author | TreeHugger Robot <treehugger-gerrit@google.com> | 2019-05-02 21:51:55 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2019-05-02 21:51:55 +0000 |
commit | 0803bc45979cf94dd8a009915a08a77bbb6dfdb0 (patch) | |
tree | a92b9348f6d174c6efe7fec4d9e4566e0475a084 | |
parent | bd9d83deac1d48774c732e5d2843716e8537aba8 (diff) | |
parent | 1dc4d2010e96bb0240640f644bbd1b53b51a4276 (diff) | |
download | wpa_supplicant_8-0803bc45979cf94dd8a009915a08a77bbb6dfdb0.tar.gz |
Merge "[wpa_supplicant] Cherry-pick security fixes (April 29, 2019)" into qt-dev
-rw-r--r-- | src/ap/drv_callbacks.c | 7 | ||||
-rw-r--r-- | src/ap/hostapd.c | 6 | ||||
-rw-r--r-- | src/ap/hw_features.c | 11 | ||||
-rw-r--r-- | src/ap/wpa_auth.c | 8 | ||||
-rw-r--r-- | src/common/sae.c | 2 | ||||
-rw-r--r-- | src/eap_common/eap_pwd_common.c | 13 |
6 files changed, 36 insertions, 11 deletions
diff --git a/src/ap/drv_callbacks.c b/src/ap/drv_callbacks.c index 8ddf754f..952a3d55 100644 --- a/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c @@ -787,6 +787,13 @@ void hostapd_event_ch_switch(struct hostapd_data *hapd, int freq, int ht, freq, ht, hapd->iconf->ch_switch_vht_config, offset, width, channel_width_to_string(width), cf1, cf2); + if (!hapd->iface->current_mode) { + hostapd_logger(hapd, NULL, HOSTAPD_MODULE_IEEE80211, + HOSTAPD_LEVEL_WARNING, + "ignore channel switch since the interface is not yet ready"); + return; + } + hapd->iface->freq = freq; channel = hostapd_hw_get_channel(hapd, freq); diff --git a/src/ap/hostapd.c b/src/ap/hostapd.c index 20c8e8f5..0bd68923 100644 --- a/src/ap/hostapd.c +++ b/src/ap/hostapd.c @@ -2486,8 +2486,12 @@ static void hostapd_deinit_driver(const struct wpa_driver_ops *driver, wpa_printf(MSG_DEBUG, "%s:bss[%d]->drv_priv=%p", __func__, (int) j, hapd_iface->bss[j]->drv_priv); - if (hapd_iface->bss[j]->drv_priv == drv_priv) + if (hapd_iface->bss[j]->drv_priv == drv_priv) { hapd_iface->bss[j]->drv_priv = NULL; + hapd_iface->extended_capa = NULL; + hapd_iface->extended_capa_mask = NULL; + hapd_iface->extended_capa_len = 0; + } } } } diff --git a/src/ap/hw_features.c b/src/ap/hw_features.c index 9d3d990a..8ac33bb3 100644 --- a/src/ap/hw_features.c +++ b/src/ap/hw_features.c @@ -936,11 +936,16 @@ int hostapd_hw_get_channel(struct hostapd_data *hapd, int freq) int i, channel; struct hostapd_hw_modes *mode; - channel = hw_get_chan(hapd->iface->current_mode, freq); - if (channel) - return channel; + if (hapd->iface->current_mode) { + channel = hw_get_chan(hapd->iface->current_mode, freq); + if (channel) + return channel; + } + /* Check other available modes since the channel list for the current * mode did not include the specified frequency. */ + if (!hapd->iface->hw_features) + return 0; for (i = 0; i < hapd->iface->num_hw_features; i++) { mode = &hapd->iface->hw_features[i]; channel = hw_get_chan(mode, freq); 
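Review bot: In hostapd_deinit_driver() (src/ap/hostapd.c), the new resets of `hapd_iface->extended_capa`, `extended_capa_mask` and `extended_capa_len` have no comment explaining why interface-level fields are cleared inside the per-BSS match branch. Presumably these pointers reference memory owned by the driver instance being torn down, so leaving them set would leave dangling pointers. That ownership is not visible in the hunk, so a line such as `/* extended_capa* point into driver data that is going away; drop the references */` would record it. Because the fields belong to the interface rather than to `bss[j]`, it is also worth stating whether resetting them on the first matching BSS is intended when several BSSs share the interface. The function starts outside the hunk.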
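Review bot: In hostapd_hw_get_channel() (src/ap/hw_features.c), the existing block comment now sits between the current-mode lookup and the new `if (!hapd->iface->hw_features) return 0;`. Its wording ("the channel list for the current mode did not include the specified frequency") no longer covers the case where `current_mode` is NULL. Move the NULL check above the comment and reword the comment to something like `/* Check other available modes: no current mode is set, or its channel list did not include the frequency. */`. It would also help to document that a return value of 0 means "no channel found", since hostapd_event_ch_switch() assigns the result to `channel` and its handling of 0 lies outside these hunks. The loop continues past the end of the hunk.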
diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c index 616b2059..e89a7163 100644 --- a/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c @@ -699,7 +699,7 @@ static void wpa_free_sta_sm(struct wpa_state_machine *sm) #ifdef CONFIG_DPP2 wpabuf_clear_free(sm->dpp_z); #endif /* CONFIG_DPP2 */ - os_free(sm); + bin_clear_free(sm, sizeof(*sm)); } @@ -1730,6 +1730,12 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event) case WPA_DEAUTH: case WPA_DISASSOC: sm->DeauthenticationRequest = TRUE; +#ifdef CONFIG_IEEE80211R_AP + os_memset(sm->PMK, 0, sizeof(sm->PMK)); + sm->pmk_len = 0; + os_memset(sm->xxkey, 0, sizeof(sm->xxkey)); + sm->xxkey_len = 0; +#endif /* CONFIG_IEEE80211R_AP */ break; case WPA_REAUTH: case WPA_REAUTH_EAPOL: diff --git a/src/common/sae.c b/src/common/sae.c index 5a50294a..0d56e550 100644 --- a/src/common/sae.c +++ b/src/common/sae.c @@ -317,7 +317,7 @@ static int sae_test_pwd_seed_ecc(struct sae_data *sae, const u8 *pwd_seed, wpa_hexdump_key(MSG_DEBUG, "SAE: pwd-value", pwd_value, sae->tmp->prime_len); - if (os_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) + if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) return 0; x_cand = crypto_bignum_init_set(pwd_value, sae->tmp->prime_len); diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c index 884150e6..6ca2c8ba 100644 --- a/src/eap_common/eap_pwd_common.c +++ b/src/eap_common/eap_pwd_common.c @@ -144,6 +144,7 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, u8 qnr_bin[MAX_ECC_PRIME_LEN]; u8 qr_or_qnr_bin[MAX_ECC_PRIME_LEN]; u8 x_bin[MAX_ECC_PRIME_LEN]; + u8 prime_bin[MAX_ECC_PRIME_LEN]; struct crypto_bignum *tmp1 = NULL, *tmp2 = NULL, *pm1 = NULL; struct crypto_hash *hash; unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; 
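Review bot: In wpa_auth_sm_event() (src/ap/wpa_auth.c, hunk `@@ -1730`), the key wipe on WPA_DEAUTH/WPA_DISASSOC is compiled only under CONFIG_IEEE80211R_AP. In builds without FT, `sm->PMK` therefore stays populated after deauthentication until wpa_free_sta_sm() clears the whole structure. If `sm->PMK` and `sm->pmk_len` are declared unconditionally (their declaration is outside this page), consider moving `os_memset(sm->PMK, 0, sizeof(sm->PMK)); sm->pmk_len = 0;` out of the `#ifdef` and leaving only the `xxkey` lines inside it. Otherwise add a comment saying why only the FT configuration needs the early wipe. The switch statement starts and ends outside the hunk.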
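Review bot: In sae_test_pwd_seed_ecc() (src/common/sae.c), the comparison is now constant-time, but `if (const_time_memcmp(pwd_value, prime, sae->tmp->prime_len) >= 0) return 0;` still returns early on a password-derived value. A rejected candidate skips `crypto_bignum_init_set()` and everything after it, so per-candidate run time still depends on the outcome. The same pattern appears in the `@@ -237` hunk of src/eap_common/eap_pwd_common.c, where `continue;` skips the rest of the loop iteration after `const_time_memcmp(prfbuf, prime_bin, primebytelen)`. A more robust shape keeps the comparison result as a mask, runs the remaining steps unconditionally, and folds the mask into the final result, as the page's own `const_time_select_bin(found, ...)` call already does for `x_bin`. Both function bodies continue outside their hunks, so the exact rewrite depends on code not shown here.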
@@ -161,6 +162,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, os_memset(x_bin, 0, sizeof(x_bin)); prime = crypto_ec_get_prime(grp->group); + primebitlen = crypto_ec_prime_len_bits(grp->group); + primebytelen = crypto_ec_prime_len(grp->group); + if (crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), + primebytelen) < 0) + return -1; grp->pwe = crypto_ec_point_init(grp->group); tmp1 = crypto_bignum_init(); pm1 = crypto_bignum_init(); @@ -170,8 +176,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, goto fail; } - primebitlen = crypto_ec_prime_len_bits(grp->group); - primebytelen = crypto_ec_prime_len(grp->group); if ((prfbuf = os_malloc(primebytelen)) == NULL) { wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " "buffer"); @@ -237,6 +241,8 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, if (primebitlen % 8) buf_shift_right(prfbuf, primebytelen, 8 - primebitlen % 8); + if (const_time_memcmp(prfbuf, prime_bin, primebytelen) >= 0) + continue; crypto_bignum_deinit(x_candidate, 1); x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); @@ -246,9 +252,6 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, goto fail; } - if (crypto_bignum_cmp(x_candidate, prime) >= 0) - continue; - wpa_hexdump_key(MSG_DEBUG, "EAP-pwd: x_candidate", prfbuf, primebytelen); const_time_select_bin(found, x_bin, prfbuf, primebytelen, |
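Review bot: In compute_password_element() (hunk `@@ -161`), the new `crypto_bignum_to_bin(prime, prime_bin, sizeof(prime_bin), primebytelen) < 0` failure path does a bare `return -1;` with no log message. The allocation failure a few lines below logs via `wpa_printf(MSG_INFO, ...)` and uses `goto fail`. The direct return is leak-free only because it runs before `grp->pwe`, `tmp1` and `pm1` are created. A comment such as `/* nothing allocated yet, safe to return directly */` plus a `wpa_printf(MSG_INFO, "EAP-pwd: unable to convert prime to binary");` would make that ordering dependency explicit and the failure diagnosable. The function's cleanup label is outside the hunk.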