Commit graph

17106 commits

Author SHA1 Message Date
Jouni Malinen
173e7eedef RSA: Use ASN.1 helper functions
Simplify ASN.1 parser operations by using the shared helper functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
72b0217ab1 PKCS: Use ASN.1 helper functions
Simplify ASN.1 parser operations by using the shared helper functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
a0541334a6 ASN.1: Validate DigestAlgorithmIdentifier parameters
The supported hash algorithms do not use AlgorithmIdentifier parameters.
However, there are implementations that include NULL parameters in
addition to ones that omit the parameters. Previous implementation did
not check the parameters value at all which supported both these cases,
but did not reject any other unexpected information.

Use strict validation of digest algorithm parameters and reject any
unexpected value when validating a signature. This is needed to prevent
potential forging attacks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
94beb8e367 ASN.1: Fix AlgorithmInfo parsing for signatures
Digest is within the DigestInfo SEQUENCE and as such, parsing for it
should use the end of that data instead of the end of the decrypted
signature as the end point. Fix this in the PKCS #1 and X.509
implementations to avoid accepting invalid digest data that is
constructed to get the hash value from after the actual DigestInfo
container.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
ee76493bbd ASN.1: Reject invalid definite long form length values in DER encoding
The definite long form for the length is allowed only for cases where
the definite short form cannot be used, i.e., if the length is 128 or
greater. This was not previously enforced and as such, multiple
different encoding options for the same length could have been accepted.

Perform more strict checks to reject invalid cases for the definite long
form for the length. This is needed for a compliant implementation and
this is especially important for the case of verifying DER encoded
signatures to prevent potential forging attacks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
3af75f23b0 ASN.1: Reject invalid extended tags in DER encoding
The extended tag case is allowed only for tag values that are 31 or
larger (i.e., the ones that would not fit in the single octet identifier
case with five bits). Extended tag format was previously accepted even
for the values 0..31 and this would enable multiple different encodings
for the same tag value. That is not allowed for DER.

Perform more strict checks to reject invalid extended tag values. This
is needed for a compliant implementation and this is especially
important for the case of verifying DER encoded signatures to prevent
potential forging attacks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
d6831a0e93 ASN.1: Explicitly validate constructed bit while parsing DER
The identifier octet in DER encoding includes three components. Only two
of these (Class and Tag) were checked in most cases when looking for a
specific data type. Also check the Primitive/Constructed bit to avoid
accepting invalid encoding.

This is needed for correct behavior in DER parsing and especially
important for the case of verifying DER encoded signatures to prevent
potential forging attacks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
b421a7cf2a ASN.1: Use the helper functions for recognizing tags and debug prints
Simplify the core ASN.1 parser implementation by using the helper
functions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
9a990e8c4e ASN.1: Add helper functions for recognizing tag values
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-14 11:37:58 +02:00
Jouni Malinen
9bf4c0539b ASN.1: Verify that NULL value has zero length
This value is required to contain no octets, so verify that its length
octet agrees with that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-13 23:15:55 +02:00
Jouni Malinen
f629bfe225 ASN.1: Add helper functions for debug printing identifier/length info
These can be helpful in cleaning up implementation of more or less
identical debug printing operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-13 23:15:55 +02:00
Jouni Malinen
429f725d9b ASN.1: Define tag value for TIME
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-13 23:15:55 +02:00
Jouni Malinen
4481b03ee3 ASN.1: Fix a typo in a not-used tag name
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-13 23:15:55 +02:00
Jouni Malinen
4ca8ef3df1 tests: Allow test-rsa-sig-ver data files to be set on command line
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-12 23:24:29 +02:00
Jouni Malinen
2b4db417d5 tests: Work around race conditions in OWE test cases
Need to explicitly wait for hostapd to report STA connection before
starting the traffic test to avoid the potential race condition when
testing with UML and time travel mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-12 19:59:52 +02:00
Jouni Malinen
f164dd87b9 tests: Make INTERWORKING_SELECT test cases more reliable
These could fail if a scan entry from a previous test case was still
present in the BSS table, e.g., by wpa_supplicant selecting the SSID
from that old entry instead of the new SSID. Try to avoid that by
explicitly flushing the scan results before starting these tests.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-12 11:46:22 +02:00
Peter Åstrand
2f2a570755 nl80211: Restore station mode on deinit only if station when started
With the earlier code, a mesh interface was changed to station after
deinit.

Signed-off-by: Peter Astrand <peter.astrand@etteplan.com>
2021-03-12 11:00:15 +02:00
Jouni Malinen
5013897532 tests: TWT_SETUP with the control argument
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-12 10:54:14 +02:00
Ben Greear
a746393dcf TWT: Allow specifying Control field value in TWT Request
See IEEE P802.11ax/D8.0, Figure 9-687 (Control field format) for
details.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-12 10:53:02 +02:00
Jouni Malinen
a3c94d61cd tests: Disabling HE support in STA
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-12 10:47:50 +02:00
Ben Greear
a6b2007c2f nl80211: Support disabling HE in infrastructure BSS as station
Send a flag to the kernel when user has specified disable_he=1 in the
network configuration block. This extends the functionality added in
commit 7c8f540ee0 ("wpa_supplicant: Add HE override support") to cover
the cases that need kernel functionality.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-12 10:40:25 +02:00
Andrei Otcheretianski
01f2e54ce7 P2P: Clear pending_listen_freq when stopping listen
If listen work never started, pending_listen_freq might be left
uncleared, preventing the subsequent listen to start. This could happen
in p2p_timeout_wait_peer_idle() after the commit 13256b8cf ("P2P: Stop
old listen radio work before go to WAIT_PEER_IDLE state") added a
stop_listen() call there.

Fixes: 13256b8cf3 ("P2P: Stop old listen radio work before go to WAIT_PEER_IDLE state")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-03-12 10:38:14 +02:00
Andrei Otcheretianski
82a348eda4 wpa_supplicant: Don't process EAPOL frames while disconnecting
An EAPOL frame may be pending when wpa_supplicant requests to
deauthenticate. At this stage the EAP SM cache is already cleaned by
calling eapol_sm_invalidate_cached_session(). Since at this stage the
wpa_supplicant's state is still set to associated, the EAPOL frame is
processed and results in a crash due to NULL dereference.

This wasn't seen previously as nl80211 wouldn't process the
NL80211_CMD_CONTROL_PORT_FRAME, since wpa_driver_nl80211_mlme() would
set the valid_handler to NULL. This behavior was changed in commit
ab89291928 exposing this race.

Fix it by ignoring EAPOL frames while the deauthentication is in
progress.

Fixes: ab89291928 ("nl80211: Use process_bss_event() for the nl_connect handler")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2021-03-12 09:57:23 +02:00
Stefan Paetow
e80e6a2f17 eapol_test: Add address family for IPv4 in Windows build
Add the address family when manually constructing IPv4 addresses in
eapol_test on Windows. Otherwise other functions, like hostapd_ip_txt()
in src/utils/ip_addr.c, that rely on addr->af being set fail miserably.
The non-Windows option uses hostapd_parse_ip_addr() which does this as
part of the helper function.

Signed-off-by: Stefan Paetow <oss@eons.net>
2021-03-12 09:49:20 +02:00
Swarn Singh
cd2f8151ee Add support to return bandwidth for channel 2 of the 6 GHz band
The 6 GHz band operating class 136 is defined to use 20 MHz bandwidth.
Return the value accordingly from center_idx_to_bw_6ghz() to cover this
special case.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-12 00:12:16 +02:00
Mohammad Asaad Akram
6b4e32da89 New vendor attribute to configure TWT mantissa in microseconds
Define the following additional TWT attribute for
qca_wlan_vendor_attr_twt_setup:
QCA_WLAN_VENDOR_ATTR_TWT_SETUP_WAKE_INTVL2_MANTISSA to configure the
mantissa in microseconds.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-12 00:10:13 +02:00
Jouni Malinen
e90ededb4b wlantest: Skip Mesh Control field from the beginning of payload
This allows correct processing of Data frames with Mesh Control field by
finding the LLC/SNAP header after that field.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-09 20:20:24 +02:00
Jouni Malinen
503901e72d wlantest: Check all configured TKs if no matching GTK is known
This allows group-addressed frames to be decrypted by listing all
possible GTKs in the PTK file.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2021-03-09 17:29:48 +02:00
Jouni Malinen
9216929ab6 tests: HE and TWT
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 22:08:52 +02:00
Ben Greear
7fd2f24962 TWT: Support sending TWT Setup and Teardown Action frames
This adds new control interface commands TWT_SETUP and TWT_TEARDOWN. For
now, these are only for testing purposes to be able to trigger
transmission of the TWT Action frames without configuring any local
behavior for TWT in the driver.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2021-03-07 22:07:37 +02:00
Jouni Malinen
edbaffc4f6 wpabuf: Add helper functions for writing 64-bit integers
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 21:31:41 +02:00
Jouni Malinen
cf47a43335 tests: EAP-SIM DB error cases (SQLite)
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 17:58:14 +02:00
Jouni Malinen
ac2dddf7d1 tests: DPP NFC with hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 17:38:27 +02:00
Jouni Malinen
96279a5c51 tests: DPP chirp with an AP as a standalone Configurator
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 13:18:01 +02:00
Jouni Malinen
fd13693cac tests: DPP PKEX errors with hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 13:12:37 +02:00
Jouni Malinen
d28c2de249 tests: DPP chirp errors in hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 13:02:59 +02:00
Jouni Malinen
692ff6f002 tests: DPP Controller management in hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:57:25 +02:00
Jouni Malinen
39ff1a67ad tests: Invalid DAC_REQUEST values
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:46:38 +02:00
Jouni Malinen
ea82abc18a tests: hostapd ATTACH errors
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:41:16 +02:00
Jouni Malinen
234761082a tests: hostapd PMKSA_ADD failures
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:34:32 +02:00
Jouni Malinen
17d85158cf Fix hostapd PMKSA_ADD with Authenticator disabled
This function can get called with hapd->wpa_auth == NULL from the
control interface handler, so explicitly check for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:33:30 +02:00
Jouni Malinen
e6dae30ce1 tests: EAPOL/key config test command failures
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:25:38 +02:00
Jouni Malinen
261dbf7341 tests: hostapd GET_CAPABILITY
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:14:54 +02:00
Jouni Malinen
b385b4765d tests: ADD_MAC/DEL_MAC special cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:11:56 +02:00
Jouni Malinen
b0ded7d273 tests: Additional invalid SET_NEIGHBOR coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:08:02 +02:00
Jouni Malinen
924c17aad5 tests: hostapd ctrl_iface SHOW_NEIGHBOR while neighbor report disabled
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:05:09 +02:00
Jouni Malinen
8e6a56b6e0 tests: Additional invalid REQ_BEACON cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 12:02:46 +02:00
Jouni Malinen
9c47624fc8 tests: VENDOR command
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 11:51:54 +02:00
Jouni Malinen
0a549776ce tests: VHT CSA with VHT80+80 getting enabled
Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 01:42:48 +02:00
Jouni Malinen
147d6d3727 Update VHT capabilities info on channel switch event
This is needed to be able to move from 80 MHz or lower bandwidth to 160
or 80+80 MHz bandwidth (and back) properly without leaving the Beacon
frame VHT elements showing incorrect information.

Signed-off-by: Jouni Malinen <j@w1.fi>
2021-03-07 01:35:25 +02:00