Commit Graph

5003 Commits

Author SHA1 Message Date
Jouni Malinen
0764dd6849 TLS client: Multi-OCSP check to cover intermediate CAs
This extends multi-OCSP support to verify status for intermediate CAs in
the server certificate chain.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
d6b536f7e5 Add ocsp=3 configuration parameter for multi-OCSP
ocsp=3 extends ocsp=2 by require all not-trusted certificates in the
server certificate chain to receive a good OCSP status. This requires
support for ocsp_multi (RFC 6961). This commit is only adding the
configuration value, but all the currently included TLS library wrappers
are rejecting this as unsupported for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
02683830b5 TLS: Move variable declaration to the beginning of the block
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-24 00:54:30 +02:00
Jouni Malinen
b5677752b2 TLS client: OCSP stapling with ocsp_multi option (RFC 6961)
This adds a minimal support for using status_request_v2 extension and
ocsp_multi format (OCSPResponseList instead of OCSPResponse) for
CertificateStatus. This commit does not yet extend use of OCSP stapling
to validate the intermediate CA certificates.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 20:44:56 +02:00
Jouni Malinen
8ea6a27003 TLS server: OCSP stapling with ocsp_multi option (RFC 6961)
This allows hostapd with the internal TLS server implementation to
support the extended OCSP stapling mechanism with multiple responses
(ocsp_stapling_response_multi).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 20:44:52 +02:00
Jouni Malinen
5addb0df59 Server configuration for OCSP stapling with ocsp_multi (RFC 6961)
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 19:42:07 +02:00
Jouni Malinen
bca0872dd5 TLS server: OCSP stapling
This adds support for hostapd-as-authentication-server to be build with
the internal TLS implementation and OCSP stapling server side support.
This is more or less identical to the design used with OpenSSL, i.e.,
the cached response is read from the ocsp_stapling_response=<file> and
sent as a response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 17:53:45 +02:00
Jouni Malinen
9532bd2b44 GnuTLS: OCSP stapling on the server side
This adds support for hostapd-as-authentication-server to be build
against GnuTLS with OCSP stapling server side support. This is more or
less identical to the design used with OpenSSL, i.e., the cached
response is read from the ocsp_stapling_response=<file> and sent as a
response if the client requests it during the TLS handshake.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 16:47:29 +02:00
Jouni Malinen
6241766709 Use wpa_msg() for the "RSN: PMKID mismatch" message
This message is sent at MSG_INFO level and it is supposed to go out even
even debug messages were to be removed from the build. As such, use
wpa_msg() instead of wpa_dbg() for it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 11:22:19 +02:00
Jouni Malinen
e161451fc8 EAP-EKE: Merge identical error return paths
There is no need to maintain multiple copies of the same error return
path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-22 00:10:22 +02:00
Jouni Malinen
13cb0a66d5 EAP-EKE: Reject too long Prot() data when building a frame
This error case in own buffer lengths being too short was not handled
properly. While this should not really happen since the wpabuf
allocation is made large for the fixed cases that are currently
supported, better make eap_eke_prot() safer if this functionally ever
gets extended with a longer buffer need.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-22 00:10:22 +02:00
Jouni Malinen
a587666cba GAS server: Replenish temporary STA entry timeout on comeback request
Previously, the five second timeout was added at the beginning of the
full GAS query and it was not replenished during fragmented exchanges.
This could result in timing out a query if it takes significant time to
go through the possibly multiple fragments and long comeback delay.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 19:43:23 +02:00
Jouni Malinen
cb73008594 EAP-TTLS/PEAP/FAST: Reject unsupported Phase 2 method in configuration
Instead of using default list of methods, reject a configuration with an
unsupported EAP method at the time the main TLS method is being
initialized.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:32:10 +02:00
Jouni Malinen
18704f6cdc EAP-TLS: Merge common error paths
There is no need to keep these identical error paths separate.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:25:41 +02:00
Jouni Malinen
4f5c86e7bd EAP-PEAP peer: Fix a memory leak on an error path
If memory allocation for adding SoH response fails, the SoH response was
not freed properly on the error path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 17:25:41 +02:00
Jouni Malinen
cd5895e8c5 WPA: Explicitly clear the buffer used for decrypting Key Data
When AES-WRAP was used to protect the EAPOL-Key Key Data field, this was
decrypted using a temporary heap buffer with aes_unwrap(). That buffer
was not explicitly cleared, so it was possible for the group keys to
remain in memory unnecessarily until the allocated area was reused.
Clean this up by clearing the temporary allocation explicitly before
freeing it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-20 10:52:30 +02:00
Jouni Malinen
4b90fcdb76 EAP-PEAP peer: Check SHA1 result when deriving Compond_MAC
This handles a mostly theoretical case where hmac_sha1_vector() might
fail for some reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 20:34:27 +02:00
Jouni Malinen
6ca5838b01 EAP-PEAP server: Add support for fast-connect crypto binding
IPMK and CMK are derived from TK when using TLS session resumption with
PEAPv0 crypto binding. The EAP-PEAP peer implementation already
supported this, but the server side did not.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 20:22:43 +02:00
Jouni Malinen
6560caf2ca EAP-PEAP peer: Remove unused return value and error path
eap_peap_parse_phase1() returned 0 unconditionally, so there was no need
for that return value or the code path that tried to address the error
case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-19 19:54:56 +02:00
Johannes Berg
0e92fb8fae rfkill: Match only the correct expected wiphy rfkill
On systems that have multiple WLAN rfkill instances, the rfkill code
can become confused into thinking that the device was unblocked when
in fact it wasn't, because it only matches on the WLAN type.

Since it then stores the new (unblocked) state from the wrong rfkill
instance, it will never retry the failing IFF_UP operation and the
user has to toggle rfkill again, or otherwise intervene manually, in
this case to get back to operational state.

Fix this by using the existing (but unused) ifname argument when the
rfkill instance is created to match to a specific rfkill index only.

As a P2P Device interface does not have a netdev interface associated
with it, use the name of a sibling interface to initialize the rfkill
context for the P2P Device interface. For nl80211, as the wiphy index
is known only after getting the driver capabilities from the kernel,
move the initialization of the rfkill object to
wpa_driver_nl80211_finish_drv_init().

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-12-18 22:26:18 +02:00
Ilan Peer
6da504a1f5 nl80211: Handle rfkill for P2P Device interface
The rfkill processing in nl80211 driver assumes that the
INTERFACE_ENABLED/DISABLED will be also issued, so does not do much in
the rfkill callbacks. However, as a P2P Device interface is not
associated with a network interface, these events are not issued for it.

Handle rfkill events for the P2P_DEVICE interface by faking the
INTERFACE_ENABLED/DISABLED.

Signed-off-by: Moshe Benji <Moshe.Benji@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-12-18 22:26:18 +02:00
Arik Nemtsov
dabdef9e04 TDLS: Ignore incoming TDLS Setup Response retries
The Setup Response timer is relatively fast (500 ms) and there are
instances where it fires on the responder side after the initiator has
already sent out the TDLS Setup Confirm frame. Prevent the processing of
this stale TDLS Setup Response frame on the initiator side.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2015-12-18 20:32:39 +02:00
Ayala Beker
819ad5b70b utils: Fix NULL pointer dereference with unexpected kernel behavior
Fix mostly theoretical NULL pointer dereference in
wpa_debug_open_linux_tracing() if /proc/mounts were to return a
malformed line.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2015-12-18 00:24:52 +02:00
Pali Rohár
f24e48861d EAP-TTLS peer: Fix parsing auth= and autheap= phase2 params
This patch fixes an issue with an invalid phase2 parameter value
auth=MSCHAPv2 getting interpreted as auth=MSCHAP (v1) which could
degrade security (though, only within a protected TLS tunnel). Now when
invalid or unsupported auth= phase2 parameter combinations are
specified, EAP-TTLS initialization throws an error instead of silently
doing something.

More then one auth= phase2 type cannot be specified and also both auth= and
autheap= options cannot be specified.

Parsing phase2 type is case sensitive (as in other EAP parts), so phase2
parameter auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.

Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
[Use cstr_token() to get rid of unnecessary allocation; cleanup]
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-18 00:24:30 +02:00
Matt Woods
47c1de20a4 atheros: Unify memory processing functions
There are two types of memory processing functions in the file
atheros_driver.c, such as memory and os_memory. Unify the processing
functions into one type which has the prefix "os_".

Signed-off-by: Matt Woods <matt.woods@aliyun.com>
2015-12-17 23:29:25 +02:00
Jouni Malinen
8ba8c01d0c TLS: Report OCSP rejection cases when no valid response if found
This adds a CTRL-EVENT-EAP-TLS-CERT-ERROR and CTRL-EVENT-EAP-STATUS
messages with 'bad certificate status response' for cases where no valid
OCSP response was received, but the network profile requires OCSP to be
used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-17 11:47:38 +02:00
Jouni Malinen
f163ed8bae TLS: Process OCSP SingleResponse(s)
This completes OCSP stapling support on the TLS client side. Each
SingleResponse value is iterated until a response matching the server
certificate is found. The validity time of the SingleResponse is
verified and certStatus good/revoked is reported if all validation step
succeed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-17 11:28:38 +02:00
Jouni Malinen
8e3271dcd1 TLS: Store DER encoded version of Subject DN for X.509 certificates
This is needed for OCSP issuerNameHash matching.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-17 11:28:38 +02:00
Jouni Malinen
32ce69092e TLS: Share digest OID checkers from X.509
These will be used by the OCSP implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-17 11:28:38 +02:00
Jouni Malinen
b72a36718f TLS: Support longer X.509 serialNumber values
This extends the old support from 32 or 64 bit value to full 20 octets
maximum (RFC 5280, 4.1.2.2).

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-17 01:41:45 +02:00
Jouni Malinen
af4eba16ce TLS: Parse and validate BasicOCSPResponse
This adds the next step in completing TLS client support for OCSP
stapling. The BasicOCSPResponse is parsed, a signing certificate is
found, and the signature is verified. The actual sequence of OCSP
responses (SignleResponse) is not yet processed in this commit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-17 00:48:34 +02:00
Jouni Malinen
06f14421ea TLS: Parse OCSPResponse to extract BasicOCSPResponse
This adds the next step for OCSP stapling. The received OCSPResponse is
parsed to get the BasicOCSPResponse. This commit does not yet process
the BasicOCSPResponse.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-14 15:49:01 +02:00
Jouni Malinen
d560288a44 TLS: Parse CertificateStatus message
This allows the internal TLS client implementation to accept
CertificateStatus message from the server when trying to use OCSP
stapling. The actual OCSPResponse is not yet processed in this commit,
but the CertificateStatus message is accepted to allow the TLS handshake
to continue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-14 15:49:01 +02:00
Jouni Malinen
eeba168453 TLS: Add status_request ClientHello extension if OCSP is requested
This allows the internal TLS implementation to request server
certificate status using OCSP stapling. This commit is only adding code
to add the request. The response is not yet used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-14 15:49:01 +02:00
Jouni Malinen
4303d531a8 TLS: Parse ServerHello extensions
This prints the received ServerHello extensions into the debug log and
allows handshake to continue even if such extensions are included.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-14 15:49:01 +02:00
Jouni Malinen
6b7bb42923 TLS: Add minimal support for PKCS #12
This allows the internal TLS implementation to parse a private key and a
certificate from a PKCS #12 file protected with
pbeWithSHAAnd3-KeyTripleDES-CBC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-14 15:49:01 +02:00
Jouni Malinen
5ce2941bfe TLS: Extend PKCS #5 to support PKCS #12 style key decryption
This adds support for decrypting private keys protected with the old
PKCS #12 mechanism using OID pbeWithSHAAnd3-KeyTripleDES-CBC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-14 15:49:01 +02:00
Jouni Malinen
f6a62df8e1 TLS: Fix and complete ASN.1 tag list
One of the unused defines had incorrect value and couple of tags were
missing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-13 22:12:07 +02:00
Jouni Malinen
3c108b7573 EAP peer: External server certificate chain validation
This adds support for optional functionality to validate server
certificate chain in TLS-based EAP methods in an external program.
wpa_supplicant control interface is used to indicate when such
validation is needed and what the result of the external validation is.

This external validation can extend or replace the internal validation.
When ca_cert or ca_path parameter is set, the internal validation is
used. If these parameters are omitted, only the external validation is
used. It needs to be understood that leaving those parameters out will
disable most of the validation steps done with the TLS library and that
configuration is not really recommend.

By default, the external validation is not used. It can be enabled by
addingtls_ext_cert_check=1 into the network profile phase1 parameter.
When enabled, external validation is required through the CTRL-REQ/RSP
mechanism similarly to other EAP authentication parameters through the
control interface.

The request to perform external validation is indicated by the following
event:
CTRL-REQ-EXT_CERT_CHECK-<id>:External server certificate validation needed for SSID <ssid>

Before that event, the server certificate chain is provided with the
CTRL-EVENT-EAP-PEER-CERT events that include the cert=<hexdump>
parameter. depth=# indicates which certificate is in question (0 for the
server certificate, 1 for its issues, and so on).

The result of the external validation is provided with the following
command:
CTRL-RSP-EXT_CERT_CHECK-<id>:<good|bad>

It should be noted that this is currently enabled only for OpenSSL (and
BoringSSL/LibreSSL). Due to the constraints in the library API, the
validation result from external processing cannot be reported cleanly
with TLS alert. In other words, if the external validation reject the
server certificate chain, the pending TLS handshake is terminated
without sending more messages to the server.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 18:24:27 +02:00
Jouni Malinen
b6e5e14fd4 EAP-FAST peer: Fix PAC parser error messages
Do not override the parsing error with the "PAC block not terminated
with END" message if the reason for the END line not yet being seen is
in failure to parse an earlier line.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 12:00:28 +02:00
Jouni Malinen
5b904b3e42 EAP-FAST: Check T-PRF result in MSK/EMSK derivation
Pass the error return from sha1_t_prf() to callers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 11:20:05 +02:00
Jouni Malinen
b1d8c5ce6a EAP-FAST peer: Fix error path handling for Session-Id
It was possible to hit a NULL pointer dereference if Session-Id
derivation failed due to a memory allocation failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-12 11:12:32 +02:00
Jouni Malinen
36478a16e6 OpenSSL: Support new API for HMAC/EVP_MD_CTX in OpenSSL 1.1.x-pre1
The EVP_MD_CTX and HMAC_CTX definitions are now hidden from applications
using OpenSSL. Fix compilation issues with OpenSSL 1.1.x-pre1 by using
the new API for allocating these structures.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 18:11:39 +02:00
Jouni Malinen
9257610a6e FT: Fix FTIE generation for EAPOL-Key msg 3/4
This FTIE needs to be an exact copy of the one in (Re)Association
Response frame. Copy the stored element rather than building a new copy
that would not have the correct MIC value. This is needed to fix PTK
rekeying after FT protocol run.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 00:14:36 +02:00
Jouni Malinen
e44bd28cd1 FT: Fix sm->assoc_resp_ftie storing on the AP side
The FTIE from (Re)Association Response frame was copied before
calculating the MIC. This resulted in incorrect value being used when
comparing the EAPOL-Key msg 2/4 value in case PTK rekeying was used
after FT protocol run. Fix this by storing the element after the MIC
field has been filled in.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 00:14:35 +02:00
Jouni Malinen
59e78c2408 FT: Fix FTIE generation for 4-way handshake after FT protocol run
wpa_insert_pmkid() did not support cases where the original RSN IE
included any PMKIDs. That case can happen when PTK rekeying through
4-way handshake is used after FT protocol run. Such a 4-way handshake
used to fail with wpa_supplicant being unable to build the EAPOL-Key msg
2/4.

Fix this by extending wpa_insert_pmkid() to support removal of the old
PMKIDs, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-10 00:14:35 +02:00
Jouni Malinen
b0ecbd3a4a AP: Use more readable version of management group cipher in error cases
This makes it easier to interpret AP side debug log for a case where a
station specifies in unsupported management group cipher.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 20:01:05 +02:00
Jouni Malinen
651c6a84af Add TEST_ASSOC_IE for WPA/RSN IE testing on AP side
The new wpa_supplicant control interface command "TEST_ASSOC_IE
<hexdump>" can now be used to override the WPA/RSN IE for Association
Request frame and following 4-way handshake to allow protocol testing of
AP side processing of WPA/RSN IE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-06 19:33:16 +02:00
Jouni Malinen
5c8acf7d96 EAP-IKEv2: Check HMAC SHA1/MD5 result
Make the IKEv2 helper functions return a possible error return from the
HMAC routines.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-05 21:49:04 +02:00
Jouni Malinen
4db29e6a8a TLS: Add support for PKCS #5 v2.0 PBES2
This extends the internal TLS support for PKCS #5 v2.0 PBES2 private key
format with des-ede3-cbc encryption and PBKDF2 SHA-1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-12-05 20:23:12 +02:00