[wpa_supplicant] Cumulative patch from b8491ae5a
Also revert local solution for encrypted IMSI and use the upstream version.
Bug: 134177972
Test: Device boots up and connects to WPA3/OWE wifi networks, run traffic.
Test: Able to turn on/off softap, associate wifi STA, run traffic.
Test: Regression test passed (Bug: 137653009)
Change-Id: Ie34a0138a3a2039b03101c788b43acbb33f8332a
diff --git a/src/tls/asn1.c b/src/tls/asn1.c
index 822f87c..a08c2e1 100644
--- a/src/tls/asn1.c
+++ b/src/tls/asn1.c
@@ -22,6 +22,36 @@
};
+static int asn1_valid_der_boolean(struct asn1_hdr *hdr)
+{
+ /* Enforce DER requirements for a single way of encoding a BOOLEAN */
+ if (hdr->length != 1) {
+ wpa_printf(MSG_DEBUG, "ASN.1: Unexpected BOOLEAN length (%u)",
+ hdr->length);
+ return 0;
+ }
+
+ if (hdr->payload[0] != 0 && hdr->payload[0] != 0xff) {
+ wpa_printf(MSG_DEBUG,
+ "ASN.1: Invalid BOOLEAN value 0x%x (DER requires 0 or 0xff)",
+ hdr->payload[0]);
+ return 0;
+ }
+
+ return 1;
+}
+
+
+static int asn1_valid_der(struct asn1_hdr *hdr)
+{
+ if (hdr->class != ASN1_CLASS_UNIVERSAL)
+ return 1;
+ if (hdr->tag == ASN1_TAG_BOOLEAN && !asn1_valid_der_boolean(hdr))
+ return 0;
+ return 1;
+}
+
+
int asn1_get_next(const u8 *buf, size_t len, struct asn1_hdr *hdr)
{
const u8 *pos, *end;
@@ -91,7 +121,8 @@
}
hdr->payload = pos;
- return 0;
+
+ return asn1_valid_der(hdr) ? 0 : -1;
}
diff --git a/src/tls/libtommath.c b/src/tls/libtommath.c
index 4f7a148..7156744 100644
--- a/src/tls/libtommath.c
+++ b/src/tls/libtommath.c
@@ -2441,6 +2441,7 @@
/* clear the carry */
_W = 0;
+ os_memset(W, 0, sizeof(W));
for (ix = 0; ix < pa; ix++) {
int tx, ty;
int iy;
diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c
index fa4d442..1bd5aa0 100644
--- a/src/tls/x509v3.c
+++ b/src/tls/x509v3.c
@@ -538,9 +538,43 @@
}
+static int parse_uint2(const char *pos, size_t len)
+{
+ char buf[3];
+ int ret;
+
+ if (len < 2)
+ return -1;
+ buf[0] = pos[0];
+ buf[1] = pos[1];
+ buf[2] = 0x00;
+ if (sscanf(buf, "%2d", &ret) != 1)
+ return -1;
+ return ret;
+}
+
+
+static int parse_uint4(const char *pos, size_t len)
+{
+ char buf[5];
+ int ret;
+
+ if (len < 4)
+ return -1;
+ buf[0] = pos[0];
+ buf[1] = pos[1];
+ buf[2] = pos[2];
+ buf[3] = pos[3];
+ buf[4] = 0x00;
+ if (sscanf(buf, "%4d", &ret) != 1)
+ return -1;
+ return ret;
+}
+
+
int x509_parse_time(const u8 *buf, size_t len, u8 asn1_tag, os_time_t *val)
{
- const char *pos;
+ const char *pos, *end;
int year, month, day, hour, min, sec;
/*
@@ -554,6 +588,7 @@
*/
pos = (const char *) buf;
+ end = pos + len;
switch (asn1_tag) {
case ASN1_TAG_UTCTIME:
@@ -562,7 +597,8 @@
"UTCTime format", buf, len);
return -1;
}
- if (sscanf(pos, "%02d", &year) != 1) {
+ year = parse_uint2(pos, end - pos);
+ if (year < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse "
"UTCTime year", buf, len);
return -1;
@@ -579,7 +615,8 @@
"GeneralizedTime format", buf, len);
return -1;
}
- if (sscanf(pos, "%04d", &year) != 1) {
+ year = parse_uint4(pos, end - pos);
+ if (year < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse "
"GeneralizedTime year", buf, len);
return -1;
@@ -592,35 +629,40 @@
return -1;
}
- if (sscanf(pos, "%02d", &month) != 1) {
+ month = parse_uint2(pos, end - pos);
+ if (month < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(month)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &day) != 1) {
+ day = parse_uint2(pos, end - pos);
+ if (day < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(day)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &hour) != 1) {
+ hour = parse_uint2(pos, end - pos);
+ if (hour < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(hour)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &min) != 1) {
+ min = parse_uint2(pos, end - pos);
+ if (min < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(min)", buf, len);
return -1;
}
pos += 2;
- if (sscanf(pos, "%02d", &sec) != 1) {
+ sec = parse_uint2(pos, end - pos);
+ if (sec < 0) {
wpa_hexdump_ascii(MSG_DEBUG, "X509: Failed to parse Time "
"(sec)", buf, len);
return -1;
@@ -773,6 +815,7 @@
struct asn1_hdr hdr;
unsigned long value;
size_t left;
+ const u8 *end_seq;
/*
* BasicConstraints ::= SEQUENCE {
@@ -794,6 +837,7 @@
if (hdr.length == 0)
return 0;
+ end_seq = hdr.payload + hdr.length;
if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL) {
wpa_printf(MSG_DEBUG, "X509: Failed to parse "
@@ -802,22 +846,16 @@
}
if (hdr.tag == ASN1_TAG_BOOLEAN) {
- if (hdr.length != 1) {
- wpa_printf(MSG_DEBUG, "X509: Unexpected "
- "Boolean length (%u) in BasicConstraints",
- hdr.length);
- return -1;
- }
cert->ca = hdr.payload[0];
- if (hdr.length == pos + len - hdr.payload) {
+ pos = hdr.payload + hdr.length;
+ if (pos >= end_seq) {
+ /* No optional pathLenConstraint */
wpa_printf(MSG_DEBUG, "X509: BasicConstraints - cA=%d",
cert->ca);
return 0;
}
-
- if (asn1_get_next(hdr.payload + hdr.length, len - hdr.length,
- &hdr) < 0 ||
+ if (asn1_get_next(pos, end_seq - pos, &hdr) < 0 ||
hdr.class != ASN1_CLASS_UNIVERSAL) {
wpa_printf(MSG_DEBUG, "X509: Failed to parse "
"BasicConstraints");
@@ -1263,11 +1301,6 @@
}
if (hdr.tag == ASN1_TAG_BOOLEAN) {
- if (hdr.length != 1) {
- wpa_printf(MSG_DEBUG, "X509: Unexpected "
- "Boolean length (%u)", hdr.length);
- return -1;
- }
critical_ext = hdr.payload[0];
pos = hdr.payload;
if (asn1_get_next(pos, end - pos, &hdr) < 0 ||