Commit graph

18244 commits

Author SHA1 Message Date
Jouni Malinen
cd92f7f98a FIPS PRF: Avoid duplicate SHA1Init() functionality
The initialization values used for the FIPS 186-2 PRF are identical to
the ones used in SHA1Init(), so use that internal function instead of
maintaining a duplicate set of values here. fips186_2_prf() was already
using an internal SHA1Transform() function so using another internal
function does not make this any worse.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-27 00:32:12 +03:00
Jouni Malinen
5c87fcc154 OpenSSL: Use internal FIPS 186-2 PRF with OpenSSL 3.0
OpenSSL 3.0 has deprecated the low-level SHA1 functions and does not
include an upper layer interface that could be used to use the
SHA1_Transform() function. Use the internal SHA-1 implementation instead
as a workaround.

While this type of duplicate implementation of SHA-1 is not really
ideal, this PRF is needed only for EAP-SIM/AKA and there does not seem
to be sufficient justification to try to get this working more cleanly
with OpenSSL 3.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-27 00:32:10 +03:00
Jouni Malinen
9e305878c0 SAE-PK: Fix build without AES-SIV
CONFIG_SAE_PK=y was not pulling in AES-SIV implementation even though it
needs this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:23 +03:00
Jouni Malinen
c41004d861 OpenSSL: Convert more crypto_ec_key routines to new EVP API
This avoids some more uses of the deprecated EC_KEY API when using
OpenSSL 3.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:23 +03:00
Jouni Malinen
667a2959c2 OpenSSL: crypto_ec_key_get_public_key() using new EVP_PKEY API
Implement crypto_ec_key_get_public_key() without the deprecated EC_KEY
API when using OpenSSL 3.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:22 +03:00
Jouni Malinen
5b97395b3e OpenSSL: crypto_ec_key_get_private_key() using new EVP_PKEY API
Implement crypto_ec_key_get_private_key() without the deprecated EC_KEY
API when using OpenSSL 3.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:20 +03:00
Jouni Malinen
177ebfe109 crypto: Convert crypto_ec_key_get_public_key() to return new ec_point
This makes it easier for the crypto library/wrapper to avoid direct
references to internal EC key parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:19 +03:00
Jouni Malinen
26780d92f3 crypto: Convert crypto_ec_key_get_private_key() to return new bignum
This makes it easier for the crypto library/wrapper to avoid direct
references to internal EC key parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:18 +03:00
Jouni Malinen
c9c2c2d9c7 OpenSSL: Fix a memory leak on crypto_hash_init() error path
The EVP_MAC context data needs to be freed on error paths.

Fixes: e31500adea ("OpenSSL: Implement HMAC using the EVP_MAC API")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:17 +03:00
Jouni Malinen
6d19dccf94 OpenSSL: Free OSSL_DECODER_CTX in tls_global_dh()
The conversion to the new OpenSSL 3.0 API had forgotten to free the
context structure.

Fixes: bcd299b326 ("OpenSSL: Convert DH/DSA parameter loading to new API")
Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:16 +03:00
Jouni Malinen
4f4479ef9e OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API
Avoid using the deprecated EC_KEY API when building these functions with
OpenSSL 3.0.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-26 20:51:15 +03:00
Jouni Malinen
b092d8ee63 tests: imsi_privacy_attr
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-25 20:19:52 +03:00
Jouni Malinen
5636991749 EAP-SIM/AKA peer: IMSI privacy attribute
Extend IMSI privacy functionality to allow an attribute (in name=value
format) to be added using the new imsi_privacy_attr parameter.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-25 20:18:40 +03:00
Jouni Malinen
1004fb7ee4 tests: Testing functionality to discard DPP Public Action frames
This can be used to make sure wpa_supplicant does not process DPP
messages sent in Public Action frames when a test setup is targeting
DPP-over-TCP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 23:30:39 +03:00
Jouni Malinen
3550696160 tests: Add forgotten files for expired IMSI privacy cert tests
Fixes: 426932f061 ("tests: EAP-AKA and expired imsi_privacy_key")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 21:16:36 +03:00
Jouni Malinen
b9a222cdd7 tests: sigma_dut and DPP curve-from-URI special functionality
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 12:49:27 +03:00
Jouni Malinen
fa36e7ee48 tests: sigma_dut controlled STA and EAP-AKA parameters
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:44:03 +03:00
Jouni Malinen
99165cc4b0 Rename wpa_supplicant imsi_privacy_key configuration parameter
Use imsi_privacy_cert as the name of the configuration parameter for the
X.509v3 certificate that contains the RSA public key needed for IMSI
privacy. The only allowed format for this information is a PEM-encoded
X.509 certificate, so the previous name was somewhat confusing.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:44:03 +03:00
Jouni Malinen
dde7f90a41 tests: Update VM setup example to use Ubuntu 22.04 and UML
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:34:08 +03:00
Jouni Malinen
426932f061 tests: EAP-AKA and expired imsi_privacy_key
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:34:08 +03:00
Jouni Malinen
35eda6e700 EAP-SIM peer: Free imsi_privacy_key on an error path
This is an allocated resource so it needs to be freed on the error path.

Fixes: 42871a5d25 ("EAP-SIM/AKA peer: IMSI privacy")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:34:08 +03:00
Jouni Malinen
1328cdeb19 Do not try to use network profile with invalid imsi_privacy_key
Disable a network profile that has set the imsi_privacy_key if a valid
key cannot be read from the specified file. Previously, this check was
done only after having associated, but there is no point in associating
just to see EAP authentication fail in such a case. This is needed for
avoiding connection attempts if the X.509 certificate for IMSI privacy
has expired.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:34:08 +03:00
Jouni Malinen
d1652dc7cc OpenSSL: Refuse to accept expired RSA certificate
This is needed for IMSI privacy to avoid trying to use an expired public
key.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:32:56 +03:00
Jouni Malinen
866e7b7458 OpenSSL: Include rsa.h for OpenSSL 3.0
This is needed to get RSA_PKCS1_OAEP_PADDING.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-22 23:13:28 +03:00
Jouni Malinen
bc99366f9b OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
Commit 9afb68b039 ("OpenSSL: Allow systemwide secpolicy overrides for
TLS version") with commit 58bbcfa31b ("OpenSSL: Update security level
drop for TLS 1.0/1.1 with OpenSSL 3.0") allow this workaround to be
enabled with an explicit network configuration parameter. However, the
default settings are still allowing TLS 1.0 and 1.1 to be negotiated
just to see them fail immediately when using OpenSSL 3.0. This is not
exactly helpful especially when the OpenSSL error message for this
particular case is "internal error" which does not really say anything
about the reason for the error.

It is a bit inconvenient to update the security policy for this
particular issue based on the negotiated TLS version since that happens
in the middle of processing for the first message from the server.
However, this can be done by using the debug callback for printing out
the received TLS messages during processing.

Drop the OpenSSL security level to 0 if that is the only option to
continue the TLS negotiation, i.e., when TLS 1.0/1.1 are still allowed
in wpa_supplicant default configuration and OpenSSL 3.0 with the
constraint on MD5-SHA1 use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-22 17:01:35 +03:00
Johannes Berg
39e6623082 tests: Work around reentrant logging issues due to __del__ misuse
Unfortunately, some objects (WlantestCapture, WpaSupplicant
and wpaspy.Ctrl) use __del__ and actually have some logic
there. This is more or less wrong, and we should be using
context managers for it. However, cleaning that up is a
pretty large task.

Unfortunately, __del__ can cause reentrant logging which is
wrong too, because it might be invoked while in the middle
of a logging call, and the __del__ of these objects closes
connections and logs while doing that.

Since we're (likely) using cpython, we can work around this
by explicitly calling gc.collect() in a context where the
logging and close is fine, not only ensuring that all the
connections are closed properly before the next test, but
also fixing the issue with reentrant logging.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2022-05-22 11:46:57 +03:00
Jouni Malinen
72641f924e tests: Clean up failed test list in parallel-vm.py
Instead of printing a very long line of the failed tests, print the test
case names on separate lines up to the number of available lines at the
bottom of the screen. This avoids some issues with curses and overlong
lines. Furthermore, display the last failed test cases instead of
a somewhat confusing sequence of test case names from the VMs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-22 11:43:38 +03:00
Jouni Malinen
e36a7c7940 tests: Support pycryptodome
This is a drop-in replacement for pycrypto and the only version that is
now available in Ubuntu 22.04.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-22 11:08:59 +03:00
Jouni Malinen
a44744d3bb tests: Set ECB mode for AES explicitly to work with cryptodome
AES.new() needs the mode to be set explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-22 11:08:23 +03:00
Jouni Malinen
e90ea900a9 tests: sigma_dut DPP TCP Configurator as initiator with addr from URI
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-19 22:54:44 +03:00
Jouni Malinen
ed325ff0f9 DPP: Allow TCP destination (address/port) to be used from peer URI
tcp_addr=from-uri can now be used as a special case for initiating
DPP-over-TCP to the destination indicated in the peer bootstrapping URI.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-19 22:53:36 +03:00
Jouni Malinen
e58dabbcfb tests: DPP URI with host info
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-19 17:55:25 +03:00
Jouni Malinen
37bb4178b5 DPP: Host information in bootstrapping URI
Parse the host information, if present, in bootstrapping URI and allow
such information to be added when generating the URI.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-19 17:55:25 +03:00
Jouni Malinen
1142b6e415 EHT: Do not check HE PHY capability info reserved fields
Only use the bandwidth bits that are applicable for the current
operating band. This avoids use of reserved bits when determining the
length of the Supported EHT-MCS And NSS Set field.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 19:39:57 +03:00
Jouni Malinen
7173992b96 tests: Flush scan table in ap_wps_priority to make it more robust
This test case could fail if there was an old BSS entry from a previous
test case in the scan results.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 19:09:23 +03:00
Jouni Malinen
b9313e17e8 tests: Update ap_wpa2_psk_ext_delayed_ptk_rekey to match implementation
This test case was checking the exact key info bits in EAPOL-Key frames
during PTK rekeying and, as such, needs to be updated to match the
implementation change on the Secure bit setting.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 19:06:47 +03:00
Jouni Malinen
bc36991791 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
IEEE Std 802.11-2020 is ambiguous on how the Secure bit is set in
EAPOL-Key msg 1/4 and 2/4 in the case where 4-way handshake is used to
rekey the PTK. 12.7.2 describes this with "set to 1 once the initial key
exchange is complete" while 12.7.6 shows EAPOL-Key msg 1/4 and 2/4 using
Secure=0 without any consideration on whether the handshake is for
rekeying.

TGme seems to be moving towards clarifying this to use Secure=1 based on
there being a shared PTKSA between the Authenticator and the Supplicant.
In other words, this would use Secure=1 in EAPOL-Key msg 1/4 and 2/4 in
the case of rekeying. Change implementation to match that. This bit was
already practically ignored on the reception side, so this should not
have impact on actual functionality beyond this one bit changing its
value in the frame.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-16 17:47:17 +03:00
Jouni Malinen
d2ce1b4d6c tests: Wait for request before responding in dscp_response
There was a possible race condition here between the hostapd request
transmission and wpa_supplicant response command. Wait for the
wpa_supplicant event that indicates reception of the request before
issuing the DSCP_RESP command to avoid failures.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-09 11:45:33 +03:00
Jouni Malinen
b859b9bcea Simplify wpa_bss_get_vendor_ie_multi_beacon() bounds checking
This makes it easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:28:58 +03:00
Jouni Malinen
fc9648a6a1 DPP: Debug print if no relay is available for PKEX exchange
This makes it easier to see what happened with the received PKEX frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:25:09 +03:00
Jouni Malinen
1739d50c20 FST: More robust bounds checking of local data in fst_dump_mb_ies()
Check the full MBIE length against the buffer length explicitly before
the debug print. This is for locally generated data, so the bounds
checking is not critical here, but it is better to use proper checking
anyway to avoid static analyzer complaints.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:18:58 +03:00
Jouni Malinen
63eb98a8ee SAE: Make Anti-Clogging token element parsing simpler
This will hopefully be easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:14:34 +03:00
Jouni Malinen
a6e04a0676 Simplify DSCP policy parsing
Make the bounds checking easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 17:09:08 +03:00
Jouni Malinen
77bb12a604 P2P: Maintain ip_pool bitfield index separately
Avoid the somewhat confusing mechanism of determining the bitfield index
from the assigned IP address to make this easier for static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:59:31 +03:00
Jouni Malinen
3f3ce0571c Check sscanf() return value in TWT_SETUP parsing
Reject invalid values instead of proceeding.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:55:45 +03:00
Jouni Malinen
2982e50c15 EAP-SAKE: Simplify attribute parser for static analyzers
Make bounds checking in eap_sake_parse_attributes() easier to analyze.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:53:38 +03:00
Jouni Malinen
6e8518749f GAS: Limit maximum comeback delay value
Limit the GAS comeback delay to 60000 TUs, i.e., about 60 seconds. This
is mostly to silence static analyzers that complain about unbounded
value from external sources even though this is clearly bounded by being
a 16-bit value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:41:37 +03:00
Jouni Malinen
fe1dc9ba77 WNM: Try to make bounds checking easier for static analyzers
The length of the URL, i.e., pos[0], is verified here to be within the
bounds of the received message, but that seemed to be done in a manner
that might be too complex for static analyzers to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:41:31 +03:00
Jouni Malinen
f8615990e2 Simplify wpa_parse_kde_ies()
Use a local variable to store the full IE length instead of calculating
it multiple times.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:36:09 +03:00
Jouni Malinen
61d37f44b7 Simplify wpa_parse_generic()
Use local variables and common checking of the selector (or vendor
specific IE header) to make the bounds checking easier to understand.

Signed-off-by: Jouni Malinen <j@w1.fi>
2022-05-08 16:36:09 +03:00