Commit graph

11878 commits

Author SHA1 Message Date
Jouni Malinen
3a583e0023 OpenSSL: Fix PKCS#12 parsing of extra certificates with OpenSSL 1.0.1
Commit 8bcf8de827 ('OpenSSL: Fix memory
leak in PKCS12 additional certificate parsing') tried to fix a memory
leak in both the 1.0.2(and newer) and 1.0.1 branches of PKCS12 parsing.
However, the 1.0.1 case was not properly tested and freeing of the
certificate after a successful SSL_CTX_add_extra_chain_cert() call
resulted in use of freed memory when going through the TLS handshake.
Fix this by not freeing the certificate in that specific case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 18:30:55 +02:00
Jouni Malinen
ddd0032e03 wpa_cli: Clean up logical operation
While '!func() == 0' here resulted in correct behavior, it is not clear
and clang is starting to warn about this (-Wlogical-not-parentheses).
Use 'func()' instead as the condition to clear this.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 15:52:08 +02:00
Jouni Malinen
24c382af7a TDLS: Clean up os_memcmp use
Ciuple of the nonce comparisons used a strange '!os_memcmp() == 0' to
check if the values were different. While this resulted in correct
behavior, the construction is not exactly clear and clang has started
warning about this (-Wlogical-not-parentheses). Clean this up by using
'os_mecmp() != 0'.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 15:49:28 +02:00
Jouni Malinen
b333f53f6e tests: Fix eap_proto_sake_errors with OpenSSL 1.1.0
The use of the newer OpenSSL API in openssl_hmac_vector() removes one of
the memory allocations, so the TEST_ALLOC_FAIL here could not trigger.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 15:28:16 +02:00
Jouni Malinen
6136d43b8e trace: Free symbols on program exit
This makes valgrind memleak checks with CONFIG_WPA_TRACE=y somewhat
cleaner.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 14:10:29 +02:00
Jouni Malinen
8bcf8de827 OpenSSL: Fix memory leak in PKCS12 additional certificate parsing
The additional PKCS12 certificates were not freed properly in the loop
added in commit de2a7b796d ('OpenSSL: Use
connection certificate chain with PKCS#12 extra certs').

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 13:29:40 +02:00
Jouni Malinen
03e3ddf84e OpenSSL: Fix memory leak in HMAC_CTX compatibility wrapper function
Commit 5c9a33702f ('OpenSSL: Clean up
crypto_hash_*() to use a single implementation') added a wrapper
function to allow the new OpenSSL API to be used with older OpenSSL
versions. However, the HMAC_CTX_free() wrapper was incorrectly skipping
the call to HMAC_CTX_cleanup() which is still needed to free the
resources OpenSSL allocated internally.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 13:13:36 +02:00
Jouni Malinen
d9a0f69747 OpenSSL: Fix memory leak in OCSP parsing
The result from OCSP_cert_to_id() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:40:41 +02:00
Jouni Malinen
29bc76e3d3 OpenSSL: Do not use library init/deinit functions with 1.1.0
SSL_library_init() does not work properly after EVP_cleanup() starting
from OpenSSL 1.1.0 pre release 3. The automated library init/deinit
functions in that pre release are supposed to handle all initialization
and deinitialiation, so comment out the explicit calls to these function
with OpenSSL 1.1.0 and newer.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:35:34 +02:00
Jouni Malinen
0f09637001 OpenSSL: Fix memory leak in subjectAltName parsing
The parsed data from X509_get_ext_d2i() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:35:20 +02:00
Jouni Malinen
e60913b600 curl: Fix memory leak in subjectAltName parsing
The parsed data from X509_get_ext_d2i() needs to be freed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:33:27 +02:00
Jouni Malinen
6014890bfb OpenSSL: Fix memory leak with EVP_CIPHER_CTX_new()
Commit 1eb87ae48d ('OpenSSL: Use
EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0') started using
EVP_CIPHER_CTX_new() to allocate EVP_CIPHER_CTX from heap instead of
using stack memory. This commit used incorrect EVP_CIPHER_CTX_reset()
function in number of cases when the allocated memory was supposed to be
freed instead of just reset for reuse. Fix this by using
EVP_CIPHER_CTX_free() properly.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:30:43 +02:00
Jouni Malinen
99a17351c7 rfkill: Fix a memory leak
rfkill_init() uses realpath() which allocates memory and that memory was
not freed on the success path.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-16 00:14:47 +02:00
Jouni Malinen
1f1e599b3b OpenSSL: Fix memory leak on error path
If SSL_CTX_new(SSLv23_method()) fails, tls_init() error path did not
free the allocated struct tls_data instance.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-15 21:53:33 +02:00
Lior David
b907491281 wpa_supplicant: Basic support for PBSS/PCP
PBSS (Personal Basic Service Set) is a new BSS type for DMG
networks. It is similar to infrastructure BSS, having an AP-like
entity called PCP (PBSS Control Point), but it has few differences.
PBSS support is mandatory for IEEE 802.11ad devices.

Add a new "pbss" argument to network block. The argument is used
in the following scenarios:
1. When network has mode=2 (AP), when pbss flag is set will start
as a PCP instead of an AP.
2. When network has mode=0 (station), when pbss flag is set will
connect to PCP instead of AP.

The function wpa_scan_res_match() was modified to match BSS according to
the pbss flag in the network block (wpa_ssid structure). When pbss flag
is set it will match only PCPs, and when it is clear it will match only
APs.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-02-08 22:23:56 +02:00
Lior David
86b5c400a0 nl80211: Basic support for PBSS/PCP
PBSS (Personal Basic Service Set) is a new BSS type for DMG
networks. It is similar to infrastructure BSS, having an AP-like
entity called PCP (PBSS Control Point), but it has few differences.
PBSS support is mandatory for IEEE 802.11ad devices.

Add a pbss flag to the relevant structures to support starting a PCP and
connecting to a PCP. Implement support in the nl80211 driver by using
the new PBSS flag attribute.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-02-08 22:16:04 +02:00
Jouni Malinen
afa453a28a Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2016-01-28.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-08 22:12:57 +02:00
Jouni Malinen
0918fe4dda tests: EAP state machine status information
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 21:26:15 +02:00
Jouni Malinen
2f60d1985f tests: Additional EAP-Finish local error coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 21:05:02 +02:00
Jouni Malinen
d1d8a2bd62 EAP peer: Simplify buildNotify return
There is no need for the local variable and two return statements.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 21:01:41 +02:00
Jouni Malinen
7dbd2c6c69 tests: EAP Notification errors
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 21:01:06 +02:00
Jouni Malinen
1314bc11cf Clean up EAP peer PCSC identity functions
Leave out more code if PCSC_FUNCS is not defined since config->pcsc != 0
case cannot be used with such a build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 20:51:04 +02:00
Jouni Malinen
b81e50cddb tests: EAP-Nak special cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 20:43:48 +02:00
Jouni Malinen
bd3948c0eb tests: Memory allocation failing for expanded EAP-Nak
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 20:35:35 +02:00
Jouni Malinen
3d85fd5a12 tests: EAP-Success/Failure prior to any EAP method
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 20:27:13 +02:00
Jouni Malinen
307993f770 tests: ERP init error case on allocation failure
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 20:16:04 +02:00
Nick Lowe
c06c9099f0 Use stronger PRNG for MS-MPPE-Send/Recv-Key salt
When generating a MS-MPPE-Send/Recv-Key, don't use a weak PRNG for the
salt.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-07 18:18:49 +02:00
Jouni Malinen
9e1f1bdb6f eloop: Clean up coding style for eloop debug prints
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-07 18:09:21 +02:00
Roy Marples
f9982b3212 Implement kqueue(2) support via CONFIG_ELOOP_KQUEUE
NOTE: kqueue has to be closed and re-build after forking. epoll *should*
do the same, but it seems that wpa_supplicant doesn't need it at least.

I have re-worked a little bit of the epoll code (moved into a similar
kqueue function) so it's trivial to requeue epoll if needed in the
future.

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-07 18:09:19 +02:00
Roy Marples
2e69bdd16a eloop: Add eloop_sock_requeue()
This function can be used to re-build eloop socket tables after forking
for eloop implementations that need this.

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-07 12:38:04 +02:00
Jörg Krause
70f4f052f1 wpa_ctrl: Retry select() on EINTR
Retry select() if it was interrupted by a signal.

Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
2016-02-07 12:20:38 +02:00
Lubomir Rintel
df9e2c2a55 D-Bus: Don't do <deny send_interface="..." /> in dbus service file
It does more than intended; apart from denying messages to that
particular interface it also denies all messages non-qualified with an
interface globally. This blocks messages completely unrelated to
wpa_supplicant, such as NetworkManager communication with the VPN
plugins.

From the dbus-daemon manual:

  Be careful with send_interface/receive_interface, because the
  interface field in messages is optional. In particular, do NOT
  specify <deny send_interface="org.foo.Bar"/>! This will cause
  no-interface messages to be blocked for all services, which is almost
  certainly not what you intended. Always use rules of the form: <deny
  send_interface="org.foo.Bar" send_destination="org.foo.Service"/>

We can just safely remove those rules, since we're sufficiently
protected by the send_destination matches and method calls are
disallowed by default anyway.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2016-02-07 11:55:09 +02:00
Jouni Malinen
fe28ed3f29 tests: Secure mesh network plink counting during reconnection
This verifies that num_plinks is decremented properly if a peer mesh STA
reconnects without closing the link explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-06 21:25:52 +02:00
Srinivasa Duvvuri
9684c7567e mesh: Fix peer link counting when a mesh peer reconnects
When a mesh point reconnects by starting from Authentication frame
sequence, the plink count was not decremented from its last connection.
This resulted in leaking peer link count and causing wpa_supplicant to
reject the connection after max_peer_links (default: 99) reconnects.

This was reproduced by pre-configuring 2 mesh points with mesh
credentials. Boot both mesh points and make sure they connect to each
other. Then in a loop reboot one of the mesh points after it
successfully connects while leaving the other mesh point up and running.
After 99 iterations the supplicant on mesh point that is not rebooting
will reject the connection request from the other mesh point.

Fix this by decrementing num_plinks when freeing a STA entry that is
still in PLINK_ESTAB state.

Signed-off-by: Srinivasa Duvvuri <sduvvuri@chromium.org>
2016-02-06 21:22:29 +02:00
Avraham Stern
83fe38b011 P2P: Fall back to no VHT when starting AP/P2P GO
In cases where the bandwidth is not set when starting an AP/P2P GO,
the code tries to use 160 MHz or 80 MHz channels. As a result, the
AP/P2P GO configuration is set to use these channel widths even if
they are not available, which may results in failing to start the
AP/P2P GO.

Fix this by changing the AP/P2P GO configuration not to use VHT channels
when they are not available. In this case the AP/P2P GO will use a 40
MHz channel, if available, or a 20 MHz channel, if this is the maximum
available width.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2016-02-06 18:23:33 +02:00
Avraham Stern
360a9d5a8f P2P: Reduce off channel wait time for some P2P Action frames
Setting a long off channel wait time for P2P Action frames when
we know we are already on the right channel may cause a delay in
sending the Action frame (because the driver may not be able to
satisfy the request for long wait time until previous off channel
requests are over). This may be crucial for P2P response frames
that must be sent within 100 milliseconds of receiving the request.

Fix this by adjusting P2P Action frame wait times as follows:

 1. For GO Negotiation Response frame, shorten the wait time to 100 ms.
    This is reasonable because the peer has just sent us the GO
    Negotiation Request frame, so it is known to be on the right
    channel and is probably ready to send us the GO Negotiation
    Confirmation frame without delay.
 2. For GO Negotiation Confirmation, P2P Invitation Response, and
    Provision Discovery Response frames, there is no need for wait
    time at all as this is the last frame in the exchange. So set
    the wait time to 50 ms to ensure there is enough time to send the
    frame.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2016-02-06 18:19:03 +02:00
Jouni Malinen
1fc63fe299 RADIUS: Share a single function for generating session IDs
There is no need to maintain three copies of this functionality even if
it is currently implemented as a single function call.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-06 17:19:35 +02:00
Nick Lowe
2cbc6ffb3a RADIUS: Redesign Request Authenticator generation
Simplify and make properly random the generation of the Request
Authenticator.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:19:35 +02:00
Nick Lowe
b71a64aa01 Send an Acct-Multi-Session-Id attribute in Access-Request packets
Previously, this was included only in Accounting-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:13:21 +02:00
Nick Lowe
4260e1a1ff Add Acct-Session-Id to Accounting-On/Off
An Acct-Session-Id is required on Accounting-On and Accounting-Off forms
of Accounting-Request.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:11:01 +02:00
Nick Lowe
d72a00539c RADIUS: Use more likely unique accounting Acct-{,Multi-}Session-Id
Rework the Acct-Session-Id and Acct-Multi-Session-Id implementation to
give better global and temporal uniqueness. Previously, only 32-bits of
the Acct-Session-Id would contain random data, the other 32-bits would
be incremented. Previously, the Acct-Multi-Session-Id would not use
random data. Switch from two u32 variables to a single u64 for the
Acct-Session-Id and Acct-Multi-Session-Id. Do not increment, this serves
no legitimate purpose. Exclusively use os_get_random() to get quality
random numbers, do not use or mix in the time. Inherently take a
dependency on /dev/urandom working properly therefore. Remove the global
Acct-Session-Id and Acct-Multi-Session-Id values that serve no
legitimate purpose.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 17:10:19 +02:00
Jouni Malinen
d689317ddb EAPOL auth: Move radius_cui/identity freeing to eapol_auth_free()
These can get allocated within eapol_auth_alloc(), so it is more logical
to free them in eapol_auth_free() instead of ieee802_1x_free_station()
that ends up calling eapol_auth_free().

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-06 16:32:22 +02:00
Roshan Pius
0ae86f9043 wpa_supplicant: Fix couple of C++ compiler errors with header files
Need to include these headers in C++ files for adding a binder interface
to wpa_supplicant. So, fix the following C++ compiler errors in them:
1. Add explicit C-style casts in wpa_buf.h header.
2. Move the nested definition of wpa_driver_scan_ssid in driver.h
outside of wpa_driver_scan_params because it is used in another
structure below.

Signed-off-by: Roshan Pius <rpius@google.com>
2016-02-06 15:26:48 +02:00
Jouni Malinen
592790bf15 tests: Additional EAP-FAST PAC coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-06 13:23:42 +02:00
Nick Lowe
9b6177a891 Add Event-Timestamp to all Accounting-Request packets
Event-Timestamp should be sent for all Accounting-Request packets and
only after the system clock has a sane value, not where there's a value
close to the Unix time epoch.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-02-06 01:24:59 +02:00
Max Stepanov
d179089b6d GAS: Calculate response buffer length of ANQP elements
Calculate the required length needed for the extra ANQP elements added
to GAS response buffer instead of using fixed size and truncating the
response if there was not sufficient space.

Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
2016-02-06 01:19:32 +02:00
Jouni Malinen
31dd315382 tests: PKCS#12 with extra certs on the server
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-02-06 01:14:43 +02:00
Ayala Beker
dda091cf51 OpenSSL: Fix server side PKCS#12 processing with extra certificates
Fix a possible null pointer dereference in tls_parse_pkcs12() when
loading a PKCS#12 file for the server keys and the file includes extra
certificates.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-06 01:14:43 +02:00
Ayala Beker
443c8e18de OpenSSL: Fix possible null pointer dereference on an OCSP error path
Fix possible null pointer dereference in check_ocsp_resp() if an memory
allocation fails.

Signed-off-by: Ayala Beker <ayala.beker@intel.com>
2016-02-06 00:58:32 +02:00
Roy Marples
a3cc64f3d2 Remove -w support from wpa_supplicant README
wpa_supplicant dropped the -w option long long time ago..

Signed-off-by: Roy Marples <roy@marples.name>
2016-02-06 00:31:26 +02:00