Commit graph

19618 commits

Author SHA1 Message Date
Benjamin Berg
f6ba44d6f9 tests: Use more specific alloc_fail location
The test here is triggering the allocation failure in the static
wpa_config_parse_password() helper. Use this and decrease the count
instead of matching both wpa_config_set_quoted() and wpa_config_set()
and counting down based on that.

This is in preparation to fix the failure function matching to not do a
prefix match.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 19:50:42 +03:00
Benjamin Berg
050bd6e2b1 tests: Specify correct function name for failure
The test expects rsn_pmkid_suite_b_192() to fail but specified only
rsn_pmkid_suite_b without the _192 postfix. Add the postfix so that the
function matching can be fixed later.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 19:49:46 +03:00
Benjamin Berg
ac15b79fe5 PMKSA: Guard against NULL KCK for memcpy()
If the kck_len is 0 then the pointer may be NULL. If that happens UBSAN
complains about the NULL pointer as memcpy() has the arguments declared
to never be NULL even if the copied number of bytes were zero.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 19:48:11 +03:00
Benjamin Berg
7bcede06e0 MLD: Ensure link_bssid array has space for sentinel
The consumer of the link_bssid array assumes it is a NULL terminated
array of BSSIDs. As such, add one to the maximum number of links to
ensure that there is always a sentinel value.

Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 18:53:59 +03:00
Benjamin Berg
cf3883f3d1 MLD: Ensure link BSSIDs remain on stack for ignore
When ignoring a link BSSID the multi-link information was parsed out
into a struct ml_sta_link_info on the stack. However, this stack
variable went out of scope before it was used by passing the link_bssids
pointer array to another function.

Fixes: 5af986c75a ("MLD: Also mark links as failed after association failure")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 18:53:59 +03:00
Jouni Malinen
9f0429c9e1 dbus: Make sure ServiceDiscoveryRequest/Result does not override pointers
Explicitly free the previously allocated copy if ServiceDiscoveryRequest
or Service DiscvoveryResponse parsing loop finds multiple instances of
the same dict entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-11 18:47:12 +03:00
Davide Caratti
d22401d895 dbus: Fix memory leak in case dbus provides 'tlvs' in invalid P2P SD response
Using D-Bus it is possible to request an invalid SD response where
"tlvs" is specified and there is an unknown key (e.g. "bar": "foo"). In
this case, "tlv" is allocated and then never used nor freed. Valgrind
complains as follows:

 36 bytes in 1 blocks are definitely lost in loss record 20 of 74
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix it ensuring that "tlv" is freed both in the error and non-error path
of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
test_dbus.py to verify correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-11 18:39:39 +03:00
Davide Caratti
0c2d8417c6 dbus: Fix memory leak in case dbus provides tlv in P2P UPnP SD request
Using D-Bus it is possible to trigger a valid UPnP SD request where
"tlv" is specified: in this case "tlv" is allocated, and then not used
nor freed. Valgrind complains as follows:

 72 bytes in 2 blocks are definitely lost in loss record 46 of 68
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix it ensuring that "tlv" is freed, both in the error and non-error
path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
test_dbus.py to verify correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-11 18:37:14 +03:00
Sascha Hauer
3b4f127084 nl80211: Use actual number of supported AKMs for AP setup
Since 0ce1545dcb ("nl80211: Determine maximum number of supported
AKMs") we get the maximum number of supported AKMs from the kernel.
Let's use that instead of the legacy NL80211_MAX_NR_AKM_SUITES when
setting up AP mode operation.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
2024-07-11 18:30:21 +03:00
Sai Pratyusha Magam
8f69e538a9 SecureLTF: Work around misbehaving STAs for PTK derivation without KDK
Some deployed STAs that advertise SecureLTF support in the RSNXE in
(Re)Association Request frames, do not derive KDK during PTK generation.
Since the correct key calculations in the AP includes an additional KDK
generation in such cases, this causes different PTK-KCK being derived
and the AP ultimately discarding EAPOL-Key message 2/4 due to MIC
validation failure.

Try to derive a PTK without KDK as a workaround in such cases and allow
the 4-way handshake to continue if this results in a matching MIC.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2024-07-11 18:23:49 +03:00
Hu Wang
438a27b369 Do not derive SAE PT if the network profile does not include SAE
wpa_s_setup_sae_pt() derived SAE PT even when the configured key
management options did not include SAE if the global sae_pwe
configuration parameter had been changed to enable H2E. This adds
unnecessary extra delay, so derive PT only if SAE is actually enabled in
the network profile.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 17:39:19 +03:00
Aditya Kumar Singh
b7c6aa3ac6 tests: Extend color change test for a non-first link of an AP MLD
Currently color change test is supported only on the first link of the
AP MLD. Extend the support to test on non-first link as well.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-07-11 17:25:25 +03:00
Aditya Kumar Singh
61eb89d5fd nl80211: AP MLD: Parse link ID to determine the BSS for color event
When an HE BSS color event is received from the driver, the event was
delevered to the first link BSS ctx. To support HE BSS color with MLO,
there is a need to identify the correct link for which the event is
intended.

Add link ID parsing support in the event handler and pass the link ID
(if included) down to the event handler so that appropriate link can be
selected.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-07-11 17:23:47 +03:00
Aditya Kumar Singh
5d16ad9ab0 nl80211: Refactor color collision related nl80211 commands handling
Almost same logic is there in handling four different commands related
to color collision. Later when link ID needs to be parsed, it would be
more duplicate logic at four different places. Hence refactor and bring
it in a single function.

No functionality changes.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-07-11 17:21:03 +03:00
Aditya Kumar Singh
22a592d119 hostapd: Fix updating Beacon frames during association handling
In function handle_assoc(), ieee802_11_update_beacons() was used to
update the Beacon frames. However, with commit a5d0bb42a2 ("Reduce
delay between Association Request and Association Response"), it was
changed to ieee802_11_set_beacons() which basically overturned what
commit e59d2a31cf ("hostapd: Fix premature beacon set during
association handling") did which is not correct.

Fix this and use ieee802_11_update_beacons() instead of
ieee802_11_set_beacons().

Fixes: a5d0bb42a2 ("Reduce delay between Association Request and Association Response")
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-07-11 17:13:45 +03:00
Jouni Malinen
9716bf1160 SAE: Reject invalid Rejected Groups element in the parser
There is no need to depend on all uses (i.e., both hostapd and
wpa_supplicant) to verify that the length of the Rejected Groups field
in the Rejected Groups element is valid (i.e., a multiple of two octets)
since the common parser can reject the message when detecting this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 23:37:45 +03:00
Jouni Malinen
593a7c2f8c SAE: Check for invalid Rejected Groups element length explicitly on STA
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Fixes: 444d76f74f ("SAE: Check that peer's rejected groups are not enabled")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 23:34:21 +03:00
Aleti Nageshwar Reddy
5f98c853e4 nl80211: Send link ID with NL80211_CMD_TDLS_MGMT to enable TDLS with MLO
The latest Linux kernel is mandating link ID with NL80211_CMD_TDLS_MGMT
for MLO connections. This resulted in not being able to perform TDLS
operations during a multi-link association.

Fix this by sending link ID in NL80211_CMD_TDLS_MGMT when available. If
link ID info is not available, send the link ID of the association link.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-09 23:20:50 +03:00
Jouni Malinen
f302d9f964 RADIUS: Check Message-Authenticator if it is present even if not required
Always check the Message-Authenticator attribute in a received RADIUS
message if it is present. Previously, this would have been skipped if
the attribute was not required to be present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
58097123ec RADIUS: Require Message-Authenticator attribute in MAC ACL cases
hostapd required Message-Authenticator attribute to be included in EAP
authentication cases, but that requirement was not in place for MAC ACL
cases. Start requiring Message-Authenticator attribute for MAC ACL by
default. Unlike the EAP case, this can still be disabled with
radius_require_message_authenticator=1 to maintain compatibility with
some RADIUS servers when used in a network where the connection to such
a server is secure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
934b0c3a45 Require Message-Authenticator in Access-Reject even without EAP-Message
Do not allow the exception for missing Message-Authenticator in
Access-Reject without EAP-Message. While such exception is allowed in
RADIUS definition, there is no strong reason to maintain this since
Access-Reject is supposed to include EAP-Message and even if it doesn't,
discarding Access-Reject will result in the connection not completing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
f54157077f RADIUS DAS: Move Message-Authenticator attribute to be the first one
Even if this might not be strictly speaking necessary for mitigating
certain RADIUS protocol attacks, be consistent with the RADIUS server
behavior and move the Message-Authenticator attribute to be the first
attribute in the RADIUS DAS responses from hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
37fe8e48ab hostapd: Move Message-Authenticator attribute to be the first one in req
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
689a248260 eapol_test: Move Message-Authenticator attribute to be the first one
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
54abb0d3cf RADIUS server: Place Message-Authenticator attribute as the first one
Move the Message-Authenticator attribute to be the first attribute in
the RADIUS messages. This mitigates certain MD5 attacks against
RADIUS/UDP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
adac846bd0 RADIUS: Allow Message-Authenticator attribute as the first attribute
If a Message-Authenticator attribute was already added to a RADIUS
message, use that attribute instead of adding a new one when finishing
message building. This allows the Message-Authenticator attribute to be
placed as the first attribute in the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
566dc139a0 tests: Include Message-Authenticator attribute in RADIUS tests
This is in preparation for hostapd requiring this attribute for all
cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
2846b74f14 tests: SAE H2E and rejected groups with different APs and different config
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 12:14:34 +03:00
Jouni Malinen
d944ef1c01 SAE: Clear rejected groups list on completing authentication
The rejected groups list is valid only during each individual SAE
authentication instance and it should not be maintained between separate
instances. In particular, it should not be maintained when roaming to
another AP since the APs might use different configuration for the
allowed SAE groups.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 12:14:34 +03:00
Jouni Malinen
368aa0230b tests: SAE protocol testing - Invalid Rejected Groups element
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 12:14:33 +03:00
Jouni Malinen
0ab009db3c SAE: Clear rejected groups list on continuous failures
wpa_supplicant used to maintain the list of rejected groups for SAE over
multiple failed attempts. This could have some DoS issues, so clear this
list if SAE authentication attempts fails continuously.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 11:58:18 +03:00
Jouni Malinen
21fe042815 SAE: Clear peer_rejected_groups when no element is included
When parsing a SAE Commit message, the temporary peer_rejected_groups
parameter was left to its old value in cases where the new SAE Commit
message did not include the Rejected Groups element. This could result
in unexpected behavior if a previously processed SAE Commit message
included a Rejected Groups element that claimed one of the enabled
groups to be rejected.

Explicitly clear the peer_rejected_groups value when parsing an SAE
Commit message without a Rejected Groups element to avoid rejecting the
new message based on some previously received incorrect information.
This avoids some potential denial-of-service issues during the lifetime
of the SAE temporary data.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 11:48:35 +03:00
Jouni Malinen
364c2da874 SAE: Check for invalid Rejected Groups element length explicitly
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 11:46:49 +03:00
Gururaj Pandurangi
c9db4925f6 Vendor attribute to configure STA to follow AP preference for candidates
Add a vendor attribute to configure a STA to follow AP advertised
preference values to select roam candidates with BTM.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-20 18:59:00 +03:00
Purushottam Kushwaha
0cb42655fb Vendor command extension for Responder PM Mode bit in TWT SET Request
Use the existing QCA_WLAN_VENDOR_ATTR_TWT_SETUP_RESPONDER_PM_MODE
attribute for TWT setup request to configure the Responder PM Mode bit
in the control field of the TWT element or broadcast TWT schedule.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-06-20 18:54:51 +03:00
Purushottam Kushwaha
9832f13242 Add vendor flag to indicate unavailability mode in TWT responder mode
Add a flag attribute
QCA_WLAN_VENDOR_ATTR_TWT_SET_PARAM_UNAVAILABILITY_MODE into enum
qca_wlan_vendor_attr_twt_set_param to configure the TWT responder
unavailability outside of the SPs of its broadcast TWT schedule.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-06-20 18:52:53 +03:00
Jouni Malinen
7cf0021267 tests: SAE protocol testing and a valid commit after a failed one
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-20 18:24:10 +03:00
Chenming Huang
761041b18a SAE: Free password identifier if SAE commit is rejected due to it
Authentication rejection was found when doing fuzz testing even with a
valid SAE commit message when it was sent after a SAE commit message
that included an incorrect password identifier. The test steps for this
are as below:

1. Peer sends an abnormal commit message with incorrect password
   identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected

In step 2, as the abnormal data fakes an empty password identifier
element, it passes sae_is_password_id_elem() checking. Memory is then
allocated for sae->tmp->pw_id. The authentication process then fails
due to no available password with this invalid password identifier.

In step 4, though the peer sends a valid commit message, APUT rejects
this SAE commit again due to no password identifier element (due to that
sae->tmp->pw_id being set), which is not expected.

Free the sae->tmp->pw_id field and set it to NULL when SAE commit
message processing fails due to an unknown password identifier so that
the bogus value is not used as a requirement for any consecutive SAE
commit from the same STA before the STA entry gets cleared.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-06-20 18:19:26 +03:00
Nidhi Jain
d97b5c6492 Define Link Id attribute for secure ranging context vendor command
The Link Id attribute is required for secure ranging context to identify
the link on which the command is received for an MLD.

Signed-off-by: Nidhi Jain <quic_nidhjain@quicinc.com>
2024-06-19 22:33:52 +03:00
Nidhi Jain
2097de2a6a Define Link Id attribute for QCA_NL80211_VENDOR_SUBCMD_PASN
The Link Id attribute is required for QCA_NL80211_VENDOR_SUBCMD_PASN to
identify the link on which the command is received for an MLD.

Signed-off-by: Nidhi Jain <quic_nidhjain@quicinc.com>
2024-06-19 22:31:59 +03:00
Diya Sati
c6e55fb96b Add Link ID for External ACS vendor command
The Link Id attribute is required for external ACS context to identify
the link on which the command is received for an AP MLD.

Signed-off-by: Diya Sati <quic_dsati@quicinc.com>
2024-06-19 22:28:50 +03:00
Jouni Malinen
b54ccd4129 tests: SAE with SSID protection in 4-way handshake
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-19 12:38:14 +03:00
Jouni Malinen
37a289f8bc SSID protection in 4-way handshake on AP
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).

This functionality is disabled by default and can be enabled with
ssid_protection=1. Once there has been more testing of this to confirm
there is no significant interoperability issues, the goal is to be able
to change this to be enabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-19 12:38:14 +03:00
Jouni Malinen
dab7549d68 SSID protection in 4-way handshake on STA
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).

This functionality is disabled by default and can be enabled with
ssid_protection=1 in the network profile. Once there has been more
testing of this to confirm there is no significant interoperability
issues, the goal is to be able to change this to be enabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-19 12:31:04 +03:00
Veerendranath Jakkam
9a022cdc70 STA: Update scan results when BSS entry with current SSID is not found
wpa_supplicant might use a wrong BSS entry with the SSID different from
the current SSID of the current BSS while processing a roam event from
the driver when wpa_supplicant has a stale BSS entry with the old SSID
and the driver roams to the same BSS after it is restarted with a new
SSID.

To avoid this, update scan results from the driver when a BSS entry is
not found with the current SSID and try to fetch the BSS entry again
with the current SSID after this.

Also, with this change wpa_supplicant_get_new_bss() itself will update
the BSS table and search for the current BSS entry if it is not found in
the BSS table. So, remove the BSS table update and search logic from the
callers of wpa_supplicant_get_new_bss().

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-06-13 18:36:08 +03:00
Aditya Kumar Singh
cb5c4e49c7 tests: Add color change test for an AP MLD
Add the eht_mlo_color_change test case to perform color change on the
first link of an AP MLD. Performing on non-first link will be done
later.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-06-12 12:42:33 +03:00
Aditya Kumar Singh
72203b8fe3 tests: Add HE BSS color change test
Add the he_bss_color_change test case which brings up an HE AP and
performs color change operations and validates the result.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-06-12 12:38:32 +03:00
Aditya Kumar Singh
320c4c8f8d AP MLD: Send link id to the driver during color change
Send the link ID in the nl80211 command to switch color if the AP is
affiliated with an AP MLD.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-06-12 12:31:45 +03:00
Aditya Kumar Singh
ecfe2aa61b Update Beacon frames after color change
Once CCA is finished, Beacon frames need to be updated. The BCCA element
needs to be removed and the new color value shall be advertised in the
BSS Color Information field of the HE Operation element.

Update the Beacon frames accordingly.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-06-12 12:25:26 +03:00
Aditya Kumar Singh
5913d1a187 Remove double "on" from debug prints in CCA event callbacks
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-06-12 12:22:34 +03:00