authorVarun Reddy Yeturu <varunreddy.yeturu@codeaurora.org>2019-02-12 17:27:26 -0800
committernshrivas <nshrivas@codeaurora.org>2019-02-20 02:11:33 -0800
commitd08bb9062956c9adbd12135a949b5689b9510062 (patch)
treee3c1005faf84b456e128a7f922d632b47e2182ba
parent6fd330814b813647664530446bf8bcddc54d0c9e (diff)
qcacld-3.0: Clear PTK, GTK and IGTK keys on sta disconnection
Currently the PTK, GTK and IGTK keys are not cleared from wifi driver memory on wifi link disconnection, which can lead to information disclosure. Clear the PTK, GTK and IGTK keys from wifi driver memory to avoid any potential information disclosure after wifi is turned off. Change-Id: I309cd7af8d396167e9ec3ef9c6c443e8c08903d8 CRs-fixed: 2396603
-rw-r--r--core/hdd/src/wlan_hdd_assoc.c12
-rw-r--r--core/hdd/src/wlan_hdd_cfg80211.c9
-rw-r--r--core/hdd/src/wlan_hdd_wext.c5
-rw-r--r--core/mac/src/pe/lim/lim_process_mlm_req_messages.c7
-rw-r--r--core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c5
-rw-r--r--core/mac/src/pe/lim/lim_process_sme_req_messages.c6
-rw-r--r--core/mac/src/pe/lim/lim_security_utils.c2
-rw-r--r--core/mac/src/pe/lim/lim_session.c5
-rw-r--r--core/sme/inc/sme_ft_api.h11
-rw-r--r--core/sme/src/common/sme_ft_api.c20
-rw-r--r--core/sme/src/csr/csr_api_roam.c19
-rw-r--r--core/wma/src/wma_dev_if.c15
12 files changed, 106 insertions, 10 deletions
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c
index 82176d586793..f6369c94d69c 100644
--- a/core/hdd/src/wlan_hdd_assoc.c
+++ b/core/hdd/src/wlan_hdd_assoc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -943,7 +943,12 @@ static void hdd_save_bss_info(hdd_adapter_t *adapter,
}
/* Cache last connection info */
qdf_mem_copy(&hdd_sta_ctx->cache_conn_info, &hdd_sta_ctx->conn_info,
- sizeof(connection_info_t));
+ sizeof(hdd_sta_ctx->cache_conn_info));
+ /* Do not cache key info */
+ qdf_mem_zero(&hdd_sta_ctx->cache_conn_info.Keys,
+ sizeof(hdd_sta_ctx->cache_conn_info.Keys));
+ qdf_mem_zero(&hdd_sta_ctx->ibss_enc_key,
+ sizeof(hdd_sta_ctx->ibss_enc_key));
}
/**
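Review bot: The second added `qdf_mem_zero` wipes `hdd_sta_ctx->ibss_enc_key`, which is the station context's stored IBSS key rather than part of `cache_conn_info`, so the `/* Do not cache key info */` comment does not describe it. `__wlan_hdd_cfg80211_add_key` (later in this commit) rejects further keys while `ibss_enc_key_installed` is set, and this hunk does not touch that flag; if this path can run while an IBSS key is installed, the stored key ends up zeroed with the flag still set, which is worth confirming. I would give the second call its own comment, e.g. `/* Wipe the saved IBSS key; ibss_enc_key_installed is reset in <place> */`, or reset the flag next to it. The function body starts outside the hunk.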
@@ -1755,6 +1760,7 @@ static QDF_STATUS hdd_dis_connect_handler(hdd_adapter_t *pAdapter,
hdd_wmm_adapter_clear(pAdapter);
sme_ft_reset(WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId);
+ sme_reset_key(WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId);
if (hdd_remove_beacon_filter(pAdapter) != 0)
hdd_err("hdd_remove_beacon_filter() failed");
@@ -3245,6 +3251,8 @@ static QDF_STATUS hdd_association_completion_handler(hdd_adapter_t *pAdapter,
timeout_reason);
}
hdd_clear_roam_profile_ie(pAdapter);
+ sme_reset_key(WLAN_HDD_GET_HAL_CTX(pAdapter),
+ pAdapter->sessionId);
} else if ((eCSR_ROAM_CANCELLED == roamStatus
&& !hddDisconInProgress)) {
hdd_connect_result(dev,
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 024543526956..5f8a22eb398b 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -15510,6 +15510,7 @@ static int __wlan_hdd_cfg80211_add_key(struct wiphy *wiphy,
default:
hdd_err("Unsupported cipher type: %u", params->cipher);
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return -EOPNOTSUPP;
}
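Review bot: The wipe of `setKey` is repeated by hand before each of the nine `return` sites touched across this file's hunks, so any return path not shown here, or added later, leaves key material behind. A single exit label doing `qdf_mem_zero(&setKey, sizeof(setKey)); return ret;` would make the wipe unconditional and tie the size to the object, as this commit already does for `cache_conn_info`. `setKey` appears to be a local that goes out of scope right after each call, so it is also worth confirming that `qdf_mem_zero` cannot be inlined to a plain `memset` that the compiler may drop as a dead store; the kernel's `memzero_explicit()` exists for this case. The function starts and ends outside these hunks.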
@@ -15530,6 +15531,7 @@ static int __wlan_hdd_cfg80211_add_key(struct wiphy *wiphy,
/* if a key is already installed, block all subsequent ones */
if (pAdapter->sessionCtx.station.ibss_enc_key_installed) {
hdd_debug("IBSS key installed already");
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return 0;
}
@@ -15540,6 +15542,7 @@ static int __wlan_hdd_cfg80211_add_key(struct wiphy *wiphy,
if (0 != status) {
hdd_err("sme_roam_set_key failed, status: %d", status);
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return -EINVAL;
}
/*Save the keys here and call sme_roam_set_key for setting
@@ -15548,6 +15551,7 @@ static int __wlan_hdd_cfg80211_add_key(struct wiphy *wiphy,
&setKey, sizeof(tCsrRoamSetKey));
pAdapter->sessionCtx.station.ibss_enc_key_installed = 1;
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return status;
}
if ((pAdapter->device_mode == QDF_SAP_MODE) ||
@@ -15610,9 +15614,11 @@ static int __wlan_hdd_cfg80211_add_key(struct wiphy *wiphy,
pAdapter->sessionId, &setKey);
if (qdf_ret_status == QDF_STATUS_FT_PREAUTH_KEY_SUCCESS) {
hdd_debug("Update PreAuth Key success");
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return 0;
} else if (qdf_ret_status == QDF_STATUS_FT_PREAUTH_KEY_FAILED) {
hdd_err("Update PreAuth Key failed");
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return -EINVAL;
}
@@ -15624,6 +15630,7 @@ static int __wlan_hdd_cfg80211_add_key(struct wiphy *wiphy,
hdd_err("sme_roam_set_key failed, status: %d", status);
pHddStaCtx->roam_info.roamingState =
HDD_ROAM_STATE_NONE;
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return -EINVAL;
}
@@ -15662,10 +15669,12 @@ static int __wlan_hdd_cfg80211_add_key(struct wiphy *wiphy,
hdd_err("sme_roam_set_key failed for group key (IBSS), returned %d", status);
pHddStaCtx->roam_info.roamingState =
HDD_ROAM_STATE_NONE;
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
return -EINVAL;
}
}
}
+ qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
EXIT();
return 0;
}
diff --git a/core/hdd/src/wlan_hdd_wext.c b/core/hdd/src/wlan_hdd_wext.c
index 5015e21ae277..2bbde1b7ca0f 100644
--- a/core/hdd/src/wlan_hdd_wext.c
+++ b/core/hdd/src/wlan_hdd_wext.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -3886,6 +3886,9 @@ void hdd_clear_roam_profile_ie(hdd_adapter_t *pAdapter)
qdf_mem_zero(pWextState->roamProfile.Keys.KeyLength, CSR_MAX_NUM_KEY);
+ qdf_mem_zero(pWextState->roamProfile.Keys.KeyMaterial,
+ sizeof(pWextState->roamProfile.Keys.KeyMaterial));
+
#ifdef FEATURE_WLAN_WAPI
pAdapter->wapi_info.wapiAuthMode = WAPI_AUTH_MODE_OPEN;
pAdapter->wapi_info.nWapiMode = 0;
diff --git a/core/mac/src/pe/lim/lim_process_mlm_req_messages.c b/core/mac/src/pe/lim/lim_process_mlm_req_messages.c
index e524420c93d0..c16f17470bb3 100644
--- a/core/mac/src/pe/lim/lim_process_mlm_req_messages.c
+++ b/core/mac/src/pe/lim/lim_process_mlm_req_messages.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -2116,6 +2116,7 @@ lim_process_mlm_set_keys_req(tpAniSirGlobal mac_ctx, uint32_t *msg_buf)
mlm_set_keys_req->sessionId);
if (NULL == session) {
pe_err("session does not exist for given sessionId");
+ qdf_mem_zero(mlm_set_keys_req, sizeof(tLimMlmSetKeysReq));
qdf_mem_free(mlm_set_keys_req);
mac_ctx->lim.gpLimMlmSetKeysReq = NULL;
return;
@@ -2253,6 +2254,8 @@ lim_process_mlm_set_keys_req(tpAniSirGlobal mac_ctx, uint32_t *msg_buf)
session->peSessionId);
/* Package WMA_SET_BSSKEY_REQ message parameters */
lim_send_set_bss_key_req(mac_ctx, mlm_set_keys_req, session);
+
+ qdf_mem_zero(mlm_set_keys_req, sizeof(tLimMlmSetKeysReq));
return;
} else {
/*
@@ -2262,11 +2265,13 @@ lim_process_mlm_set_keys_req(tpAniSirGlobal mac_ctx, uint32_t *msg_buf)
lim_send_set_sta_key_req(mac_ctx, mlm_set_keys_req, sta_idx,
(uint8_t) default_key_id, session,
true);
+ qdf_mem_zero(mlm_set_keys_req, sizeof(tLimMlmSetKeysReq));
return;
}
end:
mlm_set_keys_cnf.sessionId = mlm_set_keys_req->sessionId;
lim_post_sme_set_keys_cnf(mac_ctx, mlm_set_keys_req, &mlm_set_keys_cnf);
+ qdf_mem_zero(mlm_set_keys_req, sizeof(tLimMlmSetKeysReq));
}
/**
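Review bot: The `qdf_mem_zero(mlm_set_keys_req, sizeof(tLimMlmSetKeysReq));` added after the `end:` label writes to memory that has already been released. The call just before it, `lim_post_sme_set_keys_cnf()`, zeroes and then `qdf_mem_free()`s the same request buffer and clears `gpLimMlmSetKeysReq`, as the lim_security_utils.c hunk in this commit shows. That is a write-after-free of `sizeof(tLimMlmSetKeysReq)` bytes, and the added line should simply be dropped since the callee already wipes the buffer. The wipe after `lim_send_set_sta_key_req()` here, and after `lim_send_set_bss_key_req()` in the previous hunk, needs the same check: the `fail:` path of `lim_send_set_sta_key_req()` is commented as responding with LIM_MLM_SETKEYS_CNF, which presumably reaches the same free, and on success the pending request may still be read when the response arrives. The function body starts outside the hunk.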
diff --git a/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c b/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c
index 4a2e54ae2aa0..612d9316428f 100644
--- a/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c
+++ b/core/mac/src/pe/lim/lim_process_mlm_rsp_messages.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -2720,6 +2720,7 @@ void lim_process_mlm_set_sta_key_rsp(tpAniSirGlobal mac_ctx,
session_entry = pe_find_session_by_session_id(mac_ctx, session_id);
if (session_entry == NULL) {
pe_err("session does not exist for given session_id");
+ qdf_mem_zero(msg->bodyptr, sizeof(tSetBssKeyParams));
qdf_mem_free(msg->bodyptr);
msg->bodyptr = NULL;
lim_send_sme_set_context_rsp(mac_ctx,
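Review bot: In `lim_process_mlm_set_sta_key_rsp` the wipe is sized with `sizeof(tSetBssKeyParams)`, but this is the STA-key response and the request side allocates a `tSetStaKeyParams` (see `lim_send_set_sta_key_req` in lim_security_utils.c). If `msg->bodyptr` holds a `tSetStaKeyParams` here, as the names suggest, the length is wrong: a larger BSS struct would write past the allocation, and a smaller one would leave part of the key uncleared. The same size is used at the second wipe in this function (next hunk); both should read `qdf_mem_zero(msg->bodyptr, sizeof(tSetStaKeyParams));`. A NULL check on `msg->bodyptr` before the wipe is not visible in the hunk and should be confirmed.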
@@ -2745,6 +2746,7 @@ void lim_process_mlm_set_sta_key_rsp(tpAniSirGlobal mac_ctx,
else
mlm_set_key_cnf.key_len_nonzero = false;
+ qdf_mem_zero(msg->bodyptr, sizeof(tSetBssKeyParams));
qdf_mem_free(msg->bodyptr);
msg->bodyptr = NULL;
@@ -2842,6 +2844,7 @@ void lim_process_mlm_set_bss_key_rsp(tpAniSirGlobal mac_ctx,
set_key_cnf.resultCode = result_status;
}
+ qdf_mem_zero(msg->bodyptr, sizeof(tSetBssKeyParams));
qdf_mem_free(msg->bodyptr);
msg->bodyptr = NULL;
/* Restore MLME state */
diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
index 23cb94ad3491..b30f4c89d950 100644
--- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c
+++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -2959,6 +2959,9 @@ __lim_process_sme_set_context_req(tpAniSirGlobal mac_ctx, uint32_t *msg_buf)
}
qdf_mem_copy(set_context_req, msg_buf,
sizeof(struct sSirSmeSetContextReq));
+
+ qdf_mem_zero(msg_buf, sizeof(tSirSmeSetContextReq));
+
sme_session_id = set_context_req->sessionId;
sme_transaction_id = set_context_req->transactionId;
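Review bot: `msg_buf` is wiped only after the copy, so any return taken before this point would leave the key-bearing request in the caller's buffer; the block closed just above the `qdf_mem_copy` is outside the hunk, so those paths are worth checking. The copy is sized with `struct sSirSmeSetContextReq` while the added wipes (here and at `end:` in the next hunk) use `tSirSmeSetContextReq`. Using `sizeof(*set_context_req)` for all three would keep the sizes from drifting apart.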
@@ -3066,6 +3069,7 @@ __lim_process_sme_set_context_req(tpAniSirGlobal mac_ctx, uint32_t *msg_buf)
sme_transaction_id);
}
end:
+ qdf_mem_zero(set_context_req, sizeof(tSirSmeSetContextReq));
qdf_mem_free(set_context_req);
return;
}
diff --git a/core/mac/src/pe/lim/lim_security_utils.c b/core/mac/src/pe/lim/lim_security_utils.c
index d23ccb3751c8..56bb15d9bb51 100644
--- a/core/mac/src/pe/lim/lim_security_utils.c
+++ b/core/mac/src/pe/lim/lim_security_utils.c
@@ -749,6 +749,7 @@ void lim_post_sme_set_keys_cnf(tpAniSirGlobal pMac,
&pMlmSetKeysReq->peer_macaddr);
/* Free up buffer allocated for mlmSetKeysReq */
+ qdf_mem_zero(pMlmSetKeysReq, sizeof(tLimMlmSetKeysReq));
qdf_mem_free(pMlmSetKeysReq);
pMac->lim.gpLimMlmSetKeysReq = NULL;
@@ -1024,6 +1025,7 @@ void lim_send_set_sta_key_req(tpAniSirGlobal pMac,
return; /* Continue after WMA_SET_STAKEY_RSP... */
free_sta_key:
+ qdf_mem_zero(pSetStaKeyParams, sizeof(tSetStaKeyParams));
qdf_mem_free(pSetStaKeyParams);
fail:
/* Respond to SME with LIM_MLM_SETKEYS_CNF */
diff --git a/core/mac/src/pe/lim/lim_session.c b/core/mac/src/pe/lim/lim_session.c
index ed961de3f132..09c079b26d30 100644
--- a/core/mac/src/pe/lim/lim_session.c
+++ b/core/mac/src/pe/lim/lim_session.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -850,6 +850,9 @@ void pe_delete_session(tpAniSirGlobal mac_ctx, tpPESession session)
pe_delete_fils_info(session);
session->valid = false;
+ qdf_mem_zero(session->WEPKeyMaterial,
+ sizeof(session->WEPKeyMaterial));
+
if (session->access_policy_vendor_ie)
qdf_mem_free(session->access_policy_vendor_ie);
diff --git a/core/sme/inc/sme_ft_api.h b/core/sme/inc/sme_ft_api.h
index b063c83a189a..6174d0bb0cea 100644
--- a/core/sme/inc/sme_ft_api.h
+++ b/core/sme/inc/sme_ft_api.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2016,2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -85,6 +85,15 @@ void sme_get_ft_pre_auth_response(tHalHandle hHal, uint32_t sessionId,
uint16_t *ft_ies_length);
void sme_get_rici_es(tHalHandle hHal, uint32_t sessionId, uint8_t *ric_ies,
uint32_t ric_ies_ip_len, uint32_t *ric_ies_length);
+/**
+ * sme_reset_key() -Reset key information
+ * @mac_handle: MAC handle
+ * @vdev_id: vdev identifier
+ *
+ * Return: None
+ */
+void sme_reset_key(tHalHandle mac_handle, uint32_t vdev_id);
+
void sme_preauth_reassoc_intvl_timer_callback(void *context);
void sme_set_ft_pre_auth_state(tHalHandle hHal, uint32_t sessionId, bool state);
bool sme_get_ft_pre_auth_state(tHalHandle hHal, uint32_t sessionId);
diff --git a/core/sme/src/common/sme_ft_api.c b/core/sme/src/common/sme_ft_api.c
index 7a7913c23d7f..b34bdaec3a7b 100644
--- a/core/sme/src/common/sme_ft_api.c
+++ b/core/sme/src/common/sme_ft_api.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017,2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -472,6 +472,24 @@ void sme_preauth_reassoc_intvl_timer_callback(void *context)
pUsrCtx->sessionId);
}
+void sme_reset_key(tHalHandle mac_handle, uint32_t vdev_id)
+{
+ tpAniSirGlobal mac = PMAC_STRUCT(mac_handle);
+ tCsrRoamSession *session = NULL;
+
+ if (!mac) {
+ sme_err("mac is NULL");
+ return;
+ }
+
+ session = CSR_GET_SESSION(mac, vdev_id);
+ if (!session)
+ return;
+ qdf_mem_zero(&session->psk_pmk, sizeof(session->psk_pmk));
+ session->pmk_len = 0;
+ qdf_mem_zero(&session->eseCckmInfo, sizeof(session->eseCckmInfo));
+}
+
/* Reset the FT context. */
void sme_ft_reset(tHalHandle hHal, uint32_t sessionId)
{
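Review bot: `sme_reset_key()` clears `psk_pmk`, `pmk_len` and `eseCckmInfo`, none of which is the PTK, GTK or IGTK named in the commit title, and neither this definition nor the header comment in sme_ft_api.h says which keys are reset. I would add a kernel-doc block here naming the session fields that are wiped and stating that an invalid session is silently ignored. The `!session` return has no log while the `!mac` one does, so a skipped wipe is invisible; `sme_err("session %u not found", vdev_id);` would match the style above. wma_dev_if.c in this commit guards `iface->key` with `WLAN_FEATURE_11W`; if `psk_pmk` or `eseCckmInfo` are likewise feature-conditional members of `tCsrRoamSession`, these lines need matching `#ifdef`s to build in every configuration.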
diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c
index b67915e81419..211806b3f358 100644
--- a/core/sme/src/csr/csr_api_roam.c
+++ b/core/sme/src/csr/csr_api_roam.c
@@ -4809,6 +4809,23 @@ static QDF_STATUS csr_roam_get_qos_info_from_bss(tpAniSirGlobal pMac,
return status;
}
+static void csr_reset_cfg_privacy(tpAniSirGlobal pMac)
+{
+ uint8_t Key0[WNI_CFG_WEP_DEFAULT_KEY_1_LEN] = {0};
+ uint8_t Key1[WNI_CFG_WEP_DEFAULT_KEY_2_LEN] = {0};
+ uint8_t Key2[WNI_CFG_WEP_DEFAULT_KEY_3_LEN] = {0};
+ uint8_t Key3[WNI_CFG_WEP_DEFAULT_KEY_4_LEN] = {0};
+
+ cfg_set_int(pMac, WNI_CFG_PRIVACY_ENABLED, 0);
+ cfg_set_int(pMac, WNI_CFG_RSN_ENABLED, 0);
+ cfg_set_str(pMac, WNI_CFG_WEP_DEFAULT_KEY_1, Key0, 0);
+ cfg_set_str(pMac, WNI_CFG_WEP_DEFAULT_KEY_2, Key1, 0);
+ cfg_set_str(pMac, WNI_CFG_WEP_DEFAULT_KEY_3, Key2, 0);
+ cfg_set_str(pMac, WNI_CFG_WEP_DEFAULT_KEY_4, Key3, 0);
+ cfg_set_int(pMac, WNI_CFG_WEP_KEY_LENGTH, 0);
+ cfg_set_int(pMac, WNI_CFG_WEP_DEFAULT_KEYID, 0);
+}
+
void csr_set_cfg_privacy(tpAniSirGlobal pMac, tCsrRoamProfile *pProfile,
bool fPrivacy)
{
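Review bot: `csr_reset_cfg_privacy()` passes a length of 0 to every `cfg_set_str()` call, so the zero-filled `Key0`..`Key3` arrays are presumably never copied from. Unless `cfg_set_str()` itself clears the stored bytes when given length 0, the previous WEP key material stays in the cfg store with only its length reset; confirm that, or write the zero buffers at full length first, e.g. `cfg_set_str(pMac, WNI_CFG_WEP_DEFAULT_KEY_1, Key0, sizeof(Key0));`. The return values of `cfg_set_int()` and `cfg_set_str()` are ignored, so a failed reset goes unnoticed. These settings are keyed on `pMac` rather than on a session, and the next hunk calls this from `csr_cleanup_session()` for whichever session is closing, so it is worth confirming that no other active session depends on them.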
@@ -18073,6 +18090,8 @@ void csr_cleanup_session(tpAniSirGlobal pMac, uint32_t sessionId)
/* Clean up FT related data structures */
sme_ft_close(pMac, sessionId);
+ sme_reset_key((tHalHandle)pMac, sessionId);
+ csr_reset_cfg_privacy(pMac);
csr_free_connect_bss_desc(pMac, sessionId);
csr_roam_free_connect_profile(&pSession->connectedProfile);
csr_roam_free_connected_info(pMac, &pSession->connectedInfo);
diff --git a/core/wma/src/wma_dev_if.c b/core/wma/src/wma_dev_if.c
index 27414b79c734..952ac186fb2a 100644
--- a/core/wma/src/wma_dev_if.c
+++ b/core/wma/src/wma_dev_if.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2019 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -1846,6 +1846,17 @@ wma_remove_peer_by_reference(ol_txrx_pdev_handle pdev,
return status;
}
+#ifdef WLAN_FEATURE_11W
+static void wma_clear_iface_key(struct wma_txrx_node *iface)
+{
+ qdf_mem_zero(&iface->key, sizeof(iface->key));
+}
+#else
+static void wma_clear_iface_key(struct wma_txrx_node *iface)
+{
+}
+#endif
+
/**
* wma_vdev_stop_resp_handler() - vdev stop response handler
* @handle: wma handle
@@ -1897,6 +1908,8 @@ int wma_vdev_stop_resp_handler(void *handle, uint8_t *cmd_param_info,
resp_event->vdev_id);
}
+ /* Clear key information */
+ wma_clear_iface_key(iface);
wma_release_wakelock(&iface->vdev_stop_wakelock);
req_msg = wma_find_vdev_req(wma, resp_event->vdev_id,