Commit graph

16319 commits

Author SHA1 Message Date
Jouni Malinen
cc79eb725f Check against integer overflow in int_array functions
int_array_concat() and int_array_add_unique() could potentially end up
overflowing the int type variable used to calculate their length. While
this is mostly theoretical for platforms that use 32-bit int, there
might be cases where a 16-bit int overflow could be hit. This could
result in accessing memory outside buffer bounds and potentially a
double free when realloc() ends up freeing the buffer.

All current uses of int_array_add_unique() and most uses of
int_array_concat() are currently limited by the buffer limits for the
local configuration parameter or frame length and as such, cannot hit
this overflow cases. The only case where a long enough int_array could
be generated is the combination of scan_freq values for a scan. The
memory and CPU resource needs for generating an int_array with 2^31
entries would not be realistic to hit in practice, but a device using
LP32 data model with 16-bit int could hit this case.

It is better to have more robust checks even if this could not be
reached in practice, so handle cases where more than INT_MAX entries
would be added to an int_array as memory allocation failures instead of
allowing the overflow case to proceed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 17:12:17 +02:00
Jouni Malinen
2af3d99cd3 tests: Additional FT-SAE with RSNXE testing
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:24:03 +02:00
Jouni Malinen
a55ecfeabe Allow RSNXE to be removed from Beacon frames for testing purposes
The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to
remove RSNXE from Beacon frames. This can be used to test protection
mechanisms for downgrade attacks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:24:03 +02:00
Jouni Malinen
b7366a942a FT: Omit RSNXE from FT protocol Reassociation Response when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Response frame so
that a STA not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
6140cca819 FT: Omit RSNXE from FT protocol Reassociation Request when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Request frame so
that an AP not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
35936cd2cf FT: Verify that RSNXE is used consistently in Reassociation Response
Verify that the AP included RSNXE in Beacon/Probe Response frames if it
indicated in FTE that RSNXE is used. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
497ae9f004 FT: Verify that RSNXE is used consistently in Reassociation Request
Verify that the STA includes RSNXE if it indicated in FTE that RSNXE is
used and the AP is also using RSNXE. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:33:02 +02:00
Jouni Malinen
51d1924bd8 FT: Set the new RSNXE Used subfield in FT reassociation
This is a workaround needed to keep FT protocol backwards compatible for
the cases where either the AP or the STA uses RSNXE, but the other one
does not. This commit adds setting of the new field to 1 in
Reassociation Request/Response frame during FT protocol when the STA/AP
uses RSNXE in other frames. This mechanism is described in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:23:48 +02:00
Jouni Malinen
c557720ef0 tests: sigma_dut AP configuration for different channels
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-16 16:22:32 +02:00
Jouni Malinen
5732e57423 tests: Use hostapd_logdir in sigma_dut_ap_psk_sha256
logdir was prepared for this test case, but it was not actually used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-16 15:38:27 +02:00
Alexander Wetzel
6ea7a152c6 wlantest: Basic Extended Key ID support
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-16 00:07:20 +02:00
Jouni Malinen
796253a65f nl80211: Debug print set_key() command names
This makes it easier to understand the debug log for various set_key()
operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:42:21 +02:00
Alexander Wetzel
ac22241532 nl80211: Extended Key ID support
Add key configuration parameters needed to support Extended Key ID with
pairwise keys. Add a driver capability flag to indicate support forusing
this.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:39:57 +02:00
Jouni Malinen
a1afa2df8a Remove unnecessary and confusing length check from the PMKID KDE case
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.

This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:24:18 +02:00
Alexander Wetzel
094c9cdc7e Add parsing of Key ID KDE for Extended Key ID
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:17:56 +02:00
Alexander Wetzel
f5c0104f3b Add KEY_FLAG_MODIFY for Extended Key ID support
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").

Add it again and update check_key_flag() accordingly.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:00:10 +02:00
Jouni Malinen
e9d2cd71af tests: Scanning in AP mode
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:22:47 +02:00
Jouni Malinen
9e30180a30 nl80211: Allow scanning in wpa_supplicant AP mode
If the driver supports this, request cfg80211 to allow the explicitly
requested scan to go through in AP mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:21:35 +02:00
Jouni Malinen
fab94f16e6 Indicate scan completion in active AP mode even when ignoring results
This is needed to avoid leaving external components (through control
interface or D-Bus) timing out while waiting for the scan completion
events. This was already taken care of for the scan-only case
("TYPE=only"), but the scan-and-allow-roaming case did not report the
scan completion event when operating in AP mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:18:16 +02:00
Jouni Malinen
037e004c16 nl80211: Remove extraneous space from send_mlme debug print
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:09:27 +02:00
Jouni Malinen
2e22f3e82e tests: Check more details in pmksa_cache_ap_expiration
It looks like this test case can fail if the STA goes to power save mode
and the Deauthentication frame from the AP after session timeout is not
actually sent at all. Check more details to make it clear that this is
indeed the reason behind the failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:07:52 +02:00
Jouni Malinen
81fa7730d3 nl80211: Add more TX status details in debug log in AP mode
The actual TX status (whether ACK frame was received) was not included
in the debug log in AP mode. Add that for all cases. In addition, add
some more details in the debug log to make the log more helpful in
debugging issues related to frame delivery.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:06:35 +02:00
Jouni Malinen
60c435493d tests: SAE and RSNE mismatch in EAPOL-Key msg 2/4
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 11:16:22 +02:00
Jouni Malinen
f21fbfb977 Allow RSNE in EAPOL-Key msg 2/4 to be overridden for testing purposes
The new wpa_supplicant control interface parameter rsne_override_eapol
can be used similarly to the earlier rsnxe_override_eapol to override
the RSNE value added into EAPOL-Key msg 2/4.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 11:11:38 +02:00
Jouni Malinen
2b8f8a4721 tests: FT protocol RSNE/RSNXE mismatch in Reassociation Response frame
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
46e147fcdc Allow RSNE/RSNXE to be replaced in FT protocol Reassocation Response frame
This can be used to test station side behavior for FT protocol
validation steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
1a8e9334c0 FT: Check RSNE/RSNXE match in FT protocol Reassociation Response frame
While 13.7.1 (FT reassociation in an RSN) in P802.11-REVmd/D3.0 did not
explicitly require this to be done, this is implied when describing the
contents of the fourth message in the FT authentication sequence (see
13.8.5). Furthermore, 20/332r2 is proposing an explicit validation step
to be added into 13.7.1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
a8d2ca9e23 wlantest: Do not report PMF failure without BSS supporting PMF
Previously, missing CCMP protection on Robust Management frames was
reported based on the STA having indicated MFPC=1. That is not accurate
since the AP/BSS may have MFPC=0. Report this failure only if both the
AP and STA have indicated MFPC=1, i.e., when PMF has been negotiated for
the association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-14 18:20:31 +02:00
Jouni Malinen
80d4122159 wlantest: Detect and report plaintext payload in protected frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-14 17:36:41 +02:00
Jouni Malinen
839bab785b nl80211: Debug print driver capabilities
This can be helpful in understanding driver behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-13 20:03:14 +02:00
Jouni Malinen
e861fa1f6b Move the "WPA: AP key_mgmt" debug print to be after final changes
Driver capabilities may end up masking out some WPA_KEY_MGMT_* bits, so
debug print the outcome only after having performed all these steps.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-13 20:01:53 +02:00
Gurumoorthi Gnanasambandhan
1d9cff86bd Multi-AP: Set 4-address mode after network selection
Split multi_ap_process_assoc_resp() to set 4-address mode after network
selection. Previously, wpa_s->current_ssid might have been NULL in some
cases and that would have resulted in 4-address mode not getting enabled
properly.

Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
2020-03-13 17:00:19 +02:00
Ben Greear
e0fb468a7d HS 2.0 server: Add a note on OCSP server hostname
Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-03-13 16:52:29 +02:00
Ben Greear
440dac7558 hs20-osu-client: Use more specific debug message on OSU connection
Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-03-13 16:52:29 +02:00
Jouni Malinen
55093c8014 tests: Current Operating Class value from STA
Verify Supported Operating Classes element contents from STA in various
HT and VHT cases.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-11 18:30:51 +02:00
Ananya Barat
2b9713d616 Fill the current opclass in (Re)AssocRequest depending on HT/VHT IEs
The previous implementation was assuming a fixed 20 MHz channel
bandwidth when determining which operating class value to indicate as
the Current Operating Class in the Supported Operating Classes element.
This is not accurate for many HT/VHT cases.

Fix this by determining the current operating class (i.e., the operating
class used for the requested association) based on the HT/VHT operation
elements from scan results.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-11 18:30:31 +02:00
Hrishikesh Vidwans
d9a7b71a78 AP: Fix regression in frequency check for a usable EDMG channel
Commit 5f9b4afd ("Use frequency in HT/VHT validation steps done before
starting AP") modified hostapd_is_usable_edmg() to use freq instead of
channel numbers. Unfortunately, it did not convert the frequency
calculation correctly and this broke EDMG functionality.

Fix the frequency calculation so that EDMG channel 9 works again.

Fixes: 5f9b4afdfa ("Use frequency in HT/VHT validation steps done before starting AP")
Signed-off-by: Hrishikesh Vidwans <hvidwans@codeaurora.org>
2020-03-11 17:54:13 +02:00
Arturo Buzarra
1f13c1393c mesh: Fix CONFIG_HT_OVERRIDES build without CONFIG_VHT_OVERRIDES
Commit e5a9b1e8a3 ("mesh: Implement use of VHT20 config in mesh mode")
introduced the possibility to check the disable_vht param. However, this
entry is only available when CONFIG_VHT_OVERRIDES is enabled and as
such, this broke the build for some cases.

Fix this by encapsulating VHT property with the proper CONFIG entry.

Fixes: e5a9b1e8a3 ("mesh: Implement use of VHT20 config in mesh mode")
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
2020-03-10 22:55:16 +02:00
Jouni Malinen
52efde2aaa WPS: Do not set auth_alg=OPEN for PSK+SAE case
When wps_cred_add_sae=1 is used, WPS_AUTH_WPA2PSK credential gets
converted to enabling both PSK and SAE AKMs. However, this case was
still hardcoded auth_alg=OPEN which is not really correct for SAE. While
the SME-in-wpa_supplicant case can handle that, the SME-in-driver case
might not. Remove the unnecessary auth_alg=OPEN configuration to get the
normal PSK+SAE configuration enabled for the network profile.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-10 20:48:15 +02:00
Janusz Dziedzic
60b06d8750 tests: Set device_name for WPS test cases
Set device_name in the test cases instead of relying on the
wpa_supplicant configuration file. This fixes problems when we run WPS
test cases in remote test environment.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-03-08 17:14:48 +02:00
Janusz Dziedzic
fbf877b012 tests: Clear regulatory domain on the correct remote device
In case we run remote tests we need to clear/set regulatory domain on
the correct device.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-03-08 17:13:47 +02:00
Janusz Dziedzic
12a508a11f tests: remote: Allow to run module tests
Add a new command line option -f (--modules) that will run all test
cases from the specified module(s).

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-03-08 17:10:57 +02:00
Jouni Malinen
10223b501b SAE: Expose sae_write_commit() error cases to callers
Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:59:42 +02:00
Jouni Malinen
7f1f69e897 SAE: Check hmac_sha256() result in sae_token_hash()
In theory, hmac_sha256() might fail, so check for that possibility
instead of continuing with undetermined index value that could point to
an arbitrary token entry.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:51:30 +02:00
Jouni Malinen
b0927e5d06 nl80211: Fix error print for hapd_send_eapol()
The return value from nl80211_send_monitor() is not suitable for use
with strerror(). Furthermore, nl80211_send_monitor() itself is printing
out a more detailed error reason.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:48:00 +02:00
Jouni Malinen
a17cbcd698 os_unix: Call srandom() only if os_get_random() succeeds
Don't use uninitialized stack memory if /dev/urandom is not available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:43:09 +02:00
Jouni Malinen
17ba51b14d nl80211: Fix tx_control_port error print
send_and_recv_msgs() returns a negative number as the error code and
that needs to be negated for strerror().

Fixes: 8759e9116a ("nl80211: Control port over nl80211 helpers")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:38:57 +02:00
Jouni Malinen
bb2ea8e5e3 DPP: Remove unreachable return statement
This was forgotten from an earlier development version.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:35:45 +02:00
Jouni Malinen
7dcc5f7feb SAE: Check sta pointer more consistently in testing code
send_auth_reply() could be called with sta == NULL in certain error
conditions. While that is not applicable for this special test
functionality for SAE, the inconsistent checks for the sta pointer could
result in warnings from static analyzers. Address this by explicitly
checking the sta pointer here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:32:47 +02:00
Jouni Malinen
15d63c6043 Clean up hostapd_get_he_twt_responder() processing
mode->he_capab is an array and as such, there is no point in checking
whether it is NULL since that cannot be the case. Check for the
he_supported flag instead. In addition, convert the TWT responder
capability bit into a fixed value 1 to avoid any surprising to the
callers. In practice, neither of these changes results in different
behavior in the current implementation, but this is more robust.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-08 16:28:03 +02:00