Avraham Stern [Tue, 10 Jun 2014 17:50:42 +0000 (20:50 +0300)]
tests: Autonomous GO random channel selection
Verify that a standalone GO selects a random channel from the social
channels in case no other preference is set.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:41 +0000 (20:50 +0300)]
tests: P2P GO negotiation when two peers force different freq
Verify that when trying to form a P2P group but each peer forces a
different frequency, the group formation fails.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:40 +0000 (20:50 +0300)]
tests: Frequency set as no GO
Verify that when setting frequency as no_go_freq and setting up
autonomous GO, the GO is instantiated on a different frequency, but
when forming a P2P group and becoming a client this frequency can be
used.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:39 +0000 (20:50 +0300)]
tests: GO with preferred channel and station on a disallowed channel
Verify that when setting up autonomous GO with configured preferred
channel and a station interface is connected on a channel that is
disallowed for P2P, the GO is instantiated on the preferred channel.
Requires MCC.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:37 +0000 (20:50 +0300)]
tests: Autonomous GO with preferred channel and station on another channel
Verify that when setting up an autonomous GO with configured preferred
channel and a station interface is on another channel, the GO is
instantiated on the same channel as the station interface and not on the
configured preferred channel.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:36 +0000 (20:50 +0300)]
tests: GO negotiation with forced freq different than station interface
Verify that when a station interface is on one frequency, and GO
negotiation is started in which both sides force a different frequency,
the P2P group is formed on the forced frequency (both as GO and client).
Requires MCC.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Haim Dreyfuss [Tue, 10 Jun 2014 17:50:35 +0000 (20:50 +0300)]
tests: Autonomous GO force different channel than station interface
After station interface is connected on a specific channel, create
autonomous GO with forced different channel.
Requires MCC.
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:34 +0000 (20:50 +0300)]
tests: GO negotiation with station interface on a P2P-disallowed channel
Verify that when P2P group is formed and a station interface is
connected on a channel that is disallowed for P2P, the group is formed
on a different channel than the BSS (both as GO and client).
Requires MCC.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:33 +0000 (20:50 +0300)]
tests: GO with station interface on a P2P-disallowed channel
Verify that when setting up an autonomous GO and station interface is
connected on a channel that is disallowed for P2P uses, the GO is
instantiated on a different channel than the station mode connection.
Requires MCC.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Avraham Stern [Tue, 10 Jun 2014 17:50:32 +0000 (20:50 +0300)]
tests: GO negotiation with station interface is connected
Verify that when station interface is connected and GO negotiation is
initiated, the P2P group is formed on the same channel as the station
connection.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Haim Dreyfuss [Tue, 10 Jun 2014 17:50:31 +0000 (20:50 +0300)]
tests: Autonomous GO channel selection following BSS
This test verifies that if a GO is instantiated after a connection of a
station interface, the chosen operating channel is that of the station
interface.
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Haim Dreyfuss [Tue, 10 Jun 2014 17:50:30 +0000 (20:50 +0300)]
tests: Add wpasupplicant get_mcc helper function
The function returns the number of concurrent channels supported by the
driver.
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Haim Dreyfuss [Tue, 10 Jun 2014 17:50:29 +0000 (20:50 +0300)]
tests: Add channels argument to run-all.sh and start.sh
Add an option to run-all.sh and start.sh to get as an argument the
number of concurrent channels that mac80211_hwsim will be loaded with.
To start mac80211_hwsim with more than one channel, the following
parameter should be added to command line: channels=<num_channels>
The default is one channel (no concurrent channels).
The driver should be loaded with multi channel support in order to run
some tests.
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Jouni Malinen [Sat, 14 Jun 2014 16:02:46 +0000 (19:02 +0300)]
Clean up EAPOL-Key Key Data processing
Use a single location in wpa_sm_rx_eapol() for preparing the pointer to
the Key Data field and to its validated length instead of fetching that
information in number of processing functions separately.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 14 Jun 2014 15:31:14 +0000 (18:31 +0300)]
Clean up EAPOL-Key processing
Re-order wpa_sm_rx_eapol() to first go through all EAPOL (802.1X) header
validation steps using the original message buffer and re-allocate and
copy the frame only if this is a valid EAPOL frame that contains an
EAPOL-Key. This makes the implementation easier to understand and saves
unnecessary memory allocations and copying should other types of EAPOL
frames get here.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 14 Jun 2014 14:27:12 +0000 (17:27 +0300)]
tests: EAP-EKE protocol test cases
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 14 Jun 2014 14:15:07 +0000 (17:15 +0300)]
EAP-EKE: Fix typos in debug message
These error messages had an incorrect frame name (likely copy-pasted
from the commit message handler) and couple of typos.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 22:29:42 +0000 (01:29 +0300)]
dbus: Check return value more consistently (CID 62841)
Most of these calls are checked to return success and there is no reason
why these wouldn't, so be more consistent. This addresses CID 62841,
CID 62840, CID 62839, CID 62838, CID 62837, CID 62836.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 22:24:06 +0000 (01:24 +0300)]
wext: Verify set_ssid results consistently (CID 62842)
Note in debug log if SSID clearing to stop pending cfg80211 association
attempts fail.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 22:20:18 +0000 (01:20 +0300)]
Note chmod() failure in debug log even in ignore case (CID 62843)
If this chmod() call fails, the global control interface is allowed to
be used since there was no change to its group. Anyway, it can be
helpful to note the error case in debug log instead of silently ignoring
it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 22:05:18 +0000 (01:05 +0300)]
WPS: Check wps_build_wfa_ext() return value consistently (CID 68104)
While this call cannot really fail, check the return value to be more
consistent with all the other wps_build_wfa_ext() calls.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 22:01:18 +0000 (01:01 +0300)]
EAP-MSCHAPv2: Check hash function results more consistently (CID 68105)
While the hash functions would be very unlikely to fail in practice,
they do have option of returning an error. Check that return value more
consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 21:20:04 +0000 (00:20 +0300)]
Fix validation of EAPOL-Key length with AES key wrap (CID 62859)
The additional eight octet field was removed from keydatalen without
proper validation of the Key Data Length field. It would have been
possible for an invalid EAPOL-Key frame to be processed in a way that
ends up reading beyond the buffer. In theory, this could have also
resulted in writing beyond the EAPOL-Key frame buffer, but that is
unlikely to be feasible due to the AES key wrap validation step on
arbitrary memory contents.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 13:03:45 +0000 (16:03 +0300)]
EAP-TNC: Limit maximum message buffer to 75000 bytes (CID 62873)
Since there is a limit on the EAP exchange due to maximum number of
roundtrips, there is no point in allowing excessively large buffers to
be allocated based on what the peer device claims the total message to
be. Instead, reject the message if it would not be possible to receive
it in full anyway.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 12:29:48 +0000 (15:29 +0300)]
tests: Validate parsing and rejection of invalid WFD subelement
This is a regression test for wifi_display_subelem_hex() bounds checking
issue.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 13 Jun 2014 12:25:39 +0000 (15:25 +0300)]
P2P: Fix wfd_dev_info parsing for P2P-DEVICE-FOUND (CID 68127)
Commit
b125c48fce823f28d22ebd68297c5b94366c6aa1 ('P2P: Add wfd_dev_info=
field for device found event') added Wi-Fi Display device info to the
P2P-DEVICE-FOUND events. However, it did not include proper bounds
checking in wifi_display_subelem_hex() and could accept subelements with
invalid length field values. This could result in buffer read overflow
of up to 64 kB and inclusion of heap memory in the local control
interface event and/or process crash due to invalid memory access. Fix
this by checking the validity of the length field before writing a
hexdump of the data.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 21:48:21 +0000 (00:48 +0300)]
dbus: Clean up P2P group vendor ext getter
The vendor_ext[i] = NULL setting did not make any sense since
num_vendor_ext should have been used to index the vendor_ext array. The
old code did not do any harm since i >= num_vendor_ext and none of the
already set entries could have been cleared. Anyway, better clean this
by making it skip the setting to NULL similarly to what was already done
in the P2P peer vendor ext getter.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 21:36:42 +0000 (00:36 +0300)]
HS 2.0R2: Fix OSEN IE parsing for in cipher setup (CID 68132)
The OSEN code path hardcodes number of struct wpa_ie_data items.
However, it did not clear the full structure and some uninitialized
fields could have been used (e.g., ie.mgmt_group_cipher for a debug
print and ie.capabilities for checking MFPC). Fix this by clearing the
ie data before filling in the hardcoded OSEN values.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 20:33:33 +0000 (23:33 +0300)]
WNM: Use cleaner way of generating pointer to a field (CID 68100)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 19:36:02 +0000 (22:36 +0300)]
WNM: Use cleaner way of generating pointer to a field (CID 68099)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 19:10:43 +0000 (22:10 +0300)]
GAS server: Fix request frame length validation (CID 68098)
There seemed to be an off-by-one error in the validation of GAS request
frames. If a Public Action frame without the Action code field would
have reached this function, the length could have been passed as
(size_t) -1 which would likely have resulted in a crash due to reading
beyond the buffer. However, it looks like such frame would not be
delivered to hostapd at least with mac80211-based drivers. Anyway, this
function better be more careful with length validation should some other
driver end up reporting invalid Action frames.
In addition, the Action code field is in a fixed location, so the
IEEE80211_HDRLEN can be used here to clean up bounds checking to avoid
false reports from static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 19:09:05 +0000 (22:09 +0300)]
tests: Truncated GAS query request
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 18:46:30 +0000 (21:46 +0300)]
HT: Use cleaner way of generating pointer to a field (CID 68097)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 17:18:15 +0000 (20:18 +0300)]
P2P: Use cleaner way of generating pointer to a field (CID 68096)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 17:13:50 +0000 (20:13 +0300)]
P2P: Use cleaner way of generating pointer to a field (CID 68095)
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 17:08:00 +0000 (20:08 +0300)]
dbus: Add explicit break statements to switch-default
There were couple of missing breaks in switch-default (before/after).
While these did not have any noticeable issues due to falling over to
the next step that just exited from the switch statement, it is cleaner
and more robust to have each case use an explicit break.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 17:02:00 +0000 (20:02 +0300)]
dbus: Initialize temporary entry properly (CID 62877)
The tmpentry variable was not initialized and
_wpa_dbus_dict_entry_get_byte_array() does not set tmpentry.type, so it
would have been possible for the error path to end up trying to free
unexpected type of an entry or not free the memory at all.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 16:42:50 +0000 (19:42 +0300)]
Use clearer way of getting pointer to a frame (CID 62835)
This avoids an incorrect ARRAY_VS_SINGLETON report for a case where a
pointer is taken to the specified field in a frame and not to a single
octet. Bounds checking was already handled separately.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 15:42:29 +0000 (18:42 +0300)]
WPS: Clean up indentation level (CID 68109)
The implementation here was doing what it was supposed to, but the code
was indented in a way that made it quite confusing in the context of a
single line if statement body.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 15:38:31 +0000 (18:38 +0300)]
Fix HS20_GET_NAI_HOME_REALM_LIST hex length check (CID 68108)
Due to an incorrect operation (MOD vs. AND), the code that was supposed
to return an error if the hex string has odd length was not really
reporting any failures. Instead of reporting an error, the invalid
control interface command would have been truncated. This is not an
issue in practice, but better fix the implementation anyway.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 14:36:56 +0000 (17:36 +0300)]
dbus: Avoid theoretical memory leaks with duplicated dict entries
If a dict would include duplicated items, the parsing code here would
have leaked memory by overwriting old os_strdup() result with the new
one. Fix this by explicitly freeing the previous entry. This addresses
CID 62852, CID 62851, CID 62850, CID 62849, CID 62847, CID 62846.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 12 Jun 2014 14:26:58 +0000 (17:26 +0300)]
dbus: Fix a potential double-free in on error path (CID 62880)
It would have been at least theoretically possible to hit the first
error in the loop and end up jumping to error handling which would call
os_free(value) without the value having been cleared after the os_free()
call at the end of the previous loop iteration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Philippe De Swert [Tue, 27 May 2014 10:42:39 +0000 (13:42 +0300)]
TNC: Fix minor memory leak (CID 62848)
In tncc_read_config(), the memory allocted for the config
did not get freed if an error occured.
Signed-off-by: Philippe De Swert <philippe.deswert@jollamobile.com>
Jouni Malinen [Thu, 12 Jun 2014 07:56:06 +0000 (10:56 +0300)]
GAS: Limit TX wait time based on driver maximum value
The GAS query TX operation used a fixed wait time of 1000 ms for the
reply. However, it would be possible for the driver to not support this
long remain-on-channel maximum. Limit this wait time based on driver
support, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 12 Jun 2014 07:49:19 +0000 (10:49 +0300)]
P2P: Fix SD and DevDisc to limit maximum wait time per driver support
The driver may reject offchannel TX operation if the requested wait time
is longer than what the driver indicates as the maximum
remain-on-channel time. Two of the P2P action frame cases used long
enough wait times (1000 ms for DevDisc and 5000 ms for SD) that could go
beyond the limit with some drivers. Fix these to limit the maximum wait
to what the driver indicates as supported.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 11 Jun 2014 22:00:56 +0000 (01:00 +0300)]
tests: EAP-GPSK protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 11 Jun 2014 18:23:54 +0000 (21:23 +0300)]
tests: EAP-OTP protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 29 Mar 2014 08:56:43 +0000 (10:56 +0200)]
tests: cfg80211 offchannel TX vs. operating channel
This test case shows an example case where an uncancelled offchannel TX
frame command seems to end up getting following CMD_FRAME TX operations
transmitting on incorrect channel.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 10 Jun 2014 21:54:45 +0000 (00:54 +0300)]
tests: EAP-MD5 protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 10 Jun 2014 21:46:38 +0000 (00:46 +0300)]
tests: EAP-LEAP protocol tests
Signed-off-by: Jouni Malinen <j@w1.fi>
Nirav Shah [Mon, 9 Jun 2014 16:43:26 +0000 (19:43 +0300)]
P2P: Make the default p2p_find delay value configurable
This makes the p2p_find default delay value configurable as
p2p_search_delay parameter through the configuration file (and through
control interface "SET p2p_search_delay <value>" on the P2P management
interface.
This parameter controls the number milliseconds of extra delay that is
added between search iterations when there is a concurrent operation in
progress. This can be used, e.g., p2p_search_delay=100 to make p2p_find
friendlier to concurrent operations by avoiding it from taking 100% of
the radio resources. The default value is the previous default, i.e.,
500 ms. Smaller values can be used to find peers more quickly at the
cost of larger effect to concurrent operations while a larger value
leaves more time for the concurrent operations at the cost of making
device discovery take longer time.
The optional p2p_find delay argument can still be used to override the
search delay for each search operation.
Since the P2P_CONCURRENT_SEARCH_DELAY macro is not used anymore, the
driver specific build parameter for bcmdhd from Android.mk is also
removed. Similar configuration can now be achieved with
p2p_search_delay=0 in the p2p0 interface configuration file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ashok Kumar Ponnaiah [Mon, 9 Jun 2014 16:19:30 +0000 (19:19 +0300)]
atheros: Add support for new GCMP/CCMP/CMAC/GMAC cipher suites
Extend the set of supported cipher suites to include CCMP-256, GCMP,
GCMP-256, CMAC-256, GMAC, and GMAC-256 when ATH_GCM_SUPPORT=y is set in
the build configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Sun, 8 Jun 2014 20:10:02 +0000 (23:10 +0300)]
tests: Framework for EAP peer protocol tests
This introduces a minimal RADIUS authentication server using pyrad to
allow simple EAP handler functions to be used for writing protocol tests
for EAP peer methods. This initial commit includes test cases for
EAP-SAKE.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 8 Jun 2014 15:17:08 +0000 (18:17 +0300)]
tests: Extend RADIUS protocol testing coverage
Test RADIUS client behavior with various invalid Access-Accept messages.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 8 Jun 2014 09:28:36 +0000 (12:28 +0300)]
EAP-IKEv2: Remove obsolete ccns.pl project workarounds
It does not look like there is going to be any additional use for this
old build option that could be used to build the EAP-IKEv2 peer
implementation in a way that interoperates with the eap-ikev2.ccns.pl
project. Remove the workarounds that matches incorrect implementation in
that project to clean up implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 16:26:41 +0000 (19:26 +0300)]
eap_proxy: Check sm != NULL more consistently
While it does not look like that eapol_sm_get_key() would ever be called
with sm == NULL, the current implementation is inconsistent on whether
that is allowed or not. Check sm != NULL consistently to avoid warnings
from static analyzers.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 16:21:48 +0000 (19:21 +0300)]
TDLS: Add extra validation step for responder RSN IE length
The following kde.rsn_ie_len != peer->rsnie_i_len was already taking
care of enforcing the length to be within the target buffer length.
Anyway, this explicit check makes this clearer and matches the design in
TPK M1 processing.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 16:15:50 +0000 (19:15 +0300)]
Check for EVENT_ASSOC data to be present for AP mode operation
wpa_supplicant_event() is required to include the event data for AP mode
events. In theory, a non-AP mode event could be sent here from the
driver wrapper, so reject such event.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 16:05:33 +0000 (19:05 +0300)]
GAS server: Explicitly check that home realm is available
This makes the code easier to understand for static analyzers to avoid
false reports.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 16:04:17 +0000 (19:04 +0300)]
GAS server: Remove unused function parameter
This parameter was not used at all, so just remove the argument instead
of passing NULL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 14:39:51 +0000 (17:39 +0300)]
WPS: Check for theoretical gmtime() failure
In theory, gmtime() could return NULL if the year value would not fit
into an integer. However, that cannot really happen with the current
time() value in practice. Anyway, clean up static analyzer reports by
checking for this corner case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 14:35:22 +0000 (17:35 +0300)]
WPS ER: Fix UDN parser to handle missing field
Must check that UDN was present before trying to parse it. Avoid a NULL
pointer dereference by checking the result before using os_strstr() when
parsing device description from an AP.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 13:33:28 +0000 (16:33 +0300)]
Validate driver extended capabilities length against buffer length
Prepare for new extended capabilities bits by checking that the local
buffer is large enough to contain all the bits the driver requests. The
existing buffers are large enough to include anything defined until now,
but it would be possible to add more definitions in the future, so
increase them a bit as well to make this more future proof.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 13:18:30 +0000 (16:18 +0300)]
Interworking: Reject EAP configuration with unsupported inner method
Instead of allowing the connection attempt to occur with an unsupported
inner method, check for that explicitly at the time the network block is
added and drop the network if the identified inner method is not
supported.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 12:42:07 +0000 (15:42 +0300)]
Check eap_get_name() return against NULL to silence static analyzer
This cannot really be NULL in practice since cred->eap_method would
point to a valid EAP method. Anyway, to avoid false positive from
analyzers, check the pointer explicitly before printing it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 12:37:31 +0000 (15:37 +0300)]
Make a code path easier for static analyzers to understand
prev cannot be NULL here in the hostapd_eid_country_add() call since
prev is set whenever start becomes non-NULL. That seems to be a bit too
difficult for some static analyzers, so check the prev pointer
explicitly to avoid false warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 10:35:03 +0000 (13:35 +0300)]
tests: Verify behavior on unexpected association event
This verifies association event processing in case the association was
not requested by wpa_supplicant.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 7 Jun 2014 10:32:13 +0000 (13:32 +0300)]
Check current_ssid on unexpected association event
This is mainly to keep static analyzers silent since it does not look
like this code path can be reached in practice due to the way
association events are handled and current_ssid is either set before
resched here or the association is rejected. Anyway, if this could be
reached, the wpa_supplicant_set_wpa_none_key() call would end up
dereferencing a NULL pointer, so add an explicit check to make sure that
does not happen.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 5 Jun 2014 17:43:00 +0000 (20:43 +0300)]
Update OpenSSL 0.9.8 patch for EAP-FAST support
The 0.9.9 branch was for development purposes only, so no one should be
using that in production and there is not much point in maintaining the
obsolete patch here either. Similarly, the old 0.9.8 versions are
obsolete at this point in time and taken into account the recent OpenSSL
vulnerabilities, anything older than 0.9.8za should not really be used.
Prepare an updated version of the TLS session ticket patch based on the
current OpenSSL 0.9.8za release and remove all the older TLS extension
patches.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 5 Jun 2014 13:55:48 +0000 (16:55 +0300)]
Reserve QCA vendor specific nl80211 commands 20..33
These are reserved for QCA use.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Amar Singhal [Tue, 3 Jun 2014 18:52:31 +0000 (11:52 -0700)]
nl80211: Add vendor attribute for interface index
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 4 Jun 2014 21:51:02 +0000 (00:51 +0300)]
The master branch is now used for v2.3 development
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 4 Jun 2014 13:26:14 +0000 (16:26 +0300)]
Include CONTRIBUTIONS file in the release tarballs
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 4 Jun 2014 13:09:59 +0000 (16:09 +0300)]
Change version information for the 2.2 release
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 3 Jun 2014 09:45:01 +0000 (12:45 +0300)]
ChangeLog entries for v2.2
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 3 Jun 2014 12:35:01 +0000 (15:35 +0300)]
Fix offchannel TX not to retransmit pending frame on callback
If the offchannel TX frame command was offloaded to the driver in
offchannel_send_action(), we must not send another copy of the frame if
a remain-on-channel event happens to be delivered between this TX
command and the matching TX status event. It was possible for the
duplicated frame to cause problems, e.g., with P2P invitation exchange
if the same Invitation Request frame got sent twice and only the first
one getting accepted by the peer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Darshan Paranji Sri [Tue, 3 Jun 2014 09:48:05 +0000 (12:48 +0300)]
Add rsn_pairwise bits to set_ieee8021x() driver_ops
This fixes an issue where a driver using the deprecated set_ieee8021x()
callback did not include rsn_pairwise bits in the driver configuration
even if mixed WPA+WPA2 configuration was used. This could result, e.g.,
in CCMP not being enabled properly when wpa_pairwise=TKIP and
rsn_pairwise=CCMP was used in the configuration. Fix this by using
bitwise OR of the wpa_pairwise and rsn_pairwise values to allow the
driver to enable all pairwise ciphers.
In addition, make the newer set_ap() driver_ops use the same bitwise OR
design instead of picking between rsn_pairwise and wpa_pairwise. This
makes the code paths consistent and can also fix issues with mixed mode
configuration with set_ap().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 2 Jun 2014 13:21:29 +0000 (16:21 +0300)]
tests: Non-ASCII EAP user identity
This is a regression test for printf_encode() bounds checking issues
that can now be caught under valgrind.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 2 Jun 2014 12:50:31 +0000 (15:50 +0300)]
RADIUS/EAP server: Use longer username buffer to avoid truncation
If the peer provides a username with large part of it being non-ASCII
characters, the previously used buffers may not have been long enough to
include the full string in debug logs and database search due to forced
truncation of the string by printf_encode(). Avoid this by increasing
the buffer sizes to fit in the maximum result.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 2 Jun 2014 12:49:54 +0000 (15:49 +0300)]
tests: printf_encode unit test for bounds checking
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Stuart Henderson [Mon, 2 Jun 2014 12:53:23 +0000 (15:53 +0300)]
Fix off-by-one bounds checking in printf_encode()
The off-by-one error in printf_encode() bounds checking could have
allowed buffer overflow with 0x00 being written to the memory position
following the last octet of the target buffer. Since this output is used
as \0-terminated string, the following operation would likely read past
the buffer as well. Either of these operations can result in the process
dying either due to buffer overflow protection or by a read from
unallowed address.
This has been seen to cause wpa_supplicant crash on OpenBSD when control
interface client attaches (debug print shows the client socket address).
Similarly, it may be possible to trigger the issue in RADIUS/EAP server
implementation within hostapd with a suitable constructed user name.
Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Ashok Kumar Ponnaiah [Mon, 2 Jun 2014 14:03:33 +0000 (17:03 +0300)]
Fix validation of RSN EAPOL-Key version for GCMP with PMF
If PMF was enabled, the validation step for EAPOL-Key descriptor version
ended up rejecting the message if GCMP had been negotiated as the
pairwise cipher. Fix this by making the GCMP check skipped similarly to
the CCMP case if a SHA256-based AKM is used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 2 Jun 2014 13:20:08 +0000 (16:20 +0300)]
tests: Run hostapd-AS under valgrind if requested
Previously, only hostapd-AP and wpa_supplicant processed were run under
valgrind when valgrind testing was enabled. Extend this to include
hostapd as authentication server.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Sun, 1 Jun 2014 21:26:23 +0000 (00:26 +0300)]
tests: cfg80211 scan-for-auth workaround
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 20:20:36 +0000 (23:20 +0300)]
tests: nl80211 connect command and AP disconnecting the STA
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 20:03:14 +0000 (23:03 +0300)]
tests: nl80211 connect command and association reject event
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 19:47:44 +0000 (22:47 +0300)]
tests: Remove CONFIG_DRIVER_TEST=y from example config
This was still present in hostapd example configuration even though the
test driver wrapper is not used anywhere in the hwsim testing and there
are no plans of using it either.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 13:17:33 +0000 (16:17 +0300)]
tests: rfkill test cases
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 12:48:48 +0000 (15:48 +0300)]
tests: FT roams multiple times
This extends testing coverage by running FT-over-air and FT-over-DS
tests for hundred roams.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 09:25:48 +0000 (12:25 +0300)]
tests: FT and GTK rekeying
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 09:24:49 +0000 (12:24 +0300)]
FT: Fix GTK rekeying after FT protocol
Move to PTKINITDONE state and mark PTK valid after successful completion
of FT protocol. This allows the AP/Authenticator to start GTK rekeying
when FT protocol is used. Previously, the station using FT protocol did
not get the new GTK which would break delivery of group addressed
frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 08:59:23 +0000 (11:59 +0300)]
tests: GTK rekeying
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 1 Jun 2014 08:47:37 +0000 (11:47 +0300)]
tests: PTK rekey enforced by AP
These are similar to the existing test cases where PTK rekey was
triggered by the station, but here a timer on the AP is used as the
trigger.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jithu Jance [Fri, 23 May 2014 05:51:07 +0000 (11:21 +0530)]
nl80211: Work around error case prints for nl_recvmsgs on Android
I got the below prints on a particular Android platform:
I/wpa_supplicant( 2637): nl80211: send_and_recv->nl_recvmsgs failed: 20
I/wpa_supplicant( 2637): nl80211: send_and_recv->nl_recvmsgs failed: 20
In JellyBean libnl_2 code, I see that the nl_recvmsgs returns postive values
too. In some cases, nl_recvmgs return the output of nl_recv function. nl_recv
function can return Number of bytes read, 0 or a negative error code.
Looks like this positive return value for nl_recvmsgs may be specific to
Android. While this is not how the API is supposed to work, this does no
harm with upstream libnl which returns only 0 or -1 from the function.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
Jouni Malinen [Sat, 31 May 2014 21:52:03 +0000 (00:52 +0300)]
tests: Initial mechanism for RADIUS protocol testing
This brings in a minimal pyrad-based RADIUS server to allow various
protocol tests to be run. For now, the server is not adding
Message-Authenticator, so that error case is checked. Additional tests
can be added in the future.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 31 May 2014 21:02:15 +0000 (00:02 +0300)]
tests: RADIUS interim accounting with unreachable server
This adds coverage for radius_client_list_del() loop that deletes
pending messages related to the specific STA.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 31 May 2014 20:10:33 +0000 (23:10 +0300)]
P2P NFC: Fix use of freed memory
The dev_found() callback from NFC connection handover message processing
ended up using the p2p_dev_addr pointer that points to the parsed
message. However, that parsed data was freed just before the call. Fix
this by reordering the calls.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 31 May 2014 19:58:51 +0000 (22:58 +0300)]
Fix external radio work stopping to not read freed memory
The dynamically allocated struct wpa_external_work contains the name of
the radio work in the type field and this is used in a debug print
within radio_work_done(). Re-order radio_work_done() and os_free() calls
on couple of paths where the memory was freed before that final user of
the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 31 May 2014 19:24:31 +0000 (22:24 +0300)]
SAE: Fix memory leak in random number generation
If the randomly generated bignum does not meet the validation steps, the
iteration loop in sae_get_rand() did not free the data properly. Fix the
memory leak by freeing the temporary bignum before starting the next
attempt at generating the value.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 31 May 2014 14:15:41 +0000 (17:15 +0300)]
tests: Verify double DISABLE on hostapd with multi-BSS configuration
This used to result in a segmentation fault due to use of freed memory
(mismatch in pointer lifetime between hostapd.c and driver_nl80211.c).
Signed-off-by: Jouni Malinen <j@w1.fi>