Commit graph

4486 commits

Author SHA1 Message Date
Ilan Peer
9b05135aa4 P2P: Fix association with an AP/P2P GO that is not a P2P manager
Do not add a P2P IE when a station interface is trying to associate
to an AP or P2P GO that publishes a P2P IE but does not include
a P2P manageability attribute.

This addresses an interoperability issue that was reported in
https://bugzilla.kernel.org/show_bug.cgi?id=96471, where a P2P GO
rejects association from a station interface without a specified
reason.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2015-05-07 21:00:22 +03:00
Matthias May
8884ce03bc hostapd: check validity of cwMin/cwMax values
Signed-off-by: Matthias May <matthias.may@neratec.com>
2015-05-07 20:57:32 +03:00
Michael Braun
9649b5342d vlan: Print libnl error message on vlan_add / vlan_del
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-05-07 20:54:26 +03:00
Sunil Dutt
279724d835 Add QCA vendor subcmd for Link Property Query
Link Property query vendor command shall facilitate the information
of the Wi-Fi link. MAC address of the Wi-Fi peer is given as an input
for querying the link properties.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-05-07 18:53:23 +03:00
Jouni Malinen
58606fd987 EAP-pwd server: Make sure in_frag_pos is cleared to zero on allocation
The cleanup code will handle this, but it is more robust to make sure
this is cleared to zero when allocating a new buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
6aa5d95dab EAP-pwd peer: Make sure in_frag_pos is cleared to zero on allocation
The cleanup code will handle this, but it is more robust to make sure
this is cleared to zero when allocating a new buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
28a069a545 EAP-pwd peer: Fix asymmetric fragmentation behavior
The L (Length) and M (More) flags needs to be cleared before deciding
whether the locally generated response requires fragmentation. This
fixes an issue where these flags from the server could have been invalid
for the following message. In some cases, this could have resulted in
triggering the wpabuf security check that would terminate the process
due to invalid buffer allocation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
3035cc2894 EAP-pwd server: Fix Total-Length parsing for fragment reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
477c74395a EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
The remaining number of bytes in the message could be smaller than the
Total-Length field size, so the length needs to be explicitly checked
prior to reading the field and decrementing the len variable. This could
have resulted in the remaining length becoming negative and interpreted
as a huge positive integer.

In addition, check that there is no already started fragment in progress
before allocating a new buffer for reassembling fragments. This avoid a
potential memory leak when processing invalid message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
e28a58be26 EAP-pwd server: Fix payload length validation for Commit and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
dd2f043c9c EAP-pwd peer: Fix payload length validation for Commit and Confirm
The length of the received Commit and Confirm message payloads was not
checked before reading them. This could result in a buffer read
overflow when processing an invalid message.

Fix this by verifying that the payload is of expected length before
processing it. In addition, enforce correct state transition sequence to
make sure there is no unexpected behavior if receiving a Commit/Confirm
message before the previous exchanges have been completed.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
ef566a4d4f AP WMM: Fix integer underflow in WMM Action frame parser
The length of the WMM Action frame was not properly validated and the
length of the information elements (int left) could end up being
negative. This would result in reading significantly past the stack
buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
so, resulting in segmentation fault.

This can result in an invalid frame being used for a denial of service
attack (hostapd process killed) against an AP with a driver that uses
hostapd for management frame processing (e.g., all mac80211-based
drivers).

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
8640cf7f8f WPS: Add more debug prints to httpread
These can be helpful when debugging HTTP error cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
1bd0d578a9 WPS: Replace the httpread_debug design with standard debug prints
The debug information from httpread can be helpful in figuring out error
cases in general and as such, should be enabled by default. Get rid of
the hardcoded httpread_debug value that would require source code
changes to enable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
7da4f4b499 WPS: Check maximum HTTP body length earlier in the process
There is no need to continue processing a HTTP body when it becomes
clear that the end result would be over the maximum length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
af185d0b57 WPS: Extra validation step for HTTP reader
Verify that ncopy parameter to memcpy is not negative. While this is not
supposed to be needed, it is a good additional protection against
unknown implementation issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Jouni Malinen
5acd23f458 WPS: Fix HTTP chunked transfer encoding parser
strtoul() return value may end up overflowing the int h->chunk_size and
resulting in a negative value to be stored as the chunk_size. This could
result in the following memcpy operation using a very large length
argument which would result in a buffer overflow and segmentation fault.

This could have been used to cause a denial service by any device that
has been authorized for network access (either wireless or wired). This
would affect both the WPS UPnP functionality in a WPS AP (hostapd with
upnp_iface parameter set in the configuration) and WPS ER
(wpa_supplicant with WPS_ER_START control interface command used).

Validate the parsed chunk length value to avoid this. In addition to
rejecting negative values, we can also reject chunk size that would be
larger than the maximum configured body length.

Thanks to Kostya Kortchinsky of Google security team for discovering and
reporting this issue.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 18:26:50 +03:00
Maks Naumov
74d912f134 libtommath: Fix check mp_init_multi() result
If the mp_init_multi() call had failed due to memory allocation failure,
mp_div() would have returned 1 instead of MP_MEM (-2). It looks like all
callers are checking the return value against MP_OKAY instead of <1
(etc.), so this does not seem to result in difference in behavior.
Anyway, it's best to fix the mp_div() return value for the MP_MEM error
case to avoid unexpected behavior.

Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
2015-05-03 16:53:59 +03:00
Jouni Malinen
fd66aa63f4 Check Public Action length explicitly before reading Action Code
In theory, the previous version could have resulted in reading one byte
beyond the end of the management frame RX buffer if the local driver
were to deliver a truncated Public Action frame for processing. In
practice, this did not seem to happen with mac80211-based drivers and
even if it were, the extra octet would be an uninitialized value in a
buffer rather than read beyond the end of the buffer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:33:08 +03:00
Jouni Malinen
ff4a6d4382 EAP-SIM/AKA: Explicitly check for header to include Reserved field
This was previously checked as part of the eap_sim_parse_attr()
processing, but it is easier to review the code if there is an
additional explicit check for confirming that the Reserved field is
present since the pos variable is advanced beyond it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:33:03 +03:00
Jouni Malinen
f5ed40010c EAP-SAKE: Make attribute parser more readable
Clean up eap_sake_parse_add_attr() design by passing in pointer to the
payload of the attribute instead of parsing these separately for each
attribute within the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:50 +03:00
Jouni Malinen
0dfb7be470 EAP-SAKE: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:46 +03:00
Jouni Malinen
354e3f7959 TLS: Fix debug dump of X.509 certificate
The length of the extra data following the encoded certificate was
printed out in debug hexdump.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:40 +03:00
Jouni Malinen
87fcb5a735 EAP-PAX: Fix PAX_STD-1 and PAX_STD-3 payload length validation
The req_plen argument to eap_pax_process_std_1() and
eap_pax_process_std_3() could be smaller than sizeof(struct eap_pax_hdr)
since the main processing function was only verifying that there is
enough room for the ICV and then removed ICV length from the remaining
payload length.

In theory, this could have resulted in the size_t left parameter being
set to a negative value that would be interpreted as a huge positive
integer. That could then result in a small buffer read overflow and
process termination if MSGDUMP debug verbosity was in use.

In practice, it does not seem to be feasible to construct a short
message that would be able to pass the ICV validation (calculated using
HMAC-SHA1-128) even for the case where an empty password is used.
Anyway, the implementation should really check the length explicitly
instead of depending on implicit check through ICV validation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:36 +03:00
Jouni Malinen
c3c5615ee0 EAP-GPSK: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:28 +03:00
Jouni Malinen
d36c803c69 EAP-TLS/PEAP/TTLS/FAST: Move more towards using struct wpabuf
The EAP-TLS-based helper functions can easily use struct wpabuf in more
places, so continue cleanup in that direction by replacing separate
pointer and length arguments with a single struct wpabuf argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:23 +03:00
Jouni Malinen
8d9f3b8ed6 EAP-FAST: Do not use type cast to remove const specification
All the uses here are read only, so there is no need to type case the
const specification away.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:19 +03:00
Jouni Malinen
07f9034d14 EAP-FAST: Pass EAP identifier instead of full request
This simplifies analysis of areas that get access to unverified message
payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:10 +03:00
Jouni Malinen
f153e41bb2 EAP-EKE: Do not pass full request to eap_eke_build_fail()
This function is only using the Identifier field from the EAP request
header, so there is no need to pass it a pointer to the full message.
This makes it a bit easier to analyze the area that gets access to
unverified message payload.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:32:05 +03:00
Jouni Malinen
53f376c103 Fix a typo in function documentation
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-03 16:31:59 +03:00
Jouni Malinen
dea0d8ee29 RADIUS: Fix a copy-paste error in variable name
MS-MPPE-Recv-Key generation in radius_msg_add_mppe_keys() used incorrect
function argument (send_key_len; should be recv_key_len) when allocating
a temporary buffer. Fix this by using the correct argument.

The only caller of the function uses the same length for both
send_key_len and recv_key_len, so this copy-paste error did not result
in any difference in the behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-29 12:08:27 +03:00
Hamad Kadmany
01a025937c WPS: Add support for 60 GHz band
Handling of WPS RF band for 60 GHz was missing. Add it in all relevant
places and also map "AES" as the cipher to GCMP instead of CCMP when
operating on the 60 GHz band.

Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
2015-04-28 00:22:16 +03:00
Jouni Malinen
346517674a nl80211: Verify that cipher suite conversion succeeds
It was possible for the WPA_ALG_PMK algorithm in set_key() to result in
trying to configure a key with cipher suite 0. While this results in a
failure from cfg80211 or driver, this is not really desirable operation,
so add a check for cipher suite conversion result before issuing the
nl80211 command.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-27 16:49:06 +03:00
Jouni Malinen
4a7ce98469 Make IPv6 NA multicast-to-unicast conversion configurable
This can be used with Proxy ARP to allow multicast NAs to be forwarded
to associated STAs using link layer unicast delivery. This used to be
hardcoded to be enabled, but it is now disabled by default and can be
enabled with na_mcast_to_ucast=1. This functionality may not be desired
in all networks and most cases work without it, so the new
default-to-disabled is more appropriate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-27 12:30:09 +03:00
Michael Braun
a0ad9e8c9e Remove WPA per-VLAN groups when no more stations remain
Previously, struct wpa_group was created when the first station enters
the group and the struct wpa_group was not freed when all station left
the group. This causes a problem because wpa_group will enter
FATAL_FAILURE when a wpa_group is running while the AP_VLAN interface
has already been removed.

Fix this by adding a reference counter to struct wpa_group and free a
group if it is unused.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-26 16:56:22 +03:00
Jouni Malinen
87b5b53959 Make VLAN ID available in STA info over control interface
If hostapd has bound a STA into a specific VLAN, the new vlan_id
parameter in the control interface STA command can now be used to check
which VLAN ID is in use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-26 15:58:10 +03:00
Jouni Malinen
209214b479 vlan: Move CONFIG_FULL_DYNAMIC_VLAN includes to proper places
All the system header files are supposed to be included before any other
internal header file apart from utils/includes.h.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-26 13:36:55 +03:00
Jouni Malinen
a6da824b19 Do not use C++ reserved words as variable names
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-26 13:36:55 +03:00
Mikael Kanstrup
8b423edbd3 Declare all read only data structures as const
By analysing objdump output some read only structures were found in
.data section. To help compiler further optimize code declare these
as const.

Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
2015-04-25 17:33:06 +03:00
Mike Gerow
fd4fb28179 OpenSSL: Try to ensure we don't throw away the PIN unnecessarily
Now on an engine error we decode the error value and determine if the
issue is due to a true PIN error or not. If it is due to incorrrect PIN,
delete the PIN as usual, but if it isn't let the PIN be.

Signed-off-by: Mike Gerow <gerow@google.com>
2015-04-25 16:05:50 +03:00
Masashi Honma
fabc6dd8c4 mesh: Retransmit the last Commit Message in the Committed state
Previously, mesh state machine transmits updated Commit Message when
receiving a Confirm Message in Committed state. According to the
standard, it should (re)send the latest Commit Message previously sent.

IEEE Std 802.11-2012, 11.3.8.6.4 Protocol instance behavior - Committed
state:
"Upon receipt of a Con event, ... If Sync is not greater than
dot11RSNASAESync, the protocol instance shall increment Sync, transmit
the last Commit Message sent to the peer, and set the t0
(retransmission) timer."

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2015-04-25 15:36:41 +03:00
Michael Braun
068669fc92 vlan: Verify RADIUS returned VLAN-ID and dynamic_vlan=required
This extends dynamic_vlan=required checks to apply for WPA-PSK with
macaddr_acl=2 (RADIUS) case.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2015-04-25 10:28:19 +03:00
Jouni Malinen
8ea8a89cb4 nl80211: Extend unique MAC address assignment for station iftype
Previously, only P2P and mesh use cases enforced unique MAC address for
a dynamically added virtual interface. Extend this to cover normal
station mode interfaces since those can now be added with INTERFACE_ADD.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-24 01:22:14 +03:00
Jouni Malinen
ca68a8b561 WPS: Explicitly reject Public Key attribute with unexpected length
There is no need to try to derive DH shared key with a peer that tries
to use too short or too long DH Public Key. Previously, such cases ended
up implicitly getting rejected by the DH operations failing to produce
matching results. That is unnecessarily, so simply reject the message
completely if it does not have a Public Key with valid length. Accept
couple of octets shorter value to be used to avoid interoperability
issues if there are implementations that do not use zero-padding
properly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:12 +03:00
Jouni Malinen
6b94f71dcd WPS: Truncate variable length string attributes to maximum length
This enforces variable length strings Manufacturer, Model Name, Model
Number, and Serial Number to be within the maximum length defined in the
WSC specification. While none of the existing users for these within
hostapd/wpa_supplicant had problems with longer strings, it is good to
ensure the strings are not longer to avoid potential issues at higher
layer components.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:12 +03:00
Jouni Malinen
f4b64c603e Simplify VHT Operation element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:12 +03:00
Jouni Malinen
d6fefd64d2 Simplify HT Operation element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
40baac0e43 Simplify VHT Capabilities element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
baae4cb9b4 Simplify HT Capabilities element parsing
Check the element length in the parser and remove the length field from
struct ieee802_11_elems since the element is of fixed length.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00
Jouni Malinen
b39a05913a Simplify Timeout Interval element parsing
Remove the length field from struct ieee802_11_elems since the only
allowed element length is five and that is checked by the parser.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-04-22 22:05:11 +03:00