This is a regression test case for a memory leak on a TLS PRF error
path. In addition, this provides more coverage for this error path.
Signed-off-by: Jouni Malinen <j@w1.fi>
If key derivation fails, there is no point in trying to continue
authentication. In theory, this could happen if memory allocation during
TLS PRF fails.
Signed-off-by: Jouni Malinen <j@w1.fi>
Free tmp_out before returning to prevent memory leak in case the second
memory allocation in openssl_tls_prf() fails. This is quite unlikely,
but at least theoretically possible memory leak with EAP-FAST.
Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
The test sequence "scan_and_bss_entry_removed ap_wps_ap_scan_2" resulted
in failure due to an old BSS entry remaining from the first test case to
the second and the WPS_PBC operation on a forced BSSID ending up picking
the incorrect BSS entry. Make this more robust by clearing the scan
results from cfg80211.
Signed-off-by: Jouni Malinen <j@w1.fi>
Both of these test cases were leaving out BSS entries with active PBC
mode at the end of the test. This could result in the next text case
failing, e.g., in "ap_wps_pbc_overlap_2ap grpform_ext_listen" and
"ap_wps_pbc_overlap_2sta grpform_ext_listen" sequences. Fix this by
flushing the scan results more carefully at the end of the PBC overlap
test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Verify that advertiser returns 'org.wi-fi.wfds' wildcard in a Probe
Response frame if at least one P2PS advertisement is present.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
org.wi-fi.wfds service is not a replacement for non-WFA service matches.
Do not try to replace the results with that if there is not sufficient
room for the response. Instead, reply with all the matching services
that fit into the message. org.wi-fi.wfds is the first entry in the list
(if matching request/service is present), so it won't get overridden by
other services.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The service hash for org.wi-fi.wfds is supposed to match only if the
device has a WFA defined org.wi-fi.wfds.* service. Verify that before
adding org.wi-fi.wfds to the response.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Probe Response building is already doing service matching and there is
no need to do this in both places, so simplify the p2p_reply_probe()
implementation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When doing initial processing of Probe Request frame service hashes, the
previous implementation dropped all other hash values if a hash for
org.wi-fi.wfds was included. This is not correct, since that is not a
full wildcard of all services (it only matches WFA defined
org.wi-fi.wfds.* services).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This "wildcard" match is for WFA specified org.wi-fi.wfds.* services,
not for all services. Verify that there is a really matching service
being advertised instead of assuming this "wildcard" matches if any
services are advertised.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The org.wi-fi.wfds "wildcard" is not a full wildcard of all service
names and as such, it must not remove other service name hash values
from the Probe Request frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
p2ps_gen_hash() has a limit on service names based on the temporary
buffer from stack. Verify that the service name from the local P2P_FIND
command is short enough to fix into that buffer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Only the first seek=<service name> parameter was accepted from the
P2P_FIND command. Fix this to go through all seek parameters to
construct the list of service hash values to seek.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Quoting P2PS specification: "If multiple Service Hash values are
included in the Probe Request frame, then the ASP shall find a match for
each Service Hash, and it shall send a Probe Response frame with the
information listed in this section for all matched Service Hashes." This
commit changes handling of wildcard hash matching by adding a
wildcard 'org.wi-fi.wfds' info together with the other hash matches.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Add auxiliary functions to write a single advertised service info record
into a wpabuf and to find P2PS wildcard hash in a received hash
attribute. Re-factor p2p_buf_add_service_instance() function to allow
adding new wildcard types in future commits.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Commit 4be9f27595 ('wpa_cli: Use eloop
during connection attempts in interactive mode') did not take into
account the needs for signal processing in action mode. eloop_run() was
not called in this case and the internal select() loop would block eloop
processing anyway and prevent clean shutdown. Fix this by using eloop
for action mode operations.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When hostapd or wpa_supplicant is run in debug more with key material
prints allowed (-K on the command line), it is possible for passwords
and keying material to show up in debug prints. Since some of the debug
cases end up allocating a temporary buffer from the heap for processing
purposes, a copy of such password may remain in heap. Clear these
temporary buffers explicitly to avoid causing issues for hwsim test
cases that verify contents of memory against unexpected keys.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The control interface commands may include passwords or other private
key material, so clear it explicitly from memory as soon as the
temporary buffer is not needed anymore.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for a P2P group formation failure to result in a
concurrent station mode operation getting disconnected in the specific
error case where group interface addition fails after a successful GO
Negotiation. Fix this by skipping the wpas_p2p_group_delete() call in
this specific case since the group interface does not exists anymore at
the point wpas_group_formation_completed() gets called.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Avoid using p2p_data::query_hash for both Probe Request frame processing
and for hashes specified by p2p_find. It's resolved by use of local
query_hash and query_count variables in p2p_reply_probe().
Since p2p_data::query_hash is used only for seek hash values rename
p2p_data::query_hash to p2ps_seek_hash.
Delete p2p_data::query_count since it's not needed anymore.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
This increases testing coverage for VENDOR_ELEM mechanism by explicitly
verifying that the requested element gets added to each of the supported
frame types.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 86bd36f0d5 ('Add generic mechanism
for adding vendor elements into frames') introduced a mechanism to add
vendor elements into various frames, but missed the addition to the
Invitation Response frame. This commit addresses the same.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This variable is used locally only in the p2p_reply_probe() function.
The value of this variable is valid only in the context of the single
Probe Request message handling and doesn't make much sense in p2p
context.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Free a PD context with a function encapsulating both os_free() call and
setting a PD context pointer to NULL.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Test P2PS GO and CLI discoverability on group operating channel.
In order to implement these tests, refactor p2ps_connect_p2ps_method
and test_p2ps_connect_adv_go_pin_method to reuse the code for
connection establishment. Also change p2ps_exact_seek so it will
allow getting Probe Response frames from several peers.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
test_p2ps_connect_adv_go_pin_method() expects that
p2ps_provision_keypad_method() returns P2PS-PROV-DONE with details
needed for a connection. However, this event was overridden which
resulted in an incorrect test flow skipping the connection
establishement. The test would pass, however, without really trying to
connect. Fix this by returning the correct event.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
A P2P Client may be discoverable and reply to Probe Request frames,
while at the same time the P2P GO would also be discoverable and include
the P2P Client information in the P2P Group Info attribute of the Probe
Response frames.
If a seeker constantly hears the Probe Response frames from a P2P Client
and then from the GO, but handles them in the opposite order (due to
scan results ordering), the more valuable Probe Response frame from the
P2P Client will be ignored. Fix this by defining a threshold (1 second)
during which the direct Probe Response frame will be preferred over the
information acquired from the GO and will not be considered as old.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
When adding group clients to the P2P peer list, use the driver provided
BSS entry timestamp instead of the current time. Otherwise, the time
comparison which is made in p2p_add_device() doesn't make sense.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
If the RX frequency of the Probe Request frame is known, specify it when
sending the Probe Response frame. This is needed when the Probe Request
frame is received on another virtual interface, for example, when a GO
or P2PS client are discoverable on the group operating channel.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Change send_mlme() API to allow sending management frames on a specific
channel, overriding the internal driver decision.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Return P2P_PREQ_PROCESSED instead of P2P_PREQ_NOT_PROCESSED on
a successful Probe Request frame handling in p2p_reply_probe().
Verify a return value of p2p_reply_probe() in p2p_probe_req_rx()
and continue a pending invitation/connection flow only if the
Probe Request frame is from an expected P2P peer.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
1. Add global p2p_cli_probe property to enable/disable Probe Request
frame RX reporting for connected P2P Clients. The property can be set to
0 - disable or 1 - enable. The default value is 0.
2. Enable Probe Request frame RX reporting for P2P Client on
WPA_COMPLETED state if p2p_cli_probe property is set to 1. Disable it
when an interface state is changing to any other state.
3. Don't cancel Probe Request frame RX reporting on wpa_stop_listen for
a connected P2P Client handling Probe Request frames.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
In some cases, Probe Request frames can be received by a peer not only
on a listen channel. In this case an additional rx_freq parameter
explitly contains a Probe Request frame RX frequency. In case rx_freq is
set to 0, a Probe Request frame RX channel is assumed to be our own
listen channel (p2p->cfg->channel).
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
It is possible for P2P_CONNECT-join command to be issued on a GO's P2P
Interface Address before the P2P peer entry is available to map this
into the GO's P2P Device Address. This could result in the join
operation failing to continue after receiving PD Response due to the
address mismatch (source address = P2P Device Address while only the P2P
Interface Address is known). Fix this by updating the pending join P2P
Device Address based on the BSS entry, if needed.
Signed-off-by: Jouni Malinen <j@w1.fi>
CA country code was included mistakenly (copy-paste..) in cn_op_class_cc
while it was supposed to be included only in us_op_class_cc. In
practice, this did not result in incorrect operation due to the
us_op_class_cc list being checked first. Anyway, better fix
cn_op_class_cc to avoid confusion here.
Signed-off-by: Jouni Malinen <j@w1.fi>
This increases code coverage for gas.c testing to cover areas that
cannot be reached with pure hwsim test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds hwsim test ap_vlan_iface_cleanup_multibss. It connects two
stations in different BSS but the same hostapd process. First both
stations are in VLAN 1, then they get reauthenticated into VLAN 2. Due
to the ordering of the stations moving around, this test checks that
bridge and tagged interface referencing counting is done globally, such
that the tagged interface is not removed too early and no bridge is
left over.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Currently, if multiple bss share are bridge and tagged vlan interface,
only the first instance of struct hostapd_vlan for this vlanid will have
the DVLAN_CLEAN_VLAN flag added. Thus, when this instance is removed,
the tagged vlan interface will be removed from bridge, thought other bss
might still need it. Similarily, the bridge will be left over, as the
does not have zero ports when the first instance of a struct
hostapd_vlan is freed.
This patch fixes this by having a global (per process) reference counter
for dynamic tagged vlan and dynamically created bridge interfaces, so
they are only removed after all local users are freed. (struct
hapd_interfaces *)->vlan_priv is used to hold src/ap/vlan_init.c global
per-process data like drv_priv does; right now this is only used for the
interface reference counting, but could get extended when needed. Then
possibly some vlan_global_init / vlan_global_deinit should be added, but
this is not required right now.
Additionally, vlan->configured is checked to avoid reference counter
decreasing before vlan_newlink increased them.
In order to avoid race conditions, vlan_dellink is called explicitly
after hostapd_vlan_if_remove. Otherwise there would be a short timeframe
between hostapd_vlan_if_remove and vlan_dellink during which the struct
hostapd_vlan still exists, so ap_sta_bind_vlan would try to attach
stations to it.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>