Commit graph

4899 commits

Author SHA1 Message Date
Purushottam Kushwaha
a3dff7dc0c P2P: Fix a typo in debug message
Signed-off-by: Dilshad Ahmad <dilshad.a@samsung.com>
2015-11-15 18:55:23 +02:00
Jouni Malinen
95577884ca EAP-pwd peer: Fix error path for unexpected Confirm message
If the Confirm message is received from the server before the Identity
exchange has been completed, the group has not yet been determined and
data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
did not take this corner case into account and could end up
dereferencing a NULL pointer and terminating the process if invalid
message sequence is received. (CVE-2015-5316)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
bef802ece0 EAP-pwd server: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5314)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Jouni Malinen
8057821706 EAP-pwd peer: Fix last fragment length validation
All but the last fragment had their length checked against the remaining
room in the reassembly buffer. This allowed a suitably constructed last
fragment frame to try to add extra data that would go beyond the buffer.
The length validation code in wpabuf_put_data() prevents an actual
buffer write overflow from occurring, but this results in process
termination. (CVE-2015-5315)

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-10 18:40:54 +02:00
Somdas Bandyopadhyay
fcdb35928c Use "STATUS-NO_EVENTS" instead of "STATUS" in get_wpa_status function
Using "STATUS" command triggers CTRL-EVENT-STATE-CHANGE and
CTRL-EVENT-CONNECTED (if connected to some AP) events. These events
cause problems in Android WifiStateMachine in Marshmallow. Due to these
events WifiStateMachine sometimes disconnects the OSU SSID connection,
while hs20-osu-client waits for IP address.

Signed-off-by: Somdas Bandyopadhyay <somdas.bandyopadhyay@intel.com>
2015-11-01 21:05:10 +02:00
Max Stepanov
73ed03f333 wpa_supplicant: Add GTK RSC relaxation workaround
Some APs may send RSC octets in EAPOL-Key message 3 of 4-Way Handshake
or in EAPOL-Key message 1 of Group Key Handshake in the opposite byte
order (or by some other corrupted way). Thus, after a successful
EAPOL-Key exchange the TSC values of received multicast packets, such as
DHCP, don't match the RSC one and as a result these packets are dropped
on replay attack TSC verification. An example of such AP is Sapido
RB-1732.

Work around this by setting RSC octets to 0 on GTK installation if the
AP RSC value is identified as a potentially having the byte order issue.
This may open a short window during which older (but valid)
group-addressed frames could be replayed. However, the local receive
counter will be updated on the first received group-addressed frame and
the workaround is enabled only if the common invalid cases are detected,
so this workaround is acceptable as not decreasing security
significantly. The wpa_rsc_relaxation global configuration property
allows the GTK RSC workaround to be disabled if it's not needed.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2015-11-01 21:00:22 +02:00
Jouni Malinen
d129b02247 EAP-pwd: Add support for Brainpool Elliptic Curves
This allows the IKE groups 27-30 (RFC 6932) to be used with OpenSSL
1.0.2 and newer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-11-01 11:29:06 +02:00
Jouni Malinen
17b7032891 EAP peer: Clear ignore flag in INITIALIZE state
While this is not part of RFC 4137, the way m.check(eapReqData) is
implemented in wpa_supplicant allows an EAP method to not update the
ignore value even though each such call is really supposed to get a new
response. It seems to be possible to hit a sequence where a previous EAP
authentication attempt terminates with sm->ignore set from the last
m.check() call and the following EAP authentication attempt could fail
to go through the expected code path if it does not clear the ignore
flag. This is likely only hit in some error cases, though. The hwsim
test cases could trigger this with the following sequence:
eap_proto_ikev2 ap_wps_m1_oom

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 21:56:59 +02:00
Jouni Malinen
2e38079531 TLS: Fix memory leak with multiple TLS server instances
When using CONFIG_TLS=internal and starting hostapd with multiple
configuration files that each initialize TLS server, the server
certificate and related data was not freed for all the interfaces on
exit path. Fix this by freeing the credential data that is stored
separately for each call to tls_init().

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-31 18:15:22 +02:00
Frederic Leroy
7b0f5500b0 eap_sim_db: Implement eap_sim_db_expire_pending()
Expire pending DB request for EAP-SIM/AKA/AKA'. Timeout defaults to 1
second and is user configurable in hostapd.conf (eap_sim_db_timeout).

Signed-off-by: Frederic Leroy <frederic.leroy@b-com.com>
2015-10-31 16:28:16 +02:00
Jouni Malinen
45c3e72952 Add frequency to operating class determination for 5 GHz 100..140
This extends ieee80211_freq_to_channel_ext() with knowledge of the
operating classes for the 5 GHz channels 100..140.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-30 11:45:50 +02:00
Avichal Agarwal
c93b7e1888 RSN: Check result of EAPOL-Key frame send request
Provide information on whether EAPOL-Key frame was sent successfully to
kernel for transmittion. wpa_eapol_key_send() will return
>= 0 on success and < 0 on failure. After receiving EAPOL-Key msg 3/4,
wpa_supplicant sends EAPOL-Key msg 4/4 and shows CTRL-EVENT-CONNECTED
only after verifying that the msg 4/4 was sent to kernel for
transmission successfully.

Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2015-10-28 22:42:16 +02:00
Srinivasa Duvvuri
053693d266 hostapd: Add feature to start all interfaces at the same time in sync
When multiple interfaces across mutiple radios are started using a
single instance of hostapd, they all come up at different times
depending upon how long the ACS and HT scan take on each radio. This
will result in stations (that already have the AP profile) associating
with the first interfaces that comes up. For example in a dual band
radio case (2G and 5G) with ACS enabled, 2G always comes up first
because the ACS scan takes less time on 2G and this results in all
stations associating with the 2G interface first.

This feature brings up all the interfaces at the same time. The list of
interfaces specified via hostapd.conf files on the command line are all
marked as sync interfaces. All the interfaces are synchronized in
hostapd_setup_interface_complete().

This feature is turned on with '-S' commmand line option.

Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
2015-10-28 19:47:17 +02:00
Jouni Malinen
9578413455 Reserve QCA vendor specific nl80211 commands 110..114
These are reserved for QCA use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-27 00:10:29 +02:00
Peng Xu
5d4c508969 Assign QCA commands and attributes for Tx power scaling and OTA testing
Assign nl80211vendor commands QCA_NL80211_VENDOR_SUBCMD_OTA_TEST and
QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE as well as corresponding
attributes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-27 00:07:15 +02:00
Hu Wang
5d1d69a10f P2P: Filter control chars in group client device name similarly to peer
P2P device discovery can add peer entries based on a message directly
from a peer and from a Probe Response frame from a GO for all the P2P
Clients in the group. The former case for filtering out control
characters from the device name while the latter was not. Make this
consistent and filter both cases in the same way to avoid confusing
external programs using the device name of a P2P peer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-26 23:43:45 +02:00
Sunil Dutt
f67d1a0099 TDLS: Do not send error case of TPK M3 if TX fails
There is no point in sending TPK M3 (TDLS Setup Confirm) with a failure
status if the first transmission attempt fails. Instead, just return a
failure by disabling the link rather than retransmitting the TPK M3
frame with an error status.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-26 22:54:39 +02:00
Jouni Malinen
8f3ea3175f tests: Fix build without CONFIG_ERP=y
hmac_sha256_kdf() got pulled in only if CONFIG_ERP=y is set. Fix
test_sha256() by making the test case conditional on the function being
present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-26 00:42:14 +02:00
Jouni Malinen
d8fd633ebb Do not write ERROR level log entries if debug file is not used
wpa_debug_reopen_file() used to write an error message at MSG_ERROR
level if it was called with last_path == NULL (the last debug log file
path not known). This is not a fatal error, but a normal case if
wpa_debug_open_file() has not been used. Remove the error message and
return success in such case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 20:45:02 +02:00
Mohammed Shafi Shajakhan
67deaa582d l2_packet: Add build option to disable Linux packet socket workaround
Linux packet socket workaround(*) has an impact in performance when the
workaround socket needs to be kept open to receive EAPOL frames. While
this is normally avoided with a kernel that has the issue addressed by
closing the workaround packet socket when detecting a frame through the
main socket, it is possible for that mechanism to not be sufficient,
e.g., when an open network connection (no EAPOL frames) is used.

Add a build option (CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y) to disable the
workaround. This build option is disabled by default and can be enabled
explicitly on distributions which have an older kernel or a fix for the
kernel regression.

Also remove the unused variable num_rx.

(*) Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596
('bridge: respect RFC2863 operational state') from 2012 introduced a
regression for using wpa_supplicant with EAPOL frames and a station
interface in a bridge.

Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
2015-10-25 19:56:53 +02:00
Jouni Malinen
ceb19ff7a6 privsep: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 19:37:16 +02:00
Jouni Malinen
45a283e6d0 wext: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 19:37:16 +02:00
Jouni Malinen
336869f05a nl80211: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
78c8ee488f ndis: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
d717126aa2 hostap: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
d034f498ce atheros: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
40762fcede PCSC: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:35:00 +02:00
Jouni Malinen
80c620dbd7 SAE: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
f88bcad015 GAS server: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
1e72ba2e61 RSN auth: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
a5a2f252cb AP: Avoid undefined behavior in pointer arithmetic in IE parsing
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
de7fe64df5 RADIUS: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
d2eb91e08f TLS: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
2461724c05 RSN: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-25 15:34:59 +02:00
Jouni Malinen
3991cb7b3c EAP-IKEv2 peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
0421d47e34 EAP-IKEv2 server: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
72bb05a033 EAP-FAST peer: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
ed5e3a5888 EAP-FAST server: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
b6f961ab25 Avoid undefined behavior in pointer arithmetic in IE parsing
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
7b5880fcf4 FT: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
d6ee858c3b P2P: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-24 21:43:54 +03:00
Jouni Malinen
625745c297 WPS: Avoid undefined behavior in pointer arithmetic
Reorder terms in a way that no invalid pointers are generated with
pos+len operations. end-pos is always defined (with a valid pos pointer)
while pos+len could end up pointing beyond the end pointer which would
be undefined behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-18 11:37:47 +03:00
Jouni Malinen
cc4f3d6ea7 tests: Add TEST_FAIL() condition to omac1_aes_vector()
This enables more error path testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 20:40:36 +03:00
Jouni Malinen
0504d2da12 EAP-GPSK: Check HMAC-SHA256 result in GKDF and MIC
hmac_sha256() and hmac_sha256_vector() return a result code now, so use
that return value to terminate HMAC-SHA256-based GKDF/MIC similarly to
what was already done with the CMAC-based GKDF/MIC.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 20:40:01 +03:00
Jouni Malinen
1166b20c95 Add Framed-IP-Address to Accounting-Request if STA address is known
The recently added ProxyARP support (proxy_arp=1) in hostapd allows a
STA IPv4 address to be learned from DHCP or ARP messages. If that
information is available, add it to Account-Request messages in
Framed-IP-Address attribute.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 19:53:29 +03:00
Jouni Malinen
9b7a1bd7ed Option to reduce Probe Response frame responses during max STA
The new hostapd configuration parameter no_probe_resp_if_max_sta=1 can
be used to request hostapd not to reply to broadcast Probe Request
frames from unassociated STA if there is no room for additional stations
(max_num_sta). This can be used to discourage a STA from trying to
associate with this AP if the association would be rejected due to
maximum STA limit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 19:30:49 +03:00
Jouni Malinen
ca33a5e895 Add "git describe" based version string postfix
If hostapd or wpa_supplicant is built from a git repository, add a
VERSION_STR postfix from the current git branch state. This is from "git
describe --dirty=+". VERSION_STR will thus look something like
"2.6-devel-hostap_2_5-132-g4363c0d+" for development builds from a
modified repository.

This behavior is enabled automatically if a build within git repository
is detected (based on ../.git existing). This can be disabled with
CONFIG_NO_GITVER=y in wpa_supplicant/.config and hostapd/.config.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-16 22:20:55 +03:00
Pradeep Reddy POTTETI
2bd5bdcd4b TDLS: On a TPK timeout, tear down the link before renewal by the initiator
On TPK lifetime expiration, tear down the direct link before renewing
the link in the case of TDLS initiator processing. The expired key
cannot be used anymore, so it is better to explicitly tear down the old
link first.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-16 11:35:19 +03:00
Jouni Malinen
2b12b3602a P2P: Do not reply to GO Negotiation Request if peer is waiting for us
This improves robustness of GO Negotiation in special cases where GO
Negotiation Request frames from the peer may end up getting delivered
multiple times, e.g., due to interference and retransmitted frames not
getting properly filtered out in duplicate detection (which is something
that number of drivers do not implement for pre-associated state).

If we have already replied with GO Negotiation Response frame with
Status 1 (not yet ready), do not reply to another GO Negotiation Request
frame from the peer if we have already received authorization from the
user (P2P_CONNECT command) for group formation and have sent out our GO
Negotiation Request frame. This avoids a possible sequence where two
independent GO Negotiation instances could go through in parallel if the
MAC address based rule on avoiding duplicate negotiations is not able to
prevent the case. This can allow GO Negotiation to complete successfully
whereas the previous behavior would have likely resulted in a failure
with neither device sending a GO Negotiation Confirm frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-15 21:21:28 +03:00
Rui Paulo
22e8df3a98 Portability fixes for FreeBSD - os_fdatasync()
Use fsync() when fdatasync() and F_FULLSYNC isn't available.

Signed-off-by: Rui Paulo <rpaulo@freebsd.org>
2015-10-15 16:14:30 +03:00