wpa_supplicant: Resolve WPA3 SAE softAP coverity issues

1) Resolve wpa_suppliant coverity issues caused by SAE softAP
2) Fix crash occured while deinitialization of softAP
   when authmode is changed
3) Fix issue related to anti clogging token and send_confirm
4) Put some AP specific functions under ESP_WIFI_SOFTAP_SUPPORT
   compilation flags
This commit is contained in:
Shreyas Sheth 2023-03-02 12:21:10 +05:30
parent cd747165df
commit c797146f43
7 changed files with 57 additions and 75 deletions

View File

@ -224,17 +224,11 @@ bool hostap_deinit(void *data)
esp_wifi_unset_appie_internal(WIFI_APPIE_WPA);
#ifdef CONFIG_SAE
uint8_t authmode;
authmode = esp_wifi_ap_get_prof_authmode_internal();
if (authmode == WIFI_AUTH_WPA3_PSK ||
authmode == WIFI_AUTH_WPA2_WPA3_PSK) {
wpa3_hostap_auth_deinit();
/* Wait till lock is released by wpa3 task */
if (WPA3_HOSTAP_AUTH_API_LOCK() == pdTRUE) {
WPA3_HOSTAP_AUTH_API_UNLOCK();
os_mutex_delete(g_wpa3_hostap_auth_api_lock);
g_wpa3_hostap_auth_api_lock = NULL;
}
wpa3_hostap_auth_deinit();
/* Wait till lock is released by wpa3 task */
if (g_wpa3_hostap_auth_api_lock &&
WPA3_HOSTAP_AUTH_API_LOCK() == pdTRUE) {
WPA3_HOSTAP_AUTH_API_UNLOCK();
}
#endif /* CONFIG_SAE */
@ -259,7 +253,7 @@ int esp_wifi_build_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
}
flen = (capab & 0xff00) ? 2 : 1;
flen = 1;
if (len < 2 + flen || !capab) {
return 0; /* no supported extended RSN capabilities */
}
@ -268,10 +262,6 @@ int esp_wifi_build_rsnxe(struct hostapd_data *hapd, u8 *eid, size_t len)
*pos++ = WLAN_EID_RSNX;
*pos++ = flen;
*pos++ = capab & 0x00ff;
capab >>= 8;
if (capab) {
*pos++ = capab;
}
return pos - eid;
}

View File

@ -461,7 +461,7 @@ static void wpa3_process_rx_confirm(wpa3_hostap_auth_event_t *evt)
}
os_mutex_unlock(sta->lock);
if (ret != WLAN_STATUS_SUCCESS) {
uint16_t aid = 0;
uint16_t aid = -1;
if (esp_wifi_ap_get_sta_aid(frm->bssid, &aid) == ESP_OK && aid == 0) {
esp_wifi_ap_deauth_internal(frm->bssid, ret);
}
@ -521,23 +521,23 @@ static void esp_wpa3_hostap_task(void *pvParameters)
int wpa3_hostap_auth_init(void *data)
{
int ret = ESP_OK;
if (g_wpa3_hostap_evt_queue) {
wpa_printf(MSG_ERROR, "esp_wpa3_hostap_task has already been initialised");
return ret;
return ESP_OK;
}
g_wpa3_hostap_auth_api_lock = os_semphr_create(1, 0);
if (!g_wpa3_hostap_auth_api_lock) {
wpa_printf(MSG_ERROR, "wpa3_hostap_auth_init: failed to create WPA3 hostap auth API lock");
return ESP_FAIL;
if (g_wpa3_hostap_auth_api_lock == NULL) {
g_wpa3_hostap_auth_api_lock = os_semphr_create(1, 1);
if (!g_wpa3_hostap_auth_api_lock) {
wpa_printf(MSG_ERROR, "wpa3_hostap_auth_init: failed to create WPA3 hostap auth API lock");
return ESP_FAIL;
}
}
g_wpa3_hostap_evt_queue = os_queue_create(10, sizeof(wpa3_hostap_auth_event_t));
if (!g_wpa3_hostap_evt_queue) {
wpa_printf(MSG_ERROR, "wpa3_hostap_auth_init: failed to create queue");
ret = ESP_FAIL;
goto init_done;
return ESP_FAIL;
}
if (os_task_create(esp_wpa3_hostap_task, "esp_wpa3_hostap_task",
@ -546,22 +546,18 @@ int wpa3_hostap_auth_init(void *data)
&g_wpa3_hostap_task_hdl) != pdPASS) {
wpa_printf(MSG_ERROR, "wpa3_hostap_auth_init: failed to create task");
os_queue_delete(g_wpa3_hostap_evt_queue);
ret = ESP_FAIL;
goto init_done;
return ESP_FAIL;
}
struct hostapd_data *hapd = (struct hostapd_data *)data;
dl_list_init(&hapd->sae_commit_queue);
init_done:
WPA3_HOSTAP_AUTH_API_UNLOCK();
return ret;
return ESP_OK;
}
bool wpa3_hostap_auth_deinit(void)
{
if (wpa3_hostap_post_evt(SIG_TASK_DEL, 0) != 0) {
wpa_printf(MSG_ERROR, "failed to send task delete event");
wpa_printf(MSG_DEBUG, "failed to send task delete event");
return false;
} else {
return true;

View File

@ -202,7 +202,7 @@ static int use_sae_anti_clogging(struct hostapd_data *hapd)
for (sta = hapd->sta_list; sta; sta = sta->next) {
if (sta->sae &&
(sta->sae->state == SAE_COMMITTED ||
sta->sae->state != SAE_CONFIRMED)) {
sta->sae->state == SAE_CONFIRMED)) {
open++;
}
if (open >= hapd->conf->sae_anti_clogging_threshold) {
@ -358,13 +358,12 @@ static int sae_sm_step(struct hostapd_data *hapd, struct sta_info *sta,
if (ret) {
return ret;
}
sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
if (sae_process_commit(sta->sae) < 0) {
return WLAN_STATUS_UNSPECIFIED_FAILURE;
}
sae_set_state(sta, SAE_COMMITTED, "Sent Commit");
sta->sae->sync = 0;
} else {
if (sae_check_big_sync(hapd, sta)) {
@ -534,38 +533,36 @@ int handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
goto remove_sta;
}
if (sta->sae->state >= SAE_CONFIRMED) {
const u8 *var;
size_t var_len;
u16 peer_send_confirm;
const u8 *var;
size_t var_len;
u16 peer_send_confirm;
var = buf;
var_len = len;
if (var_len < 2) {
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto reply;
}
var = buf;
var_len = len;
if (var_len < 2) {
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto reply;
}
peer_send_confirm = WPA_GET_LE16(var);
peer_send_confirm = WPA_GET_LE16(var);
if (sta->sae->state == SAE_ACCEPTED &&
(peer_send_confirm <= sta->sae->rc ||
peer_send_confirm == 0xffff)) {
wpa_printf(MSG_DEBUG,
"SAE: Silently ignore unexpected Confirm from peer "
MACSTR
" (peer-send-confirm=%u Rc=%u)",
MAC2STR(sta->addr),
peer_send_confirm, sta->sae->rc);
return 0;
}
if (sta->sae->state == SAE_ACCEPTED &&
(peer_send_confirm <= sta->sae->rc ||
peer_send_confirm == 0xffff)) {
wpa_printf(MSG_DEBUG,
"SAE: Silently ignore unexpected Confirm from peer "
MACSTR
" (peer-send-confirm=%u Rc=%u)",
MAC2STR(sta->addr),
peer_send_confirm, sta->sae->rc);
return 0;
}
if (sae_check_confirm(sta->sae, buf, len) < 0) {
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto reply;
}
sta->sae->rc = peer_send_confirm;
}
if (sae_check_confirm(sta->sae, buf, len) < 0) {
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto reply;
}
sta->sae->rc = peer_send_confirm;
resp = sae_sm_step(hapd, sta, bssid, auth_transaction,
status, 0, &sta_removed);

View File

@ -495,7 +495,7 @@ static void wpa_free_sta_sm(struct wpa_state_machine *sm)
void wpa_auth_sta_deinit(struct wpa_state_machine *sm)
{
#ifdef ESP_SUPPLICANT
if (esp_wifi_ap_is_sta_sae_reauth_node(sm->addr)) {
if (sm && esp_wifi_ap_is_sta_sae_reauth_node(sm->addr)) {
wpa_printf( MSG_DEBUG, "deinit old sm=%p\n", sm);
}
#else /* ESP_SUPPLICANT */
@ -2509,6 +2509,7 @@ void wpa_deinit(struct wpa_authenticator *wpa_auth)
}
#ifdef CONFIG_ESP_WIFI_SOFTAP_SUPPORT
bool wpa_ap_join(struct sta_info *sta, uint8_t *bssid, uint8_t *wpa_ie,
uint8_t wpa_ie_len, uint8_t *rsnxe, uint8_t rsnxe_len,
bool *pmf_enable, int subtype)
@ -2614,6 +2615,7 @@ bool wpa_ap_remove(void* sta_info)
return true;
}
#endif /* CONFIG_ESP_WIFI_SOFTAP_SUPPORT */
void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
const u8 *sta_addr)

View File

@ -311,7 +311,7 @@ int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len)
capab |= BIT(WLAN_RSNX_CAPAB_SAE_H2E);
}
flen = (capab & 0xff00) ? 2 : 1;
flen = 1;
if (!capab)
return 0; /* no supported extended RSN capabilities */
if (len < 2 + flen)
@ -321,9 +321,6 @@ int wpa_write_rsnxe(struct wpa_auth_config *conf, u8 *buf, size_t len)
*pos++ = WLAN_EID_RSNX;
*pos++ = flen;
*pos++ = capab & 0x00ff;
capab >>= 8;
if (capab)
*pos++ = capab;
return pos - buf;
}

View File

@ -2212,10 +2212,10 @@ int sae_write_confirm(struct sae_data *sae, struct wpabuf *buf)
return ESP_FAIL;
/* Send-Confirm */
if (sae->send_confirm < 0xffff)
sae->send_confirm++;
sc = wpabuf_put(buf, 0);
wpabuf_put_le16(buf, sae->send_confirm);
if (sae->send_confirm < 0xffff)
sae->send_confirm++;
if (sae->tmp->ec) {
if (sae_cn_confirm_ecc(sae, sc, sae->tmp->own_commit_scalar,

View File

@ -493,17 +493,17 @@ int wpa_parse_wpa_ie_rsn(const u8 *rsn_ie, size_t rsn_ie_len,
}
if (left >= 2) {
data->num_pmkid = WPA_GET_LE16(pos);
u16 num_pmkid = WPA_GET_LE16(pos);
pos += 2;
left -= 2;
if (left < (int) data->num_pmkid * PMKID_LEN) {
if (num_pmkid > (unsigned int) left / PMKID_LEN) {
wpa_printf(MSG_DEBUG, "%s: PMKID underflow "
"(num_pmkid=%lu left=%d)",
__func__, (unsigned long) data->num_pmkid,
left);
"(num_pmkid=%u left=%d)",
__func__, num_pmkid, left);
data->num_pmkid = 0;
return -9;
} else {
data->num_pmkid = num_pmkid;
data->pmkid = pos;
pos += data->num_pmkid * PMKID_LEN;
left -= data->num_pmkid * PMKID_LEN;