Commit graph

7251 commits

Author SHA1 Message Date
Jouni Malinen
305000e160 WPS: Check wps_build_wfa_ext() return value consistently (CID 68104)
While this call cannot really fail, check the return value to be more
consistent with all the other wps_build_wfa_ext() calls.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 12:32:52 +03:00
Jouni Malinen
2485835ba3 EAP-MSCHAPv2: Check hash function results more consistently (CID 68105)
While the hash functions would be very unlikely to fail in practice,
they do have option of returning an error. Check that return value more
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 12:32:45 +03:00
Jouni Malinen
b7c61c9d4e Fix validation of EAPOL-Key length with AES key wrap (CID 62859)
The additional eight octet field was removed from keydatalen without
proper validation of the Key Data Length field. It would have been
possible for an invalid EAPOL-Key frame to be processed in a way that
ends up reading beyond the buffer. In theory, this could have also
resulted in writing beyond the EAPOL-Key frame buffer, but that is
unlikely to be feasible due to the AES key wrap validation step on
arbitrary memory contents.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-14 00:20:04 +03:00
Jouni Malinen
6590b6400f EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
Since there is a limit on the EAP exchange due to maximum number of
roundtrips, there is no point in allowing excessively large buffers to
be allocated based on what the peer device claims the total message to
be. Instead, reject the message if it would not be possible to receive
it in full anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 16:03:45 +03:00
Jouni Malinen
e862968d18 tests: Validate parsing and rejection of invalid WFD subelement
This is a regression test for wifi_display_subelem_hex() bounds checking
issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 15:29:48 +03:00
Jouni Malinen
49d13df63c P2P: Fix wfd_dev_info parsing for P2P-DEVICE-FOUND (CID 68127)
Commit b125c48fce ('P2P: Add wfd_dev_info=
field for device found event') added Wi-Fi Display device info to the
P2P-DEVICE-FOUND events. However, it did not include proper bounds
checking in wifi_display_subelem_hex() and could accept subelements with
invalid length field values. This could result in buffer read overflow
of up to 64 kB and inclusion of heap memory in the local control
interface event and/or process crash due to invalid memory access. Fix
this by checking the validity of the length field before writing a
hexdump of the data.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 15:25:39 +03:00
Jouni Malinen
1851e17a64 dbus: Clean up P2P group vendor ext getter
The vendor_ext[i] = NULL setting did not make any sense since
num_vendor_ext should have been used to index the vendor_ext array. The
old code did not do any harm since i >= num_vendor_ext and none of the
already set entries could have been cleared. Anyway, better clean this
by making it skip the setting to NULL similarly to what was already done
in the P2P peer vendor ext getter.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:48:21 +03:00
Jouni Malinen
137ff332fd HS 2.0R2: Fix OSEN IE parsing for in cipher setup (CID 68132)
The OSEN code path hardcodes number of struct wpa_ie_data items.
However, it did not clear the full structure and some uninitialized
fields could have been used (e.g., ie.mgmt_group_cipher for a debug
print and ie.capabilities for checking MFPC). Fix this by clearing the
ie data before filling in the hardcoded OSEN values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:36:42 +03:00
Jouni Malinen
2703fb4ad9 WNM: Use cleaner way of generating pointer to a field (CID 68100)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
da995b2e11 WNM: Use cleaner way of generating pointer to a field (CID 68099)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
062833c67c GAS server: Fix request frame length validation (CID 68098)
There seemed to be an off-by-one error in the validation of GAS request
frames. If a Public Action frame without the Action code field would
have reached this function, the length could have been passed as
(size_t) -1 which would likely have resulted in a crash due to reading
beyond the buffer. However, it looks like such frame would not be
delivered to hostapd at least with mac80211-based drivers. Anyway, this
function better be more careful with length validation should some other
driver end up reporting invalid Action frames.

In addition, the Action code field is in a fixed location, so the
IEEE80211_HDRLEN can be used here to clean up bounds checking to avoid
false reports from static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
6ec64f3ec8 tests: Truncated GAS query request
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
5ce3ae4c8f HT: Use cleaner way of generating pointer to a field (CID 68097)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
fb5d417178 P2P: Use cleaner way of generating pointer to a field (CID 68096)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
35c03184df P2P: Use cleaner way of generating pointer to a field (CID 68095)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
e987c70c85 dbus: Add explicit break statements to switch-default
There were couple of missing breaks in switch-default (before/after).
While these did not have any noticeable issues due to falling over to
the next step that just exited from the switch statement, it is cleaner
and more robust to have each case use an explicit break.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
6446420b24 dbus: Initialize temporary entry properly (CID 62877)
The tmpentry variable was not initialized and
_wpa_dbus_dict_entry_get_byte_array() does not set tmpentry.type, so it
would have been possible for the error path to end up trying to free
unexpected type of an entry or not free the memory at all.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:15 +03:00
Jouni Malinen
70d9537361 Use clearer way of getting pointer to a frame (CID 62835)
This avoids an incorrect ARRAY_VS_SINGLETON report for a case where a
pointer is taken to the specified field in a frame and not to a single
octet. Bounds checking was already handled separately.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-13 00:27:11 +03:00
Jouni Malinen
c02f35fb59 WPS: Clean up indentation level (CID 68109)
The implementation here was doing what it was supposed to, but the code
was indented in a way that made it quite confusing in the context of a
single line if statement body.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-12 19:45:31 +03:00
Jouni Malinen
0e87e798b5 Fix HS20_GET_NAI_HOME_REALM_LIST hex length check (CID 68108)
Due to an incorrect operation (MOD vs. AND), the code that was supposed
to return an error if the hex string has odd length was not really
reporting any failures. Instead of reporting an error, the invalid
control interface command would have been truncated. This is not an
issue in practice, but better fix the implementation anyway.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-12 19:45:27 +03:00
Jouni Malinen
beb9e1171e dbus: Avoid theoretical memory leaks with duplicated dict entries
If a dict would include duplicated items, the parsing code here would
have leaked memory by overwriting old os_strdup() result with the new
one. Fix this by explicitly freeing the previous entry. This addresses
CID 62852, CID 62851, CID 62850, CID 62849, CID 62847, CID 62846.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-12 19:45:06 +03:00
Jouni Malinen
ceb4cd89c9 dbus: Fix a potential double-free in on error path (CID 62880)
It would have been at least theoretically possible to hit the first
error in the loop and end up jumping to error handling which would call
os_free(value) without the value having been cleared after the os_free()
call at the end of the previous loop iteration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-12 19:45:02 +03:00
Philippe De Swert
68e2b8882a TNC: Fix minor memory leak (CID 62848)
In tncc_read_config(), the memory allocted for the config
did not get freed if an error occured.

Signed-off-by: Philippe De Swert <philippe.deswert@jollamobile.com>
2014-06-12 19:44:58 +03:00
Jouni Malinen
5519241676 GAS: Limit TX wait time based on driver maximum value
The GAS query TX operation used a fixed wait time of 1000 ms for the
reply. However, it would be possible for the driver to not support this
long remain-on-channel maximum. Limit this wait time based on driver
support, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-12 10:56:06 +03:00
Jouni Malinen
a0ab408d3b P2P: Fix SD and DevDisc to limit maximum wait time per driver support
The driver may reject offchannel TX operation if the requested wait time
is longer than what the driver indicates as the maximum
remain-on-channel time. Two of the P2P action frame cases used long
enough wait times (1000 ms for DevDisc and 5000 ms for SD) that could go
beyond the limit with some drivers. Fix these to limit the maximum wait
to what the driver indicates as supported.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-12 10:49:19 +03:00
Jouni Malinen
2e9f8ee723 tests: EAP-GPSK protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-12 01:00:56 +03:00
Jouni Malinen
d5c14b25fd tests: EAP-OTP protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-11 21:23:54 +03:00
Jouni Malinen
43c5bc94f5 tests: cfg80211 offchannel TX vs. operating channel
This test case shows an example case where an uncancelled offchannel TX
frame command seems to end up getting following CMD_FRAME TX operations
transmitting on incorrect channel.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-11 11:48:02 +03:00
Jouni Malinen
8604a68eec tests: EAP-MD5 protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-11 00:54:45 +03:00
Jouni Malinen
18fc8f40fd tests: EAP-LEAP protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-11 00:46:38 +03:00
Nirav Shah
d3b204694a P2P: Make the default p2p_find delay value configurable
This makes the p2p_find default delay value configurable as
p2p_search_delay parameter through the configuration file (and through
control interface "SET p2p_search_delay <value>" on the P2P management
interface.

This parameter controls the number milliseconds of extra delay that is
added between search iterations when there is a concurrent operation in
progress. This can be used, e.g., p2p_search_delay=100 to make p2p_find
friendlier to concurrent operations by avoiding it from taking 100% of
the radio resources. The default value is the previous default, i.e.,
500 ms. Smaller values can be used to find peers more quickly at the
cost of larger effect to concurrent operations while a larger value
leaves more time for the concurrent operations at the cost of making
device discovery take longer time.

The optional p2p_find delay argument can still be used to override the
search delay for each search operation.

Since the P2P_CONCURRENT_SEARCH_DELAY macro is not used anymore, the
driver specific build parameter for bcmdhd from Android.mk is also
removed. Similar configuration can now be achieved with
p2p_search_delay=0 in the p2p0 interface configuration file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-09 19:43:26 +03:00
Ashok Kumar Ponnaiah
3dacd3ece7 atheros: Add support for new GCMP/CCMP/CMAC/GMAC cipher suites
Extend the set of supported cipher suites to include CCMP-256, GCMP,
GCMP-256, CMAC-256, GMAC, and GMAC-256 when ATH_GCM_SUPPORT=y is set in
the build configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-09 19:21:48 +03:00
Jouni Malinen
d81731e681 tests: Framework for EAP peer protocol tests
This introduces a minimal RADIUS authentication server using pyrad to
allow simple EAP handler functions to be used for writing protocol tests
for EAP peer methods. This initial commit includes test cases for
EAP-SAKE.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-09 00:30:44 +03:00
Jouni Malinen
a47f815ff3 tests: Extend RADIUS protocol testing coverage
Test RADIUS client behavior with various invalid Access-Accept messages.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-08 18:17:08 +03:00
Jouni Malinen
737754dc2b EAP-IKEv2: Remove obsolete ccns.pl project workarounds
It does not look like there is going to be any additional use for this
old build option that could be used to build the EAP-IKEv2 peer
implementation in a way that interoperates with the eap-ikev2.ccns.pl
project. Remove the workarounds that matches incorrect implementation in
that project to clean up implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-08 12:28:36 +03:00
Jouni Malinen
aa6bf6dabc eap_proxy: Check sm != NULL more consistently
While it does not look like that eapol_sm_get_key() would ever be called
with sm == NULL, the current implementation is inconsistent on whether
that is allowed or not. Check sm != NULL consistently to avoid warnings
from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:26:41 +03:00
Jouni Malinen
4f4d51e059 TDLS: Add extra validation step for responder RSN IE length
The following kde.rsn_ie_len != peer->rsnie_i_len was already taking
care of enforcing the length to be within the target buffer length.
Anyway, this explicit check makes this clearer and matches the design in
TPK M1 processing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:21:48 +03:00
Jouni Malinen
a01acc50d5 Check for EVENT_ASSOC data to be present for AP mode operation
wpa_supplicant_event() is required to include the event data for AP mode
events. In theory, a non-AP mode event could be sent here from the
driver wrapper, so reject such event.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:15:50 +03:00
Jouni Malinen
1fde15a20a GAS server: Explicitly check that home realm is available
This makes the code easier to understand for static analyzers to avoid
false reports.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:05:33 +03:00
Jouni Malinen
aff0bee78a GAS server: Remove unused function parameter
This parameter was not used at all, so just remove the argument instead
of passing NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 19:04:17 +03:00
Jouni Malinen
86388afa56 WPS: Check for theoretical gmtime() failure
In theory, gmtime() could return NULL if the year value would not fit
into an integer. However, that cannot really happen with the current
time() value in practice. Anyway, clean up static analyzer reports by
checking for this corner case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 17:39:51 +03:00
Jouni Malinen
d75a5ae018 WPS ER: Fix UDN parser to handle missing field
Must check that UDN was present before trying to parse it. Avoid a NULL
pointer dereference by checking the result before using os_strstr() when
parsing device description from an AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 17:35:22 +03:00
Jouni Malinen
0bbaa9b93f Validate driver extended capabilities length against buffer length
Prepare for new extended capabilities bits by checking that the local
buffer is large enough to contain all the bits the driver requests. The
existing buffers are large enough to include anything defined until now,
but it would be possible to add more definitions in the future, so
increase them a bit as well to make this more future proof.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 16:35:30 +03:00
Jouni Malinen
9c6c5589e0 Interworking: Reject EAP configuration with unsupported inner method
Instead of allowing the connection attempt to occur with an unsupported
inner method, check for that explicitly at the time the network block is
added and drop the network if the identified inner method is not
supported.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 16:18:30 +03:00
Jouni Malinen
f2ca0e9770 Check eap_get_name() return against NULL to silence static analyzer
This cannot really be NULL in practice since cred->eap_method would
point to a valid EAP method. Anyway, to avoid false positive from
analyzers, check the pointer explicitly before printing it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 15:42:07 +03:00
Jouni Malinen
bc32bb70d7 Make a code path easier for static analyzers to understand
prev cannot be NULL here in the hostapd_eid_country_add() call since
prev is set whenever start becomes non-NULL. That seems to be a bit too
difficult for some static analyzers, so check the prev pointer
explicitly to avoid false warnings.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 15:37:31 +03:00
Jouni Malinen
9a921f9a84 tests: Verify behavior on unexpected association event
This verifies association event processing in case the association was
not requested by wpa_supplicant.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 13:35:03 +03:00
Jouni Malinen
fb958ea76e Check current_ssid on unexpected association event
This is mainly to keep static analyzers silent since it does not look
like this code path can be reached in practice due to the way
association events are handled and current_ssid is either set before
resched here or the association is rejected. Anyway, if this could be
reached, the wpa_supplicant_set_wpa_none_key() call would end up
dereferencing a NULL pointer, so add an explicit check to make sure that
does not happen.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-07 13:32:13 +03:00
Jouni Malinen
f5fa824e9a Update OpenSSL 0.9.8 patch for EAP-FAST support
The 0.9.9 branch was for development purposes only, so no one should be
using that in production and there is not much point in maintaining the
obsolete patch here either. Similarly, the old 0.9.8 versions are
obsolete at this point in time and taken into account the recent OpenSSL
vulnerabilities, anything older than 0.9.8za should not really be used.

Prepare an updated version of the TLS session ticket patch based on the
current OpenSSL 0.9.8za release and remove all the older TLS extension
patches.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-06-05 20:43:00 +03:00
Jouni Malinen
2a57c33e25 Reserve QCA vendor specific nl80211 commands 20..33
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-06-05 17:03:17 +03:00