When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was
decrypted using a temporary heap buffer with aes_unwrap(). That buffer
was not explicitly cleared, so it was possible for the group keys to
remain in memory unnecessarily until the allocated area was reused.
Clean this up by clearing the temporary allocation explicitly before
freeing it.
Signed-off-by: Jouni Malinen <j@w1.fi>
IPMK and CMK are derived from TK when using TLS session resumption with
PEAPv0 crypto binding. The EAP-PEAP peer implementation already
supported this, but the server side did not.
Signed-off-by: Jouni Malinen <j@w1.fi>
eap_peap_parse_phase1() returned 0 unconditionally, so there was no need
for that return value or the code path that tried to address the error
case.
Signed-off-by: Jouni Malinen <j@w1.fi>
On systems that have multiple WLAN rfkill instances, the rfkill code
can become confused into thinking that the device was unblocked when
in fact it wasn't, because it only matches on the WLAN type.
Since it then stores the new (unblocked) state from the wrong rfkill
instance, it will never retry the failing IFF_UP operation and the
user has to toggle rfkill again, or otherwise intervene manually, in
this case to get back to operational state.
Fix this by using the existing (but unused) ifname argument when the
rfkill instance is created to match to a specific rfkill index only.
As a P2P Device interface does not have a netdev interface associated
with it, use the name of a sibling interface to initialize the rfkill
context for the P2P Device interface. For nl80211, as the wiphy index
is known only after getting the driver capabilities from the kernel,
move the initialization of the rfkill object to
wpa_driver_nl80211_finish_drv_init().
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The rfkill processing in nl80211 driver assumes that the
INTERFACE_ENABLED/DISABLED will be also issued, so does not do much in
the rfkill callbacks. However, as a P2P Device interface is not
associated with a network interface, these events are not issued for it.
Handle rfkill events for the P2P_DEVICE interface by faking the
INTERFACE_ENABLED/DISABLED.
Signed-off-by: Moshe Benji <Moshe.Benji@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The Setup Response timer is relatively fast (500 ms) and there are
instances where it fires on the responder side after the initiator has
already sent out the TDLS Setup Confirm frame. Prevent the processing of
this stale TDLS Setup Response frame on the initiator side.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Fix mostly theoretical NULL pointer dereference in
wpa_debug_open_linux_tracing() if /proc/mounts were to return a
malformed line.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
This patch fixes an issue with an invalid phase2 parameter value
auth=MSCHAPv2 getting interpreted as auth=MSCHAP (v1) which could
degrade security (though, only within a protected TLS tunnel). Now when
invalid or unsupported auth= phase2 parameter combinations are
specified, EAP-TTLS initialization throws an error instead of silently
doing something.
More then one auth= phase2 type cannot be specified and also both auth= and
autheap= options cannot be specified.
Parsing phase2 type is case sensitive (as in other EAP parts), so phase2
parameter auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
[Use cstr_token() to get rid of unnecessary allocation; cleanup]
Signed-off-by: Jouni Malinen <j@w1.fi>
There are two types of memory processing functions in the file
atheros_driver.c, such as memory and os_memory. Unify the processing
functions into one type which has the prefix "os_".
Signed-off-by: Matt Woods <matt.woods@aliyun.com>
This adds a CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS
messages with 'bad certificate status response' for cases where no valid
OCSP response was received, but the network profile requires OCSP to be
used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This completes OCSP stapling support on the TLS client side. Each
SingleResponse value is iterated until a response matching the server
certificate is found. The validity time of the SingleResponse is
verified and certStatus good/revoked is reported if all validation step
succeed.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds the next step in completing TLS client support for OCSP
stapling. The BasicOCSPResponse is parsed, a signing certificate is
found, and the signature is verified. The actual sequence of OCSP
responses (SignleResponse) is not yet processed in this commit.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds the next step for OCSP stapling. The received OCSPResponse is
parsed to get the BasicOCSPResponse. This commit does not yet process
the BasicOCSPResponse.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows the internal TLS client implementation to accept
CertificateStatus message from the server when trying to use OCSP
stapling. The actual OCSPResponse is not yet processed in this commit,
but the CertificateStatus message is accepted to allow the TLS handshake
to continue.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows the internal TLS implementation to request server
certificate status using OCSP stapling. This commit is only adding code
to add the request. The response is not yet used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This prints the received ServerHello extensions into the debug log and
allows handshake to continue even if such extensions are included.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows the internal TLS implementation to parse a private key and a
certificate from a PKCS #12 file protected with
pbeWithSHAAnd3-KeyTripleDES-CBC.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for decrypting private keys protected with the old
PKCS #12 mechanism using OID pbeWithSHAAnd3-KeyTripleDES-CBC.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.
This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.
By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.
The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>
Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).
The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>
It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not override the parsing error with the "PAC block not terminated
with END" message if the reason for the END line not yet being seen is
in failure to parse an earlier line.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to hit a NULL pointer dereference if Session-Id
derivation failed due to a memory allocation failure.
Signed-off-by: Jouni Malinen <j@w1.fi>
The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications
using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using
the new API for allocating these structures.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This FTIE needs to be an exact copy of the one in (Re)Association
Response frame. Copy the stored element rather than building a new copy
that would not have the correct MIC value. This is needed to fix PTK
rekeying after FT protocol run.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The FTIE from (Re)Association Response frame was copied before
calculating the MIC. This resulted in incorrect value being used when
comparing the EAPOL-Key msg 2/4 value in case PTK rekeying was used
after FT protocol run. Fix this by storing the element after the MIC
field has been filled in.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_insert_pmkid() did not support cases where the original RSN IE
included any PMKIDs. That case can happen when PTK rekeying through
4-way handshake is used after FT protocol run. Such a 4-way handshake
used to fail with wpa_supplicant being unable to build the EAPOL-Key msg
2/4.
Fix this by extending wpa_insert_pmkid() to support removal of the old
PMKIDs, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to interpret AP side debug log for a case where a
station specifies in unsupported management group cipher.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new wpa_supplicant control interface command "TEST_ASSOC_IE
<hexdump>" can now be used to override the WPA/RSN IE for Association
Request frame and following 4-way handshake to allow protocol testing of
AP side processing of WPA/RSN IE.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the internal TLS support for PKCS #5 v2.0 PBES2 private key
format with des-ede3-cbc encryption and PBKDF2 SHA-1.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds experimental support for using OCSP with libcurl that is built
against BoringSSL. This needs small modifications to libcurl to allow
CURLOPT_SSL_VERIFYSTATUS to be used to call
SSL_enable_ocsp_stapling(connssl->handle) in ossl_connect_step1().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier to share the OCSP implementation needed for
BoringSSL outside tls_openssl.c. For now, this is mainly for
http_curl.c.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL modified the struct sha_state_st (SHA_CTX) definition by
converting h0..h4 with h[5] array. This broke wpa_supplicant/hostapd
build with EAP-SIM enabled. BoringSSL restored the old version for
ANDROID builds, but only the new version is currently defined for
non-Android cases. For now, fix this by having matching selection in
fips_prf_openssl.c based on OPENSSL_IS_BORINGSSL and ANDROID defines.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
OpenSSL 1.1.x will apparently go out with "SSLeay" renamed in the API to
"OpenSSL", which broke the build here for fetching the version of the
running OpenSSL library when wpa_supplicant/hostapd is built against the
current OpenSSL snapshot.
Signed-off-by: Jouni Malinen <j@w1.fi>
These needs to be cancelled so that the kernel driver does not get left
with all old entries blocking other offchannel operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows multiple external registrars to execute a WPS protocol run
with a WPS AP over UPnP. Previously, hostapd supported only a single WPS
peer entry at a time and if multiple ERs tried to go through a WPS
protocol instance concurrently, only one such exchange could succeed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add 'scan plans' to driver scan parameters for scheduled scan.
Each 'scan plan' specifies the number of iterations to run the scan
request and the interval between iterations. When a scan plan
finishes (i.e., it was run for the specified number of iterations),
the next scan plan is executed. The last scan plan will run
infinitely.
The maximum number of supported scan plans, the maximum number of
iterations for a single scan plan and the maximum scan interval
are advertised by the driver.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
conn->session_resumed was not set to 1 after successful use of a TLS
session ticket with EAP-FAST. This resulted in the wpa_supplicant STATUS
tls_session_reused showing incorrect value (0 instead of 1) when
EAP-FAST PAC was used. Fix this by setting conn->session_resumed = 1
when TLS handshake using the session ticket succeeds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit af851914f8 ('Make
tls_connection_get_keyblock_size() internal to tls_*.c') broke
tls_connection_prf() with the internal TLS implementation when using
skip_keyblock=1. In practice, this broke EAP-FAST. Fix this by deriving
the correct number of PRF bytes before skipping the keyblock.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the server/client certificate includes the extKeyUsage extension,
verify that the listed key purposes include either the
anyExtendedKeyUsage wildcard or id-kp-serverAuth/id-kp-clientAuth,
respectively.
Signed-off-by: Jouni Malinen <j@w1.fi>
md4_vector(), md5_vector(), sha1_vector(), and sha256_vector() already
supported TEST_FAIL() with the OpenSSL crypto implementation, but the
same test functionality is needed for the internal crypto implementation
as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for some NFC DH generation error paths to leak memory
since the old private/public key was not freed if an allocation failed.
Signed-off-by: Jouni Malinen <j@w1.fi>