OpenSSL: Fix TLS_CONN_TEAP_ANON_DH build with some library versions
The OPENSSL_VERSION_NUMBER ifdef block left out the local variable that
is needed with all versions. In addition, SSL_set_security_level() is
not available with LibreSSL or BoringSSL.
Fixes: 3ec65a8e38a0 ("OpenSSL: Allow anon-DH cipher suites to be added for TEAP") Signed-off-by: Jouni Malinen <j@w1.fi>
OpenSSL: Fix build with OpenSSL 1.0.2 and 1.1.0 and LibreSSL
The tls_connection_get_cipher_suite() implementation used
SSL_CIPHER_get_protocol_id which was added in OpenSSL 1.1.1. Need to use
compatibility code with older versions.
EAP-TLS server: Add application data to indicate end of v1.3 handshake
This adds an encrypted version of a one octet application data payload
to the end of the handshake when TLS v1.3 is used to indicate explicit
termination of the handshake (either after Finished message or after the
optional NewSessionTicket message). The current
draft-ietf-emu-eap-tls13-05 defines this to be a zero length payload,
but since that is not allowed by OpenSSL, use a one octet payload
instead for now with hopes of getting the draft specification updated
instead of having to modify OpenSSL for this.
EAP-TLS peer: Handle possible application data at the end
EAP-TLS with TLS 1.3 uses an empty application data record from the
server to indicate end of the exchange, so EAP-TLS peer will need to
check for this special case and finish the exchange with an empty
EAP-TLS (ACK) so that the server can send out EAP-Success.
This will hopefully not be needed for EAP-TLS use cases since there
should not really be a middlebox that looks at the TLS layer details in
case of EAP authentication.
OpenSSL: Allow two server certificates/keys to be configured on server
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.
Ervin Oro [Mon, 15 Apr 2019 17:05:49 +0000 (20:05 +0300)]
Add Type-Code context to EAP-TLS 1.3 exported Key_Material and Method-Id
Change to require the Type-Code in context for Key_Material and
Method-Id has now been published as draft-ietf-emu-eap-tls13-04.
https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-04#section-2.3
EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.
This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.
OpenSSL: Allow anon-DH cipher suites to be added for TEAP
Add a new TLS_CONN_* flag to provide a higher level mechanism for adding
(instead of fully replacing) allowed list of TLS ciphersuites for TEAP
provisioning purposes.
Silence static analyzer warning about null termination of a string
The buf[] array is initialized to zeros, so it was already null
terminated since the read() call did not allow the last character of the
buffer to be overwritten. Since that was apparently not enough to make
some static analyzers understand the design, use explicit null
termination after a successful read() call.
Now that the TLS peer_cert information is provided as a full struct to
handler functions, the altsubject pointer shows up as an array and
causes static analyzers to warn about unnecessary NULL comparison. Get
rid of that comparison now that it is clearly not needed anymore.
Jouni Malinen [Mon, 24 Jun 2019 20:02:51 +0000 (23:02 +0300)]
EAP-pwd: Run through prf result processing even if it >= prime
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Jouni Malinen [Mon, 24 Jun 2019 20:01:06 +0000 (23:01 +0300)]
SAE: Run through prf result processing even if it >= prime
This reduces differences in timing and memory access within the
hunting-and-pecking loop for ECC groups that have a prime that is not
close to a power of two (e.g., Brainpool curves).
Sven Eckelmann [Fri, 14 Jun 2019 14:49:21 +0000 (16:49 +0200)]
mesh: Add support for HE mode
Mesh points can partially support HE features (when requiring no
controlling STA/AP) as long as hardware supports it. The kernel just
requires support for HE mesh and wpa_supplicant can forward the peer
capabilities to the kernel for further processing.
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Sven Eckelmann [Fri, 14 Jun 2019 14:49:20 +0000 (16:49 +0200)]
nl80211: Add driver multi iftype HE capability parsing
The HE capabilities are no longer per PHY but per iftype on this
specific PHY. It is therefore no longer enough to just parse the AP
capabilities.
The he_capabilities are now duplicated to store all information for
IEEE80211_MODE_* which hostap cares about. The nl80211 driver fills in
this information when the iftype supports HE. The rest of the code still
only uses the IEEE80211_HE_AP portion but can be extended later to also
use other HE capabilities.
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Sven Eckelmann [Fri, 14 Jun 2019 14:49:19 +0000 (16:49 +0200)]
wpa_supplicant: Fix type for ssid->mode comparisons
The ssid->mode is from type enum wpas_mode and all its constants start
with WPAS_MODE_*. Still some of the code sections used the
IEEE80211_MODE_* defines instead of WPAS_MODE_*.
This should have no impact on the actual code because the constants for
INFRA, IBSS, AP and MESH had the same values.
Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Sven Eckelmann [Wed, 12 Jun 2019 23:10:07 +0000 (01:10 +0200)]
HE: Fix HE capability check for PPE threshold present
The the mask for PPE threshold present in the HE phy capability byte 6 is
0x80 and not 0x6. This incorrect mask breaks the length calculation and as
result the acceptance of the HE capabilities for STAs which either:
* don't have the PPE threshold present bit set AND the Codebook Size={7,5}
MU Feedback or the Triggered SU Beamforming feedback bit set
* do have the PPE threshold present set AND neither the Codebook Size={7,5}
MU Feedback nor the Triggered SU Beamforming feedback bit set
Fixes: 8f5fc369e263 ("HE: Fix HE Capabilities element variable length encoding") Signed-off-by: Sven Eckelmann <seckelmann@datto.com>
Jouni Malinen [Sat, 22 Jun 2019 15:42:53 +0000 (18:42 +0300)]
libtommath: Make sure fast_s_mp_mul_digs initializes the W[] array
Some compilers have started to warn about this and the use of two loops
with ix 0..pa-1 and 0..pa loop a bit suspicious, so better make sure the
array is initialized with zeros before extracting the terms from it.
Jouni Malinen [Sat, 22 Jun 2019 15:36:57 +0000 (18:36 +0300)]
TLS: Move ASN.1 DER BOOLEAN validation into generic ASN.1 parsing
This does not need to be specific to X.509, so move the BOOLEAN DER
encoding validation into asn1_get_next() to make it apply for all cases
instead of having to have the caller handle this separately.
Jouni Malinen [Sat, 22 Jun 2019 15:27:36 +0000 (18:27 +0300)]
TLS: Only allow 0xff value as TRUE for ASN.1 DER encoded BOOLEAN
While BER encoding allows any nonzero value to be used for TRUE, DER is
explicitly allowing only the value 0xff. Enforce this constraint in
X.509 parsing to be more strict with what is acceptable.
Jouni Malinen [Sat, 22 Jun 2019 15:11:24 +0000 (18:11 +0300)]
TLS: Fix X.509v3 BasicConstraints parsing
Handling of the optional pathLenConstraint after cA was not done
properly. The position after cA needs to be compared to the end of the
SEQUENCE, not the end of the available buffer, to determine whether the
optional pathLenConstraint is present. In addition, when parsing
pathLenConstraint, the length of the remaining buffer was calculated
incorrectly by not subtracting the length of the header fields needed
for cA. This could result in reading couple of octets beyond the end of
the buffer before rejecting the ASN.1 data as invalid.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15408 Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 20 Jun 2019 20:44:51 +0000 (23:44 +0300)]
OpenSSL: Send cert event for the peer even on CA cert failure
This adds a CTRL-EVENT-EAP-PEER-CERT even for depth=0 even if a depth >
0 certificate results in peer certificate validation error. Previously,
this case resulted in the upper layers not getting any information about
the used peer certificate. Now that information is available, e.g., to
allow server certificate -based overriding of the trust to be done.
Liangwei Dong [Wed, 29 May 2019 09:11:48 +0000 (05:11 -0400)]
hostapd: Process OWE IE and update DH IE to the driver if needed
This implements the required functionality in hostapd to facilitate OWE
connection with the AP SME-in-driver cases. Stations can either send DH
IE or PMKID (in RSNE) (or both) in Association Request frame during the
OWE handshake. The drivers that use this offload mechanism do not
interpret this information and instead, pass the same to hostapd for
further processing. hostapd will either validate the PMKID obtained from
the STA or generate DH IE and further indicate the same to the driver.
The driver further sends this information in the Association Response
frame.
Liangwei Dong [Mon, 20 May 2019 05:17:38 +0000 (10:47 +0530)]
nl80211: Introduce the interface to update new DH IE
This command/event interface can be used by SME based host drivers that
rely on user space (hostapd/wpa_supplicant) for DH IE
processing/generation. This interface facilitates the OWE connection
with host drivers by offloading DH IE processing to the user space
(hostapd/wpa_supplicant).
HS 2.0: Skip credential without EAP method for roaming consortium match
EAP method is required for a credential that matches configured
roaming_consortium with an Interworking AP. Hence skip credentials which
do not have EAP method specified for this match. This fixes an issue
where a credential that cannot work without EAP method from NAI Realms
information is selected first based on roaming consortium.
Jouni Malinen [Fri, 14 Jun 2019 19:57:17 +0000 (22:57 +0300)]
tests: Specify EAP type in ap_hs20_set_profile_failures
Matching with roaming_consortium requires EAP type to be specified to
work for the connection. This test case was not really testing the
connection part, so this has not been much of an issue in the past, but
in preparation for the matching rules to start filtering out invalid
credential configurations from selection, the EAP type needs to be
explicitly set here.
Jouni Malinen [Wed, 12 Jun 2019 19:23:30 +0000 (22:23 +0300)]
wlantest: Allow duplicate frame processing after decryption failure
If a sniffer capture does not include FCS for each frame, but may
included frames with invalid FCS, it would be possible for wlantest to
try to decrypt the first received frame and fail (e.g., due to CCMP MIC
mismatch) because that particular frame was corrupted and then ignore
the following retry of that frame as a duplicate even if that retry has
different payload (e.g., if its reception did not show corruption).
Work around this by skipping duplicate frame detection immediately
following a decryption failure.
Jouni Malinen [Sun, 9 Jun 2019 01:41:15 +0000 (04:41 +0300)]
TLS: Be more careful in X.509 Time parsing
sscanf() can apparently read beyond the end of the buffer even if the
maximum length of the integer is specified in the format string. Replace
this parsing mechanism with helper functions that use sscanf() with NUL
terminated string to avoid this.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15158 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Fri, 7 Jun 2019 20:57:02 +0000 (23:57 +0300)]
tests: Fix CFLAGS passing for new fuzzing tools
src/*/Makefile needs to allow additional CFLAGS values to be provided
from the calling Makefiles so that the clang command line arguments to
enable sanitizers consistently. In addition, it can be useful to be able
to provide CC, CFLAGS, and LDFLAGS from external setup while still
requesing LIBFUZZER=y build. Allow that by not overriding these
variables if they are already set.
Jouni Malinen [Fri, 7 Jun 2019 20:54:20 +0000 (23:54 +0300)]
tests: Fix eapol-key-auth memory use for the callback pointer struct
This struct needs to remain valid through the lifetime of the
authenticator state machine, so move it to the context struct instead of
being a local stack variable inside the setup function that returns
before the actual test functionality is executed.
Vamsi Krishna [Mon, 27 May 2019 08:52:10 +0000 (14:22 +0530)]
Add a QCA vendor attr to disable auto resume beacon reporting
The driver automatically starts beacon reporting if it pauses the beacon
reporting for any reason other than disconnection. In specific cases,
userspace may not want the beacon reporting to be automatically resumed
after a pause. Add interface support for userspace to specify driver not
to start beacon reporting automatically after a pause.