path: root/src/wps

Commit message | Author | Age | Files | Lines
* Share a single str_starts() implementation
  Jouni Malinen, 2016-08-06, 1 file, -6/+0
  No need to define this as a static function in multiple files.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Declare module test functions in a header file
  Jouni Malinen, 2016-06-23, 1 file, -0/+1
  This gets rid of a number of warnings from sparse.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* tests: Mark some module test arrays static
  Jouni Malinen, 2016-06-23, 1 file, -1/+1
  These are not used outside the source code file.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Check sha256_vector() result in wps_build_oob_dev_pw()
  Jouni Malinen, 2016-05-16, 1 file, -1/+2
  This gets rid of a valgrind warning on uninitialized memory read in the wpas_ctrl_error test case where the result was used after the failed sha256_vector() call.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Fix debug prints in wps_derive_psk() error case
  Jouni Malinen, 2016-05-16, 4 files, -11/+16
  Check for hmac_sha256() failures and exit from wps_derive_psk() without printing out the derived keys if anything fails. This removes a valgrind warning on uninitialized value when running the ap_wps_m3_oom test case.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Fix segmentation fault in new DH key derivation
  Rujun Wang, 2016-05-13, 1 file, -1/+1
  Commit 4104267e81b0a0acdb43f693a67f236b3237a719 ('Fix memory leak on NFC DH generation error path') modified dh5_init() behavior in the non-OpenSSL implementation to free the public key (if any was previously set). However, this did not update one of the callers to make sure the publ argument in the call is initialized. This could result in trying to free an invalid pointer and a segmentation fault when hostapd or wpa_supplicant was built against some other crypto library than OpenSSL.
  Signed-off-by: Rujun Wang <chinawrj@gmail.com>

* WPS: Reject a Credential with invalid passphrase
  Jouni Malinen, 2016-05-02, 1 file, -0/+10
  WPA/WPA2-Personal passphrase is not allowed to include control characters. Reject a Credential received from a WPS Registrar both as STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or WPA2PSK authentication type and includes an invalid passphrase. This fixes an issue where hostapd or wpa_supplicant could have updated the configuration file PSK/passphrase parameter with arbitrary data from an external device (Registrar) that may not be fully trusted. Should such data include a newline character, the resulting configuration file could become invalid and fail to be parsed.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Explicitly clear wpabuf memory with key information
  Jouni Malinen, 2016-04-28, 5 files, -48/+48
  This reduces the duration that private keying material might remain in the process memory by clearing wpabuf data used in WPS operations when there is a possibility of the buffer including keys or related material.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Use only os_get_random() for PIN generation
  Nick Lowe, 2016-02-19, 2 files, -8/+6
  Remove the fallback dependency on os_random() when generating a WPS pin. This is exceptionally unlikely to ever be called as the call to os_get_random() is unlikely to fail. The intention is to facilitate future removal of os_random() as it uses a low quality PRNG.
  Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
* WPS: Testing mechanism to force auth/encr type flags
  Jouni Malinen, 2016-01-01, 3 files, -3/+29
  The new wps_force_{auth,encr}_types parameters can be used in test build (CONFIG_WPS_TESTING) to force wpa_supplicant to use the specified value in the Authentication/Encryption Type flags attribute. This can be used to test AP behavior on various error cases for which there are workarounds to cover deployed device behavior.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Add a workaround for WPA2PSK missing from Enrollee auth flags
  Jouni Malinen, 2016-01-01, 1 file, -0/+17
  Some deployed implementations seem to advertise incorrect information in this attribute. A value of 0x1b (WPA2 + WPA + WPAPSK + OPEN, but no WPA2PSK) has been reported to be used. Add WPA2PSK to the list to avoid issues with building Credentials that do not use the strongest actually supported authentication option (that device does support WPA2PSK even when it does not claim it here).
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Do not build Credential with unsupported encr combination on AP
  Jouni Malinen, 2016-01-01, 2 files, -2/+23
  It was possible for the Registrar code to generate a Credential with auth type WPAPSK (i.e., WPA v1) with encr type AES if the Enrollee claimed support for WPAPSK and not WPA2PSK while the AP was configured in mixed mode WPAPSK+WPA2PSK regardless of how wpa_pairwise (vs. rsn_pairwise) was set since encr type was selected from the union of wpa_pairwise and rsn_pairwise. This could result in the Enrollee receiving a Credential that it could then not use with the AP. Fix this by masking the encryption types separately on AP based on the wpa_pairwise/rsn_pairwise configuration. In the example case described above, the Credential would get auth=WPAPSK encr=TKIP instead of auth=WPAPSK encr=AES.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Support parallel UPnP WPS protocol runs
  Jouni Malinen, 2015-11-30, 4 files, -12/+90
  This allows multiple external registrars to execute a WPS protocol run with a WPS AP over UPnP. Previously, hostapd supported only a single WPS peer entry at a time and if multiple ERs tried to go through a WPS protocol instance concurrently, only one such exchange could succeed.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Avoid undefined behavior in pointer arithmetic
  Jouni Malinen, 2015-10-18, 1 file, -2/+2
  Reorder terms in a way that no invalid pointers are generated with pos+len operations. end-pos is always defined (with a valid pos pointer) while pos+len could end up pointing beyond the end pointer which would be undefined behavior.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Mark web_connection_parse_get() argument filename const
  Jouni Malinen, 2015-10-03, 1 file, -1/+2
  All the other web_connection_parse_*() functions were already doing this, so make the GET handler consistent as well.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Reduce struct wps_parse_attr size
  Jouni Malinen, 2015-09-07, 3 files, -22/+26
  Use shorter variables for storing the attribute lengths and group these variables together to allow the compiler to pack them more efficiently. This reduces the struct size from 960 bytes to 760 bytes in 64-bit builds. This reduces stack use in a number of functions.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Reduce wps_ap_priority_compar() stack use
  Jouni Malinen, 2015-09-07, 1 file, -6/+6
  There is no need to maintain two concurrent instances of struct wps_parse_attr in this function. Share a single structure for parsing both IEs.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS ER: Clean up WPS session on PutMessage error cases
  Jouni Malinen, 2015-09-07, 1 file, -7/+20
  This is needed to allow a new operation to be started after an error without having to wait for the AP entry to time out.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Allow config_methods to be cleared with an empty string
  Jouni Malinen, 2015-09-05, 1 file, -1/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Merge identical error paths in ssdp_listener_open()
  Jouni Malinen, 2015-09-05, 1 file, -8/+5
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Remove trailing CR from subscription callback URLs
  Jouni Malinen, 2015-08-31, 1 file, -0/+2
  This cleans up the debug log a bit.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Print subscription UUID in debug log in more places
  Jouni Malinen, 2015-08-31, 2 files, -5/+15
  This makes it easier to debug subscription issues.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Clean up next_advertisement() error path
  Jouni Malinen, 2015-08-31, 1 file, -5/+1
  No need to have a common failure handler if it is used from only a single location and that location does not even need the memory freeing step.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Merge event_send_start() error paths
  Jouni Malinen, 2015-08-31, 1 file, -5/+3
  There is no need to keep these separate.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Merge SetSelectedRegistrar parsing error returns
  Jouni Malinen, 2015-08-31, 1 file, -4/+2
  There is no need to maintain two error paths for this.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Use a shared error path in http_client_addr()
  Jouni Malinen, 2015-08-29, 1 file, -18/+12
  This simplifies error processing by removing duplicated cleanup steps.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Clean up http_client_tx_ready()
  Jouni Malinen, 2015-08-29, 1 file, -6/+6
  Calculate the send() buffer length only once to make this a bit more readable.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Remove duplicated isgraph() loop in HTTP header parsing
  Jouni Malinen, 2015-08-28, 1 file, -2/+0
  The hbp pointer is moved to the next space already earlier in this code path, so the while loop here did not really do anything.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Merge common error paths in HTTP server
  Jouni Malinen, 2015-08-28, 1 file, -5/+3
  There is no need to maintain three separate "goto fail" cases.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Fix HTTP body length check
  Jouni Malinen, 2015-08-24, 1 file, -3/+6
  Commit 7da4f4b4991c85f1122a4591d8a4b7dd3bd12b4e ('WPS: Check maximum HTTP body length earlier in the process') added a too strict check for body length allocation. The comparison of new_alloc_nbytes against h->max_bytes did not take into account that HTTPREAD_BODYBUF_DELTA was added to the previous allocation even if that ended up going beyond h->max_bytes. This ended up rejecting some valid HTTP operations, e.g., when checking AP response to WPS ER setting selected registrar. Fix this by taking HTTPREAD_BODYBUF_DELTA into account.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS ER: Fix SSDP CACHE-CONTROL line parser
  Jouni Malinen, 2015-08-15, 1 file, -3/+1
  An incorrect number of bytes was skipped from the beginning of the line which resulted in the loop skipping spaces doing nothing. However, the following operation was simply looking for the max-age parameter with os_strstr(), so this did not have any effect on functionality. Fix the number of bytes to skip and remove the unneeded loop to skip spaces.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Reject AP settings with invalid network key (PSK/passphrase)
  Jouni Malinen, 2015-08-06, 1 file, -2/+3
  This is similar to the earlier commit b363121a208e3d18fe80682430a5f50cefaa3595 ('WPS: Reject invalid credential more cleanly'), but for the AP cases where AP settings are being replaced. Previously, the new settings were taken into use even if the invalid PSK/passphrase had to be removed. Now, the settings are rejected with such an invalid configuration.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Avoid bogus static analyzer warning in ndef_parse_record()
  Jouni Malinen, 2015-07-17, 1 file, -3/+5
  Use a local variable and check the record payload length validity before writing it into record->payload_length in hopes of getting rid of a bogus static analyzer warning. The negative return value was sufficient to avoid record->payload_length being used, but that seems to be too complex for some analyzers. (CID 122668)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* NFC: Add a hardcoded limit on maximum NDEF payload length
  Jouni Malinen, 2015-07-08, 1 file, -1/+2
  While this is already enforced in practice due to the limits on the maximum control interface command length and total_length bounds checking here, this explicit check on the payload_length value may help static analyzers understand the code better. (CID 122668)
  Signed-off-by: Jouni Malinen <j@w1.fi>

* NFC: Fix payload length validation in NDEF record parser
  Jouni Malinen, 2015-07-08, 1 file, -1/+4
  It was possible for the 32-bit record->total_length value to end up wrapping around due to integer overflow if the longer form of payload length field is used and record->payload_length gets a value close to 2^32. This could result in ndef_parse_record() accepting a too large payload length value and the record type filter reading up to about 20 bytes beyond the end of the buffer and potentially killing the process. This could also result in an attempt to allocate close to 2^32 bytes of heap memory and if that were to succeed, a buffer read overflow of the same length which would most likely result in the process termination. In case of record->total_length ending up getting the value 0, there would be no buffer read overflow, but record parsing would result in an infinite loop in ndef_parse_records(). Any of these error cases could potentially be used for denial of service attacks over NFC by using a malformed NDEF record on an NFC Tag or sending them during NFC connection handover if the application providing the NDEF message to hostapd/wpa_supplicant did no validation of the received records. While such validation is likely done in the NFC stack that needs to parse the NFC messages before further processing, hostapd/wpa_supplicant better be prepared for any data being included here. Fix this by validating the record->payload_length value in a way that detects integer overflow. (CID 122668)
  Signed-off-by: Jouni Malinen <j@w1.fi>

* NFC: Avoid misaligned read of an NDEF field
  Jouni Malinen, 2015-07-07, 1 file, -1/+1
  The 32-bit version of the payload length field may not be 32-bit aligned in the message buffer, so use WPA_GET_BE32() to read it instead of ntohl().
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Add more debug prints to httpread
  Jouni Malinen, 2015-05-03, 1 file, -5/+27
  These can be helpful when debugging HTTP error cases.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Replace the httpread_debug design with standard debug prints
  Jouni Malinen, 2015-05-03, 1 file, -43/+18
  The debug information from httpread can be helpful in figuring out error cases in general and as such, should be enabled by default. Get rid of the hardcoded httpread_debug value that would require source code changes to enable.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Check maximum HTTP body length earlier in the process
  Jouni Malinen, 2015-05-03, 1 file, -0/+13
  There is no need to continue processing an HTTP body when it becomes clear that the end result would be over the maximum length.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Extra validation step for HTTP reader
  Jouni Malinen, 2015-05-03, 1 file, -0/+5
  Verify that the ncopy parameter to memcpy is not negative. While this is not supposed to be needed, it is a good additional protection against unknown implementation issues.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Fix HTTP chunked transfer encoding parser
  Jouni Malinen, 2015-05-03, 1 file, -0/+7
  The strtoul() return value may end up overflowing the int h->chunk_size and resulting in a negative value being stored as the chunk_size. This could result in the following memcpy operation using a very large length argument which would result in a buffer overflow and segmentation fault. This could have been used to cause a denial of service by any device that has been authorized for network access (either wireless or wired). This would affect both the WPS UPnP functionality in a WPS AP (hostapd with upnp_iface parameter set in the configuration) and WPS ER (wpa_supplicant with WPS_ER_START control interface command used). Validate the parsed chunk length value to avoid this. In addition to rejecting negative values, we can also reject a chunk size that would be larger than the maximum configured body length. Thanks to Kostya Kortchinsky of Google security team for discovering and reporting this issue.
  Signed-off-by: Jouni Malinen <j@w1.fi>
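Added example, not hostapd/wpa_supplicant code, showing the two defensive length checks described in the NDEF payload length fix and in this chunked-encoding fix: lengths are compared against the remaining buffer instead of being summed into a 32-bit total, and the strtoul() result is range-checked before it is narrowed to int. The simplified record layout, the payload cap and the function names are assumptions made for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define NDEF_MAX_PAYLOAD_LEN 100000u /* hypothetical cap, not the project's */

/* Big-endian 32-bit read, byte by byte: the field may be unaligned. */
static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
		((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/*
 * Assumed long-form record layout: flags(1) type_len(1) payload_len(4, BE)
 * type(type_len) payload. Returns the total record length or 0 to reject.
 * Each length is checked against the space left in the buffer rather than
 * summed into a 32-bit total_length, so a payload_len near 2^32 cannot
 * wrap the total to a small or zero value.
 */
size_t ndef_record_total_len(const uint8_t *buf, size_t buf_len)
{
	size_t pos = 6, type_len;
	uint32_t payload_len;
	if (buf_len < pos)
		return 0;
	type_len = buf[1];
	payload_len = get_be32(&buf[2]);
	if (payload_len > NDEF_MAX_PAYLOAD_LEN)
		return 0; /* explicit hard cap */
	if (type_len > buf_len - pos)
		return 0; /* type field would run past the end */
	pos += type_len;
	if (payload_len > buf_len - pos)
		return 0; /* payload would run past the end */
	return pos + payload_len; /* always >= 6, so 0 means "rejected" */
}

/*
 * Parse a chunked-encoding size line such as "1a\r\n". Returns the size,
 * or -1 if it is not hex, would go negative when narrowed to int, or is
 * larger than the configured maximum body length.
 */
int http_chunk_size(const char *line, int max_body)
{
	char *end;
	unsigned long v;
	errno = 0;
	v = strtoul(line, &end, 16);
	if (end == line || errno == ERANGE || v > INT_MAX)
		return -1;
	if (max_body < 0 || v > (unsigned long) max_body)
		return -1;
	return (int) v;
}

/* Constructed sample records, not captured from a real NFC tag. */
const uint8_t ndef_ok[] = { 0xD1, 1, 0, 0, 0, 2, 'T', 0xAA, 0xBB };
const uint8_t ndef_wrap[] = { 0xD1, 1, 0xFF, 0xFF, 0xFF, 0xFB, 'T' };
const uint8_t ndef_short[] = { 0xD1, 1, 0, 0, 0, 10, 'T', 0xAA };
```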
* WPS: Add support for 60 GHz band
  Hamad Kadmany, 2015-04-27, 5 files, -3/+13
  Handling of WPS RF band for 60 GHz was missing. Add it in all relevant places and also map "AES" as the cipher to GCMP instead of CCMP when operating on the 60 GHz band.
  Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>

* Declare all read only data structures as const
  Mikael Kanstrup, 2015-04-25, 2 files, -5/+5
  By analysing objdump output some read only structures were found in .data section. To help the compiler further optimize code declare these as const.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>

* WPS: Explicitly reject Public Key attribute with unexpected length
  Jouni Malinen, 2015-04-22, 1 file, -0/+12
  There is no need to try to derive the DH shared key with a peer that tries to use a too short or too long DH Public Key. Previously, such cases ended up implicitly getting rejected by the DH operations failing to produce matching results. That is unnecessary, so simply reject the message completely if it does not have a Public Key with valid length. Accept a value a couple of octets shorter to avoid interoperability issues if there are implementations that do not use zero-padding properly.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* WPS: Truncate variable length string attributes to maximum length
  Jouni Malinen, 2015-04-22, 2 files, -4/+20
  This enforces the variable length strings Manufacturer, Model Name, Model Number, and Serial Number to be within the maximum length defined in the WSC specification. While none of the existing users for these within hostapd/wpa_supplicant had problems with longer strings, it is good to ensure the strings are not longer to avoid potential issues at higher layer components.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Add p2p-fuzzer
  Jouni Malinen, 2015-04-22, 1 file, -3/+36
  This program can be used to run fuzzing tests for areas related to P2P message parsing and processing. p2p-fuzzer allows data files to be used to inject Probe Response and Action frames for processing by the P2P module.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Use common is_ctrl_char() helper function
  Jouni Malinen, 2015-04-22, 1 file, -1/+2
  This modifies a couple of code segments that replaced control characters in strings with '_' to use a common helper function.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Ignore too long SSID attribute
  Jouni Malinen, 2015-04-22, 1 file, -0/+5
  While it looks like all the users of this parsed attribute were able to handle longer SSID values, there is no valid use case for these and to avoid any potential future issues, enforce the maximum length (32 bytes) on the SSID during parsing.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* Use SSID_MAX_LEN define instead of value 32 when comparing SSID length
  Jouni Malinen, 2015-04-22, 1 file, -2/+3
  This makes the implementation easier to understand.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

* WPS: Ignore too long Device Name attribute
  Jouni Malinen, 2015-04-22, 1 file, -0/+6
  While it looks like all the users of this parsed attribute were able to handle longer Device Name values, there is no valid use case for these and to avoid any potential issues in upper layer components, enforce the maximum length (32 bytes) on the Device Name during parsing.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>