Instead of using implicit limit based on 16-bit unsigned integer having
a maximum value of 65535, limit the maximum length of a CID explicitly
to 1500 bytes. This will hopefully help in reducing false warnings from
static analyzers (CID 72712).
Signed-off-by: Jouni Malinen <j@w1.fi>
The local bss variable is used only within the while loop, so no need to
assign or even make it visible outside the loop.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
TDLS Setup Request frame has to be rejected with status code 37 ("The
request has been declined"), if the BSSID in the received Link
Identifier does not match the current BSSID per IEEE Std 802.11-2012,
10.22.4 ('TDLS direct-link establishment') step (b). The previously used
status code 7 ('Not in same BSS') is described to used only when
processing TPK Handshake Message 2 in TDLS Setup Response frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While building Association Request frame IEs we should consider adding
P2P IEs only on interface where P2P functionality is enabled. Consider
per interface p2p_disabled parameter before adding P2P IEs to complete
the checks for this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When a netdev is removed from a bridge, RTM_DELLINK message is received
with ifname (IFLA_IFNAME) pointing to the main netdev event though that
netdev is not deleted. This was causing issues with P2P GO interface
getting disabled when the netdev was removed from a bridge. Fix this by
filtering RTM_DELLINK events that are related to the bridge when
indicating interface status changes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some deployed APs send two credentials when in mixed-WPA/WPA2
configuration; one for the WPA-Personal/TKIP and the other for
WPA2-Personal/CCMP. Previously, this would result in two network blocks
getting added for the single AP. This can be somewhat confusing and
unnecessary, so merge such credentials into a single one that allows
both WPA and WPA2 to be used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add NULL checks to take care of issues reported by static analyzer tool
on potentially using NULL with printf format %s (which has undefined
behavior even though many compilers end up printing "(null)").
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the P2P Interface Address of the peer gets updated in the
peer table every time based on the scan results.
For example, in a two port concurrency scenario, where the peer device
has two interfaces with unique P2P Interface Addresses and with same P2P
Device Address, based on the Probe Response/Beacon frames from these two
interfaces, their peer table gets updated, but each of these updates
happens in the peer table only based on the P2P Device Address. So, the
same peer's P2P Interface address is updated every time and hence, at
any instant, only one P2P Device Address to P2P Interface Address
mapping entry exist in the peer table for the peer which has two
interfaces.
When we try to join a group operated by the peer, lookup happens in the
peer table and when an interface entry is not available, the pending
interface address gets overwritten with the P2P Device Address and hence
the P2P connection can fail. Since the BSS table is the one that is
up-to-date, this fix will ensure that the interface overwriting will
happen only when there is no BSS entry for the pending P2P Interface
Address as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While hostapd should not really receive the EVENT_ASSOC message for
IBSS, driver_nl80211.c could potentially generate that if something
external forces the interface into IBSS mode and the IBSS case does not
provide the struct assoc_info data. Avoid the potential NULL pointer
dereference by explicitly verifying for the event data to be present.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Global freq_list scan filtar was taken into account only by
req_scan and not by req_sched_scan. We want to allow the user
to limit the channels that wpa_supplicant will scan in req_sched_scan
requests as well.
Signed-off-by: Bojan Prtvar <bojan.prtvar@rt-rk.com>
Before fixing this issue, calling wpas_dbus_getter_p2p_device_config
was causing early termination of dbus connection, due to writing
values to an already closed dict.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
Disable Probe Request reporting for statically created AP interfaces
during de-initialization. We will enable it again while starting AP
operations.
Signed-off-by: Avinash Patil <avinashapatil@gmail.com>
Some devices have limitations which do not allow changing virtual
interface mode from AP to station or vice versa. To work around this,
check if such AP interface is not dynamic. If such an interface is
enumarated, just set ifmode to AP and avoid setting nlmode to default
station mode on deinit.
Signed-off-by: Avinash Patil <avinashapatil@gmail.com>
In order to find a GO interface, there has to be a
comparison among two SSIDs, instead of a wpa_ssid and
a ssid.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
This adds hostapd support for the new WLAN-Pairwise-Cipher,
WLAN-Group-Cipher, WLAN-AKM-Suite, and WLAN-Group-Mgmt-Pairwise-Cipher
attributes defined in RFC 7268. These attributes are added to RADIUS
messages when the station negotiates use of WPA/RSN.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hostapd support for the new WLAN-HESSID attribute defined in
RFC 7268. This attribute contains the HESSID and it is added whenever
Interworking is enabled and HESSID is configured.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hostapd support for the new Mobility-Domain-Id attribute
defined in RFC 7268. This attribute contains the mobility domain id and
it is added whenever the station negotiates use of FT.
Signed-off-by: Jouni Malinen <j@w1.fi>
First for better concistancy but also to tell about the group_object
that is getting removed, thus the client will know about it and will be
able to act accordingly.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
When p2p_cancel is invoked while the GO Negotiation Action TX was
pending, the p2p_send_action_work was not getting cleared.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
The parameter wowlan_triggers is a global string and is not recognised
if it is embraced with double-quotes.
Signed-off-by: Philippe Nunes <philippe.nunes@linux.intel.com>
The special PAC_OPAQUE_TYPE_PAD case did not skip incrementing of the
pos pointer and could result in one octet read-after-buffer when parsing
the PAC-Opaque data.
Signed-off-by: Jouni Malinen <j@w1.fi>
The PAME-BI bit in the Advertisement Protocol element is reserved for
non-AP STA, so this function will never set that bit to one and as such,
there is not much point in maintaining the placeholder dead code for
this either. (CID 68107)
Signed-off-by: Jouni Malinen <j@w1.fi>
Verify that EAP fast session resumption is skipped if the connection
uses a different network configuration than the last EAP connection.
Signed-off-by: Jouni Malinen <j@w1.fi>
This forces EAP peer implementation to drop any possible fast resumption
data if the network block for the current connection is not the same as
the one used for the previous one. This allows different network blocks
to be used with non-matching parameters to enforce different rules even
if the same authentication server is used. For example, this allows
different CA trust rules to be enforced with different ca_cert
parameters which can prevent EAP-TTLS Phase 2 from being used based on
TLS session resumption.
Signed-off-by: Jouni Malinen <j@w1.fi>
The PSK/passphrase are needed for the control interface events since the
upper layer UI component is required by the specification to be able to
make this available for manual configuration. However, this is not
needed in the INFO verbosity level debug entry, so split the event
generation into two parts.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to change the event message message for indication
when P2P group has stated and removes some duplicated code.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is similar to wpa_msg_global() in the same way as wpa_msg_ctrl() is
to wpa_msg(). In other words, wpa_msg_global_ctrl() is used to send
global control interface events without printing them into the debug
log.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use an explicit memset call to clear any configuration parameter and
dynamic data that contains private information like keys or identity.
This brings in an additional layer of protection by reducing the length
of time this type of private data is kept in memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes the EAP-pwd server and peer implementations more robust
should OpenSSL fail to derive random number for some reason. While this
is unlikely to happen in practice, the implementation better be prepared
for this should something unexpected ever happen. See
http://jbp.io/2014/01/16/openssl-rand-api/#review-of-randbytes-callers
for more details.
Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
This makes the implementation less likely to provide useful timing
information to potential attackers from comparisons of information
received from a remote device and private material known only by the
authorized devices.
Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
This changes OpenSSL calls to explicitly clear the EC_POINT memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.
Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
This changes OpenSSL calls to explicitly clear the bignum memory
allocations when freeing them. This adds an extra layer of security by
avoiding leaving potentially private keys into local memory after they
are not needed anymore. While some of these variables are not really
private (e.g., they are sent in clear anyway), the extra cost of
clearing them is not significant and it is simpler to just clear these
explicitly rather than review each possible code path to confirm where
this does not help.
Signed-off-by: Florent Daigniere <nextgens@freenetproject.org>
FreeRADIUS releases before 1.1.4 did not send MS-CHAP2-Success in
EAP-TTLS/MSCHAPv2. A wpa_supplicant workaround for that was added in
2005 and it has been enabled by default to avoid interoperability
issues. This could be disabled with all other EAP workarounds
(eap_workaround=0). However, that will disable some workarounds that are
still needed with number of authentication servers.
Old FreeRADIUS versions should not be in use anymore, so it makes sense
to remove this EAP-TTLS/MSCHAPv2 workaround completely to get more
complete validation of server behavior. This allows MSCHAPv2 to verify
that the server knows the password instead of relying only on the TLS
certificate validation.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
When driver interface is destroyed (via wpa_driver_nl80211_deinit) the
"preq" nl socket isn't always deleted but the callback struct associated
is. After the interface is destroyed we may still get event on the
socket but as the callback has been freed this will cause wpa_supplicant
to crash.
This patch ensures that the "preq" socket is destroyed when destroying
the interface.
Signed-off-by: Cedric IZOARD <cedricx.izoard@intel.com>
This allows external programs to use vendor specific information from
P2P peers without wpa_supplicant having to be able to parse and
understand all such vendor specific elements.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds following new control interface commands to allow arbitrary
vendor elements to be added into number of frames:
VENDOR_ELEM_ADD <frame id> <hexdump of elem(s)>
VENDOR_ELEM_GET <frame id>
VENDOR_ELEM_REMOVE <frame id> <hexdump of elem(s)>
VENDOR_ELEM_REMOVE <frame id> *
The following frames are supported in this commit (additional frames can
be added in the future):
0 = Probe Request frame in P2P device discovery
1 = Probe Response frame from P2P Device role
2 = Probe Response frame from P2P GO
3 = Beacon frame from P2P GO
4 = PD Req
5 = PD Resp
6 = GO Neg Req
7 = GO Neg Resp
8 = GO Neg Conf
9 = Invitation Request
10 = Invitation Response
11 = P2P Association Request
12 = P2P Association Response
One or more vendor element can be added/removed with the commands. The
hexdump of the element(s) needs to contain the full element (id, len,
payload) and the buffer needs to pass IE parsing requirements to be
accepted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
