms that are not -+# advertised in the RSN IE in beacons or probe responses. (default: none) -+#wpa_unadvertised_key_mgmt= -+ - # Set of accepted cipher suites (encryption algorithms) for pairwise keys - # (unicast packets). 
This is a space separated list of algorithms: - # CCMP = AES in Counter mode with CBC-MAC (CCMP-128) -diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h -index 49cd3168a..d476dd6d2 100644 ---- a/src/ap/ap_config.h -+++ b/src/ap/ap_config.h -@@ -351,6 +351,7 @@ struct hostapd_bss_config { - int wpa; /* bitfield of WPA_PROTO_WPA, WPA_PROTO_RSN */ - int extended_key_id; - int wpa_key_mgmt; -+ int wpa_unadvertised_key_mgmt; - enum mfp_options ieee80211w; - int group_mgmt_cipher; - int beacon_prot; -diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h -index fe47723b9..cb44c5b10 100644 ---- a/src/ap/wpa_auth.h -+++ b/src/ap/wpa_auth.h -@@ -172,6 +172,7 @@ struct wpa_auth_config { - int wpa; - int extended_key_id; - int wpa_key_mgmt; -+ int wpa_unadvertised_key_mgmt; - int wpa_pairwise; - int wpa_group; - int wpa_group_rekey; -diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c -index 3e9921553..513a15508 100644 ---- a/src/ap/wpa_auth_glue.c -+++ b/src/ap/wpa_auth_glue.c -@@ -44,6 +44,7 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf, - wconf->wpa = conf->wpa; - wconf->extended_key_id = conf->extended_key_id; - wconf->wpa_key_mgmt = conf->wpa_key_mgmt; -+ wconf->wpa_unadvertised_key_mgmt = conf->wpa_unadvertised_key_mgmt; - wconf->wpa_pairwise = conf->wpa_pairwise; - wconf->wpa_group = conf->wpa_group; - wconf->wpa_group_rekey = conf->wpa_group_rekey; -diff --git a/src/ap/wpa_auth_ie.c b/src/ap/wpa_auth_ie.c -index 524922e4e..a168307f6 100644 ---- a/src/ap/wpa_auth_ie.c -+++ b/src/ap/wpa_auth_ie.c -@@ -737,7 +737,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth, - return WPA_INVALID_GROUP; - } - -- key_mgmt = data.key_mgmt & wpa_auth->conf.wpa_key_mgmt; -+ key_mgmt = data.key_mgmt & (wpa_auth->conf.wpa_key_mgmt | wpa_auth->conf.wpa_unadvertised_key_mgmt); - if (!key_mgmt) { - wpa_printf(MSG_DEBUG, "Invalid WPA key mgmt (0x%x) from " - MACSTR, data.key_mgmt, MAC2STR(sm->addr)); --- -2.40.1 - 
diff --git a/overlay/hostapd/patches/o0005-add-hwsim-tests-for-matter-pdc-authentication.patch b/overlay/hostapd/patches/o0005-add-hwsim-tests-for-matter-pdc-authentication.patch deleted file mode 100644 index 7447b7d..0000000 --- a/overlay/hostapd/patches/o0005-add-hwsim-tests-for-matter-pdc-authentication.patch +++ /dev/null 
@@ -1,311 +0,0 @@ -From 8fb8db830d0d8b593367333750441e4ed2f245eb Mon Sep 17 00:00:00 2001 -From: Karsten Sperling -Date: Thu, 20 Jul 2023 12:20:47 +1200 -Subject: [PATCH] Add hwsim tests for Matter PDC authentication - -Test that PSK, SAE, and PDC all work with the same BSS configuration. - ---- - -Copyright (c) 2023 Project CHIP Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. ---- - tests/hwsim/matter-client-cert.pem | 42 ++++++++++ - tests/hwsim/matter-client-key.pem | 5 ++ - tests/hwsim/matter-network-cert.pem | 42 ++++++++++ - tests/hwsim/matter-network-key.pem | 5 ++ - tests/hwsim/matter-users | 1 + - tests/hwsim/test_ap_matter.py | 117 ++++++++++++++++++++++++++++ - tests/hwsim/wpasupplicant.py | 4 +- - 7 files changed, 214 insertions(+), 2 deletions(-) - create mode 100644 tests/hwsim/matter-client-cert.pem - create mode 100644 tests/hwsim/matter-client-key.pem - create mode 100644 tests/hwsim/matter-network-cert.pem - create mode 100644 tests/hwsim/matter-network-key.pem - create mode 100644 tests/hwsim/matter-users - create mode 100644 tests/hwsim/test_ap_matter.py - -diff --git a/tests/hwsim/matter-client-cert.pem b/tests/hwsim/matter-client-cert.pem -new file mode 100644 -index 000000000..774c60406 ---- /dev/null -+++ b/tests/hwsim/matter-client-cert.pem -@@ -0,0 +1,42 @@ -+Certificate: -+ Data: -+ Version: 3 (0x2) -+ Serial Number: 1 (0x1) -+ Signature Algorithm: ecdsa-with-SHA256 -+ Issuer: CN=* -+ Validity -+ Not Before: Jan 1 00:00:01 2000 GMT -+ Not After : Dec 31 
23:59:59 9999 GMT -+ Subject: CN=* -+ Subject Public Key Info: -+ Public Key Algorithm: id-ecPublicKey -+ Public-Key: (256 bit) -+ pub: -+ 04:a0:f1:66:f6:17:17:53:6d:1d:23:27:1e:94:6e: -+ 34:70:96:db:9a:8e:af:dd:06:26:9a:d6:33:e3:7b: -+ 68:4b:f4:99:df:6d:c5:7e:9a:2f:19:db:63:08:de: -+ a4:f0:5e:7d:7c:52:0b:d8:03:a4:af:eb:de:90:1d: -+ f4:b9:9a:8d:74 -+ ASN1 OID: prime256v1 -+ NIST CURVE: P-256 -+ X509v3 extensions: -+ X509v3 Basic Constraints: critical -+ CA:FALSE -+ X509v3 Key Usage: critical -+ Digital Signature -+ X509v3 Extended Key Usage: critical -+ TLS Web Client Authentication, TLS Web Server Authentication -+ Signature Algorithm: ecdsa-with-SHA256 -+ 30:45:02:20:6c:76:81:bd:0c:2b:df:08:16:f3:25:05:3f:c8: -+ d2:e6:0b:47:a0:35:e6:c6:7c:a5:df:b0:c8:de:f5:cf:c7:cb: -+ 02:21:00:af:61:fd:42:22:4e:41:c8:4a:b2:5b:7f:0b:72:a9: -+ 0d:90:4f:7d:93:1f:34:87:12:b1:ff:76:b0:f0:e0:13:cb -+-----BEGIN CERTIFICATE----- -+MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMAwxCjAIBgNVBAMMASowIBcNMDAw -+MTAxMDAwMDAxWhgPOTk5OTEyMzEyMzU5NTlaMAwxCjAIBgNVBAMMASowWTATBgcq -+hkjOPQIBBggqhkjOPQMBBwNCAASg8Wb2FxdTbR0jJx6UbjRwltuajq/dBiaa1jPj -+e2hL9JnfbcV+mi8Z22MI3qTwXn18UgvYA6Sv696QHfS5mo10o0IwQDAMBgNVHRMB -+Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAgYI -+KwYBBQUHAwEwCgYIKoZIzj0EAwIDSAAwRQIgbHaBvQwr3wgW8yUFP8jS5gtHoDXm -+xnyl37DI3vXPx8sCIQCvYf1CIk5ByEqyW38LcqkNkE99kx80hxKx/3aw8OATyw== -+-----END CERTIFICATE----- -diff --git a/tests/hwsim/matter-client-key.pem b/tests/hwsim/matter-client-key.pem -new file mode 100644 -index 000000000..6a03454bc ---- /dev/null -+++ b/tests/hwsim/matter-client-key.pem -@@ -0,0 +1,5 @@ -+-----BEGIN EC PRIVATE KEY----- -+MHcCAQEEIEqNUvN3/qRqbCarHnt4BAXpHB5CyVHOl4KPDuTnV9htoAoGCCqGSM49 -+AwEHoUQDQgAEoPFm9hcXU20dIycelG40cJbbmo6v3QYmmtYz43toS/SZ323Ffpov -+GdtjCN6k8F59fFIL2AOkr+vekB30uZqNdA== -+-----END EC PRIVATE KEY----- -diff --git a/tests/hwsim/matter-network-cert.pem b/tests/hwsim/matter-network-cert.pem -new file mode 100644 -index 000000000..f4f75cc50 
---- /dev/null -+++ b/tests/hwsim/matter-network-cert.pem -@@ -0,0 +1,42 @@ -+Certificate: -+ Data: -+ Version: 3 (0x2) -+ Serial Number: 1 (0x1) -+ Signature Algorithm: ecdsa-with-SHA256 -+ Issuer: CN=* -+ Validity -+ Not Before: Jan 1 00:00:01 2000 GMT -+ Not After : Dec 31 23:59:59 9999 GMT -+ Subject: CN=* -+ Subject Public Key Info: -+ Public Key Algorithm: id-ecPublicKey -+ Public-Key: (256 bit) -+ pub: -+ 04:0f:31:ca:80:a9:a8:63:82:72:24:0e:36:b8:cc: -+ cf:d9:83:d5:f5:7a:1c:03:5b:29:48:37:c6:b3:59: -+ cb:58:b3:e9:18:ec:ae:bb:02:d1:d3:07:37:b8:8b: -+ 99:c1:7c:88:51:e5:19:41:c0:32:c6:a0:b7:e3:60: -+ 77:c9:31:30:f9 -+ ASN1 OID: prime256v1 -+ NIST CURVE: P-256 -+ X509v3 extensions: -+ X509v3 Basic Constraints: critical -+ CA:FALSE -+ X509v3 Key Usage: critical -+ Digital Signature -+ X509v3 Extended Key Usage: critical -+ TLS Web Client Authentication, TLS Web Server Authentication -+ Signature Algorithm: ecdsa-with-SHA256 -+ 30:46:02:21:00:b5:01:17:e4:9a:5f:4a:f6:24:01:4e:1c:cc: -+ 14:e2:a5:ea:9a:03:11:f1:1c:7b:29:96:91:e9:82:1d:60:6c: -+ 8f:02:21:00:de:c1:48:64:2e:e1:48:30:40:9c:71:c9:fb:2c: -+ 07:fb:e4:9d:3e:c7:dd:f9:61:f1:29:80:e9:52:41:44:fc:6d -+-----BEGIN CERTIFICATE----- -+MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMAwxCjAIBgNVBAMMASowIBcNMDAw -+MTAxMDAwMDAxWhgPOTk5OTEyMzEyMzU5NTlaMAwxCjAIBgNVBAMMASowWTATBgcq -+hkjOPQIBBggqhkjOPQMBBwNCAAQPMcqAqahjgnIkDja4zM/Zg9X1ehwDWylIN8az -+WctYs+kY7K67AtHTBze4i5nBfIhR5RlBwDLGoLfjYHfJMTD5o0IwQDAMBgNVHRMB -+Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAgYI -+KwYBBQUHAwEwCgYIKoZIzj0EAwIDSQAwRgIhALUBF+SaX0r2JAFOHMwU4qXqmgMR -+8Rx7KZaR6YIdYGyPAiEA3sFIZC7hSDBAnHHJ+ywH++SdPsfd+WHxKYDpUkFE/G0= -+-----END CERTIFICATE----- -diff --git a/tests/hwsim/matter-network-key.pem b/tests/hwsim/matter-network-key.pem -new file mode 100644 -index 000000000..467738914 ---- /dev/null -+++ b/tests/hwsim/matter-network-key.pem -@@ -0,0 +1,5 @@ -+-----BEGIN EC PRIVATE KEY----- 
-+MHcCAQEEIFO7j0xV/l6UXL+uTyG9ZKplBNdhT0nX7AKaNr3zXLB9oAoGCCqGSM49 -+AwEHoUQDQgAEDzHKgKmoY4JyJA42uMzP2YPV9XocA1spSDfGs1nLWLPpGOyuuwLR -+0wc3uIuZwXyIUeUZQcAyxqC342B3yTEw+Q== -+-----END EC PRIVATE KEY----- -diff --git a/tests/hwsim/matter-users b/tests/hwsim/matter-users -new file mode 100644 -index 000000000..8496898cd ---- /dev/null -+++ b/tests/hwsim/matter-users -@@ -0,0 +1 @@ -+"@pdc.csa-iot.org" TLS -diff --git a/tests/hwsim/test_ap_matter.py b/tests/hwsim/test_ap_matter.py -new file mode 100644 -index 000000000..9d82c892d ---- /dev/null -+++ b/tests/hwsim/test_ap_matter.py -@@ -0,0 +1,117 @@ -+# Matter Per-Device Credentials Tests -+# Copyright (c) 2023 Project CHIP Authors -+# -+# This software may be distributed under the terms of the BSD license. -+# See README for more details. -+ -+import hostapd -+import hwsim_utils -+import logging -+from utils import HwsimSkip -+ -+logger = logging.getLogger() -+ -+SSID = "test-matter" -+PASSWORD = "SecretMatterAP" -+ -+ -+def test_matter_wpa2_psk_client(dev, apdev): -+ """Matter AP - WPA2 PSK client""" -+ hapd, sta = prepare(dev, apdev) -+ connect_sta(sta, key_mgmt="WPA-PSK", pairwise="CCMP") -+ verify_sta_connection(sta, hapd) -+ -+def test_matter_wpa3_sae_client(dev, apdev): -+ """Matter AP - WPA3 SAE client""" -+ hapd, sta = prepare(dev, apdev) -+ connect_sta(sta, key_mgmt="SAE", pairwise="CCMP", ieee80211w="2") -+ verify_sta_connection(sta, hapd) -+ -+def test_matter_pdc_client(dev, apdev): -+ """Matter AP - PDC client""" -+ hapd, sta = prepare(dev, apdev) -+ connect_pdc_sta(sta) -+ verify_sta_connection(sta, hapd) -+ sta_info = hapd.get_sta(sta.own_addr()) -+ identity = sta_info["dot1xAuthSessionUserName"] -+ if not identity.endswith("@pdc.csa-iot.org"): -+ raise Exception("Unexpected client identity: " + identity) -+ -+def test_matter_pdc_client_no_mfp_rejected(dev, apdev): -+ """Matter AP - PDC client rejected if MFP is disabled""" -+ raise HwsimSkip("TODO: MFP enforcement") -+ hapd, sta = prepare(dev, apdev) 
-+ connect_pdc_sta(sta, wait_connect=False, ieee80211w="0") -+ disconnect = expect_event(sta, "CTRL-EVENT-DISCONNECTED", reject="CTRL-EVENT-CONNECTED") -+ if "locally_generated=1" in disconnect: -+ raise Exception("Disconnect should be AP-generated") -+ -+ -+def prepare(dev, apdev): -+ sta = dev[0] -+ check_support(sta) -+ hapd = hostapd.add_ap(apdev[0], hapd_params()) -+ return hapd, sta -+ -+def check_support(dev): -+ tls = dev.request("GET tls_library") -+ if tls.startswith("internal"): -+ raise HwsimSkip("Matter authentication not supported with this TLS library: " + tls) -+ -+def hapd_params(**kwargs): -+ return merged_dict(kwargs, -+ ssid=SSID, -+ wpa_passphrase=PASSWORD, -+ wpa="2", -+ rsn_pairwise="CCMP", -+ wpa_key_mgmt="WPA-PSK SAE", -+ vendor_elements="dd064a191b010100", -+ wpa_unadvertised_key_mgmt="WPA-EAP-SHA256", -+ ieee80211w="1", -+ ieee8021x="1", -+ eap_server="1", -+ openssl_ciphers="TLS_AES_128_CCM_SHA256", -+ openssl_ecdh_curves="P-256", -+ tls_flags="[DISABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][ENABLE-TLSv1.3]", -+ eap_user_file="matter-users", -+ server_cert="matter-network-cert.pem", -+ private_key="matter-network-key.pem", -+ ca_cert="matter-client-cert.pem") -+ -+def connect_sta(dev, **kwargs): -+ dev.connect(SSID, **merged_dict(kwargs, psk=PASSWORD, scan_freq="2412")) -+ -+def connect_pdc_sta(dev, **kwargs): -+ connect_sta(dev, **merged_dict(kwargs, -+ key_mgmt="WPA-EAP-SHA256", -+ fallback_key_mgmt="WPA-EAP-SHA256", -+ pairwise="CCMP", -+ ieee80211w="2", -+ eap="TLS", -+ eap_workaround="0", -+ identity="@pdc.csa-iot.org", -+ phase1="tls_disable_tlsv1_0=1,tls_disable_tlsv1_1=1,tls_disable_tlsv1_2=1,tls_disable_tlsv1_3=0", -+ openssl_ciphers="TLS_AES_128_CCM_SHA256", -+ openssl_ecdh_curves="P-256", -+ client_cert="matter-client-cert.pem", -+ private_key="matter-client-key.pem", -+ ca_cert="matter-network-cert.pem")) -+ -+def verify_sta_connection(dev, hapd): -+ hapd.wait_sta() -+ hwsim_utils.test_connectivity(dev, hapd) -+ -+def 
expect_event(dev, events, reject=[], timeout=5): -+ ev = dev.wait_event(ensure_list(events) + ensure_list(reject), timeout) -+ if not ev: -+ raise Exception("Timed out waiting for expected event(s): " + str(events)) -+ for r in ensure_list(reject): -+ if r in ev: -+ raise Exception("Unexpected event: " + r) -+ return ev -+ -+def merged_dict(overrides, **defaults): -+ return dict(defaults, **overrides) -+ -+def ensure_list(arg): -+ return arg if isinstance(arg, list) else [arg] -diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py -index 160aa3e2d..363276046 100644 ---- a/tests/hwsim/wpasupplicant.py -+++ b/tests/hwsim/wpasupplicant.py -@@ -1078,7 +1078,7 @@ class WpaSupplicant: - "private_key_passwd", "ca_cert2", "client_cert2", - "private_key2", "phase1", "phase2", "domain_suffix_match", - "altsubject_match", "subject_match", "pac_file", "dh_file", -- "bgscan", "ht_mcs", "id_str", "openssl_ciphers", -+ "bgscan", "ht_mcs", "id_str", "openssl_ciphers", "openssl_ecdh_curves", - "domain_match", "dpp_connector", "sae_password", - "sae_password_id", "check_cert_subject", - "machine_ca_cert", "machine_client_cert", -@@ -1087,7 +1087,7 @@ class WpaSupplicant: - if field in kwargs and kwargs[field]: - self.set_network_quoted(id, field, kwargs[field]) - -- not_quoted = ["proto", "key_mgmt", "ieee80211w", "pairwise", -+ not_quoted = ["proto", "key_mgmt", "fallback_key_mgmt", "ieee80211w", "pairwise", - "group", "wep_key0", "wep_key1", "wep_key2", "wep_key3", - "wep_tx_keyidx", "scan_freq", "freq_list", "eap", - "eapol_flags", "fragment_size", "scan_ssid", "auth_alg", --- -2.40.1 -