Commit graph

17066 commits

Author SHA1 Message Date
Jouni Malinen
f214361581 SAE: Reuse previously generated PWE on a retry with the same STA
Do not start SAE authentication from scratch if a STA starts a new
attempt for the same group while we still have previously generated PWE
available. Instead, use the previously generated PWE as-is and skip
anti-clogging token exchange since the heavy processing is already
completed. This saves unnecessary processing on the AP side in case the
STA failed to complete authentication on the first attempt (e.g., due to
heavy SAE load on the AP causing a timeout) and makes it more likely for
a valid STA to be able to complete SAE authentication during a DoS
attack.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:07:20 +02:00
Jouni Malinen
fd83089120 SAE: Reuse previously generated PWE on a retry with the same AP
Do not start SAE authentication from scratch when the AP requests
anti-clogging token to be used. Instead, use the previously generated
PWE as-is if the retry is for the same AP and the same group. This saves
unnecessary processing on the station side in case the AP is under heavy
SAE authentiation load.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:07:11 +02:00
Jouni Malinen
a9af1da0b5 SAE: Enforce single use for anti-clogging tokens
Add a 16-bit token index into the anti-clogging token. This can be used
to enforce only a single use of each issued anti-clogging token request.
The token value is now token-index |
last-30-octets-of(HMAC-SHA256(sae_token_key, STA-MAC-address |
token-index)), i.e., the first two octets of the SHA256 hash value are
replaced with the token-index and token-index itself is protected as
part of the HMAC context data.

Track the used 16-bit token index values and accept received tokens only
if they use an index value that has been requested, but has not yet been
used. This makes it a bit more difficult for an attacker to perform DoS
attacks against the heavy CPU operations needed for processing SAE
commit since the attacker cannot simply replay the same frame multiple
times and instead, needs to request each token separately.

While this does not add significant extra processing/CPU need for the
attacker, this can be helpful in combination with the queued processing
of SAE commit messages in enforcing more delay during flooding of SAE
commit messages since the new anti-clogging token values are not
returned before the new message goes through the processing queue.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:07:03 +02:00
Jouni Malinen
ff9f40aee1 SAE: Process received commit message through a queue
This allows better control of processing new SAE sessions so that other
operations can be given higher priority during bursts of SAE requests,
e.g., during a potential DoS attack. The receive commit messages are
queued (up to maximum of 15 entries) and processed from eloop callback.
If the queue has multiple pending entries, more wait time is used to go
through the each new entry to reduce heavy CPU load from SAE processing.

Enable anti-clogging token use also based on the pending commit message
queue and not only based on the already started sessions.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:06:50 +02:00
Jouni Malinen
a053ab9590 tests: More complete group list for sae_groups
Add group 1 for completeness sake and also and Brainpool groups with
OpenSSL 1.1.*.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 13:05:23 +02:00
Jouni Malinen
a9fe13035e SAE: Enable only groups 19, 20, and 21 in station mode
Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP
Group) from the default SAE groups in station mode since those groups
are not as strong as the mandatory group 19 (NIST P-256).

In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 17:23:58 +02:00
Jouni Malinen
941bad5ef4 SAE: Enable only group 19 by default in AP mode
Change the AP mode default for SAE to enable only the group 19 instead
of enabling all ECC groups that are supported by the used crypto library
and the SAE implementations. The main reason for this is to avoid
enabling groups that are not as strong as the mandatory-to-support group
19 (i.e., groups 25 and 26). In addition, this disables heavier groups
by default.

In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 17:21:41 +02:00
Jouni Malinen
c097f12c8f tests: Enable needed SAE groups explicitly in sae_oom_wpas
Configure the sae_groups parameter for hostapd explicitly in preparation
for the default value change in the implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 17:14:05 +02:00
Jouni Malinen
656f4a3edd tests: Enable needed SAE groups explicitly in sigma_dut_sae
Configure the sae_groups parameter for hostapd explicitly in preparation
for the default value change in the implementation.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 17:12:44 +02:00
Jouni Malinen
b11fa98bcb Add explicit checks for peer's DH public key
Pass the group order (if known/specified) to crypto_dh_derive_secret()
(and also to OpenSSL DH_generate_key() in case of Group 5) and verify
that the public key received from the peer meets 1 < pubkey < p and
pubkey^q == 1 mod p conditions.

While all these use cases were using only ephemeral DH keys, it is
better to use more explicit checks while deriving the shared secret to
avoid unexpected behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 17:05:03 +02:00
Jouni Malinen
4a9531a755 bignum: Fix documentation for bignum_cmp_d()
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-05 16:10:33 +02:00
Jouni Malinen
3d5b88b5a0 tests: FT-SAE with Password Identifier
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-26 20:40:32 +02:00
Jouni Malinen
05103c400b tests: More robust connect command testing
Avoid an invalid failure case due to scan results being left behind from
connect_cmd_bssid_hint when executing connect_cmd_reject_assoc by
explicitly clearing the scan results from dev5. This fixes an error case
that happened with the following test case sequence:
connect_cmd_bssid_hint connect_cmd_reject_assoc

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 21:58:28 +02:00
Jouni Malinen
fe5400dda2 tests: Make MACsec test cases clear monitor socket more thoroughly
The wpas (dev5) control interface socket did not always get cleared in
the MACsec test cases and this could result in issues with following
test cases if the dev5 message queue hit the maximum limit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 21:40:23 +02:00
Lubomir Rintel
611308365e defconfig: Enable IEEE 802.11w management frame protection (wpa_supplicant)
NetworkManager can use these if available and the distros generally
enable this already.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
9515fa9250 defconfig: enable IEEE 802.11r fast BSS transition (wpa_supplicant)
Generally useful. Linux distros already enable these, upcoming
NetworkManager will support it too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
6b7a0da75b defconfig: Enable IEEE 802.11n and 802.11ac (wpa_supplicant)
I guess there's no reason anyone with capable hardware wouldn't want to
enable these. Debian and Fedora aleady do.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
467004d632 defconfig: Enable Hotspot 2.0 (wpa_supplicant)
Generally useful, Debian enables this. Other distros should too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
ec52faa2b2 defconfig: Enable RSN on IBSS networks (wpa_supplicant)
Fedora and Debian enable this. NetworkManager actually rejects such
configurations citing kernel bugs, but that actually might not be the
right thing to do anymore.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Jouni Malinen
67d99d2e07 defconfig: Remove obsolete notes about OpenSSL requirements for EAP-FAST
OpenSSL 0.9.8 reached its end-of-life long time ago, so remove these old
notes about need of a newer OpenSSL version for EAP-FAST since all
current OpenSSL versions include the needed functionality.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
eafc5fec22 defconfig: Enable a handful of EAP methods (wpa_supplicant)
Fedora uses AKA, FAST, GPSK_SHA256, GPSK, IKEV2, PAX, SAKE and TNC. I
don't know why these in particular. AKA wouldn't work, because
CONFIG_PCSC is off anyways; let's enable all the other ones, and also
PWD (openSUSE enabled it because users demanded it).

Debian enables all of the above uses, but also PWD, AKA_PRIME, SIM, PSK
and EKE.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
f64050da02 defconfig: Enable logging to file and syslog (wpa_supplicant)
Debian and Fedora enable both and log to syslog. openSUSE seems to log
to a flat file instead.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:50 +02:00
Lubomir Rintel
ae5240db86 defconfig: Enable simple bgscan module (wpa_supplicant)
Generally useful. Linux distros enable this and also utilize it via
NetworkManager.

Debian also enables the learn module. I'm leaving it off as it's marked
experimental.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
2d6d47219e defconfig: Enable AP (wpa_supplicant)
Generally useful. Debian and Fedora enable this and support creating
access points via NetworkManager too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
f87450a73f defconfig: Enable WPS (wpa_supplicant)
WPS is generally useful with consumer hardware, and exposed to desktop
users via NetworkManager.

The Linux distros, including Debian, Fedora, and openSUSE enable it.
Debian also enables external registar support and NFC.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Jouni Malinen
d989e67d07 defconfig: Fix typos in Wi-Fi Display description
These were supposed to be talking about Wi-Fi Display, not Wi-Fi Direct.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
c4eafad091 defconfig: Enable P2P and Wi-Fi Display (wpa_supplicant)
Generally useful. Debian and Fedora enable this, upcoming NetworkManager
provide some level of support too.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
bf46c6fca1 defconfig: Add SAE (wpa_supplicant)
Generally useful and the distros (Debian, Fedora) enable this already to
support WPA3-Personal and protected 802.11s mesh BSSs.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
ca098ee454 defconfig: Add DPP (wpa_supplicant)
Generally useful, already enabled in Debian and Fedora.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Lubomir Rintel
5644f0ce3a tests: Remove CONFIG_PEERKEY
The functionality has been removed in commit a0bf1b68c0 ('Remove all
PeerKey functionality').

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-02-25 19:48:49 +02:00
Jouni Malinen
2f7bc06816 UBSan: Avoid a warning on unsigned integer overflow
wpa_non_pref_chan_cmp() needs to use explicit typecasts to avoid UBSan
warnings for unsigned integer overflows.

mbo.c:298:26: runtime error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned int'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
f3e671591e tests: libFuzzer integration for test-json and test-x509
Allow these test tools to be used with libFuzzer in addition to
afl-fuzz.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
bb05d03606 Fix a regression from VLAN assignment using WPA/WPA2 passphrase/PSK
This extension of VLAN assignment code had a bug in one of the code
paths where vlan_id could have been left uninitialized. This could
result in SAE authentication getting rejected in cases where VLAN
assignment is not used if the uninitialized stack memory had nonzero
value.

Fixes: dbfa691df4 ("VLAN assignment based on used WPA/WPA2 passphrase/PSK")
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
429ed54a3d UBSan: Avoid a warning on signed left shift
Use unsigned 1 (1U) instead of signed (1) when doing left shift that
could potentially need to use all bits of the 32-bit unsigned variable.

radius_server.c:2254:14: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
b3957edbe9 UBSan: Split loop index decrementation into a separate step
Avoid an unnecessary unsigned integer overflow warning due to loop index
j-- use.

hostapd.c:661:10: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned int'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
5ac13f6d00 atheros: Avoid clang compiler warning on address of array check
ie.wps_ie is an array, so there is no point in checking whether it is
NULL.

driver_atheros.c:1221:9: error: address of array 'ie.wps_ie' will
      always evaluate to 'true' [-Werror,-Wpointer-bool-conversion]

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
aaa6b14984 Avoid compiler warning about potentially unaligned pointer value
(&mgmt->u.deauth.reason_code + 1) is not exactly clean and now that we
have the u8 variable[] member in the struct after this field, use that
directly to avoid clang compiler warning:
ctrl_iface_ap.c:454:18: error: taking address of packed member
      'reason_code' of class or structure 'ieee80211_mgmt::(anonymous
      union)::(anonymous)' may result in an unaligned pointer value
      [-Werror,-Waddress-of-packed-member]

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
cce974d367 UBSan: Define FST LLT macros without integer overflow
FST_MAX_LLT_MS definition depended on undefined behavior with unsigned
integer overflow. Avoid that and also optimize the
FST_LLT_{MS_TO_VAL,VAL_TO_MS} macros to handle larger values without
overflowing 32-bit unsigned integers.

fst_session.c:1274:52: runtime error: unsigned integer overflow: 4294967295 * 32 cannot be represented in type 'unsigned int'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
9140caf5fb UBSan: Avoid integer overflow in a loop index counter
Split the check and decrementation into separate steps to avoid an
unnecessary UBSan warning.

hostapd.c:1895:14: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
8fc22fdde6 UBSan: Avoid NULL pointer dereferences on an error path
hapd->conf might be NULL in case initialized failed, so better be
prepared for that when debug printing interface name in the deinit path.

hostapd.c:312:54: runtime error: member access within null pointer of type 'struct hostapd_bss_config'
hostapd.c:351:29: runtime error: member access within null pointer of type 'struct hostapd_bss_config'
hostapd.c:2158:18: runtime error: member access within null pointer of type 'struct hostapd_bss_config'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
43216777e5 UBSan: Avoid unsigned integer overflow in base64 encoding
Add a constraint on the base64 encoded buffer length to avoid an integer
overflow in the output length calculation.

common.c:1087:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
fed7d8fcba UBSan: Avoid unsigned integer overflow in utf8_{,un}escape()
Split the if/while loop condition into two independent steps so that
in_size-- happens only in the case in_size is nonzero. This gets rid of
unnecessary UBSan warnings.

common.c:1087:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
common.c:1076:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
common.c:1119:16: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
cc4cdefc7f UBSan: Avoid unnecessary warning
elems->mic might be NULL here, so do not try to decrement it by 2 even
if the result is not used anywhere due to a latter check for elems->mic
being NULL.

mesh_rsn.c:646:20: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xfffffffffffffffe

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
a9377bc380 UBSan: Avoid memcpy(ptr, NULL, 0)
This results in an UBSan warning that can be avoided easily.

os_unix.c:524:3: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
5a23c2528a UBSan: Avoid an unsigned integer overflow warning
ext_supp_rates_len would be 0 here, so decrementing it by 2 will result
in unsigned integer overflow even if that result is not actually used
anywhere. Avoid that to get rid of the UBSan warning.

tdls.c:1597:27: runtime error: unsigned integer overflow: 0 - 2 cannot be represented in type 'unsigned long'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
abde4eba45 UBSan: Pack MACsec peer id structure
This is needed to avoid an UBSan warning and since this struct is used
as part of a message construction, it needs to be packed anyway to
guarantee correct functionality.

ieee802_1x_kay.c:1021:3: runtime error: member access within misaligned address 0x0000031921e2 for type 'struct ieee802_1x_mka_peer_id', which requires 4 byte alignment

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
c4fccfc7a5 UBSan: Avoid memcmp(ptr, NULL, 0)
Skip the memcmp() call if ssid_len == 0 and entry->ssid might be NULL to
avoid an UBSan warning.

wpa_supplicant.c:3956:9: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:49 +02:00
Jouni Malinen
1b85cad29c UBSan: Use typecast to avoid unsigned integer overflow
iface->num_bss is unsigned integer, so need to explicit typecast it to
unsigned before decrementation by one even when the result is stored in
an unsigned integer.

../src/ap/hostapd.c:2185:26: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'unsigned long'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:48:46 +02:00
Jouni Malinen
e3b5bd81bd UBSan: Fix RRM beacon processing attempt without scan_info
Some driver interfaces (e.g., wext) might not include the
data->scan_info information and data could be NULL here. Do not try to
call the RRM handler in this case since that would dereference the NULL
pointer when determining where scan_info is located and could
potentially result in trying to read from unexpected location if RRM is
enabled with a driver interface that does not support it.

events.c:1907:59: runtime error: member access within null pointer of type 'union wpa_event_data'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:43:11 +02:00
Jouni Malinen
01d01a311c UBSan: Avoid size_t variable overflow in control interface
The loop "if (i-- == 0) break" style construction works in practice fine
since the check against 0 is done before decrementation. However, this
hits an UBSan warning, so split that decrementation to happen as a
separate step after the check and break from the loop.

ctrl_iface.c:5086:9: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-25 19:42:50 +02:00