int_array_concat() and int_array_add_unique() could potentially end up
overflowing the int type variable used to calculate their length. While
this is mostly theoretical for platforms that use 32-bit int, there
might be cases where a 16-bit int overflow could be hit. This could
result in accessing memory outside buffer bounds and potentially a
double free when realloc() ends up freeing the buffer.
All current uses of int_array_add_unique() and most uses of
int_array_concat() are currently limited by the buffer limits for the
local configuration parameter or frame length and as such, cannot hit
this overflow cases. The only case where a long enough int_array could
be generated is the combination of scan_freq values for a scan. The
memory and CPU resource needs for generating an int_array with 2^31
entries would not be realistic to hit in practice, but a device using
LP32 data model with 16-bit int could hit this case.
It is better to have more robust checks even if this could not be
reached in practice, so handle cases where more than INT_MAX entries
would be added to an int_array as memory allocation failures instead of
allowing the overflow case to proceed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to
remove RSNXE from Beacon frames. This can be used to test protection
mechanisms for downgrade attacks.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Response frame so
that a STA not supporting RSNXE can still validate the FTE MIC
correctly.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Request frame so
that an AP not supporting RSNXE can still validate the FTE MIC
correctly.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Verify that the AP included RSNXE in Beacon/Probe Response frames if it
indicated in FTE that RSNXE is used. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Verify that the STA includes RSNXE if it indicated in FTE that RSNXE is
used and the AP is also using RSNXE. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is a workaround needed to keep FT protocol backwards compatible for
the cases where either the AP or the STA uses RSNXE, but the other one
does not. This commit adds setting of the new field to 1 in
Reassociation Request/Response frame during FT protocol when the STA/AP
uses RSNXE in other frames. This mechanism is described in 20/332r3.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add key configuration parameters needed to support Extended Key ID with
pairwise keys. Add a driver capability flag to indicate support forusing
this.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.
This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").
Add it again and update check_key_flag() accordingly.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
This is needed to avoid leaving external components (through control
interface or D-Bus) timing out while waiting for the scan completion
events. This was already taken care of for the scan-only case
("TYPE=only"), but the scan-and-allow-roaming case did not report the
scan completion event when operating in AP mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like this test case can fail if the STA goes to power save mode
and the Deauthentication frame from the AP after session timeout is not
actually sent at all. Check more details to make it clear that this is
indeed the reason behind the failure.
Signed-off-by: Jouni Malinen <j@w1.fi>
The actual TX status (whether ACK frame was received) was not included
in the debug log in AP mode. Add that for all cases. In addition, add
some more details in the debug log to make the log more helpful in
debugging issues related to frame delivery.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new wpa_supplicant control interface parameter rsne_override_eapol
can be used similarly to the earlier rsnxe_override_eapol to override
the RSNE value added into EAPOL-Key msg 2/4.
Signed-off-by: Jouni Malinen <j@w1.fi>
While 13.7.1 (FT reassociation in an RSN) in P802.11-REVmd/D3.0 did not
explicitly require this to be done, this is implied when describing the
contents of the fourth message in the FT authentication sequence (see
13.8.5). Furthermore, 20/332r2 is proposing an explicit validation step
to be added into 13.7.1.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, missing CCMP protection on Robust Management frames was
reported based on the STA having indicated MFPC=1. That is not accurate
since the AP/BSS may have MFPC=0. Report this failure only if both the
AP and STA have indicated MFPC=1, i.e., when PMF has been negotiated for
the association.
Signed-off-by: Jouni Malinen <j@w1.fi>
Driver capabilities may end up masking out some WPA_KEY_MGMT_* bits, so
debug print the outcome only after having performed all these steps.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Split multi_ap_process_assoc_resp() to set 4-address mode after network
selection. Previously, wpa_s->current_ssid might have been NULL in some
cases and that would have resulted in 4-address mode not getting enabled
properly.
Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
The previous implementation was assuming a fixed 20 MHz channel
bandwidth when determining which operating class value to indicate as
the Current Operating Class in the Supported Operating Classes element.
This is not accurate for many HT/VHT cases.
Fix this by determining the current operating class (i.e., the operating
class used for the requested association) based on the HT/VHT operation
elements from scan results.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 5f9b4afd ("Use frequency in HT/VHT validation steps done before
starting AP") modified hostapd_is_usable_edmg() to use freq instead of
channel numbers. Unfortunately, it did not convert the frequency
calculation correctly and this broke EDMG functionality.
Fix the frequency calculation so that EDMG channel 9 works again.
Fixes: 5f9b4afdfa ("Use frequency in HT/VHT validation steps done before starting AP")
Signed-off-by: Hrishikesh Vidwans <hvidwans@codeaurora.org>
Commit e5a9b1e8a3 ("mesh: Implement use of VHT20 config in mesh mode")
introduced the possibility to check the disable_vht param. However, this
entry is only available when CONFIG_VHT_OVERRIDES is enabled and as
such, this broke the build for some cases.
Fix this by encapsulating VHT property with the proper CONFIG entry.
Fixes: e5a9b1e8a3 ("mesh: Implement use of VHT20 config in mesh mode")
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
When wps_cred_add_sae=1 is used, WPS_AUTH_WPA2PSK credential gets
converted to enabling both PSK and SAE AKMs. However, this case was
still hardcoded auth_alg=OPEN which is not really correct for SAE. While
the SME-in-wpa_supplicant case can handle that, the SME-in-driver case
might not. Remove the unnecessary auth_alg=OPEN configuration to get the
normal PSK+SAE configuration enabled for the network profile.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Set device_name in the test cases instead of relying on the
wpa_supplicant configuration file. This fixes problems when we run WPS
test cases in remote test environment.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Add a new command line option -f (--modules) that will run all test
cases from the specified module(s).
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Check whether an error is reported from any of the functions that could
in theory fail and if so, do not proceed with the partially filled SAE
commit buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
In theory, hmac_sha256() might fail, so check for that possibility
instead of continuing with undetermined index value that could point to
an arbitrary token entry.
Signed-off-by: Jouni Malinen <j@w1.fi>
The return value from nl80211_send_monitor() is not suitable for use
with strerror(). Furthermore, nl80211_send_monitor() itself is printing
out a more detailed error reason.
Signed-off-by: Jouni Malinen <j@w1.fi>
send_and_recv_msgs() returns a negative number as the error code and
that needs to be negated for strerror().
Fixes: 8759e9116a ("nl80211: Control port over nl80211 helpers")
Signed-off-by: Jouni Malinen <j@w1.fi>
send_auth_reply() could be called with sta == NULL in certain error
conditions. While that is not applicable for this special test
functionality for SAE, the inconsistent checks for the sta pointer could
result in warnings from static analyzers. Address this by explicitly
checking the sta pointer here.
Signed-off-by: Jouni Malinen <j@w1.fi>
mode->he_capab is an array and as such, there is no point in checking
whether it is NULL since that cannot be the case. Check for the
he_supported flag instead. In addition, convert the TWT responder
capability bit into a fixed value 1 to avoid any surprising to the
callers. In practice, neither of these changes results in different
behavior in the current implementation, but this is more robust.
Signed-off-by: Jouni Malinen <j@w1.fi>