This function does not get called with in_data == NULL in practice, but
it seems to be at least partly prepared for that case, so better make it
consistent by handling the NULL value throughout the function.
Both the SA and IEs from the received Probe Request frames must be
included and the Probe Request RX callback functions may assume that
these are not NULL.
The change to use wpa_dbg() in wpa_sm_parse_own_wpa_ie() could result
in a NULL pointer dereference if the function were called when WPA
state machine has not been initialized. While this cannot really
happen in practice, it is better to be prepared for that since that
was the case before the wpa_dbg() change.
The size_t value here can be 64-bit and result in implicit sign
extension. In this particular case, that gets masked out by
host_to_be32(), so there is no practical difference, but it is better
to get rid of the 64-bit variable explicitly.
The supportedTypes parameter is a list of TNC_MessageType values
and the buffer to be copied should use size of TNC_MessageType, not
TNC_MessageTypeList. In practice, these are of same length on most
platforms, so this is not a critical issue, but anyway, the correct
type should be used.
This avoids reading past the end of the IE buffer should the FTIE
be too short. In addition, one debug hexdump was using uninitialized
pointer to the FTIE buffer, so fixed it to use the pointer from the
parse data.
AF_INET6 is not always enabled by default, so use AF_INET instead. In
addition, use the old fixed length, 2048, as a failover value if the
sysctl fails for any reason.
Commit 03d3f28a69 broke initialization of
EAPOL authenticator state machines since an error value from
wpa_auth_sta_key_mgmt() (-1) was not handled properly and the fixed
wpa_key_mgmt_wpa_psk() identified the value as a PSK-based AKM because
of all bits being set to 1. The special error value needs to handled
separately to avoid skipping EAPOL state machine initialization.
These can be used in some cases with a bitfield having multiple
AKMs enabled (e.g., WPA-PSK and WPA-PSK-SHA256). Address those
cases by checking whether any of the matching AKM are included.
When the SME is in the driver or cfg80211, the automatic selection
of auth_alg is done by leaving out the NL80211_ATTR_AUTH_TYPE
attribute from the NL80211_CMD_CONNECT command.
This should fix EAPOL reauthentication and rekeying timeout issues
with Intel clients when using WMM (e.g., with IEEE 802.11n). These
stations do not seem to be able to handle EAPOL data frames as
non-QoS Data frames after the initial setup.
This adds STA flags to hapd_send_eapol() driver op to allow
driver_nl80211.c to mark the EAPOL frames as QoS Data frame
when injecting it through the monitor interface.
This provides a means for the supplicant to directly request signal
quality metrics from the driver. This is useful, for example for
background scan algorithms that might ask desire this information
out-of-band with CQM events.
Signed-off-by: Paul Stewart <pstew@google.com>
When building IE from an empty string and CONFIG_WPS_STRICT is
not defined, redundant 2 bytes are being added to the string.
We have to return right after building the "dummy" string.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Some deployed supplicants update their SNonce for every receive
EAPOL-Key message 1/4 even when these messages happen during the
same 4-way handshake. Furthermore, some of these supplicants fail
to use the first SNonce that they sent and derive an incorrect PTK
using another SNonce that does not match with what the authenticator
is using from the first received message 2/4. This results in
failed 4-way handshake whenever the EAPOL-Key 1/4 retransmission
timeout is reached. The timeout for the first retry is fixed to
100 ms in the IEEE 802.11 standard and that seems to be short
enough to make it difficult for some stations to get the response
out before retransmission.
Work around this issue by increasing the initial EAPOL-Key 1/4
timeout by 1000 ms (i.e., total timeout of 1100 ms) if the station
acknowledges reception of the EAPOL-Key frame. If the driver does
not indicate TX status for EAPOL frames, use longer initial
timeout (1000 ms) unconditionally.
Store Manufacturer, Model Name, Model Number, and Serial Number
attributes for P2P peers and expose these through the existing
peer information mechanisms.
Previously, a bug in GKeyDoneStations count would remain in effect
until the authenticator is restarted. Make this more robust by
clearing the station count before each rekeying setup. While this
is not really supposed to be needed, there has been bugs in this
area in the past and it is safer to make the implementation recover
from such an issue automatically.
If the STA to be freed is still included in GKeyDoneStations count,
decrement the count when the STA is freed. This does not happen in
AP mode since there is enough time to go through the authenticator
state machine to clear the STA. However, in the current RSN IBSS
implementation, the authenticator state for the STA is freed in a
way that does not allow the state machine to go through the clearing.
To address this, make sure that wpa_free_sta_sm() decrements the
GKeyDoneStations count if the STA happened to be in the process of
GTK rekeying.
CFLAGS += -DCONFIG_RSN_TESTING in .config and rsn_testing=1 in
hostapd.conf can now be used to enable a testing mode that adds
extensions to RSN element. This can be used to check whether
station implementations are incompatible with future extensions
to the RSN element.
The AP code might, currently only in the case of HT40, defer actual
enabling to after a scan. In this case, the wpa_s AP code gets confused.
Add a callback for it to use and make it use it to finish only when the
setup has actually completed.
With appropriate hacks in place this allows using HT40 in P2P mode.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Make the P2P code keep track of WPS vendor extensions received from
peers so they can be exposed via DBus later.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This adds the ability to add WPS vendor extension attributes in P2P
frames, like GO Negotiation and Probe Response frames.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This adds the ability to add WPS vendor extensions to an AP (or GO).
They will be added to the WSC IE(s) in Beacon and Probe Response frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Instead of converting back and forth from the string representation,
always use the binary representation internally.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Use only the UUID-E to remove active PBC session(s) at the completion of
successful PBC protocol run. This fixes potential issues with Enrollees
that use multiple MAC addresses and as such, can get multiple entries in
the PBC session list.
Add Secondary Device Type List attribute in WSC IE for P2P
Probe Response frames if one or more secondary device types
are configured.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The secondary device type list is an optional attribute in the WSC IE.
Signed-off-by: Jean-Michel Bachot <jean-michelx.bachot@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Currently hostapd will force HT Mixed Mode if at least one non-GF STA is
associated. This will force _all_ HT transmissions to be protected.
802.11n-2009 doesn't require HT Mixed Mode to be used in case of non-GF
STAs but instead the HT information element contains a flag if non-GF
STAs are present. All STAs are required to protect GF transmissions in
that case. Hence, setting HT Mixed mode if non-GF STAs are present is
superfluous.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Use a specific return value, WPS-PBC-OVERLAP, to indicate a reason
for rejecting a wps_pbc command in wpa_supplicant AP mode if the
PBC mode cannot be started due to PBC session overlap having been
detected during monitor time.
This allows the user to complete WPS provisioning using PBC by
selected a specific Enrollee even if there are other Enrollees
in active PBC mode at the same time. The other Enrollees will be
rejected should they try to connect at the same time.
Ignore possible mismatches in the source address of the frame and only
use UUID-E to check whether a Probe Request or M1 is from the same
Enrollee when figuring out whether there is PBC session overlap. This
is needed to avoid potential issues with Enrollee devices that may have
multiple interfaces indicating active PBC state.
If there is already a link the requested peer, request start of
renegotiation instead of completely new link. This seems to be needed
to allow some driver to accept the trigger for a new negotiation.
tdls_testing 0x80 can now be used to request wpa_supplicant to send
a TDLS Setup Request frame (i.e., try to initiate TDLS setup)
whenever a TDLS Setup Request frame has been received from a peer.
Blindly clearing all struct wpa_tdls_peer members is a risky
operation since it could easily clear pointers to allocated
memory, etc. information that really should not be removed.
Instead of hoping that new code gets added here to restore
the important variables, reverse the approach and only clear
structure members one by one when needed.
This allows the same code path to be used for both protected and
unprotected configurations to limit need for duplicated code in
both the driver and wpa_supplicant.
This adds code for validating that the same Key Lifetime is used
throughout TPK handshake and enables TPK lifetime expiration and
renewal/teardown. These part seem to be working, but the actual
handling of TDLS Setup Confirm and renewal are not fully
functional yet.
tdls_testing bits:
bit 3 = use short TPK lifetime (301 seconds)
bit 4 = use wrong TPK lifetime in TDLS Setup Response
bit 5 = use wrong TPK lifetime in TDLS Setup Confirm
These special test cases can be configured at run time with "wpa_cli
tdls_testing <value>" where <value> is an integer (either as a decimal
or as a hex value with 0x prefix) bitmap of special features with
following bits available at this point:
bit 0 = long frame (add dummy subelement to make FTIE very long)
bit 1 = use alternative RSN IE (different RSN capab value and no extra
replay counters)
bit 2 = send incorrect BSSID in Link Identifier of TDLS Setup Request
(e.g., 1 = long FTIE, 2 = different RSN IE, 3 = both of those)
This is disabled by default and can be enabled for the build by
adding the following line to .config:
CFLAGS += -DCONFIG_TDLS_TESTING
This allows driver wrappers to indicate whether the association was
done using Association Request/Response or with Reassociation
Request/Response frames.
CFLAGS += -DCONFIG_VALGRIND can now be used to enable support for
Valgrind client requests to help in removing some non-issues from
Valgrind reports. This is mainly aimed at allowing unknown ioctl
results to be marked as defined data.
If the os_time_t variable used for the expiration time (seconds)
overflows when the registered timeout value is being added,
assume that the event would happen after an infinite time, i.e.,
would not really happen in practice. This fixes issues with
long key timeouts getting converted to immediate expiration due
to the overflow.
os_snprintf() can be a preprocessor macro and according to
C99 (6.10.3 clause 11) the results of having preprocessor directives
inside the macro arguments is undefined.
Build options can now be used to replace the location of client
sockets for UNIX domain socket control interface:
CFLAGS += -DCONFIG_CTRL_IFACE_CLIENT_DIR=\"/tmp\"
CFLAGS += -DCONFIG_CTRL_IFACE_CLIENT_PREFIX=\"wpa_ctrl_\"
The buffer size for routing socket is fixed to 2048.
This patch fix it to obtain the size from OS.
This patch worked on x86 platform with NetBSD 5.0.2.
This allows keystore:// prefix to be used with client_cert and
private_key configuration parameters.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>