Commit graph

16088 commits

Author SHA1 Message Date
Jouni Malinen
2f06008564 loop: Use size_t for eloop.count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets/signals/events be registered.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
7858f493f3 eloop: Use size_t for socket table->count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int should more than 32767
sockets be registered (which is not really going to happen in practice).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
3f45b8daeb hs20-osu-client: Use size_t for certificate components
This avoids a theoretical integer overflow with 16-bit unsigned int
should a certificate be encoded with more that 65535 friendly names or
icons.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
913220cbb8 eloop: Use size_t for signal_count
This is more consistent with the other eloop registrations and avoids a
theoretical integer overflow with 16-bit int (not that there would ever
be more that 32767 signal handlers getting registered).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
ae7193611f Limit maximum number of pending SA Queries
There is no point in starting a huge number of pending SA Queries, so
limit the number of pending queries to 1000 to have an explicit limit
for how large sa_query_count can grow.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
02b43c557c RADIUS: Use size_t instead of int for message attributes
While RADIUS messages are limited to 4 kB, use size_t to avoid even a
theoretical overflow issue with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
a2c23195ad D-Bus: Use size_t for values theoretically larger than 16-bit int
These are theoretical cases with 32-bit integers, but cases that could
potentially hit an integer overflow with 16-bit int.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
d2d16e3100 Use size_t instead of int or unsigned int for configuration items
While int and unsigned int are not going overflow in practice as 32-bit
values, these could at least in theory hit an integer overflow with
16-bit int. Use size_t to avoid such potential issue cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
4391ddd639 Use size_t instead of unsigned_int for last_scan_res
This avoids a theoretical unsigned integer overflow case with 32-bit
integers, but something that could potentially be hit with 16-bit int
(though, even that part looks pretty theoretical in this particular case
of number of BSSs in scan results).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-22 18:50:04 +02:00
Jouni Malinen
7fb365893a tests: Wait longer for connection in radius_macacl_unreachable
It looks ike the authentication timeouts may continue a bit longer after
some kernel changes and that could result in temporarily disabling the
network profile. Give this test case more time to complete the
connection to avoid reporting failures unnecessarily.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 23:56:19 +02:00
Jouni Malinen
275509ee67 tests: Update prefer_vht40 throughput estimation
Match the updated max_ht40_rate() estimation with VHT.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 19:33:38 +02:00
Matthew Wang
22f0318dbd Interpolate rate calculation functions
Make max_*_rate() functions and rate calculation at the beginning of
wpas_get_est_tpt() more continuous. In wpa_supplicant_need_to_roam(), we
compare these values to make a roaming decision. However, at certain
SNRs, we see unrealistically large jumps in estimated throughput
according to these functions, leading us to make incorrect roaming
decisions. Perform linear interpolation where applicable to more
accurately reflect actual throughput.

Example:
wlan0: Current BSS: 88:3d:24:b4:95:d2 freq=2412 level=-69 snr=20 est_throughput=54000
wlan0: Selected BSS: 88:3d:24:b4:89:9e freq=2417 level=-67 snr=22 est_throughput=63500
wlan0: Using signal poll values for the current BSS: level=-69 snr=20 est_throughput=54000
wlan0: Allow reassociation - selected BSS has better estimated throughput

2 dB increase in RSSI likely isn't responsible for a 17% increase in
throughput.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2020-03-21 19:00:44 +02:00
Matthew Wang
3a25897ef7 Adjust max bitrate SNR floors
These values were defined in commit a1b790eb9d ("Select AP based on
estimated maximum throughput") with no justification. Other sources
[0,1,2] give a different (consistent) set of SNR floors per MCS index.
Adjust the values accordingly.

[0] http://www.revolutionwifi.net/revolutionwifi/2014/09/wi-fi-snr-to-mcs-data-rate-mapping.html
[1] https://higher-frequency.blogspot.com/2016/10/80211n-80211ac-data-rates-and-snr.html
[2] https://www.wlanpros.com/resources/mcs-index-802-11ac-vht-chart/

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2020-03-21 18:17:44 +02:00
Jouni Malinen
a60a0a43c7 tests: Fix bgscan_simple_beacon_loss with REPORTS_TX_ACK_STATUS
Stopping the AP from beaconing will also stop it from acknowledging
frames and that resulted in bgscan_simple_beacon_loss failing when
mac80211_hwsim is registering REPORTS_TX_ACK_STATUS. Work around this by
moving to using PMF so that the station ignores the unprotected
deauthentiation frames from the AP and also disabling SA Query. This
allows the AP to be stopped and restarted with large enough Beacon
interval to allow the station to detect beacon loss.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 18:13:28 +02:00
Jouni Malinen
eb26a6997d Allow SA Query to be disabled for testing purposes
The new wpa_supplicant control interface SET parameter disable_sa_query
can now be used to disable SA Query on receiving unprotected
disconnection event.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 18:12:02 +02:00
Ouden
7546c489a9 nl80211: Fix RTM NEW/DELLINK IFLA_IFNAME copy for maximum ifname length
If the kernel rtm_newlink or rtm_dellink send the maximum length of
ifname (IFNAMSIZ), the event handlers in
wpa_driver_nl80211_event_rtm_addlink() and
wpa_driver_nl80211_event_rtm_dellink() did not copy the IFLA_IFNAME
value. Because the RTA_PAYLOAD (IFLA_IFNAME) length already includes the
NULL termination, that equals the IFNAMSIZ.

Fix the condition when IFNAME reach maximum size.

Signed-off-by: Ouden <Ouden.Biz@gmail.com>
2020-03-21 17:12:29 +02:00
Sourav Mohapatra
22547c3148 More details to the vendor specific driver internal failure reporting
Add more hang reason codes for the hang reason in the
QCA_NL80211_VENDOR_SUBCMD_HANG events. This also introduces the
attribute QCA_WLAN_VENDOR_ATTR_HANG_REASON_DATA to carry the required
data for the respective hang reason. This data is expected to contain
the required dump to analyze the reason for the hang.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 17:12:29 +02:00
Jouni Malinen
51e8f5d63c Ignore duplicated SSID element when parsing
Some APs have managed to add two SSID elements into Beacon frames and
that used to result in picking the last one which had incorrect data in
the known examples of this misbehavior. Pick the first one to get the
correct SSID.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 17:12:29 +02:00
Veerendranath Jakkam
5a296129fc Set beacon protection config irrespective of macro CONFIG_FILS
This was not supposed to be conditional on CONFIG_FILS.

Fixes: ecbf59e693 ("wpa_supplicant configuration for Beacon protection")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 17:12:29 +02:00
Jouni Malinen
cc79eb725f Check against integer overflow in int_array functions
int_array_concat() and int_array_add_unique() could potentially end up
overflowing the int type variable used to calculate their length. While
this is mostly theoretical for platforms that use 32-bit int, there
might be cases where a 16-bit int overflow could be hit. This could
result in accessing memory outside buffer bounds and potentially a
double free when realloc() ends up freeing the buffer.

All current uses of int_array_add_unique() and most uses of
int_array_concat() are currently limited by the buffer limits for the
local configuration parameter or frame length and as such, cannot hit
this overflow cases. The only case where a long enough int_array could
be generated is the combination of scan_freq values for a scan. The
memory and CPU resource needs for generating an int_array with 2^31
entries would not be realistic to hit in practice, but a device using
LP32 data model with 16-bit int could hit this case.

It is better to have more robust checks even if this could not be
reached in practice, so handle cases where more than INT_MAX entries
would be added to an int_array as memory allocation failures instead of
allowing the overflow case to proceed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-21 17:12:17 +02:00
Jouni Malinen
2af3d99cd3 tests: Additional FT-SAE with RSNXE testing
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:24:03 +02:00
Jouni Malinen
a55ecfeabe Allow RSNXE to be removed from Beacon frames for testing purposes
The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to
remove RSNXE from Beacon frames. This can be used to test protection
mechanisms for downgrade attacks.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:24:03 +02:00
Jouni Malinen
b7366a942a FT: Omit RSNXE from FT protocol Reassociation Response when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Response frame so
that a STA not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
6140cca819 FT: Omit RSNXE from FT protocol Reassociation Request when needed
The previous design for adding RSNXE into FT was not backwards
compatible. Move to a new design based on 20/332r3 to avoid that issue
by not include RSNXE in the FT protocol Reassociation Request frame so
that an AP not supporting RSNXE can still validate the FTE MIC
correctly.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
35936cd2cf FT: Verify that RSNXE is used consistently in Reassociation Response
Verify that the AP included RSNXE in Beacon/Probe Response frames if it
indicated in FTE that RSNXE is used. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-21 00:01:47 +02:00
Jouni Malinen
497ae9f004 FT: Verify that RSNXE is used consistently in Reassociation Request
Verify that the STA includes RSNXE if it indicated in FTE that RSNXE is
used and the AP is also using RSNXE. This is needed to protect against
downgrade attacks based on the design proposed in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:33:02 +02:00
Jouni Malinen
51d1924bd8 FT: Set the new RSNXE Used subfield in FT reassociation
This is a workaround needed to keep FT protocol backwards compatible for
the cases where either the AP or the STA uses RSNXE, but the other one
does not. This commit adds setting of the new field to 1 in
Reassociation Request/Response frame during FT protocol when the STA/AP
uses RSNXE in other frames. This mechanism is described in 20/332r3.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-20 21:23:48 +02:00
Jouni Malinen
c557720ef0 tests: sigma_dut AP configuration for different channels
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-16 16:22:32 +02:00
Jouni Malinen
5732e57423 tests: Use hostapd_logdir in sigma_dut_ap_psk_sha256
logdir was prepared for this test case, but it was not actually used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-16 15:38:27 +02:00
Alexander Wetzel
6ea7a152c6 wlantest: Basic Extended Key ID support
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-16 00:07:20 +02:00
Jouni Malinen
796253a65f nl80211: Debug print set_key() command names
This makes it easier to understand the debug log for various set_key()
operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:42:21 +02:00
Alexander Wetzel
ac22241532 nl80211: Extended Key ID support
Add key configuration parameters needed to support Extended Key ID with
pairwise keys. Add a driver capability flag to indicate support forusing
this.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:39:57 +02:00
Jouni Malinen
a1afa2df8a Remove unnecessary and confusing length check from the PMKID KDE case
wpa_parse_kde_ies(), i.e., the only caller to wpa_parse_generic(),
verifies that there is room for KDE Length field and pos[1] (that
length) octets of payload in the Key Data buffer. The PMKID KDE case
within wpa_parse_generic() was doing an unnecessary separate check for
there being room for the Length, OUI, and Data Type fields. This is
covered by the check in the calling function with the combination of
verifying that pos[1] is large enough to contain RSN_SELECTOR_LEN +
PMKID_LEN octets of payload.

This is confusing since no other KDE case was checking remaining full
buffer room within wpa_parse_generic(). Clean this up by removing the
unnecessary check from the PMKID KDE case so that all KDEs are handled
consistently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 23:24:18 +02:00
Alexander Wetzel
094c9cdc7e Add parsing of Key ID KDE for Extended Key ID
wpa_parse_generic() can now recognize the Key ID KDE that will be needed
to deliver the Key ID of the pairwise key when Extended Key ID is used.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:17:56 +02:00
Alexander Wetzel
f5c0104f3b Add KEY_FLAG_MODIFY for Extended Key ID support
KEY_FLAG_MODIFY was initial added for the planned Extended Key ID
support with commit a919a26035 ("Introduce and add key_flag") and then
removed with commit 82eaa3e688 ("Remove the not yet needed
KEY_FLAG_MODIFY") to simplify commit e9e69221c1 ("Validity checking
function for key_flag API").

Add it again and update check_key_flag() accordingly.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-03-15 23:00:10 +02:00
Jouni Malinen
e9d2cd71af tests: Scanning in AP mode
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:22:47 +02:00
Jouni Malinen
9e30180a30 nl80211: Allow scanning in wpa_supplicant AP mode
If the driver supports this, request cfg80211 to allow the explicitly
requested scan to go through in AP mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:21:35 +02:00
Jouni Malinen
fab94f16e6 Indicate scan completion in active AP mode even when ignoring results
This is needed to avoid leaving external components (through control
interface or D-Bus) timing out while waiting for the scan completion
events. This was already taken care of for the scan-only case
("TYPE=only"), but the scan-and-allow-roaming case did not report the
scan completion event when operating in AP mode.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 21:18:16 +02:00
Jouni Malinen
037e004c16 nl80211: Remove extraneous space from send_mlme debug print
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:09:27 +02:00
Jouni Malinen
2e22f3e82e tests: Check more details in pmksa_cache_ap_expiration
It looks like this test case can fail if the STA goes to power save mode
and the Deauthentication frame from the AP after session timeout is not
actually sent at all. Check more details to make it clear that this is
indeed the reason behind the failure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:07:52 +02:00
Jouni Malinen
81fa7730d3 nl80211: Add more TX status details in debug log in AP mode
The actual TX status (whether ACK frame was received) was not included
in the debug log in AP mode. Add that for all cases. In addition, add
some more details in the debug log to make the log more helpful in
debugging issues related to frame delivery.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 17:06:35 +02:00
Jouni Malinen
60c435493d tests: SAE and RSNE mismatch in EAPOL-Key msg 2/4
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 11:16:22 +02:00
Jouni Malinen
f21fbfb977 Allow RSNE in EAPOL-Key msg 2/4 to be overridden for testing purposes
The new wpa_supplicant control interface parameter rsne_override_eapol
can be used similarly to the earlier rsnxe_override_eapol to override
the RSNE value added into EAPOL-Key msg 2/4.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 11:11:38 +02:00
Jouni Malinen
2b8f8a4721 tests: FT protocol RSNE/RSNXE mismatch in Reassociation Response frame
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
46e147fcdc Allow RSNE/RSNXE to be replaced in FT protocol Reassocation Response frame
This can be used to test station side behavior for FT protocol
validation steps.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
1a8e9334c0 FT: Check RSNE/RSNXE match in FT protocol Reassociation Response frame
While 13.7.1 (FT reassociation in an RSN) in P802.11-REVmd/D3.0 did not
explicitly require this to be done, this is implied when describing the
contents of the fourth message in the FT authentication sequence (see
13.8.5). Furthermore, 20/332r2 is proposing an explicit validation step
to be added into 13.7.1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-15 10:39:17 +02:00
Jouni Malinen
a8d2ca9e23 wlantest: Do not report PMF failure without BSS supporting PMF
Previously, missing CCMP protection on Robust Management frames was
reported based on the STA having indicated MFPC=1. That is not accurate
since the AP/BSS may have MFPC=0. Report this failure only if both the
AP and STA have indicated MFPC=1, i.e., when PMF has been negotiated for
the association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-14 18:20:31 +02:00
Jouni Malinen
80d4122159 wlantest: Detect and report plaintext payload in protected frames
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-03-14 17:36:41 +02:00
Jouni Malinen
839bab785b nl80211: Debug print driver capabilities
This can be helpful in understanding driver behavior.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-13 20:03:14 +02:00
Jouni Malinen
e861fa1f6b Move the "WPA: AP key_mgmt" debug print to be after final changes
Driver capabilities may end up masking out some WPA_KEY_MGMT_* bits, so
debug print the outcome only after having performed all these steps.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-03-13 20:01:53 +02:00