The length check for the BSS Termination Duration subelement was
accidentally removed and this could result in reading up to 10 bytes
beyond the end of a received frame. The actual read bytes would be
stored locally, but they were not used for anything, so other than
reading beyond the end of an allocated heap memory buffer, this did not
result in any behavior difference or exposure of the bytes.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14922
Fixes: 093226783d ("WNM: Simplify how candidate subelements are stored")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Avoid a memory leak in fuzzer tests by calling wnm_deallocate_memory()
before exiting since this fuzzing wrapper does not use full
wpa_supplicant_cleanup().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The bootstrapping URI format for DPP was extended during protocol design
to allow a list of channels without having to repeat the same operating
class information for each channel. That change was not included in the
initial implementation of the parser and a channel-list like
"C:81/1,6,11" would not be understood correctly (i.e., only the longer
"C:81/1,81/6,81/11" form would have been parsed correctly).
Fix this by extending the parser to accept both the shorter and longer
form for a list of channels within a single operating class.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this
was missing from the initial implementation. The AP side behavior was
not described properly in 802.11ai due to a missing change in the
(Re)Association Response frame format tables which has resulted in some
deployed devices not including the RSNE.
For now, use an interoperability workaround to ignore the missing RSNE
and only check the payload of the element if it is present in the
protected frame. In other words, enforce this validation step only with
an AP that implements FILS authentication as described in REVmd while
allowing older implementations to skip this check (and the protection
against downgrade attacks). This workaround may be removed in the future
if it is determined that most deployed APs can be upgraded to add RSNE
into the (Re)Association Response frames.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This AP behavior was missing from IEEE Std 802.11ai-2016, but it is
needed for the RSNE validation to work correctly and for a FILS STA to
be able to perform the mandatory check for RSNE matching when processing
the (Re)Association Response frame (as described in 802.11ai). REVmd
will be updating the standard to cover this AP case, so prepare the
implementation to match that. Without this, a FILS STA might reject
association whenever using FILS authentication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
wpa_dbus_dict_close_write() was not called if
fill_dict_with_properties() fails and that could result in leaking
memory. Fix this in two cases. There might be other missing calls to
jouni@codeaurora.org() on error paths, but those will need to be handled
separately with more complex changes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If OCSP_resp_find_status() fails with the first OCSP_CERTID, the
generation of the second OCSP_CERTID ended up leaking memory. Fix this
by freeing the previously allocated OCSP_CERTID on that code path.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->own_protocol_key to be overridden without having
freed the previously stored key in case a test sequence in
dpp_proto_auth_conf_replaced_by_resp is used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not allow auth->peer_protocol_key to be overridden without having
freed the previously stored key in case two Authentication Response
messages are received.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The result of EC_GROUP_dup() needs to be freed, so do so within the
derivation functions for all error cases and in the callers for success
cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a separate error case handler for eap_pax_mac() failures and memcmp
to avoid wpa_hexdump() calls for the (mainly theoretical) local error
cases in deriving the MAC.
Fixes: b3c2b5d9f7 ("EAP-PAX server: Check hash function results")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is mostly a theoretical case, but since crypto_bignum_rand() could
fail, need to free the allocated struct crypto_bignum *tmp in such a
case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
BN_clear() does not free the BIGNUM; it only clears its value. Fix this
memory leak by using the appropriate BN_clear_free() function instead.
Fixes: b11fa98bcb ("Add explicit checks for peer's DH public key")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
EC_GROUP_new_by_curve_name() allocates memory for the returned pointer,
so need to free this with EC_GROUP_free() before leaving the calling
functions. This was leaking memory when parsing JWK and when performing
PKEX.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
ec_params needs to be freed before returning from the function.
Extension of this function to support BoringSSL introduced this memory
leak and that was later extended to be the only variant and apply to
OpenSSL and LibreSSL cases as well in commit c23e87d0d1 ("OpenSSL:
Replace EVP_PKEY_paramgen() with EC_KEY_new_by_curve_name()").
Fixes: f29761297b ("BoringSSL: Implement crypto_ecdh_init()")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
In practice, some APs have interop issues with the DUT. This sub command
is used to transfer the AP info between the driver and user space. This
works both as a command and event. As a command, it configures the
stored list of APs from user space to firmware; as an event, it
indicates the AP info detected by the firmware to user space for
persistent storage. The attributes defined in enum
qca_vendor_attr_interop_issues_ap are used to deliver the parameters.
Signed-off-by: Paul Zhang <paulz@codeaurora.org>
There is no actual need for running the authentication server with
driver=nl80211, so simplify this by using driver=none instead. This
frees up apdev[1] for actual AP needs in the test cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This speeds up test execution significantly by removing unnecessary
waiting for things to happen since the kernel log is allowed to jump
forward whenever there is nothing to do.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The initial commit used srp instead of spr for the spatial reuse
configuration prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
If none of the sr_control bits are set, we do not neet to add the IE to
the Beacon frame.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
This test case was failing frequently due to the station not being able
to connect back to the AP if the interrupted channel switch ended up
moving the AP to the new channel anyway on restart. Scan both possible
channels to allow the AP to be found in either case.
Signed-off-by: Jouni Malinen <j@w1.fi>
While this should not happen in practical use cases,
wpa_get_ntp_timestamp() could return the same value when called twice in
a row quickly. Work around that case by enforcing a new Replay Counter
value based on stored last value.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows UML builds to be used in running user mode without having to
run the full x86 kernel in virtual machine.
Signed-off-by: Jouni Malinen <j@w1.fi>
Update enum qca_wlan_vendor_attr_get_wifi_info to add support for
attribute QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX. In addition
update the documentation for qca_wlan_vendor_attr_get_wifi_info and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO to fully describe the
operation of the command and the format of the attributes.
Signed-off-by: Jeff Johnson <jjohnson@codeaurora.org>
Add a QCA vendor sub command QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING
to implement beacon reporting feature. Different operations required to
implement this feature can be specified in
QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_OP_TYPE.
Userspace requests the driver/firmware to periodically report received
Beacon frames whose BSSID matches the current connected BSS's MAC
address. If userspace requests the driver/firmware to send beacon
reports actively, the driver encapsulates the details of the beacon in
an event and sends it to userspace asynchronously. Otherwise, the driver
will only update the beacon in cfg80211 scan cache but will not send any
event to userspace.
If this command is not issued, the current behavior of the
driver/firmware is to update the cfg80211 scan cache only when there is
a scan issued by the host in progress or whenever there is a change in
IEs of the Beacon frames from the current connected BSS.
The userspace requests the driver/firmware to stop reporting beacons
when reporting is not required anymore. If the driver/firmware is not
able to receive Beacon frames because of other Wi-Fi operations such as
off-channel activities, etc., the driver/firmware sends a pause event to
userspace and stops reporting Beacon frames. The driver/firmware
indicates whether the beacon reporting automatically resumes later by
using the QCA_WLAN_VENDOR_ATTR_BEACON_REPORTING_AUTO_RESUMES flag. If
userspace doesn't want the beacon reporting to be resumed automatically,
userspace can send QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP command to
the driver to stop beacon reporting.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439
The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.
The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.
In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This provides a mechanism for configuring per-STA airtime weight for
airtime policy configuration.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Commit 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and
deprecated APIs") removed a call to ENGINE_load_dynamic() for newer
versions of OpenSSL, asserting that it should happen automatically.
That appears not to be the case, and loading engines now fails because
the dynamic engine isn't present.
Fix it by calling ENGINE_load_builtin_engines(), which works for all
versions of OpenSSL. Also remove the call to ERR_load_ENGINE_strings()
because that should have happened when SSL_load_error_strings() is
called anyway.
Fixes: 373c796948 ("OpenSSL: Fix compile with OpenSSL 1.1.0 and deprecated APIs")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Maintain a single array (of struct with two int variables) instead of
two independent arrays (of int) for tracking know ifindexes and reasons
for having added them. The previous implementation tried to maintain two
independent arrays even though they were always required to be of
exactly same length and order. That had resulted in a bug earlier and
the code was not exactly easy to understand either, so replace this with
a single array.
Signed-off-by: Jouni Malinen <j@w1.fi>
Addition of a separate if_indices_reason array broke reallocation
failure checking. drv->if_indices or drv->if_indices_reason could not be
NULL in the place where this check was moved to. Fix that by maintaining
knowledge of reallocation failure in a separate local variable.
Fixes: 732b1d20ec ("nl80211: Clean up ifidx properly if interface in a bridge is removed")
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no point in checking this pointer against NULL after it has
been dereferenced. Move the check to the beginning of the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
An earlier change in drivers_ops API for struct external_auth broke the
way SSID and BSSID for an external authentication request were stored.
The implementation depended on the memory array being available in the
API struct with a use of memcpy() to copy the full structure even though
when only SSID and BSSID was needed. Fix this by replacing that
easy-to-break storing mechanism with explicit arrays for the exact set
of needed information.
Fixes: dd1a8cef4c ("Remove unnecessary copying of SSID and BSSID for external_auth")
Signed-off-by: Jouni Malinen <j@w1.fi>
The new wpa_supplicant network profile configuration parameter
ft_eap_pmksa_caching=1 can be used to enable use of PMKSA caching with
FT-EAP for FT initial mobility domain association. This is still
disabled by default (i.e., maintaining previous behavior) to avoid
likely interoperability issues.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows authenticator side to complete FT initial mobility domain
association using FT-EAP with PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows supplicant side to complete FT initial mobility domain
association using FT-EAP with PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When completing FT initial mobility domain association with EAP, store
XXKey/MPMK in the PMKSA cache instead of MSK. The previously stored MSK
was of no use since it could not be used as the XXKey for another FT
initial mobility domain association using PMKSA caching.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The change to use a shared dragonfly_generate_scalar() helper function
resulted in failures in sae_no_random and sae_bignum_failure test cases
due to renamed functions and removed uses.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
It is apparently possible to somehow trigger the driver to report a
channel switch event during ACS operation when the interface information
is not yet complete. hapd->iface->current_mode could be NULL in that
case and that would result in process termination due to NULL pointer
dereference.
It should not really be possible to trigger a channel switch during ACS
is running (i.e., before the AP mode operation has been started), but
since that has been seen in an arbitrary test sequence with interface
start/stop operations with various parameters (both valid and invalid),
better prevent a crash here by ignoring the unexpected event instead of
trying to process it.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>