Add list_sta command to print addresses of all stations. Command
added to both wpa_cli and hostapd_cli.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
With mac_addr=0 and preassoc_mac_addr=1, the permanent MAC address
should be restored for association. Previously this did not happen when
reassociating to the same ESS.
Signed-off-by: Benjamin Richter <br@waldteufel.eu>
Scan results were not propagated to all interfaces if scan results
started a new operation, in order to prevent concurrent operations. But
this can cause other interfaces to trigger a new scan when scan results
are already available. Instead, always notify other interfaces of the
scan results, but note that new operations are not allowed.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
There are a couple of places in wpa_supplicant/hostapd where qsort() can
be called with a NULL base pointer. This results in undefined behavior
according to the C standard and with some standard C libraries (ARM RVCT
2.2) results in a data abort/memory exception. Fix this by skipping such
calls since there is nothing needing to be sorted.
Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
This was already done for most driver cases, but it is possible that the
BSSID/frequency is not forced if the driver reports BSS selection
capability (e.g., NL80211_ATTR_ROAM_SUPPORT). That could potentially
result in the driver ignoring the BSSID/frequency hint and associating
with another (incorrect) AP for the WPS provisioning step if that
another AP in the same ESS is more preferred (e.g., better signal
strength) by the driver and only one of the APs (the not preferred one)
is in active WPS registrar state.
While most drivers follow the BSSID hint for the initial connection to
an ESS, not doing it here for the WPS provisioning would break the
protocol. Fix this by enforcing a single BSSID/frequency to disallow the
driver from selecting an incorrect AP for the WPS provisioning
association.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This modifies wpa_eapol_key_send() to use AEAD cipher (AES-SIV for FILS
AKMs) to provide both integrity protection for the EAPOL-Key frame and
encryption for the Key Data field. It should be noted that this starts
encrypting the Key Data field in EAPOL-Key message 2/4 while it remains
unencrypted (but integrity protected) in non-FILS cases. Similarly, the
empty Key Data field in EAPOL-Key message 4/4 gets encrypted for AEAD
cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This can be used to check whether the running wpa_supplicant version was
built with CONFIG_FILS=y.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If FILS is supported, indicate that in Probe Request and (Re)Association
Request frames in the Extended Capabilities element.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The previous implementation was hardcoded to use 128-bit AES key
(AEAD_AES_SIV_CMAC_256). Extend this by allowing AEAD_AES_SIV_CMAC_384
and AEAD_AES_SIV_CMAC_512 with 192-bit and 256-bit AES keys.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This also implements the macsec_get_capability for the macsec_qca
driver to maintain the existing behavior.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to struct receive_sc
down the stack to the {create,delete}_recevie_sc() ops, instead of
passing the individual properties of the SC.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to struct transmit_sc
down the stack to the {create,delete}_transmit_sc() ops, instead of
passing the individual arguments.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to struct receive_sa
down the stack to the {create,enable,disable}_receive_sa() ops, instead
of passing the individual properties of the SA.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to struct transmit_sa
down the stack to the {create,enable,disable}_transmit_sa ops, instead
of passing the individual properties of the SA.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Clean up the driver interface by passing pointers to structs transmit_sa
and receive_sa down the stack to get_receive_lowest_pn(),
get_transmit_next_pn(), and set_transmit_next_pn() ops, instead of
passing the individual arguments.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
This makes it easier to figure out why autoscan is not used even when
being configured through the control interface.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
PNO is sometimes restarted due to changes in scan parameters
(e.g., selected network changed or MAC randomization being
enabled/disabled). Restart is done by stopping PNO and immediately
starting it again. This may result in the SCHED_SCAN_STOPPED event being
received after the request for new PNO, which will make wpa_supplicant
believe PNO is not active although it is actually is. As a result, the
next request to start PNO will fail because PNO is active and should be
stopped first.
Fix this by deferring the request to start PNO until the
SCHED_SCAN_STOPPED event is received in case sched_scan is being
stopped.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When scheduled scan stops without the interface request (for example,
driver stopped it unexpectedly), start a regular scan to continue
scanning for networks and avoid being left with no scan at all.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
In some cases, after a sudden AP disappearing and reconnection to
another AP in the same ESS, if another scan occurs, wpa_supplicant might
try to roam to the old AP (if it was better ranked than the new one)
because it is still saved in BSS list and the blacklist entry was
cleared in previous reconnect. This attempt is going to fail if the AP
is not present anymore and it'll cause long disconnections.
Remove an AP that is probably out of range from the BSS list to avoid
such disconnections. In particular mac80211-based drivers use the
WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY reason code in locally generated
disconnection events for cases where the AP does not reply anymore.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
As the scan channels might need to change when the channel list has been
updated by the kernel. Use the simulated sched_scan timeout
(wpas_scan_restart_sched_scan()) to handle a possible race where an
ongoing sched_scan has stopped asynchronously while trying to restart a
new sched_scan.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
This extends ANQP_GET command to support querying MBO cellular
preference also. The cellular preference can be requested along with
neigbor report by appending mbo:1 to the command arguments.
For example:
ANQP_GET <bssid> 272,mbo:1
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This code sequence was already used at two different places (and an
additional one has been proposed), so add a common helper function to
avoid having to copy-paste this functionality in multiple locations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If a scheduled scan is running on select network command,
cancel and reset it before kicking off a regular scan request.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
The reason detail field in non_pref_chan attribute was removed from MBO
draft v0.0_r25, so the STA should not include this field to be compliant
with the latest draft.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
For testing purposes, it is useful to have an option to be able to
reject BTM Request sent by AP in order to verify the AP behavior upon
BTM Request rejection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a testing mechanism to allow association disallowed set by AP to be
ignored. This can be used to verify AP behavior for disallowing a
specific association.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Implement "SET ignore_auth_resp <0/1>" command to simulate auth/assoc
response loss and EAPOL RX packet loss by ignoring corresponding
incoming events.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
If authentication times out while reassociating to same ESS incorrect
BSSID may end up being blacklisted. Use pending_bssid field on
authentication timeout and deauthentication to ensure the correct AP
gets blacklisted. This is mainly to address cases related to Android
framework roaming behavior.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
When an interface becomes disabled (e.g., when RF-kill becomes blocked)
we should clear the stored scan results to avoid maintaining stale
information.
Fix this by flushing the BSS entries when an interface becomes
disabled.
Signed-off-by: Moshe Benji <moshe.benji@intel.com>
Previously, struct hostapd_iface sta_seen list head was initialized only
when completing interface setup. This left a window for operation that
could potentially iterate through the list before the list head has been
initialized. While the existing code checked iface->num_sta_seen to
avoid this case, it is much cleaner to initialize the list when struct
hostapd_iface is allocated to avoid any accidental missing of the extra
checks before list iteration.
Signed-off-by: Jouni Malinen <j@w1.fi>
When starting a P2P GO, the struct p2p_go_neg_results may use
persistent_group == 2 to indicate use of persistent reconnect. Setting
ssid->p2p_persistent_group based on this did not take into account this
special case and that ended up in D-Bus code trying to encode 2 as a
DBUS_TYPE_BOOLEAN value which results in an assert from the library. Fix
this by setting ssid->p2p_persistent_group to 0 or 1 instead of raw
params->persistent_group value without any filtering.
This is similar to an earlier fix in commit
112fdee738 ('P2P: Fix D-Bus persistent
parameter in group started event') that addressed another code path in
sending out this D-Bus signal.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside wpa_supplicant. When
framework is activated, it will use wpa_supplicant to configure the
STA/AP to publish the FTM functionality. See IEEE P802.11-REVmc/D7.0,
9.4.2.27.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Some deployed stations incorrectly consider nsts capability in
(Re)Association Response frame as required capability instead of maximum
capability and if it is greater than station's capability then beamform
will not happen in uplink traffic.
This commit adds support for an optional workaround to use station's
nsts capability in (Re)Association Response frame if the station's nsts
is less than AP by using the use_sta_nsts=1 configuration parameter.
This configuration is introduced in this commit and it is disabled by
default.
Signed-off-by: Tamizh chelvam <c_traja@qti.qualcomm.com>
This patch aims to expose the configuration file path as an interface
property, like is done with the driver and the bridge name. Doing so,
higher layer programs become responsible to recreate interfaces with the
correct configuration file path when programs need to remove them.
Signed-off-by: Jose Blanquicet <blanquicet@gmail.com>
This is a known constant value (CS_ID_LEN, i.e., the length of the EUI64
identifier) and does not need to be provided separately in these
function calls.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Previously, this was initialized in hostapd_setup_bss() which made it
possible for a REMOVE_NEIGHBOR control interface command to be issued
prior to the list head pointers having been set. That resulted in a NULL
pointer dereference. Fix this by initializing the list head at the time
the data structure gets allocated.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
All the 3 control interfaces: socket based, dbus & binder needs to
perform the same sequence of steps for network add/remove. So, move
these to a common utility method in |wpa_supplicant.c| instead of
duplicating the code everywhere.
Signed-off-by: Roshan Pius <rpius@google.com>
Accoding to the comment of struct wpa_driver_mesh_bss_params, the
max_peer_links parameter should be under that struct.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Previously, secondary channel offset could be non zero even though
disable_ht40=1. This patch fixes it.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Move out the disconnect command handling from |ctrl_iface.c| to
|wpa_supplicant.c| so that it can be reused across the different
control interfaces (socket, dbus & binder).
Signed-off-by: Roshan Pius <rpius@google.com>
The new network profile parameter group_rekey can now be used to specify
the group rekeying internal in seconds for IBSS.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the driver indicates a roamed event with already completed
authorization, altAccept = TRUE could have resulted in the EAP state
machine ending up in the FAILURE state from the INITIALIZE state. This
is not correct behavior and similar cases were already addressed for FT
and WPA-PSK. Fix the offloaded roamed+authorized (EAP/PMKSA caching)
case by doing similar changes to EAPOL/EAP state variable updates during
association event handling.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a ".clang-format" file which is pretty close to the rest of
wpa_supplicant code base and reformat the binder codebase.
Signed-off-by: Roshan Pius <rpius@google.com>
Restructure the binder related makefile sections to expose a separate
|libwpa_binder_interface| which can be imported by clients/tests.
While there,
Change the name of the binder service to the name used in the selinux
permissions.
Signed-off-by: Roshan Pius <rpius@google.com>
In preparation for adding further command completion support
to hostapd_cli move some cli related utility functions out of
wpa_cli into a new common cli file.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
wpas_p2p_persistent_group() returns non-zero for persistent groups. This
value happens to be 2 instead of 1 due to the
P2P_GROUP_CAPAB_PERSISTENT_GROUP value. This ended up with D-Bus code
trying to encode 2 as a DBUS_TYPE_BOOLEAN value which results in an
assert from the library. Fix this by modifying
wpas_p2p_persistent_group() to return 0 or 1 instead of 0 or an
arbitrary non-zero.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes wpa_supplicant set default scan IEs to the driver (if the
vendor command is supported). The driver can use these IEs in the scan
requests initiated by the driver itself. Also the driver can merge these
IEs into further scan requests that it receives, in case if the scan
request doesn't carry any of the IEs sent in this command.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, HT capability IE and HT information IE were included in
Beacon and Mesh Peering Open/Confirm frames even if HT is disabled with
disable_ht=1. This patch removes these.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Previously, mesh power management functionality works only with kernel
MPM. Because user space MPM did not report mesh peer AID to kernel,
the kernel could not identify the bit in TIM element. So this patch
reports mesh peer AID to kernel.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The local found variable is not used in this case. Commit
653d227e9f ('MBO: Improve supported
operating class generation') introduced this variable and unnecessarily
set it here. Remove the write-only assignment to silence static
analyzers.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If no new sme_sa_query_timer() callback is scheculed,
sme_stop_sa_query() needs to be called to allow new SA Query operations
to be started after the failure.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed for hwsim test cases to allow multiple STA-initiated SA
Query operations in short amount of time.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is mainly for testing purposes to allow multiple FETCH_OSU ANQP
operations to be ran without having to wait for full scan between each
query.
Signed-off-by: Jouni Malinen <j@w1.fi>
These control interface event message are used by external programs, so
define them a bit more formally in the header file.
Signed-off-by: Jouni Malinen <j@w1.fi>
If base64_encode() fails (e.g., due to memory allocation failure), the
return value needs to be checked against NULL before using the (not
really) returned length value. The error path here ended up reading
uninitialized variable.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous version did not really work at all and it ended up crashing
if the os_strdup(field->name) call failed.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to maintain separate "return -1;" for each of the
wpa_config_set() calls that cannot really fail in practice.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows P2P Listen to be offloaded to device to enhance power
saving.
To start P2P listen offload, from wpa_cli interface, issue the command:
p2p_lo_start <freq> <period> <interval> <count>
To stop P2P listen offload, issue the command:
p2p_lo_stop
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, wpa_set_scan_ssids() fully exhausted
wpa_driver_scan_params.ssid list when hidden network IDs are provided
via the control interface. This results in us exceeding the max size for
the list advertised by the driver when we add the "wildcard" scan SSID
entry. So, ensure that we leave space for one more scan SSID entry in
the list when we exit out of wpa_set_scan_ssids().
Signed-off-by: Roshan Pius <rpius@google.com>
Previously, 2.4 GHz operating class 81 was not added for US due to not
all of the channels (1-13 in this operating class) being supported.
Still, this operating class is the main operating class in the global
table for 2.4 GHz and it is the only option for indicating support for
the 2.4 GHz band channels in US.
Change the supported operating class building rules to include all
operating classes for which at least one channel is enabled. In
addition, fix the 80, 80+80, and 160 MHz channel checks (checking the
center frequency channel was failing since it is not a valid 20 MHz
channel).
Signed-off-by: Jouni Malinen <j@w1.fi>
{OPN,CNF,CLS}_IGNR events were removed during P802.11s draft development
process. Replace these with not generating a MPM FSM event. In addition,
add the standard REQ_RJCT event and option to pass in a specific reason
code to mesh_mpm_fsm().
Signed-off-by: Jouni Malinen <j@w1.fi>
During the P802.11s draft development, there were separate LISTEN and
IDLE states. However, the current IEEE 802.11 standards uses only the
IDLE state while the implementation called this LISTEN. Rename the state
in the implementation to match the one used in the standard to avoid
confusion. In addition, rename OPEN_{SENT,RCVD} to OPN_{SNT,RCVD} to
match the exact spelling of these states in the standard.
Signed-off-by: Jouni Malinen <j@w1.fi>
REVmc/D6.0 14.5.5.2.2 (Processing Mesh Peering Open frames for AMPE)
mandates the OPN_RJCT event to be invoked if AES-SIV decryption for
received Mesh Peering Open frame fails. This allows a Mesh Peering Close
frame to be sent in such a case.
Signed-off-by: Jouni Malinen <j@w1.fi>
These optional fields are supposed to be included in the Authenticated
Mesh Peering Exchange element only in Mesh Peering Open frames.
Previously, these were incorrectly included in Mesh Peering
Confirm/Close frames and also required to be present in all these
frames.
While this commit changes the receive processing to ignore the
unexpected extra fields, it should be noted that the previous
implementation required the fields to be present and as such, the fixed
implementation is not compatible with it for secure mesh.
Signed-off-by: Jouni Malinen <j@w1.fi>
If radio_add_work() fails, gas_query_req() ended up freeing the query
payload and returning an error. This resulted in also the caller trying
to free the query payload. Fix this by not freeing the buffer within
gas_query_req() in error case to be consistent with the other error
cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
This function was added with the initial GAS implementation, but there
was no user for it at the time and no clear use now either, so remove
the unused function and the related GAS query reason code.
Signed-off-by: Jouni Malinen <j@w1.fi>
Apply the GAS specific rule of using Protected Dual of Public Action
frame only after having checked that the action code indicates this to
be a GAS response. Previously, non-GAS Public Action frames could have
been incorrectly dropped because of this check if received during an
association with PMF enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
The GAS-QUERY-DONE event with result=INTERNAL_ERROR was reported on most
other error cases, but the failure triggered by not being able to
transmit a GAS Initial Request stopped the query silently. Make this
more consistent with other error cases by reporting the same event.
Signed-off-by: Jouni Malinen <j@w1.fi>
Now that mesh sets wpa_s->wpa_state = WPA_COMPLETED, it looks like this
getter can get called with wpa_s->current_ssid = NULL. That could result
in NULL pointer dereference, so need to protect that specific case.
Signed-off-by: Jouni Malinen <j@w1.fi>
This signal sends the peer properties to applications for discovered
peers. The signature of this event is "oa{sv}". This event is needed
because the current DeviceFound signal provides only the peer object
path. If there are many peers in range there will be many DeviceFound
signals and for each DeviceFound signal, applications would need to use
GetAll to fetch peer properties. Doing this many times would create
extra load over application as well as over wpa_supplicant, so it is
better to send peer properties in the event so that applications can
extract found peer information without extra steps.
The existing DeviceFound signal is left as-is to avoid changing its
signature.
The issue is not applicable to the control interface because the
P2P-DEVICE-FOUND event includes peer info in it, but over D-Bus
interface DeviceFound provides only the peer object.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
In mesh interface, the wpa_supplicant state was either
DISCONNECT/SCANNING in non-secured connection or AUTHENTICATING in
secured connection. The latter prevented the scan. Update the
wpa_supplicant state in mesh to be COMPLETED upon initialization. This
is similar to the P2P GO case.
Signed-off-by: Maital Hahn <maitalm@ti.com>
In wpa_supplicant AP mode, allow configuration of the EAP fragment size
using the fragment_size member of network block (wpa_ssid), similar to
the fragment_size in hostapd configuration. bss->fragment_size default
value of 0 is treated specially in some EAP code paths (such as MTU
initialization in eap_pwd_init). In order to preserve the existing
behavior, bss->fragment_size will only be set if the network block
specified a value different from the default which is
DEFAULT_FRAGMENT_SIZE(1398) bytes.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
This is now annotated as be16, so use it as such in all cases instead of
first storing host byte order value and then swapping that to big endian
in other instances of the same structure. This gets rid of number of
sparse warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of number of sparse warnings and also allows the
compatibility of the declarations to be verified.
Signed-off-by: Jouni Malinen <j@w1.fi>
This gets rid of number of sparse warnings and also allows the
compatibility of the declarations to be verified.
Signed-off-by: Jouni Malinen <j@w1.fi>
In some cases parsing of the mesh scan info for a BSS or the P2P scan
info can fail. One reason can be that the Beacon/Probe Response frame
contained malformed length vendor IEs which are not parsed when adding
to the BSS table. Instead of skipping the whole BSS of the BSS command,
just skip the part that failed to parse.
Signed-off-by: Jonathan Afek <jonathanx.afek@intel.com>
The "Accepting Additional Mesh Peerings bit == 0" means the peer cannot
accept any more peers, so suppress attempt to open a connection to such
a peer.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This moves pairwise, group, and management group ciphers to various mesh
data structures to avoid having to hardcode cipher in number of places
through the code. While CCMP and BIP are still the hardcoded ciphers,
these are now set only in one location.
Signed-off-by: Jouni Malinen <j@w1.fi>
The AMPE element includes number of optional and variable length fields
and those cannot really be represented by a fixed struct
ieee80211_ampe_ie. Remove the optional fields from the struct and
build/parse these fields separately.
This is also adding support for IGTKdata that was completely missing
from the previous implementation. In addition, Key RSC for MGTK is now
filled in and used when configuring the RX MGTK for a peer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The previous implementation was incorrect in forcing the MGTK to be used
as the IGTK as well. Define new variable for storing IGTK and use that,
if set, to configure IGTK to the driver. This commit does not yet fix
AMPE element parsing to fill in this information.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the data structures to allow variable length MGTK to be
stored for RX. This is needed as an initial step towards supporting
different cipher suites.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previous implementation was incorrectly using MGTK also as the IGTK and
doing this regardless of whether PMF was enabled. IGTK needs to be a
independent key and this commit does that at the local TX side.
The current AMPE element construction and parsing is quite broken, so
this does not get add the IGTKdata field there.
Signed-off-by: Jouni Malinen <j@w1.fi>
Clean up the mesh_rsn_derive_mtk() function by using proper macros and
pointer to the location within the context block.
Signed-off-by: Jouni Malinen <j@w1.fi>
mesh_rsn_derive_mtk() was hardcoded to use GCMP (even though CCMP was
hardcoded elsewhere) cipher suite selector instead of the selected AKM
suite selector. This resulted in incorrect MTK getting derived. Fix this
by used the SAE AKM suite selector in the input to the KDF.
Signed-off-by: Jouni Malinen <j@w1.fi>
Clean up the mesh_rsn_derive_aek() function by using proper macros and
pointer to the location within the context block.
Signed-off-by: Jouni Malinen <j@w1.fi>
mesh_rsn_derive_aek() was hardcoded to use GCMP (even though CCMP was
hardcoded elsewhere) cipher suite selector instead of the selected AKM
suite selector. This resulted in incorrect AEK getting derived. Fix this
by used the SAE AKM suite selector in the input to the KDF.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is initial step in fixing issues in how PMF configuration for RSN
mesh was handled. PMF is an optional capability for mesh and it needs to
be configured consistently in both hostapd structures (to get proper
RSNE) and key configuration (not included in this commit).
Signed-off-by: Jouni Malinen <j@w1.fi>
Fix possible memory leak in case if WPS is not enabled on the interface
for connection. This path was missed in commit
fae7b37260 ('WPS: Do not expire probable
BSSes for WPS connection').
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When the BSS count reaches max_bss_count, the oldest BSS will be removed
in order to accommodate a new BSS. Exclude WPS enabled BSSes when going
through a WPS connection so that a possible WPS candidate will not be
lost.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ditch the legacy syntax and manual engine mangling and just give an
example using simple PKCS#11 URIs that'll work with both GnuTLS and
OpenSSL.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies
that the wildcard BSSID value is used in Public Action frames that are
transmitted to a STA that is not a member of the same BSS.
wpa_supplicant used to use the actual BSSID value for all such frames
regardless of whether the destination STA is a member of the BSS.
P2P does not follow this rule, so P2P Public Action frame construction
must not be changed. However, the cases using GAS/ANQP for non-P2P
purposes should follow the standard requirements.
Unfortunately, there are deployed AP implementations that do not reply
to a GAS request sent using the wildcard BSSID value. The previously
used behavior (Address3 = AP BSSID even when not associated) continues
to be the default, but the IEEE 802.11 standard compliant addressing
behavior can now be configured with gas_address3=1.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows minimal testing with 160 MHz channel with country code ZA
that happens to be the only one with a non-DFS 160 MHz frequency. DFS
with mesh is not yet supported.
Signed-off-by: Jouni Malinen <j@w1.fi>
ssid->frequency cannot be 0 in wpa_supplicant_mesh_init() since
wpas_supplicant_join_mesh() rejects such a configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds the necessary changes to support extraction and use of the
extended capabilities specified per interface type (a recent
cfg80211/nl80211 extension). If that information is available,
per-interface values will be used to override the global per-radio
value.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a new "timeout" argument to the event message if the nl80211 message
indicates that the connection failure is not due to an explicit AP
rejection message. This makes it easier for external programs to figure
out why the connection failed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_deinit() got called twice if the random_get_bytes() fails to
generate the MGTK. This resulted in double-freeing the rsn->auth
pointer. Fix this by allowing mesh_rsn_auth_init() handle freeing for
all error cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds an extra parameter in GroupStarted signal to indicate whether
the created group is Persistent or not. It is similar to the
[PERSISTENT] tag which comes in P2P-GROUP-STARTED over the control
interface.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
Instead of reporting the memory allocation failure and stopping, run the
scan even if the frequency list cannot be created due to allocation
failure. This allows the wpa_s->reattach flag to be cleared and the scan
to be completed even if it takes a bit longer time due to all channels
getting scanned.
Signed-off-by: Jouni Malinen <j@w1.fi>
If preassoc_mac_addr is used and updating the MAC address fails in
wpas_trigger_scan_cb(), the cloned scan parameters were leaked. Fix that
and also send a CTRL-EVENT-SCAN-FAILED event in this and another error
case.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to have a separate if statement to skip the cases where
phase1 is not set. Just check it with the strstr comparison since this
case is not really used in practice.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_s->current_ssid is set to a non-NULL ssid pointer value here, so
there is no need for the extra if statement.
Signed-off-by: Jouni Malinen <j@w1.fi>
The P2P Device interface can only send Public Action frames. Non-Public
Action frames must be sent over a group interface. The previous
implementation sometimes tried to send non-Public Action frames such as
GO Discoverability over the P2P Device interface, however, the source
address of the frame was set to the group interface address so the code
in offchannel.c knew to select the correct interface for the TX.
The check breaks when the P2P Device and group interfaces have the same
MAC address. In this case the frame will be sent over the P2P Device
interface and the send will fail.
Fix this problem in two places:
1. In offchannel, route non-Public Action frames to the GO
interface when the above conditions are met.
2. When a TX_STATUS event arrives on such routed frame, it will
arrive on the GO interface but it must be handled by the P2P Device
interface since it has the relevant state logic.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
This allows using P2PS config method with or without PIN for connection.
wpa_supplicant should internally handle the default PIN "12345670" and
shall also allow connection irrespective of PIN used in P2P_CONNECT.
For example,
1. P2P_CONNECT 02:2a:fb:22:22:33 p2ps
2. P2P_CONNECT 02:2a:fb:22:22:33 xxxxxxxx p2ps
Where the second one is maintained for backwards compatibility.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
work->type was pointing to the allocated work->ctx buffer and the debug
print in radio_work_free() ended up using freed memory if a started
external radio work was removed as part of FLUSH command operations. Fix
this by updating work->type to point to a constant string in case the
dynamic version gets freed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a new parameter wps_disabled to network block (wpa_ssid). This
parameter allows WPS functionality to be disabled in AP mode.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
While this is unlikely to make any practical difference, it is better to
keep consistent with hostapd configuration parser.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the network profile key_mgmt parameter was not set, wpa_supplicant
defaulted to enabling both WPA-PSK and WPA-EAP. This is not correct for
AP mode operations, so remove WPA-EAP in such a case to fix WPA-PSK
without explicit key_mgmt parameter.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant was starting P2P group processing for all AP mode
interfaces in CONFIG_P2P=y builds. This is unnecessary and such
operations should be enabled only for actual GO interfaces.
Signed-off-by: Jouni Malinen <j@w1.fi>
The NL80211_CMD_WIPHY_REG_CHANGE can be handled by any of the
interfaces that are currently controlled by the wpa_supplicant.
However, some applications expect the REGDOM_CHANGE event to be
sent on the control interface of the initially added interface
(and do not expect the event on any of child interfaces).
To resolve this, when processing NL80211_CMD_WIPHY_REG_CHANGE,
find the highest parent in the chain, and use its control interface
to emit the CTRL-EVENT-REGDOM-CHANGE event.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This makes it easier to write hwsim test cases to verify management
frame processing sequences with dropped or modified frames. When
ext_mgmt_frame_handling is used, this new command can be used to request
wpa_supplicant to process a received a management frame, e.g., based on
information reported in the MGMT-RX events.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE Std 802.11-2012 13.5.6.3 State transitions require an action
sending SETKEYS primitive to MAC when OPN_ACPT event occurs in CNF_RCVD
state in case of AMPE is used, but since MTK calculation is missed in
this condition, all zero valued key are passed to MAC and cause unicast
packet decryption error. This could happen if the first transmission of
plink Open frame is dropped and Confirm frame is processed first
followed by retransmitted Open frame.
Fix this by calculating the MTK also in this sequence of unexpected
messages.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
IEEE Std 802.11-2012 Table 13-2, MPM finite state machine requires to
clear retryTimer when CNF_ACPT event occurs in OPN_SNT state which is
missing, so add it to comply with the standard.
This was found while debugging an MTK issue and this commit fixes a
potential issue that mesh sends invalid event (PLINK_OPEN) which will
lead another invalid timer register such as MeshConfirm Timer. This
behaviour might lead to undefined mesh state.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
Instead of hardcoding "ad-hoc" in the array of supported capabilities,
add this only if the driver indicates support for IBSS.
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
wpas_ap_pmksa_cache_list() and wpas_ap_pmksa_cache_flush() should be
under the #ifdef since they're only called for the control iface and
use functionality that otherwise isn't available.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Since ieee80211w=2 is an explicit configuration to wpa_supplicant, the
connection attempt for such non-PMF (non-RSN) capable networks should be
skipped.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
PMF is available only with RSN and pmf=2 could have prevented open
network connections. Change the global wpa_supplicant pmf parameter to
be interpreted as applying only to RSN cases to allow it to be used with
open networks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Many of the global configuration parameters are written as strings
without filtering and if there is an embedded newline character in the
value, unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file global parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the value of a parameter before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Spurious newlines output while writing the config file can corrupt the
wpa_supplicant configuration. Avoid writing these for the network block
parameters. This is a generic filter that cover cases that may not have
been explicitly addressed with a more specific commit to avoid control
characters in the psk parameter.
Signed-off-by: Paul Stewart <pstew@google.com>
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a passphrase configuration attempt if that passphrase
includes an invalid passphrase.
This fixes an issue where wpa_supplicant could have updated the
configuration file psk parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the passphrase value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject up to 63 characters of
almost arbitrary data into the configuration file. Such configuration
file could result in wpa_supplicant trying to load a library (e.g.,
opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
load_dynamic_eap) from user controlled location when starting again.
This would allow code from that library to be executed under the
wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When the P2P Device interface is used and an existing interface is used
for P2P GO/Client, the P2P Device configuration was not cloned to the
configuration of the existing interface. Thus, configuration parameters
such as idle_group_time, etc., were not propagated to the P2P GO/Client
interface.
Handle this by copying all configuration parameters of the P2P device
interface to the reused interface, with the following exceptions:
1. Copy the NFC key data only if it was not set in the configuration
file.
2. The WPS string fields are set only if they were not previously set
in the configuration of the destination interface (based on the
assumption that these fields should be identical among all
interfaces).
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Use the p2pdev pointer instead of the parent pointer to comply with the
flows when a dedicated P2P Device interface is used and
p2p_no_group_iface == 1 (in which case the parent of the reused
interface isn't necessary the same as p2pdev).
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
On receiving a WNM BSS Transition Management Request frame with a
candidate list, fetch the latest scan results from the kernel to see if
there are any recent scan results for the candidates and initiate a
connection if found. This helps to avoid triggering a new scan in cases
where a scan initiated by something else (e.g., an internal beacon
measurement report functionality in a driver) has processed Beacon or
Probe Response frames without wpa_supplicant having received a
notification of such an update yet.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
systemd service files were supplied with old D-Bus bus name. After
service activation systemd was waiting for appearance of specified bus
name to consider it started successfully. However, if wpa_supplicant was
compiled only with the new D-Bus interface name, systemd didn't notice
configured (old) D-Bus bus name appearance. In the end, service was
considered malfunctioning and it was deactivated.
Update systemd service BusName property according to supported D-Bus
interface version.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
This allows local GO to fetch the P2P Interface Address of a P2P Client
in the group based on the P2P Device Address for the client. This
command should be sent only on a group interface (the same peer may be
in multiple concurrent groups).
Usage:
P2P_GROUP_MEMBER <P2P Device Address>
Output:
<P2P Interface Address>
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Trigger an event when wpa_supplicant accepts an invitation to re-invoke
a persistent group. Previously wpa_supplicant entered group formation
without triggering any specific events and it could confuse clients,
especially when operating with a driver that does not support
concurrency between P2P and infrastructure connection.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Parse a received neighbor report and report for each neighbor report the
data received for it:
RRM-NEIGHBOR-REP-RECEIVED bssid=<BSSID> info=0x<hex> op_class=<class> chan=<chan> [lci=hex] [civic=hex]
Note that this modifies the previous format that originally reported
only the length of the received frame.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Handle radio measurement request that contains LCI request. Send
measurement report based on a configurable LCI report element. The LCI
report element is configured over the control interface with
SET lci <hexdump of the element>
and cleared with
SET lci ""
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Process Neighbor Report Request frame and send Neighbor Report Response
frame based on the configured neighbor report data.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Add a configurable neighbor database that includes the content of
Nighbor Report element, LCI and Location Civic subelements and SSID.
All parameters for a neighbor must be updated at once; Neighbor Report
element and SSID are mandatory, LCI and civic are optional. The age of
LCI is set to the time of neighbor update.
The control interface API is:
SET_NEIGHBOR <BSSID> <ssid=SSID> <nr=data> [lci=<data>] [civic=<data>]
To delete a neighbor use:
REMOVE_NEIGHBOR <BSSID> <SSID>
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Add an option to request LCI and Location Civic Measurement in Neighbor
Report Request frame, as described in IEEE P802.11-REVmc/D5.0, 9.6.7.6.
Note: This changes the encoding format of the NEIGHBOR_REP_REQUEST
ssid=<val> parameter. This used to be parsed as raw SSID data which is
problematic for accepting additional parameters. The new encoding allows
either a string within double-quotation marks or a hexdump of the raw
SSID.
Thew new format:
NEIGHBOR_REP_REQUEST [ssid=<SSID>] [lci] [civic]
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Add a function that parses SSID in text or hex format. In case of the
text format, the SSID is enclosed in double quotes. In case of the hex
format, the SSID must include only hex digits and not be enclosed in
double quotes. The input string may include other arguments after the
SSID.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Make the function available as part of the wpabuf API.
Use this renamed function where possible.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
The new VENDOR_ELEM value 14 can now be used to add a vendor element
into Probe Request frames used by non-P2P active scans.
For example:
VENDOR_ELEM_ADD 14 dd05001122330a
and to clear that:
VENDOR_ELEM_REMOVE 14 *
Signed-off-by: Jouni Malinen <j@w1.fi>
When a station starts an association to a Hotspot 2.0 network, request
the driver to do the following, based on the BSS capabilities:
1. Enable gratuitous ARP filtering
2. Enable unsolicited Neighbor Advertisement filtering
3. Enable unicast IP packet encrypted with GTK filtering if
DGAF disabled bit is zero
Clear the filter configuration when the station interface is
disassociated.
Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
Add a new function declaration that will allow wpa_supplicant to request
the driver to configure data frame filters for specific cases.
Add definitions that will allow frame filtering for stations as
required by Hotspot 2.0:
1. Gratuitous ARP
2. Unsolicited NA
3. Unicast IP packets encrypted with GTK
Signed-off-by: Matti Gottlieb <matti.gottlieb@intel.com>
Add a new value 2 to the pbss parameter of wpa_ssid structure, which
means "don't care". This value is used in infrastructure mode to request
connection to either AP or PCP, whichever is available in the scan
results. The value is also used in regular WPS (not P2P group formation)
to make WPS work with devices running as either AP or PCP.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
With the only callers in wpas_{start,stop}_pno() moved into scan.c,
there is no need to call these helper functions from outside scan.c
anymore.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit dd271857a5 ('Skip normal scan when
PNO is already in progress') fixed issues with normal scans getting
rejected by the driver when PNO scan is already running. The part about
skipping such a scan request is fine, but the part about clearing
wpa_s->pno back to 0 in EVENT_SCHED_SCAN_STOPPED handler is problematic.
If PNO is stopped ("SET pno 0") and then restarted ("SET pno 1")
immediately, it is possible for the EVENT_SCHED_SCAN_STOPPED event from
the stopping part to be received only after the new PNO instance has
been started. This would have resulted in clearing wpa_s->pno and the
driver and wpa_supplicant getting out of sync. This would then prevent
PNO from being stopped with "SET pno 0" (that fails if wpa_s->pno == 0).
Fix this race condition by reverting the wpa_s->pno = 0 addition from
the EVENT_SCHED_SCAN_STOPPED handler.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds use of the driver capability (instead of hardcoded
WPAS_MAX_SCAN_SSIDS) in wpas_start_pno() similarly to what was already
done in wpa_supplicant_req_sched_scan().
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This commit implements the methods defined in Supplicant service:
1. CreateInterface
2. RemoveInterface
3. GetInterface
The binder service returns the corresponding iface binder object
references which can be used by clients to control a specific
interface.
Signed-off-by: Roshan Pius <rpius@google.com>
Create the skeletal binder interface for wpa_supplicant. The interface
hierarchy is based off the existing dbus
interface(https://w1.fi/wpa_supplicant/devel/dbus.html).
Since we use libbinder, the binder interface codebase needs to be
written in C++ and can only be compiled on Android platform for now.
The aidl files define binder RPC interfaces. The Android build system
generates the corresponding C++ interface classes which needs to be
implemented by the server process.
The clients can obtain a reference to the binder service (root object)
using:
android::String16 service_name("fi.w1.wpa_supplicant");
android::sp<android::IBinder> binder =
android::defaultServiceManager()->getService(service_name);
Once a reference to the root object is retrieved, the clients can
obtain references to other RPC objects using that root object methods.
Signed-off-by: Roshan Pius <rpius@google.com>
This struct in the union is empty, but the design of using a zero-length
u8 array here is not fully compatible with C++ and can result in
undesired compiler warnings. Since there are no non-IE fields in the
Probe Request frames, get the location of the variable length IEs simply
by using the pointer to the frame header and the known header length.
Signed-off-by: Jouni Malinen <j@w1.fi>