It was possible for a Action frame sequence completion to stop an
ongoing offchannel remain-on-channel operation unexpectedly in cases
where TX operation was offloaded to the driver and such an operation
happened to occur during a previously started remain-on-channel (e.g.,
for P2P listen state).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for the previously requested remain-on-channel for P2P
listen state to get canceled before having received driver event
indicating start of that remain-on-channel operation. In such a case,
the event was able to trigger P2P module to start processing listen
timeout even though there was not supposed to be a following listen
operation anymore. Skip the driver event if we are not waiting for a new
listen state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When noise floor measurements are not available, compute SNR
using default values for the noise floor. This helps steer us
towards 5 GHz BSSes in high signal strength environments.
In more detail...
Existing code prefers a 5 GHz BSS when the 5 GHz BSS's signal
strength is "close" to that of the 2.4 GHz BSS, or when both SNRs
are large. However, the mwifiex driver does not provide noise
floor measurements, so we can't compute SNRs.
Because mwifiex doesn't provide NF measurements, the "large SNR"
code wasn't effective. By using default values for the noise floor,
we can again compute SNRs, and decide that the SNR is high enough
that we shouldn't worry about the exact difference in SNR.
The default noise floor values (one for 2.4 GHz, and one for 5 GHz)
were chosen by measurement in a noisy environment, so they should be
conservative.
Note that while this patch is motivated by mwifiex, it affects
ath9k as well. Although ath9k provides noise floor measurements
in general, it will sometimes fail to provide a measurement for
one or more specific channels.
As a result of this patch, we'll always compare BSSes based on SNR
(either measured or estimated), rather than sometimes comparing
based on signal strength. ("Always" assumes that the
WPA_SCAN_LEVEL_DBM flag is set. It is for mwifiex and ath9k.)
While there:
- fix a whitespace issue (spaces -> tab)
- clean up existing comments
- update dump_scan_res to indicate whether the noise floor is
measured, or default
Signed-hostap: mukesh agrawal <quiche@chromium.org>
For wired IEEE 802.1X authentication, phase1="allow_canned_success=1"
can now be used to configure a mode that allows EAP-Success (and
EAP-Failure) without going through authentication step. Some switches
use such sequence when forcing the port to be authorized/unauthorized or
as a fallback option if the authentication server is unreachable. By
default, wpa_supplicant discards such frames to protect against
potential attacks by rogue devices, but this option can be used to
disable that protection for cases where the server/authenticator does
not need to be authenticated.
When enabled, this mode allows EAP-Success/EAP-Failure as an immediate
response to EAPOL-Start (or even without EAPOL-Start) and EAP-Success is
also allowed immediately after EAP-Identity exchange (fallback case for
authenticator not being able to connect to authentication server).
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant used to request user to re-enter username/password if the
server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2)
authentication failed (E=691), but retry is allowed (R=1). This is a
reasonable default behavior, but there may be cases where it is more
convenient to close the authentication session immediately rather than
wait for user to do something.
Add a new "mschapv2_retry=0" option to the phase2 field to allow the
retry behavior to be disabled. This will make wpa_supplicant abort
authentication attempt on E=691 regardless of whether the server allows
retry.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some packages don't install its headers in the default directory
(e.g.: In Arch Linux libiberty and libn13 includes are installed)
in their own subdirectory under /usr/include) and the build fails
trying to find the headers.
This patch will allow passing extra CFLAGS values without discarding
the assignments made in the Makefile. The CFLAGS values in the Makefile
are ignored, if defined directly in the make command line.
Signed-off-by: Roger Zanoni <roger.zanoni@openbossa.org>
Linux kernel commit 576eb62598f10c8c7fd75703fe89010cdcfff596 ('bridge:
respect RFC2863 operational state') from 2012 introduced a regression
for using wpa_supplicant with EAPOL frames and a station interface in a
bridge. Since it does not look like this regression is going to get
fixed any time soon (it is already two years from that commit and over
1.5 from a discussion pointing out the regression), add a workaround in
wpa_supplicant to avoid this issue.
The wpa_supplicant workaround uses a secondary packet socket to capture
all frames (ETH_P_ALL) from the netdev that is in a bridge. This is
needed to avoid the kernel regression. However, this comes at the price
of more CPU load. Some of this is avoided with use of Linux socket
filter, but still, this is less efficient than a packet socket bound to
the specific EAPOL ethertype. The workaround gets disabled
automatically, if the main packet socket interface on the bridge
interface turns out to be working for RX (e.g., due to an old kernel
version being used or a new kernel version having a fix for the
regression). In addition, this workaround is only taken into use for the
special case of running wpa_supplicant with an interface in a bridge.
Signed-off-by: Jouni Malinen <j@w1.fi>
Currently, there is a race in open mesh networks where mesh STA A
receives a beacon from B and sends a peering open frame to initiate
peering. STA B, having not yet received a beacon from A and thus
created the corresponding station entry, will ignore all such open
frames. If the beacon interval is sufficiently long then peering
will not succeed as a result.
In fact B can simply create the station entry when the popen is
received, as is done in Linux's in-kernel MPM, avoiding the issue.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Previously, we would only free the station entry if a peering close
frame was received (freeing the station entry causes the kernel to
start sending peer candidate events again when suitable beacons are
received, triggering peering or authentication to restart).
The end result is the same in any case regardless of close reason:
if we leave holding state then peering has started again, so go
ahead and remove the station in all cases.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
The plink_state exists both wpa_supplicant and kernel. Synchronize them
with wpa_mesh_set_plink_state().
Signed-off-by: Kenzoh Nishikawa <Kenzoh.Nishikawa@jp.sony.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Drop the unneeded 'attempt' argument. This was originally used for
indicating an aborted PMKID caching attempt, but a fix in 2006 removed
the only such user and since that time, only attempt == 1 has been used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use OpenSSL HMAC_* functions to implement HMAC-MD5 instead of depending
on the src/crypto/md5.c implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Connection with a PMF enabled AP will fail if we try to negotiate PMF
while the local driver does not support this. Since pmf=1 does not
require PMF for a successful connection, it can be ignored in such a
case to avoid connectivity issues with invalid configuration. This makes
it somewhat easier to allow upper layer programs to use pmf=1 default
regardless of driver capabilities.
Signed-off-by: Jouni Malinen <j@w1.fi>
This modifies struct wpa_ptk to allow the length of KCK and KEK to be
stored. This is needed to allow longer keys to be used, e.g., with
Suite B 192-bit level.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends GET_CAPABILITY command to allow the supported group
management frame cipher suites to be listed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There are lots of reasons we can fail to match an EAP credential, so add
logging to help determine why it is happening in various cases.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signal strength was sorted lexically rather than numerically, which
put "-100 dBm" before "-50 dBm" if sorted in descending order.
This change fixes that. It also treats frequency in the same
manner, preparing it for the IEEE 802.11ah.
Signed-off-by: Adrian Nowicki <adinowicki@gmail.com>
This new wpa_supplicant configuration parameter can be used to force
passive scanning to be used for most scanning cases at the cost of
increased latency and less reliably scans. This may be of use for both
testing purposes and somewhat increased privacy due to no Probe Request
frames with fixed MAC address being sent out.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ANQP verification/parsing is done only after the GAS_DONE indication
is sent over the control interface. This means that in case the ANQP
parsing fails there is no indication to the upper layers. Add an
ANQP-QUERY-DONE event that reports the status of the ANQP parsing.
Signed-off-by: ASHUTOSH NARAYAN <ashutoshx.narayan@intel.com>
The icon files and the osu-providers.txt that are generated may not have
proper permission for external programs to access. Set the access
permissions to the same as the permissions for osu_dir.
Signed-off-by: ASHUTOSH NARAYAN <ashutoshx.narayan@intel.com>
In wpa_cli_cmd_interface(), try_connection(), and main(), ctrl_ifname
may be NULL and could be dereferenced depending on the printf()
implementation.
Signed-off-by: Eytan Lifshitz <eytan.lifshitz@intel.com>
Stop any ongoing P2P listen/find flow before starting invitation flow.
This was partially handled in p2p_invite() that called p2p_find(), but
this did not cleanly handle cases such as long_listen.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
A control interface call to flush the current state used the
current wpa_s to clear the P2P state even though it might not
be the interface controlling the P2P state.
Fix it by using the correct interface to flush the P2P state.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Publish support for Tx STBC in the HT capabilities of a GO and AP
controlled by wpa_supplicant in case the hardware supports it.
Signed-off-by: Eyal Shapira <eyalx.shapira@intel.com>
external_scan_running should be common to all interfaces that share a
radio. This fixes a case where external_scan_running was set on a single
interface, but did not block scan on other interfaces.
Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
Clear the reattach flags, in case a connection request did not trigger a
scan. This needs to be done to avoid leaving the reattach flag set for
the next scan operation which may not have anything to do with the
specific request that could have been optimized using the single-channel
single-SSID scan.
Signed-off-by: Ben <ben.rosenfeld@intel.com>
Use interface's own NFC configuration instead of parent's one
to support a P2P device dedicated interface.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
The length should be 14 and not 10.
The current situation causes failure during parsing of the command.
Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
This restores some of the pre-radio work behavior for scanning by
retrying scan trigger if the driver rejects it (most likely returning
EBUSY in case of nl80211-drivers). Retry is indicated in the
CTRL-EVENT-SCAN-FAILED event with "retry=1".
For manual scans (e.g., triggered through "SCAN" control interface
command), no additional retries are performed. In other words, if upper
layers want to retry, they can do so based on the CTRL-EVENT-SCAN-FAILED
event.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
For CONFIG_TESTING_OPTIONS=y builds, add a new test parameter than can
be used to trigger various error cases within wpa_supplicant operations
to make it easier to test error path processing. "SET test_failure
<val>" is used to set which operation fails. For now, 0 = no failures
and 1 = scan trigger fails with EBUSY. More operations can be added in
the future to extend coverage.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Current mesh code uses ap_max_inactivity as inactivity timer. This patch
makes it configurable.
There is another mesh inactivity timer in mac80211. The timer works even
if user_mpm=1. So this patch sets the max value to the timer for
workaround.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
It is easier to debug issues related to the wpa_supplicant control
interfaces being left behind in attached state when the debug log file
can be used to determine whether a specific monitor socket was a global
or per-interface one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 17b8995cf5 ('Interworking: Try to
use same BSS entry for storing GAS results') added a mechanism to try to
pair GAS request and response to a single BSS entry to cover cases where
multiple BSS entries may exists for the same BSSID. However, that commit
did not cover the Hotspot 2.0 ANQP elements. Extend this mechanism to
all ANQP elements. This can help in cases where information in the
Hotspot 2.0 specific ANQP elements got lost if a hidden SSID or some
other reason of duplicated BSS entries was present while doing ANQP
fetches.
Signed-off-by: Jouni Malinen <j@w1.fi>
Move the wpa_bss_flush() call to the end of the function to allow any
pending user of a BSS entry to be cleared before removing the unused
entries. There were number of cases where BSS entries could have been
left in the list and this resulted in some hwsim test failures.
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be helpful in figuring out why the driver was requested to
flush its scan results prior to starting a new scan.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for interworking_find_network_match() to find a possible
BSS match in a case where more thorough checks in
wpa_supplicant_select_bss() reject network. This itself is fine, in
general, but when combined with wpa_supplicant_fast_associate()
optimization and auto_interworking=1, this resulted in a busy loop of up
to five seconds and a possible stack overflow due to recursion in that
loop.
Fix this by limiting the Interworking wpa_supplicant_fast_associate()
call to be used only once per scan iteration, so that new scan
operations can be completed before going through the scan results again.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reduce maximum stack use by starting next ANQP fetch operation from an
eloop callback rather than calling interworking_next_anqp_fetch()
directly from interworking_start_fetch_anqp(). This avoids issues that
could potentially make the process run out of stack if long loops of
ANQP operations are executed in cases where automatic Interworking
network selection is used and scan results do not have a full match for
a network.
Signed-off-by: Jouni Malinen <j@w1.fi>
For Interworking connection to work, the SSID of the selected BSS needs
to be known to be able to associate with the AP. It was possible for the
scan results to include two BSS entries matching the BSSID when an
earlier scan with that AP has shown a hidden SSID configuration (e.g.,
when running hwsim test cases, but at least in theory, this could happen
with real use cases as well). When that happened, the incorrect BSS
entry may not have included RSN configuration and as such, it would get
rejected for Interworking connection.
Fix this by confirming that the selected BSS entry has a real SSID. If
not, try to find another BSS entry matching the same BSSID and use that,
if found with an SSID.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.
Signed-off-by: Jouni Malinen <j@w1.fi>
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com
Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes D-Bus network profile Set(Properties) clear cached EAP data
similarly to how SET_NETWORK does for control interface.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.
The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and and the driver supports mesh.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and and the driver supports SAE.
Signed-off-by: Jouni Malinen <j@w1.fi>
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.
Signed-off-by: Jouni Malinen <j@w1.fi>
At least MinGW did not have ENOTCONN, EOPNOTSUPP, ECANCELED, so define
these to allow the build to go through.
wpas_rrm_send_neighbor_rep_request() is not really used on Windows, so
the exact error code values do not make any difference here.
Signed-off-by: Jouni Malinen <j@w1.fi>
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.
Signed-off-by: Jouni Malinen <j@w1.fi>
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.
Signed-off-by: Jouni Malinen <j@w1.fi>
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).
This change expands the data structures used by MAC lists to include a
mask indicating the significant (non-masked) portions of an address and
extends the list parser to recognize mask suffixes.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.
This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
This change generalizes the code used for parsing the configuration
option 'p2p_client_list' and makes it suitable to use it in other
contexts.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
There should not be a mesh-specific mechanism for setting up channel
parameters since that will just result in duplicated code. IBSS, mesh,
and AP mode can use the same data structures and parameters for setting
up such parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
Automatically enable HT20, HT40+, HT40-, or VHT, based on driver
capabilities. This obsoletes the mesh_ht_mode network block parameter
that was previously used to configure HT parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add WPA_DRIVER_FLAGS_HT_IBSS driver feature flag. Some drivers could not
set this feature and next could fail when we will enable HT support for
IBSS with error message: nl80211: Join IBSS failed: ret=-22 (Invalid
argument).
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
When performing SAE authentication in mesh, one station may
initiate authentication by sending a COMMIT as soon as a peer
candidate is discovered. Previously we did this in mesh_rsn.c,
but this left some of the state initialization in a different
part of the code from the rest of the state machine, and we may
need to add other initializations here in the future, so move
that to a more central function.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Try to be a bit more consistent by using NoMemory instead of InvalidArgs
if os_strdup() fails in the CreateInterface handler.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for the interface not to be marked in INTERFACE_DISABLED
state in case the event was processed for P2P GO because the wpa_s
instance could have been removed in case of a separate group interface.
Change the state first to avoid leaving different state for the case
where separate group interface is not used.
Mark scan to be a normal scan on INTERFACE_ENABLED so that scanning
rules (e.g., skip scan if no networks enabled) get used consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is a race condition between receiving an AP stopped event and
netdev down event. These resulted in different group removal reasons on
a GO device (UNAVAILABLE for stop AP event coming first and REQUESTED
for netdev event first). Make this more consistent by reporting
UNAVAILABLE for both possible cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new control interface command TEST_ALLOC_FAIL and GET_ALLOC_FAIL can
now be used to trigger memory allocation failures for testing purposes.
TEST_ALLOC_FAIL sets a failure conditions with
<count>:func[;func][;func]... string and GET_ALLOC_FAIL returns the
current state using the same format. Whenever an allocation is made with
a matching backtrace of calling functions, the count is decremented by
one and once zero is reached, the allocation is forced to fail.
Function names can be prefixed with either '=' or '?' to get different
matching behavior. '=' requires this specific function to be the next
one in the backtrace (i.e., do not skip any other functions in the list
which is the default behavior). '?' allows the function to be optionally
present in the backtrace.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible for this function to get called even if D-Bus
registration had failed, so the path can be NULL here.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible for this function to be called even if D-Bus interface
registration has failed. Avoid a D-Bus assert in such a case.
Signed-off-by: Jouni Malinen <j@w1.fi>
entry->strarray_value was left to point to freed memory in case
os_realloc_array() failed. This resulted in the following
wpa_dbus_dict_entry_clear() trying to free an already freed memory area.
In addition, the separately allocated strings in the array would have
been leaked in such a case. Furthermore, wpa_dbus_dict_entry_clear() was
not prepared for the possibility of the initial os_calloc() call failing
and entry->strarray_value being NULL without array_len being cleared to
zero. That would have resulted in reading uninitialized memory and NULL
pointer dereference.
Signed-off-by: Jouni Malinen <j@w1.fi>
entry->bytearray_value was left to point to freed memory in case
os_realloc_array() failed. This resulted in the following
wpa_dbus_dict_entry_clear() trying to free an already freed memory area.
Signed-off-by: Jouni Malinen <j@w1.fi>
add_interface() did not check for os_strdup() return value and could end
up dereferencing a NULL pointer if memory allocation failed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The error reply needs to be sent out as a response. The "out" label was
in incorrect place to allow that to happen; instead, it ended up leaking
memory for the generated reply message.
Signed-off-by: Jouni Malinen <j@w1.fi>
If setSmartcardModules() fails to allocate memory with os_strdup(), the
allocated items in the dict entry were not freed.
Signed-off-by: Jouni Malinen <j@w1.fi>
This moves the AES-SIV test case from tests/test-aes.c to be part of
wpa_supplicant module testing framework with a new
src/crypto/crypto_module_tests.c component. In addition, the second test
vector from RFC 5297 is also included for additional coverage.
Signed-off-by: Jouni Malinen <j@w1.fi>
1. Supported MAC address randomization for scan.
2. Supported MAC address randomization for scheduled scan.
2. Supported MAC address randomization for pno.
4. Add functions to set and clear the MAC address randomization
state variables.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
For the start operation, this includes appropriate parameters for
specifying channel and peer information. The cancel operation includes
peer information.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
The supplicant code does not try to control the actual channel of the
radio at any point. It simply passes the target peer and channel
parameters to the driver. It's the driver's responsibility to
periodically initiate TDLS channel-switch operations when TDLS
channel-switching is enabled.
Allow enable/disable operations to be invoked via the control interface.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
The specification requires the tspecs to be kept upon reassociation to
the same BSS. Save the last tspecs before such reassociation, and
reconfigure on the association notification.
Note that the current flow is not transparent to the user
(it is notified about deauth/reassoc and tspec removal/addition).
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Some APs add their custom (vendor-specific) IEs to the Association
Response frame. Fail WMM AC initialization only if Association Response
frame IE parsing actually failed, i.e., ignore all unknown IEs.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
In case of roaming, we don't get disassoc notification, but
still want to remove the existing tspecs.
Move the wmm_ac_notify_disassoc() call to the state change
function, which get called also on roaming.
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
Previously, role="enrollee" was required to be used to allow the AP mode
WPS operation to be started. This is incorrect since the AP/GO will
operate in Registrar role. Fix this by ignoring the role parameter when
AP (including P2P GO) mode is enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Start of station-mode WPS PBC/PIN/Registrar/NFC operation would result
in the AP mode getting disabled. This can be particularly confusing for
the P2P GO case where the group would need to be stopped cleanly. As
such, it is better to reject these invalid operations rather than trying
to handle all corner cases needed to allow this to work robustly.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to limit this property based on the role of the device
in the group, so return the passphrase if it is available. It will be
available in GO role and it may be available in P2P Client role based on
whether the peer GO provided it during the WPS provisioning step.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was returning a byte array of the pointer to the PSK, not the
actual PSK, due to incorrect use of
wpas_dbus_simple_array_property_getter(). In addition, there is no need
to limit this property based on the role of the device in the group, so
return the PSK if it is available (which it will be for both GO and P2P
Client roles).
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to have separate wpa_printf() and different error
message strings for the unlikely out-of-error messages. Use a helper
function, wpas_dbus_error_no_memory(), to get consistent behavior with a
one-line call.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 6aeeb6fa21 ('dbus: clean up new
D-Bus interface getters and setters') redesigned the property
getter/setter calls in a way that made the
wpas_dbus_error_unknown_error() note about message being NULL in some
cases obsolete. All the remaining callers are from method handler
functions that must have a valid message. Remove the obsolete notes and
unnecessary messsage == NULL check.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to have multiple separate return statements for error
cases in a sequence of operations. In addition, there is not much point
in "converting" boolean return values with "if (!res) return FALSE;
return TRUE;" style constructions.
Signed-off-by: Jouni Malinen <j@w1.fi>
net_id_str can be NULL and that must be checked for to avoid NULL
pointer dereference if an invalid persistent_group_object path is used
with these methods.
Signed-off-by: Jouni Malinen <j@w1.fi>
None of the new D-Bus interface cases use the bssid_part in
decompose_object_path (while the old interface ones do). As such, this
is dead code and can be removed. In addition, the P2P addition here was
pretty ugly extension. Replace these with a cleaner way of passing the
separating string (e.g., "Networks") from the caller and returning the
requested item.
In addition, there is no need to allocate the returned item separately,
so use a single allocation and a pointer to that allocated memory. This
will make it easier for callers to have to free only a single
allocation. This is also fixing a memory leak in P2P invitation
persistent group case where the caller had missed the need to free the
returned values.
Signed-off-by: Jouni Malinen <j@w1.fi>
This helper function does not modify peer_path, so mark it const. In
addition, there is no point in callers to check separately whether
peer_path is NULL since that is taken care of by this helper function.
Signed-off-by: Jouni Malinen <j@w1.fi>
This cannot be NULL when an interface is in use. There is not much point
in couple of functions checking this while large number of other places
do not.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds the message signature to the new D-Bus interface message
handler and similar prints to the old interface messages handlers.
Signed-off-by: Jouni Malinen <j@w1.fi>
eloop_is_timeout_registered() was called with incorrect context argument
which meant that the pending timeout would have never been found.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant_deauthenticate() call needs to happen before
wpa_config_remove_network(). Freed memory could be dereferenced if
removeNetwork method was issued on the currently connected network.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like both gcc and clang optimize the (entry.type != foo ||
entry.array_type != bar) in a way that ends up evaluating the second
condition even when the first one results in 0. While this is not really
what the C language requirements on short-circuit evaluation require,
the compiler likely assumes this can have no side effects and with both
type and array_type being comparable in a single 64-bit operation, this
can clearly be a bit more efficient. While the code behaves same in both
cases, valgrind does warn about use of uninitialized memory when the
second condition is evaluated (entry.array_type is not initialized if
entry.type != DBUS_TYPE_ARRAY).
To keep valgrind logs cleaner, initialize entry.array_type to
DBUS_TYPE_INVALID so that these compiler optimizations do not result in
reading uninitialized memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
The logic in wpas_dbus_signal_p2p_provision_discovery() seemed to imply
that there could be a case where _signal would be used uninitized. While
that is not the case since either (request || !status) or (!request &&
status) would always be true, some compilers do not seem to be clever
enough to figure that out to avoid the warning. Make this easier for
such compilers by removing the (!request && status) condition since it
is identical to !(request || !status).
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 911e97e400 ('DBus: Refactor array
adding, add binary arrays') introduced WPAS_DBUS_TYPE_BINARRAY as an
internal fake type for array_type. However, it selected this value to be
(DBUS_NUMBER_OF_TYPES + 100) = 116 = 't'. This happens to conflict with
DBUS_TYPE_UINT64 ((int) 't'). While none of the existing array_type use
cases supported UINT64, it is much clearer if WPAS_DBUS_TYPE_BINARRAY
has a value that does not match any existing DBUS_TYPE_* value. Replace
this with '@' (64).
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to allow Set(P2PDeviceConfig) to clear the
VendorExtension array (i.e., to remove all configured vendor
extensions). Previously, such an attempt was met with a D-Bus assert and
rejection of the operation.
Signed-off-by: Jouni Malinen <j@w1.fi>
The wps_vendor_ext array can be set using D-Bus Set(P2PDeviceConfig)
with the VendorExtension key in the dictionary. However, there was no
code for freeing the allocated memory when the interface is removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The ServiceDiscoveryRequest signal uses int32 for encoding dialog_token
for some reason (even though this is a u8 field).
ServiceDiscoveryResponse is supposed to accept the values from the
signal as-is, so extend that to accept int32 in addition to the
previously used uint32.
Signed-off-by: Jouni Malinen <j@w1.fi>
The earlier implementation seemed to require a strange extra
encapsulation with a dictionary for setting the WPSVendorExtensions
property while this was defined to have aay signature and the get
operation did indeed return and array of array of bytes without that
dictionary. Fix this to accept aay format for the setter as well. Keep
support for the old dictionary encapsulation format for backwards
compatibility.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible to add WPS vendor extensions through the D-Bus
WPSVendorExtensions setter, but these extensions were not freed when the
P2P GO was stopped or when replacing previously configured extensions.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to keep temporary keys in memory beyond the end of the
association, so explicitly clear any SAE buffers that can contain keys
as soon as such keys are not needed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, the main PSK entry was cleared explicitly, but psk_list
could include PSKs for some P2P use cases, so clear it as well when
freeing config_ssid instances.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to leave this temporary key in stack memory after
having been configured to the WPA state machine.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to leave the PSK from temporary Credential structure
that was built in stack after that Credential has been passed to the WPS
module.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is more of a theoretical case since this part is done only during
setup and the structure is not allocated in practice. Anyway,
maintaining more consistent use of bin_clear_free() for structures that
may contain keys is useful.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was already verified to be non-NULL above and there is no point in
having an extra check after the pointer has already been dereferenced.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpas_dbus_decompose_object_path() may leave the network part NULL on
unexpected path. This resulted in NULL pointer dereference when
processing an invalid removeNetwork or selectNetwork call. Fix this by
explicitly verifying that the network part was included in the object
path.
Signed-off-by: Jouni Malinen <j@w1.fi>
The "Invalid blob name" string was not shown since the zero-length name
was used regardless of first verifying that it should not be allowed.
Signed-off-by: Jouni Malinen <j@w1.fi>
External WPS Registrar operation requires the BSSID to be specified, so
the old D-Bus interface better apply that requirement as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible for the persistent group object to be added and removed
by non-D-Bus triggers (e.g., ctrl_iface commands). The add part was
already handled, but removal was not. That resulted in memory leaks when
a P2P persistent group was removed without using an explicit D-Bus
command for this even if the object was added without D-Bus involvement.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpas_dbus_simple_property_getter() cannot be used with NULL
DBUS_TYPE_STRING, so replace that with an empty string to handle the
case of no config_methods parameter in the configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible for the peer to be a non-P2P device and as such, for
p2p_dev_addr to be NULL. This resulted in NULL pointer dereference if
D-Bus interface was enabled for the interface when a legacy STA joined a
group.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for old scan state to remain from a previous test case
when an operation like WNM neighbor scan or another-BSS-in-ESS was
started, but stopped at the end of a test case. This could result in
failures, e.g., when running wnm_bss_tm_req followed by scan_setband.
Signed-off-by: Jouni Malinen <j@w1.fi>
This converts most of the remaining perror() and printf() calls from
hostapd and wpa_supplicant to use wpa_printf().
Signed-off-by: Jouni Malinen <j@w1.fi>
struct wpa_driver_associate_params moved to using struct
hostapd_freq_params instead of just frequency. Need to update wpa_priv
to do same.
Signed-off-by: Jouni Malinen <j@w1.fi>
Even if the UUID would have a mismatch, e.g., due to no UUID known for
the target in a new WPS PBC instance, do not indicate PBC session
overlap if the BSSID is same in the two entries. This should not really
happen in normal use cases, but can happen at least in some test
scenarios where the same BSSID is used in consecutive test cases and the
old BSS entry remains in cfg80211 cache.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is a possible race condition between receiving the
NEW_PEER_CANDIDATE event and the Authentication frame from the peer.
Previously, if the Authentication frame RX event was indicated first,
that frame got dropped silently. Now, this frame is still dropped, but a
copy of it is stored and the frame gets processed on the following
NEW_PEER_CANDIDATE event if that is received for the same peer within
two seconds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Include only the potentially affected channel range in OBSS scans to
reduce the amount of offchannel time needed for scanning when requested
by the AP.
Signed-off-by: Jouni Malinen <j@w1.fi>
ap_ft_sae test case managed to hit a somewhat unclear error case which
resulted in "WPA: Failed to select WPA/RSN" print and not enough
information to figure out what exactly had went wrong.
Signed-off-by: Jouni Malinen <j@w1.fi>
Maximum number of peer links is maximum number of connecting mesh peers
at the same time. This value is 0..255 based on the
dot11MeshNumberOfPeerings range.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Unexpected trailing zero causes following error.
wpa_supplicant.sgml:472:53:E: character data is not allowed here
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This helps hwsim test cases by avoiding undesired state from previously
executed test cases affecting following tests.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit faf9a8585d added mechanism for
selecting 2.4 or 5 GHz band for scan operation. However, no mechanism
for setting the setband value was added at that time. This commit adds a
new SET ctrl_iface parameter to allow the setband functionality to be
used. "SET setband <AUTO/5G/2G>" can be used to select all bands, 5 GHz
band only, or 2.4 GHz band only.
Signed-off-by: Jouni Malinen <j@w1.fi>
Android framework maintains a state to process the scan results after
the scan is issued. If wpa_supplicant issues the scan during the
initialization, the one issued by the framework may fail (with EBUSY) if
the host driver is already processing the scan. Thus, the scan results
returned for the first scan triggered by wpa_supplicant are not
processed for getting displayed resulting in delay for the display of
the first scan results after the Wi-Fi subsystem initialization. Thus,
trigger the scan only based on the framework request on Android.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
FAIL-BUSY was already returned for the case where a scan had been
started, but with the radio work design, it would have been possible to
schedule multiple scan requests if a non-scan radio work was in
progress. Multiple back-to-back scans are not usually very helpful, so
reject this type of cases where the SCAN command would be used to build
such a sequence.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
On receiving the cancel remain on channel event, the pending_tx
is scheduled immediately and returned. This was preventing
the wpas_p2p_listen_start function from execution thereby resulting
in termination of the long listen operation.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
The manual scan operations with the SCAN command are supposed to have
independent set of scan frequencies, so do not allow scan_freq
parameters to override scanned frequencies for scans that were triggered
with a SCAN command.
Signed-off-by: Jouni Malinen <j@w1.fi>
The mesh gate is used to bridge (or route) between mesh network and
another network. For example, mesh gate acts as router between mesh
network and IEEE 802.11 BSS network.
This command makes a virtual mesh interface to be used for mesh gate.
This command expects to be used like this.
wpa_cli -i wlan0 MESH_INTERFACE_ADD ifname=mesh0
wpa_cli -i mesh0 add_network
wpa_cli -i mesh0 set_network 0 ssid '"commell_2X_mmm"'
wpa_cli -i mesh0 set_network 0 mode 5
wpa_cli -i mesh0 set_network 0 frequency 2412
wpa_cli -i mesh0 set_network 0 key_mgmt SAE
wpa_cli -i mesh0 set_network 0 psk '"01234567"'
wpa_cli -i mesh0 mesh_group_add 0
wpa_cli -i wlan0 mesh_group_remove mesh0
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Since mesh functionality uses struct hostapd_data to maintain peer
state, the existing STA* control interface commands can be used to
display information about the peers.
Signed-off-by: Jouni Malinen <j@w1.fi>
Option '-p' of 'read' command may be unsupported in some POSIX-complete
shells. So replace 'read -p' with 'echo -n'/'read' pair.
Signed-off-by: Oleksandr Chumachenko <ledest@gmail.com>
If tray icon messages are perceived as disturbing, one can pass `-q`
parameter on the command line to disable them permanently.
Signed-off-by: Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
Show associated network SSID in the tool tip message of the
application's tray icon. When network is not associated, then simple
"(not-associated)" message is shown.
Signed-off-by: Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
Instead of just stopping connection process and network discovery,
report SAE failures to build Authentication frames (e.g., due to missing
password) as a connection failure to get the normal retry mechanism into
use.
Signed-off-by: Jouni Malinen <j@w1.fi>
Both the wpa_s->pending_action_src and src argument to
wpas_get_tx_interface() were used somewhat randomly. Make this more
consistent since these values are pointing to the same address and the
implementation is easier to understand when it is obvious that there is
only one address being used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This function could not fail and it can be replaced with a single
line variable update that takes less code than the function call.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_bss_flush*() cannot fail and as such, there is no need for
wpa_supplicant_ctrl_iface_bss_flush() to return a value either.
Signed-off-by: Jouni Malinen <j@w1.fi>
This function cannot return negative value, so no need to check for
that. If there is not enough room in the buffer or if something
unexpected happens, 0 is returned.
Signed-off-by: Jouni Malinen <j@w1.fi>
Update the scan parameters in wpa_s only in case the scan command is
going to be executed. In other words, do not change the parameters for
an ongoing scan (the SCAN command is rejected with FAIL-BUSY) or if any
of the parameters is invalid.
Signed-off-by: Jouni Malinen <j@w1.fi>
The send_eapol() callback was used by driver_test.c, but with that
removed, there is no remaining users of the alternative EAPOL frame
transmitting mechanism in wpa_supplicant, i.e., all remaining driver
interfaces use l2_packet instead. Remove the send_eapol() to get rid of
unused code.
Signed-off-by: Jouni Malinen <j@w1.fi>
The space following the BSSID was not skipped properly if the following
parameter started with the "hs20:" prefix. For other cases, atoi() ended
up ignoring the space, but it is cleaner to skip it anyway for all
cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, any P2P capable interface was skipped in cross connection
uplink consideration. However, this ends up skipping more or less all
nl80211-based driver cases now since they mark the main interface P2P
capable. Relax this rule to allow the parent interface to be used as the
non-P2P station interface for cross connection purposes.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to get into more consistent state after the FLUSH
command. DISCONNECT followed by FLUSH could result in
wpa_s->disconnected being left to 1 and this resulted in a test failure,
e.g., when running wpas_ctrl_dup_network followed by
wpas_ctrl_enable_disable_network where the latter was expecting
ENABLE_NETWORK on a disabled network to connect automatically and that
does not happen if wpa_s->disconnected == 1.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While these are using practically large enoungh buffer sizes, it is
better to be more consistent with checking os_snprintf() return value.
Signed-off-by: Jouni Malinen <j@w1.fi>
This converts os_snprintf() result validation cases to use
os_snprintf_error() for cases that were note covered by spatch and
semantic patches.
Signed-off-by: Jouni Malinen <j@w1.fi>
This converts os_snprintf() result validation cases to use
os_snprintf_error() in cases where success condition was used to execute
a step. These changes were done automatically with spatch using the
following semantic patch:
@@
expression E1,E2,E3;
statement S1;
@@
E1 = os_snprintf(E2, E3, ...);
- if (\( E1 >= 0 \| E1 > 0 \) && \( (size_t) E1 < E3 \| E1 < (int) E3 \| E1 < E3 \))
+ if (!os_snprintf_error(E3, E1))
S1
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds verification of os_snprintf() result against the maximum
buffer length. These changes were done automatically with spatch
using the following semantic patch:
@@
expression E1,E2,E3;
statement S1;
@@
E1 = os_snprintf(E2, E3, ...);
- if (\( E1 < 0 \| E1 <= 0 \))
+ if (os_snprintf_error(E3, E1))
(
S1
|
{ ... }
)
Signed-off-by: Jouni Malinen <j@w1.fi>
This pointer cannot be NULL sicne it is called only from this file and
with a valid pointer to the received command.
Signed-off-by: Jouni Malinen <j@w1.fi>
'num * 5 > end - pos' handles bounds checking a bit more efficiently,
but apparently that is not clear enough for all static analyzers.
Replace with 'num > left / 5' to avoid false reports. (CID 68117)
Signed-off-by: Jouni Malinen <j@w1.fi>
This reduced number of unnecessarily duplicated driver interface
callback functions for sending Action frames by using the more generic
send_action() instead of FT specific send_ft_action().
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the previously used WFD_SUBELEM_SET/GET <subelem id> design
to allow special "all" value to be used as an id to indicate that all
WFD subelements are to be set/get. This uses similar interface as was
previously added over D-Bus.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no point in flooding the log with WARNING or ERROR level
messages if WMM-AC related Action frames are ignored in cases where they
were not expected. In addition, WARNING/ERROR should not really be used
in cases an invalid frame is dropped especially if this is not related
to a security setup since external devices could otherwise generate log
entries.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous version was somewhat too complex for some static analyzers.
Use local variables for the extracted length fields and explicitly
compare these against the remaining buffer length. (CID 68121)
Signed-off-by: Jouni Malinen <j@w1.fi>
Derive rRK and rIK on EAP peer if ERP is enabled. The new wpa_supplicant
network configuration parameter erp=1 can now be used to configure the
EAP peer to derive EMSK, rRK, and rIK at the successful completion of an
EAP authentication method. This functionality is not included in the
default build and can be enabled with CONFIG_ERP=y.
If EAP authenticator indicates support for re-authentication protocol,
initiate this with EAP-Initiate/Re-auth and complete protocol when
receiving EAP-Finish/Re-auth.
Signed-off-by: Jouni Malinen <j@w1.fi>
This change creates 'LIST_NETWORK LAST_ID=x' form to allow
retrieval of all networks saved in the system. Without this form,
only first few (whatever fills in first 4096 bytes) can be
retrieved.
Signed-off-by: Vinit Deshpande <vinitd@google.com>
wpa_bss_in_use() used to determine that a BSS with BSSID of
00:00:00:00:00:00 is in use in almost every case since either
wpa_s->bssid or wpa_s->pending_bssid was likely to be cleared. This
could result in a corner case of a BSS entry remaining in the BSS table
indefinitely if one was added there with a (likely bogus) address of
00:00:00:00:00:00. Fix this by ignore wpa_s->bssid and
wpa_s->pending_bssid if the BSSID in the BSS table entry is
00:00:00:00:00:00.
In theory, that address is a valid BSSID, but it is unlikely to be used
in any production AP, so the potential expiration of a BSS entry with
that address during a connection attempt would not be a concern
(especially when a new scan would be enough to recover from that).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Externally triggered scan could result in a new radio work item getting
started even when external radio work was in progress. Delay such start
until the external work is completed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for the current network profile to be deleted when
merging duplicated WPS credentials. However, this did not clear
wpa_s->current_ssid and it was possible for something else to end up
dereferencing that pointer to now freed memory. This could be hit, e.g.,
with ap_wps_mixed_cred. Fix this by clearing current_ssid also in this
code path similarly to other cases of network block getting removed.
Signed-off-by: Jouni Malinen <j@w1.fi>
The mesh group addition was designed to use wpa_s->connect_without_scan
to skip a scan. That path was skipped if wpa_supplicant_fast_associate()
allowed previous scan results to be used. This could result in undesired
double-initialization attempt for the mesh interface. Avoid this by not
using wpa_supplicant_fast_associate() when wpa_s->connect_without_scan
is set.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible that these location ended up getting called before mesh
startup operations had been completed and that could result in
dereferencing NULL pointers. Address those error cases by verifying that
the needed parameters are available before using them.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for auth/assoc timeout/failure event from the driver to
result in unexpected processing during mesh group setup if that
operation was started before the previously started driver operation to
association/connect had completed. Since those events cannot happen in
mesh cases, ignore them to avoid issues due to this corner case.
For example, monitor_iface_unknown_sta followed by wpas_mesh_secure test
case resulted in failure without this change.
Signed-off-by: Jouni Malinen <j@w1.fi>
An earlier check of the action_field value above the switch statement
already took care of all other possible cases, but that was apparently
too difficult for the compiler to notice. Bring back the default case to
avoid incorrect warnings about the event variable being maybe
uninitialized.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new wpa_supplicant control interface command can be used in
automated testing to verify how AP processes Data frames with arbitrary
contents. This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
There is no need for this state to maintained when the wpa_supplicant
FLUSH ctrl_iface command is used to request flushing of all state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for wmm_ac_deinit() not getting called when an interface
was removed in a sequence where disassociation was not reported and
wmm_ac_notify_disassoc() did not get called. This resulted in leaking
whatever memory was allocated for WMM AC parameters. Fix that by calling
wmm_ac_notify_disassoc() from wpa_supplicant_cleanup().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to fix some sequencies where a real scan in ap_scan=2
case would be issued even when the connection case would expect direct
connection without a scan.
This fixed an issue shown in hwsim test case autoscan_exponential
followed by ibss_open_fixed_bssid.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to allow proper Action frame transmission to work without
having to claim these to be offchannel operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
On Android, the control socket being used may be the socket that is
created when wpa_supplicant is started as a /init.*.rc service. Such a
socket is maintained as a key-value pair in Android's environment.
Closing this control socket would leave wpa_supplicant in a bad state.
When wpa_supplicant re-opens the ctrl_iface socket, it will query the
Android's environment, and will be returned with the same socket
descriptor that has already been closed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The country code from the current AP needs to be used in
ieee80211_chan_to_freq() to support cases where non-global operating
class table is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous version was valid, but apparently too complex for some
static analyzers. Use a local variable for uri_len and explicitly
compare it against the remaining buffer length. (CID 68121)
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous version was fine, but too much for some static analyzers to
understand as proper bounds checking. (CID 68122)
Signed-off-by: Jouni Malinen <j@w1.fi>
The upper bound for the element length was already verified, but that
was not apparently noticed by a static analyzer (CID 68128).
Signed-off-by: Jouni Malinen <j@w1.fi>
Send link measurement response when a request is received. Advertise
only RCPI, computing it from the RSSI of the request. The TX power field
is left to be filled by the driver. All other fields are not published.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Allow supplying an SSID for the SSID IE. If not supplied, no SSID IE is
sent, and the request implies the current SSID.
Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
Add NEIGHBOR_REP_REQUEST command to the wpa_supplicant ctrl_iface.
This command triggers the sending of a Neighbor Report Request to the
associated AP.
Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
Add the ability to send a Neighbor Report Request (part of
RRM). Requester is then notified once the report arrives.
Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
In case the AP we are associating with advertises support for RRM,
advertise our own RRM support in the (Re)Association Request frame. This
is done by adding an RRM Capabilities IE. The underlying driver is
expected to further add a Power Capabilities IE to the request, and set
the Radio Measurement flag in the Capability Info field. At this point
the RRM Capabilities IE advertises no measurement support.
Signed-off-by: Assaf Krauss <assaf.krauss@intel.com>
If the last scans are recent (for now, less than ten seconds old), use
them instead of triggering a new scan when a BSS Transition Management
Request frame is received. As a fallback, allow a new scan to be
triggered if no matches were found.
Signed-off-by: Jouni Malinen <j@w1.fi>
When the list of preferred transition candidates is received, use the
identified channels to optimize the following scan so that no time is
wasted on other channels.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previously cached candidate list needs to be free properly through a
call to wnm_deallocate_memory() to ensure all subelements gets freed.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows an AP to steer us to another BSS within the ESS even if that
results in reduced signal strength as long as the signal strength with
the target BSS is expected to provide some connectivity.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to use a separately allocated data structures for this.
A bitfield indicating which information is present and variables within
struct neighbor_report are simpler to use and more efficient.
Signed-off-by: Jouni Malinen <j@w1.fi>
Switch the stop and sending DelTS to avoid sending data packets
for the session after the DelTS, which is otherwise possible.
This also helps the mac80211 implementation as it requires stopping the
traffic flow before sending the DelTS as it may modify the AC parameters
for the affected queue, and that may in turn affect management frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This wmm_ac_status command will show the current status for WMM AC.
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
wmm_ac_addts command will add (or update) a traffic stream and
wmm_ac_delts command will delete an existing traffic stream.
Each of the above commands will call its corresponding
ctrl_iface command.
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
Add the TSPEC to the driver on successful TSPEC ADDTS response. Delete
the TSPEC when receiving DELTS action.
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
Add basic implementation for ADDTS and DELTS sending
functions.
wpas_wmm_ac_addts() will send ADDTS request public action,
containing TSPEC (traffic stream specification) with
the given params.
wpas_wmm_ac_delts() will look for the saved tspec with
the given tid, and send DELTS public action for it.
(Handling of ADDTS response and actually configuring the admission
control params will be added in following patches.)
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
Add add_tx_ts() and del_tx_ts() ops to notify the driver about
TSPEC add / delete.
Additionally, add wmm_ac_supported flag to indicate
whether the driver supports WMM AC.
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
Initialize WMM AC data structures upon successful association
with an AP that publishes WMM support, and deinitialize the data
structure when the association is no longer valid.
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
This patch makes four MIB variables for plink configurable and sets the
correct default values based on IEEE Std 802.11s-2011.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Android 4.4 uses "BSS" command instead of "SCAN_RESULT" command.
So this patch add the mesh scan result for BSS command.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
STAs that have different BSSBasicRateSet cannot connect to each other
as per IEEE 802.11s-2011 9.6.0c1:
"A mesh STA shall not establish a mesh peering with a mesh STA using a
different BSSBasicRateSet."
Make BSSBasicRateSet configurable to improve interoperability with other
stations.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Parse MESH_GROUP_ADD/REMOVE commands on ctrl interface and call
wpa_supplicant routines. These commands are used to start or
join and leave a mesh network.
The mesh id is given in the configuration file, therefore there is
no need to scan before joining a mesh network. We reuse the
connect_without_scan construct used by P2P for that same purpose.
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Javier Lopez <jlopex@gmail.com>
mesh_ht_mode default value is CHAN_UNDEFINED.
So previous code set 11N capability even though 11N is not used.
Signed-off-by: Natsuki Itaya <Natsuki.Itaya@jp.sony.com>
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Add a new option "mesh_ht_mode" that specifies the HT mode for the
mesh, with this option on, mesh beacons, actions frames, and probe
responses with include the appropriate HT information elements.
[original implementation by Chun-Yeow Yeoh <yeohchunyeow@gmail.com>]
[some fixes by Masashi Honma <masashi.honma@gmail.com>]
Signed-off-by: Ashok Nagarajan <ashok.dragon@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Add timer to do SAE re-authentication with number of tries defined
by MESH_AUTH_RETRY and timeout defined by MESH_AUTH_TIMEOUT.
Ignoring the sending of reply message on "SAE confirm before commit"
to avoid "ping-pong" issues with other mesh nodes. This is obvious when
number of mesh nodes in MBSS reaching 6.
Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
New kernels in wiphy_suspend() will call cfg80211_leave_all() that will
eventually end up in cfg80211_stop_ap() unless wowlan_triggers were set.
For now, use the parameters from the station mode as-is. It may be
desirable to extend (or constraint) this in the future for specific AP
mode needs.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
The new AKM uses a different mechanism of deriving the PMKID based on
KCK instead of PMK. hostapd was already doing this after the KCK had
been derived, but wpa_supplicant functionality needs to be moved from
processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds definitions for the 128-bit level Suite B AKM 00-0F-AC:11. The
functionality itself is not yet complete, i.e., this commit only
includes parts to negotiate the new AKM.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed since the SCAN command with radio work returns before the
actual driver operation to trigger a scan has been executed and as such,
cannot return result of that operation.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Number of documentation and configuration files had references to the
madwifi driver interface that was removed in the previous commit. Remove
these references as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
This helps window managers treat the window properly. Mostly tiling WMs
are affected by this. All other windows inherit this option from QDialog
already.
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
If p2p_stop_find is issued after the p2p_scan request is triggered to
the host driver, the obtained scan results are also considered to update
the P2P peer entries. This is not always desired behavior, i.e., it can
be clearer if no P2P-DEVICE-FOUND events are generated based of that
final pending scan.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
With the radio work interface in place, station interface SCAN command
was not scheduled (i.e., it got continously delayed with "Delay station
mode scan while P2P operation is in progress") when a p2p_find was
operational. Fix this be delaying station mode scan only when a P2P
operation is in progress, but not in search state.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
With the radio work interface, the actual request to start p2p_scan
operation is scheduled from a radio work and hence the initial return
value cannot provide the real result of the driver operation to trigger
a scan. Introduce a new notification API to indicate the scan trigger
status based on which the p2p_scan_running instance can be set using the
real return value from the driver operation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In theory, wpas_p2p_disconnect_safely() could have dereferenced the
wpa_s == NULL argument, but in practice, it won't due to the
calling_wpa_s == wpa_s check and wpas_p2p_disconnect() accepting NULL.
Anyway, it is cleaner to add an explicit check for this. (CID 74492)
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible for scan result processing or BSS entry removal to occur
while there is a pending connect or sme-connect radio work with a
previously selected BSS entry. The BSS pointer was previously verified
to be valid, i.e., still point to a BSS entry, at the time the actual
connection operation is started. However, that BSS entry could have
changed to point to another BSS if the old BSS entry was either removed
or reallocated and a new BSS entry was added at the same location in
memory. This could result in the connection attempt failing to configure
parameters properly due to different BSS information (e.g., different
BSSID).
Fix this by updated the pending connect radio work data on BSS entry
updates similarly to how the last_scan_res array was updated. If the
selected BSS entry is removed, this will still result in a failed
connection, but reallocated BSS entry is now followed properly and used
when the connection work starts.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit fixes couple of connection failure paths where
wpas_connect_work_done() was not called, thus enabling the radio work
interface to proceed with the other queued actions.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 22628eca34 ('Support driver-based
BSS selection in ap_scan=1 mode') ended up disabling the special
ap_scan=2 WPS case where ap_scan=1 like scan followed by association is
used to find the WPS AP using wildcard SSID. Fix this by allowing
association request even with wpas_driver_bss_selection() when searching
for a WPS AP.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
In case of a P2P management device being present, it will be up to that
interface to handle P2P requests.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Such interface is not registered on DBus, thus there is no need to raise
any signal from it.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
DBus client should always request the proper netdev interface. This will
be necessary to get a consistent behavior whatever driver is in use:
iwlwifi (which requires a P2P mgmt dev), ath9/10k (which does not),
etc...
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
This will be useful to hand-off P2P commands from the parent interface
to its dedicated P2P device if that one is present, in DBus interface.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Save the group common frequencies when starting a GO due to
an invitation signaling requesting to re-invoke a persistent GO.
To do so, move the code that handles the translation of p2p_channels to
frequency list into a public function so it can be re-used both when GO
Negotiation is done and invitation signaling is done.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Once a P2P GO interface is configured, save the group common
frequencies, as this can be useful later for channel selection
considerations during channel switch, etc.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Use the 'no_ir' notation instead of the 'passive scan' and
'no_ibss' notations to match the earlier change in nl80211.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The extra_roc_dur parameter can now be used in CONFIG_TESTING_OPTIONS=y
builds to simulate driver behavior where the ROC duration gets increased
without user space request.
Signed-off-by: Jouni Malinen <j@w1.fi>
When GC receives invitation response and tries to re-establish
connection to a persistent group channels from passive list should
be allowed. A missing check for operation mode triggered reselection
of operating channel from active channels only to happen and thus fail
the connect attempt.
Add a check for operation mode and if GC instead use negotiated
frequency (i.e. GO operating channel from invitation response).
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
When mesh is configured in, include the wildcard mesh id so that mesh
networks are returned.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Abele <jason.abele@gmail.com>
Add no_auto_peer parameter, which controls wheter a station will
automatically initiate peering to another mesh peer that comes into
range.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
Modify network mode to support mode number 5 when CONFIG_MESH is
enabled.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
The mesh peering manager establishes and maintains links among
mesh peers, tracking each peer link via a finite state machine.
This implementation supports open mesh peerings.
[assorted fixes from Yu Niiro <yu.niiro@gmail.com>]
[more fixes from Masashi Honma <masashi.honma@gmail.com>]
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Ashok Nagarajan <ashok.dragon@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-hostap: Bob Copeland <me@bobcopeland.com>
Add user_mpm config parameter, when this is set to 1 (the default) the
peer link management is done on userspace, otherwise the peer management
will be done by the kernel.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
Add routines to (de)initialize mesh interface data structures and
join and leave mesh networks.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
These key management options were missing from the previous set of
parsed information in scan results.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Abele <jason.abele@gmail.com>
Add smps_modes field, and let the driver fill it with its supported SMPS
modes (static/dynamic). This will let us start an AP with specific SMPS
mode (e.g., dynamic) that will allow it to reduce its power usage.
Signed-off-by: Eliad Peller <eliad@wizery.com>
This commit introduces a QCA vendor command and event to provide an
option to use extended versions of the nl80211 connect/roam operations
in a way that allows drivers to offload key management operations to the
driver/firmware.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 1595eb93ae ('P2P: Add support for
60 GHz social channel') had an unintended change to how P2P search scans
2.4 GHz social channels. Use of p2p_supported_freq() to filter the list
of social channels ended up using the disallow_freq setting to remove
social channels from the P2P search scans. This is not desired since
peers need to be found on any of the social channels even if those
channels have been disabled from P2P operating channel use. Restore the
previous behavior by included all the 2.4 GHz social channels in P2P
search scans if the driver indicated support for the 2.4 GHz band.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new "bss_load_update_period" parameter can be used to configure
hostapd to advertise its BSS Load element in Beacon and Probe Response
frames. This parameter is in the units of BUs (Beacon Units).
When enabled, the STA Count and the Channel Utilization value will be
updated periodically in the BSS Load element. The AAC is set to 0 sinze
explicit admission control is not supported. Channel Utilization is
calculated based on the channel survey information from the driver and
as such, requires a driver that supports providing that information for
the current operating channel.
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
This moves the addition of P2P Device interface into
wpa_supplicant_add_iface() so that this operation can be done
dynamically when adding an interface to an already running
wpa_supplicant process.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to allow dynamic removal of an interface that adds the
P2P Device interface without leaving behind the management interface
with invalid wpa_s->parent pointer.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is now possible to run hwsim_test like data connectivity test through
wpa_supplicant/hostapd control interface if CONFIG_TESTING_OPTIONS=y is
used for the build. Test functionality is enabled/disabled at runtime
with "DATA_TEST_CONFIG <1/0>". The "DATA_TEST_TX <dst> <src> <tos>"
command can be used to request a test frame to be transmitted.
"DATA-TEST-RX <dst> <src>" event is generated when the test frame is
received.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was forgotten when the key_mgmt parser for SAE and FT-SAE was
added.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Thomas Pedersen <thomas@noack.us>
Create init_mesh, mesh_join, and mesh_leave actions to kernel.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Convert the driver flags variable to u64 since there was no room for
more flags.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Add an implementation of Synthetic Initialization Vector (SIV)
Authenticated Encryption Using the Advanced Encryption Standard (AES).
This mode of AES is used to protect peering frames when using
the authenticated mesh peering exchange.
Signed-off-by: Javier Lopez <jlopex@gmail.com>
Signed-off-by: Jason Mobarak <x@jason.mobarak.name>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
It was possible to issue the P2P_GROUP_REMOVE command through the
per-interface control interface. This resulted in freed memory getting
accessed when trying to send the control interface response to the
operation that ended up deleting the group interface. Fix this by
postponing the removal operation until the caller has returned.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes wpa_supplicant SME create PMKSA cache entries from SAE
authentication and try to use PMKSA caching if an entry is found for the
AP. If the AP rejects the attempt, fall back to SAE authentication is
used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Increase EAPOL startWhen to 2 for the case where the AP/GO has
advertised it supports WPS 2.0. This is done to make it less likely for
the EAPOL-Start frame to be sent out since that is only required for WPS
1.0. Not sending it can remove one unnecessary round trip from the EAP
exchange when the AP is going to start with EAP-Request/Identity
immediately based on the Association Request frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 152cff6ba6 ('P2P: Remove
WPA_DRIVER_FLAGS_P2P_MGMT option') removed the only non-zero return from
wpas_p2p_stop_find_oper(), but did not remove the useless return value
or the return check in wpas_p2p_stop_find(). Clean these up by removing
unreachable code and useless return value.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
This is needed for number of items and it was possible to make a build
configuration that did not include ieee802_11_common.c while still
trying to use functions from there. While it would be possible to add
NEED_80211_COMMON=y to all the cases where this file is needed, the
extra complexity from this is not really justifiable anymore, so include
the file unconditionally.
Signed-off-by: Jouni Malinen <j@w1.fi>
The MACsec addition placed one of the calls outside the #ifdef
IEEE802X_EAPOL block while the variable needed for this was defined only
within the block.
Signed-off-by: Jouni Malinen <j@w1.fi>
This information can be used to determine whether the event is generated
for a new peer that was added or due to an update in the information for
an existing peer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled for TLS-based EAP methods when
OpenSSL is used as the TLS library. This parameter can be used both as a
global parameter to set the default for all network blocks and as a
network block parameter to override the default for each network
profile.
Signed-off-by: Jouni Malinen <j@w1.fi>
Mark the variable as unsigned and make the length check use "len > end -
pos" version to makes this easier to understand for static analyzers
(CID 74155).
Signed-off-by: Jouni Malinen <j@w1.fi>
len + pos > end comparison here did verify that the length field had a
valid value, but that did not seem to enough to avoid TAINTED_SCALAR
warning. Re-order that validation step to be equivalent "len > end -
pos" to remove these false positives (CID 68116).
Signed-off-by: Jouni Malinen <j@w1.fi>
The driver_test.c driver wrapper (-Dtest in wpa_supplicant and
driver=test in hostapd) was previously used for testing without real
Wi-Fi hardware. mac80211_hwsim-based tests have practically replaced all
these needs and there has been no improvements or use for driver_test.c
in a long while. Because of this, there has not really been any effort
to maintain this older test tool and no justification to change this
either. Remove the obsoleted test mechanism to clean up the repository.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, wpas_set_wowlan_triggers() could have been called in
uninitialized wpa_driver_capa data if the driver interface did not
support reporting of capabilities. While this would not really happen
with a driver wrapper that implements set_wowlan() and as such, would
not cause any difference in practice, it is better to clean this up to
make the code path easier to understand for static analyzers.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new ext_eapol_frame_io parameter can be used to configure hostapd
and wpa_supplicant to use control interface for receiving and
transmitting EAPOL frames. This makes it easier to implement automated
test cases for protocol testing. This functionality is included only in
CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
A P2P Client may be able to connect to the GO even if the WPS
provisioning step has not terminated cleanly (e.g., P2P Client does not
send WSC_Done). Such group formation attempt missed the event
notification about started group on the GO and also did not set the
internal state corresponding to the successful group formation.
This commit addresses the missing part by completing GO side group
formation on a successful first data connection if WPS does not complete
cleanly. Also, this commit reorders the STA authorization indications to
ensure that the group formation success notification is given prior to
the first STA connection to handle such scenarios.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, this variable did not necessarily get cleared between group
formations and could result in some of the workaround operations from
not being executed after the first group formation when using the same
interface for all P2P groups. Fix this by clearing the variable whenever
starting the GO to make sure it is used consistently for each group
formation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for local deauthentication request to leave sme-connect
radio work running even when there was no ongoing effort to complete the
connection anymore. Clean this up by marking sme-connect radio work
item, if any, done when clearing connection state after such
disconnection during connection.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for group formation timeout to be the trigger for
detecting the second PSK/4-way handshake failure. If that happened, the
special reason=PSK_FAILURE was not used in the P2P-GROUP-REMOVED event
even though P2P-PERSISTENT-PSK-FAIL did get reported. Fix this special
case by replacing the reason code with PSK_FAILURE if the PSK failure
timeout gets registed as part of the disconnection processing in the
formation timeout handler.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 86bd36f0d5 ("Add generic
mechanism for adding vendor elements into frames") has a minor bug
where it miscalculates the length of memory to move using
os_memmove. If multiple vendor elements are specified then this can
lead to out of bounds memory accesses.
This patch fixes this by calculating the correct length of remaining
data to shift down in the information element.
Signed-off-by: Toby Gray <toby.gray@realvnc.com>
Use hostapd_freq_params instead of simple frequency parameter for driver
commands. This is preparation for IBSS configuration to allow use of
HT/VHT in IBSS.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Previously, the case of non-netdev P2P management device ended up
pulling in both the main interface (e.g., wlan0) and P2P Device
interface (from command line -m argument) as configuration. Similarly,
the main interface ended up included both configuration files. This is
not really helpful for various use cases, e.g., when permanent P2P group
information is stored in the P2P Devince interface, but it gets
duplicated in the main station interface configuration.
Clean this up by changing the -m<file> argument to replace, not
concatenate, configuration information. In other words, the main station
interface will not read this configuration and the P2P Device interface
(non-netdev) does not read parameters from the station interface
configuration file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Relying on qos qosinfo is not enough, as it can be 0 for WMM enabled
peers that don't support U-APSD. Further, some peers don't even contain
this IE (Google Nexus 5), but do contain the WMM IE during setup.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Some drivers need to know the initiator of a TDLS connection in order
to generate a correct TDLS mgmt packet. It is used to determine
the link identifier IE. Pass this information to the driver.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
mac_addr=2 and preassoc_mac_addr=2 parameters can now be used to
configure random MAC address to be generated by maintaining the OUI part
of the permanent MAC address (but with locally administered bit set to
1). Other than that, these values result in similar behavior with
mac_addr=1 and preassoc_mac_addr=1, respectively.
Signed-off-by: Jouni Malinen <j@w1.fi>
Support 60 GHz band in P2P module by selecting random social channel
from all supported social channels in 2.4 GHz and 60 GHz bands.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This permits to set or unset the WiFi Display subelements from DBus, by
providing the full WFD specific IE frame.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
If "STA_AUTOCONNECT 0" has been used to disable automatic connection on
disconnection event and the driver indicates multiple disconnection
events for the disconnection from the current AP when WPS is started, it
could have been possible to hit a case where wpa_s->disconnected was set
to 1 during WPS processing and the following scan result processing
would stop the operation.
wpa_s->key_mgmt == WPA_KEY_MGMT_WPS check was trying to avoid to skip
autoconnect when WPS was in use, but that does not seem to work anymore.
Fix this by checking through wpas_wps_searching() as well to avoid
setting wpa_s->disconnect = 1 when there is an ongoing WPS operation.
Signed-off-by: Jouni Malinen <j@w1.fi>
This check is already being done on wpas_p2p_deinit_iface.
Of course, it is assumed wpa_s is not deinit when reaches
that point as a matter of fact.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
As P2P service are not necessarily attached to a iface, when
added, proceed with same approach on p2p global deinit. Such
approach solves memory leaks ocurring upon wpa_supplicant
termination, when p2p services were registered previously.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
This adds experimental support for wpa_supplicant to assign random local
MAC addresses for both pre-association cases (scan, GAS/ANQP) and for
connections. MAC address policy for each part can be controlled
separately and the connection part can be set per network block.
This requires support from the driver to allow local MAC address to be
changed if random address policy is enabled. It should also be noted
that number of drivers would not support concurrent operations (e.g.,
P2P and station association) with random addresses in use for one or
both.
This functionality can be controlled with the global configuration
parameters mac_addr and preassoc_mac_addr which set the default MAC
address policies for connections and pre-association operations (scan
and GAS/ANQP while not connected). The global rand_addr_lifetime
parameter can be used to set the lifetime of a random MAC address in
seconds (default: 60 seconds). This is used to avoid unnecessarily
frequent MAC address changes since those are likely to result in driver
clearing most of its state. It should be noted that the random MAC
address does not expire during an ESS connection, i.e., this lifetime is
only for the case where the device is disconnected.
The mac_addr parameter can also be set in the network blocks to define
different behavior per network. For example, the global mac_addr=1 and
preassoc_mac_addr=1 settings and mac_addr=0 in a home network profile
would result in behavior where all scanning is performed using a random
MAC address while connections to new networks (e.g.,
Interworking/Hotspot 2.0) would use random address and connections to
the home network would use the permanent MAC address.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends "wpa_cli -a<action script>" functionality to work with the
global wpa_supplicant control interface. The IFNAME=<ifname> prefix is
removed from the event messages and converted to the control interface
name when present. Previously, action scripts could only be used with
the per-interface control interfaces.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Number of other buffers were already increased to this size, but the
buffer used for receiving unsolicited event messages from wpa_supplicant
(e.g., for wpa_cli action scripts) was still at the older 256 byte size.
This could result in some events getting truncated. Avoid this by using
the same 4096 byte buffer size here as in the other places receiving
messages from wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ifname_prefix string could change during line editing and the
periodic PING command running in the background ended up getting the
latest snapshot of the command line due to the pointer being left to
point to the edit buffer. This resulted in unexpected prefix strings
getting used with the periodic PING command. Fix this by temporarily
clearing the ifname_prefix whenever running such a periodic PING.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The commit 5cd4740580 has rearranged the
update scan results code and hence the IEs were not getting updated
properly for ap_scan=1 case. This can result in a 4-way handshake
failure in the roaming case (IE mismatch in 3/4 EAPOL). Fix this by
updating the scan results even if ap_scan=1 is used and network does not
need to get reselected based on association information.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
It also allows to use the STATUS command with default behavior,
say for debug, i.e., don't generate a "fake" CONNECTION and
SUPPLICANT_STATE_CHANGE events with the new STATUS-NO_EVENTS case.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
In theory, this call could fail, so check the return value before using
the received data. These specific cases would not really care much about
the failures, but this keeps the code more consistent and keeps static
analyzer warnings more useful. (CID 72678, CID 72679, CID 72680,
CID 72683, CID 72689, CID 72698, CID 72703)
Signed-off-by: Jouni Malinen <j@w1.fi>
The network block bssid parameter can be used to force a specific BSS to
be used for a connection. It is also possible to modify this parameter
during an association. Previously, that did not result in any
notification to the driver which was somewhat problematic with drivers
that take care of BSS selection. Add a new mechanism to allow
wpa_supplicant to provide a driver update if the bssid parameter change
for the current connection modifies roaming policy (roaming
allowed/disallowed within ESS).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
An interoperability issue with a deployed AP has been identified where
the connection fails due to that AP failing to operate correctly if
PMKID is included in the Association Request frame. To work around this,
allow EAPOL-Start packet to be transmitted on startWhen reaching 0 even
when trying to use PMKSA caching. In practice, this allows fallback to
full EAP authentication if the AP/Authenticator takes more than 1-2
seconds to initiate 4-way handshake for PMKSA caching or full EAP
authentication if there was no PMKSA cache match.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the shorter startWhen value was used based on build
parameters (i.e., if WPS was enabled). This is not really ideal and the
knowledge of WPS use can be provided to the EAPOL state machine to allow
this (and similar WPS workarounds) to be done only when the association
is for the purpose of WPS.
Reduce the default startWhen value from 3 to 2 seconds for non-WPS case
since WPS builds have likely received most testing for the past years
with the 1 second value and there is no strong justification for forcing
the longer 3 second wait should a frame be lost or something else
require the EAPOL-Start to initiate operation after a connection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Currently to signal PropertiesChanged upon group client
removal (group property), wpa_supplicant dbus uses wpa_s
members like go_dev_addr and current_ssid, for instance.
Thus, deferring p2p client deauth to after dbus notify,
but keeping the same order as before, solves the issue,
as wpa_s is not yet completely deinitialized.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
"Age" is the age in seconds since the BSS was last seen, and is
emitted as a PropertyChanged signal whenever the BSS is updated
from a scan result. It also returns the correct age when queried
directly.
This property can be used to resolve issues where, if no other
properties of the BSS changed from scan results (for example,
if the BSS always had 100% signal) no D-Bus signals would be
emitted to indicate that the BSS had just been seen in the scan.
Signed-hostap: Dan Williams <dcbw@redhat.com>
While building Association Request frame IEs we should consider adding
P2P IEs only on interface where P2P functionality is enabled. Consider
per interface p2p_disabled parameter before adding P2P IEs to complete
the checks for this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some deployed APs send two credentials when in mixed-WPA/WPA2
configuration; one for the WPA-Personal/TKIP and the other for
WPA2-Personal/CCMP. Previously, this would result in two network blocks
getting added for the single AP. This can be somewhat confusing and
unnecessary, so merge such credentials into a single one that allows
both WPA and WPA2 to be used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the P2P Interface Address of the peer gets updated in the
peer table every time based on the scan results.
For example, in a two port concurrency scenario, where the peer device
has two interfaces with unique P2P Interface Addresses and with same P2P
Device Address, based on the Probe Response/Beacon frames from these two
interfaces, their peer table gets updated, but each of these updates
happens in the peer table only based on the P2P Device Address. So, the
same peer's P2P Interface address is updated every time and hence, at
any instant, only one P2P Device Address to P2P Interface Address
mapping entry exist in the peer table for the peer which has two
interfaces.
When we try to join a group operated by the peer, lookup happens in the
peer table and when an interface entry is not available, the pending
interface address gets overwritten with the P2P Device Address and hence
the P2P connection can fail. Since the BSS table is the one that is
up-to-date, this fix will ensure that the interface overwriting will
happen only when there is no BSS entry for the pending P2P Interface
Address as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Global freq_list scan filtar was taken into account only by
req_scan and not by req_sched_scan. We want to allow the user
to limit the channels that wpa_supplicant will scan in req_sched_scan
requests as well.
Signed-off-by: Bojan Prtvar <bojan.prtvar@rt-rk.com>
Before fixing this issue, calling wpas_dbus_getter_p2p_device_config
was causing early termination of dbus connection, due to writing
values to an already closed dict.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
In order to find a GO interface, there has to be a
comparison among two SSIDs, instead of a wpa_ssid and
a ssid.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
First for better concistancy but also to tell about the group_object
that is getting removed, thus the client will know about it and will be
able to act accordingly.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
When p2p_cancel is invoked while the GO Negotiation Action TX was
pending, the p2p_send_action_work was not getting cleared.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
The parameter wowlan_triggers is a global string and is not recognised
if it is embraced with double-quotes.
Signed-off-by: Philippe Nunes <philippe.nunes@linux.intel.com>
The PAME-BI bit in the Advertisement Protocol element is reserved for
non-AP STA, so this function will never set that bit to one and as such,
there is not much point in maintaining the placeholder dead code for
this either. (CID 68107)
Signed-off-by: Jouni Malinen <j@w1.fi>
The PSK/passphrase are needed for the control interface events since the
upper layer UI component is required by the specification to be able to
make this available for manual configuration. However, this is not
needed in the INFO verbosity level debug entry, so split the event
generation into two parts.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to change the event message message for indication
when P2P group has stated and removes some duplicated code.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows external programs to use vendor specific information from
P2P peers without wpa_supplicant having to be able to parse and
understand all such vendor specific elements.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds following new control interface commands to allow arbitrary
vendor elements to be added into number of frames:
VENDOR_ELEM_ADD <frame id> <hexdump of elem(s)>
VENDOR_ELEM_GET <frame id>
VENDOR_ELEM_REMOVE <frame id> <hexdump of elem(s)>
VENDOR_ELEM_REMOVE <frame id> *
The following frames are supported in this commit (additional frames can
be added in the future):
0 = Probe Request frame in P2P device discovery
1 = Probe Response frame from P2P Device role
2 = Probe Response frame from P2P GO
3 = Beacon frame from P2P GO
4 = PD Req
5 = PD Resp
6 = GO Neg Req
7 = GO Neg Resp
8 = GO Neg Conf
9 = Invitation Request
10 = Invitation Response
11 = P2P Association Request
12 = P2P Association Response
One or more vendor element can be added/removed with the commands. The
hexdump of the element(s) needs to contain the full element (id, len,
payload) and the buffer needs to pass IE parsing requirements to be
accepted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, offloaded scanning (PNO) on Android was including SSIDs from
all enabled networks regardless of the scan_ssid parameter which
resulted in different behavior for the offloaded case when comparing to
wpa_supplicant initiated scans.
Use the sched_scan match filter to allow broadcast SSID to be used for
scan_ssid=1 networks also with PNO to avoid running active scans for
SSIDs that have not been explicitly marked as requiring an SSID-specific
scan. This reduces exposure of configured network names on the device
when running offloaded scans while the host device is in sleep.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This would not really be needed since these functions check the pointer
above. However, this seems to be too difficult for some static analyzer,
so add the extra check to avoid false reports.
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be used to configure a Hotspot 2.0 Release 2 network externally
for a case where wpa_supplicant-based Interworking network selection is
not used and the update_identifier cannot be copied directly from a
cred.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Incorrect field was used to determine the init=<value> in the regulatory
domain changed control interface event.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new "scan_id=<comma separated list of network ids>" parameter can
now be used to specify a list of network ids that have scan_ssid=1 to
indicate active scanning of the SSID. This adds the listed SSIDs to the
scan command to allow manual scan requests to perform active scans for
hidden SSIDs. For example, "SCAN scan_id=1,7,11" would run a scan with
the SSID fetched from the configured network blocks 1, 7, and 11
(assuming those are set with scan_ssid=1). The SSIDs will be included
even from network blocks that are currently disabled.
The maximum number of SSIDs added to the request is limited by the
driver support. If more than supported values are specified, the command
will fail (returns "FAIL").
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use an explicit memset call to clear any wpa_supplicant configuration
parameter that contains private information like keys or identity. This
brings in an additional layer of protection by reducing the length of
time this type of private data is kept in memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
build_root_nai() will not be extended to write something after the
domain, so there is no need to update the pos pointer after the final
os_snprintf() call in the function. Remove this to make a static
analyzer happier.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is not really necessary check, but it keeps a static analyzer
happier by avoiding dead increment. Doing it this way rather than
removing the increment is less likely to cause problems when new entries
are added here in the future (the "dead" increment would be very much
needed in those cases).
Signed-off-by: Jouni Malinen <j@w1.fi>
The pointer to the current position is enough to figure out whether the
proto string is the first one in the buffer. Removing the separate
tracking variable cleans up a static analyzer warning on dead
assignment.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds an explicit limit for the maximum Wi-Fi Display subelement
length for ASCII hexdump. This would not really be needed since the
buffer is already limited by maximum frame length. Anyway, since this
can make static analyzers happier and the subelement used with this
function is short, we may as well include an explicit check.
Signed-off-by: Jouni Malinen <j@w1.fi>
While the buffer is expected to be large enough for all the IEs, it is
better to check for this explicitly when adding the HS 2.0 Indication
element. (CID 68601)
Signed-off-by: Jouni Malinen <j@w1.fi>
The previously used design was a bit too complex for static analyzers
(e.g., CID 68131, CID 68133) to understand which resulted in false
warnings about uninitialized memory. Avoid this by explicitly
initializing the pointer array to NULL and also skipping any invalid
NULL entry in the helper function.
Signed-off-by: Jouni Malinen <j@w1.fi>
GroupMember is unusable in itself and all the necessary informations are
stored in Peer objects, thus replace the use of GroupMember by Peer.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
If only the Peer is part of one or more group, this property will tell
those via listing their object paths.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
This will be useful for a peer to know if it is part of a group either
as a client of our local GO or as the peer GO.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Commit e9852462d5 ('eapol_test: Add PC/SC
reader and PIN command line arguments') did not add break to the switch
statement for the new -R command line option.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Previously, eight character random passphrase was generated
automatically for P2P GO. The new p2p_passphrase_len parameter can be
used to increase this length to generate a stronger passphrase for cases
where practicality of manual configuration of legacy devices is not a
concern.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new command line arguments -R<reader> and -P<PIN> can now be used to
specify which PC/SC reader (prefix match) and PIN are to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to trigger new SA Query procedure to check the state of
the connection immediately after having performed such a check. Limit
the impact of burst of unprotected Deauth/Disassoc frames by starting a
new SA Query procedure only once at least 10 seconds has passed from the
previous SA Query that was triggered by reception of an unprotected
disconnection. The first SA Query procedure for each association does
not follow this rule to avoid issues with test cases that expect to see
an SA Query every time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
"TDLS_TEARDOWN *" can now be used to tear down the direct links to all
TDLS peers. This is useful for debugging purposes.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
If a link is unreachable, the specification mandates we should send a
teardown packet via the AP with a specific teardown reason. Force this
by first disabling the link and only then sending the teardown packet
for the LOW_ACK event.
Rename the TDLS LOW_ACK event handler to better reflect its purpose.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
This removes number of unnecessary #ifdef CONFIG_P2P blocks from generic
code by hiding the conditional build into p2p_supplicant.h with empty
inline functions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Performing a P2P Device flow such as p2p_listen or
p2p_find, can degrade the performance of an active interface
connection, if the listen frequency is different than the
frequency used by that interface.
To reduce the effect of P2P Device flows on other interfaces,
try changing the listen channel of the P2P Device to match the
operating channel of one of the other active interfaces. This change
will be possible only in case that the listen channel is not forced
externally, and will be delayed to a point where the P2P Device
state machine is idle.
The optimization can be configured in the configuration file and
is disabled by default.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In case there is no preference for the GO operating channel,
try using one of 1, 6, 11 (randomly), and only if the random
selection is not suitable traverse all the channels 1..11.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Remove the seperation between getting the local interface frequency and
other interfaces frequencies since going over all the radio interfaces
includes the local interface.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When the number of frequencies supported by the kernel is bigger than
one, and there is a need to pick a frequency for a new flow such as P2P
GO Negotiation or P2P Invitation, the flow should be able to pick the
best frequency among all the frequencies currently used by the device.
In order to prioritize between the currently used frequencies, add
the ability to collect additional data about each used frequency
(if the frequency is used by a station interface or P2P Client)
and when needed select the best frequency, where:
1. Infrastructure interfaces have highest priority
2. P2P Client interfaces have higher priority over AP/GO
interfaces.
The rational is that the frequency of an AP/GO can change while
that of a station interface cannot.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Remove the check for get_radio_name support from
get_shared_radio_freqs_data() since get_radio_name is no longer in use
in this function.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Most of these calls are checked to return success and there is no reason
why these wouldn't, so be more consistent. This addresses CID 62841,
CID 62840, CID 62839, CID 62838, CID 62837, CID 62836.
Signed-off-by: Jouni Malinen <j@w1.fi>
If this chmod() call fails, the global control interface is allowed to
be used since there was no change to its group. Anyway, it can be
helpful to note the error case in debug log instead of silently ignoring
it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit b125c48fce ('P2P: Add wfd_dev_info=
field for device found event') added Wi-Fi Display device info to the
P2P-DEVICE-FOUND events. However, it did not include proper bounds
checking in wifi_display_subelem_hex() and could accept subelements with
invalid length field values. This could result in buffer read overflow
of up to 64 kB and inclusion of heap memory in the local control
interface event and/or process crash due to invalid memory access. Fix
this by checking the validity of the length field before writing a
hexdump of the data.
Signed-off-by: Jouni Malinen <j@w1.fi>
The vendor_ext[i] = NULL setting did not make any sense since
num_vendor_ext should have been used to index the vendor_ext array. The
old code did not do any harm since i >= num_vendor_ext and none of the
already set entries could have been cleared. Anyway, better clean this
by making it skip the setting to NULL similarly to what was already done
in the P2P peer vendor ext getter.
Signed-off-by: Jouni Malinen <j@w1.fi>
The OSEN code path hardcodes number of struct wpa_ie_data items.
However, it did not clear the full structure and some uninitialized
fields could have been used (e.g., ie.mgmt_group_cipher for a debug
print and ie.capabilities for checking MFPC). Fix this by clearing the
ie data before filling in the hardcoded OSEN values.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
There were couple of missing breaks in switch-default (before/after).
While these did not have any noticeable issues due to falling over to
the next step that just exited from the switch statement, it is cleaner
and more robust to have each case use an explicit break.
Signed-off-by: Jouni Malinen <j@w1.fi>
The tmpentry variable was not initialized and
_wpa_dbus_dict_entry_get_byte_array() does not set tmpentry.type, so it
would have been possible for the error path to end up trying to free
unexpected type of an entry or not free the memory at all.
Signed-off-by: Jouni Malinen <j@w1.fi>
This avoids an incorrect ARRAY_VS_SINGLETON report for a case where a
pointer is taken to the specified field in a frame and not to a single
octet. Bounds checking was already handled separately.
Signed-off-by: Jouni Malinen <j@w1.fi>
Due to an incorrect operation (MOD vs. AND), the code that was supposed
to return an error if the hex string has odd length was not really
reporting any failures. Instead of reporting an error, the invalid
control interface command would have been truncated. This is not an
issue in practice, but better fix the implementation anyway.
Signed-off-by: Jouni Malinen <j@w1.fi>
If a dict would include duplicated items, the parsing code here would
have leaked memory by overwriting old os_strdup() result with the new
one. Fix this by explicitly freeing the previous entry. This addresses
CID 62852, CID 62851, CID 62850, CID 62849, CID 62847, CID 62846.
Signed-off-by: Jouni Malinen <j@w1.fi>
It would have been at least theoretically possible to hit the first
error in the loop and end up jumping to error handling which would call
os_free(value) without the value having been cleared after the os_free()
call at the end of the previous loop iteration.
Signed-off-by: Jouni Malinen <j@w1.fi>
The GAS query TX operation used a fixed wait time of 1000 ms for the
reply. However, it would be possible for the driver to not support this
long remain-on-channel maximum. Limit this wait time based on driver
support, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes the p2p_find default delay value configurable as
p2p_search_delay parameter through the configuration file (and through
control interface "SET p2p_search_delay <value>" on the P2P management
interface.
This parameter controls the number milliseconds of extra delay that is
added between search iterations when there is a concurrent operation in
progress. This can be used, e.g., p2p_search_delay=100 to make p2p_find
friendlier to concurrent operations by avoiding it from taking 100% of
the radio resources. The default value is the previous default, i.e.,
500 ms. Smaller values can be used to find peers more quickly at the
cost of larger effect to concurrent operations while a larger value
leaves more time for the concurrent operations at the cost of making
device discovery take longer time.
The optional p2p_find delay argument can still be used to override the
search delay for each search operation.
Since the P2P_CONCURRENT_SEARCH_DELAY macro is not used anymore, the
driver specific build parameter for bcmdhd from Android.mk is also
removed. Similar configuration can now be achieved with
p2p_search_delay=0 in the p2p0 interface configuration file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant_event() is required to include the event data for AP mode
events. In theory, a non-AP mode event could be sent here from the
driver wrapper, so reject such event.
Signed-off-by: Jouni Malinen <j@w1.fi>
Prepare for new extended capabilities bits by checking that the local
buffer is large enough to contain all the bits the driver requests. The
existing buffers are large enough to include anything defined until now,
but it would be possible to add more definitions in the future, so
increase them a bit as well to make this more future proof.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of allowing the connection attempt to occur with an unsupported
inner method, check for that explicitly at the time the network block is
added and drop the network if the identified inner method is not
supported.
Signed-off-by: Jouni Malinen <j@w1.fi>
This cannot really be NULL in practice since cred->eap_method would
point to a valid EAP method. Anyway, to avoid false positive from
analyzers, check the pointer explicitly before printing it.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is mainly to keep static analyzers silent since it does not look
like this code path can be reached in practice due to the way
association events are handled and current_ssid is either set before
resched here or the association is rejected. Anyway, if this could be
reached, the wpa_supplicant_set_wpa_none_key() call would end up
dereferencing a NULL pointer, so add an explicit check to make sure that
does not happen.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the offchannel TX frame command was offloaded to the driver in
offchannel_send_action(), we must not send another copy of the frame if
a remain-on-channel event happens to be delivered between this TX
command and the matching TX status event. It was possible for the
duplicated frame to cause problems, e.g., with P2P invitation exchange
if the same Invitation Request frame got sent twice and only the first
one getting accepted by the peer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The dynamically allocated struct wpa_external_work contains the name of
the radio work in the type field and this is used in a debug print
within radio_work_done(). Re-order radio_work_done() and os_free() calls
on couple of paths where the memory was freed before that final user of
the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>